31

I want to wipe all residual data left behind even after a format on a regular 64GB fash drive, the ones someone can scan and recover data. What's the most efficient but quickest way to do this? Any test software I can scan for those residual files before and after the wipe?

200_success
  • 2,154
  • 2
  • 15
  • 20
LtMuffin
  • 442
  • 1
  • 4
  • 13
  • 2
    Related: [Is it enough to only wipe a flash drive once?](https://security.stackexchange.com/questions/5662/is-it-enough-to-only-wipe-a-flash-drive-once) – sleske May 02 '19 at 08:32
  • Getting data back after even a single overwrite with something like DBAN would require accessing the nand directly (de-solder and attach to a new controller) or re-flashing the controller firmware (not an easy task). Only the Colonel's 11 herbs and spices would be worth that ;) See [this](https://www.techrepublic.com/article/disk-wiping-and-data-forensics-separating-myth-from-science/) article for some level headed advice. – Aaron May 02 '19 at 15:04
  • 4
    As always, it depends on what threat you're protecting against. If it's state actors with a quasi-infinite budget I'd personally go with incinerator, hydraulic press... nuke it from orbit. Take your pick. If it's protecting from your nosy neighbour, just delete the files normally. – J... May 02 '19 at 16:33
  • 8
    @J... My instincts say that nuking it from orbit, while it may sanitize the flash drive, may cause one to acquire undesired levels of attention from the state actors you were worried about. – Cort Ammon May 02 '19 at 22:49
  • We take off. Nuke the site from orbit. It's the only way to be sure. – Aron May 03 '19 at 01:24
  • @Aaron It's actually not that difficult. There was a recent DEF CON talk about it. – forest May 03 '19 at 03:50
  • What if you plug it into a USB power plug port, the ones normally used to charge mobile phones? They're the same shape and size. What would happen if USB drive would be exposed to a strong electric current? – Galaxy May 03 '19 at 07:20
  • I never get these questions. If you care that much and it's something cheap, why not just physically destroy it? – northerner May 03 '19 at 07:22

5 Answers5

43

To quote the ISM (Australia's military standards for cyber security).

Security Control: 0359; In flash memory media, a technique known as wear levelling ensures that writes are distributed evenly across each memory block. This feature necessitates flash memory being overwritten with a random pattern twice as this helps ensure that all memory blocks are overwritten.

This means that if you select a secure delete function such as DoD 5220.22M, you will need to run it twice (note that this method only writes randomly through one pass). If you do this it will mean that your data should be safe from the average attacker, however if your USB contains the Colonel's Secret Recipe, or evidence of you committing a serious crime, refer again to the ISM:

Security Control: 0360; Following sanitisation, highly classified non-volatile flash memory media retains its classification

In other words Destroy it with fire and spread its ashes to the 4 corners of the globe.

If you don't have anything as valuable as I stated above don't listen to the paranoid people on here about how you can never sanitse it, as frankly no one will have the resources to retrieve the data, unless it is a Nation State or a Global Conglomerate.

You may also be interested in NIST SP800-88 Which is American Guidelines for Sanitisation, although I like the ISM as it is much more succinct.

meowcat
  • 1,349
  • 1
  • 6
  • 16
  • 1
    Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/93173/discussion-between-meowcat-and-forest). – meowcat May 03 '19 at 04:05
23

Next time you're about to put sensitive data on a flash drive, consider encrypting it first! Strongly encrypted data is useless without the key, and if you securely erase the drive first, all that will be left is an occasional sector of such encrypted data surviving due to wear leveling.

If you're still unsatisfied by this technique because there's a small probability that (a) a meaningful chunk of data survives and (b) the adversary will be able to read it out and (c) decrypt it, consider that physical destruction may not destroy the data definitely: there will be a chance that one night you will sleepwalk to a potential adversary and sleeptalk the data to them.

Edit addressing some of the comments: consumer-grade flash storage does have over-provisioning, e.g. SanDisk microSD Product Manual tells it's an intrinsic function in their products. And this over-provisioning is much more significant that the difference between 1GB and 1GiB, in fact, the ability to use low-grade flash wafers is why the flash storage is so cheap. On such wafers, 5% to 10% of the cells are stillborn, and a few others will only last a few write cycles, while a decent flash card or thumb drive is typically specced to survive 100-500 complete overwrites.

Furthermore, the chance of a random sector to survive N full overwrites (assuming 15% over-provisioning) is not 0.15^N. Wear leveling is nowhere near uniform write distribution, in fact, if a file stays on the flash drive for a long time while other content is written/removed/overwritten, sectors allocated to that file will have significantly less writes done to them, so they may be overwritten every single time during subsequent full-disk overwrites. Additionally, wear leveling is not based exclusively on write count, but also on the number of correctable errors in a sector. If a sector containing sensitive data exceeds such correctable error threshold, it will never be written to again, so the data in it will be there no matter how many times you overwrite the disk.

Dmitry Grigoryev
  • 10,122
  • 1
  • 26
  • 56
  • @Ruslan i guess the chips are made of sand ;) – adrian May 03 '19 at 22:57
  • _in fact, if a file stays on the flash drive for a long time while other content is written/removed/overwritten, sectors allocated to that file will have significantly less writes done to them_ - Static wear leveling deals with this by periodically moving that content elsewhere to give some other cells a rest. Of course, cheap SD cards and USB flash drives do not use static wear leveling, but the much simpler dynamic wear leveling. – forest May 04 '19 at 01:40
17

A quick check at amazon.com shows 64GB USB drives in non-designer cases go for about $20. Less if you buy in bulk.

Since you want "quick and efficient" lets factor in the time needed to overwrite the drive at least twice, and maybe running a drive scanner to verify the erasure. And then remembering to do it each time.

A quick check of homedepot.com shows a propane torch goes for $20, and that's the fancy model with the built-in igniter. Replacement tanks of propane are $4, and will melt quite a few usb drives.

So, take the drive and open it with either pliers or a hammer. A door jamb also works. Pull out the circuit board, go out to the parking lot and incinerate it.

meowcat mentioned this along with the military classification bit - he wasn't making a funny. From a security perspective, nothing ever gets recovered from a melted blob of plastic (semiconductors fail completely at far lower temperatures than a propane torch can provide). From an economic perspective, buying a new one is cheaper than your time to wipe and verify the old one. Same with SSD in retired laptops and spinning drives - physical destruction is quicker, cheaper and more reliable than software solutions.

30 years ago drives were much more expensive, and a lot smaller. A 7 times overwrite to recycle the hardware made much more sense back then - not any more.

peter
  • 179
  • 2
  • 5
    :'( Think about the planet! – A. Hersean May 02 '19 at 14:36
  • Will the flame from a propane torch get hot enough to destroy the data on the flash chip? The flash chip itself is basically a rock, so unlike the PCB you're not going to burn/melt it; and I don't know how temperature sensitive the stored data is. – Dan Is Fiddling By Firelight May 02 '19 at 14:50
  • A propane flame is slightly hotter than the melting point of the silicon, The file details will be long gone before you get it that hot. If this bothers you, use an acetylene welding torch ( 2,250 °C) or a TIG welder (about 6,000 °C). Both require more skill and more money. – peter May 02 '19 at 15:00
  • 3
    @DanNeely As the temperature increases, so does the leakage current in the nand cells (basically charged capacitors) allowing them to self discharge very quickly. A few hundred degrees will very effectively erase any and all data even if the silicon itself survives. – Aaron May 02 '19 at 15:13
  • 3
    Even cheaper is to pop the flash chips off the board with a hammer and chisel/screwdriver. Hold the chip vertically in a vise, hit it with the hammer, and shatter it into pieces. Even if some of those pieces still contain cells that technically retain data, I don't believe there's any way to reconstruct a shattered chip. For the ultra-paranoid, grind it into dust with a belt sander or rotary tool. For optimum *fun*, go with thermite. – bta May 02 '19 at 22:05
  • @bta hammer, chisel and vise cost considerably more than a torch. – peter May 03 '19 at 00:23
  • _hammer, chisel and vise cost considerably more than a torch_ You might be surprised. High quality tools cost a lot more (especially vises), but home depot also says you can get a cheap 10 oz hammer for $5, a small flathead screwdriver for $2, and a bargain-bin clamp vise for $12. All of them will be more than strong enough to demolish hundreds of USB drives. I like the thoroughness of the torch idea, but personally I'd be most worried about people asking me why I'm leaving melted blobs on the parking lot... – GrandOpener May 03 '19 at 02:56
  • Also consider that the only time a military organization will permanently retire a hard drive is when the hard drive no longer works. Otherwise just delete the files that are no longer needed and continue using it so that you don't have to spend precious budget dollars (seriously!) buying a replacement. The drive continues to enjoy the highest classification of anything that has ever been stored on it. If the drive no longer works, it's thermite time. – EvilSnack May 03 '19 at 03:10
  • @EvilSnack No one is going to keep an old hard drive until it fails unless they have a _very_ small budget and a crappy IT dept. They're often replaced regularly and the old drives are degaussed and destroyed. – forest May 03 '19 at 03:31
  • @forest Did 20 years in the military. Very small budgets were the rule, not the exception. And IT isn't going to give you new gear if your budget doesn't have money for it. – EvilSnack May 03 '19 at 04:15
  • @EvilSnack Ah. I was thinking more about "cybersecurity" agencies e.g. FBI, RCMP, NSA and related contractors. I admittedly have little experience with the military specifically. – forest May 03 '19 at 04:16
0

Truth be told, your question is moot.

Once you've paid out the money for the storage device, you generally use it until it no longer works. It's not like the boss ever says, "We don't need this drive. Wipe it and return it to supply." Seriously. I have a 128M thumb drive that I've been using for over 11 years.

From time to time, like when we replaced the old 50MHz desktops with rip-roaring new 166MHz machines, the machines we turned in to supply didn't have hard drives (or any other storage device); we pulled the drives and re-used them. (This helped when a guy in our office was busted for indecent acts with a minor; the OSI pulled the drive from every computer on which he had logged onto the network—to see if he was surfing kiddie porn—and we never saw those drives again.)

If you no longer need the data on the device, simply delete it, continue to use the device for other work, and protect the device with the highest level of security that is required for any of the data that has ever been on the device; if that's not good enough when the device is wiped, it wasn't good enough before, and you have bigger problems.

The only time a storage device leaves custody, especially in military circles, is when the device no longer works. When that is the case, there's no reason to allow a non-functioning device with sensitive data on it to remain intact. Thermite is your friend. (Yes, my unit had a degausser. No, we weren't allowed to use it. Someone in the security-regulation-writing business had updated their regulations, which decertified our degausser's certification for classified material, and whoever was supposed to get it recertified hadn't gotten it done, for reasons.)

EvilSnack
  • 127
  • 2
-4

On a Unix based system, find your USB flash drive device node in /dev. Then, use the following command :

#dd if=/dev/urandom of=/dev/[USB flash drive device node] bs=4M

Using this command will write random bytes of data from the sector 0 to the last one of the USB flash drive device. It is possible to do multiple wipe passes by running the command again.

pmbonneau
  • 181
  • 2
  • 2
  • 10
  • 5
    This would work on HDD, but not on flash media. Wear leveling will spread writes across cells, and not every byte will be overwritten and maybe data can get recovered. This innacuracy is why you got downvotes (not mine, though). – ThoriumBR May 02 '19 at 19:23
  • @ThoriumBR, but if we overwrite the whole device, not just a file, doesn't it mean that every cell on the chip will be written to? – VL-80 May 02 '19 at 19:29
  • 4
    No, as the device with 8GB **usable** space have more than 8GB of **real space**. Think of the older IDE disks with spare sectors on each cylinder for mapping bad blocks. Ask Google for *SSD Over Provisioning*. You will see some devices have as much as 37% over-provisioning, so even if you fully overwrite a device, you are left with 37% of the data untouched. – ThoriumBR May 02 '19 at 19:32
  • @ThoriumBR, with USB thumb drives, the spare capacity usually comes from the difference between kilobytes of 1000 bytes and kilobytes of 1024 bytes. The physical layout of NAND chips encourages power-of-two capacities, so a 64-metric-gigabyte thumb drive will naturally have about 7% spare capacity. – Mark May 02 '19 at 21:57
  • @Mark That's a good heuristic, but it's not always the case. – forest May 03 '19 at 02:12
  • 1
    Actually it pretty much is. It's a pretty sophisticated thumb drive that has any wear levelling at all. This works as described as does using /dev/null in between or filling it with \xF6. Thumb drives are not SSD's, and neither are SD cards. They don't have a controller capable of implementing wear levelling. They have about as much wear leveling as EEPROM. Happy to be corrected if you can find an example. – mckenzm May 03 '19 at 06:55
  • @Mark 7% is very little, maybe just enough to remap the blocks which are faulty right after production. Such drive as a whole will be as good as the worst 7% of its sectors (read: not very good). – Dmitry Grigoryev May 03 '19 at 06:55
  • @mckenzm Flash drives do support wear leveling, but they use the very basic _dynamic_ wear leveling, whereas real SSDs use _static_ wear leveling. The difference is that the former only maps new logical blocks to random unused physical blocks, whereas the latter will, in addition to that, periodically move data from blocks that have held the data for a long time to blocks which have been recently used many times in order to give it a "rest". There's some further information [on Wikipedia](https://en.wikipedia.org/wiki/Wear_leveling#Dynamic_wear_leveling). – forest May 03 '19 at 23:20
  • @mckenzm You can test this yourself by writing 10,000 times to a single logical sector on a cheap but modern flash drive. If the sector goes bad, then you'll know it doesn't use wear leveling. If it survives, then the controller uses _at least_ dynamic wear leveling. Flash drive (and even SD card) controllers are surprisingly powerful nowadays. They're typically ARM chips or heavily-modified 8051s (in the case of SD cards, at least) running at many MHz. The FTL is fully capable of mapping logical to randomized physical sectors. – forest May 03 '19 at 23:29