completely removing information from a USB stick

Perhaps you have seen those movies where a person is questioned about things from the past. Of course he doesn’t remember all those embarrassing things the interrogator wants to know. Then a hypnotherapist is called in and puts the man under hypnosis and all details come pouring out.
A USB stick acts the same. If you look at it from Windows Explorer, or you do a mount + ls under Linux, you only see the information which is on the surface. But beneath it a lot of other information is often lingering, information which could be embarrassing if it falls into the wrong hands.
The reason for this is that when files are deleted from the USB stick, or from a harddisk for that matter, they are not actually wiped. The only thing that happens is that the space is marked free in the File Allocation Table. But as long as this space is not overwritten by new files, the information still remains on the device.
That is why undelete tools can recover files for you.

A potential risk is that when you hand over your thumbdrive to someone for copying info on or off the stick, they might just copy a complete image of the stick to their laptop. There is even a handy program, USBdumper, which provides exactly this functionality. Afterwards they can do a forensic analysis of the data, for instance using foremost, and see what kind of residual data they can retrieve. On Linux you could even do a strings < USBimage.dd to get a quick view.

So how to avoid this risk? If you are on a Windows system, there is a free tool called Eraser which securely wipes all residual data off a device. For Linux there are a number of tools, for instance wipe, but it is more fun to do it by hand and know what you are doing.

Let’s say I plug in my USB stick and mount it under /media/disk.
When I execute a df -k it displays how much space is free, and therefore the number of bytes of hidden information there could possibly be on the stick:

# df -k /media/disk/
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sdb1               249336     60736    188600  25% /media/disk

To completely obliterate all data, we need to overwrite all information with something else. If this were a harddrive, the specialists say you need to overwrite the data a fair number of times with random bytes, otherwise it’s possible that the NSA can still reconstruct the original bits from looking at the magnetic patterns on the disk. But since we are talking microchips here, anything will do. The fastest way would be to read zeros from /dev/zero, but we will use /dev/urandom just for the fun of it 😉

Since there are 188600 blocks of 1 kbyte free, we need to write exactly that amount of data to the USB drive:

# cd /media/disk/
# dd if=/dev/urandom of=rnd.bin bs=1k count=188600
188600+0 records in
188600+0 records out
193126400 bytes (193 MB) copied, 52.3836 s, 3.7 MB/s

# df -h .
Filesystem            Size  Used Avail Use% Mounted on
/dev/sdb1             244M  244M     0 100% /media/disk
# sync
# ls -l
total 188640
drwxr-xr-x 2 root root      4096   2007-11-22 15:39 porn_collection
drwxr-xr-x 2 root root      4096   2007-11-21 14:11 passwords
-rwxr-xr-x 1 root root 193126400 2007-11-28 15:43 rnd.bin
#
# hexdump -C rnd.bin | head -6
00000000  6b 9d 85 95 6c 41 00 56  30 c5 f4 49 0a 90 ed 5a  |k...lA.V0..I...Z|
00000010  54 eb df 6d 4e 53 7a 39  33 a8 21 44 f7 a7 df 61  |T..mNSz93.!D...a|
00000020  6a 33 f6 77 c1 cb d4 46  6e ab 57 0d 28 8e eb 13  |j3.w...Fn.W.(...|
00000030  f3 0d bd 28 eb 96 54 6c  21 ec d9 91 b8 4e ea 50  |...(..Tl!....N.P|
00000040  fa 98 8e 78 0c d0 6c 49  7d 4a c6 b9 37 87 84 21  |...x..lI}J..7..!|
00000050  ad 25 a5 fa 6a 52 62 ff  54 ae 77 ba 9d 45 4d a3  |.%..jRb.T.w..EM.|

That looks alright, since 188600 * 1024 = 193126400, and sync is needed to flush the data from the write cache to the USB disk.
The only thing left to do is remove the random blob again (but now you know what happens: the space is merely marked free in the File Allocation Table and our random bytes remain in place), sync and unmount:

# rm -f rnd.bin
# sync
# cd
# df -k /media/disk/
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sdb1               249336     60736    188600  25% /media/disk
# umount /media/disk

And as you can see we are, space-wise, exactly where we started from.
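The manual steps above (read the free space from df, fill it with dd from /dev/urandom, sync, remove the filler, sync) collapse into a small shell script. The script below is an added example, not part of the original post: it assumes coreutils df and dd, a writable mount point passed as the first argument, and an optional second argument that caps the number of 1K blocks written, so it can be tried on a scratch directory without filling a shared filesystem.

```shell
#!/bin/sh
# Added example (not from the original post): overwrite the free space under a
# mount point with random bytes, then delete the filler so the space is free
# again but the old deleted data has been replaced.
# Assumptions: coreutils df/dd, a writable directory, /dev/urandom available.

# Print the number of available 1K blocks df reports for a path.
# -P forces the POSIX single-line layout so field 4 is always "Available".
free_kb() {
    df -kP "$1" | awk 'NR==2 {print $4}'
}

# wipe_free_space DIR [MAX_KB]
# Fills DIR with random data (up to MAX_KB blocks if given), syncs, removes
# the filler, syncs again, and prints the number of 1K blocks that were written.
wipe_free_space() {
    dir="$1"
    cap="${2:-0}"          # 0 means "no cap": use everything df says is free
    filler="$dir/rnd.bin"  # same filler name as in the post

    avail="$(free_kb "$dir")"
    [ -n "$avail" ] || return 1
    count="$avail"
    if [ "$cap" -gt 0 ] && [ "$cap" -lt "$count" ]; then
        count="$cap"
    fi

    # dd may stop early with "No space left on device"; that is fine here,
    # because running out of space means the free area is fully overwritten.
    dd if=/dev/urandom of="$filler" bs=1024 count="$count" 2>/dev/null || true
    sync                                   # flush the write cache to the stick
    written="$(wc -c < "$filler")"
    rm -f "$filler"                        # only the FAT entry goes; bytes stay
    sync
    echo $((written / 1024))
}

# Stand-alone usage: wipe the free space of the mount point given on the
# command line, e.g. ./wipe_free.sh /media/disk
if [ -n "$1" ]; then
    echo "free before: $(free_kb "$1") KB"
    blocks="$(wipe_free_space "$1" "${2:-0}")"
    echo "overwrote $blocks KB of free space"
    echo "free after:  $(free_kb "$1") KB"
fi
```

One caveat worth keeping in mind when using this on flash media: a USB stick's controller does wear-levelling underneath the filesystem, so an overwrite issued through the mounted filesystem is not guaranteed to land on every physical flash page that once held deleted data. That is exactly why the closing advice of the post, encrypting anything private rather than relying on overwriting alone, is the stronger control.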

Caveat lector! This trick only protects you from somebody recovering deleted information. If you have private files on the stick, use cryptography to protect those. TrueCrypt is a very nice program you can use for that. If you choose a simple password to access the encrypted files, you might as well use no crypto at all.

Author: Ewald

The grey haired professor
