completely removing information from an USB stick

Perhaps you have seen those movies where a person is questioned about things from the past. Of course he doesn’t remember all those embarrassing things the interrogator wants to know. Then a hypnotherapist is called in and puts the man under hypnosis and all details come pouring out.
A USB stick acts the same. If you look at it from Windows explorer or you do a mount + ls under Linux you see only the information which is on the surface. But beneath it a lot of other information is often lingering, information which maybe could be embarrassing if it falls into the wrong hands.
The reason for this is that when files are deleted from the USB stick, or from a harddisk for that matter, they not actually wiped. The only thing that happens is that the space is marked free in the File Allocation Table. But as long as this space is not overwritten by new files, the information still remains on the device.
That is why undelete tools can recover files for you.

A potential risk is that when you hand over your thumbdrive to someone for copying info on or of the stick, they might just copy a complete image of the stick to their laptop. There is even a handy program: USBdumper which provides this functionality. Afterwards they can do a forensic analysis of the data, for instance using foremost and see what kind of residual data they can retrieve. On linux you could even do a strings < USBimage.dd to get a quick view.

So how to avoid this risk? If you are on a Windows system, there is a free tool called eraser which securely wipes all residual data of a device. For Linux there are a number of tools, for instance wipe, but it is more fun to do it by hand and know what you are doing.

Let’s say i plug in my USB stick and mount it under: /media/disk
When i execute a df -k it displays how much space is free and therefore the number of bytes of hidden information there possibly are on the stick:

# df -k /media/disk/
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sdb1               249336     60736    188600  25% /media/disk

To completely obliterate all data, we need to overwrite all information with something else. If this were a harddrive, the specialists say you need to overwrite the data a fair number of times with random bytes, otherwise it’s possible that the NSA can still reconstruct the original bits from looking at the magnetic patterns on the disk. But since we are talking microchips here, anything will do. The fastest way would be to read zero’s from /dev/null, but we will use /dev/urandom just for the fun of it 😉

Since there are 188600 blocks of 1 kbyte free, we need to write exactly that amount of data to the USB drive:

# cd /media/disk/
# dd if=/dev/urandom of=rnd.bin bs=1k count=188600
188600+0 records in
188600+0 records out
193126400 bytes (193 MB) copied, 52.3836 s, 3.7 MB/s

# df -h .
Filesystem            Size  Used Avail Use% Mounted on
/dev/sdb1             244M  244M     0 100% /media/disk
# sync
# ls -l
total 188640
drwxr-xr-x 2 root root      4096   2007-11-22 15:39 porn_collection
drwxr-xr-x 2 root root      4096   2007-11-21 14:11 passwords
-rwxr-xr-x 1 root root 193126400 2007-11-28 15:43 rnd.bin
# hexdump -C rnd.bin | head -6
00000000  6b 9d 85 95 6c 41 00 56  30 c5 f4 49 0a 90 ed 5a  |k...lA.V0..I...Z|
00000010  54 eb df 6d 4e 53 7a 39  33 a8 21 44 f7 a7 df 61  |T..mNSz93.!D...a|
00000020  6a 33 f6 77 c1 cb d4 46  6e ab 57 0d 28 8e eb 13  |j3.w...Fn.W.(...|
00000030  f3 0d bd 28 eb 96 54 6c  21 ec d9 91 b8 4e ea 50  |...(..Tl!....N.P|
00000040  fa 98 8e 78 0c d0 6c 49  7d 4a c6 b9 37 87 84 21  |...x..lI}J..7..!|
00000050  ad 25 a5 fa 6a 52 62 ff  54 ae 77 ba 9d 45 4d a3  |.%..jRb.T.w..EM.|

That looks alright, since 188600 * 1024 = 193126400 and sync is needed to flush the data from the write cache to the USB disk.
The only thing left to do is remove the random blob again (but now you know that what happens is that the space is marked free in the File Allocation Table and our random bytes remain in place), sync and unmount:

# rm -f rnd.bin
# sync
# cd
# df -k /media/disk/
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/sdb1               249336     60736    188600  25% /media/disk
# umount /media/disk

And as you can see we are spacewise exactly where we started from.

Caveat lector! This trick only protects you from somebody recovering deleted information. If you got private files on the stick, use cryptography to protect those. TrueCrypt is a very nice program you can use. If you choose a simple password to access the encrypted files, you might as well use no crypto at all.

Author: Ewald

The grey haired professor

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.