[Dailydave] Forensics: USB fobs

William Watson wawatson at ntlworld.com
Wed Nov 1 00:57:49 Local tim 2006


As far as the 'normal' filesystem goes, there should be no image left of the
old file contents ...

HOWEVER ...

It seems that each USB memory device contains spare memory areas (around 3%
on a 1Gbyte device) which are used to implement "wear-levelling" (I guess in
much the same way that magnetic discs have spare sectors). Maybe it is these
spare areas which Autopsy can recover.

It is also "well known" that there is no secure way to delete the contents
of a flash memory device. Part of this is due to the spare wear-levelling
sectors; the rest ... ????

Cheers,

William

----- Original Message ----- 
From: "Dave Aitel" <dave at immunityinc.com>
To: "dailydave" <dailydave at lists.immunitysec.com>
Sent: Wednesday, November 01, 2006 10:34 AM
Subject: [Dailydave] Forensics: USB fobs


> Someone yesterday at a conference talk I went to told the crowd that
> you can overwrite a file (aka srm it) on a USB Key fob and it will
> still be there for Autopsy to see. That makes no sense to me. Can
> anyone verify this?
>
> -dave
>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
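
An added illustration of the wear-levelling behaviour discussed in this message (not code from the thread, from Autopsy, or from any real controller): a toy flash translation layer in Python showing why a host-side overwrite can leave the old data in a physical page the filesystem cannot address. The page counts, the first-in-first-out allocation policy and every name here are assumptions of the model.

```python
class ToyFlash:
    """Constructed model of a flash device with hidden spare pages."""

    def __init__(self, logical_pages=32, spare_pages=1):
        # 32 visible pages + 1 spare is roughly the 3% figure from the post.
        self.logical_pages = logical_pages
        self.physical = [None] * (logical_pages + spare_pages)
        self.l2p = {}                                 # logical -> physical map
        self.free = list(range(len(self.physical)))   # erased pages, FIFO
        self.stale = []                               # superseded, not yet erased

    def write(self, lpn, data):
        # Out-of-place write: flash cannot be rewritten in place, so new data
        # goes to a fresh physical page and the old page is only marked stale.
        if not self.free:
            self._garbage_collect()
        ppn = self.free.pop(0)
        self.physical[ppn] = data
        if lpn in self.l2p:
            self.stale.append(self.l2p[lpn])
        self.l2p[lpn] = ppn

    def _garbage_collect(self):
        # Erase the oldest stale page; only now is its content destroyed.
        ppn = self.stale.pop(0)
        self.physical[ppn] = None
        self.free.append(ppn)

    def host_view(self):
        # What the filesystem (and any overwrite tool) can address.
        return [self.physical[p] for _, p in sorted(self.l2p.items())]

    def raw_dump(self):
        # What a read of every physical page, spares included, returns.
        return [d for d in self.physical if d is not None]


def overwrite_demo(passes, spare_pages=1):
    """Return (secret visible to host, secret present in raw dump)."""
    dev = ToyFlash(spare_pages=spare_pages)
    for lpn in range(dev.logical_pages):      # fill the device first
        dev.write(lpn, b"filler")
    dev.write(7, b"SECRET")                   # the file to be "shredded"
    for _ in range(passes):                   # host-side overwrite passes
        dev.write(7, b"\x00" * 6)
    return b"SECRET" in dev.host_view(), b"SECRET" in dev.raw_dump()
```

In this model the stale copy lasts until the controller happens to erase that physical page, which the host neither sees nor controls.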


