Permanently delete files from a flash drive

43

10

I heard some people mention that files are deleted from flash drive for good, there is no tracing back. Is that really true?

If not, how do I permanently delete files from it? I have a sensitive file on a flash drive and before passing the flash drive around, I want to make sure nobody will be able to see that file.

TPR

Posted 2011-12-26T21:46:48.603

Reputation: 1 363

23Flash drives are cheap, if it is that sensitive, don't pass it around. Why take chances? – JonnyBoats – 2011-12-26T22:13:42.850

1@JonnyBoats I plan to use this flash drive at home, but it's very possible one of the family members gives it to somebody else accidentally. I just wanted to be safe. – TPR – 2011-12-27T01:27:16.687

2Unless people are going to access the chips directly, overwriting once may be good enough. Some drives have "spare" cells they swap in to level wear and to replace bad cells. So overwriting more than once may get the spare cells. In the future I would suggest encryption with a strong password, then deleting/formatting may be enough. – Scott McClenning – 2011-12-28T23:07:13.693

2All you really need to do is erase everything, fill it up with junk, and then erase again. The odds of anything significant remaining would be vanishingly small, and would take black helicopters to recover. – Daniel R Hicks – 2013-02-06T23:58:45.137

Answers

76

The best delete tool that (little) money can buy:

[image]

EDIT: To counter the detractors

  1. No one mentioned the need for government level security, so arguments with that objective are pointless goalpost shifts. This is good enough for anyone who isn't James Bond or Bruce Wayne. P.S. Governments sanction shredders. What is a hammer but a high velocity shredder?
  2. Of course you need to bust up the storage chips within the thumbdrive. I thought that went without saying.
    • "Doctor, I got that bottle of pills from you but they did nothing!"
    • "Did you take the pills out of the bottle."
    • "No."
    • ಠ_ಠ

Furthermore, I did include instruction on how to do a thorough logical wipe of the thumbdrive.

END EDIT

Don't take chances. Flash drives are cheap and yes, data can be recovered from them. I've done it myself. You could DBAN it. You could also cipher /w a few times on a Windows machine (dd if=/dev/zero bs=2048 of=/mnt/disk/file on a *NIX machine). However, hitting things with a hammer is so much more fun and permanent.

Wesley

Posted 2011-12-26T21:46:48.603

Reputation: 4 359

2You'll have to hit really hard, several times. Just breaking the outer plastic shell is not enough, you need to destroy the SMD chip inside. Otherwise it's about the same security as overwriting the data on the flash media (e.g. recovery may be still possible in a well-funded electronics lab) – haimg – 2011-12-27T17:39:32.857

1The government does not use hammers to destroy data- this answer is misleading and does not deserve upvotes. Using BIOS IMPLEMENTED LOW LEVEL FORMAT GUARANTEES TO WIPE DATA TO GOVERNMENT STANDARDS! Then you can incinerate it if you want.. but even a cracked SMD can be recovered!! You can use HDD LLF Low Level Format Tool – Piotr Kula – 2011-12-27T19:25:04.330

2Governments use shredders for data destruction. A hammer is a high velocity shredder. If someone needs to be told to break the chip and not just the plastic shell, they need more help than a Q/A site can give them. Also, no one mentioned governments until just now, so that's a bit of a goalpost shift. – Wesley – 2011-12-27T20:03:25.937

8@ppumkin: I wouldn't trust such "BIOS IMPLEMENTED LOW LEVEL FORMAT"s for flash drives. Flash based media such as flash drives and SSDs have something called "wear-leveling" which happens at the hardware level. How to securely wipe data from such media is still an open question. Physical destruction is the only way to be sure. – Scott Pack – 2011-12-27T20:27:49.663

@ScottPack If you do a LLF on a SSF, the clustering (the wear leveling) gets reset and can never be reconstructed again - because the clusters have been overwritten with new wear-leveling data, hence the data is gone. The same applies to HDD - if you take the PCB away from the HDD.. The ROM contains the data clusters - without that it's just a pile of random bits. Just on an HDD there is no need to implement the wear-level method. Even the best forensics detectives will cringe when they have to recover data without the cluster data – Piotr Kula – 2011-12-28T20:26:08.323

6@ppumkin: The Low Level Format that you're talking about was pretty much non-existent by late '90s for end-users. Some manufacturers do have their own tools which can do something similar (such as Seagate's SeaTools). However they were designed to work with the automagic bad sector recovery of magnetic disks. These days you're not likely to see an old school LLF outside of the factory. – Scott Pack – 2011-12-28T21:31:32.267

3@ppumkin The ATA command 0x50 (Format Sectors) doesn't actually format anything anymore (not since the mid-90s at best). On platter drives the command is implemented as ATA command 0xC0 (Erase Sectors). On flash media it usually only marks the block as free, it commonly doesn't erase the contents of the block. Further, USB drives use the SCSI command set, and the SCSI command 0x04 only ensures that the disk is formatted and that a standard read command will return 0s. It does not force the drive to format (if that were even possible) and does not guarantee the actual erasure of the media – Chris S – 2011-12-29T20:44:00.097

Strange... Because I tested that on platter drives and SSDs - using a few nice tools winhex forensics, mhdd, pc3k... seems that the BIOS erase works pretty well - and yes - it is still used to fix bad sectors - especially after p-listing... – Piotr Kula – 2011-12-29T20:49:19.400

3If you are re-using the (magnetic) media and do a proper 7-pass wipe you've met or exceeded any reasonable standard of "non-recoverable". This however is less applicable to flash media because of wear leveling. In either case the only sure-fire way to irrevocably and irretrievably remove a file from any media is destruction of that media (i.e. "Bash it until it's dust, then bash the dust some more to be safe!") – voretaq7 – 2011-12-29T20:58:43.663

4Worth knowing that on drives using perpendicular storage a single pass wipe is identical to multiple. – Chopper3 – 2011-12-29T21:01:45.183

2@ppumkin Flash media is not magnetic media. It is vastly more complex in terms of its on-board software, which is geared toward extending the life of the flash memory (rather than any goal of data security or strict obedience to a particular disk command set). Even if you have one example of a drive that doesn't wear-level and properly/fully erases when told to you can't guarantee that all drives will behave that way. Nuking from orbit is the only way to be sure when removing sensitive data. – voretaq7 – 2011-12-29T21:02:52.133

1Nuking from space (+1) and smashing to dust- yes.. destroys everything.. but bashing a few times with a hammer.... not really- that's all I am saying.. INCINERATE IT :) – Piotr Kula – 2011-12-29T21:09:04.000

1

@ppumkin also, re: what "The Government" does, The US Government sanctions physical destruction in many cases, and mandates it for certain types of classified data. Refer to NIST PUB 800-88 and DoD 5220.22M

– voretaq7 – 2011-12-29T21:15:43.943

@ppumkin absolutely - the standard for "hammer erasure" is "pulverized" (when you're done there should be dust, maybe with a few chunks of plastic). That's half the fun of hammer erasure is landing 2-3 good whacks on an old HDD and then shaking it like a Maraca before finishing the job :-) – voretaq7 – 2011-12-29T21:17:39.313

It was requested by the government on the basis you mentioned to be implemented into each Intel-based computer so that data can be disposed of in a safe way to reuse hardware on low level security (e.g. public health sector, which is always underpaid). Any high level security hardware.. gets nuked from orbit or smashed to dust.. not banged with a hammer.. or melted into a door stop. – Piotr Kula – 2011-12-29T21:18:05.827

@voretaq7: Just FYI: It's been proved that doing a 7-wipe is worthless with today's magnetic spinning hard drives. They are unrecoverable after a single wipe sequence. Not even forensics can't recover anything any more... Density is way too high and magnetic surface has advanced way too much... And I seriously doubt that we have data interesting for forensics or at least data that would justify such drive recovering. – Robert Koritnik – 2011-12-30T14:52:04.330

Similar method: http://www.ctsweep.com/blog/wp-content/uploads/2011/10/fireplace-by-krazy79.jpg

– stommestack – 2013-06-03T18:55:55.930

29

It depends on who your adversary is. If it is a casual user, e.g. friend/coworker/spouse/etc., then preventing regular undelete is good enough: format the flash drive, then fill it with random/non-private files till it's 100% full, then format the flash drive again. Your original sensitive data will be gone for good, and unrecoverable using undelete tools or direct scan of the drive.

However, if your adversary is a major corporation, government, etc., then the only safe course is to destroy the media physically, e.g. burn your flash drive in a high-temperature industrial oven.

haimg

Posted 2011-12-26T21:46:48.603

Reputation: 19 503

1@MattH When he says the "original sensitive data" will be gone, I think he means that it is no longer possible to retrieve the original file with all data intact, whereas if your adversary is a "major corporation, government..." portions of the data may be recoverable, but not in its original, unaltered state. – WillS – 2015-11-24T08:46:47.220

2For casual users, just deleting the files normally is sufficient - most of them don't even realize files can be undeleted. And destroying a perfectly good flash drive (as with @Wesley's answer) because you are afraid your Great Aunt Sue is going to figure out how to access the raw wear-leveled data to recover your dirty photos is paranoid to an unhealthy level. – BlueRaja - Danny Pflughoeft – 2011-12-28T00:35:49.647

3@BlueRaja: For a casual user, undelete is at the far end of "how to restore deleted photo" google query... Certainly within reach of Great Aunt Sue. And as I said, destroying your media physically is only needed if your adversary is very well-funded and resourceful. – haimg – 2011-12-28T01:03:03.120

1"Your original sensitive data will be gone for good...", "However, if your adversary is..." You mean it's not gone for good? are you sure you know what you're talking about? – Matt H – 2013-01-10T04:15:00.577

22

There's an excellent free open-source program called Eraser that removes data by overwriting it with your choice of data patterns - high level security for data erasure.

But - there is a big issue with flash drives when erasing by overwriting. The problem is the "wear leveling" methods used on solid state drives, which writes in a different place each time you add or replace data. There is a full explanation and discussion at Erasing USB key Drives

The short answer - erase the file but also use the "erase open space" function in the Eraser program. This overwrites all unused space, including the earlier version of your file.

Dave Becker

Posted 2011-12-26T21:46:48.603

Reputation: 2 572

3

+1 for http://eraser.heidi.ie/ on Windows.

– Nick Josevski – 2011-12-27T05:36:32.020

13

Because of wear leveling of modern flash devices, it's not under your control. You think you've overwritten your data 25 times, it may still be there. If you want to store sensitive data on a flash device, use an encrypted container like TrueCrypt, so you won't be in trouble when you lose the device (unless you give away the key).

ott--

Posted 2011-12-26T21:46:48.603

Reputation: 1 911

Can't you just use an encrypted 7zip with a strong password? – Jonathan – 2015-02-13T08:45:25.680

also make sure it is encrypted before copying to the drive. – jiggunjer – 2016-01-07T02:39:05.177
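The wear-leveling behaviour described in this answer and in Dave Becker's answer above, as an added example that is not part of any post: a toy model of a flash controller that compares what the host can read back after an overwrite with what is still on the chip. The `ToyFlash` class, its oldest-first garbage collection and the 8 logical plus 4 spare page layout are assumptions chosen for illustration; real controllers use other policies.

```python
import os

PAGE = 16                                # toy page size in bytes
SECRET = b"SECRET-PAYROLL!!"             # constructed sample data, one page


class ToyFlash:
    """Hypothetical flash translation layer, not any real controller."""

    def __init__(self, logical_blocks, spare_blocks):
        if spare_blocks < 1:
            raise ValueError("model needs at least one spare page")
        total = logical_blocks + spare_blocks
        self.logical_blocks = logical_blocks
        self.pages = [None] * total      # raw chip contents, None = erased
        self.mapping = {}                # logical block -> physical page
        self.free = list(range(total))   # erased pages ready to program
        self.stale = []                  # superseded pages, oldest first

    def write(self, lba, data):
        if not 0 <= lba < self.logical_blocks:
            raise IndexError(lba)
        if not self.free:                # assumed policy: erase only when forced
            victim = self.stale.pop(0)
            self.pages[victim] = None
            self.free.append(victim)
        page = self.free.pop(0)          # new data never lands on the old page
        self.pages[page] = data
        if lba in self.mapping:
            self.stale.append(self.mapping[lba])
        self.mapping[lba] = page

    def host_sees(self, needle):
        """Search through the logical interface, as any wipe verifier must."""
        return any(self.pages[p] == needle for p in self.mapping.values())

    def chip_holds(self, needle):
        """Search every physical page, as a direct read of the chip would."""
        return needle in self.pages


def fresh_drive(secret_lba, logical=8, spare=4):
    drive = ToyFlash(logical, spare)
    for lba in range(logical):
        drive.write(lba, SECRET if lba == secret_lba else os.urandom(PAGE))
    return drive


def overwrite_file(secret_lba, passes):
    """shred-style: rewrite only the block holding the file."""
    drive = fresh_drive(secret_lba)
    for _ in range(passes):
        drive.write(secret_lba, os.urandom(PAGE))
    return drive.host_sees(SECRET), drive.chip_holds(SECRET)


def overwrite_drive(secret_lba, passes):
    """Whole-device wipe: rewrite every logical block in order."""
    drive = fresh_drive(secret_lba)
    for _ in range(passes):
        for lba in range(drive.logical_blocks):
            drive.write(lba, os.urandom(PAGE))
    return drive.host_sees(SECRET), drive.chip_holds(SECRET)


if __name__ == "__main__":
    for label, result in [
        ("file, 1 pass", overwrite_file(7, 1)),
        ("file, 5 passes", overwrite_file(7, 5)),
        ("drive, 1 pass", overwrite_drive(7, 1)),
        ("drive, 2 passes", overwrite_drive(7, 2)),
    ]:
        print(f"{label:16} host sees: {result[0]}  chip holds: {result[1]}")
```

In this model the secret survives one whole-drive pass when it sits in block 7 but not when it sits in block 0, and the host-side check reports it gone in every case, so reading the drive back cannot confirm the erase.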

8

Use shred.

shred /dev/sdx -n 25 

should clean your drive well.

Loke

Posted 2011-12-26T21:46:48.603

Reputation: 81

1It will, because when the drive gets full, it will be forced to write at every location. – Loke – 2011-12-28T05:15:24.270

4

I heard some people mention that files are deleted from flash drive for good, there is no tracing back. Is that really true?

No. Files start with a bit referred to as a flag. When you delete a file, what you are doing is actually setting the flag off, which tells the computer that the space is now free to hold new data.

If you really want to destroy the data on a disk, you need to repeatedly overwrite the data with a random mixture of 0's and 1's. Just doing a format won't work because someone with the proper sniffing hardware & software can restore and reset the flags so the data can be read.

  1. One way you can do this without anyone's help is, write_data - delete_data - write_data - delete_data - write_data - delete_data :) (ensure every bit of the drive gets written to, and that what you write is sufficiently random)

  2. Use a file shredder. Google it and you'll get many free file shredders. If you have Bitdefender, I've seen a file shredder built into that.

COD3BOY

Posted 2011-12-26T21:46:48.603

Reputation: 189

1Just write data - delete data is a bit simple: you need to ensure every bit of the drive gets written to, and that what you write is sufficiently random, else there might still be ways to detect what data used to be there. – Konerak – 2011-12-27T15:17:38.027

1@Konerak edited the answer to include your points too :) – COD3BOY – 2011-12-27T15:32:01.970

3

I plan to use this flash drive at home, but it's very possible one of the family members gives it to somebody else accidentally. I just wanted to be safe. – progtick

In that case, you won't have the chance to delete the files beforehand anyways.

Just encrypt your files, and don't worry about deleting them if the drive is ever lost - no one will be able to access them without the password.

BlueRaja - Danny Pflughoeft

Posted 2011-12-26T21:46:48.603

Reputation: 7 183

2No, I already know what files I need to delete. I don't usually put sensitive files on flash-drive anyway, but somebody in family did. I don't want to now throw away the flash-drive yet, since we are primarily using it at home, so I just wanted to delete the particular files. – TPR – 2011-12-28T00:50:28.730

3

I heard some people mention that files are deleted from flash drive for good, there is no tracing back. Is that really true?

Yes and no; it depends on your definition of “gone for good”.

What they were likely talking about was that deleting a file from a flash-drive is always equivalent to holding ⇧ Shift when deleting the file.

This is because Windows only puts a Recycle Bin on fixed volumes like hard-drives, not removable volumes like flash-drives, memory cards, floppy disks, packet-writing CD+RWs, network drives, or substituted drive letters (even ones mapped to fixed-disks). Therefore, if you delete a file in Windows from a hard-drive with just Del instead of ⇧ Shift+Del, you should be able to restore it from the Recycle Bin, but deleting a file from a removable media with Del is the same as using ⇧ Shift+Del to permanently delete it since it has no Recycle Bin.

However, for performance reasons, permanently deleting a file doesn’t actually delete the file. Instead, the system only marks it as deleted and its disk-space as free for use by new files. Until its clusters are overwritten by other files, it can theoretically be recovered, and if there is a lot of free space, then it could take a while before it gets overwritten—of course if you are actually trying to recover an accidentally deleted file, it is likely to be immediately overwritten even with plenty of free space (ಠ_ಠ).

If not, how do I permanently delete files from it? I have a sensitive file on a flash drive and before passing the flash drive around, I want to make sure nobody will be able to see that file.

Use a secure-deletion tool. They will overwrite the file before deleting it. The better ones also delete the directory entry to wipe out even its filename and the best will even overwrite its meta-data like its size and timestamp. Some can also wipe existing free space which can be handy to wipe previously deleted files, however it can take a while if there is a lot of free space since it is writing to every byte of that space, e.g., wiping a drive with 300GB of free space is like creating a 300GB file. Most provide one or more techniques like different patterns of bytes to overwrite with and number of repetitions.

Synetech

Posted 2011-12-26T21:46:48.603

Reputation: 63 242
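The difference between a normal delete and a secure-deletion tool, as described in the answer above, shown as an added example that is not part of the original post. It uses the FAT directory-entry layout (32-byte entries, first byte set to 0xE5 on delete); the toy volume, its 64-byte clusters, the contiguous-file simplification and the sample file are constructed for illustration.

```python
import os
import struct

ENTRY = 32            # size of one FAT directory entry
CLUSTER = 64          # toy cluster size; real volumes use 512 bytes or more
DIR_ENTRIES = 4
DATA_START = ENTRY * DIR_ENTRIES
DELETED = 0xE5        # FAT flags a deleted entry by setting its first byte to 0xE5
CONTENT = b"acct 12-3456 pin 0000 (constructed sample)"


def cluster_offset(cluster):
    return DATA_START + (cluster - 2) * CLUSTER   # FAT numbers data clusters from 2


def build_volume():
    """Toy volume: one directory block, then data; files assumed contiguous."""
    vol = bytearray(DATA_START + 4 * CLUSTER)
    # name, extension, attributes, 10 reserved bytes, time, date, cluster, size
    entry = struct.pack("<8s3sB10xHHHI", b"TAXES   ", b"TXT", 0x20,
                        0x6000, 0x3F9A, 2, len(CONTENT))  # time/date constructed
    vol[0:ENTRY] = entry
    start = cluster_offset(2)
    vol[start:start + len(CONTENT)] = CONTENT
    return vol


def quick_delete(vol, index):
    """What Del / Shift+Del does: flag the entry, leave everything else."""
    vol[index * ENTRY] = DELETED


def secure_delete(vol, index):
    """What a secure-deletion tool adds: overwrite data, then scrub metadata."""
    off = index * ENTRY
    cluster, size = struct.unpack_from("<HI", vol, off + 26)
    start = cluster_offset(cluster)
    vol[start:start + size] = os.urandom(size)
    vol[off:off + ENTRY] = bytes([DELETED]) + bytes(ENTRY - 1)


def leftovers(vol):
    """What a scan of deleted entries still reveals: (name, size, data)."""
    found = []
    for index in range(DIR_ENTRIES):
        raw = bytes(vol[index * ENTRY:(index + 1) * ENTRY])
        if raw[0] != DELETED:
            continue
        cluster, size = struct.unpack_from("<HI", raw, 26)
        start = cluster_offset(cluster) if cluster >= 2 else DATA_START
        found.append((raw[1:11], size, bytes(vol[start:start + size])))
    return found


if __name__ == "__main__":
    quick, secure = build_volume(), build_volume()
    quick_delete(quick, 0)
    secure_delete(secure, 0)
    print("after normal delete:", leftovers(quick))
    print("after secure delete:", leftovers(secure))
```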

3

If you want to be absolutely sure that nobody will be handling the drive again, a generous application of suspect liquid to the circuit board should take care of both the data on the chips and prevent people from handling it.

Pauska Sock

Posted 2011-12-26T21:46:48.603

Reputation: 147

3What do you mean by suspect liquid? – Revetahw says Reinstate Monica – 2016-10-04T21:50:32.927

2

Depends. If you just want to make sure no one can recover the data with regular file recovery/carving tools: Overwrite the flash drive with random data using Linux (dd if=/dev/urandom ... or the already mentioned shred). Alternatively, if you have no such tools available, format it (this will destroy the metadata), then fill completely with irrelevant data, then format again. This is less reliable than the proper, tool-assisted method, but should be sufficient for data of low sensitivity.

If you want to delete an individual file (unreliable, not recommended), rename it to a random name, then delete it, then fill the drive completely with irrelevant data.

These methods will not reliably prevent recovery that involves hardware manipulation ("laboratory attack"). If the data is so sensitive that you want to avoid this risk, follow the NIST Guidelines for purging flash-based media:

Purging: See Physical Destruction.

Physical destruction: Destroy media in order of recommendations.

  • Shred.
  • Disintegrate.
  • Pulverize.
  • Incinerate by burning in a licensed incinerator.

Jan Schejbal

Posted 2011-12-26T21:46:48.603

Reputation: 1 014

1

System Mechanic has a tool called Incinerator which does exactly what you are asking for.

Mike

Posted 2011-12-26T21:46:48.603

Reputation: 179

What exactly does this tool do? – Xen2050 – 2017-05-08T13:04:08.963

@Xen2050 It securely deletes files so they can't be restored. http://www.iolo.com/resources/articles/securely-delete-files-with-the-incinerator/

– Mike – 2017-10-06T12:50:27.277

Thanks for the link, that "Incinerator" tool has images like this one that imply overwriting a hard drive three times will still leave almost all the data easily recoverable (with an electron microscope... that's their threat model?), which might possibly have been true 30 years ago, but one overwrite is virtually unrecoverable today, two's probably paranoid overkill. Especially for a flash drive it's just wearing it out. PS The System Mechanic page says it costs $49.95 (Normally $49.95 Save $0.00)...so...

– Xen2050 – 2017-10-07T10:29:23.823

Ya, I wasn't advertising anything, just was giving a note of something I used that does what the original question asked. And of course there are other ways and free tools to do the same. But again, that price perhaps reflects other features of the software or something.. – Mike – 2017-10-07T10:32:09.767

Can it securely delete specific files and not the whole drive? – Joe Black – 2018-10-26T16:08:04.657

Commercial-ware – Hrobky – 2019-08-28T11:47:17.397

1

If your drive supports one of these commands, you're in luck:

sg_sanitize - remove all user data from disk with SCSI SANITIZE command

or similar commands to hdparm:

   hdparm --security-erase PWD
          Erase  (locked) drive, using password PWD (DANGEROUS).  Password
          is given as an ASCII string and is padded with NULs to reach  32
          bytes.   Use  the  special  password  NULL to represent an empty
          password.  The applicable drive password is  selected  with  the
          --user-master  switch  (default  is  "user" password).  No other
          options are permitted on the command line with this one.

   hdparm --security-erase-enhanced PWD
          Enhanced erase (locked) drive, using password  PWD  (DANGEROUS).
          Password  is given as an ASCII string and is padded with NULs to
          reach 32 bytes.  The applicable drive password is selected  with
          the --user-master switch (default is "user" password).  No other
          options are permitted on the command line with this one.

MikeyB

Posted 2011-12-26T21:46:48.603

Reputation: 1 232

-1

At the time of formatting, unselect the Quick format and start. It will take time but fully deletes all the data and no other recovery app can back it up.

Diptangshu Mandal

Posted 2011-12-26T21:46:48.603

Reputation: 1

-2

If physical destruction is warranted I would go for an angle grinder - a cheaply available tool. Hold the piece with a pair of pliers against the rotating disc until the chip is consumed.

Sometimes the flash drive is damaged and you can't delete/overwrite data on it and you just want to destroy it before disposing of it.

Note: wear eye protection in case the piece flicks off.

Basel Shishani

Posted 2011-12-26T21:46:48.603

Reputation: 179

1

-1! DON'T DO THIS! It's super dangerous! You don't hold things with pliers up against an angle grinder, you need both hands to use an angle grinder, not balancing it in one hand and pushing pliers in your other hand towards the cutting disk. Or rig the grinder to run without touching it. Eye protection won't help you when your hand slips into the angle grinder, or something worse happens. Even a hammer's a million times safer. Search youtube for angle grinder accidents and then never even think of doing something so crazy

– Xen2050 – 2017-05-08T13:20:31.540

-2

Here's a method I've cooked up after reading all these answers.

  1. Delete the target folder/file.
  2. Find a safe file that is just under 100 MB in size
  3. Create a folder called erase1 and place it there.
  4. Find out the amount of remaining free file space, divide this by three and then figure out how many 100 MB files should safely fill it.
  5. Copy and paste your safe file in erase1 until you've reached this 1/3 number, so now you have a folder with roughly one third free space now occupied in it by a bunch of safe 100 MB files...
  6. Copy this folder and call it erase2, and then try copying it again to erase3.
    If you can't fill up the remaining space, remove a few 100 MB safe files until erase2 copies to erase3.
  7. Delete erase2, copy erase3 and call it erase2a.
  8. Delete erase3, copy erase2a and call it erase3a.
  9. Delete erase2a and erase3a.
  10. Copy erase1 to erase1a.
  11. Delete erase1.
  12. Start the process over again

    1. So, copy erase1a to erase2b
    2. Delete the same number of 100 MB files as before
    3. Copy erase2b to erase3b.
    4. Delete erase2b
    5. Copy erase3b to erase2c.
    6. Delete erase3b
    7. Copy erase2c to erase3c.
    8. Delete erase2c and erase3c.
    9. Copy erase1a to erase1b and delete erase1a.

You could do it again, but probably two times is safe, delete the remaining erase1b folder and you should have overwritten everything in the open region of the flash drive.

Crude method, but if you only need to do it once it should work I think. Any comments out there?

John B Delphia III

Posted 2011-12-26T21:46:48.603

Reputation: 7

Will somebody come and collect their grandpa? – Hashim – 2017-10-23T21:35:53.373

5"Any comments out there?" Just one. Yikes. – thirtythreeforty – 2013-01-10T04:13:35.853

1Can you clean this post up? I would but I'm afraid. – slm – 2013-01-10T05:27:08.917

1nice try Great Aunt Sue – danjp – 2013-01-10T05:33:03.910

1Why would any person do this? CCleaner, a free tool, can do what this process does automatically. Besides, this process doesn't make it impossible to recover the files. – Ramhound – 2013-02-05T12:47:04.297

2Find a safe file that is just under 100 MB in size   Define “safe”. Would a blank file (e.g., filled with nulls) be safe? Not really; an NTFS volume with encryption would compress it and leave the free space unaffected. The same goes if the file is created as a sparse file. Unfortunately, things are not as simple as they were in the old FAT days when you could easily and manually ensure things were clean with a low-level disk editor in DOS. – Synetech – 2013-02-06T22:32:48.570