What´s the best way...
 
Notifications
Clear all

What´s the best way for cleaning flash drives?  

Page 1 / 2
  RSS
electronic_x
(@electronic_x)
Junior Member

Due to ' Wear Leveling' what is the best way for safely cleaning all types of flash drives, flash cards etc? I suppose in this case more tan one pass are needed.

Quote
Posted : 08/08/2013 12:17 am
jaclaz
(@jaclaz)
Community Legend

Due to ' Wear Leveling' what is the best way for safely cleaning all types of flash drives, flash cards etc? I suppose in this case more tan one pass are needed.

Actually not really.

It is something on which there are many theories, but if you want "safe", right now you need to destroy them physically OR use the specific controller manufacturer's "Mass Produiction" tool to completely wipe the flash memory(ies).
But even these tools may not be enough, since what a weared down area does is to "retain" previously written information i.e. the controller is not being able to write there the new info (or not completely/exactly).

As a matter of fact by making several passes it is possible that more spare sectors get used (and thus more of the previously written ones and "worn down" remain on the stick though not accessible easily).

jaclaz

ReplyQuote
Posted : 08/08/2013 1:45 am
jhup
 jhup
(@jhup)
Community Legend

I second the destroy. Shred then burn.

If you are bored and have nothing better to do, I can tell you how you could use microprobes and wipe the memory individually, including the spare areas, ECC, and such…

But, expect to spend more money on the tools, than purchasing a new device - even if it is a SSD.

ReplyQuote
Posted : 08/08/2013 1:55 am
electronic_x
(@electronic_x)
Junior Member

a)Some time ago I read an article supporting the idea that not accesible areas would be increasingly overwritten the more higher number of passes were performed. So, that idea is not correct?

b)On the other hand, I have read an article on Kingston website. The autor supports the idea that HDDERASE(or any other similar tool??) can sucesfully perfom the ATA command on external flash drives. Have I correctly understood the article, and is the autor correct about this?

http//www.kingston.com/us/community/articledetail?articleid=10

c) BTW, although I know my question is naive but I´d like to know me and a friend, PC technician, tried file recovering on a USB pendrive after 7 passes. We used recuva and Encase. Nothing was recovered. How, then can wear leveling áreas recovered?

d) If absolutely NO other way to get rif of old remnant data in flash devices jhuo has mentioned 'burning' but Are chips, madeof silicon, affected by fire?

ReplyQuote
Posted : 08/08/2013 4:15 am
athulin
(@athulin)
Community Legend

a)Some time ago I read an article supporting the idea that not accesible areas would be increasingly overwritten the more higher number of passes were performed. So, that idea is not correct?

It probably is – for an identified sector. The more writes, the greater the likelihood that that sector (or the area in which that sector is located) will die.

But you're not interested in one single sector, you are interested in all of them. That means not only those that can be accessed through the host interface, but those that cannot. And you are also interested in the information stored in those sectors, and how that is moved during the lifetime of the device.

It's not a bad idea to consider a storage device a black box that works as if it was a ATA-compatible drive, but may be up to all kind of additional tricks behind the curtains. (Like those Xerox copiers that Soviet embassies used for copying their secret documents.)

b)On the other hand, I have read an article on Kingston website. The autor supports the idea that HDDERASE(or any other similar tool??) can sucesfully perfom the ATA command on external flash drives. Have I correctly understood the article, and is the autor correct about this?

As long as you stick to that exact make of Kingston SSD, why not? But if you're dealing with Intel, you may have a look at this. http//www . iishacks . com/2009/06/30/how-to-secure-erase-reset-an-intel-solid-state-drive-ssd/

And there are random indications that some devices don't really do a full erase, but just report that it has been done.

I hope you realise that you need to cope with *all* eventualities, including those of drives that worked fine for some time, but then locked up completely, and won't respond anymore. How do you ensure that any information that remains in them is destroyed?

The emphasis is probably How do *you* ensure that any information that remains in them is destroyed? Taking all eventualities into consideration.

Me, I'd go for physical destruction. Even then, I'd probably keep the remains in a safe for a year or two – because sooner or later someone will ask me how I really can be sure.

If your security requirements are lower, you may ben able to go for other solutions. Make sure you document your decision. Sooner or later, you will need to defend it.

ReplyQuote
Posted : 08/08/2013 1:15 pm
jhup
 jhup
(@jhup)
Community Legend

You may also want to take a step back and think about the risk to cost ratio.

What is the risk level, and likelihood that someone else will be able to extract information from areas you cannot get to?

What is the cost associated with you wiping that area?

Is the risk less costly than the cost of wiping everything?

That is, your cost of wiping user accessible areas is minimal.
Running special TRIM commands, if the device accepts them, and not verify is minimal.
Destroying the device is more expensive as you have to replace it.
Running special TRIM commands, if the device accepts them, and verify the result will require you to spin up a small lab.
Find some OCD and attempt to rewrite non-volatile memory will need an other type of lab.
Rewrite ICs manually than putting them back on, even more lab…

So what is the "cost" of your risk? Remember you can get a +500GB SSD for less than $300.

You will be hard pressed to ramp up a a small lab to verify that a TRIM command worked on even the over-provisioning areas. Same for manually wiping the chips.

Might be slightly less if you can work with on-chip debugger.

ReplyQuote
Posted : 08/08/2013 6:29 pm
jaclaz
(@jaclaz)
Community Legend

The article you linked to on Kingston is ONLY about SSD drives (with a ATA interface) AND the validity of the theory has been debunked by practical experiments.
Read
http//www.forensicfocus.com/Forums/viewtopic/t=9847/
http//articles.forensicfocus.com/2012/10/23/why-ssd-drives-destroy-court-evidence-and-what-can-be-done-about-it/
https://www.usenix.org/legacy/events/fast11/tech/full_papers/Wei.pdf

The issue here is that seemingly a number of manufacturer have not implemented correctly the ATA standard for Safeerase.

About flash drives (USB sticks) you can always do a chip off, and read memory directly (IF you know how to do that - NOT easy but doable).
JFYI
http//flash-extractor.com/
http//www.forensicfocus.com/Forums/viewtopic/t=7042/

jaclaz

ReplyQuote
Posted : 08/08/2013 6:44 pm
electronic_x
(@electronic_x)
Junior Member

jaclaz, you said it is something about which there are many theories. Why doesn´t exist unanimity about it?

In fact, I have read some papers, saying that some researching was made showing that, the more you overwrite and delete a flash USB stick, the more the wear levelling area is more and more reduced , and more and more containing meaningless data, as the overwriting characters(zeroes) ended being placed into that area. Do you think that explanation is correct?

On the other hand if any data from a flash device can be retrieved by reading the chip
directly

a)I suppose it must be something only accesible to forensics?(I ask this as some common computing technicians I asked help for retrieving old information from a non redabl USB, non of them couldn´t retrieve anything.

b)By dismounting the chip from an overwritten USB and reading it meaningful and useful data can be retrieved or only fragments of meaningless information?

ReplyQuote
Posted : 16/08/2013 10:09 pm
jaclaz
(@jaclaz)
Community Legend

jaclaz, you said it is something about which there are many theories. Why doesn´t exist unanimity about it?

Basically because there is not an "accepted" standard (or actually *any* standard) about the innards of a Flash USB stick and experiments (cited) proved that existing standards for ATA devices (SSD) have not been respected/were not implemented fully or correctly.

In fact, I have read some papers, saying that …

I also read quite a few books about flying dragons and aliens reading other people minds (and governments hushing up all of that).

You simply cannot use the "I read somewhere" argument, you either cite EXACTLY the whatever you read, or the point is null ab initio.

On the other hand if any data from a flash device can be retrieved by reading the chip
directly

a)I suppose it must be something only accesible to forensics?(I ask this as some common computing technicians I asked help for retrieving old information from a non redabl USB, non of them couldn´t retrieve anything.

b)By dismounting the chip from an overwritten USB and reading it meaningful and useful data can be retrieved or only fragments of meaningless information?

You are - it seems to me again - falling in the usual misunderstanding. 😯

If *any* data can be retrieved it is not "secure".

I.e. when you say that NO information can be retrieved, it may mean

  • NO (meaning NONE, in NO WAY, and by NOONE) <- secure
  • NO (meaning noone among the three or four common technicians I found managed to make it) may mean BOTH "secure enough" OR that you found a bunch of lousy technicians. 😉
  • NO (meaning "fragments of meaningless info only" is dependent greatly on how you rate the meaningfulness, on the amount of such fragments, on their size, etc., etc.)

Or we are back to "who" may be able to get the data (and find it of any use), like your cousin Joe, a common technician, a malicious hacker, a "normal" LE digital forensics expert, the Government, etc.

The general idea of a wear leveling algorithm is to prolong the life of the memory chip, in theory by using any given cell the same number of times.
I.e. when the device will fail due to wear, it will fail "largely" and "all together, or if you prefer, you won't be forced to throw away a device (or lose data) only because a limited number of cells would be weared down by use.

The more common practical comparison is car tyres "rotation". idea

Nowadays most cars will not have a "proper" spare tyre/wheel, but when all cars had one, there were two different theories, the four tyre and the five tyre one
http//www.automobileplanet.com/2011/05/how-to-rotate-your-tyres.html

Someone would advocate that by using the 4 tire one when you had a flat the spare one would be new and then could bring you home/to the workshop safely, others would say, well, but this way you are using 4/5 of the available resources, then you will have a flat due to wear earlier, and since your "main" four wheels are all at the same wear level, the fact that the fifth one is new won't help as one of the other three would be likely to fail before you get home.
To this the other ones would say, maybe, but when you will have (later) the flat tyre you will have 4/4 weak points instead of 3/4.
And the argument would go on and on forever.

On a memory stick the issues are similar, with the added problem that noone knows for sure what the controller actually does, how it does it and when it does it (and each and every controller may have it's own peculiar wear leveling algorithm, it's own peculiar way to manage spare sectors and the actual memory chip depending on the specific kind of memory may behave differently, as an example a weared cell could "loose" information and in time become all 00's, or become "freezed" on current values, or accept being partially overwritten at bit - not byte - level).

Consider also how most "Mass production tools" by the various USB flash stick controllers allow to widen (or reduce) the number of "spare sectors", so two USB sticks using the same controller and memory chip(s) may have been set in factory by two different "brand resellers" in very different ways, one with more space available to the user (but less or no spare sectors) and one with less space available to the user (but plenty of spare sectors).

jaclaz

ReplyQuote
Posted : 16/08/2013 10:49 pm
PaulSanderson
(@paulsanderson)
Senior Member

I imagine that the ATA security erase function would wipe the drive. If I had more time I would look up the ATA spec.

ReplyQuote
Posted : 16/08/2013 11:01 pm
jaclaz
(@jaclaz)
Community Legend

I imagine that the ATA security erase function would wipe the drive. If I had more time I would look up the ATA spec.

Paul, the several times mentioned paper
https://www.usenix.org/legacy/events/fast11/tech/full_papers/Wei.pdf

is about the experimental finding that security erase has not been implemented fully or correctly on some SSD devices.

Out of 12 units tested only 4 were found to be reliable in the erasing through the ATA commands.

Of course on these 4 the Security erase worked alright.

jaclaz

ReplyQuote
Posted : 16/08/2013 11:23 pm
electronic_x
(@electronic_x)
Junior Member

I can´t remember exactly what´s the paper was nor the names of the researchers. But the paper was about some researchers testing USB flash media deletion by overwritting.I clearly remembar that the conclusión was the more the drive was overwritten, the less data retrieved.Of course this quote is not valid for any scientific study, but I am sure I read it, and it was not a comment from a forum.

So, acording your opinión and experience what usually can be found -in terms of meaningful/meaningless information, quantity etc- from, let´s say, a single zeroed USB Stich 4GB?
What are common forensic experiences regarding retrieving data from USB flash media?

What happens if the old USB drive one is deleted, is fully encrypted? that is if its size is 8MB you créate an encryoted container, 8GB filling all the drive? Does it affect anyway?

And finally(seriously) when we´re speaking of destroying is there any soaking substance suited for make chips unusable?( I do not like hammers lol

ReplyQuote
Posted : 16/08/2013 11:46 pm
jaclaz
(@jaclaz)
Community Legend

I can´t remember exactly what´s the paper was nor the names of the researchers. But the paper was about some researchers testing USB flash media deletion by overwritting.I clearly remembar that the conclusión was the more the drive was overwritten, the less data retrieved.Of course this quote is not valid for any scientific study, but I am sure I read it, and it was not a comment from a forum.

Good, and I am sure that you actually read it, but that doesn't change the fact that it is a vague reference about something you recall vaguely or that you are representing vaguely what you recall.
If you want some vague comments on that, it's OK.
What you posted makes NO SENSE, if the idea is to wipe and sell by writing over and over and exhausting the wear capability of the device, you will have a NON working device that you WON'T be able to sell.

So, acording your opinión and experience what usually can be found -in terms of meaningful/meaningless information, quantity etc- from, let´s say, a single zeroed USB Stich 4GB?

Nothing useful, but again, that does not mean in any way that the procedure is correct or "secure".
I have however drawn a probability estimation that you can find here, together with a visual representation of the SH-1 degausser®
http//reboot.pro/topic/13601-software-to-wipe-a-systemdrive-from-windows/page-7#entry123099

What are common forensic experiences regarding retrieving data from USB flash media?

Again this is a question that may be good for a poll, but I doubt that the G.I.'s will take part to it.

What happens if the old USB drive one is deleted, is fully encrypted? that is if its size is 8MB you créate an encryoted container, 8GB filling all the drive? Does it affect anyway?

Who knows?
What do you mean "affect"?
Any properly encrypted data is difficult to decrypt, partial encrypted data is likely "impossible", but still it cannot be defined "secure".
You are well beyond my "paranoid limit", ignore anything I tried to explain you and follow this guide/tutorial
http//reboot.pro/topic/12862-encrypt-your-sensitive-data-before-wiping-it/
ignore also each and every comment, just trust that guide/tutorial "as is" and replocate it EXACTLY on each and every device.

And finally(seriously) when we´re speaking of destroying is there any soaking substance suited for make chips unusable?( I do not like hammers lol

Well, you can zap it electrically, it will be safer (for you) than any acid/corrosive soak.

jaclaz

ReplyQuote
Posted : 17/08/2013 12:11 am
electronic_x
(@electronic_x)
Junior Member

What you posted makes NO SENSE, if the idea is to wipe and sell by writing over and over and exhausting the wear capability of the device, you will have a NON working device that you WON'T be able to sell

No. I already know that overwriting a flash device will destroy it gradually. I am not at this point speaking of reselling. It is now just out of curiosity, what happens with such a overwritten device?

And finally(seriously) when we´re speaking of destroying is there any soaking substance suited for make chips unusable?( I do not like hammers lol

Well, you can zap it electrically, it will be safer (for you) than any acid/corrosive soak.

How is it made?

jaclaz

ReplyQuote
Posted : 17/08/2013 12:45 am
jaclaz
(@jaclaz)
Community Legend

How is it made?

You apply 12/24/36 V (your choice) with no current limiter below (say) 2 A on the pins of the memory and controller chips.
They make nice popping noises when frying….. though they do smell a bit.

If you don't plan to sell the device, then destroy it, and all the spare sectors within it will be gone, forever.
In Schroedinger cat's issue there wasn't the option to destroy the box no matter if the cat inside is alive or dead, you have this possibility, use it. wink

jaclaz

ReplyQuote
Posted : 17/08/2013 1:45 am
Page 1 / 2
Share: