Thought exercise: destroying data on a memory card  

Memory cards are used in many appliances to store information while the equipment is switched off. Memory cards are used, for instance, in MP3 players, palmtop computers, personal organizers, mobile phones and digital cameras. The information stored in these devices is typically of a personal nature, and therefore subject to the same privacy concerns as the information stored on hard disks. Thus, it is legitimate to ask how to safely delete it.

First of all, if the data on the card is encrypted with strong cryptographic algorithms and the key is certain not to be accessible to a third party, a low-level reformat of the whole card may be sufficiently secure, unless the consequences of the disclosure of the data stored on the card are exceptionally dire for the owner/creator of the data. A low-level reformat overwrites all currently functioning data clusters on the card and re-creates an empty directory and file allocation table (see also below).

Memory cards typically use flash memory, which is built on solid-state silicon chips. This type of memory is extremely resistant to mechanical forces. Dropping these memory cards does not affect them (unless they have mechanical defects to start with, like poorly soldered contacts). Moisture and moderately high temperatures likewise do not affect the stored information. Memory cards are often forgotten in pockets, and almost invariably survive laundering without damage. After the Southeast Asian tsunami of 2004, the memory cards of digital cameras recovered from the flooded rubble yielded their contents - in some cases, pictures of the advancing tsunami wave, taken by the camera owners moments before being killed.

The memory chips on a memory card are usually connected to a controller chip that manages the communication with external devices. With special equipment it is still possible to access the memory contents when the controller is faulty or removed.

A few (mostly legacy) memory cards contain miniature hard disks. They should be treated like normal hard disks as far as privacy is concerned, but their small sizes make it more practical to destroy them in bulk, without preliminary disassembly (see here).

In another page, I argued that hard disks should be physically destroyed, in order to keep their contents private. Much the same can be done with memory cards. Grinding can effectively destroy a memory card beyond the possibility of recovering its contents. Incineration at a temperature high enough to leave only ashes, small fragments of silicon chip and metal bits as a byproduct is equally effective (just don't microwave a memory card, which is uncertain to damage the data but can potentially set the microwave oven on fire). However, it is worth asking whether these procedures are the only secure ones available.

Memory cards contain several components, in addition to memory chips. The memory chips (the Toshiba black rectangular chip packages in the above pictures, with pins along two sides) are interfaced through other digital components, not directly connected to the card contacts. The memory chips themselves contain digital driver circuits to access the individual memory cells. Unlike hard disks, in which the individual data locations on the platters can be physically accessed to detect weak magnetic domains left over after erasing and rewriting, the memory cells of flash memory are not directly accessible from the electrical connectors of the chip package. Thus, I believe that it is virtually impossible to recover the contents of a flash memory that has been overwritten a few times (short of isolating the memory chips and studying the residual electrical charges stored in the memory cells under an atomic force microscope or equivalent equipment - which might or might not work in practice, given the stochastic nature and individual variation of these structures).

While the recovery of overwritten data from a hard disk can exploit the fact that the head never overlaps the data track on the platter in exactly the same way, there is no equivalent weakness in flash memory. Although it is possible that previous, overwritten logical states of a flash memory cell leave a trace in the form of a slightly higher or lower cell charge, after a number of overwrites there is no way to identify which "generation" of data had which logical value, except possibly for the generation immediately preceding the currently stored data. Therefore, a modest number of overwrites (from five to ten) should more than suffice to thwart any attempt to recover data.

The above does not mean that it is sufficient to erase the files from a memory card. Doing so has the same effect as erasing files from a hard disk: all data in the files is preserved (until overwritten), and the directory entries are either deleted, or flagged as deleted but still preserved. The only information that is sometimes lost is the file name, but the file contents can be recovered with broadly available software. Formatting a memory card usually leaves the file data unchanged, and available for recovery. Thus, the only secure way to erase the file data is by overwriting it. There is "disk-wiping" software designed to do so with hard disks. Some of this software can also be used with memory cards. Because of the factors discussed above, a wiping procedure designed to be effective against moderate efforts to recover data from a hard disk is likely to be much more effective when applied to a memory card.

A possible difficulty in completely overwriting data on a memory card is that solid-state hard disks based on flash memory do not overwrite the same memory cells when instructed to do so. Instead, they just mark the old data as deleted and store the new data in a different region of memory. The purpose of this operation is to avoid overwriting the same memory cells many times (e.g., the ones located near the beginning of the address space) while leaving other cells unused. Since flash memory cells can only be overwritten a limited number of times before starting to deteriorate, it is necessary to spread the wear evenly across the whole memory space. Large-capacity memory cards might use a similar mechanism to increase the useful life span of the device. This problem can be largely avoided, however, by completely filling the memory card with bogus data before erasing it, and repeating the procedure multiple times.

The CF card shown above is an old model. However, recent models have a similar physical architecture. Depending on the card capacity, they may contain one or more flash memory chips. The outer "skin" of newer cards may be molded around the electronics, thus providing a better protection of the electronics against corrosion.

In an emergency, and in the lack of suitable disk-wiping software, I suggest the following procedure:
- Delete all files.
- Format the memory card.
- Copy a few very large files to the memory card, and if necessary finish filling it up with smaller files (in order to take up all available space).
- Erase all files.
- Copy a large amount of very small files to the memory card.
- Delete all files.

The above procedure may be repeated if there is time, by using different sets of files. The reasons for this procedure are explained in the following paragraph.

The initial deleting and formatting reclaims all space on the memory card, and makes it available for overwriting. Copying a few large files to the card makes it likely that all, or almost all, of the memory will be overwritten. When files are written to memory or a hard disk, a small amount of space may not be overwritten. This is called "slack space". Slack space is left over because space on a card or hard disk is allocated in "chunks" of fixed size. Thus, part of the last chunk of space may be left unchanged, if the file does not occupy an exact multiple of allocation chunks. The use of few large files reduces the number of incompletely overwritten chunks. Subsequently, writing a large number of small files to the card has the purpose of overwriting the directory entries (i.e., the regions where the file names and other directory information are stored). In some cases, there is a finite number of files that can be written to a directory, and this procedure overwrites the whole directory space. In other cases, there is no practical limit, but it is possible to write a number of files so large that it exceeds any number of files stored on the card during normal operation. The result is the same. Thus, both file contents and file information are overwritten. Repeating the process with a different set of files is very likely to overwrite the few unused data chunks and directory entries left over by the first overwrite. Although not entirely foolproof, this procedure is very likely to destroy all or virtually all information on a card. Physical destruction of the card (ideally, by grinding) can be performed if a higher level of security is desired, and sufficient time is available.
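One way to script the emergency procedure listed above, as an added example that is not part of the original page. It assumes the card is mounted at an ordinary directory path, that the allocation unit is roughly 4 KiB (the assumed CLUSTER constant), and it leaves the format step to the operating system's own formatting tool; the per_size cap exists only so the code can be exercised on a normal disk without filling it.

```python
import errno
import os

CLUSTER = 4096  # assumed allocation-unit size in bytes; real cards vary

def delete_all(mount):
    """Steps 1, 4 and 6: unlink every regular file below the mount point."""
    removed = 0
    for root, _dirs, files in os.walk(mount, topdown=False):
        for name in files:
            os.remove(os.path.join(root, name))
            removed += 1
    return removed

def write_files(mount, size, prefix, limit):
    """Write files of 'size' random bytes until ENOSPC or 'limit' files exist;
    a file cut short by ENOSPC is left in place so its clusters stay used."""
    for index in range(limit):
        try:
            with open(os.path.join(mount, f"{prefix}-{index:06d}.bin"), "wb") as fh:
                fh.write(os.urandom(size))
                fh.flush()
                os.fsync(fh.fileno())
        except OSError as exc:
            if exc.errno != errno.ENOSPC:
                raise
            return index  # files fully written before the card filled up
    return limit

def fill_card(mount, chunk=64 * 2**20, per_size=10**9):
    """Step 3: big files until the card is full, then halve the size so the
    last free clusters are used too ('per_size' caps files for dry runs)."""
    written = 0
    while chunk >= CLUSTER:
        written += chunk * write_files(mount, chunk, f"fill{chunk}", per_size)
        chunk //= 2
    return written

def emergency_wipe(mount, passes=2, small_files=100_000, **fill_kwargs):
    """Whole procedure; the format step (2) is left to the OS formatting tool."""
    delete_all(mount)                                   # step 1
    totals = []
    for _ in range(passes):
        totals.append(fill_card(mount, **fill_kwargs))  # step 3
        delete_all(mount)                               # step 4
        write_files(mount, 512, "tiny", small_files)    # step 5: directory entries
        delete_all(mount)                               # step 6
    return totals
```

Run with passes=2 or more and a different chunk size per pass to vary the set of files, as the page recommends.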

Data that cannot be deleted on a memory card

Unfortunately, some meaningful data can survive the overwriting procedure discussed above. In particular, as a memory card slowly degrades during its useful life, data clusters that fail a checksum and cannot be successfully reformatted are marked as permanently bad, and not re-used afterwards. This may include clusters that contain data that should be kept private. In principle, such "undeletable" clusters can still be read, and the information they contain accessed by a third party with physical access to the memory card (and quite possibly also through network access to a compromised computer on which the memory card is mounted).

Attempts to bulk reformat the card may or may not be successful in deleting this sensitive data. It depends on whether the formatting utility has a setting available to attempt reformatting the bad clusters, and on whether this operation is allowed by the card's firmware and hardware. In this case, although the checksum still fails and the cluster is still marked as bad, its contents have likely been replaced by the data pattern used in formatting.

If the original contents of the memory card are of such a nature that access by a third party to even a small amount of the original data should be avoided, and the data on the card was not encrypted, then it is appropriate to physically destroy the card by grinding it, or incinerating it.