Dailydave mailing list archives

Re: Forensics: USB fobs


From: "William Watson" <wawatson () ntlworld com>
Date: Wed, 1 Nov 2006 00:57:49 -0000

As far as the 'normal' filesystem goes, there should be no image left of the
old file contents ...

HOWEVER ...

It seems that each USB memory device contains spare memory areas (around 3%
on a 1Gbyte device) which are used to implement "wear-levelling" (I guess in
much the same way that magnetic discs have spare sectors). Maybe it is these
spare areas which Autopsy can recover.

It is also "well known" that there is no secure way to delete the contents
of a flash memory device. Part of this is due to the spare wear-levelling
sectors; the rest ... ????

Cheers,

William

----- Original Message ----- 
From: "Dave Aitel" <dave () immunityinc com>
To: "dailydave" <dailydave () lists immunitysec com>
Sent: Wednesday, November 01, 2006 10:34 AM
Subject: [Dailydave] Forensics: USB fobs



Someone yesterday at a conference talk I went to told the crowd that
you can overwrite a file (aka srm it) on a USB Key fob and it will
still be there for Autopsy to see. That makes no sense to me. Can
anyone verify this?

-dave


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave





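A toy model of the wear-levelling behaviour discussed in this thread, added here as an illustration; it is not part of any message above and not any real controller's firmware. The `ToyFTL` class, page size and page counts are assumptions (one spare page approximates the roughly 3% figure quoted above); it shows an overwrite of the same logical block landing on a fresh physical page while the old data stays in the flash until that page is erased.

```python
# Toy flash translation layer (FTL): a constructed model, not any real
# controller's firmware. Page size and counts are assumptions.
PAGE = 16            # bytes per page (tiny, for readability)
LOGICAL_PAGES = 32   # what the host filesystem can address
SPARE_PAGES = 1      # ~3% extra, as in the figure quoted in the thread
ERASED = b"\xff" * PAGE


class ToyFTL:
    def __init__(self):
        total = LOGICAL_PAGES + SPARE_PAGES
        self.phys = [ERASED] * total          # raw flash contents
        self.map = {}                         # logical page -> physical page
        self.free = list(range(total))        # erased pages ready for writing
        self.stale = []                       # unmapped pages not yet erased

    def write(self, lpn, data):
        """Host write: program a fresh page, remap, leave the old one stale."""
        if not self.free:
            self._garbage_collect()
        ppn = self.free.pop(0)
        self.phys[ppn] = data.ljust(PAGE, b"\x00")[:PAGE]
        if lpn in self.map:
            self.stale.append(self.map[lpn])  # old data is still in the cells
        self.map[lpn] = ppn

    def read(self, lpn):
        """Host read: only ever sees the currently mapped page."""
        return self.phys[self.map[lpn]] if lpn in self.map else ERASED

    def _garbage_collect(self):
        """Erase stale pages; only now does the old data physically go away."""
        for ppn in self.stale:
            self.phys[ppn] = ERASED
        self.free, self.stale = self.stale, []

    def raw_dump(self):
        """What a chip-level read of every physical page would return."""
        return b"".join(self.phys)


def overwrite_demo():
    """Return (secret visible to host, secret present in raw flash)."""
    ftl = ToyFTL()
    ftl.write(5, b"SECRET-PAYROLL")          # original file contents (constructed)
    ftl.write(5, b"\x00" * PAGE)             # srm-style overwrite of the same block
    host_view = b"".join(ftl.read(i) for i in range(LOGICAL_PAGES))
    return b"SECRET" in host_view, b"SECRET" in ftl.raw_dump()
```

In this model `overwrite_demo()` returns `(False, True)`: the host-visible blocks no longer contain the old contents, but a read of the physical pages does until garbage collection erases the stale page.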