Counterfeit Memory Stick – Fake Flash
CDR – Manchester Data Recovery Services – has covered fake/counterfeit flash NAND devices in previous posts. Usually, we receive these devices in when they have failed completely, typically when the processor has failed. We know they are fake as the advertised capacity of the memory stick is higher than the capacity of the NAND chip when it is read directly in PC3000 Flash or SoftCenter-Flash Extractor. Unfortunately, it is often the case that data cannot be recovered from these devices due to the nature of the counterfeiting process.
During the last month, CDR has been presented with two identical looking memory sticks which each owner thought had a capacity of 256GB and 512GB. Both devices still had functionality, so it has allowed CDR to investigate the nature of the faking. Pictured below is the memory stick which when plugged into a computer reported a capacity of 512GB.
The 512GB fake memory stick was presented to CDR as brand new. The owner intended to use it to store the data that CDR has successfully recovered from a failed HDD. When the device is plugged into a computer it shows as having 512GB of free space for data to be written to. To begin with, when transferring some small files the memory stick appears to work normally. This is because the memory stick has an 8GB flash NAND chip on the printed circuit board.
However, when an attempt is made to write data at an LBA value higher than the capacity of the NAND chip the faked processor re-writes data over the existing data on the memory stick. This will corrupt the existing data on the memory stick. When you come to open the file it will no longer work as the more recent data will have overwritten it. Moreover, the fake processor also creates nonsense data.
Inspection in WinHex.
Pictured below is a screenshot showing the memory stick contents open in WinHex. To begin with, the contents was filled with a “00” pattern. A test pattern was added to the start of a sector. In response to this, the counterfeit processor created a significant about of data in the sectors before and after, as well as spurious FILE0 master file table entries. The FILE0 entry in the MFT tells the operating system that data is stored at the high capacity ‘fake’ values, even though there is not actually any real data there.
Once the data has been written to the memory stick there is no way to correct or undo the data. If we change the “TESTPATTERN2TEST” data back to the blank “00” data, then yet more ‘fake’ data gets written to the chip. In short, if you are using a counterfeit memory stick then it will not be long before your data becomes corrupt.
How do you know if you have bought a fake memory stick?
In general, if the price seems, “too good, to be true,” then the memory stick is likely to be a fake. In our experience, CDR has found that the majority of counterfeit items have been purchased on eBay or Amazon market place.
Counterfeiting on TV
The counterfeiting of flash NAND devices (and disguising as hard disk drives) has been covered by the BBC’s fake Britain. You can view this on YouTube.