Archive for November 2008
What to people mean by fake flash drives?
When people talk about fake flash drives they usually mean a drive that reports itself as a higher capacity than it is. This is not the same as a counterfeit. A counterfeit is something that is pretending to be a brand. The problem is not the same. Something that is counterfeit may in fact be quite servicable – for example a counterfeit Gucci handbag could still be a perfectly functional handbag – it’s just not a real Gucci.
However, a flash drive that says it’s 8GB but is really only 1GB will cause all data over about 970mb to be lost/corrupt. For someone like me this could be an absolute disaster. I bought flash drives on ebay sold as being 8GB, 16GB and 32GB to use with students on a video course. Had I tried to move a 4GB video file from a camera to any of these drives for students to edit, all the hard work they had put into the filming would have been lost. Although both the counterfeit Gucci handbag and the fake capacity flash are fraud; to my mind fake flash is a much more serious issue than the counterfeit Gucci handbag – yet much less is done to stop it. See the page what is a counterfeit? for more.
Fraudesters program the control chip of low capacity flash drives to report the drive as having a much higher capacity drive than it actually is. Many flash drives sold on Ebay especially from Hong Kong /China have had this treatment. Drives that are seen by the operating system as being 16GB can have a true capacity as low as 1 or 2GB. These are mostly unbranded drives. The big issue is not so much the fact that the fraudsters are getting money by deception by doing this but that if you use these drives but you will eventually end up with lost/corrupted files. If this has been done with a drive that shows a brand name then it is a counterfeit. So how do you find the true capacity of a drive that you bought? With the free program h2testw!
The free program h2testw has proved its worth in detecting flash drives which have been programmed to miss-report capacity (what we now call frankenflash). We give H2testw 1.4 the highest rating and recommend it for testing fraudulently programmed USB Flash Drives for the following reasons:
- Easy to Use
- Tested to work on 1.1 and 2.0 USB Ports
- Tested to work to analyze drives advertised as 4GB, 8GB, 16GB, 32GB and yes …64 GB capacity.
- Reports what the operating system sees size to be.
- Will write 1 GB files up to the reported size – requiring no work on your part except patience if it is a large drive and a slow computer
- Will read all the files it wrote and verify them
- Will report that the test ran without problems if all is well
- Will produce a detailed report showing the true capacity, how much data has been lost/corrupted and whether there are aliased memory addresses if problems are found.
- Output results can easily be copied and pasted into notepad to be saved as a text file.
- The program is free
The readme.txt file provides:
- Explanation of the program and what it does for general computer users
- Information on how to interpret the results
- Technical information for those who have a deeper understanding of data storage and file writing and for the skeptics out there.
It has been invaluable to those who (like me) now test all flash they buy (wherever from) to avoid potential data loss arising from use of a falsely programmed device. You can download this free program here:
download h2testw by Harald Bögeholz published by c’t magazine for computer technology
Save the downloaded zip file to your desktop an run the exe file in the folder to install the program on your computer. To test your flash launch the program, select your language (German or English) and select the target drive.
The program will fill your device with numbers and letters in 1000Mb lots and then try to read it back . If your device works as claimed it will tell you that the test ran without problems and you can delete the test files. If not you will get a detailed report.
The results from H2testw have been verified on drives detected as fakes. How?
- Drives were dissembled
- Controller chips were identified
- Flash chips were identified
- Searches on the actual flash drives using their identification number revealed their true capacity. These matched the output from the H2testw Program.
In a few cases, when drives were disassembled, epoxy glue removed holding the flash drive to the bottom casing, quality control stickers were found with a size circled. The size? Exactly what H2testw reported as the capacity it could write to. All drives autopsied for investigation and validation of this program were purchased on eBay.
No other program that can match these features has been found. Therefore, H2testw has been adopted as the gold standard in detection of flash that reports a false capacity to the operating system.
However – this program is windows only.
A word to the terrified:
We fully understand the caution people feel about downloading things from the web, the blog authors are also very cautious about this. For anyone who is worried about following the link please be assured that the download page is on the website of a reputable german computer magazine.
The program was written by Harald Bögeholz (who works for the magazine) after they found that the flash drives they gave away a couple of years back were actually fake! The program was originally written for their readers to make up for the mistake. You can follow the link with confidence – or (if you prefer) you can search for the page with google – but for goodness sake if you buy flash memory get the program h2testw!
UPDATE AUGUST 2010: Michel Machado has developed a program for linux users called F3 (after Fight Flash Fraud – how nice!) but reports from those who have used it are a bit inconclusive as to how user-friendly it is if you aren’t very technical. If you want to give it a go you can download F3 here – let us know how you get on if you try this!
UPDATE SEPT 2010: Another Linux programmer has started work on an alternative solution but we don’t know how far he has got yet.