
Slack space appears when a file written to the disk does not occupy the last cluster entirely. For example, if I write a 512B file on an HDD formatted with 16KB clusters, only a single 512B sector will be written physically. The remaining 15.5KB will not be modified, potentially leaking sensitive data.

Flash memory, however, is substantially different. While write operations can work on single pages which may be smaller than cluster size, flash needs to be erased before it can be written to. Typical erase blocks are substantially larger (512KB to several MB), well above typical cluster sizes.

So, unless I use a filesystem with very large clusters, do I ever have to worry about securely erasing slack space on SSDs or SD cards?

Dmitry Grigoryev
  • I would say no, you don't need to worry about it. But mostly because you can't. See http://security.stackexchange.com/questions/12503/can-wiped-ssd-data-be-recovered for some discussion of the difficulties in securely erasing anything from SSDs – Matthew Jan 14 '16 at 11:29
  • Well, I still can overwrite slack space manually. At least this will certainly prevent data recovery using imaging software. The question is, do I need to? – Dmitry Grigoryev Jan 14 '16 at 12:41
  • @Matthew's argument was, don't bother deleting it, since you should encrypt everything on an SSD. SSD firmware remaps sectors on almost every write for wear leveling, which makes it impossible to reliably delete anything from an SSD. If you try to overwrite the slack space, what's likely to happen is that the SSD will overwrite some other empty space and remap the slack space onto that, leaving the old slack space around somewhere you don't know. – Lie Ryan Jan 14 '16 at 12:57
  • No, sectors which are remapped after being overwritten are known to contain no useful data, so the garbage collector will erase those pretty quickly. Of course, if you erase a lot of files at once, the actual data may still be there for an hour or so (enough for the FBI to restore it if you erased files as they rang the doorbell, but that's not the use case I consider). – Dmitry Grigoryev Jan 14 '16 at 13:11
  • Also, "some other empty space" is by definition outside of reach of disk imaging software, so overwriting gives you at least some kind of protection, even if your SSD doesn't collect dirty sectors reliably. – Dmitry Grigoryev Jan 14 '16 at 13:26
  • If you have TRIM enabled and working correctly, the device should erase unused pages for you. The advice to do block-level encryption is sound: it's fast on modern systems with AES hardware and guarantees anti-forensics if you delete the key. – pjc50 Jan 14 '16 at 16:44
  • @pjc50 Indeed it is, only if you wipe a single file, you can claim you never had it. If you delete the master key and thus wipe the entire drive, it will look like you're hiding something. – Dmitry Grigoryev Jan 14 '16 at 19:57
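To make the arithmetic in the question and the "overwrite slack space manually" idea from the comments concrete, here is an added example (not from the question or any of the commenters). It assumes the caller knows the filesystem's cluster size, and the erase-block helper assumes a hypothetical linear layout of logical clusters onto flash with no remapping, which is exactly what an FTL does not guarantee; the point of that helper is only to show how small slack is relative to an erase block. The wipe routine implements the classic filesystem-level technique of padding the last cluster with fill bytes and truncating back, which replaces old data on an in-place filesystem on magnetic media but, on flash, writes a fresh physical page and leaves the old one to the controller's garbage collector.

```python
import os
import tempfile


def slack_bytes(file_size: int, cluster_size: int) -> int:
    """Unused bytes in the last cluster of a file of file_size bytes.

    A file whose size is an exact multiple of the cluster size has no slack.
    """
    if cluster_size <= 0:
        raise ValueError("cluster_size must be positive")
    remainder = file_size % cluster_size
    return 0 if remainder == 0 else cluster_size - remainder


def slack_erase_blocks(file_size: int, cluster_size: int,
                       erase_block_size: int) -> range:
    """Indices of the erase blocks the slack region would occupy if the file
    were stored contiguously from offset 0 with no remapping.

    Hypothetical linear layout (assumption for illustration): a real FTL
    remaps pages, so this only shows that the slack region is far smaller
    than one erase block, as the question argues.
    """
    if erase_block_size % cluster_size:
        raise ValueError("erase block must be a multiple of the cluster size")
    slack = slack_bytes(file_size, cluster_size)
    if slack == 0:
        return range(0)
    first = file_size // erase_block_size
    last = (file_size + slack - 1) // erase_block_size
    return range(first, last + 1)


def wipe_slack(path: str, cluster_size: int, fill: bytes = b"\x00") -> int:
    """Overwrite the slack of `path` at the filesystem level.

    Extends the file with `fill` bytes up to the next cluster boundary,
    forces the data out with fsync, then truncates back to the original
    size so the logical length is unchanged. Returns the bytes written.
    """
    original_size = os.path.getsize(path)
    slack = slack_bytes(original_size, cluster_size)
    if slack == 0:
        return 0
    pattern = (fill * (slack // len(fill) + 1))[:slack]
    with open(path, "r+b") as f:
        f.seek(0, os.SEEK_END)
        f.write(pattern)
        f.flush()
        os.fsync(f.fileno())      # make sure the padding reaches the device
        f.truncate(original_size)
        f.flush()
        os.fsync(f.fileno())
    return slack


def demo(file_size: int = 700, cluster_size: int = 4096) -> tuple:
    """Create a constructed sample file, wipe its slack, and return
    (slack computed, bytes written, file size after the wipe)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        with open(path, "wb") as f:
            f.write(b"A" * file_size)      # constructed sample content
        expected = slack_bytes(file_size, cluster_size)
        written = wipe_slack(path, cluster_size)
        return expected, written, os.path.getsize(path)


if __name__ == "__main__":
    print(demo())
    # The question's case: 512 B file, 16 KiB clusters, 512 KiB erase blocks.
    print(list(slack_erase_blocks(512, 16 * 1024, 512 * 1024)))
```

On a copy-on-write filesystem (btrfs, APFS, ZFS) the rewritten cluster is itself placed elsewhere, so even at the filesystem level the old tail may survive; the reliable mitigation the comments converge on, full-disk encryption with key destruction, does not depend on where any individual page ends up.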

0 Answers