16

Does any manufacturer produce a compact camera which has the ability to securely delete pictures from the memory card? Or, failing that, have a format feature which really blanks the card rather than just deleting the FAT?

I work for a healthcare organization and we're trying to find the easiest way to wipe photos of patients after they have been transferred to our network.

I'm aware that we can load the memory into a PC and wipe it there, but I'd like to find something built in, for convenience.

12
  • 13
    Cameras and PC software can't offer truly secure deletion on flash devices because of the way those devices manage the memory where the data is actually stored. (See this question on StackOverflow for a slightly more detailed explanation.) If your local regulations require erasure to the point where there's absolutely no trace of the information left anywhere on the media, you will probably have to resort to buying inexpensive, low-capacity devices and physically destroying them after each patient.
    – Blrfl
    Commented Dec 7, 2012 at 19:55
  • 2
    But couldn't you just fill the card up after "deleting" the images?
    Commented Dec 7, 2012 at 21:23
  • 2
    @PaulCezanne: Depends on how the wear leveling algorithm in the card works. The only practical, 100% safe possibilities are physical destruction and using cards that implement the ATA secure erase operation. Hard disks and some SSDs implement the latter; I've never seen a flash card or USB stick that did.
    – Blrfl
    Commented Dec 8, 2012 at 14:12
  • 5
    I would recommend a two-stage process. Erase images in the normal way once you have uploaded them to the network, but also treat all SD cards that have been used for this as if they were hardcopy patient records - keep them locked up when they are not in use, use tracking numbers so they don't get lost etc. The first will prevent casual browsers from finding pictures and the second will prevent determined violators.
    Commented Dec 10, 2012 at 19:15
  • 1
    @BillN - Most likely the pictures will be transferred from outside the network i.e. from a laptop via VPN. We've discussed the possibility of wiping cards after they are in the laptop, or the camera is mounted over USB, but it would need to be a very easy to use process as this will be done by non-technical staff. Hence my hope to find a camera with a secure delete option; it would be simplest of all.
    – Chris
    Commented Dec 12, 2012 at 13:10

13 Answers

5

The closest you could get is to have a secure (encrypted) card so that the contents were scrambled to those who don't have the password.

Lexar produced a CF card range called LockTight, which offered encryption in combination with the Nikon D200 although I've seen nothing new on it in a few years.

I haven't heard much if anything about the technology for a few years but it's a starting point.

Edit: I should have mentioned that the encryption mechanism happens within the card rather than in camera/computer - which means the key management is not subject to the usual forensic recovery techniques which come about as a result of wear levelling.

5
  • I don't think anything like this is currently available.
    – mattdm
    Commented Feb 2, 2013 at 15:27
  • 1
    Ah: turns out that although Lexar says "encryption", it really wasn't.
    – mattdm
    Commented Feb 2, 2013 at 15:30
  • I noticed this when I posted an answer involving the LockTight card on another question a few days ago. It just blocks the card's access until the passphrase is entered. So while not technically encryption, locking the card in this way would still be sufficient for the needs of this situation, since the card would be unlikely to be under any kind of well resourced or sustained attack. I can edit to clarify if you like, matt?
    Commented Feb 2, 2013 at 15:45
  • This sounds like it's private medical information: pictures of patients. I think more protection than this is likely required. Speculation on Schneier's blog is that an attack would be as simple as swapping the flash chips into a normal CF card.
    – mattdm
    Commented Feb 2, 2013 at 16:00
  • I see what he's getting at: as it's just locking out the controller based on a password/hash, you could bypass the controller, assuming it's not baked into the chip(s). I figure that removing the chips and installing them elsewhere requires a surface mount device workstation as a minimum, making the attack well resourced and highly targeted. In those situations a card like this is very unlikely to be the weakest link in the chain, and simpler attack vectors would be more effective and cheaper.
    Commented Feb 2, 2013 at 17:16
3

For anyone who's interested: we ended up using Panasonic Lumix cameras with pictures stored on the internal memory instead of an SD card. The image files are transferred over VPN to a network share and then securely deleted; this is all done with a batch file the users can just click on.
Blrfl's answer about whether secure deletion is even viable is well taken, but we figure it's about the best we can do and the fact that the memory is internal probably helps here.

2
  • Thanks for coming back to us. It's nice to know what you actually decided to do.
    Commented Mar 10, 2014 at 14:17
  • 1
    This internal memory only displaces the problem; the photos can now be recovered from the built-in NAND rather than from the NAND on the memory card.
    Commented Jun 8, 2023 at 0:19
2

Here are some alternative ideas:

  • Maybe you can take a look at the Eye fi SD card ( http://www.eye.fi/ )
    It's an SD card that transfers the captured image in real time to the computer via a WiFi network. I have never used one: you can check if it's possible to transfer the images without storing them in the memory of the SD card.
    UPDATE: @Chris already owns an Eye fi card, and it seems that this solution is not possible
  • Find a camera that has integrated support for WiFi image transfer, AND can take photos without a memory card
  • You can look in the "alternative firmware" world (CHDK comes to mind http://chdk.wikia.com/wiki/CHDK) and ask if someone wants to develop a "secure erase/overwrite" function, or maybe you can develop your own with some kind of scripting... (I don't know if it's possible, but you may want to check it out)
2
  • I have an Eye Fi card and I don't think it transfers without storing first (unless newer models/updates allow this). However, this wouldn't be an option as they will rarely have wifi access when taking pictures. Interesting idea though! I'll have to look into chdk and see what scope that offers.
    – Chris
    Commented Dec 12, 2012 at 12:55
  • While you can't do a secure delete on an SD card (as the card decides where a file goes and not the OS or device) you could store the files in an encrypted volume on the card which is then useless if recovered?
    Commented Mar 10, 2014 at 14:11
2

Samsung has a new Android based compact camera, the Galaxy Camera.

Using this camera, you should be able to log on to Google Play and download Android apps for secure file deletion.

I've not tried this myself as I do not have that camera but hopefully this would work for you.

1

I suspect that such a system does not exist. At one time Canon produced a system for its Pro cameras to ensure that images taken on the camera were authentic and not retouched, however, this system was proven to be inadequate and subsequently easily cracked. As a result, Canon no longer produces the system.

I suspect that deletion or even secure deletion will never be adequate, as it is not adequate for computer hard drives. With enough time and money, files are easily recovered from most media. In-camera encryption would likely be the preferred route, but I suspect this would require a significant step up in processor power on the camera (hence the 'security' system Canon provided which was an encryption dongle for the camera), and therefore expense. I know of no system that provides encryption of the card.

I would recommend that you 1) simply reformat the card following each use, making it part of the training for camera users, and 2) since this is technically inadequate, treat the card (or card and camera for convenience) as a form of PHI, and secure it in the same manner you do other sources of PHI.

1

The most secure way to do this would be to use a smart phone instead of a camera, and ensure that the storage is encrypted. Modern versions of Android support hardware encryption. If you erase images on encrypted storage, there is no way to recover them. Obviously you'd need to make sure you disable any automatic photo backup settings.

Something like the Nexus 5X, or 6P would be ideal, and the photo quality would be comparable to most compact cameras.

No actual cameras (that I'm aware of) support encrypted storage. Securely deleting photos from non-encrypted storage requires the data to be overwritten multiple times, which is very time-consuming.

0

While not specifically a camera, what about an iPod Touch or iPhone? Both offer hardware encryption, passwords, remote wipe and other mobile device management options. You could use configuration tools to lock it down to just the camera app and if something does go awry you could remotely wipe it (or maybe even locate it!).

Users would plug in the device to a computer, enter a password and download the photos.

I too work in healthcare and have been pondering a solution for handling photos of our burn victims. Taking a photo and storing it securely is a much better experience than having to wrap and unwrap bandages.

1
  • Android phones and tablets also support hardware encryption.
    Commented Feb 2, 2016 at 11:46
0

Most cameras (if not all) use the same chip, or a variation of it, to handle the FAT file system, as this makes it cheaper to implement support for cards and so on.

The drawback, security-wise, is that they all offer the same functionality. Deleting a file only deletes the header of the file, and as such the file can easily be reconstructed.

Simply full-formatting the card helps, but with forensic techniques it is possible to get those data back (picking up and amplifying weak electric/magnetic residue). With quick-format only the file table is cleared, content is left untouched.

So what you can do to achieve high security with a common camera is the following:

After you have transferred the pictures, use the following procedure:

  • Format the card (important: full format, not quick).
  • Turn off flash and take as many pictures as you can to fill up the card. Point the camera at the sky, for example. This is to overwrite the old left-over traces with "noise".
  • Re-format again with full format.

And repeat once more (or twice) to be sure.

This technique is basically what file "shredders" do, only here you do it manually. It's somewhat time-consuming but offers good data security in terms of ability to restore data from the card.

2
  • 1
    Reformatting multiple times will not help in the slightest, and a full format is no better than a quick format in this regard. To securely erase a drive, the actual data blocks have to be overwritten multiple times. This is what file shredders do.
    Commented Feb 2, 2016 at 11:57
  • You can demonstrate this yourself quite easily... Save some photos on an SD card, re-format the card however many times you like, then run the free 'recuva' application. You'll find it's easily able to recover the files.
    Commented Feb 2, 2016 at 12:02
0

Cameras and PC software can't offer truly secure deletion on flash devices because of the way those devices manage the memory where the data is actually stored. (See this question on StackOverflow for a slightly more detailed explanation.)

If your local regulations require erasure to the point where there's absolutely no trace of the information left anywhere on the media, you will probably have to resort to buying inexpensive, low-capacity devices and physically destroying them after each patient.

3
  • If the storage is encrypted, then all that's necessary is to erase the decryption keys, and all data on the disk is irretrievable.
    Commented Feb 2, 2016 at 11:54
  • @user1751825: Nobody, as far as I know, has a camera on the market that encrypts its storage. Certainly wasn't the case three years ago.
    – Blrfl
    Commented Feb 2, 2016 at 13:35
  • That's true. My comment was of a general nature, as the answer also mentions PC software.
    Commented Feb 2, 2016 at 13:39
0

The more nodes you bring into the chain of transfer, the weaker your security becomes. When thinking of deleting the images on an SD or CF card, I can think of two simple methods to achieve this:

A) The camera can format a card which erases the contents of the card. However, some 'Format' options in a camera only tell a card it's empty, to allow the data to be overwritten, and do not in fact actually overwrite the card itself.

In this case I would suggest a camera that can be set to take images with a built-in intervalometer. Once you have transferred the images, you overwrite the card by 'formatting' it and then taking images of something (or with the lens cap on) until the card is full, thereby overwriting the data. Now you can 'format' it again.

B) Some cameras will actually overwrite the data during formatting, but that you would have to research.

C) Only buy smaller, cheaper cards and physically destroy them after you no longer use them. With card prices for smaller cards dropping even further this may actually be affordable, depending on how often you would need to exchange those cards.

D) Canon cameras have additional firmware available written by a developer community. In some Canon models (and others) the software is actually not replacing the camera firmware but augmenting it. This would NOT void your warranty and, as explained above, may add that functionality to the camera's features. However, be aware that if you have multiple people using that camera you may have to train them, as it isn't particularly easy to use in some cases.

If security is of top concern I would caution against any networked or mobile phone software as the camera's operating system as you will have to harden those points of entry for the potential security breaches.

0

From answers to this question, it would appear that some Canon cameras can perform a 'Low Level Format' on SD memory cards, and that this will write data to the whole card (i.e. overwriting the free space).

It's only available for formatting (not deleting individual photos), and only on some cameras, and only on their SD cards (e.g. Canon 5D Mark III only offers it for the SD slot, not the CF slot).

It's a feature I thought was only on the DSLR range, but it appears several (if not all?) Canon PowerShot cameras can do it, so I would expect to find it on a few other compact Canon cameras (perhaps even other vendors). For example, S110, SX280HS, even the rather old A550, so I suspect most Canon cameras with SD cards will support it.

Also worth noting, according to this discussion thread, that some cameras' low level format doesn't seem to securely erase as expected. One user found images could be recovered after performing a low level format with their 450D, but not with their 70D. It's an internet discussion forum, so take with appropriate levels of salt, and definitely test any secure erase/low level formatting thoroughly before you rely on it!

Finally, as various others have commented, if you truly need secure erasing, then there's nothing better than physical destruction of the card. I certainly wouldn't guarantee (even with thorough testing) that a low level format will properly wipe the card. It may be good enough for most purposes, but you still have risks (like the chance some sectors don't get erased, perhaps quite deterministically, and the likelihood of a user forgetting to check the 'Low Level Format' option). You could talk to Canon about how Low Level Format works at a technical level, and if there are any guarantees on it wiping the data. Otherwise consider using small/cheap SD cards and considering them as disposable (with an appropriate protocol to ensure destruction).

2
  • A low level format will not necessarily securely erase all data. It would still likely be recoverable.
    Commented Feb 2, 2016 at 11:51
  • Nonsense if we assume low level format being zero filling LBA addressable space. It would require NAND protocol to attempt recovery from what's left in overprovisioned space.
    Commented Jun 8, 2023 at 0:16
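
Added example, not part of any answer or comment above: the answer recommends testing a low level format before relying on it, and one way to do that is to take a raw image of the formatted card and scan it for sectors that still begin a JPEG file. `scan_image`, `scan_bytes`, `build_sample` and the sample images are constructed for this illustration, and 512-byte sectors are assumed.

```python
import sys
from dataclasses import dataclass, field
from io import BytesIO

SECTOR = 512                  # assumed logical sector size of the card image
JPEG_SOI = b"\xff\xd8\xff"    # JPEG start-of-image marker plus next marker byte


@dataclass
class WipeReport:
    sectors: int = 0
    nonzero_sectors: int = 0          # includes the fresh file system itself
    jpeg_offsets: list = field(default_factory=list)

    @property
    def residue_found(self) -> bool:
        return bool(self.jpeg_offsets)


def scan_image(stream, sector=SECTOR, chunk_sectors=2048) -> WipeReport:
    """Scan a raw card image for sectors that still start a JPEG file.

    Files begin on cluster boundaries, so only the first bytes of each
    sector are compared against the JPEG signature.
    """
    report = WipeReport()
    zero = bytes(sector)
    while chunk := stream.read(sector * chunk_sectors):
        for i in range(0, len(chunk), sector):
            block = chunk[i:i + sector]
            if block != zero[:len(block)]:
                report.nonzero_sectors += 1
            if block.startswith(JPEG_SOI):
                report.jpeg_offsets.append(report.sectors * sector)
            report.sectors += 1
    return report


def scan_bytes(data: bytes) -> WipeReport:
    return scan_image(BytesIO(data))


def build_sample(wiped: bool, total_sectors: int = 64) -> bytes:
    """Constructed test image: a boot sector, plus one leftover photo
    at sector 40 unless the card was really overwritten."""
    img = bytearray(total_sectors * SECTOR)
    img[0:3] = b"\xeb\x3c\x90"        # boot sector jump written by a format
    img[510:512] = b"\x55\xaa"        # boot sector signature
    if not wiped:
        start = 40 * SECTOR
        img[start:start + 4] = b"\xff\xd8\xff\xe1"     # SOI + APP1 (Exif)
        body = bytes((i * 37) % 251 + 1 for i in range(3 * SECTOR - 12))
        img[start + 12:start + 3 * SECTOR] = body      # stand-in image data
    return bytes(img)


if __name__ == "__main__":
    if len(sys.argv) > 1:             # path to a raw image of the real card
        with open(sys.argv[1], "rb") as fh:
            reports = {sys.argv[1]: scan_image(fh)}
    else:
        reports = {"quick format (constructed)": scan_bytes(build_sample(False)),
                   "overwritten (constructed)": scan_bytes(build_sample(True))}
    for name, r in reports.items():
        verdict = f"JPEG residue at {r.jpeg_offsets}" if r.residue_found else "no JPEG headers"
        print(f"{name}: {r.nonzero_sectors}/{r.sectors} non-zero sectors, {verdict}")
```

A clean result covers only the addressable space of the card; as the comments above point out, blocks the controller holds back for wear levelling are not visible to this kind of scan.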
0

Thinking a little outside the box... rather than a compact camera, have you considered using an iPhone or iPod Touch for your cameras? (Specifically iPhone 4S or higher / iPod Touch 5th Gen 32GB or higher models)

Since the iPhone 3Gs and (I think) iPod Touch 3rd gen, the contents of the built-in flash are encrypted, so a factory reset will securely wipe any traces of photos on there. Even simply deleting them on such a device will make them very difficult to recover since the flash is non-removable—a common complaint, but a potentially useful security feature.

There's some enterprise software to manage devices, which may even make it easy to ensure users are following the protocol properly, track/wipe lost devices, manage any additional software/resources (e.g. you could include training material, instructions, or useful apps).

The cameras are reasonable quality, as good as a cheap compact. iPhones since the 4S have an 8MP camera, the iPod Touch 5th gen (32/64GB models—NOT the 16GB) have a 5MP camera. They can focus quite close for semi-macro shots, are very easy to use, have a basic built-in flash, and generally work okay in reasonable lighting.

The downsides compared to a compact are they cost a bit more than the cheapest compacts, no spare/removable batteries, no zoom (though unlikely a big deal for your use), and low-light/high-ISO performance won't be as good as recent compacts.

2
  • I hadn't looked into the specifics of how the iPhone stores or deletes photos, but I had been advocating for iPhones (or similar) for other reasons e.g. email, sms, mobile hotspot, etc. however cost was the prohibiting factor. It might be worth revisiting, though we'd need to be sure that we could lock down access to the photos and prevent emailing and texting of them, except by secure means. As a camera, they would certainly be good enough.
    – Chris
    Commented Mar 13, 2014 at 14:41
  • Have a look into their mobile device management business software. I suspect you can lock the phone down (akin to parental controls) in a business-appropriate way (or maybe just use parental controls directly). See their business IT management page.
    Commented Mar 15, 2014 at 12:54
-1

Yes, the Nikon Z8 and firmware 3.0 for the Nikon Z9 can "full format" their CFexpress type B memory card. Based on the speed it completes, they probably do this by instructing the drive to rotate its encryption key.

3
  • 1
    More likely they use TRIM commands to wipe the translator (FTL) which makes the card appear to be erased while data is still recoverable using NAND protocol.
    Commented Jun 8, 2023 at 0:12
  • If you can indeed recover data from such a card full formatted by the Z8 or Z9, you'll have publicly embarrassed Nikon. "In contrast, performing a full format on a CFexpress memory card deletes all data. We recommend fully-formatting CFexpress memory cards prior to transfer of ownership or disposal."
    – Lucent
    Commented Jun 9, 2023 at 1:05
  • A full format doesn't finish within seconds which I assume is what you mean by "Based on the speed it completes". It's either like you say crypto erase (which I doubt) or TRIM. From the latter you can possibly recover data via NAND protocol (but not using file recovery software). It would require several 1000's of $ worth of equipment and specialized software. A full format that actually overwrites (zero fills) can not be recovered from (some over provisioned space aside, two passes would probably take care of this too).
    Commented Jun 9, 2023 at 1:36
