Dailydave mailing list archives

Re: Forensics: USB fobs

From: "Dave Korn" <dave.korn () artimi com>
Date: Tue, 31 Oct 2006 13:30:16 -0000

On 01 November 2006 10:34, Dave Aitel wrote:

Someone yesterday at a conference talk I went to told the crowd that
you can overwrite a file (aka srm it) on a USB Key fob and it will
still be there
for Autopsy to see. That makes no sense to me. Can anyone verify this?


  Big problem.  A flash disk pretends to be like an ATA drive but it isn't.
In particular you have flash filing system issues like wear-levelling and
bad-block remapping getting in the way.

  So when you overwrite the file, the flash controller allocates you a fresh
page of memory, and marks your old one stale.  Give it a 35-pass-gutmann wipe
and you will have 35 stale pages, one with the original data and 34 with
overwrite data on them, and one fresh page with the data from the very final
overwrite pass.

  You'd have to do enough overwrites to work your way through the entire free
page list, then the least-recently-used-stale pages, until you finally got
back to the start and overwrote (meaning, flash-erase-plus-repogram-cycle) the
original data from your file.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

Current thread:

Forensics: USB fobs Dave Aitel (Oct 31)
- Re: Forensics: USB fobs Dave Korn (Oct 31)
- Re: Forensics: USB fobs Alaric Dailey (Oct 31)
- Re: Forensics: USB fobs s17 -- (Oct 31)
- Re: Forensics: USB fobs Michael Spath (Oct 31)
- Re: Forensics: USB fobs felix-dailydave (Oct 31)
- Re: Forensics: USB fobs William Watson (Oct 31)