Write-Once Read-Many Memory Cards

SanDisk has introduced Write-Once Read-Many Memory (WORM) cards for forensic applications.

Posted on July 28, 2008 at 5:04 AM • 38 Comments

Comments

SteveJJuly 28, 2008 5:48 AM

Nice, although note that you can still "edit" evidence by the following procedure:

1) Record to WORM, send suspect+lawyer away,
2) Read back off WORM, edit at will,
3) Write to a new WORM. Pretend this is the WORM you used in the first place.

This is precisely analogous to the old scheme of which police have on occasion been accused, and which bonded tape recorders were supposed to have prevented already:

1) record to tape, send suspect away,
2) edit recording on tape,
3) pretend you haven't altered it.

So, even with a WORM you still need to protect the evidence by somehow proving that you're presenting the same memory card as was originally recorded.

This is no different from the case with any other evidence, including a modifiable SD card. So it's probably still an advance in that it makes evidence-tampering a little bit harder.

However, you could set up a system to achieve the same thing without using a WORM, by for example posting a secure hash of the digital evidence with a trusted third party such as a public notary or the court itself. Once that's done, it doesn't matter how the data is stored, and tampering becomes much harder instead of only a bit harder.

Not that I blame SanDisk for the fact that their doohicky is only a marginal advance - they can only do anything about the part of the process that they control.

RoyJuly 28, 2008 6:05 AM

Failure modes:

1. A black hat swaps out WORM A (actual data) for WORM B (bogus data), which becomes the official 'unalterable record'.

2. A black hat forces a physical failure of the WORM, so that the only evidence is testimony from his confederates, which stands in for the 'unalterable record'.

jeremyJuly 28, 2008 6:15 AM

Perhaps the cards have some sort of unique id system that can be used to thwart such record/modify/record attacks. I understand this would introduce problems in keeping track of said numbers, but it would still prevent an attacker modifying the data.

yDNAJuly 28, 2008 6:16 AM

These devices will need some kind of immutable serial number (both legible externally and burned digitally inside). The serial numbers will need to be recorded when issued to officers, for example, to show that what went out is what came back. But even then, there's still the ability to apply the attack methods suggested by others.

JackJuly 28, 2008 6:20 AM

Don't take SanDisk seriously. Their operations are a disaster. The right hand doesn't know what the left hand is doing, sales couldn't care less whether you buy anything or not, they're always waving new products around in the air only to drop them or make them unavailable later, they must have dumped half their staff recently, they jerk distributors around, and their tech support is non-existent.

We inquired about a very large order for a gov't contract and no one would even respond. They're nothing but Chinese autoresponders. We got one Email from a kid who didn't understand anything, no one would even return phone calls.

Finally, after obtaining the identity of a certain individual at SanDisk who was the person to speak with, an Email to them was returned with an autoresponse that they had been fired the month before and if you needed to contact them at home here was the number.

A bunch of dopes. Not even sales managers at big rep firms could reach anyone. Besides that, their prices suck.

yDNAJuly 28, 2008 6:22 AM

@jeremy, unique id tracking is still vulnerable. Let's say the card's id is recorded by the clerk at the time it's issued to an officer responding to an incident. What's to prevent an officer from recording raw evidence with a non-WORM card, modifying that data, and then transferring it to the issued WORM card? Of course, this would suggest willful corruption on the part of the officer.

jeremyJuly 28, 2008 6:28 AM

@yDNA: I see your point. I think that the very nature of the police force is the issue. The police are meant to be quintessentially trustworthy; my experiences are that such a characteristic cannot be applied to a human being. While I am sure that 99% of officers are law-abiding, nice people, 99% != 100%.

bobJuly 28, 2008 6:49 AM

This would be great to have for a bootable core OS which could then run a regular disk containing an encrypted version of the latest virus scanner. That way you could trust that nothing had hacked your OS and was ignoring itself when you scanned using the infected OS. But then like Andy said, CD-R already does that (and is probably cheaper since you only buy the hardware once).

Although this claims a life of 100 years where I believe CD-R is

Richard BraakmanJuly 28, 2008 6:49 AM

I'm still waiting for a read-once card. It would be perfect for one-time pads!

Ross SniderJuly 28, 2008 6:51 AM

SteveJ is completely correct here. We use trusted third parties to confirm a signed hash of the data. Usually this is enough, but someone can still claim that they lost their key somewhere in public and that someone else signed the hash.

This is a bit unrealistic (if SteveJ handed me something he said he digitally signed and then said he didn't digitally sign it later), but it is possible and would give an individual some grounds to deny signing the evidence if they were not the individual handing over the hash.

Does WORM card fix this? If someone says they wrote the data on the WORM, then later says they hadn't written anything to it they can't blame it on losing the key - but it is true that they could have "accidently left it in public and written data to another disk, then found this later and was confused". Like paper documents we still rely a large amount on trust.

I think it is more realistic that data would be tampered with before being committed to a digital signing or on a WORM card.

One more thought. If the WORM card can be used for applications like in digital cameras (like they specify on the website), does that not mean that you can write multiple times, but each single write is modifyable? Or do you have to switch out cards every time? If you can write more data on later I don't think this is a good solution for court systems/etc at all because adding information is still considered modifying data and these cards promise to mitigate that.

MarcosJuly 28, 2008 7:11 AM

Ok, now there is a company trying to sell programmable once memories like it was something new.

Next, they'll probably extend it, so you can clear the memory on a lab and save some money. They'll probably call it extended programmable once memory (E-PROM to be short). Then, they'll probably create a way to errase it electronicaly, then they can call it FLASH memory...

RogerJuly 28, 2008 8:21 AM

The main motivation for WORM devices is to prevent *accidental* erasure of data that either cannot easily be backed up, or for which there is some regulatory requirement to keep the original.

However unique serial numbers are a common feature of WORM devices, and they can add some degree of security -- if, and only if, combined with suitable handling protocols. In some applications (e.g. red light cameras) this has been a common practice for at least a decade.

elzJuly 28, 2008 8:26 AM

Unless everything on source is tempered with some kind of watermaking this is just an illusion, as most of the security is.

And even if it would be watermarked, its probably not to hard to unalter it to some point.

On the other hand try to make your point in court when "they" have "experts" and you are accused. AKA that it would have been possible that the media presented could have been altered.

No its not altered you see the serial number written using a ballpoint pen on it. It is the same media. !!


NyhmJuly 28, 2008 8:32 AM

@Andy - Brilliant... if we only had some form of data storage that could be written to once, but was not capable of re-writing... Eureka - I've got it! Pressed vinyl plates!

Alan PorterJuly 28, 2008 8:34 AM

@ Richard Braakman

> I'm still waiting for a read-once card. It would
> be perfect for one-time pads!

I bought one from A-Data. They call it an "SD Card".
Mine worked once, and then it transformed itself
into a guitar pick. Fascinating.

Alan

Clive RobinsonJuly 28, 2008 8:51 AM

WORM technology in one form or another has been around for a very long time.

And I think most if not all WORM technologies (that are not mask programed) suffer from a simple problem in that if you can write to a memory location once you can write to it a second or more time, but you can only alter the bits that where not altered on a previous write...

That is if you read blank WORM memory it is either all ones (0xFF) or all zeros (0x 00). when you write to it you set (permanently) some bits in the oposite state, so writing 0x0F to it will read back as 0x0F. However if it started off as 0xFF you can write 0x07 to it a second time and the byte will read 0X07, you could write 0x03 a third time and so.

As this issue applies to just about every WORM chip on the market, unless they have their own fab plant I do not see how they can avoid it reliably (circuitry outside the chip is not going to be compleatly reliable as it would need to store which words have been writen to or not and would likewise be vulnerable).

As I see nothing in the blurb to indicate that this has been addressed in their WORM technology I will have to assume pending evidence to the contry that it also is vulnerable...

John CampbellJuly 28, 2008 9:39 AM

It sure looks like there have to be some... ummm... R/W spots so that the FAT filesystem will work, won't it?

It strikes me that these will really need a much better filesystem so that, say, multiple versions of a file can be monitored and maintained (I'm thinking like the "file cycles" that Exec-8^H1100 had). FAT sure doesn't do that!

So there are probably regions of the card that are fully R/W... or all of the chip is but there is something that "locks" down specific regions once they've been written.

Landon DyerJuly 28, 2008 10:23 AM

You could have the hardware / firmware on the card also scribble time stamps from a secure clock; have the original clock sync come from a trusted third party.

I still don't see what prevents you from recycling a chip from another card, though, unless you start burning fuses on the chips themselves. Everything else looks like a speed bump.

WadeJuly 28, 2008 11:54 AM

CD-R is fine for some applications, but as in the article, doesn't work so well for cameras:

Applications for the SanDisk SD WORM card include:
* Police photography and witness/suspect interviews, where courts require proof that photos and audio recordings are genuine.

Clive RobinsonJuly 28, 2008 12:10 PM

@ Wade,

"where courts require proof that photos and audio recordings are genuine"

Unfortunatly, as SanDisk should know that is just not possible...

The best you can hope for is two or more people who were present testify that to their recolection it is a "true and fair" (ie correct) record of the events that they remember.

Which is why you have things like the chain of custody for evidence etc.

The usual solution to the problem is to make two tapes simultaniously in front of the witness and give them (or their representative) one. Unfortunatly it would be fairly easy to make a fake recording infront of the witness as they have no control over the equipment used.

At the end of the day this problem is one, that like proving who you are is going to be quite difficult to solve especially as the technology to make avatars etc more realistic are progressing at a rate far greater than the technology to detect them...

Brandioch ConnerJuly 28, 2008 12:14 PM

@SteveJ
@Ross Snider
@Roger

You've covered most of the issues. But there's also the issue of corrupt cops not "locking" the media until AFTER they've made changes.

That could be mitigated by decent lawyers who demand a copy of the "locked" media immediately after an interrogation or whatever.

Example:
Cop conducts an interrogation and records it to the "secure" media.

Cop then copies the interrogation to regular media and edits it.

Cop then plays the edited version and records it on a new version of the "lockable" media.

There, your confession on "secure" media.

As it usually does, this process depends upon people understanding it and making sure that it is followed.

But that is very difficult when you are in an asymmetric power situation such as being held by the police.

JimmyJuly 28, 2008 1:12 PM

How is this different from their One Time Programmable (OTP ROM) products?

SamJuly 28, 2008 1:40 PM

@John Campbell:

See this part of the article:

"SanDisk is now partnering with manufacturers of cameras, digital voice recorders, medical equipment, electronic cash registers and other digital devices to add the firmware required for recording to SanDisk SD WORM cards. SanDisk is also working with the SD Card Association for approval of this new specification as an industry standard.
"

It's likely using some sort of modified FAT system that reads out as a standard file system, but needs special commands to write to some sort of chained list under the covers....

AlexJuly 28, 2008 2:06 PM

I wonder if this is the matrixSemi tech finally coming out. That was a 3d lithography startup that got bought by sandisk, it was going to do a WORM card as its first product.

havvokJuly 28, 2008 2:50 PM

Is this actually a write-once media, or is it just a funky flash configuration that prevents over-writing of blocks that have been written?

EtaoinJuly 28, 2008 3:14 PM

@Clive Robinson:

"The usual solution to the problem is to make two tapes simultaniously in front of the witness and give them (or their representative) one. Unfortunatly it would be fairly easy to make a fake recording infront of the witness as they have no control over the equipment used."

The simple fix to that particular weakness would surely be procedural: the protocol should require that the witness sees both tapes/chips/whatevers go into the machine at the start of the session and then, when they have been removed from the machine in front of him, he points to one of them and says "I'll have *that* one, please, and you have the other."

In cases of extreme paranoia more than two devices can be used, from which the witness selects two, one for him and one for the cops, and the rest are destroyed.

JamesJuly 28, 2008 4:45 PM

@Richard Braakman

Read-once was a feature of core memory (universally worked around, of course). I wonder how small you could make an array these days.

Of course, you'd need some way of getting the bits in there in the first place, and then some way of preventing write-after-read - so there'd have to be some extra write-once/OTP memory.

*Then* you'd need something that prevented the data from being cloned on to a blank card - something like a pre-programmed device serial, with a one's-complement copy.

And after all that, you'd find that "They" had tapped your entropy source :)

John CampbellJuly 28, 2008 10:47 PM

@Etaoin:

Everything resolves down to "trust".

Can you trust *all* members of a police force?

Heck, can you even trust _yourself_ 100% of the time?

Realize that the best cops are able to think like the people they "hunt"...

That being said, a third copy, sent to a neutral party (if there is such a thing), might be important, especially if the data is written as a RAID-5 set, so any two copies can re-construct all of the data.

But, then, the neutral party has to be trust-worthy, too.

Where do you stop when distributing this kind of data to ensure that there are enough un-interested parties that can be trusted?

Maybe we need a new deviant of RAID where you can reconstruct the data from 2/3rds... or only 51%... of the distributed media.

The point being that breaking the array means that tampering would be evident...

And, yes, I was thinking about this problem some years ago with an eye to filing a patent but the problem always comes down to "trust".

Davi OttenheimerJuly 29, 2008 1:00 AM

Wow, some great comments here but it feels like so many are focused on the failure of technology.

It's too true, the chain of custody and such are still mostly human processes.

I think the problem here could be SanDisk marketing overstating the benefits of their WORM device, but that's marketing for you.

My reaction is that this is just a new/different form factor and that's it. It's handy for mobile devices that don't have WORM options today. Now they have one, albeit with the normal problems associated with WORM.

Clive RobinsonJuly 29, 2008 8:22 AM

@ Etaoin,

"The simple fix to that particular weakness would surely be procedural"

I think you missed my point.

It is the equipment not the cards I was calling into question. Both cards would be identical but the data they had both recorded would be false because either the recording machine or the source of data had been tampered with effectivly in "real time".

As far fetched as it sounds there is almost a golden rule about security and the bad guys,

When you find and fix one problem the "bad guys" just take one step back along the chain and break the system there.

So if you assume that the interview is being recoreded by a CCTV Camera (usualy low res stuff) and the video recorder(s) are on the table in front of you are you actually going to trace the wires back to the camera?

Even if you did how do you know that the wires are actualy doing what you think they are doing?

As an example the CCTV camera outputs to both the wire and to an RF transmitter (built into it's case). The video recorder is modified so that what comes down the wire goes out of the "monitor" port to a display. So you see what is going on in the room in real time (thus being luled into a false sense of security).

However the video recorder is actualy recording from a hidden receiver in it's case which is on a different frequency to the camera.

In the room next door is a system that receives from the camera "processess it" in some way and then transmits the result on the frequency the video recorder is receiving on.

As a simple example, let's assume that the processing involves a ten second delay. If you where the "suspect" or their representative would you be able to detect that delay?

The simple answer is not at all unless you were very suspicious.

Now let us assume that the processing additionaly replaced the audio of you saying no with yes from an earlier recording. unless you are a very clear speaker and you are facing directly at the camera (which often you are not) you would need the services of a court aproved (expert witness) lip reader to show the tampering.

Also as I indicated technology is rapidly getting to the point where replacing the above side view of a witness with a digitaly generated one would not be difficult (the low res of most CCTV would cover it up quite nicley).

For audio only recordings there are already software "profanity switches" that run on PC's etc, which are routeinly used in the broadcasting industry. Basicaly the switch delays the audio from the studio by a few seconds and will remove a second or so of audio when the "F*** button" is pushed by the presenter or engineer. By using pitch and time shifting it fills in the missing gap with later speach almost inaudibly and stretches the few seconds out to fill out the missing portion, so to a person listening to the broadcast they hear at most a click. It would be easily possible for a person with appropriate knowledge to modify such a system to replace one word with another instead of making up for the silence...

Worse you could make the delay considerably longer than a few seconds with a digital recording system. If the interviewers make the interview very long the earlier parts can be edited and then uploaded to the recording device again without the "suspect" or the "representative" being aware of it going on.

The only solution is that your "trusted representative" brings along their own recording equipment to make a "check copy". It's quality does not realy have to be that high as it's purpose is to show obvious differences, which the human mind would probably have forgoton after a furhter couple of hours intensive interviewing.

EtaoinJuly 29, 2008 12:15 PM

@Clive:

Your points regarding tampering with the recording equipment are well made; however I still believe the cure to be procedural rather than technical.

If the circumstance you describe of extensive and systematic official tampering with equipment, or something similar, were considered to be a likely occurrence it may well make sense for such interview-recordings to be made inadmissible as evidence in court as they could no longer be considered to be any more or less reliable than, for example, the notorious back-seat confessions of yore.

The current passion for recording formal interviews, custody suits, police vehicles etc., stems partly from a desire to stem the old "He said X, m'lud." "Oh no I didn't!" exchanges that left courts guessing, and which may have contributed to a significant number of miscarriages of justice.

If there is reasonable doubt as to the veracity of any disputed recording or statement made whilst under arrest, then they should be ruled inadmissible and the on-the-record questioning of the accused should instead be done within the court proceedings, as a part of the trial.

If nothing else that may remove the discomfort that I (and presumably others) feel regarding the partial removal, in the U.K., of a suspect's right to silence whilst under arrest and the concomitant shifting of a part of the cross-examination from the court room to the police cell.

If the interview of a suspect is informal and to assist police in their investigations, rather than having automatic evidential status, then the issue of tampering with the recordings of the interview (and the motivation to do so) is removed.

Clive RobinsonJuly 30, 2008 7:37 AM

@ Etaoin,

"however I still believe the cure to be procedural rather than technical"

I would likewise wish that the authorities in their various forms could be sufficiently trusted that technical solutions are not required.

Unfortunatly as you noted a percentage of the authorities will go against procedure either overtly or covertly depending on their skill.

As technology improves it catches one or two of these "bad apples" out, as in the case of the Judge having to throw out a case against a youth because he found that a Police Officer was clearly not telling the truth after the suspect produced a recording from their mobile phone of the officer telling the youth that he would "fit him up".

The others who are not caught just modify their behaviour appropriatly to avoid that method of being caught out (call it evolution if you like).

Unfortunatly as you point out their is now no right to silence in the U.K. The iddiots that thought this one up obviously do not understand that criminals evolve faster than any laws they create (for Parliment to consider).

It was obvious to quite a few that criminals would work out how to deal with that minor (to them) problem with little or no difficulty before the law was even passed, whilst an inocent person would be considerably predudiced because they would have no reason to know how to deal with it. So the law of unintended consiquences has come into play.

As you will find out if you look the new(ish) "Bad Charecter Refrence" system will be abused by the authorities and will be realy only of use against the inocent and those who would have been found guilty by more traditional methods if the authorities could be bothered to employ them.

DavidTCAugust 1, 2008 12:07 AM

First of all, the issue isn't tampering with recordings of interviews. It's actually recording them at all, which very very often does not happen. Worry about that before you start worrying about tampering with recordings.

Secondly, stopping tampering is easy, because tampering has to be easy for it to happen. There is an easy and almost tamper-proof way to record anything that happens in a police station:

Put audio and cameras in that record at all times and transmit the audio to a third party, which records every second. Put an atomic-radio clock in view of each camera. (Note the video can be rather poor quality...and, of course, footage of an empty room can be compressed very well.)

But the key is to always record. No gaps when the room is 'empty', every second accounted for. Later, someone goes through the tape and every second that the suspect is in the room gets marked and sent to the lawyers.

It doesn't actually have to be 'a third party', it could be some recording equipment in the courthouse or even in a locked room in the police station. One of the cameras would, of course, record this room.

You can use WORM drives in there if you want, but there's a reason for a chain of evidence, and that's getting a little paranoid. There's no such thing as tamper-proof evidence.

Of course, the video feeds can and should also be recorded by the police themselves. Although they seem perfectly happen to not record their sessions now, and just rely on their memory, so screw them.

Yes, anyone can think of ways this system can be subverted, but not easily. A single bad officer can check an audio tape out of evidence and replace it with an edited version a while later. Or turn off the tape recorder for a bit and turn it back on. A single police officer could not tamper with recordings in rooms he doesn't have access to, on locked-down computers that are themselves recorded.

Clive RobinsonAugust 1, 2008 11:19 PM

@ DavidTC,

"First of all, the issue isn't tampering with recordings of interviews. It's actually recording them at all"

Actualy no this not the first issue at all.

The first two issues for any person entering any system is,

"Can the system be trusted?, and to what extent?".

In the U.K. It has become abundantly clear to those that care to look that with regards the Met Police the answers are "No" and "Only where no potential conflict or liability exist" (ie anything above asking for the time or street directions).

In recent times the very senior (tier 1) staff including the commisioners have been found to operate significant extensive and expensive spying activities against their own tier 2 and 3 staff and others often of ethnic or minority back grounds.

You have to ask if such a major police force has a highly questionable if not malicious "system within a system" in operation against it's own senior staff, what does it have for others?

Well how about recording and using "legaly privelaged information" between an elected politician and one of their constituents?

No problem they get another Police force to do it for them (opps that means that other police forces in the U.K. Have similar "systems within systems" in place and routeinly "do favours").

If you want a U.S. Historical perspective look into either J Edgar Hoover or Richard Nixon.

When in human terms you cannot trust an organisation to be honest with their own people you should then not have any expectations of it being honest with you.

Which brings you to the security view point "do you have to place trust in the system" if so and you know it has failed before what do you do? Simple don't trust it and run your own trusted system in tandum.

As was once said,

"Place not your trust in others".

CryptoSchemeFebruary 21, 2010 6:58 PM

Hi,

One of my research paper on forward-secure stream integrity has been critized by arguing that WORM devices are sufficient for tamper-proof media.

I do not agree this, and seeing the above arguments enhanced my stance.

Could you provide some websites and references which show WORM are tampered?

Especially,
@Roy:
1. A black hat swaps out WORM A (actual data) for WORM B (bogus data), which becomes the official 'unalterable record'.

2. A black hat forces a physical failure of the WORM, so that the only evidence is testimony from his confederates, which stands in for the 'unalterable record'.

Could you point out some citations?

Thanks.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..