Erasing USB key Drives

[freestyle]

There seems to be a serious misunderstanding about the way USB drives work on this forum which can lead to security risks. Virtually every post I've seen on the subject here states that USB drives can be securely erased using eraser "because they are magnetic." However, that's simply not the case.

USB drives use wear-levelling algorithms - sort of a low level file format that resides in the key and is lower level than the operating system's file system. Whenever a file is written to the USB key, it distrubtes the file in a psuedo-random fashion across the key's memory cells so that no one cell gets written too many times. This extends the operative life of the key because any one memory cell has a limited number of writes before it dies. Therefore, since Eraser essentially writes files full of random data a certain number of times, there is no way of knowing if the particular data you wanted "erased" has in fact been overwritten even once.

Take for example, a popular version of wear-leveling in USB keys found in TrueFFS. Their site states: When a file needs to be updated, TrueFFS (through NFTL) does not overwrite the old data. Instead it writes it to unused blocks and directs subsequent read accesses to these blocks. The old data will be marked as "old", and will not be erased until the block has to be reused

Even doing a complete wipe of a key doesn't guarantee that you'll overwrite every cell in the usb key! Therefore, if security is really at issue and you want to secure your USB key, I advise that you use an encryption program, such as Truecrypt. In that case, all the memory is at least encrypted.

Therefore, in short, don't rely on "erasing" a USB key for security. It won't do the job. Instead put your data in an encrypted volume on the key or encrypt the entire USB key. Some good discussion of this issue can be found at: http://forums.truecrypt.org/viewtopic.php?t=1702

Encryption of your USB key also offers another benefit over "erasing." Encrypting your USB key instead of "erasing" also reduces the wear on the key's memory cells from repeat file writes during "erasure" of the USB key.

Cheers.

[Glenn]

I know USB flash memory is not magetic (so multiple passes won't help) but if Eraser is:

1. erasing a specific file by overwriting; or

2. erasing unused space by filling an entire drive with random data;

why wouldn't deleted data be wiped?

[freestyle]

The problem lay in the fact that it is not "overwriting" the file. When you save a new copy of a file over an old copy of the file in a USB drive, it doesn't overwrite the cells that the old copy occupies. Instead, it marks those cells as available (but the contents still remain) and then writes the new copy to other cells and updates the FAT to indicate where the new data is being written. Therefore, Eraser doesn't actually write over the old file with its new file because the USB key drive redirects the writes to random cells, not the cells that your data originally occupied. Your old data is still there, just marked "available" so the OS recognizes it as free space.

I'm beginning to change my mind about the full-drive erase though. My understanding of how eraser does the full drive erase is it completely fills the drive with files that contain random data and after the drive is completely full, it deletes those files. If that's the case then a full erase might effectively erase the USB key drive because each cell will be occupied with random data.

[freestyle]

In other words, to truly "erase" any given file on a USB key drive, the program doing the erasing would have to interact directly with the low-level routine of the USB key drive so that the memory cells that contain the copy you want to erase can be written to directly.

[Glenn]

I'm not saying you're wrong but a couple of observations:

1. If I delete a very large file on my 1GB USB flash memory, it's virtually instant (since it is just updating the FAT). But if I use file Erase, it can take over 2 minutes (which seems consistent with the 7MB/sec write speed of the device). Are you saying Eraser is just blindly writing to the media but not necessarily over the correct area?

2. I have recovery software that easily recovers deleted files but it can't recover Erased files on my USB flash memory.

[freestyle]

1. If I delete a very large file on my 1GB USB flash memory, it's virtually instant (since it is just updating the FAT). But if I use file Erase, it can take over 2 minutes (which seems consistent with the 7MB/sec write speed of the device). Are you saying Eraser is just blindly writing to the media but not necessarily over the correct area?

Yes. Erase works at the OS's level, not at the USB's key's level. A file erase using eraser will randomly write to cells on the USB key because the wear-levelling the USB key does once it receives the "write" command from the OS. What cells get written to are not dependent on the OS's write command but on the algorith used by the USB key.

2. I have recovery software that easily recovers deleted files but it can't recover Erased files on my USB flash memory.

That's because the USB key says that the old cells are "available" for rewrite (effectively telling the OS there's nothing there) - your program doesn't have access to the USB key's logic. If someone were able to access the USB key's logic (which I'm sure the manufacturer or a sufficiently sophisticated hack could), then the old copy (or what's left of it after random parts have been overwritten by the multiple random writes done by eraser) could be accessed. The only secure USB key is an encrypted one.

[EraseTheTrace]

i just ran my own test, BUT i only deleted the file, and i WAS able to recover it.

according to your logic this shouldnt even be possible.

[sd6]

Is this also true for USB MP3 players like Apple's Ipod Nano?

[Swifty]

It will work but your disk will die out quickly.

[Overwriter]

Hi All.

I have read this thread with some interest and I thought I would do my own experiment.

Using a Corsair 256MB Flash Drive I first zeroed the entire drive. Then I formatted it FAT32.

I made a large text file with some readable English text in it. I then saved the text file to the flash drive.

I opened the flash drive with my Hex Editor and took a note of where the file was on the flash drive. I was also able to read the English text.

Using the right click option of Eraser I erased the text file with a single pass random overwrite.

I then reopened the flash drive with my Hex Editor and checked the sectors I had previously taken note of. They had been overwritten with what appeared to be a DLL file. This is a feature of Eraser 5.84 that after a random wipe Eraser then selects a random DLL and copies it to the erased location in an effort to disguise the fact erasing had taken place.

I checked the entire flash drive for any data and I was unable to find any.

So it would seem for me that Eraser works ok on Corsair flash drives. This may be something to do with the capacity of the flash drive or the way Corsair works. I guess the only thing to do is to test the flash drive you are currently using with a varied number of test files of different sizes to make sure.

Remember safety first !

[douche.fun]

I thought it wrote over data in a pattern... Not randomly.

[Overwriter]

Hi douche.fun

I am a bit worried about your username !


You can select how Eraser overwrites data. You can even make your own patterns.

I usually choose a random pass.

[Bugles]

I am researching do-it-yourself bootable flash drives, (namely Damn Small Linux) and I want to use an old 512 flash drive. I also would prefer the contents erased by a good program like eraser. So, I have some questions after reading this post:

Overwriter, I do not know what you mean by seroing the drive. (are you talking about low level formatting?) I assume you wrote a large text file, but not a 256MB text file. Was there data on the drive before you reformatted in FAT32?

Anyway, if there was daata on the drive before you "zeroed" and reformatted, and you could not find any data after erasing. Then I would say all we need to do is "zero" our drives, and reformat. No need for eraser! You are a genious Overwriter! (sarcasm, if yo ucan't tell)

Anyway, please let me know the answers to the first paragraph questions.

[Overwriter]

Hi.

Overwriter, I do not know what you mean by zeroing the drive.

I used a hex editor to write zero’s to the entire drive.

Was there data on the drive before you reformatted in FAT32?

Only the zero’s written with the hex editor.

Anyway, if there was daata on the drive before you "zeroed" and reformatted, and you could not find any data after erasing. Then I would say all we need to do is "zero" our drives, and reformat.

You could do that but it would mean when you wanted to erase a 1KB text file you would have to copy all the data you wanted to keep from your flash drive and save it to another disk then zero and format the entire flash drive which could now be as much as 16GB ! Then copy all your data back to the flash drive.

No need for eraser!

Unless you want to go through the procedure in the paragraph above then you do need Eraser, or a hex editor.

[eskdaleman]

I have recovery software that easily recovers deleted files but it can't recover Erased files on my USB flash memory.

I have exactly the opposite experience. Using oo-software Unerase most of the images I had erased on a USB drive were recovered and readable by Paint Shop Pro. Some had been corrupted, probably because they had been deleted some time ago and before the drive had been re-used several times. I erased them again, and recovered them again easily. I then used the 'erase unused drive space' option and that did the trick.
Thanks to others on this forum I have been alerted to the risk on USB drives.