File Wiping and Disk-on-Key
Most vendors selling security software that deals with removable devices or with flash storage media such as Disk-On-Key (DoK) provide the functionality of file wiping (often called shredding) from the removable medium. This feature allows the user to erase sensitive files that are no longer needed, in a way that (presumably) prevents them from ever being recovered, even if forensic gear is involved.
I find file wiping to be a useful function. Software that permanently destroys files has been available on PCs since the early 80s and has always been handy. File encryption utilities also use file wiping to remove the original plaintext file after encrypting it.
The one concern I have is about the reliability of these tools when they run against files that are stored on flash memory, such as a USB DoK or an SD card.
To see the potential problem, let’s first examine how file wiping works:
When you select a file to wipe, the wiping application looks up which sectors of the disk the file is physically stored on. Each file occupies at least one sector, and the mapping is available from the file system. The wiping application then repeatedly overwrites the data in those sectors with constant patterns, three, seven, or any other number of times; the patterns that are written are determined by the wiping method. The two most common wiping methods are probably DoD 5220.22 and the method conceived by Peter Gutmann (which I believe to be much safer). After the contents of the relevant disk sectors have been replaced a few times, the file is deleted.
The reason I have my doubts about using this method on flash memory is a mechanism called wear leveling. Flash memory sectors have limited endurance: they do not live forever, but can only tolerate a certain number of read/write cycles before they become unreliable. To make sure that all sectors on the flash medium are used evenly (so that no small group of sectors is overly stressed), a wear leveling mechanism is deployed. This mechanism automatically spreads sector write operations across the physical volume, and it does so transparently: the writing application is not aware of where a sector is physically written.
The implication of wear leveling for wiping is that the wiping application has no control over which physical sectors are really involved in a write operation. The wear leveling mechanism is implemented at the hardware level, by the flash controller, not by the operating system that implements the file system.
Consequently, as file wiping is performed, while the wiping application thinks it is scrubbing the same sector seven times, it may just as well be scratching seven different sectors once each. Moreover, the sectors being scratched may not even be the sectors where the data to be wiped is really stored!
This is quite alarming. Not only can individual files not be permanently removed from such media, but even file encryption may be ineffective unless it is done entirely in RAM (that is, unless no plaintext is ever written to the flash medium, not even temporarily).
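To make the problem above concrete, here is a small added simulation (written for this post, not any vendor's controller or wiping tool). It models a toy flash translation layer in which every write to a logical sector is redirected to a fresh physical page, as wear leveling does, beside a magnetic-disk model that overwrites in place; a multi-pass wipe is then run on both and the physical pages are scanned forensically for the original contents. Page counts, sector size and the file contents are constructed sample values.

```python
import itertools

SECTOR = 16  # bytes per sector in this toy model (constructed value)


class Medium:
    """Physical storage: a list of pages; None means never written."""

    def __init__(self, pages, in_place):
        self.pages = [None] * pages
        self.l2p = {}               # logical sector -> physical page
        self.in_place = in_place    # True: magnetic disk; False: flash
        self._free = itertools.count()

    def write(self, logical, data):
        if self.in_place and logical in self.l2p:
            self.pages[self.l2p[logical]] = data   # overwrite where it lives
            return
        phys = next(self._free)    # wear leveling: writes go to a new page
        self.pages[phys] = data
        self.l2p[logical] = phys   # old page keeps its stale contents

    def read(self, logical):
        return self.pages[self.l2p[logical]]


def wipe(medium, sectors, passes=3):
    """Multi-pass overwrite of the file's logical sectors, then delete it."""
    patterns = [b"\x00" * SECTOR, b"\xff" * SECTOR, b"\xaa" * SECTOR]
    for p in range(passes):
        for s in sectors:
            medium.write(s, patterns[p % len(patterns)])
    for s in sectors:
        del medium.l2p[s]          # the file system forgets the mapping


def remnants(medium, secret):
    """Forensic view: how many physical pages still hold the secret."""
    return sum(1 for page in medium.pages if page == secret)


def demo(in_place):
    """Store a 16-byte file in logical sector 5, wipe it 7 times, then scan."""
    m = Medium(pages=64, in_place=in_place)
    secret = b"PLAINTEXT-SECRET"   # constructed sample file content
    m.write(5, secret)
    wipe(m, [5], passes=7)
    return remnants(m, secret)


if __name__ == "__main__":
    print("in-place disk, copies left:", demo(in_place=True))    # 0
    print("wear-levelled flash, copies left:", demo(in_place=False))  # 1
```

On the in-place model the seven passes destroy the data; on the flash model all seven passes land on fresh pages and the original page is untouched, which is exactly the failure described above.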