Proactive IT Security
 

Digital Dumpster Diving

2011-02-24 [Mobile and wireless technologies, Privacy issues, Trends & predictions]

Introduction

Dumpster diving is known as examining trash to find interesting items that have been discarded. This security article's title refers to examining digital trash, which for certain purposes may turn out to be useful.

Discarding storage devices

Storage devices are regularly discarded. The reasons are numerous, the main reason why is probably because they need to be replaced by a new version with better capacity (space and/or speed). Another reason is that a more advanced model (typically computers and mobile phones) is replacing the tool using the storage device.

Regardless of why the storage device is discarded, one should be aware that the device may have information that may be useful for other than the original owner. There are regularly news items about disposed computers that turn out to have information of a personal character, which are never meant for the public. Trash of any type may be useful for a company's competitors, which are into industrial espionage.

Increasing focus has therefore been on secure disposal of digital storage devices, like hard disks. A specialized industry has emerged, who supply devices and software used for deleting information on storage devices before they are discarded. Some countries have special regulations regarding how storage devices must be securely wiped to get rid of potentially secret information. Another industry specializes in retrieving digital information that is lost by accident or intent.

Different storage devices

Traditional storage devices like hard disks have been in use a long time, and the technology for secure deleting information stored on these, is quite matured and advanced. There are two main techniques involved: degaussing (erasing using magnetism) and overwriting. (These may even be combined for the really security paranoid.)

In later years, however, a new storage technology has emerged, which is being increasingly popular and advanced. We refer to flash-based solid state drives (SSDs). Until recently, SSDs have been restricted by their storage capacity, but this restriction applies less these days. Small USB sticks with a storage capacity of 32GB are inexpensive and common, and sticks with 128GB are available - more expensive, though. Internal and external SSD-based hard drives have storage capacities that exceed most desktop computers' needs. The storage potential and price for devices using this technology will without doubt be even more attractive in the future.

Erasing SSDs - a study

A study about erasing data on flash-based SSDs was published last week. Eliminating residual information on these type of devices is of course essential, since e.g. USB sticks in particular are often used for typical temporary utilization (moving data between devices), and are not seen as valuable investments.

The study emphasizes that one crucial difference between SSDs compared to "traditional" storage devices like hard disks, is that the former may store copies of a file in several places. The consequence is e.g. that it is not sufficient to erase the latest version of the file in order to remove all information connected to that file. Nor will erasing the used space on a storage device guarantee removal of all data, as information may still reside in parts of the drive, which are defined as unused. 

We will not go into details about the study in this article, but confine to referring some of the findings:

  • Degaussing using magnetic technologies proved to be completely ineffective on SSDs,
  • None of the existing hard drive oriented techniques for wiping individual files are effective on SSDs,
  • Overwriting the entire address space on SSDs are usually - but not always - effective,
  • Built-in commands for erasing entire disks are effective, but manufacturers may have implemented them incorrectly.

 The study's main conclusion is

[T]he increased complexity of SSDs relative to hard drives requires that SSDs provide verifiable sanitization operations.  

An industry expert's view

We have contacted the company Ibas (Norwegian web site), subsidiary of Kroll Ontrack - a leading specialist in data recovery, computer forensics and data erasure - for comments regarding deletion of information from SSDs.

Ibas confirms that deletion of information from SSDs involves particular challenges, and has given the following statement:

A 1GB Flash USB stick actually has about 1.2GB worth of sectors available for storage, but only assigns LBA numbers (i.e. user accessible sectors) to 1GB worth of sectors. That leaves about 20% of the sectors unused at any time. However, the LBA numbers are constantly reassigned to different physical locations, so that all 1.2GB worth of sectors get written to the same number of times (i.e. all the sectors wear out evenly). The device may reassign the LBA numbers every time it needs to write, or it might count the number of times that physical location has been written to and only reassign when it reaches a threshold number – the wear leveling algorithm is different on every device. So, only 1GB worth are ever accessible to the computer through the USB interface at any one time, so neither Ontrack Eraser nor any other software can access these sectors through the USB interface. This extra 20% is what we mean by hidden area – it has nothing to do with partitions or the OS.

Now, the device marks the old block for erasure when it reassigns the LBA numbers to a new physical location, but it may not erase immediately. Also, if the device gets corrupted, those sectors may never get erased.

In short, LBA 0 (i.e. the MBR) could be anywhere on the device at any time – front, back, or middle. And there may be multiple copies if the erasing function isn’t working perfectly. And this applies to every LBA on the device – the only way to know where each LBA is, is to decode the hidden metadata associated with each LBA.

So a software erase program will erase all 1GB of the LBA, but 20% of the sectors are not accessible by the erase software. You could write to the device over and over and hope the wear leveling algorithm kicks in and assigns the LBAs to every last sector on the device at least once, but since each algorithm has different thresholds, we cannot guarantee every sector on the device got overwritten.

If anyone takes the chips off and images them raw, which is not that difficult with commercially available hardware, they will see all 1.2GB worth of sectors because you are bypassing the controller. Putting the sectors in the proper order to obtain good files is not possible with the commercial hardware, but the LBAs are grouped together in large chunks (128KB typically), so any small to medium files could be intact in this raw format.

Above scenario will be handled by our erase software OES (Ontrack Erase Software) in the next major release in order to have our customers erasing their drives securely and accordingly with software erase processing.

Ibas recommendation is that SSD disks containing classified information should yet not be discarded at this point in time. SSDs should rather be stored securely. Within 6 - 12 months the erasure industry is expected to release products that enables secure deletion of all information on SSDs.

Non-classified information may be deleted with "sufficient probability" by overwriting the entire disk many times, as this will most likely also overwrite the non-accessible sectors. However, one cannot be absolutely sure that all data is erased by this method.

References