Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

SanDisk SecureAccess Encryption 1.5

Update from my previous presentation on dealing with SanDisk SecureAccess encrypted containers; including a bypass of the SecureAccess V2 software to see the contents of the encrypted containers.

  • Login to see the comments

SanDisk SecureAccess Encryption 1.5

  1. 1. Forensic Processing Version 1.5 Brent Muir – 2015
  2. 2.  SecureAccess V1  Encryption  Bypass  SecureAccess V2  Encryption  Changes  Flashing USB Devices  Fake USB devices?  Anatomy of USB  PID & VID  Serial Number  Emulating a SanDisk Device  Accessing a SecureAccess Vault
  3. 3.  Based on technology by YuuWaa  Subsidiary of Gemalto  No longer supported product  EOL as of January 2014
  4. 4. The old method: 1. Enable write-blocking (SW or HW) 2. Image device 3. Mount forensic image as write-cached (FTK Imager V3.x) 4. Run SecureAccess software 5. Decrypt contents and add to forensic container
  5. 5. Bypass published in August 2013: 1. Open Explorer  Click on Folder and Search options  click on view  make sure that you can see hidden files 2. Go to the MyVaults folder, located in the same location as RunSanDiskSecureAccess_Win.exe. 3. In the MyVaults folder go to the folder named as the same thing the vault you want to access is named. 4. Open the dmOption.xml file in Notepad or any other word processing program 5. Look for DoCrypt"true" and change true to “false”. Then save the file. 6. At login screen leave password field blank and click “OK”
  6. 6.  Based on EncryptStick  ENC Security Systems  AES 128 bit encryption algorithm  No bypass is currently known for encryption, but there is a bypass for the software security mechanism
  7. 7.  Old method of imaging and mounting write-cached no longer works  Software now looks for Vendor ID (VID) & Product ID (PID) of SanDisk devices
  8. 8.  So how can we recreate a SanDisk device?
  9. 9.  Ever wondered how you can buy 512GB USB thumb drives for so little $$$ online?
  10. 10.  online?
  11. 11.  2 major components to a USB thumb drive:  ASIC (Application Specific Integrated Circuit)  NAND (Negated AND) – flash storage (utilises logic gates)
  12. 12. Toshiba, ASIC & Foundry Solutions for USB
  13. 13. Phison Electronics Corporation, USB 2.0 Flash Controller Specification PS2251, Version 1.2
  14. 14.  USB devices are NOT created equal  Same make and model ≠same USB controller chipset and FW
  15. 15. Manufacturer Market Share Profit (Million Dollars) Phison 35.5% $32.3 Silicon Motion (SMI) 23.2% $21.1 SanDisk 14.9% $13.6 Skymedi 9.0% $8.2 Sony 7.4% $6.7 AlcorMicro 3.2% $2.9 Toshiba 3.1% $2.8 Others 3.7% $3.4 TOTAL 100% $91.1 iSuppli Corp (2007), USB Controller Market Shares (Revenue in Millions of Dollars)
  16. 16.  Some of the numerous OEM Flash Controller Vendors:  ALCOR  Ameco  ChipsBank  Efortune  Icreate  Innostor  Netac  OTI  Phison  Prolific  Silicon Micro  Skymedi  Solid State System  USBest
  17. 17.  Tools required:  ChipsGenius (latest version preferably)  Identifies PID, VID, SN of USB device as well as USB controller chip and related FW  Relevant flashing tool (based on USB controller chip)  Suitable USB thumb drive (size and availability of flash SW/FW)  Older USB devices are easier to flash due to release of FW tools and FW files  Otherwise buy a fake thumb drive (such as 512GB) as these should be easily flashable
  18. 18. Important Attributes:  VID  PID  Serial Number  Controller Vendor  Controller Part-Number  F/W  Flash ID code
  19. 19. Important Attributes:  VendorID  ProductID  Serial Number
  20. 20.  Steps required: 1. Identify VID & PID of SanDisk device using ChipsGenius or USBDeview  E.G. VID 0781 & PID 5581 = SanDisk 2. Flash* suitable USB device with the original VID & PID 3. Copy logical contents across from original exhibit  What happens when you try to run the SecureAccess software now? *WARNING: All data on device will be wiped during flashing
  21. 21.  Software runs, but as first-time use
  22. 22. SanDiskSecureAccess VaultSystem Files  2 files reference SN of original exhibit  SN must match original device in order to “see” encrypted files
  23. 23.  Steps required: 1. Identify VID & PID of SanDisk device using ChipsGenius or USBDeview  E.G. VID 0781 & PID 5581 = SanDisk 2. Flash* suitable USB device with the original VID, PID, & SN 3. Copy logical contents across from original exhibit  What happens when you try to run the SecureAccess software now? *WARNING: All data on device will be wiped during flashing
  24. 24. SUCCESS!
  25. 25.  Files can now be decrypted and added to forensic container
  26. 26.  If the password of a SecureAccess Vault is unknown there is a way to see what files are inside the Vault * This is not a bypass of the encryption scheme, more like a bypass of the security mechanism used to protect the SecureAccess database
  27. 27.  The encrypted files themselves are named {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.dat  Located in the directory “SanDiskSecureAccess Vault”
  28. 28.  The SecureAccess database and configuration files maintaining the information about the encrypted files are located in the directory “SystemFiles”, there are five files
  29. 29.  USB Flash Drive-1739900307A0D887.idx – the last sixteen alphanumeric digits are the serial number of the USB drive  encryptstickconfig.enc  filesys.enc  stickauth.enc  1739900307A0D887.enk – this is the serial number of the USB drive.
  30. 30.  The software requires the correct serial number value to allow access to the encrypted container  Creating a new SecureAccess container, with a known password, on a flashed USB and comparing hashes of the SecureAccess files showed only filesys.enc stayed the same
  31. 31.  The only file required to get access to the original encrypted container is the serialnumber.enk file (e.g. 1739900307A0D887.enk)  So if you copy the SecureAccess files from an original exhibit across to a flashed USB and then overwrite serialnumber.enk with the one from the known SecureAccess system files what happens?
  32. 32. This will allow you to see what files/folders are in the encrypted container, as well as providing additional metadata* about the files  Metadata fields present:  Name  Date  Size SUCCESS!
  33. 33.  Steps required: 1. Flash a USB with the same serial number as the original exhibit 2. Copy the SanDisk SecureAccess software onto the newly flashed USB 3. Create a new SecureAccess encrypted container, the password can be anything you want but write it down so you don't forget, then close the SecureAccess software
  34. 34.  Steps required: 4. Rename the “SanDiskSecureAccess Vault” directory to “NEW___ SanDiskSecureAccess Vault” 5. Copy all of the SecureAccess files from the original container into the root directory of the new device 6. Overwrite the serialnumber.enk file in the SanDiskSecureAccess VaultSystem Files directory with the one from the NEW___ SanDiskSecureAccess VaultSystem Files directory 7. Run SecureAccess on the newly flashed USB and enter the password from step 3 8. You will now be presented with the SecureAccess GUI showing the metadata* from the encrypted files
  35. 35.  Trying to decrypt these files with this bypass will not work, the SecureAccess software will crash  This is because the decryption password is incorrect  You will get zero byte files but nothing else
  36. 36.  HackForums -  ChipsGenius – - hosts many flashing tools including ChipsGenius (Russian)  - good database for locating flashing tools that work with various chipsets (Russian)  - contains many flashing tools for various chipsets (Chinese)   Harman, R. (2014) Controlling USB Flash Drive Controllers: Exposé of Hidden Features, Smoocon, URL:  Bang, J., Yoo, B. and Lee, S. (2010) Secure USB Bypassing Tool, , URL:  - lists some VID and PID  - Phison Electronics Corporation USB 2.0 Flash Controller Specification PS2251 Version 1.2