[Dailydave] Forensics: USB fobs

Dave Korn dave.korn at artimi.com
Tue Oct 31 13:30:16 Local tim 2006


On 01 November 2006 10:34, Dave Aitel wrote:

> Someone yesterday at a conference talk I went to told the crowd that
> you can overwrite a file (aka srm it) on a USB Key fob and it will
> still be there for Autopsy to see. That makes no sense to me. Can
> anyone verify this?

  Big problem.  A flash disk pretends to be like an ATA drive but it isn't.
In particular you have flash filing system issues like wear-levelling and
bad-block remapping getting in the way.

  So when you overwrite the file, the flash controller allocates you a fresh
page of memory, and marks your old one stale.  Give it a 35-pass-Gutmann wipe
and you will have 35 stale pages, one with the original data and 34 with
overwrite data on them, and one fresh page with the data from the very final
overwrite pass.

  You'd have to do enough overwrites to work your way through the entire free
page list, then the least-recently-used-stale pages, until you finally got
back to the start and overwrote (meaning, flash-erase-plus-reprogram-cycle) the
original data from your file.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....
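
The behaviour described in the reply above, as an added example that is not part of the original post: a toy flash translation layer in which every logical overwrite is programmed to a fresh physical page and the old page is only marked stale. The `ToyFTL` class, the 64-page size, and the FIFO free list with least-recently-stale reuse are assumptions made for illustration; real controllers differ in policy and detail.

```python
from collections import deque

SECRET = b"original file contents"   # constructed sample data

class ToyFTL:
    """Hypothetical flash translation layer with out-of-place writes."""
    def __init__(self, physical_pages):
        self.pages = [None] * physical_pages       # raw flash, None = erased
        self.free = deque(range(physical_pages))   # erased pages, used first
        self.stale = deque()                       # superseded pages, oldest first
        self.map = {}                              # logical block -> physical page

    def write(self, lba, data):
        old = self.map.get(lba)
        if old is not None:
            self.stale.append(old)                 # old copy stays readable on raw flash
        if self.free:
            phys = self.free.popleft()
        else:
            phys = self.stale.popleft()            # reuse least-recently-stale page
            self.pages[phys] = None                # flash erase before reprogram
        self.pages[phys] = data
        self.map[lba] = phys

    def read(self, lba):
        """What the host (and srm) sees through the ATA-like interface."""
        return self.pages[self.map[lba]]

    def raw_pages_containing(self, data):
        """What a chip-level read of the flash would find."""
        return [i for i, p in enumerate(self.pages) if p == data]

def wipe_demo(physical_pages=64, passes=35):
    """Write SECRET to block 0, then overwrite it `passes` times."""
    ftl = ToyFTL(physical_pages)
    ftl.write(0, SECRET)
    for n in range(1, passes + 1):
        ftl.write(0, f"pass-{n}".encode())
    return ftl

def passes_until_gone(physical_pages):
    """Count overwrites of block 0 needed before SECRET leaves raw flash."""
    ftl = ToyFTL(physical_pages)
    ftl.write(0, SECRET)
    count = 0
    while ftl.raw_pages_containing(SECRET):
        ftl.write(0, b"\x00" * len(SECRET))
        count += 1
    return count

if __name__ == "__main__":
    ftl = wipe_demo()
    print("host reads:", ftl.read(0), "| stale pages:", len(ftl.stale))
    print("raw pages still holding original:", ftl.raw_pages_containing(SECRET))
    print("overwrites needed on 64 pages:", passes_until_gone(64))
```

In this model the overwrite count needed equals the number of physical pages, which is why a fixed-pass wipe of one file does not reach the original page.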


