[Dailydave] Forensics: USB fobs
felix-dailydave at fefe.de
felix-dailydave at fefe.de
Tue Oct 31 17:30:37 Local tim 2006
Thus spake Dave Aitel (dave at immunityinc.com):
> Someone yesterday at a conference talk I went to told the crowd that
> you can overwrite a file (aka srm it) on a USB Key fob and it will
> still be there
> for Autopsy to see. That makes no sense to me. Can anyone verify this?
On flash media you have a limit on how often you can overwrite a sector.
It's about 10000 times. For typical FAT file systems, that means the
FAT region will be the first to fail.
So they put a translation layer between the actual media and the
hardware, so that logically you read/write sector 5, but the layer
remaps the physical layout so that you distribute the writes optimally.
I don't know how many usb sticks have this, but I know that embedded
people using flash memory do this. Linux even has a file system that
does this for you.
Felix
More information about the Dailydave
mailing list