3

I have deleted a file on a FAT16-formatted flash drive with rm.

I can see that the file is still recoverable using testdisk or fls.

Is there a way to securely delete the (already deleted) file, without destroying other data on the flash drive?

2 Answers

3

You might want to look at the shred command, which is written explicitly for this purpose.

However, at the end, you talk about a "flash drive." If you mean solid state storage (USB Stick, SSD, etc.), then thanks to advanced features like wear leveling, you really have no way of knowing if you're overwriting the old data.

This is why FDE is much more important today than years ago; recoverable data never touches the disk.

  • FDE is the only easy way. – dan Aug 22 '20 at 13:01
  • 2
    shred works only before removal of the file and only on RHD ( Rotational Hard Drive ). – dan Aug 22 '20 at 13:07
  • @dan Yes there was some hand-waving, which is why I wrote it in the order I did. I also could've talked about journalling, but didn't since OP said FAT-16. Of course, now I see the flash was also in the leading sentence, but whatever. FDE covers from USB sticks to cloud ("I don't even know what building my data is in"). – Aaron D. Marasco Aug 22 '20 at 13:13
  • 2
    shred is great, but how can I overwrite the already deleted file with it? I have to provide a file path to shred. – Matthias Braun Aug 22 '20 at 16:01
  • If it's already been deleted by the system, you would need to fill the now-empty space, as noted in another answer. – Aaron D. Marasco Aug 22 '20 at 22:03
2
cat /dev/zero > /media/flash/EMPTY
sync
rm /media/flash/EMPTY

Since the maximum file size for fat32 is 4GB minus 1 byte, you may need to create several empty files to wipe the entire free space.

Some pieces of the file (if you've changed its size) can still remain in the ends of other blocks.

If you want to make sure it's not recoverable, back up all the files, wipe the disk using dd or shred, recreate the filesystem, and restore the files.

  • 3
    With overprovisioning, even a full dd isn't guaranteed to wipe out an SSD. – Aaron D. Marasco Aug 22 '20 at 12:54
  • @AaronD.Marasco 1) Out of over 100 USB flash drives that I've had so far, none has had overprovisioning. 2) good luck reading data from the overprovisioning zone. No way on earth you can do that directly. 3) Overprovisioning is usually reserved for SSDs and SSDs only. So much for downvotes. Specialists, my arse. – Artem S. Tashkinov Aug 22 '20 at 13:40
  • 2
    Thanks for your answer! The commands you listed created an all-zero file EMPTY on the drive as large as the formerly free space of the flash drive. This indeed overwrote the old deleted file, making it unrecoverable with testdisk. I was hoping to get the beginning and end of the deleted file and overwrite that, since it's faster than filling the whole flash drive with zeros. – Matthias Braun Aug 22 '20 at 16:27
  • I'd use a larger block size (512 bytes is much less than the flash block size). 1MB or larger even – Chris Davies Aug 22 '20 at 18:04
  • @roaima the minimum cluster size for fat32 is 512 bytes https://support.microsoft.com/en-us/help/140365/default-cluster-size-for-ntfs-fat-and-exfat , so I didn't specify bs=SIZE for dd at all. 512 is also the default block size for dd. – Artem S. Tashkinov Aug 22 '20 at 18:16
  • I'm thinking about physical writes. Regardless of filesystem block size, flash memory is usually 4K blocks. If you write 512 byte blocks that's eight writes for each physical block – Chris Davies Aug 22 '20 at 19:13
  • That's why I replaced dd with cat. – Artem S. Tashkinov Aug 22 '20 at 21:06
  • @ArtemS.Tashkinov the wear leveling argument would still apply for USB drives when using shred, which is why I noted it. As for accessing outside of what the controller lets you touch, physical access to the ICs means you can do anything. Your answer is valid for the question asked and deserves to be voted on appropriately. – Aaron D. Marasco Aug 22 '20 at 22:09
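The free-space fill from the second answer, extended to the "several files" case it mentions for volumes with more free space than one FAT file can hold. This is an added example, not code from either answer. The function name wipe_free_space, the WIPEFILL.TMP directory and the optional chunk limit are made up for this sketch; it does not reach slack space in the last cluster of other files or blocks remapped by wear leveling, both of which the thread points out.

```sh
#!/bin/sh
# Added example: zero-fill the free space of a mounted FAT volume using
# several filler files, each below the FAT per-file limit, then remove them.
# All names here (wipe_free_space, WIPEFILL.TMP) are hypothetical.

# usage: wipe_free_space MOUNTPOINT [CHUNK_MIB] [MAX_CHUNKS]
#   CHUNK_MIB   size of each filler file in MiB (default 4095, under 4 GiB)
#   MAX_CHUNKS  stop after this many files; 0 (default) = until the volume is full
# Prints the number of filler files that were created.
wipe_free_space() {
    dir=$1
    chunk_mib=${2:-4095}
    max_chunks=${3:-0}
    fill="$dir/WIPEFILL.TMP"
    n=0

    [ -d "$dir" ] && [ -w "$dir" ] || {
        echo "not a writable directory: $dir" >&2
        return 2
    }
    # Work in a fresh directory so nothing already on the drive is touched.
    # mkdir fails if the name exists, which makes the function refuse to run.
    mkdir "$fill" 2>/dev/null || {
        echo "refusing to reuse existing $fill" >&2
        return 3
    }

    while [ "$max_chunks" -eq 0 ] || [ "$n" -lt "$max_chunks" ]; do
        n=$((n + 1))
        # 1 MiB writes instead of dd's 512-byte default, as suggested in the
        # comments. dd exits non-zero once the volume is full; the partial
        # file it leaves behind covers the last free clusters.
        dd if=/dev/zero of="$fill/$n" bs=1048576 count="$chunk_mib" \
            2>/dev/null || break
    done

    sync                # force the zeros out to the device before deleting
    rm -rf "$fill"
    sync
    echo "$n"
}
```

Call it as `wipe_free_space /media/flash` with the mount point from the answer, then re-run testdisk or fls to confirm the deleted file no longer shows recoverable content.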