What´s the best way...
 
Notifications
Clear all

What´s the best way for cleaning flash drives?

19 Posts
6 Users
0 Likes
1,508 Views
(@electronic_x)
Posts: 48
Eminent Member
Topic starter
 

Due to ' Wear Leveling' what is the best way for safely cleaning all types of flash drives, flash cards etc? I suppose in this case more tan one pass are needed.

 
Posted : 07/08/2013 11:17 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Due to ' Wear Leveling' what is the best way for safely cleaning all types of flash drives, flash cards etc? I suppose in this case more tan one pass are needed.

Actually not really.

It is something on which there are many theories, but if you want "safe", right now you need to destroy them physically OR use the specific controller manufacturer's "Mass Produiction" tool to completely wipe the flash memory(ies).
But even these tools may not be enough, since what a weared down area does is to "retain" previously written information i.e. the controller is not being able to write there the new info (or not completely/exactly).

As a matter of fact by making several passes it is possible that more spare sectors get used (and thus more of the previously written ones and "worn down" remain on the stick though not accessible easily).

jaclaz

 
Posted : 08/08/2013 12:45 am
jhup
 jhup
(@jhup)
Posts: 1442
Noble Member
 

I second the destroy. Shred then burn.

If you are bored and have nothing better to do, I can tell you how you could use microprobes and wipe the memory individually, including the spare areas, ECC, and such…

But, expect to spend more money on the tools, than purchasing a new device - even if it is a SSD.

 
Posted : 08/08/2013 12:55 am
(@electronic_x)
Posts: 48
Eminent Member
Topic starter
 

a)Some time ago I read an article supporting the idea that not accesible areas would be increasingly overwritten the more higher number of passes were performed. So, that idea is not correct?

b)On the other hand, I have read an article on Kingston website. The autor supports the idea that HDDERASE(or any other similar tool??) can sucesfully perfom the ATA command on external flash drives. Have I correctly understood the article, and is the autor correct about this?

http//www.kingston.com/us/community/articledetail?articleid=10

c) BTW, although I know my question is naive but I´d like to know me and a friend, PC technician, tried file recovering on a USB pendrive after 7 passes. We used recuva and Encase. Nothing was recovered. How, then can wear leveling áreas recovered?

d) If absolutely NO other way to get rif of old remnant data in flash devices jhuo has mentioned 'burning' but Are chips, madeof silicon, affected by fire?

 
Posted : 08/08/2013 3:15 am
(@athulin)
Posts: 1156
Noble Member
 

a)Some time ago I read an article supporting the idea that not accesible areas would be increasingly overwritten the more higher number of passes were performed. So, that idea is not correct?

It probably is – for an identified sector. The more writes, the greater the likelihood that that sector (or the area in which that sector is located) will die.

But you're not interested in one single sector, you are interested in all of them. That means not only those that can be accessed through the host interface, but those that cannot. And you are also interested in the information stored in those sectors, and how that is moved during the lifetime of the device.

It's not a bad idea to consider a storage device a black box that works as if it was a ATA-compatible drive, but may be up to all kind of additional tricks behind the curtains. (Like those Xerox copiers that Soviet embassies used for copying their secret documents.)

b)On the other hand, I have read an article on Kingston website. The autor supports the idea that HDDERASE(or any other similar tool??) can sucesfully perfom the ATA command on external flash drives. Have I correctly understood the article, and is the autor correct about this?

As long as you stick to that exact make of Kingston SSD, why not? But if you're dealing with Intel, you may have a look at this. http//www . iishacks . com/2009/06/30/how-to-secure-erase-reset-an-intel-solid-state-drive-ssd/

And there are random indications that some devices don't really do a full erase, but just report that it has been done.

I hope you realise that you need to cope with *all* eventualities, including those of drives that worked fine for some time, but then locked up completely, and won't respond anymore. How do you ensure that any information that remains in them is destroyed?

The emphasis is probably How do *you* ensure that any information that remains in them is destroyed? Taking all eventualities into consideration.

Me, I'd go for physical destruction. Even then, I'd probably keep the remains in a safe for a year or two – because sooner or later someone will ask me how I really can be sure.

If your security requirements are lower, you may ben able to go for other solutions. Make sure you document your decision. Sooner or later, you will need to defend it.

 
Posted : 08/08/2013 12:15 pm
jhup
 jhup
(@jhup)
Posts: 1442
Noble Member
 

You may also want to take a step back and think about the risk to cost ratio.

What is the risk level, and likelihood that someone else will be able to extract information from areas you cannot get to?

What is the cost associated with you wiping that area?

Is the risk less costly than the cost of wiping everything?

That is, your cost of wiping user accessible areas is minimal.
Running special TRIM commands, if the device accepts them, and not verify is minimal.
Destroying the device is more expensive as you have to replace it.
Running special TRIM commands, if the device accepts them, and verify the result will require you to spin up a small lab.
Find some OCD and attempt to rewrite non-volatile memory will need an other type of lab.
Rewrite ICs manually than putting them back on, even more lab…

So what is the "cost" of your risk? Remember you can get a +500GB SSD for less than $300.

You will be hard pressed to ramp up a a small lab to verify that a TRIM command worked on even the over-provisioning areas. Same for manually wiping the chips.

Might be slightly less if you can work with on-chip debugger.

 
Posted : 08/08/2013 5:29 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

The article you linked to on Kingston is ONLY about SSD drives (with a ATA interface) AND the validity of the theory has been debunked by practical experiments.
Read
http//www.forensicfocus.com/Forums/viewtopic/t=9847/
http//articles.forensicfocus.com/2012/10/23/why-ssd-drives-destroy-court-evidence-and-what-can-be-done-about-it/
https://www.usenix.org/legacy/events/fast11/tech/full_papers/Wei.pdf

The issue here is that seemingly a number of manufacturer have not implemented correctly the ATA standard for Safeerase.

About flash drives (USB sticks) you can always do a chip off, and read memory directly (IF you know how to do that - NOT easy but doable).
JFYI
http//flash-extractor.com/
http//www.forensicfocus.com/Forums/viewtopic/t=7042/

jaclaz

 
Posted : 08/08/2013 5:44 pm
(@electronic_x)
Posts: 48
Eminent Member
Topic starter
 

jaclaz, you said it is something about which there are many theories. Why doesn´t exist unanimity about it?

In fact, I have read some papers, saying that some researching was made showing that, the more you overwrite and delete a flash USB stick, the more the wear levelling area is more and more reduced , and more and more containing meaningless data, as the overwriting characters(zeroes) ended being placed into that area. Do you think that explanation is correct?

On the other hand if any data from a flash device can be retrieved by reading the chip
directly

a)I suppose it must be something only accesible to forensics?(I ask this as some common computing technicians I asked help for retrieving old information from a non redabl USB, non of them couldn´t retrieve anything.

b)By dismounting the chip from an overwritten USB and reading it meaningful and useful data can be retrieved or only fragments of meaningless information?

 
Posted : 16/08/2013 9:09 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

jaclaz, you said it is something about which there are many theories. Why doesn´t exist unanimity about it?

Basically because there is not an "accepted" standard (or actually *any* standard) about the innards of a Flash USB stick and experiments (cited) proved that existing standards for ATA devices (SSD) have not been respected/were not implemented fully or correctly.

In fact, I have read some papers, saying that …

I also read quite a few books about flying dragons and aliens reading other people minds (and governments hushing up all of that).

You simply cannot use the "I read somewhere" argument, you either cite EXACTLY the whatever you read, or the point is null ab initio.

On the other hand if any data from a flash device can be retrieved by reading the chip
directly

a)I suppose it must be something only accesible to forensics?(I ask this as some common computing technicians I asked help for retrieving old information from a non redabl USB, non of them couldn´t retrieve anything.

b)By dismounting the chip from an overwritten USB and reading it meaningful and useful data can be retrieved or only fragments of meaningless information?

You are - it seems to me again - falling in the usual misunderstanding. 😯

If *any* data can be retrieved it is not "secure".

I.e. when you say that NO information can be retrieved, it may mean

  • NO (meaning NONE, in NO WAY, and by NOONE) <- secure
  • NO (meaning noone among the three or four common technicians I found managed to make it) may mean BOTH "secure enough" OR that you found a bunch of lousy technicians. 😉
  • NO (meaning "fragments of meaningless info only" is dependent greatly on how you rate the meaningfulness, on the amount of such fragments, on their size, etc., etc.)

Or we are back to "who" may be able to get the data (and find it of any use), like your cousin Joe, a common technician, a malicious hacker, a "normal" LE digital forensics expert, the Government, etc.

The general idea of a wear leveling algorithm is to prolong the life of the memory chip, in theory by using any given cell the same number of times.
I.e. when the device will fail due to wear, it will fail "largely" and "all together, or if you prefer, you won't be forced to throw away a device (or lose data) only because a limited number of cells would be weared down by use.

The more common practical comparison is car tyres "rotation". idea

Nowadays most cars will not have a "proper" spare tyre/wheel, but when all cars had one, there were two different theories, the four tyre and the five tyre one
http//www.automobileplanet.com/2011/05/how-to-rotate-your-tyres.html

Someone would advocate that by using the 4 tire one when you had a flat the spare one would be new and then could bring you home/to the workshop safely, others would say, well, but this way you are using 4/5 of the available resources, then you will have a flat due to wear earlier, and since your "main" four wheels are all at the same wear level, the fact that the fifth one is new won't help as one of the other three would be likely to fail before you get home.
To this the other ones would say, maybe, but when you will have (later) the flat tyre you will have 4/4 weak points instead of 3/4.
And the argument would go on and on forever.

On a memory stick the issues are similar, with the added problem that noone knows for sure what the controller actually does, how it does it and when it does it (and each and every controller may have it's own peculiar wear leveling algorithm, it's own peculiar way to manage spare sectors and the actual memory chip depending on the specific kind of memory may behave differently, as an example a weared cell could "loose" information and in time become all 00's, or become "freezed" on current values, or accept being partially overwritten at bit - not byte - level).

Consider also how most "Mass production tools" by the various USB flash stick controllers allow to widen (or reduce) the number of "spare sectors", so two USB sticks using the same controller and memory chip(s) may have been set in factory by two different "brand resellers" in very different ways, one with more space available to the user (but less or no spare sectors) and one with less space available to the user (but plenty of spare sectors).

jaclaz

 
Posted : 16/08/2013 9:49 pm
PaulSanderson
(@paulsanderson)
Posts: 651
Honorable Member
 

I imagine that the ATA security erase function would wipe the drive. If I had more time I would look up the ATA spec.

 
Posted : 16/08/2013 10:01 pm
Page 1 / 2
Share: