[Dailydave] Forensics: USB fobs
Michael Spath
michael.spath at gmail.com
Tue Oct 31 16:40:39 Local tim 2006
On 11/1/06, Dave Aitel <dave at immunityinc.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Someone yesterday at a conference talk I went to told the crowd that
> you can overwrite a file (aka srm it) on a USB Key fob and it will
> still be there
> for Autopsy to see. That makes no sense to me. Can anyone verify this?
I guess that your guy was thinking about wear-levelling algorithms.
Basically to maximize the lifetime of the sticks, manufacturers add an
address translation layer between USB interface and the actual flash,
so that erase and write cycles are spread evenly on all blocks. This means
that when srm will try to overwrite a file, the data will actually be written
to another block and the old data will still be there.
regards,
--spath
More information about the Dailydave
mailing list