Last Updated: February 25, 2016 · austinkeeley

Checking for fake USB drives on Linux

I've heard about the fake USB and flash memory problem that's happening on eBay and some less-reputable retailers. I recently purchased a 32 GB USB drive and I wondered if there was a quick way to make sure it was the advertised size. I found a few Windows utilities, but I'm running Linux. Fortunately, it's not too hard.

First, plug in your USB drive (obviously) and find the device using mount -l.

Be sure you are getting the right device! Otherwise, this next step is not going to be fun. We're going to overwrite the entire drive with 0s from /dev/zero. This will delete everything on the drive so make sure you have things backed up if you want to keep them.

sudo dd if=/dev/zero of=/dev/[your device here]

Now wait a while as it writes to the drive. In the end you should see something like this:

dd: writing to ‘/dev/sdb1’: No space left on device
62254082+0 records in
62254081+0 records out
31874089472 bytes (32 GB) copied, 1500.72 s, 21.2 MB/s

So it wrote 32 GB, which is what I expected. I've heard about some fraudsters getting clever and getting around this, so we can take it a step further by writing some known data instead of just a bunch of 0s.

First, let's allocate some data.

fallocate -l 31874089472 known_value.img

[Edit: Earlier I used the argument -l 32G, which does indeed allocate 32 gigabytes, but because that suffix counts in binary units (GiB) rather than the decimal gigabytes drive makers quote, it was about 2 billion bytes off. Whups.]

Open up known_value.img in your favorite hex editor and throw some bytes into it. I'll go with 0xDEADBEEF. Your hex editor might not be able to support large files. I used bless and it seemed to be okay.

You can probably guess what to do next. We'll write the known value image to the USB drive and then read it back.

sudo dd if=known_value.img of=/dev/sdb1
sudo dd if=/dev/sdb1 of=new_image.img

Open new_image.img in the hex editor. If we can find 0xDEADBEEF at the end, then our disk should be legit.
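As an added example (not code from the post), here is the write-and-read-back check done in Python against an in-memory stand-in for the drive, so it runs without touching /dev/sdb1 or any real device. It assumes the usual failure mode of a mis-sized drive, namely that addresses beyond the real flash wrap around to the start, and it stamps the marker together with a block index into every block rather than only at the end.

```python
import hashlib
import struct

BLOCK = 4096
MAGIC = b"DEADBEEF"  # the post's marker, here stamped into every block

def make_block(index: int) -> bytes:
    """Block whose content depends on its position on the drive."""
    head = MAGIC + struct.pack(">Q", index)
    return (head + hashlib.sha256(head).digest() * (BLOCK // 32))[:BLOCK]

def verify_pattern(dev, size: int) -> int:
    """Read every block back; return bytes still holding what was written."""
    intact = 0
    for i in range(size // BLOCK):
        dev.seek(i * BLOCK)
        intact += BLOCK if dev.read(BLOCK) == make_block(i) else 0
    return intact

def tail_marker_present(dev, size: int) -> bool:
    """The post's check: is the marker readable at the very end?"""
    dev.seek(size - BLOCK)
    return MAGIC in dev.read(BLOCK)

class FakeDrive:
    """Constructed stand-in (not a real device): only `real` bytes exist and
    addresses past them wrap to offset 0, the assumed mis-sized-flash behaviour."""
    def __init__(self, real: int):
        self.buf, self.real, self.pos = bytearray(real), real, 0
    def seek(self, off: int) -> None:
        self.pos = off
    def write(self, data: bytes) -> None:
        for i, b in enumerate(data):
            self.buf[(self.pos + i) % self.real] = b
        self.pos += len(data)
    def read(self, n: int) -> bytes:
        out = bytes(self.buf[(self.pos + i) % self.real] for i in range(n))
        self.pos += n
        return out

def check(real: int, advertised: int) -> tuple:
    """Write the pattern over `advertised` bytes of a drive that really holds
    `real`, then return (tail marker seen, bytes verified intact)."""
    dev = FakeDrive(real)
    for i in range(advertised // BLOCK):
        dev.seek(i * BLOCK)
        dev.write(make_block(i))
    return tail_marker_present(dev, advertised), verify_pattern(dev, advertised)
```

On a drive that wraps, the marker still shows up in the last block, so the tail-only check passes, while the per-block comparison reports only the real capacity as intact.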

I've never encountered a fake drive before, so I'm not sure if there are any other ways of getting around checks like this. I'd be very interested to know about them.