3

Let's say I have a pen drive of maximum capacity 20MB. Does this mean, that after an additional 40MB of data has been written to the drive, the first 20MB of data would be completely overwritten? Assume that it's never completely filled. At any point of time, there's always some free space (i.e., space that has been marked free), say about 2MB.

David
  • 15,814
  • 3
  • 48
  • 73
God San
  • 33
  • 1
  • 5
  • You're not very specific (what does "gone through" mean?), but a simple counterexample: copy 2 10M files, then delete and re-copy the second one twice. – AndrolGenhald Jan 19 '18 at 15:52
  • Assume that throughout its usage, there was a file which was transferred only once, and also during the first 20MBs, file size at around 10KB, and then deleted. So, after going through the first 40MB of data would this unique file be overwritten? – God San Jan 19 '18 at 16:06
  • "Gone through 40MB" as in, the total amount of data transferred up untill that point of time was >40MB. – God San Jan 19 '18 at 16:09
  • Still no, as your conditions don't guarantee that the drive is ever completely full. You could transfer & delete the 10K file, then transfer and delete another 10K file a few hundred times without the first being overwritten. There's also the issue of wear leveling: https://security.stackexchange.com/a/12506/151903 – AndrolGenhald Jan 19 '18 at 16:21
  • Thank you! So, when is recently freed space actually used again? Won't the fact that it has gone through upwards of 40MB(without being completely full)mean that some part of the pen drive was written on more than once? – God San Jan 19 '18 at 16:28

1 Answers1

5

Wear leveling on modern flash drives is a very complex topic, and the big manufacturers have all devised proprietary algorithms for it, so it's hard to give a general answer, but I'll attempt to.

  1. All modern flash drives have more flash space than is advertised to the OS. There are sections of flash that are used just for wear-leveling and replacement of bad sectors. These are not accessible from the operating system interface to the flash drive.
  2. Blocks are large compared to rotating media. It's not unusual to have erase blocks of a couple of MB in size.
  3. Wear leveling attempts to keep the average number of writes per block the same. Because statistical models are used in modern flash drives (expecting that files are naturally written to in a non-random fashion), this does not mean that in the short term, the number of writes per block will be the same.
  4. Some flash controllers compress data before writing it to flash because the controller is faster than the flash. This gives improved write speeds in benchmarks. Especially if you were to try to erase a flash drive by writing a bunch of \0 bytes to it.

Consequently, there is no point at which it is guaranteed that a given block has been overwritten, but there is an increasing probability of it. So how does one manage flash media properly to prevent the loss of confidential information to a determined adversary?

  1. Encrypt data going onto removable media in a secure fashion. Any kind of removable media should be encrypted (if permitted at all) in an enterprise dealing with sensitive data.
  2. If you need to ensure that media that was not encrypted is destroyed beyond retrieval, physically destroy the device, including all of the flash chips inside. I'm not aware of any forensics technique that will work on flash chips turned into multiple pieces.
  3. If you're dealing with an SSD and not a USB flash drive, you can try to perform an ATA secure erase. For major manufacturers, these appear to be implemented correctly.
  4. If the flash drive needs to be reused, your next best option is to completely fill the drive with random data multiple times. On Linux, you can use the shred utility, or dd if=/dev/urandom of=/dev/flashdrive bs=1M. shred is nice because it can do the multiple passes for you. Multiple passes are necessary to increase the likelihood of overwriting the sectors reserved for wear leveling.
David
  • 15,814
  • 3
  • 48
  • 73
  • What about the not so modern storage devices, specifically, the non-smartphones from around 2012? I mean, the non-smart phones that had very low internal storage (20MB). Would overwriting be just as difficult? – God San Jan 19 '18 at 17:32
  • The scenario that I was talking about in the main question, would it hold true in this case? – God San Jan 19 '18 at 17:42