Erasing USB key Drives

[freestyle]

There seems to be a serious misunderstanding about the way USB drives work on this forum which can lead to security risks. Virtually every post I've seen on the subject here states that USB drives can be securely erased using eraser "because they are magnetic." However, that's simply not the case.

USB drives use wear-levelling algorithms - sort of a low level file format that resides in the key and is lower level than the operating system's file system. Whenever a file is written to the USB key, it distrubtes the file in a psuedo-random fashion across the key's memory cells so that no one cell gets written too many times. This extends the operative life of the key because any one memory cell has a limited number of writes before it dies. Therefore, since Eraser essentially writes files full of random data a certain number of times, there is no way of knowing if the particular data you wanted "erased" has in fact been overwritten even once.

Take for example, a popular version of wear-leveling in USB keys found in TrueFFS. Their site states: When a file needs to be updated, TrueFFS (through NFTL) does not overwrite the old data. Instead it writes it to unused blocks and directs subsequent read accesses to these blocks. The old data will be marked as "old", and will not be erased until the block has to be reused

Even doing a complete wipe of a key doesn't guarantee that you'll overwrite every cell in the usb key! Therefore, if security is really at issue and you want to secure your USB key, I advise that you use an encryption program, such as Truecrypt. In that case, all the memory is at least encrypted.

Therefore, in short, don't rely on "erasing" a USB key for security. It won't do the job. Instead put your data in an encrypted volume on the key or encrypt the entire USB key. Some good discussion of this issue can be found at: http://forums.truecrypt.org/viewtopic.php?t=1702

Encryption of your USB key also offers another benefit over "erasing." Encrypting your USB key instead of "erasing" also reduces the wear on the key's memory cells from repeat file writes during "erasure" of the USB key.

Cheers.

 

[Glenn]

I know USB flash memory is not magetic (so multiple passes won't help) but if Eraser is:

1. erasing a specific file by overwriting; or

2. erasing unused space by filling an entire drive with random data;

why wouldn't deleted data be wiped?

 

[freestyle]

The problem lay in the fact that it is not "overwriting" the file. When you save a new copy of a file over an old copy of the file in a USB drive, it doesn't overwrite the cells that the old copy occupies. Instead, it marks those cells as available (but the contents still remain) and then writes the new copy to other cells and updates the FAT to indicate where the new data is being written. Therefore, Eraser doesn't actually write over the old file with its new file because the USB key drive redirects the writes to random cells, not the cells that your data originally occupied. Your old data is still there, just marked "available" so the OS recognizes it as free space.

I'm beginning to change my mind about the full-drive erase though. My understanding of how eraser does the full drive erase is it completely fills the drive with files that contain random data and after the drive is completely full, it deletes those files. If that's the case then a full erase might effectively erase the USB key drive because each cell will be occupied with random data.

 

[freestyle]

USB Erasure

In other words, to truly "erase" any given file on a USB key drive, the program doing the erasing would have to interact directly with the low-level routine of the USB key drive so that the memory cells that contain the copy you want to erase can be written to directly.

 

[Glenn]

I'm not saying you're wrong but a couple of observations:

1. If I delete a very large file on my 1GB USB flash memory, it's virtually instant (since it is just updating the FAT). But if I use file Erase, it can take over 2 minutes (which seems consistent with the 7MB/sec write speed of the device). Are you saying Eraser is just blindly writing to the media but not necessarily over the correct area?

2. I have recovery software that easily recovers deleted files but it can't recover Erased files on my USB flash memory.

 

[freestyle]

1. If I delete a very large file on my 1GB USB flash memory, it's virtually instant (since it is just updating the FAT). But if I use file Erase, it can take over 2 minutes (which seems consistent with the 7MB/sec write speed of the device). Are you saying Eraser is just blindly writing to the media but not necessarily over the correct area?

Yes. Erase works at the OS's level, not at the USB's key's level. A file erase using eraser will randomly write to cells on the USB key because the wear-levelling the USB key does once it receives the "write" command from the OS. What cells get written to are not dependent on the OS's write command but on the algorith used by the USB key.

2. I have recovery software that easily recovers deleted files but it can't recover Erased files on my USB flash memory.

That's because the USB key says that the old cells are "available" for rewrite (effectively telling the OS there's nothing there) - your program doesn't have access to the USB key's logic. If someone were able to access the USB key's logic (which I'm sure the manufacturer or a sufficiently sophisticated hack could), then the old copy (or what's left of it after random parts have been overwritten by the multiple random writes done by eraser) could be accessed. The only secure USB key is an encrypted one.

 

[EraseTheTrace]

i just ran my own test, BUT i only deleted the file, and i WAS able to recover it.

according to your logic this shouldnt even be possible.

 

[sd6]

Is this also true for USB MP3 players like Apple's Ipod Nano?

 

[Swifty]

It will work but your disk will die out quickly.

 

[Overwriter]

Hi All.

I have read this thread with some interest and I thought I would do my own experiment.

Using a Corsair 256MB Flash Drive I first zeroed the entire drive. Then I formatted it FAT32.

I made a large text file with some readable English text in it. I then saved the text file to the flash drive.

I opened the flash drive with my Hex Editor and took a note of where the file was on the flash drive. I was also able to read the English text.

Using the right click option of Eraser I erased the text file with a single pass random overwrite.

I then reopened the flash drive with my Hex Editor and checked the sectors I had previously taken note of. They had been overwritten with what appeared to be a DLL file. This is a feature of Eraser 5.84 that after a random wipe Eraser then selects a random DLL and copies it to the erased location in an effort to disguise the fact erasing had taken place.

I checked the entire flash drive for any data and I was unable to find any.

So it would seem for me that Eraser works ok on Corsair flash drives. This may be something to do with the capacity of the flash drive or the way Corsair works. I guess the only thing to do is to test the flash drive you are currently using with a varied number of test files of different sizes to make sure.

Remember safety first !

 

[douche.fun]

I thought it wrote over data in a pattern... Not randomly.

 

[Overwriter]

Hi douche.fun

I am a bit worried about your username ! :?


You can select how Eraser overwrites data. You can even make your own patterns.

I usually choose a random pass.

 

[Bugles]

I am researching do-it-yourself bootable flash drives, (namely Damn Small Linux) and I want to use an old 512 flash drive. I also would prefer the contents erased by a good program like eraser. So, I have some questions after reading this post:

Overwriter, I do not know what you mean by seroing the drive. (are you talking about low level formatting?) I assume you wrote a large text file, but not a 256MB text file. Was there data on the drive before you reformatted in FAT32?

Anyway, if there was daata on the drive before you "zeroed" and reformatted, and you could not find any data after erasing. Then I would say all we need to do is "zero" our drives, and reformat. No need for eraser! You are a genious Overwriter! (sarcasm, if yo ucan't tell)

Anyway, please let me know the answers to the first paragraph questions.

 

[Overwriter]

Hi.

Overwriter, I do not know what you mean by zeroing the drive.

I used a hex editor to write zero’s to the entire drive.

Was there data on the drive before you reformatted in FAT32?

Only the zero’s written with the hex editor.

Anyway, if there was daata on the drive before you "zeroed" and reformatted, and you could not find any data after erasing. Then I would say all we need to do is "zero" our drives, and reformat.

You could do that but it would mean when you wanted to erase a 1KB text file you would have to copy all the data you wanted to keep from your flash drive and save it to another disk then zero and format the entire flash drive which could now be as much as 16GB ! Then copy all your data back to the flash drive.

No need for eraser!

Unless you want to go through the procedure in the paragraph above then you do need Eraser, or a hex editor.

 

[eskdaleman]

Erasing USB Keydrives

I have recovery software that easily recovers deleted files but it can't recover Erased files on my USB flash memory.

I have exactly the opposite experience. Using oo-software Unerase most of the images I had erased on a USB drive were recovered and readable by Paint Shop Pro. Some had been corrupted, probably because they had been deleted some time ago and before the drive had been re-used several times. I erased them again, and recovered them again easily. I then used the 'erase unused drive space' option and that did the trick.
Thanks to others on this forum I have been alerted to the risk on USB drives.

 

[Overwriter]

Hi eskdaleman

I then used the 'erase unused drive space' option and that did the trick.

Are you saying that after a full wipe you were unable to recover data ?

 

[reboot]

Sorry, I still don't get it.

Instead it writes it to unused blocks...The old data will be marked as "old", and will not be erased until the block has to be reused...
Even doing a complete wipe of a key doesn't guarantee that you'll overwrite every cell in the usb key!

My thought was that if I fill the whole key with data there are no more unused blocks. So there are cells (memory) above the specified storage size?
So if I put a 1GB file on a 1GB stick there's some additional memory that still holds old data?

 

[Excelsius]

I am glad I found this forum because I was almost going to say that Eraser doesn't work. I did a single pass on my 4GB Titanium flash drive. I was able to recover files. Then, on top of it, I did another 3 passes and again I recovered total of 229MB of files. Here is the report:

334 file headers were found. 45 files were retrieved. 9 are supposedly incomplete or corrupt.

This is from the best file recovery available: WinHex X-Ways Forensic (15.1). The retrieval took over four hours and 12 minutes. I can imagine that a 300GB hard drive will take days to process at 1gb/hr = 300hrs, so about 13 days!!!! (More precise, 1:03 hr per 1 GB, 300GB= 315hrs=13 days, 3 hours).

Unfortunately, I don't have a small hard drive, but I really want to do this test because this USB deal made me feel insecure about Eraser and any other "erasing" program. I think that the developers should have clearly stated that you CANNOT delete files from USB drives right in the software description. I really shouldn't had to come here to find out that's the case. At least thanks for the truecrypt suggestions.

Anyway, I want to do this test on a hard drive and I have some questions first. When eraser overwrites data, does it replace the files with something? I read someone here saying that Eraser replaces files with dll. Are there any other files? I have attached an image showing all the files that were recovered. You can see the dll files which were probably created by eraser, but there are other files as well. The thing is that even though the files are there, I have not been able to open or view any of them. But since the data is there, I have to assume that given the right programs and expertise, someone might be able to open them. This is why I want to know which files on that list were created by Eraser.

Finally, I'd like to hear some suggestions about the test. The way I am thinking about doing it is:

1. Create different types of files on the hard drive (text, video, music, zip, rar, exe, window OS files) and save a copy of all these files on another HD to compare it to recovered data later.
2. Format the hard drive
3. Use Eraser to erase all empty space using 7 passes DoD (if I can find a smaller HD, I would like to try one and then three passes first).

If you have any suggestion about it, let me know. Meanwhile it seems that once you have sensitive data on USB, you can never sell it - must destroy it unless you create a 256 bit encryption using truecrypt right from the start. One thing I don't get is how can USB drives retain the old data even when you fill the entire memory with new data. I'd think that the old data would have to be erased to make space for the new data.

All our hard drives are headed to the USB drive direction. I sure hope someone develops a reliable eraser for that technology.

 

[Joel]

First I would like to thank you for spending the time into researching the reliability of Eraser. Your effort is greatly appreciated. Now I'd like to state that my post will not attempt to defend or support any stance but rather a neutral standpoint.

I'd like to start by outlining what Eraser does in a free space erasure. Eraser will fill the drive with files to overwrite unused space then fill the MFT with random file names in hopes to erase them. This should get rid of almost all files (I'm yet to find any case in which files are recoverable, yours may well be the first.) This explains your ability to recover files (or supposed files), but the inability to recover the file contents.

A quick explanation as to how such recovery programs work probably is going to be helpful. These "deep" scanning programs scour the whole disk for patterns which indicate a file. Open up a JPEG in Notepad if you don't believe me - the files always start with (some seemingly random data) then JFIF (I can't remember the header exactly, but something to that effect). Certain patterns indicate certain types of files - so scanning the whole drive for such patterns will give the recovery program "data" to recover, or data it thinks is valid.

Why you are unable to recover the files however is hypothetically due to the fact that these headers are there because it was generated by Eraser. Eraser's randomness source told it to write data that is identical to such a header, "fooling" the recovery program into believing that the file exists when the data is in fact, all rubbish. Filenames arise from the same cause: they are after all stored in a certain pattern that the OS uses to distinguish file data from unallocated space.

You are right in that some of the files are there due to the plausible deniability code in v5; that's been made optional in v6. Those are the DLLs at the top of the list. Hopefully I've replied to your question (somewhat). Feel free to ask for clarification if necessary.

Joel

 

[Excelsius]

So are you saying that Eraser works only partially on USB drives? I think that was already pretty much discussed in this thread - that Eraser can't completely erase USB drives because the data is stored over the entire empty space.

While I am unable to open the files myself, I think that a professional could be able to open those files. What I want to know is whether these files would still be recovered if I had used a regular hard drive.