The document discusses methods for accessing encrypted data on SecureAccess encrypted USB drives. It describes the old method of imaging and mounting the drive, which is no longer effective as the software now checks the drive's Vendor ID and Product ID. It then explains how to emulate a SanDisk drive by flashing a USB drive with the correct IDs, serial number, and contents in order to allow decrypting files with the SecureAccess software. A separate method is described for bypassing the security mechanism to view encrypted file metadata without the password by copying specific configuration files.

1. Forensic Processing
Version 1.5
Brent Muir – 2015

2.  SecureAccess V1
 Encryption
 Bypass
 SecureAccess V2
 Encryption
 Changes
 Flashing USB Devices
 Fake USB devices?
 Anatomy of USB
 PID & VID
 Serial Number
 Emulating a SanDisk Device
 Accessing a SecureAccess Vault

3.  Based on technology by YuuWaa
 Subsidiary of Gemalto
 No longer supported product
 EOL as of January 2014

4. The old method:
1. Enable write-blocking (SW or HW)
2. Image device
3. Mount forensic image as write-cached (FTK Imager V3.x)
4. Run SecureAccess software
5. Decrypt contents and add to forensic container

5. Bypass published in August 2013:
1. Open Explorer  Click on Folder and Search options  click on view  make sure that you can see hidden files
2. Go to the MyVaults folder, located in the same location as RunSanDiskSecureAccess_Win.exe.
3. In the MyVaults folder go to the folder named as the same thing the vault you want to access is named.
4. Open the dmOption.xml file in Notepad or any other word processing program
5. Look for DoCrypt"true" and change true to “false”. Then save the file.
6. At login screen leave password field blank and click “OK”
http://www.hackforums.net/showthread.php?tid=3637837

6.  Based on EncryptStick
 ENC Security Systems
 AES 128 bit encryption algorithm
 No bypass is currently known for encryption, but there is a bypass for the
software security mechanism

8.  Old method of imaging and mounting write-cached no longer works
 Software now looks for Vendor ID (VID) & Product ID (PID) of SanDisk devices

9.  So how can we recreate a SanDisk device?

10.  Ever wondered how you can buy 512GB USB thumb drives for so little
$$$ online?

11.  online?

14.  2 major components to a USB thumb drive:
 ASIC (Application Specific Integrated Circuit)
 NAND (Negated AND) – flash storage (utilises logic gates)

15. Toshiba, ASIC & Foundry Solutions for USB

16. Phison Electronics Corporation, USB 2.0 Flash Controller Specification PS2251, Version 1.2

17.  USB devices are NOT created equal
 Same make and model ≠same USB controller chipset and FW

18. Manufacturer Market Share Profit (Million Dollars)
Phison 35.5% $32.3
Silicon Motion (SMI) 23.2% $21.1
SanDisk 14.9% $13.6
Skymedi 9.0% $8.2
Sony 7.4% $6.7
AlcorMicro 3.2% $2.9
Toshiba 3.1% $2.8
Others 3.7% $3.4
TOTAL 100% $91.1
iSuppli Corp (2007), USB Controller Market Shares (Revenue in Millions of Dollars)

19.  Some of the numerous OEM Flash Controller Vendors:
 ALCOR
 Ameco
 ChipsBank
 Efortune
 Icreate
 Innostor
 Netac
 OTI
 Phison
 Prolific
 Silicon Micro
 Skymedi
 Solid State System
 USBest

20.  Tools required:
 ChipsGenius (latest version preferably)
 Identifies PID, VID, SN of USB device as well as USB controller chip and related FW
 Relevant flashing tool (based on USB controller chip)
 Suitable USB thumb drive (size and availability of flash SW/FW)
 Older USB devices are easier to flash due to release of FW tools and FW files
 Otherwise buy a fake thumb drive (such as 512GB) as these should be easily flashable

21. Important Attributes:
 VID
 PID
 Serial Number
 Controller Vendor
 Controller Part-Number
 F/W
 Flash ID code

22. Important Attributes:
 VendorID
 ProductID
 Serial Number

23.  Steps required:
1. Identify VID & PID of SanDisk device using ChipsGenius or USBDeview
 E.G. VID 0781 & PID 5581 = SanDisk
2. Flash* suitable USB device with the original VID & PID
3. Copy logical contents across from original exhibit
 What happens when you try to run the SecureAccess software now?
*WARNING: All data on device will be wiped during flashing

24.  Software runs, but as first-time use

25. SanDiskSecureAccess VaultSystem Files
 2 files reference SN of original
exhibit
 SN must match original device in
order to “see” encrypted files

26.  Steps required:
1. Identify VID & PID of SanDisk device using ChipsGenius or USBDeview
 E.G. VID 0781 & PID 5581 = SanDisk
2. Flash* suitable USB device with the original VID, PID, & SN
3. Copy logical contents across from original exhibit
 What happens when you try to run the SecureAccess software now?
*WARNING: All data on device will be wiped during flashing

27. SUCCESS!

28.  Files can now be decrypted and added to forensic container

29.  If the password of a SecureAccess Vault is unknown there is a way
to see what files are inside the Vault
* This is not a bypass of the encryption scheme, more like a bypass
of the security mechanism used to protect the SecureAccess
database

30.  The encrypted files themselves are named
{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.dat
 Located in the directory “SanDiskSecureAccess Vault”

31.  The SecureAccess database and configuration files maintaining the
information about the encrypted files are located in the directory
“SystemFiles”, there are five files

32.  USB Flash Drive-1739900307A0D887.idx – the last sixteen alphanumeric
digits are the serial number of the USB drive
 encryptstickconfig.enc
 filesys.enc
 stickauth.enc
 1739900307A0D887.enk – this is the serial number of the USB drive.

33.  The software requires the correct serial number value to allow access to the
encrypted container
 Creating a new SecureAccess container, with a known password, on a flashed
USB and comparing hashes of the SecureAccess files showed only filesys.enc
stayed the same

34.  The only file required to get access to the original encrypted container is the
serialnumber.enk file (e.g. 1739900307A0D887.enk)
 So if you copy the SecureAccess files from an original exhibit across to a
flashed USB and then overwrite serialnumber.enk with the one from the
known SecureAccess system files what happens?

35. This will allow you to see what
files/folders are in the
encrypted container, as well as
providing additional metadata*
about the files
 Metadata fields present:
 Name
 Date
 Size
SUCCESS!

36.  Steps required:
1. Flash a USB with the same serial number as the original
exhibit
2. Copy the SanDisk SecureAccess software onto the newly
flashed USB
3. Create a new SecureAccess encrypted container, the
password can be anything you want but write it down so
you don't forget, then close the SecureAccess software

37.  Steps required:
4. Rename the “SanDiskSecureAccess Vault” directory to “NEW___ SanDiskSecureAccess
Vault”
5. Copy all of the SecureAccess files from the original container into the root directory of the
new device
6. Overwrite the serialnumber.enk file in the SanDiskSecureAccess VaultSystem Files
directory with the one from the NEW___ SanDiskSecureAccess VaultSystem Files
directory
7. Run SecureAccess on the newly flashed USB and enter the password from step 3
8. You will now be presented with the SecureAccess GUI showing the metadata* from the
encrypted files

38.  Trying to decrypt these files with this bypass will not work, the SecureAccess
software will crash
 This is because the decryption password is incorrect
 You will get zero byte files but nothing else

39.  HackForums - http://www.hackforums.net/showthread.php?tid=3637837
 ChipsGenius – http://www.usbdev.ru/ - hosts many flashing tools including ChipsGenius (Russian)
 http://flashboot.ru/iflash/ - good database for locating flashing tools that work with various chipsets (Russian)
 http://dl.mydigit.net/ - contains many flashing tools for various chipsets (Chinese)
 https://viaforensics.com/computer-forensics/forensic-acquisition-analysis-u3-usb-drive.html
 Harman, R. (2014) Controlling USB Flash Drive Controllers: Exposé of Hidden Features, Smoocon, URL:
 Bang, J., Yoo, B. and Lee, S. (2010) Secure USB Bypassing Tool, , URL:http://www.dfrws.org/2010/proceedings/bang.pdf
 http://usbspeed.nirsoft.net/ - lists some VID and PID
 http://www.scribd.com/doc/216218953/PS2251# - Phison Electronics Corporation USB 2.0 Flash Controller Specification PS2251
Version 1.2