The document discusses methods for accessing encrypted data on SecureAccess encrypted USB drives. It describes the old method of imaging and mounting the drive, which is no longer effective as the software now checks the drive's Vendor ID and Product ID. It then explains how to emulate a SanDisk drive by flashing a USB drive with the correct IDs, serial number, and contents in order to allow decrypting files with the SecureAccess software. A separate method is described for bypassing the security mechanism to view encrypted file metadata without the password by copying specific configuration files.
2. SecureAccess V1
Encryption
Bypass
SecureAccess V2
Encryption
Changes
Flashing USB Devices
Fake USB devices?
Anatomy of USB
PID & VID
Serial Number
Emulating a SanDisk Device
Accessing a SecureAccess Vault
3. Based on technology by YuuWaa
Subsidiary of Gemalto
No longer supported product
EOL as of January 2014
4. The old method:
1. Enable write-blocking (SW or HW)
2. Image device
3. Mount forensic image as write-cached (FTK Imager V3.x)
4. Run SecureAccess software
5. Decrypt contents and add to forensic container
5. Bypass published in August 2013:
1. Open Explorer, click "Folder and Search options", click "View" and make sure that hidden files are visible
2. Go to the MyVaults folder, located in the same location as RunSanDiskSecureAccess_Win.exe.
3. In the MyVaults folder, go to the folder with the same name as the vault you want to access.
4. Open the dmOption.xml file in Notepad or any other text editor
5. Look for DoCrypt="true" and change true to "false". Then save the file.
6. At the login screen, leave the password field blank and click "OK"
http://www.hackforums.net/showthread.php?tid=3637837
6. Based on EncryptStick
ENC Security Systems
AES 128 bit encryption algorithm
No bypass is currently known for the encryption, but there is a bypass for the software security mechanism
8. Old method of imaging and mounting write-cached no longer works
Software now looks for Vendor ID (VID) & Product ID (PID) of SanDisk devices
14. Two major components of a USB thumb drive:
ASIC (Application Specific Integrated Circuit)
NAND (Negated AND) – flash storage (utilises logic gates)
17. USB devices are NOT created equal
Same make and model ≠ same USB controller chipset and FW
18. USB controller market share by manufacturer:

Manufacturer          Market Share   Revenue (Million Dollars)
Phison                35.5%          $32.3
Silicon Motion (SMI)  23.2%          $21.1
SanDisk               14.9%          $13.6
Skymedi                9.0%           $8.2
Sony                   7.4%           $6.7
AlcorMicro             3.2%           $2.9
Toshiba                3.1%           $2.8
Others                 3.7%           $3.4
TOTAL                100.0%          $91.1

Source: iSuppli Corp (2007), USB Controller Market Shares (Revenue in Millions of Dollars)
19. Some of the numerous OEM Flash Controller Vendors:
ALCOR
Ameco
ChipsBank
Efortune
Icreate
Innostor
Netac
OTI
Phison
Prolific
Silicon Micro
Skymedi
Solid State System
USBest
20. Tools required:
ChipsGenius (latest version preferably)
Identifies PID, VID, SN of USB device as well as USB controller chip and related FW
Relevant flashing tool (based on USB controller chip)
Suitable USB thumb drive (size, and availability of flashing SW/FW for its controller)
Older USB devices are easier to flash because FW tools and FW files for them have been released
Otherwise buy a counterfeit thumb drive (e.g. one advertised as 512GB), as these should be easily flashable
21. Important Attributes:
VID
PID
Serial Number
Controller Vendor
Controller Part-Number
F/W
Flash ID code
23. Steps required:
1. Identify VID & PID of SanDisk device using ChipsGenius or USBDeview
e.g. VID 0781 & PID 5581 = SanDisk
2. Flash* suitable USB device with the original VID & PID
3. Copy logical contents across from original exhibit
What happens when you try to run the SecureAccess software now?
*WARNING: All data on device will be wiped during flashing
26. Steps required:
1. Identify VID & PID of SanDisk device using ChipsGenius or USBDeview
e.g. VID 0781 & PID 5581 = SanDisk
2. Flash* suitable USB device with the original VID, PID, & SN
3. Copy logical contents across from original exhibit
What happens when you try to run the SecureAccess software now?
*WARNING: All data on device will be wiped during flashing
28. Files can now be decrypted and added to forensic container
29. If the password of a SecureAccess Vault is unknown, there is a way to see what files are inside the Vault
* This is not a bypass of the encryption scheme; it is a bypass of the security mechanism used to protect the SecureAccess database
30. The encrypted files themselves are named {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.dat and are located in the directory "SanDiskSecureAccess Vault"
31. The SecureAccess database and configuration files that maintain the information about the encrypted files are located in the directory "SystemFiles". There are five files:
32. USB Flash Drive-1739900307A0D887.idx – the last sixteen alphanumeric characters are the serial number of the USB drive
encryptstickconfig.enc
filesys.enc
stickauth.enc
1739900307A0D887.enk – the file name is the serial number of the USB drive
33. The software requires the correct serial number value to allow access to the encrypted container
Creating a new SecureAccess container, with a known password, on a flashed USB and comparing hashes of the SecureAccess files showed that only filesys.enc stayed the same
34. The only file required to get access to the original encrypted container is the serialnumber.enk file (e.g. 1739900307A0D887.enk)
So if you copy the SecureAccess files from an original exhibit across to a flashed USB and then overwrite serialnumber.enk with the one from the known SecureAccess system files, what happens?
35. This will allow you to see what files/folders are in the encrypted container, as well as providing additional metadata* about the files
Metadata fields present:
Name
Date
Size
SUCCESS!
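The file layout described on slides 30 to 34 (the {GUID}.dat ciphertext files, the five SystemFiles entries, and the serial number embedded in the .idx and .enk file names) can be triaged from a logical copy without running SecureAccess. The script below is an added example written for this page, not SanDisk or ENC Security code; it assumes the layout exactly as the slides describe it, builds a constructed sample vault with dummy bytes, and also reproduces the slide 33 hash comparison between two SystemFiles directories.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# File-name patterns from slides 30 and 32 (constructed regexes, not SanDisk's).
GUID_DAT = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\.dat$", re.I)
IDX_NAME = re.compile(r"^USB Flash Drive-([0-9A-F]{16})\.idx$", re.I)
ENK_NAME = re.compile(r"^([0-9A-F]{16})\.enk$", re.I)
ENC_FILES = ("encryptstickconfig.enc", "filesys.enc", "stickauth.enc")

def inspect_vault(vault_dir):
    """Triage a logical copy of 'SanDiskSecureAccess Vault': returns (serial from
    the .enk/.idx names, sorted {GUID}.dat names, list of consistency issues)."""
    vault = Path(vault_dir)
    sysdir = vault / "SystemFiles"
    names = [p.name for p in sysdir.iterdir()] if sysdir.is_dir() else []
    idx = [m.group(1).upper() for n in names if (m := IDX_NAME.match(n))]
    enk = [m.group(1).upper() for n in names if (m := ENK_NAME.match(n))]
    issues = [f"missing {f}" for f in ENC_FILES if f not in names]
    if len(idx) != 1 or len(enk) != 1:
        issues.append("expected exactly one .idx and one .enk file")
    elif idx[0] != enk[0]:
        issues.append(f"serial mismatch: idx={idx[0]} enk={enk[0]}")
    serial = enk[0] if len(enk) == 1 else None
    dats = sorted(p.name for p in vault.iterdir() if GUID_DAT.match(p.name))
    return serial, dats, issues

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def unchanged_system_files(orig_sysdir, new_sysdir):
    """.enc files whose SHA-256 matches in both SystemFiles directories (the
    comparison slide 33 describes; only filesys.enc matched there)."""
    return [n for n in ENC_FILES
            if (Path(orig_sysdir) / n).is_file() and (Path(new_sysdir) / n).is_file()
            and sha256_file(Path(orig_sysdir) / n) == sha256_file(Path(new_sysdir) / n)]

def build_sample_vault(serial, root=None, filesys_blob=b"constructed-filesys"):
    """Constructed vault layout (dummy bytes) under root or a new temp dir; returns vault path."""
    vault = Path(root or tempfile.mkdtemp()) / "SanDiskSecureAccess Vault"
    sysdir = vault / "SystemFiles"
    sysdir.mkdir(parents=True)
    (sysdir / f"USB Flash Drive-{serial}.idx").write_bytes(b"idx-" + serial.encode())
    (sysdir / f"{serial}.enk").write_bytes(b"enk-" + serial.encode())
    (sysdir / "encryptstickconfig.enc").write_bytes(b"cfg-" + serial.encode())
    (sysdir / "stickauth.enc").write_bytes(b"auth-" + serial.encode())
    (sysdir / "filesys.enc").write_bytes(filesys_blob)
    (vault / "{3f2504e0-4f89-11d3-9a0c-0305e82c3301}.dat").write_bytes(b"ciphertext")
    return vault
```

A serial mismatch between the .idx and .enk names, or a missing .enc file, is the first thing to record when a copied vault refuses to open on an emulated device.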
36. Steps required:
1. Flash a USB with the same serial number as the original exhibit
2. Copy the SanDisk SecureAccess software onto the newly flashed USB
3. Create a new SecureAccess encrypted container; the password can be anything you want, but write it down so you don't forget it, then close the SecureAccess software
37. Steps required:
4. Rename the "SanDiskSecureAccess Vault" directory to "NEW___ SanDiskSecureAccess Vault"
5. Copy all of the SecureAccess files from the original container into the root directory of the new device
6. Overwrite the serialnumber.enk file in the "SanDiskSecureAccess Vault\System Files" directory with the one from the "NEW___ SanDiskSecureAccess Vault\System Files" directory
7. Run SecureAccess on the newly flashed USB and enter the password from step 3
8. You will now be presented with the SecureAccess GUI showing the metadata* from the encrypted files
38. Trying to decrypt these files with this bypass will not work; the SecureAccess software will crash
This is because the decryption password is incorrect
You will get zero-byte files but nothing else
39. References
HackForums – http://www.hackforums.net/showthread.php?tid=3637837
ChipsGenius – http://www.usbdev.ru/ – hosts many flashing tools including ChipsGenius (Russian)
http://flashboot.ru/iflash/ – good database for locating flashing tools that work with various chipsets (Russian)
http://dl.mydigit.net/ – contains many flashing tools for various chipsets (Chinese)
https://viaforensics.com/computer-forensics/forensic-acquisition-analysis-u3-usb-drive.html
Harman, R. (2014) Controlling USB Flash Drive Controllers: Exposé of Hidden Features, ShmooCon, URL:
Bang, J., Yoo, B. and Lee, S. (2010) Secure USB Bypassing Tool, URL: http://www.dfrws.org/2010/proceedings/bang.pdf
http://usbspeed.nirsoft.net/ – lists some VID and PID values
http://www.scribd.com/doc/216218953/PS2251# – Phison Electronics Corporation USB 2.0 Flash Controller Specification PS2251, Version 1.2