Thought exercise: destroying data on a memory card  

Memory cards are used in many appliances to store information while the equipment is switched off. Memory cards are used, for instance, in MP3 players, palmtop computers, personal organizers, mobile phones and digital cameras. The information stored in these devices is typically of a personal nature, and therefore subject to the same privacy concerns as the information stored on hard disks. Thus, it is legitimate to ask how to safely delete it.

Memory cards typically use flash memory, which is built on solid-state silicon chips. This type of memory is extremely resistant to mechanical forces. Dropping these memory cards does not affect them (unless they have mechanical defects to start with, like poorly soldered contacts). Moisture and moderately high temperatures likewise do not affect the stored information. Memory cards are often forgotten in pockets, and almost invariably survive laundering without damage. After the Southeast Asian tsunami of 2004, the memory cards of digital cameras recovered from the flooded rubble yielded their contents - in some cases, pictures of the advancing tsunami wave, taken by the camera owners moments before being killed.

A few devices and memory cards contain miniature hard disks. They should be treated like normal hard disks as far as privacy is concerned, but their small size makes it more practical to destroy them in bulk, without preliminary disassembly (see here).

In another page, I argued that hard disks should be physically destroyed, in order to keep their contents private. Much the same can be done with memory cards. Grinding can effectively destroy a memory card beyond the possibility of recovering its contents. However, it is debatable whether this procedure is the only secure one available.

Memory cards contain several components, in addition to memory chips. The memory chips (the Toshiba black rectangular chip packages in the above pictures, with pins along two sides) are interfaced through other digital components, not directly connected to the card contacts. The memory chips themselves contain digital driver circuits to access the individual memory cells. Unlike hard disks, in which the individual data locations on the platters can be physically accessed to detect weak magnetic domains left over after erasing and rewriting, the memory cells of flash memory are not directly accessible from the electrical connectors of the chip package. Thus, I believe that it is virtually impossible to recover the contents of a flash memory that has been overwritten a few times (short of isolating the memory chips and studying the residual electrical charges stored in the memory cells under an atomic force microscope or equivalent equipment - which might or might not work in practice, given the stochastic nature and individual variation of these structures).

While the recovery of overwritten data from a hard disk can exploit the fact that the head never exactly overlaps the data track on the platter in exactly the same way, there is no equivalent weakness in flash memory. Although it is possible that previous, overwritten logical states of a flash memory cell leave a trace in the form of a slightly higher or lower cell charge, after a number of overwrites there is no way to identify which "generation" of data had which logical value, except possibly for the generation immediately preceding the currently stored data. Therefore, a modest number of overwrites (from five to ten) should more than suffice to thwart any attempt to recover data.

The above does not mean that it is sufficient to erase the files from a memory card. Doing so has the same effect as erasing files from a hard disk: all data in the files is preserved (until overwritten), and the directory entries are either deleted, or flagged as deleted but still preserved. The only information that is sometimes lost is the file name, but the file contents can be recovered with broadly available software. Formatting a memory card usually leaves the file data unchanged, and available for recovery. Thus, the only secure way to erase the file data is by overwriting it. There is "disk-wiping" software designed to do so with hard disks. Some of this software can also be used with memory cards. Because of the factors discussed above, a wiping procedure designed to be effective against moderate efforts to recover data from a hard disk is likely to be much more effective when applied to a memory card.

A possible difficulty in completely overwriting data on a memory card is that solid-state hard disks based on flash memory do not overwrite the same memory cells when instructed to do so. Instead, they just mark the data as deleted and store the new data into a different region of memory. The purpose of this operation is to avoid overwriting the same memory cells many times (e.g., the ones located near the beginning of the address space) while leaving other cells unused. Since flash memory cells can only be overwritten a limited number of times before starting to deteriorate, it is necessary to spread the wear evenly across the whole memory space. Large-capacity memory cards might use a similar mechanism to increase the useful life span of the device. This problem can be largely avoided, however, by completely filling the memory card with bogus data before erasing it, and repeating the procedure multiple times.

The CF card shown above is an old model. However, recent models have a similar physical architecture. Depending on the card capacity, they may contain one or more flash memory chips. The outer "skin" of newer cards may be molded around the electronics, thus providing a better protection of the electronics against corrosion.

In an emergency, and in the absence of suitable disk-wiping software, I suggest the following procedure:
- Delete all files.
- Format the memory card.
- Copy a few very large files to the memory card, and if necessary finish filling it up with smaller files (in order to take up all available space).
- Erase all files.
- Copy a large number of very small files to the memory card.
- Delete all files.

The above procedure may be repeated if there is time, by using different sets of files. The reasons for this procedure are explained in the following paragraph.

The initial deleting and formatting reclaims all space on the memory card, and makes it available for overwriting. Copying a few large files to the card makes it likely that all, or almost all, of the memory will be overwritten. When files are written to memory or a hard disk, a small amount of space may not be overwritten. This is called "slack space". Slack space is left over because space on a card or hard disk is allocated in "chunks" of fixed size. Thus, part of the last chunk of space may be left unchanged, if the file does not occupy an exact multiple of allocation chunks. The use of a few large files reduces the number of incompletely overwritten chunks. Subsequently, writing a large number of small files to the card has the purpose of overwriting the directory entries (i.e., the regions where the file names and other directory information are stored). In some cases, there is a finite number of files that can be written to a directory, and this procedure overwrites the whole directory space. In other cases, there is no practical limit, but it is possible to write a number of files so large that it exceeds any number of files stored on the card during normal operation. The result is the same. Thus, both file contents and file information are overwritten. Repeating the process with a different set of files is very likely to overwrite the few unused data chunks and directory entries left over by the first overwrite. Although not entirely foolproof, this procedure is very likely to destroy all or virtually all information on a card. Physical destruction of the card (ideally, by grinding) can be performed if a higher level of security is desired, and sufficient time is available.
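
The fill-and-delete steps of the procedure above as a Python script. This is an added example, not part of the original page: the function names, file-name prefixes and default sizes are assumptions, and it expects the card to be already emptied, formatted and mounted at `root` (the first two steps, done by hand).

```python
import errno
import os

BLOCK = 1 << 20  # write random data in 1 MiB pieces

def fill(root, prefix, file_size, max_files, budget):
    """Create random-filled files under root until the card is full or a
    limit (max_files, budget bytes) is reached. Returns (bytes, paths)."""
    written, paths = 0, []
    try:
        while written < budget and len(paths) < max_files:
            path = os.path.join(root, f"{prefix}{len(paths):07d}.bin")
            # buffering=0: short writes are reported, so the last file
            # absorbs whatever space is left before ENOSPC is raised.
            with open(path, "wb", buffering=0) as f:
                paths.append(path)
                left = min(file_size, budget - written)
                while left > 0:
                    n = f.write(os.urandom(min(BLOCK, left)))
                    left -= n
                    written += n
                os.fsync(f.fileno())  # push the data out to the card
    except OSError as exc:
        if exc.errno != errno.ENOSPC:  # "card full" is the expected end
            raise
    return written, paths

def remove(paths):
    """Delete only the files this script created."""
    for p in paths:
        os.remove(p)

def overwrite_card(root, passes=2, large_size=256 * BLOCK,
                   small_count=20000, budget=1 << 62):
    """Large-file fill, delete, small-file fill, delete; repeated with
    fresh random data on every pass. budget caps each fill (for testing)."""
    report = []
    for i in range(passes):
        big_bytes, big = fill(root, f"big{i}_", large_size, 10**7, budget)
        remove(big)    # file data overwritten, space freed again
        _, small = fill(root, f"s{i}_", 16, small_count, budget)
        remove(small)  # directory entries overwritten
        report.append({"pass": i + 1, "large_bytes": big_bytes,
                       "large_files": len(big), "small_files": len(small)})
    return report
```

On a real card leave `budget` at its default so each fill runs until the card reports it is full, and choose `small_count` larger than the number of files the card ever held.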

