Erasing Data from Flash Drives

"Reliably Erasing Data From Flash-Based Solid State Drives," by Michael Wei, Laura M. Grupp, Frederick E. Spada, and Steven Swanson.

Abstract: Reliably erasing data from storage media (sanitizing the media) is a critical component of secure data management. While sanitizing entire disks and individual files is well-understood for hard drives, flash-based solid state disks have a very different internal architecture, so it is unclear whether hard drive techniques will work for SSDs as well.

We empirically evaluate the effectiveness of hard drive-oriented techniques and of the SSDs' built-in sanitization commands by extracting raw data from the SSD's flash chips after applying these techniques and commands. Our results lead to three conclusions: First, built-in commands are effective, but manufacturers sometimes implement them incorrectly. Second, overwriting the entire visible address space of an SSD twice is usually, but not always, sufficient to sanitize the drive. Third, none of the existing hard drive-oriented techniques for individual file sanitization are effective on SSDs.

This third conclusion leads us to develop flash translation layer extensions that exploit the details of flash memory's behavior to efficiently support file sanitization. Overall, we find that reliable SSD sanitization requires built-in, verifiable sanitize operations.

News article. Video of talk.

Posted on March 1, 2011 at 6:29 AM • 96 Comments

Comments

Richard • March 1, 2011 7:04 AM

Thanks Bruce, this is useful for me, I've been using an SSD for six months now (love it) but wasn't sure how various disk tools deal with zeroing it out.

Clive Robinson • March 1, 2011 7:36 AM

Also note the paper did not go into "failure modes".

That is the drives they looked at to get the results were still working.

Usually we only get rid of drives for two reasons,

1, Upgrade (which this paper covers)
2, Fault (which this paper does not).

Now...

Fault on SSDs is way way way more complicated than on mechanical drives.

For a simplistic explanation of why this is important think for instance of the drive as having an internal fuse that blows and the drive stops working. If you know about the fuse then you replace it and carry on working. If you don't you chuck the drive in the trash where potentially somebody who does know will replace the fuse and read your data.

Contrary to what many think when an electronic item fails it can usually be repaired as it only fails in one specific place and the rest of it is unharmed.

Thus data on an SSD is highly vulnerable unless you really know how to destroy each and every chip beyond recovery.

Doing this is actually very very difficult which is why such chips are used in those "black box" flight recorders...

Clive Robinson • March 1, 2011 7:40 AM

@ go2null,

"TrueCrypt"

You forgot the human element.

There was a recent news item from the UK's Information Commissioner's Office (ICO) about a middle England organisation that got fined.

Apparently they used encrypted drives etc but still the information got lost in plain text...

Dave • March 1, 2011 7:48 AM

@ go2null

"TrueCrypt"

I know what you're getting at, but surely sanitizing TC's volume header effectively is just as tricky as wiping any other part of the drive?

Clive Robinson • March 1, 2011 7:54 AM

@ Dave,

The paper also shows that not all drives sold as "encrypting drives" actually encrypt reliably...

Moral,

If you can't check it don't trust it...

Or as the CIA supposedly used to say it,

In God we trust, all others we check.

Dave • March 1, 2011 7:56 AM

So, SSDs are clunky (less reliable than traditional hard drives), not superfast (only marginally quicker than traditional hard drives in real-world usage), suffer from performance degradation over time, and evidently (if you'll pardon the pun), more difficult to sanitize.

Give me spinning platters any day.

Clive Robinson • March 1, 2011 8:15 AM

@ Dave,

"but surely sanitizing TC's volume header effectively is just as tricky as wiping any other part of the drive?"

You have just reminded me of a very important point.

@ ALL,

There is a reliability issue in all flash memory and it is to do with the number of "erase cycles" to memory density.

That is, Flash with low erase cycle reliability is way way cheaper than those with high erase cycle reliability.

IMPORTANTLY this has design consequences over and above the ordinary "wear leveling" you get told about.

When a typical USB or other "thumb drive" is designed they use two types of Flash memory: low erase cycle reliable for storing the data and high erase cycle reliable for storing the FATs of the Microsoft FAT FS...

This gives the drive a much greater in-life reliability figure than it would have if the FATs were stored in the low erase cycle reliable Flash memory.

One consequence of this (that you should not see on IDE SSDs) is if you format it for NTFS or other non-FAT system it will fail long before you expect. Further, even if it is FAT it's the old MS FAT FS as Microsoft have shown a willingness to prosecute people who use the "extended FAT" filesystem.

Clive Robinson • March 1, 2011 8:27 AM

@ Josh O,

"Fire ?"

Sorry not a chance in any fire you'd want to be even close to.

One test I'm aware of the testers took a flash memory module that was mounted in a heat resistant packaging for the expected usage. They then put this inside a well known insulation inside a thin (5mm) thick high temperature container of moderately large size.

They put this in a furnace and raised it to above the liquefying temperature of common aluminium materials for an hour or so (the expected burn time of a jet full of fuel burning in a natural depression in the ground which would "pool" the fuel).

Once cool they removed what was left of the outer casing and insulation and the memory module was found to have reached temperatures well above its expected operating point (ie the PCB was nearly black and was breaking down) but the data on the chips was found to be still mainly readable...

As I said earlier they are a bit difficult to destroy reliably.

Calvin • March 1, 2011 8:42 AM

Propane for home use, Dremel for the patient, or for the paranoid Oxy-Acetylene

Thomas • March 1, 2011 8:52 AM

@Clive Robinson That's very impressive; can you share the source of this test?

Ron • March 1, 2011 8:56 AM

{snip}Doing this is actually very very difficult which is why such chips are used in those "black box" flight recorders... {/snip}

Are you sure about that? It may be true for the newest generation of "black boxes" (representing a tiny % of aircraft flying), but all of the examples I've seen or read about are still reel to reel tape recorders.

Clive Robinson • March 1, 2011 9:06 AM

@ Calvin,

"For the paranoid Oxy-Acetylene"

No that's just for the run of the mill cautious people...

Think, Crush, then burn, then pulverise, then burn again to start.

Then grind and then Oxy-Acetylene temp burn as some peoples idea of secure destruction. And others as a way to get out the semiprecious metals like gold.

But... this is not enough for some, So then,

All the remaining ashes and slag are then chemically destroyed further until nothing solid is left not even sand.

Or the ashes and slag are added as part of the load in an electric arc furnace used for turning scrap steel and other junk to slag iron.

Remember even Diamonds burn (on liquid oxygen) or dissolve (in molten iron).

And quite seriously there are materials out there that in some respects are much tougher than diamond...

And yes I'm being quite serious about the "not even sand" and I do know of a couple of electronic arc furnaces (south east of Heathrow Airport near London) that have been used for secure destruction.

If you think about the size of a grain of sand and modern information packing densities you could get one heck of a number of AES keys on a grain of sand.

People think of "data loss" as being a major issue, I can assure you "reliable data destruction" is about as hard as it gets...

Chris • March 1, 2011 9:23 AM

@Dave

>SSDs are klunky (less reliable than traditional hard drives)
MTBF on good SSDs is ~1.5 million hours now and the early firmware bugs are long gone.

>not superfast (only marginally quicker than traditional hard drives in real-world usage)
This is a joke, right? Current-gen SSDs beat the hell out of mechanical drives in even light consumer-level workloads. The upcoming stuff like the Vertex 3 utterly embarrasses them.

>suffer from performance degradation over time
Argument invalidated by TRIM, please try again.

>and evidently (if you'll pardon the pun), more difficult to sanitize.
More difficult but not impossible.

>Give me spinning platters any day.
Enjoy your rotating rust, I'll be over here in the modern world.

problem?

Clive Robinson • March 1, 2011 9:33 AM

@ Thomas, Ron,

The tests for this were carried out as part of a contract to find more reliable methods of recording the vastly increasing amounts of flight data.

Rolls Royce however have also opted to send the data from their latest range of jet engines in real time (or very close to it) so as to avoid even this level of "unreliability" and even allow what is in effect in-flight maintenance...

When reputation is at stake in the airframe and engines business flight data is what can save a multi billion dollar organisation (think Boing / EuroBus / Rolls Royce et al) from going splat when an aircraft drops off the radar.

It is one of the many reasons they are still trying to find the flight data recorders for that French Aircraft where little more than a patch of tail fin was found.

@ Ron,

They don't use conventional tape or even wire any longer except in systems that are last century or where that medium is mandated, it's too heavy for one thing and too large for another.

The big trick with all these systems is "thermal energy management" that is you could if you were very quick run a cutting torch across the back of your hand and suffer only minimal burns. Many people have the silly party trick of waving a finger through a candle flame. Providing you can manage to keep the energy away from the recording medium the more robust it is going to be. Thus it would be possible (and the likes of NASA have investigated for instrumentation etc) to make a device that could be left in liquid magma for not so short periods of time.

Dirk Praet • March 1, 2011 9:48 AM

Looks like an interesting experiment for Jim Hughes. I wonder if he'd go for machinegunning the SSD or putting it through the shredder.

Phil • March 1, 2011 9:53 AM

Grinder is a great tool. I can't see anyone recovering any useful data from fine powder. You'll just need ventilation during the process to avoid inhalation of toxic elements if you do it as your daily job.

Paeniteo • March 1, 2011 10:04 AM

@Dave: "I know what you're getting at, but surely sanitizing TC's volume header effectively is just as tricky as wiping any other part of the drive?"

True, but I have two cents to add:
1) Normally/IMHO, your threat model would include the "lost/stolen media" scenario anyway. Hence, your passphrase should be strong enough so that theoretically there is no necessity at all to sanitize the header.
2) Even if copies of the header remain un-sanitized due to wear-levelling, one probably cannot find them as they cannot be distinguished from ciphertext blocks without knowing the passphrase (this is a feature of Truecrypt that is not commonly found in other full-disk encryption tools, such as LUKS).

sheeshman • March 1, 2011 10:27 AM

@Clive
Usually we only get rid of drives for two reasons,

1, Upgrade (which this paper covers)
2, Fault (which this paper does not).

Now...

Fault on SSD's is way way way more complicated than on mechanical drives.
---
A sledgehammer is one way to "solve" the data access issue for a drive that a user is going to throw away.

MailDeadDrop • March 1, 2011 10:28 AM

For simple consumer-level destruction, wouldn't tossing a thumb drive into a microwave oven suffice? At that point, recovery would require the use of a focused ion beam (FIB) to repair the aluminum traces on the surface of the chip in order to then access the chip circuitry.

bmedward • March 1, 2011 10:56 AM

Interesting - while the NIST SP 800-88 - Guidelines for Media Sanitization (published in 2006) makes no claims for SSD media as a class, its recommendations on "purging" of solid state storage media are handled inconsistently.

Cell phones, PDA's, and disk-free USB media can be purged by meeting the "clear" criteria. This involves resetting, or overwriting and validating the media is cleared.

For Compact Flash, SD cards, and PCMCIA storage, the purge defers instead to "Physical Destruction" criteria.

In either case, if the media is used to store highly sensitive information it is generally more holistically cost effective to destroy it rather than putting it up on ebay or wikileaks.

http://csrc.nist.gov/publications/nistpubs/...

Joseph R. Jones • March 1, 2011 11:10 AM

I take a contrarian view on this one: if you need to securely erase your drive you're doing it wrong. Tools like BitLocker and TrueCrypt make whole-drive encryption easy and seamless-- why store any cleartext on your drive?

Been There, Done That • March 1, 2011 11:32 AM

@MailDeadDrop

Microwave ovens are a good way to "fry" CD-ROMs as well.

Boris • March 1, 2011 11:34 AM

Dave, it really depends on your real-world usage. From my comparisons, an SSD makes things like OS boot and application startup _much_ faster. Think a web browser starting in 0.2s instead of 2s.

Clive Robinson • March 1, 2011 11:49 AM

@ Phil,

"Grinder is a great tool"

It is if you can reliably get it to the storage media (which is difficult in an industrial scale process).

@ Sheeshman,

"A sledgehammer is one way to "solve" the data access issue for a drive that a user is going to throw away"

Whilst I would agree a sledgehammer is a good way to open any drive it probably won't do any real harm to some of the chips in a thumb drive even if you do give it a good pounding.

@ MailDeadDrop,

"For simple consumer-level destruction, wouldn't tossing a thumb drive into a microwave oven suffice?"

No due to EMC and other sometimes cosmetic requirements.

Using 2.5GHz or 12cm EM radiation is actually not that good on a device whose total electronic area is 0.75cm by 1cm with protection circuitry and a wrap around metal case.

@ All

For most of us just wrapping a faulty thumb drive up in a used baby's nappy and chucking it in the trash is all the security precaution we need.

However for some whose activities may be less socially acceptable for whatever reason you might want to consider the following,

Using a hammer to open and remove any metal screening etc from the PCB and knocking off the bigger protection component would make a good first step.

Chucking the PCB into the microwave for a minute (remember the half glass of water to protect the microwave) would make a good second step.

Then carefully grinding down the chip packages so as not to tear them out of the mountings before you grind down the silicon would make a good third stage.

Finally toss the remains in a used nappy etc.

The problems the likes of large high security organisations such as the NSA have is the quantity of highly confidential waste and using the minimum of highly trusted people to handle it during the destruction process.

And for them as a lot of the waste is KeyMat, it is a very real concern that one or two encryption keys escape the process and get found and used to decode radio communications traffic even from years back.

And they have good reason to be, have a look at the history of Project Venona ( http://www.nsa.gov/public_info/declass/venona/ ). Put simply the Soviets were lax with how they used One Time Pads for agents. It was found as part of the project that some of the OTP key material had been reused. The messages this revealed and their content showed a major major security breach in what was at the time one of the most highly classified areas there was (and in some respects still is).

But for the majority of us being sensible about what we do and being moderately cautious is enough.

Chris • March 1, 2011 12:58 PM

@Kenny

Anything with a SandForce controller should do it correctly, as the controller does AES-128 in hardware. When the drive receives the ATA Secure Erase command, it overwrites everything *including* the key storage area as well, and then generates a new key.

Nick P • March 1, 2011 1:27 PM

Um, are these research claims new? I remember the last time I read a paper on flash drive wiping it said pretty much the same things. Don't remember the paper, but I've avoided flash drives for anything sensitive (and unencrypted) ever since. I still maintain that the best way to erase data is to store it encrypted and lose the key. The odds of recovering a key are slim compared to data on a storage medium, the workings of which are fraught with complexity. Inline encryption, software or hardware, is the best approach for COTS devices to achieve these properties.

When will people learn to quit worrying about how to remove sensitive data from devices and just stop putting it there (in plaintext) in the first place?

Richard Steven Hack • March 1, 2011 1:29 PM

Clive: Thermite?

One of the Syngress books had the bad guy with a thermite mix set over his hard drives, if I remember correctly, which if triggered would melt down over his drives. (He also ground down his CDs with an industrial sander.)

I mean, if it's good enough for melting Terminators who have high thermal resistance endoskeletons...

Nick P • March 1, 2011 1:31 PM

@ Clive Robinson

Good info on recovery. Many people just don't know how good these recovery firms are or how resilient the data is. Truly paranoid types use solid encryption & destroy the data storage medium.

I thought the mention of using the arc for secure destruction was interesting: I came up with it independently. However, I found something better around last year. Did you hear of the plasma converters that are being used to dispose of trash? I figure the NSA and companies handling secure disposal should buy one because, last I checked, plasma isn't as kind to flash cards as fire. ;)

http://science.howstuffworks.com/environmental/...

I also expect a company connected to the Mob to buy one. Would be useful trying to get rid of... things. ;)

Nick P • March 1, 2011 1:40 PM

@ Richard Steven Hack

"One of the Syngress books had the bad guy with a thermite mix set over his hard drives, if I remember correctly, which if triggered would melt down over his drives. "

I'm suing him for infringement. Although, I did stop using that setup after a week. I had to make a risk tradeoff. Which is more likely? Bad guys kicking in my door and grabbing the computers with sensitive materials? Or some fault causing the thermite to destroy them for no reason at the worst time possible? I removed the thermite...

Recent design involves high voltage currents moving through wires connected to each chip with volatile memory, activated upon redundant tamper detection. Not sure how well this will work, but it is the last in several layers of defense. I also try to keep the secrets and data in the first 128MB to 256MB of RAM, which are wiped before the physical defense is activated. Whole process takes 5 seconds if random overwrite, 3 if zeroizing, and no more than 1 if just physical shock is applied.

@ Clive

What do you think is good enough voltage, amps, etc. to apply to a piece of RAM to ensure the data isn't recoverable? I'm trying to move to an all-hardware solution, but I have no way of extracting data from the RAM after I shock it to see how much data is lost. Any re-assuring answers? And the NSA isn't the opponent: more like university students paid by crooks and maybe various national law enforcement forensics labs.

Richard Steven Hack • March 1, 2011 1:54 PM

Nick P: That was my first thought about the thermite approach. Presumably one could minimize the accident potential.

Meanwhile, thermite works:

Scary Robot: http://www.youtube.com/watch?v=-fZN5-kHETc

Bucket of thermite and a flare. Classic scene.

Actually Summer could melt the machine just by her presence.

Steven Hoober • March 1, 2011 2:19 PM

> why storing any cleartext on your drive?

If your computer is in a suitably secure facility, why not? I suspect NSA doesn't encrypt everything because they can't take the performance hit on those acres of computers beating on all that data. And consider stuff that's hard to stop being stupid, like printers and so on.

When it's time to throw them away, what do you do? Most agencies seem to throw them away, but there are standards that should be abided by.

Clive Robinson • March 1, 2011 3:17 PM

@ Richard Steven Hack,

"thermite - book"

I think it was called something like "own the network" or "own the world" and was supposedly written by "elite hackers" or some such.

The problem is that they may have good knowledge in some domains but not others.

The problem is thermite does not work the way people think it does from TV Movies and films.

As I said earlier it's not about making the thermal energy which is relatively easy but getting it to where you either want it or away from where you don't want it (as in the case of the proto data logger for aircraft engine usage).

I actually have some thermite destruction sleeves for older style large 5" hard drives (and one for an 8" drive) I will describe how they are constructed and you will get to see how you have to think.

The sleeves consist of 1/4 inch (6mm) thick steel plate welded together to form a container with a clamp down lid (yes I did say clamp down). Inside of this is a 1/4 formed sleeve of white asbestos with an interlocking lid that is underneath the clampdown lid. The inside of this sleeve has about a 1 inch thick cellulose nitrate bonded formed thermite sleeve, mounted in which are rails the drive slides in and out on with a corresponding cork rubber shock absorber. The data and control cables (yup this is way before IDE or SCSI single cable) come through a compression fitting in the edge between the clamp down lid and the sleeve.

Now the thing was originally manufactured in SA and the instructions are it is to be fitted with the compression fitting on the top side. And should be mounted in a fire brick enclosure on a concrete plinth.

This design is such that the thermal energy gets quickly and reliably directed into the drive and only leaks out slowly to the steel outer case.

Simply wrapping the drive in thermite or having a lump above the drive is insufficient to ensure the entire drive gets melted way beyond recovery in a reasonably short period of time.

Now I know people can find the recipe for low ignition temprature thermite on the web and all the chemicals (red lead oxide powder, black or red iron oxide powder, aluminium powder celulose paint binder) down at their local car body shop and not attract any attention in buying them as they are all used in either paint or undercoat or underbody protection and "good old boy" car restorers prefer to "roll their own" original style paints.

But that knowledge alone won't help you as it is all about energy flow management and you can demonstrate this by putting a small amount of thermite in a very clean pottery or ceramic flower pot with a hole in the bottom and whilst setting it off hold it by the top with your hands whilst having molten iron and alumina running out the bottom and yes I do know someone who has done it as a party trick (the real trick being knowing when to put it down).

Thermite is not an explosive, it does not produce super heated gases that expand rapidly, it just generates enough heat to melt small quantities of steel and the odd diamond or two. It is why it is used in the railway industry to efficiently weld rails together.

So you need a considerable quantity of thermite to completely destroy a hard drive if the thermite is just sitting on top and this is obviously a very real safety hazard as molten iron and alumina flow with gravity just like water and will take the thermal energy with it.

Buy yourself a dual skin steel fire safe and drill a hole through for the serial/network cable and power cable at the top (this also acts as a vent off point). Line the inside of the safe including the door with either "kiln bricks" or unglazed ceramic tiles and bond with "fire clay". Put your equipment inside and also if required an externally available water cooling system. Surround the equipment by a volume of thermite sufficient to ensure the equipment will get fully immersed in molten metal.

Build the fire safe in surrounded by at least two brick thickness of kiln or fire breast bricks (those for fire walls won't do) mounted on a concrete plinth with a raised edge such that if the safe ruptures the molten metal will be contained safely.

The only hard bit left to do is design the electrical or mechanical or both igniters and appropriate anti tamper detectors.

This design of "secret safe" has been used by the likes of the NSA et al for donkeys years (there is a story about one being used and taking six weeks to get sufficiently cool to be removed safely). Other types have used glass or porcelain containers of conc sulphuric or stronger acid etc but these would prove extremely difficult for the semiskilled home constructor. Military Crypto destructor kits often look like largish biscuit tins and have various shaped thermite and other "charges" plus instructions on how to deploy them...

The important thing to remember when designing things is that the equipment you put inside must not have a serious rate of expansion otherwise you have a small bomb or flame thrower on your hands...

NobodySpecial • March 1, 2011 3:24 PM

@Chris - not 100% true. Although TrueCrypt doesn't have a header signature it is possible to identify TrueCrypt volumes from the checksum in the header - although false positives are possible.

So you could have a case where a wear levelled block contained data identifiable as a TC header which would prove that the ssd had contained a TC volume.

Wouldn't help you getting at the actual data of course.

moo • March 1, 2011 3:41 PM

Consider an SSD with a TrueCrypt container on it (assume the container fills most or all of the space on the SSD), and suppose you want to change your passphrase because you think it might possibly be compromised.
So TrueCrypt is going to replace the volume header with a different one. The old header and new header will both look equally random to an attacker, unless they happen to know your passphrase. Because it's an SSD, there's no guarantee that "overwriting" the volume header will actually overwrite those blocks at all. So how to do this securely?

The best solution I can think of requires a couple of steps:
(1) Change the password and write the new volume header to the SSD (which stores it somewhere, but doesn't necessarily overwrite the old one at all).
(2) Copy the entire container from the SSD to a different storage device (spinning-platter hard drive, or if you're feeling daring, maybe a RAM drive...)
(3) Quick-format the SSD.
(4) Copy the entire container back to the SSD. As long as the container is big enough, this has a very high probability of overwriting the old volume header, if the SSD isn't smart enough to have already garbage-collected it.
(5) Secure-delete the container (or at least the volume header part) from your spinning-platter drive, or wipe the RAM drive.

Step 1 is necessary so that you don't copy the old/vulnerable volume header anywhere else. Steps 2-4 are necessary to make sure the old volume header gets overwritten, and step 5 is to avoid leaving the new volume header lying around on other devices.

(6) If you were really paranoid, you could do steps 1-5 using a temporary passphrase written on a scrap of paper, and then once it's on the SSD, change its passphrase again, to whatever you actually want to use as your passphrase. And then burn the piece of paper. This way, your "real" new volume header never gets written to anywhere but the SSD.

Note, using containers that are substantially smaller than the entire size of the SSD is simply NOT safe from a determined adversary. When you "overwrite" the volume header there is a high probability that it won't actually be overwritten. Even formatting and overwriting the "full size" of the device does not strictly guarantee that it will get overwritten, but at least it is very likely to succeed. You want to fill the "full size" of the SSD with your container, so that the entire contents of the drive look like random data to anyone who doesn't have the proper passphrase and/or keyfiles. Even then, forensic efforts might still reveal when certain areas of the container were written to (and possibly even the previous encrypted contents of those areas of the container). If you want to try and deny that it's an encrypted container, you need a plausible explanation for why you wrote "random" data to different areas of it over time. About the only possibly credible excuse I can think of in that vein is "I forgot my password".
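To make the mechanism behind the paper's three conclusions and moo's step (4) concrete, here is a toy flash translation layer written for this page; it is not the paper's code, not TrueCrypt's, and not any real controller's algorithm. The sector and page counts, the `SECRET` stand-in for a volume header, and the garbage-collection policy are all constructed assumptions. It shows why rewriting the same logical sector (the hard-drive file-wiping approach) leaves the old page readable from raw NAND, why a whole-drive fill can need more than one pass (and, in this model, more passes the more over-provisioning the drive has), and why a correctly implemented built-in sanitize is the one operation that clears every page.

```python
"""
Toy flash translation layer (FTL), constructed for this example.
A logical write always lands on a fresh physical page; the superseded
copy is only marked stale and stays in NAND until garbage collection
erases it. A chip-off reader sees every page that was never erased,
which is what the paper's raw extraction does.
"""
import os


class ToyFTL:
    def __init__(self, logical_sectors: int, physical_pages: int) -> None:
        assert physical_pages > logical_sectors, "SSDs over-provision"
        self.flash = [None] * physical_pages      # raw NAND page contents
        self.l2p = {}                             # logical sector -> physical page
        self.free = list(range(physical_pages))   # erased, writable pages
        self.stale = []                           # written, superseded, not erased

    def write(self, lsn: int, data: bytes) -> None:
        if not self.free:
            self.garbage_collect()
        ppn = self.free.pop(0)
        self.flash[ppn] = data
        if lsn in self.l2p:
            self.stale.append(self.l2p[lsn])      # old copy is NOT erased here
        self.l2p[lsn] = ppn

    def read(self, lsn: int):
        """What the host sees through the drive interface."""
        return self.flash[self.l2p[lsn]] if lsn in self.l2p else None

    def garbage_collect(self) -> None:
        # Toy policy: erase every stale page at once. Real controllers erase
        # per block and may keep a stale page around much longer, so this
        # model is optimistic about how fast residue disappears.
        for ppn in self.stale:
            self.flash[ppn] = None
        self.free.extend(self.stale)
        self.stale = []

    def raw_dump(self):
        """What a chip-off reader sees: every page not yet erased."""
        return [p for p in self.flash if p is not None]

    def builtin_sanitize(self) -> None:
        """Model of a correctly implemented built-in erase: every page erased."""
        self.flash = [None] * len(self.flash)
        self.l2p, self.stale = {}, []
        self.free = list(range(len(self.flash)))


SECRET = b"TC-HEADER-OLD"   # constructed stand-in for a file or volume header


def residue_after_logical_overwrite(passes_over_sector: int = 3) -> bool:
    """Hard-drive-style file sanitization: rewrite the same logical sector.
    Returns True if the original data is still present in raw NAND."""
    ftl = ToyFTL(logical_sectors=8, physical_pages=12)
    ftl.write(0, SECRET)
    for _ in range(passes_over_sector):
        ftl.write(0, os.urandom(len(SECRET)))
    assert ftl.read(0) != SECRET          # host-visible view already looks clean
    return SECRET in ftl.raw_dump()


def residue_after_full_fill(passes: int, logical: int = 8, physical: int = 12) -> bool:
    """Overwrite the whole visible address space `passes` times.
    Returns True if the secret survived in raw NAND."""
    ftl = ToyFTL(logical, physical)
    ftl.write(0, SECRET)
    for _ in range(passes):
        for lsn in range(logical):
            ftl.write(lsn, os.urandom(len(SECRET)))
    return SECRET in ftl.raw_dump()


def fill_passes_needed(logical: int, physical: int, limit: int = 10) -> int:
    """Smallest number of whole-drive passes after which the secret is gone
    in this model; -1 if it survives `limit` passes."""
    for passes in range(1, limit + 1):
        if not residue_after_full_fill(passes, logical, physical):
            return passes
    return -1


def residue_after_builtin_sanitize() -> bool:
    ftl = ToyFTL(8, 12)
    ftl.write(0, SECRET)
    ftl.builtin_sanitize()
    return SECRET in ftl.raw_dump()


if __name__ == "__main__":
    print("logical overwrite leaves residue:", residue_after_logical_overwrite())
    print("one full-drive pass leaves residue:", residue_after_full_fill(1))
    print("two full-drive passes leave residue:", residue_after_full_fill(2))
    print("passes needed with 3x over-provisioning:", fill_passes_needed(8, 24))
    print("built-in sanitize leaves residue:", residue_after_builtin_sanitize())
```

The check that matters is `raw_dump()`, not `read()`: the host-visible view looks clean after the very first overwrite, which is exactly what makes hard-drive-style verification misleading on an SSD. A container that fills the whole drive, copied back as in moo's step (4), is the full-fill case; a smaller container leaves logical sectors untouched and so never forces the controller to reclaim the stale page.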

Henrik Storner • March 1, 2011 3:53 PM

It's interesting that the same type of devices exhibit a behaviour that is causing much headache for people doing forensic analysis on computers: http://news.techworld.com/security/3263093/...

Apparently, finding deleted data on an SSD can be quite a problem. At the same time, it is difficult to be 100% sure that it really has been made un-recoverable.

moo • March 1, 2011 3:54 PM

@NobodySpecial:

I think you're incorrect about that one. Unless you can decrypt the volume header (i.e. you already know passphrase+keyfile(s)), there is no way to verify the checksum in it. To an adversary who can't decrypt it, the entire volume header looks like random data, just like every other sector of the TrueCrypt volume. Of course a large file or device full of "random" data is highly suspicious if someone thinks you might be trying to hide your data, but there's no way to positively prove that it is encrypted data without actually revealing the passphrase+keyfile(s).

The real weakness of SSDs (and I guess any kind of "smart" or remapping storage device) is that securely erasing a potentially-compromised volume header is not as easy as it looks.

If someone finds out your passphrase, and they also find a copy of an old volume header that could be unlocked with that passphrase, then they can get the real key and access the container even after you've "changed" the password on the container to something else. (This is also a nice feature for businesses, that want to use encrypted containers but keep an "alternate" volume header that is unlocked by an "administrator" password stored in a safe somewhere, in case the user forgets their own password or something).

If you ever suspect that someone might have had access to a potentially-compromised volume header, the only safe thing to do is create a completely new encrypted container (including a new key) and copy all of the contents across, and then securely overwrite all copies of the entire old container.

Clive Robinson • March 1, 2011 4:10 PM

@ Nick P,

With regards blowing chips with electricity I'm not the best person to ask these days. Robert T knows more about current chip internals.

And this is important as if done wrong you may only blow out the bond wires or IO blocks and thus leave the data still in the chip.

As for Uni students some of them these days could well give the likes of the NSA a run for their money (they already are when it comes to vast database analysis for data mining).

To destroy a chip I personally would look at taking it dynamically out of specification. That is by over/under/reverse volting the chip and or IO lines and generating sufficient heat in the chip to destroy it.

But as I said you need to speak to someone who is well up on the internals of chips not just in general but specifically to the chips you use.

As for the futuristic "plasma garbage bin", hmm I've seen plasma torches in use for cutting and other activities lets just say I'd keep away from them. The setup given by the article does not look "convenient" or inexpensive to operate. Also keep them away from operating computers and the like, the generators used to get and sustain the plasma are very definitely an EMC hazard.

If you are looking into the future you could also have a think about generating artificial "ball lightning" inside the computer case. If I remember correctly in essence it uses an arc to generate a plasma ball in certain gas mixtures and you dump mega joules of energy in as current. I don't know how viable it is now but it was a fringe research topic years ago around the time of Fleischmann's "cold fusion".

Personally I like carbon arc smelters or even old fashioned Bessemer converters etc because they are actually quite common and not that fussy about what the scrap really looks like. So for "home use" you get a bit of scaffolding pipe, bash your stuff up with the sledge hammer, pop it in the pipe and bash it flat to keep the bits in and just chuck it into the arc smelter's input pile, with nobody being any the wiser. From what I've seen many of these smelters don't really care about bits of rubber tyre or other organic materials mixed in with the scrap iron (shades of Auric Goldfinger ;) as it's fairly normal in operation when the scrap includes crushed cars and rebar from building sites.

Clive Robinson • March 1, 2011 5:36 PM

@ Steve Hoober,

With regard to storage and use of plain text,

"I suspect NSA doesn't encrypt everything because they can't take the performance hit.."

That is probably the least problematical of the reasons.

For many reasons things are easier if you design for plaintext or ciphertext and don't mix them in a system.

One aspect is "lost data" from a dynamic system.

Sometimes it is more important to know exactly what you have lost than the fact that you have lost it to the enemy. Thus in some Mil or Intel environments you find the likes of document safes that often don't have "fail on tamper" doors, which are quite normal in a business such as a jeweller's or rare coin dealer's.

The reason is to do with the intangible nature of information. If you assume it can be copied easily or at no cost, its value is not in the documents or data but the metadata about them.

As an overly simplistic and non technical explanation... ;)

If you have a safe which might have some part or all of a battle plan or other very time sensitive info, and a dead guard in front of it, you really need to know what your enemy has taken/copied quickly. Not guess at "what they might have" because you can't find out, because the door is now jammed shut and will be for many days until an expert arrives who can open it.

And if you have a long think about it you might also see several other reasons why there are other non-performance issues that are more easily solved when you have plain text not cipher text.

If you look at some of the NSA product line up they tend to do "transparent" cryptography. That is, they use the likes of "inline media encryptors", not individual file etc. encryption, to effectively do data in transit or "comms encryption". This is a follow on from the "know the plain text" ethos.

One reason for this view point is simplicity of design and segregation of Red/Green. You don't end up with serious design headaches trying to work out where your red and green areas are and how they might interfere with each other in EmSec.

On the technical side there are very real issues, not just signal crossover but remodulation in all the domains (frequency, time, etc).

For instance you can inadvertently loop signals back on each other and have some very interesting and unwanted effects when such things as time or sequence domain encrypted signals get re-encrypted. This can make plain text leak out in the jitter on signals with some types of encryption mode but not others...

If you design the system such that each unit is either red or green then things like testing and integration become easier to deal with, especially as systems evolve.

Yup, I know it is difficult to explain without a concrete example, but here goes.

As you know there are a number of theoretically secure systems, the simplest of which is the One Time Pad, the electronic version being a stream cipher where the keytext or stream is added modulo two bit by bit to the plain text to make the cipher text. As long as the keytext remains unknown (and unpredictable) the ciphertext is unbreakable.

Imagine what would happen if the cipher text gets fed back by a quarter of a bit through the modulo two adder. The output would in effect contain elements of the plain text and key text acting as ISI on each other.

If care is not taken even reclocking will not stop the plaintext leaking through on such things as rise times; worse, the low frequency of the plain text has now become very very high frequency spurs around the basic reclock frequency, and thus can re-impose itself somewhere else in the circuit via some common element such as a ground, power supply or clock rail.

Even in fully digital systems, underneath they are still analog and are thus just like pressure cookers. A simple digital element such as a D type latch acts as a frequency mixer which can turn simple sequence domain information into frequency domain information which leaks out in unexpected places.

moo • March 1, 2011 6:00 PM

After thinking about it for a while, I think you should never change the password on a TrueCrypt container which has been stored on an SSD, and you should also never copy that container to another device because of the risk of leaking two different versions of the same part of a container (encrypted with the same master key) which could be used for cryptanalysis. It's safer if you never copy containers. Just create a new container with a random passphrase on some other (non-SSD) temporary device, copy the contents across, quick-format the SSD, create a new container filling almost all of the SSD with your new passphrase, copy the contents back, unmount the containers and secure-erase the one on the temporary device (or the entire temporary device, and then grind it down to a fine powder...) See? Simple!

Richard Steven Hack • March 1, 2011 6:17 PM

Clive: OK, I can see where the problem is - basically it's controlling where the thermite goes once it's ignited.

Why can't you just build a kiln similar to your fire safe, put the thermite in it, then dump the hard drive in it? Or in the case of this thread, the USB drive - which is a lot smaller area to consume? If you essentially "immerse" the drives in the thermite, shouldn't that work to avoid the issue of flow directing the heat away from the entire drive surface?

Granted, it's not as fast or secure a solution for someone worried about being raided, since you'd have to pull the drive to insert it in the kiln, but for general destruction on a small scale (and is possibly scalable to larger numbers), that seems a feasible method to me.

pj • March 1, 2011 6:47 PM

There was a recent article in the UK news regarding a worker in a British Airways datacenter being arrested as part of a bomb plot. The press reported the police as saying he had the most advanced encryption they had ever come across - and it took them almost 9 months to break.

Have the UK police just cracked something like PGP or TrueCrypt in 9 months...?

NobodySpecial • March 1, 2011 9:29 PM

@moo might have got the details wrong - but I was thinking of TCHunt (https://github.com/16s/TCHunt)

NobodySpecial • March 1, 2011 9:31 PM

@pj - they don't have to break the encryption, just guess, eavesdrop or 'extract' the passwd from him

The 9 months probably included 8 months of filing the paperwork followed by guessing it was "password"

RobertT • March 1, 2011 11:01 PM

If I were tasked with destroying a flash drive, I'd do the following:
1) remove external plastic casing to get at the PCB with chip mounted on it
2) Put the entire PCB in a mixture of fuming Nitric acid and Sulfuric acid and heat to about 80C and wait about 5 minutes
3) now you should have a beaker with acid, metal scraps and some clean die (chips)
4) put the die (Flash chips) in Hydrofluoric acid and wait while chip dissolves.

End of procedure: No chip = No data

@NickP, @CliveR
"What do you think is good enough voltage, amps, etc. to apply to a piece of RAM to ensure the data isn't recoverable? I'm trying to move to an all-hardware solution, but I have no way of extracting data from the RAM after I shock it to see how much data is lost. Any re-assuring answers? And the NSA isn't the opponent: more like university students paid by crooks and maybe various national law enforcement forensics labs."

Using Over-Voltage / Over Current to electrically destroy the contents of a memory (Flash or RAM) is not really possible.

OK, so what happens when a CMOS device is electrically Over-stressed (EOS damage)?

There are 3 models of EOS damage commonly in use within the chip business. These are
1) Human Body Model
2) Machine Model
3) Charged Device Model

The region of the chip that is damaged depends on the nature of the EOS event. For the first 2, damage is almost exclusively contained to the I/O pad area.

A CDM type event is your best hope of inducing damage within the core of the device. However this will only happen if the device is not designed to withstand CDM EOS events. CDM is a relatively recent requirement. To create a CDM type event you need to charge the whole USB stick to say 50KV and then discharge the chip by connecting one of the I/O to GND. Repeat for as many I/O as are available. Unfortunately the nature of USB memory sticks means they are almost certainly immune to this type of damage. Otherwise they'd be damaged just by being in our pockets.

In general EOS damage will occur at the Supply clamp or at the I/O ESD clamp. If someone wants to recover the data they will typically remove the packaging material above the damaged die, using a special depackage tool that adds hot fuming nitric acid to the top of the chip and dissolves enough package to expose the chip surface. Typically you can now see the damaged pin (black spot on the die), so you now find a way to bypass the damaged I/O circuit and reconnect the internal signals to the external pin. This repair is done with a FIB (focused ion beam) and a manual wire bonder. After this they can just read the data from the flash/RAM as if nothing had happened.

BTW: the same analysis applies to microwaving the USB memory stick.

I have no idea how many local LEAs would have the skills to do what I have outlined above, I suspect none, but it is certainly not outside the skill sets of other 3 letter agencies.

There are also several FA (failure analysis) companies that could easily do what I've described, total cost about $3000USD per chip.


Nick P • March 2, 2011 1:36 AM

@ RobertT

So you're saying hitting the chip a bunch with a 500,000 volt stun gun won't scramble the data enough? That's the method I'm referring to. I wasn't talking about sending voltage up through the connectors, which I figured they'd plan for to prevent faults. I'm talking about discharging electricity onto arbitrary pieces of the chip with a stun gun. Do your statements still apply to this? Less? More? New considerations?

Thanks for the input as always.

Nick P • March 2, 2011 1:42 AM

@ Clive

Thanks for the design criteria on the thermite. I can tell from the description that it would probably work. As Richard has discovered, controlling how the energy is directed is the trickiest part of thermite use, which can only be described as attempting to bring some order to utter chaos. I think we can simplify the design you gave, but I don't think I'll try if the data is truly important. ;)

On the plasma, there are certainly risks, but there are also safeguards. What I was thinking about was the use of a plasma cutter to incinerate ground pieces of the material. I'd probably do it in an environment that absorbs fumes and wearing a hazmat suit. I'm just thinking that the plasma doesn't really leave anything to be recombined, unlike combustion. Repeated runs through a plasma furnace, torches, or cutters are probably the next best thing to dropping it in a black hole. ;)

Well, from what I hear, dropping a piece of strange matter on the hard drive would get rid of it too, converting it to strange quarks. There's just certain global side effects of this method that I'd like to avoid, so I'm staying with non-sub-atomic methods. ;)

RobertT • March 2, 2011 3:03 AM

@NickP
"So you're saying hitting the chip a bunch with a 500,000 volt stun gun won't scramble the data enough?"

If the device is powered-up at the time of the 500KV strike then you might be able to induce something called ESD induced Latch-up, but even this damage is typically isolated to the I/O pins. So the data in the Flash array is in no way affected. If you managed to flood the substrate with minority carriers it is possible that a massive latch-up would occur (but even then I'd expect metal supplies or bond wires to fuse).

A HV strike to the middle of the chip surface will probably result in surface conduction of the charge to the device pins, at which point it looks like any other ESD event and will likely damage the I/O protection structure and maybe the gate of the I/O device, but generally not much beyond that. Also with many chips the top of the chip is actually the back of the die (called cavity down assembly) and for power dissipation reasons these chips will have a metal slug in the top, so a HV strike will go straight to the metal slug which is always at GND. Meaning absolutely no chip damage.

If you somehow got the discharge to go through the package to the middle of the chip then you would stand a chance of causing array damage, maybe killing column sense amps. But even that is not so certain, because usually the top two layers of metal in a chip are power supplies (VDD/VSS); these have low impedance connections to the PCB, so likely a discharge in the middle of the chip would be conducted away by the chip power supply and result in power clamp activation with associated ESD clamp damage.

Actually changing the data in the array is a difficult task, because each bit needs to be addressed to be accessible. The Flash data is actually stored as a floating charge either on the floating gate (EEPROM) or in the oxide/nitride stack (SONOS), or as an offset associated with hot electron damage (regular Flash). (sorry for the technical nature of the discussion)

To change the Flash data you must somehow scramble each of these bits; just causing damage that affects everything the same way will be cancelled because of the differential nature of the internal read circuits.

It is possible (even probable) that you can damage an internal chip circuit with a HV strike so that it is difficult to figure out what is damaged, and therefore no-one will be able to figure out how to fix the chip, thereby making the data irrecoverable. But don't rely on this, especially not if the adversary is well funded or the data is very important, because I can still think of ways to access Flash data directly from the array, so I'm sure they can too.

Most of what I have discussed relates to Flash, but SRAM and DRAM are not a lot different. In DRAM the data is capacitive storage and SRAM is logic state; however once power is removed both of these cells will typically retain some data through a process called "data burn-in". This cell offset process is basically the same as that used intentionally to create a Flash device, so the same analysis applies to destroying the data.

BTW: my whole discussion is theoretical because I've never actually discharged a 500KV stun gun onto a Flash chip. If you want to try the experiment then I'll give you the name of a few FA labs that can assess the damage (cost maybe $200USD), but bear in mind the results you get may vary considerably from device to device.

To simply erase the data I'd suggest you try prolonged X-ray or gamma ray exposure.


Clive Robinson • March 2, 2011 5:10 AM

@ Robert T,

Hmm, I was aware that the bond wire "fuses" and I/O blocks usually took the hit with ESD and could be bypassed, hence my earlier analogy to "changing an unknown fuse". I just didn't know it was so cheap these days.

I was hoping that marginally overvolting or over driving the clocks or both would cause sufficient build up of thermal energy actually in the chip to do permanent damage past the IO block on the chip.

I know that several years ago some devices were susceptible to this but things change and, as I said to Nick P, I have no real idea about today's chips (the same appears to be true for many academics who don't have direct FAB contact).

So the $20 question is what would the "on chip" temp need to be to either cause the flash to be corrupted/erased or for the chip to be realistically destroyed? I'm guessing well in excess of 300C for a sustained period.

I like your method, it's clean ;)

However it's just that although Joe Average might be able to get hold of fuming nitric for his jet pack hobby and conc sulfuric for his battery business he might not know how to mix it up safely ( http://www.synthesia.eu/external-data/bl/... ).
But further... as the mix is a precursor to the nitrating into explosives of many organic materials, including some you might find as the fillers in some electronic modules, its use might just blow up in his face. Then again even if he can "cook up Aqua Regia" safely for his "buy gold" business as an alternative, it has its own probs.

No, the real killer though is hydrofluoric; it is very difficult to store even under the best of conditions so attracts all kinds of attention, even to those that etch glass as a hobby ;)

So although with care it's a good solution to total destruction it's not something you would do in a hurry or without a lot of prior preparation ;)

BF Skinner • March 2, 2011 6:35 AM

Flip side of the coin. Eliminating data may not be easy but neither is evidence preservation.

From the Register this morning.
http://www.theregister.co.uk/2011/03/01/...

"Data stored on Flash drives is often subject to a process the scientists called “self-corrosion,” in which evidence is permanently erased or contaminated "

Graeme B. Bell and Richard Boddington, of Murdoch University's School of IT published their findings here http://www.jdfsl.org/subscriptions/...

RobertT • March 2, 2011 6:38 AM

@All
My previous 4 point solutions post should have added a disclaimer because all the chemicals I mentioned are VERY dangerous.
THEY CAN KILL YOU!
Please don't play around with this procedure without the proper training and understanding of the chemical processes involved. HF is especially dangerous! Please don't even go near it, it is honestly that dangerous.

@Clive
If you increase the supply voltage (OV event) then you will trigger the Supply Clamp (typically about 5V for a 3V process). Once this triggers it will snap back to about 1.5V and sink say 500mA, so as long as the OverVoltage supply can provide more than 1A current you can continue to increase the internal VDD towards the secondary breakdown point; this will cause lots of distributed damage with gate-oxide punch-through in lots of locations, which equates to a VERY dead chip. The bond wire will typically fuse at about 1A, so you need to stay below this current.

However, despite all this 3V gate oxide destruction, nothing has happened to the array data. The charge is still there stored on each of these tiny cells. It might be impossible to retrieve due to the damage to other sections of the chip, BUT the data is still there.

Erasing data through Over Temp. This is definitely possible; a die temp of about 300C for several hours would probably do the job. BUT the data is not really gone, all that you have done is to introduce an offset that is larger than expected, since the data is still stored as an isolated charge, and some of that charge still exists after the OverTemp event (probably resulting in substantially reduced voltage margin but nevertheless still there) and therefore still theoretically possible to extract.

The big problem with modern chips under 180nm (anything in the last 10 years) is that all the internal circuits are typically run at 1V and only the I/O run at 2.5V or 3.3V. The 1V supply is often internally regulated so the array does not see the external 3.3V VDD supply; the internal voltage regulator would need to fail first. This division of interface and core supply means that damage is even more contained at the edge, which is usually just an I/O buffer, so it can be bypassed.

FIB time sells for about $1500/hr, the expertise to know what to do, however is much more expensive.


Chris • March 2, 2011 7:41 AM

@pj

Four options here:

1. They just guessed his key. "Advanced encryption" doesn't imply "sufficiently strong key." You can use AES+TwoFish+Serpent, but if your password is "god" then it's all a moot point.

2. They LIED. Saying they found the plans lying around C:\Users\Dude\Desktop\Blow Up This Building.pdf wouldn't make them look as good as "he had the best encryption but we still broke it, might as well not encrypt at all, subject, unless you have SOMETHING TO HIDE", which segues nicely into

3. In the UK the law can force you to reveal your encryption keys, making it all the more important to use plausibly deniable methods.

4. http://xkcd.com/538/

Though I guess 3 & 4 are one and the same, so three options.

Clive Robinson • March 2, 2011 8:50 AM

@ Chris, pj,

"The press reported the police as saying he had the most advanced encryption they had ever come across and it took them almost 9 months to break"

That is a definite "bull541t" warning when reading articles by various reporters etc.

It's a form of "My god it was steep, but we overcame the difficulty and got up it" or "my god, we're heroes, man" statement, where in reality it might well have been near vertical but was also in reality less than a couple of feet high. It is making "mountains by implication" whilst talking "obliquely about mole hills".

Or to put it another way, the press have just given the police a puff piece to wave at the politicians who are trying to cut budgets...

If the only cipher those police have ever seen a criminal use up to now is a shifted alphabet substitution cipher (Caesar) then even a random alphabet substitution cipher will truthfully fit the statement...

However it could also be an attempt to "sow confusion" in the enemy, that their communications are open, whereas in reality they could just have popped a bit of malware on a smart phone and key logged nine months of finger presses, checking until they got the right one.

Another might have been building up a contacts web to get sufficient context to try password guessing. People are often not that bright about password reuse or "secret questions".

As for breaking stationary encrypted AES or Blowfish files, believe me that would be of such importance they would be hiding it behind "we found a slip of paper in his girlfriend's purse".

I would wait and see IF it ever gets to trial (probably not, the UK has a bad rap for big show raids that go nowhere near trial or even deportation).

T800 • March 2, 2011 10:08 AM

Looks like SSDs will not be the choice for important security systems (besides, they are ridiculously expensive).

Fábio Negrão Balby • March 2, 2011 12:04 PM

These conclusions were predictable. Sanitizing techniques for hard-drives were developed based on the magnetic principles involved ( hysteresis, remanence ).
Flash memory doesn't work by magnetic principles. It's made of MOSFET transistors ( arrangements of semiconductor crystals and metal oxides ); the storage has to do with electron movements inside the atomic structure of the silicon.
The quantum principles involved are different: electron spin alignment in the first case, particle-wave duality and tunneling effect in the latter.
We're talking about different materials, metals vs. semiconductors, so we couldn't expect the same behaviour.

Bob Staudenmaier • March 2, 2011 12:34 PM

Let's not forget the cost factor. Depending on economic considerations and the value of the data, it could often be more practical just to destroy the flash drive.

BF Skinner • March 2, 2011 12:48 PM

@Clive "That is a definite "bull541t""

My thoughts. Though I was thinking: National Security Terrorism case; wouldn't GCHQ have been asked/directed to assist on deciphering the emails? Or are there internal/external jurisdictional boundaries?

Don't know the English system. I'm only in MI6 to the point between the wars when Cummings is fighting off Special Branch and MI5 consolidation.

Nick P • March 2, 2011 12:58 PM

@ RobertT

Thanks for your in-depth reply. It seems to offer some hope. Perhaps it was hidden in comments above, but my main usage scenario for electrification by stun gun or aptly placed wiring was to kill the on-chip processor memory and system RAM upon tamper-detection in a system whose IO was encrypted. The attacker might be trying to get the keys and I needed a method to quickly destroy the volatile memory that's reliably automated and doesn't pose the huge hazard acid and thermite do.

So, how much electricity (what specs?) would I need to hit some SRAM, cache and/or SDRAM with to fry it in seconds?

Earthling • March 2, 2011 1:14 PM

A microwave oven does a pretty neat job on frying 'chips' :-)

It's a good idea to remove the metal casing first though.

Nick P • March 2, 2011 2:31 PM

@ w and Earthling

Read the context of my question. The disposal method would be installed in the server/desktop and activated automatically and instantaneously when a tamper-detection device signals the alarm. Most stoves and microwaves don't fit in a PC chassis. They are also far from immediate in data erasure.

Clive Robinson • March 2, 2011 3:02 PM

@ BF Skinner,

"Don't know the English system."

What, an Anglophile like yourself?

The answer might be that the likes of GCHQ, unlike the NSA, really Never Say Anything.

Stella Rimington was the first to bring the MI's and their cohorts in from the cold and actually smile on camera (once I think ;)

So... from that you can conclude that if they had been involved they would have said nothing, and if they hadn't been involved they would likewise say nothing.

With regards,

"I'm only in MI6 to the point between the wars when Cummings is fighting off Special Branch and MI5 consolidation"

You need to realise that there were a whole bunch of MI's, at one point over 16 of them, and that there also was the "Diplomatic Wireless Service" (DWS) who acted as a bridge between the likes of MI6 and the BBC World Service and were responsible to the diplomatic missions of the F&CO.

And they all regarded each other as the enemy more than the real enemy (much like the various cohorts pushed under the DHS bed).

The odd one out was MI8 because it did a bit of everything with regards Comms and was fairly agnostic. However the DWS looked down on both MI6 and the BBC and just about everybody else including "The Admiralty", as they considered the diplomats to be the most senior of any service (which if you go by age of existence has a degree of truth to it).

Like all "Cambridge Men" they had a natural superiority and made little word play jokes about the other services.

For instance "Sir C" or just "C" of "The Service" (ie Cummings) was called "cercies" by those who were of "the court abroad", which is actually in mythology a "witch". And later when they had to sully their lily white hands with the commoners via Sir Robert Peel's cohort, the Commissioner of the Met Police, who was also a "sir", was referred to as "SirMet", pronounced like "cement" as in concrete over shoes that would make you "plod", which was also what the police were called, apparently due more to their supposed mental capacities rather than "walking the beat".

They were, as you can guess, way too busy fighting each other than fighting the enemy, and it was actually nearly the unmaking of Great Britain. It was certainly not down to these internecine turf wars that all the German agents were rounded up and owned...

It might also account for why Churchill was so for the likes of the "have a go" SOE and the likes of (later) Prof RV Jones (DDI Sci) and the geese at Bletchley (Ultra) who basically were getting on with things (unlike 6 who were preoccupied with sabotaging SOE or anyone else who they thought encroached on "their lawn").

Cryptonoob • March 2, 2011 3:05 PM

Ahh... the comments section never disappoints.
You guys are extreme hard core, you know that, right?

Clive Robinson • March 2, 2011 3:18 PM

@ Robert T, Nick P,

So the upshot is we can damage the chip possibly beyond repair but the data stays locked like a "fly in amber" within the chip.

The only way of destroying the data is to actually destroy the physical chip itself, by boiling in acid or molten metal, grinding to dust, or arc or plasma torching into vapour...

This is a tough cookie which might account for why OTPs still get printed with weak and very soluble vegetable ink on vegetable dyed rice paper...

Maybe we should be looking at "ink jetting" 2D bar codes onto highly soluble potassium nitrate soaked paper...

Richard Steven Hack • March 2, 2011 3:25 PM

As the guy in that Syngress book I referenced mentioned, if they can come in and point a gun at you, it doesn't matter if you have time to erase the data. They can just threaten to shoot you if you don't give them the information.

If they have you, it doesn't matter if they have the data. Unless of course you're protecting someone else or some operation under way of importance to you. For the military or spies, this would be of importance; for a hacker, not so much.

While that might be rare in the US and the UK, in a lot of countries the tactic would probably pass muster. And I wouldn't guarantee that it wouldn't be tried in most Western countries if the data was that important. We do have Guantanamo and Bagram and a recent government that approved of torture (and it's becoming apparent the current government does, too, to some degree.)

I still like my "throw it in a thermite kiln" for general disposal, though. It doesn't take up much room and doesn't involve chemicals that can't be controlled easily.

Although I like the arc furnace method. too. But an arc furnace costs thousands of dollars. I don't know how much a kiln of the type Clive described would cost, but I assume it would be less than that.

Probably the best way, if you can do it unobserved, is just to take the thing out and bury it somewhere far away from anything associated with you where it will never be found until it doesn't matter. Or if you live near the ocean, weight it down with a brick and toss it.

"Security through obscurity" CAN work that way.

One other point: depending on how effective your destruction method is, it may not have to be good enough for complete destruction - just good enough so whatever data IS retrieved isn't enough to 1) derail whatever operation you're protecting - in time, or 2) injure whoever you're protecting, or 3) convict you in a court.

So cost-benefit comes in to play here. OTOH, this is a hacker discussion - cost-benefit doesn't come into play. :-)

w • March 2, 2011 3:46 PM

@Nick P, a solenoid coil surrounding the chip, which is covered in MgS, would do it

Clive RobinsonMarch 2, 2011 3:49 PM

@ Richard Steven Hack,

"But an But an arc furnace costs thousands of dollars"

Actually it doesn't you can make one yourself (although I would not advise it).

You can make a toy one with a small lead acid battery (or other high current low voltage source) a couple of carbon rods (soft pencil lead or strip down a couple of AA bateries) and some aluminium foil or powder in a small unglazed dish like the ones used on incence burners.

Once you have actually seen the foil melt between the carbon rod electrodes into a little mercury like ball you might well get the taste for something bigger.

And yes I've made one when younger with a "variac" (variable AC transformer) and a hand and hammer rewound transformer from an old spot welder. It was a follow on project from a home made arc lamp that could burn your eyeballs out.

I got it to the point where it would melt iron or even steel but it tended to splutter, throwing bits of molten metal all over the place (but exciting fun for a 15-year-old nevertheless).

Thankfully for my parents I then got into satellite tracking and pirate radio...

Martin DMarch 2, 2011 4:58 PM

I can't help thinking that a flash drive controller with the extra function of providing direct, non load-leveled, read and write access to ALL the memory on the drive is a MUCH simpler solution to the problem.

It would not help for current hardware - you would have to zap any current drives you own by applying all the creative suggestions offered here. As manufacturers are always looking for new, compelling features to make people buy the latest product a secure erase capability should be a 'must have' feature on new drives.

Nick PMarch 2, 2011 5:00 PM

@ Richard Steven Hack

Good points on the cost-benefit and time issues. I'd like to add that if it's a crime the data must be hidden for the duration of the statute of limitations and possibly the entire life of the offender. National security related data must usually be hidden for a minimum of 40 years so that it doesn't matter when it gets out. It might be easier to store the stuff on things that don't last long anyway, like CD's/DVD's. The ocean is much more reliable than burial: digging animals and construction crews have accidentally uncovered more secrets than I can recount, including classified fiber transmission lines (reaction is always hilarious to read about).

It might be easier to employ the thermite kiln idea if we smash the hard drive first. Most plasma converters also employ this strategy: crush it into small pieces; grind it into pretty tiny pieces; run it through the plasma torch. Busting it to pieces and lining up all the pieces with storage or processing capability under thermite could help. One could also use a layered design with alternating layers of thermite and storage pieces, perhaps with some of the insulation Clive mentions. I definitely think we have to use a container that can ensure the storage mediums get the proper exposure. Hard disks seem easier than SSD's because you only have to destroy the platters and maybe a few chips that process the data, like the cache or controllers. Don't even necessarily have to bust them open thanks to cheap tools.

Nick PMarch 2, 2011 5:02 PM

@ cryptonoob

"you guys are extreme hard core, you know that right?"

Yes. A certain subset of people here focus on "high assurance" solutions with little chance of failure or breach. Bet your life on nothing less. ;) I like to say the approaches most blogs mention for deploying "secure" systems are just... (makes lewd hand gesture)

@ w

Now that's much better. ;)

Nick PMarch 2, 2011 5:21 PM

@ Clive Robinson

"Actually it doesn't you can make one yourself (although I would not advise it)."

Maybe like this?

Build a microwave transformer stick welder
http://www.instructables.com/id/...

DIY TIG, MIG and Arc welder
http://diy-welder.com/

Plasma cutters are a tad more dangerous to build DIY. Clive, if what u built was a plasma torch and not an arc welder then u were (are?) crazy.

Nick PMarch 2, 2011 5:28 PM

@ RobertT

I just looked up hydrofluoric acid on Wikipedia. My reaction to health risks can be best summed up as "HOLY S***!" Will be staying away from that one. (I usually stay away from fluoride/fluorine-based stuff anyway.)

Sulfuric acid seems best because it's so strong. Although I've never used one, a superacid sounds even better. I'd imagine they are harder to get ahold of and pose more risks than hydrofluoric acid. Will stick to thermite, arcs, sledgehammers and sulfuric acid for disposal.

RobertTMarch 2, 2011 7:12 PM

@NickP
"So, how much electricity (what specs?)"

If you want to use electricity, then I recommend about 20KV and two handles protruding from the equipment; grab one with each hand and activate. The Flash chip will be completely unaltered, but I can assure you that you won't care anymore. :-)


Nick PMarch 2, 2011 7:27 PM

@ RobertT

So, does the stun gun or shock system have to be connected directly to the chip via wiring or merely placed on an arbitrary part of the chip due to voltage? Can it just touch the pins on the chip to do the job without any fancy prewiring? Just drop it and it burns...?

JayMarch 2, 2011 11:41 PM

@secure destruction peeps

If you want to securely erase a Flash chip (rather than securely destroy it) - I'd be wondering about some way to set up a UV emitter to cover the cell array(s).

The downside is you'd need to partly decapsulate the chips in advance (and then keep them totally light-insulated when in use). The upside is not having to have a gamma/X-ray source hanging over your device...!

Speed would be related to the amount of UV you could deliver. UV lamps on old EPROMs took ~30min. The smaller feature sizes on modern chips might make things easier; the metal layers might make things harder (or impossible, for a secure chip - heh).

Clive RobinsonMarch 3, 2011 4:16 AM

@ Nick P (Doug Coulter if you're reading)

"Plasma cutters are a tad more dangerous to build DIY. Clive, if what u built was a plasma torch and not an arc welder then u were (are?) crazy"

Having looked into the descriptions then what I built was a T-CAW or Twin-Carbon Arc Welder, however I was not using it for welding only smelting ;)

Now there is also something called Atomic Hydrogen Welding and this sounds quite fun 8)

Essentially, as you know, the temperature in an arc is many thousands of degrees C; however getting the thermal energy out of the arc without killing it is difficult.

Step in diatomic hydrogen gas (H2): when this is heated by the arc above ~600C it splits into monoatomic hydrogen (H+) and this can store an awfully large amount of energy which it releases on condensation with cold metal etc and can thus produce a weld temperature in excess of 3600C.

Now modifying a twin carbon arc torch to get a flow of H2 across it would not be difficult...

The question then becomes can the individual H atoms be moved via a high voltage charge to make a "flame".

I think I might have a play when I get out of hospital; it might be fun (need to have a think about the downsides first with H2 and carbon and an arc in what is essentially a 17%O + 79%N + 1%H2O environment, I don't need to accidentally make a hydrogen cyanide generator or some such by mistake ;)

Now if the torch can be made it should fry those pesky data bits quite quickly.

And as carbon arcs are very easy to make self starting and electrical gas valves are quite cheap and reliable it might be quite easy to make an automated "chip fryer" of the sort you are looking for ;)

rupert003March 3, 2011 4:22 AM

If you can't solve a problem with fire, the problem is you're not using enough fire

jacobMarch 3, 2011 10:36 AM

Wow, nice to see that geeks can still go overboard. My thoughts...
1. I doubt that I have anything that valuable.
2. I already knew that SSDs are not as erasable as spinning hard drives. (once sent my young son to the backyard with a maul and told him to go for it) He loved it. No, I really wasn't trying to evade the NSA. LOL
3. I have had SSDs fail. I hammer them and pulverise, throw away.
4. Truecrypt is great for most uses, if people actually use them in a safe manner.
5. If you are evading the NSA, you already lost if they are really out to get you. (citing Bruce)
6. I would use an acetylene torch.
7. I really am boring, so other than credit card, web site log in, etc. really am not overly worried. Now if you were hiding missile secrets and giving them to the north koreans, that calls for something more "customized" in practice.
8. It is fun to imagine different ways to evade "the Man". I would leave them a drive with nothing on it but..wait for it.....rick roll 'em!!!!
jacob.

Nick PMarch 3, 2011 11:13 AM

@ rupert003

I just came up with one too:

"Wisdom to the crowds is foolishness to the wise."

Nick PMarch 3, 2011 11:26 AM

@ Clive Robinson

Found another useful resource describing how most types of welding work.

http://www.fortunecity.com/village/lind/247/...

I was already familiar with atomic hydrogen welding from research into better ways to get into bank vaults. I figured someone would eventually try to cut a bank vault with a hydrogen torch, which is similar in heat to thermal lances used by spec ops teams to get into barred windows. I had other uses in mind for it too.

The page had your carbon welding setup. I could see that it would be pretty simple. I might have an associate help me build some apparatus. The fact that I try to reduce the number of systems with critical data should help here as I'd only have to fry a few.

Random: make plasma in your microwave (awesome!)
http://video.google.com/videoplay?...

Clive RobinsonMarch 3, 2011 12:24 PM

@ Henrik Storne,

"It's interesting that the same type of devices exhibit a behaviour that is causing much headache for people doing forensic analysis on computers"

Sorry for not commenting earlier; I'm in hospital currently and only have a small smart phone to use, and checking data sheets etc is a bit of a pain in the eyes.

The problem the researchers out in AZ have shown is "garbage collection" and it is, believe it or not, a result of the improvement of Flash Memory reliability...

The way a flash device works is a little odd to describe in that it has the equivalent of pages and lines, and writing and erasing are entirely separate activities.

I'll leave Robert T to give the gritty ins and outs but overly (as always ;) simply the sort of Flash "ROM" used in both the newer thumb drives and SSD drives has a vastly increased "Page Erase" reliability up from just a few thousand to over 1.5million claimed by some.

And further, due to the very asymmetric way Flash "ROM" works there are very real advantages not just in doing "garbage collection" but hidden padding when writing.

Inside the Flash ROM the "memory cell" arrangement is not that dissimilar to other memory cell arrays; however unlike the many other memory types it becomes painfully obvious at the user interface.

The memory is stored as "pages of lines" and although you can write to a line of memory cells you can only erase in pages. And pages are very very much bigger than lines.

Also the erase function takes considerably longer than a line write by several orders of magnitude (the paper Bruce links to goes into this as well).

The upshot is although the "write function" of a line can be extraordinarily fast the erase of a page can be glacial in comparison.

So the SSD designers fudge the real activity behind an interface that fakes what is really happening.

When your OS writes out a block of data it is by no means written where you think it is; it is written to the next available free line in whatever page is available, and so on and so forth, on the assumption that most writes will be to the same "logical block of cylinders"...

However the same happens with random writes, which means that the OS thinks it's got a standard LBA hard drive scheme and the Flash ROM is used as a circular buffer with a custom translation layer.

Now in ordinary circumstances the Hard or Flash drive does not, nor cannot, know about files or other OS level data containers and at best it can only assume the OS LBA groupings (ie 4K or 8K blocks). It thus tries to optimise into the Flash ROM page size.

The result of this is fairly hit and miss at best.

However, what happens when the OS deletes a block of data or tries to overwrite a block it believes is free? Well, the Flash ROM cannot in general overwrite an already written line, thus the line has to be written somewhere else and the internal page translation table in the Flash custom translation layer updated.

The custom layer then at some point erases the page, however as the page may contain many OS blocks some from different files a Flash page may never become fully empty. Thus the Flash translation layer will on it's own move blocks of lines so it can erase a page. How it does this is Flash translation layer design specific. Some will move them into empty pages some will try to fill part filled pages.

All of this is going on actually on the SSD drive and is not done by the OS in any way. Thus the result is data in an SSD is, during idle times, being moved around in various ways to maximise the "blank Page" availability for both the OS and for the Flash Translation layer itself.

Thus the traditional Forensic HD "write blocker" put in the IDE or SCSI drive cable does not in any way stop this....

Now to make it worse, the likes of earlier SSD's were so unreliable in terms of erase cycles that some OS manufacturers and the drive design organisations collaborated on the implementation of "enhanced commands" that would enable OS layer Data Container management to become to a limited extent "known" to the Flash Drive custom translation layer...

The result as far as Courts are concerned is that the SSD's become "self tampering" and thus a reliable "chain of custody" on the data (not the drive itself) cannot be established.

Now in many circumstances this would not matter; however a smart legal eagle can require a "re-examination" of the evidence. The fact that what the prosecution claims is there may well not be, or may be in a different place, is a golden opportunity currently to call the evidence and the prosecution forensic examiner into question in court, as they cannot show tampering has not been carried out...

However I can see this problem becoming resolved in most cases with little difficulty and the court and prosecution processes being toughened up (there is after all usually a big difference between data disappearing or being re-arranged and new data appearing).

However I guess the time is ripe to bring up the concept of "data shadows" that is for any number of bits N of data (hard information) in storage or transit there are at the very least 0.5(N^2-N) basic soft information relationships or data shadows.

If somebody encodes data as positional shadows of soft information within a data container then simply saying the file is no longer in use could cause the relationships to change simply by having the SSD powered, thus making it vanish with time even without the data actually being erased...

Being tangible beings in a tangible physical universe that is very much the subset of the intangible information world, most of our viewpoints have hidden "physical" assumptions.

It may take our legal brethren a generation or two to get over the fact that information is effectively infinitely copyable, infinitely modifiable, and completely unconstrained by our views of here and now, thus things like no distance constraints and in some cases no time constraints either. Thus traditional views such as "geopolitical area" from which legal jurisdictions are derived have no realistic meaning (something that some who have been subject to cyber-crime are all too acutely aware of).

wMarch 4, 2011 12:49 AM

@Clive Robinson. data shadows
Say you have a loop (i=0;i value = value ^ (i)^(i>>8).....

if value started at 0x41, it would finish at 0x41. In theory 0x41 would hold all the keys 256^16 in one byte. If you take least steps to get the information out...

you could store all the information in the universe in a single byte

HagaiMarch 4, 2011 3:30 AM

I am not sure I would trust mechanisms that the vendor builds in. On the other hand, selective destruction cannot work effectively, as I wrote 4 years ago in:

File Wiping and Disk-on-Key
http://www.hbarel.com/blog?itemid=18

The only reasonable way other than physical destruction would be to wipe off the entire device.

sleMarch 9, 2011 8:37 AM

@moo
Even formatting and overwriting the "full size" of the device does not strictly guarantee that it will get overwritten, but at least it is very likely to succeed

I don't think so, as most manufacturers have some extra cells for reliability. The internal storage room is larger than the full size storage room. But it is probably our best option, for the moment.
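
A toy model of the drive behaviour Clive describes above (out-of-place writes, stale copies left in the cells, erase-block garbage collection that the host cannot see or block) and of sle's point that the chips hold more cells than the visible address space. This is an added example written for this thread; it is not code from the paper, from any vendor's firmware, or from anyone posting here. Page size, pages per erase block, the 3-block drive behind a 4-block visible address space, and the greedy garbage-collection policy are all assumptions chosen to keep the raw dump readable. It shows why overwriting a "file" leaves the old copy in the chips, why one pass over the whole visible address space still leaves remnants, and why a built-in erase that walks every erase block does not.

```python
"""Toy flash translation layer (FTL). Constructed example, not from the paper."""
from typing import Dict, List, Optional, Tuple

PAGE_BYTES = 4                  # assumption: tiny "lines" so dumps stay readable
PAGES_PER_BLOCK = 4             # assumption: erase granularity is 4 lines (one "page")
ERASED = b"\xff" * PAGE_BYTES   # an erased flash cell reads back as all ones


class ToySSD:
    """Host sees `logical_blocks` LBAs; the chips hold more lines than that."""

    def __init__(self, logical_blocks: int, erase_blocks: int) -> None:
        total = erase_blocks * PAGES_PER_BLOCK
        assert total > logical_blocks, "extra cells (over-provisioning) are required"
        self.logical_blocks = logical_blocks
        self.pages: List[bytes] = [ERASED] * total         # raw cell contents
        self.owner: List[Optional[int]] = [None] * total   # LBA held by each line
        self.stale: List[bool] = [False] * total           # superseded by a newer copy
        self.l2p: Dict[int, int] = {}                      # LBA -> physical line
        self.erase_count = 0

    # ---- host-visible interface: all the OS (or a cable write blocker) sees ----
    def host_write(self, lba: int, data: bytes) -> None:
        assert 0 <= lba < self.logical_blocks and len(data) == PAGE_BYTES
        ppa = self._allocate()                  # never the line that holds lba now
        self.pages[ppa], self.owner[ppa] = data, lba
        if lba in self.l2p:
            self.stale[self.l2p[lba]] = True    # old copy is only marked, not erased
        self.l2p[lba] = ppa

    def host_read(self, lba: int) -> bytes:
        return self.pages[self.l2p[lba]] if lba in self.l2p else ERASED

    def overwrite_visible(self, pattern: bytes) -> None:
        """Hard-drive style sanitization: one pass over the visible address space."""
        for lba in range(self.logical_blocks):
            self.host_write(lba, pattern)

    def sanitize(self) -> None:
        """A correctly implemented built-in erase: every erase block, mapped or not."""
        for block in range(len(self.pages) // PAGES_PER_BLOCK):
            self._erase_block(block)
        self.l2p.clear()

    # ---- what a chip-off examiner sees ----
    def remnants(self, pattern: bytes) -> int:
        """Physical lines still holding `pattern`, whether live or stale."""
        return sum(1 for p in self.pages if p == pattern)

    def raw_dump(self) -> List[Tuple[int, bytes, str]]:
        states = ["erased" if o is None else ("stale" if s else "live")
                  for o, s in zip(self.owner, self.stale)]
        return list(zip(range(len(self.pages)), self.pages, states))

    # ---- internals: out-of-place writes and erase-block garbage collection ----
    def _pages_of(self, block: int) -> range:
        return range(block * PAGES_PER_BLOCK, (block + 1) * PAGES_PER_BLOCK)

    def _find_erased(self, exclude_block: Optional[int] = None) -> Optional[int]:
        for ppa, lba in enumerate(self.owner):
            if lba is None and ppa // PAGES_PER_BLOCK != exclude_block:
                return ppa
        return None

    def _allocate(self) -> int:
        ppa = self._find_erased()
        if ppa is None:                         # out of erased lines: reclaim a block
            self._garbage_collect()
            ppa = self._find_erased()
        if ppa is None:
            raise RuntimeError("no erased line available")
        return ppa

    def _erase_block(self, block: int) -> None:
        for p in self._pages_of(block):
            self.pages[p], self.owner[p], self.stale[p] = ERASED, None, False
        self.erase_count += 1

    def _garbage_collect(self) -> None:
        """Greedy policy (assumption): erase the block with the most stale lines,
        relocating any live lines in it first. Runs inside the drive, never the OS."""
        blocks = range(len(self.pages) // PAGES_PER_BLOCK)
        stale_in = lambda b: sum(self.stale[p] for p in self._pages_of(b))
        victim = max(blocks, key=stale_in)
        if stale_in(victim) == 0:
            return
        for p in self._pages_of(victim):
            if self.owner[p] is not None and not self.stale[p]:
                dest = self._find_erased(exclude_block=victim)
                if dest is None:
                    raise RuntimeError("no room to relocate live data")
                self.pages[dest], self.owner[dest] = self.pages[p], self.owner[p]
                self.l2p[self.owner[p]] = dest
        self._erase_block(victim)


if __name__ == "__main__":
    ssd = ToySSD(logical_blocks=4, erase_blocks=3)
    for lba, d in enumerate([b"AAAA", b"BBBB", b"CCCC", b"DDDD"]):
        ssd.host_write(lba, d)
    ssd.host_write(1, b"XXXX")          # "file" overwrite: host reads XXXX, chips keep BBBB
    ssd.overwrite_visible(b"0000")      # one full pass: original data still in the chips
    ssd.overwrite_visible(b"1111")      # second pass forces a block erase
    for line in ssd.raw_dump():
        print(*line)
    ssd.sanitize()                      # only this clears every erase block
```

Run it and read the dump column by column: after the first full overwrite every host read returns `0000`, yet the four original lines are still present as stale copies, exactly the gap between "visible address space" and "cells on the chip" that sle raises. The second pass only removes them because this particular garbage-collection policy happens to pick that block; a different policy, or a drive with more spare blocks, can leave them longer, which is the "usually, but not always" in the abstract. The `sanitize()` path walks every block regardless of mapping, which is what a verifiable built-in command has to do.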

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..