Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

In Search of Lost Data: A Study of Flash Sanitization Practices

Janine Schneider, Immanuel Lautner, Denise Moussa, Julian Wolf, Nicole Scheler, Felix Freiling, Jaap Haasnoot, Hans Henseler, Simon Malik, Holger Morgenstern, Martin Westman

TL;DR

This study quantifies the risk that new-looking USB flash drives contain residual data from recycled memory components used in the low-cost market. Through a large-scale forensic analysis of 614 drives, the authors recover non-trivial user data on 75 drives (about 12%), highlighting the prevalence of chip reuse in promotional products. While some correlations emerge at the chip-manufacturer or batch level, there are no robust external predictors tying data presence to specific external factors, complicating provenance assessments. The findings have important legal and forensic implications, underscoring the need for caution in attributing evidence recovered from such devices and motivating future work on higher-priced drives and broader market sampling.

Abstract

To avoid the disclosure of personal or corporate data, sanitization of storage devices is an important issue when such devices are to be reused. While poor sanitization practices have been reported for second-hand hard disk drives, it has been reported that data has been found on original storage devices based on flash technology. Based on insights into the second-hand chip market in China, we report on the results of the first large-scale study on the effects of chip reuse for USB flash drives. We provide clear evidence of poor sanitization practices in a non-negligible fraction of USB flash drives from the low-cost Chinese market that were sold as original. More specifically, we forensically analyzed 614 USB flash drives and were able to recover non-trivial user data on a total of 75 devices (more than 12 %). This non-negligible probability that any data (including incriminating files) already existed on the drive when it was bought has critical implications to forensic investigations. The absence of external factors which correlate with finding data on new USB flash drives complicates the matter further.

In Search of Lost Data: A Study of Flash Sanitization Practices

TL;DR

This study quantifies the risk that new-looking USB flash drives contain residual data from recycled memory components used in the low-cost market. Through a large-scale forensic analysis of 614 drives, the authors recover non-trivial user data on 75 drives (about 12%), highlighting the prevalence of chip reuse in promotional products. While some correlations emerge at the chip-manufacturer or batch level, there are no robust external predictors tying data presence to specific external factors, complicating provenance assessments. The findings have important legal and forensic implications, underscoring the need for caution in attributing evidence recovered from such devices and motivating future work on higher-priced drives and broader market sampling.

Abstract

To avoid the disclosure of personal or corporate data, sanitization of storage devices is an important issue when such devices are to be reused. While poor sanitization practices have been reported for second-hand hard disk drives, it has been reported that data has been found on original storage devices based on flash technology. Based on insights into the second-hand chip market in China, we report on the results of the first large-scale study on the effects of chip reuse for USB flash drives. We provide clear evidence of poor sanitization practices in a non-negligible fraction of USB flash drives from the low-cost Chinese market that were sold as original. More specifically, we forensically analyzed 614 USB flash drives and were able to recover non-trivial user data on a total of 75 devices (more than 12 %). This non-negligible probability that any data (including incriminating files) already existed on the drive when it was bought has critical implications to forensic investigations. The absence of external factors which correlate with finding data on new USB flash drives complicates the matter further.

Paper Structure

This paper contains 25 sections, 5 figures, 1 table.

Table of Contents

  1. Introduction
  2. Research Questions
  3. Contributions
  4. Paper Outline
  5. Background
  6. Flash Storage
  7. eMMC Technology
  8. Simple Data Removal Operations
  9. Secure Data Removal
  10. ONFi Technology
  11. The USB Flash Drive Market
  12. Market Players
  13. The Chinese Chip Recycling Market
  14. Study Design
  15. Possible Influencing Factors
  16. ...and 10 more sections

Figures (5)

  • Figure 1: Distribution of different system data found on the USB drives.
  • Figure 2: Distribution of USB drive suppliers and data findings. Blue indicates that the USB drives did not contain any data. Red indicates that the USB drives contained data.
  • Figure 3: Example NAND chips with irregular stamps on it.
  • Figure 4: Example NAND chips with a handwritten note, dirt and paint.
  • Figure 5: Correlation between different USB drive and chip characteristics and data findings.