I have a question regarding file shredder software and its
effectiveness when used on flash drives. I recently tried to shred some
files on a flash drive. I applied various aggressive shredding methods
– 35 passes, 7 passes, 3 passes, etc.. Each time, using a relatively
old recovery software, I was able to easily recover most of the
supposedly shredded files!
Are these shredder softwares not intended for use on flash (solid
state) devices? If so, why not? Are they effective only on hard disks
devices?
I will say that I’m surprised that the file recovery tools were able
to recover files after being shredded. I would have expected the files
to be gone.
However…
Using a file shredder on a flash or solid-state drive isn’t
something I recommend doing, at least not in the same way as you might
on an actual hard disk. The problem is that you could be wearing out
the flash drive faster than you need to.
]]>
File shredders, or secure delete utilities, address two distinct problems when you delete a file in Windows:
-
When a file is deleted, the data is not actually overwritten.
-
On magnetic media, data that has been overwritten might still be recoverable using advanced (and expensive) forensic tools.
Flash drives are not magnetic material, and hence the second item simply doesn’t apply. When data is overwritten, the previous data is gone. There’s no “magnetic residue” to use to perhaps recover the previous data.
The approach that file shredders use to really, truly, positively erase data on magnetic material such as hard drives is to overwrite it multiple times with random data or data patterns that are designed to make any previous data completely unrecoverable. In reality, overwrite the data two or three times, and for all practical situations it’s gone. 35 pass shredding is overkill for the seriously paranoid.
And regardless, overwriting more than once is only applicable for magnetic material.
The problem is simple: flash memory wears out the more you write to it. So writing to the entire flash drive 3, 7 or heaven forbid 35 times when in fact you only needed to write once could be seriously shortening the useful life of that device.
So my advice is simple: to shred or securely delete the data on a flash or solid state device, use a utility that will perform exactly and only one pass of overwriting the deleted data.
That’ll be enough.
And if the tool you choose isn’t working, I’ll point you to SDelete, Secure Delete, which will let you do exactly that.
Modern flash drives force new data to locations that have not been used (as much) as current locations to keep wear as even as possible. I suspect that these newer flash drives divert the shredder to locations that don’t include the data you’re trying to shred. The data from the file you’re trying to shred stays intact while some innocent area gets “shredded”. ;-)
09-Mar-2009
I used to work for a hard drive and flash manufacturer. You are correct about SSDs and HDs. But HDs with shingled recording also have the same wear leveling issues. As HDD tracks get closer together writes to adjacent tracks can cause bit flips in the track nearby. Toget arround that they invented shingled recording. Now the disk is divided into sections. Like SSDs the drive remembers where each block is. contiguous blocks “to the outside world” may not me stored adject to each other in the media. The big point is you are NEVer OVERWRITING THE DATA YOU THINK YOU ARE. jUST FREE SPACE.
SDelete is a little complicated for the casual user.
I use the freeware Eraser which gives you the option to write once with Pseudorandom Data. After installing the software, you can do a right click on the file name and select ERASE.
http://www.brothersoft.com/eraser-12113.html
it is very good when delete function not work
Wouldn’t East-Tec Eraser be the best option for USB and disk?
http://www.east-tec.com/
i want to view & recover my picture files but how can i recover picture files on my USB if i have already cut them from my USB and paste it on a folder who happens to be inffected by a virus giving it the cause why i cannot view my Picture files anymore.
Wear leveling means it is writing the shred to other parts of the memory drive, thus it does not overwrite the original file remnants.
And, voila, the old file remains intact to a file recovery program.
contig is “complicated”??? sheesh.
It would be better to use a truecrypt volume to keep private stuff private on a flash disk. Perhaps the only way.
14-Mar-2009
Wear leveling would increase the chances of recovery if the recovery program is looking at ALL of the free blocks… as there is still a block on that USB that contains that data.
15-Mar-2009
What about other forms of flash memory? Like SD cards and their ilk. Do they wear out as well?
19-Mar-2009
As someone with a scienctific background it would be easier to recover data from from many passes than from a few and here’s why…
Granted the signal of the original files will become weaker the more passes one does, and more difficult to recover, but in essence the file would be less corrupt. The more random passes one does the more the scrambled signal evens out. Everyone should know this from statistics, flip enough heads and tails and you’ll get a 50/50 split. It’s kind of like cryptography in a way if you visualize each track as a column, but I digress, similarily if you only do a few passes the original signal will be stronger but more corrupt. hd only though not sure about flash.
23-Mar-2009
Hello,
does “Wear levelling” consider about partititions?
Example: 4 GB USB Stick with two partititions
1. Linux Ext2 – 8MB
2. Windows FAT – Rest of it
If I overwrite partitition 1. once with random data, will there be left data from that partitition somewhere on the stick because of “Wear levelling”?
15-Apr-2009
Here is the answer. The hardware leveling software is integrated with the filesystem in ways that are not obvious. This has to be the case because the card cannot produce memory from nothing. In other words if you “erase” file A which say is a large file of 1Gb from nowhere. It takes it from the free space of the filesystem. It tracks how many times each block is used.
Can the user who posted the original question attempt to erase all unused space on the filesystem once, I think this would get it.
Steve
Just saying no over and over again doesn’t make it so.
I think only a designer of the flash drive wear-leveling system (WLS) can answer the question with assurance.
If a file is handed over to the WLS by the OS to be stored, the WLS would have to have a way to retrieve the bits and hand it back to the OS. This implies some kind of directory. Unless you can be assured that this low level directory entry is not accessible after the file is erased, then the file could presumably be recovered by specialized software.
When you say that a file only needs to be overwritten once on a flash drive, it leads me to believe that you don’t know what you are talking about. If the file is distributed in a random fashion by the WLS, you would not have to erase it even once, rather you would only have to erase the directory entry to make in inaccessible, since there is no contiguous data. Without the directory entry, there would be no way to re-assemble the file.
Whilst I can understand that wear-levelling would mean that even using sdelete would not actually over-write the data that was stored in the file, I would have thought that it would make that data inaccessible to ordinary file recovery software. I think that the only way to securely erase a USB memory stick that uses wear-levelling would be to fill the entire thing with one large file of random or zero data. Rasty, the data would still be in chunks but they would have to be stitched back together by someone who could access the underlying storage on the USB key. Difficult, but not for a military or secret service organization.
ComputerWorld reports (March 7, 2011) that recovering data from both SSD drives and flash drives is incredibly easy even after being overwritten.
This article requires you to sign up. But it is harmless to do so. Remove the check marks from both boxes and you will not get any additional mailings. At least that is my experience.
This article is scary and should be required reading.
http://www.computerworld.com/s/article/355159/SSD_Security_Issues_Surprise_Experts