58

I was reading another post on destroying IDE drives, and how you could remove data, wipe it, or just destroy the drive. The removed data would still be there in some state, although not easily reachable without software. Wiped data is just removed data, but it has been overwritten and is essentially gone. A destroyed disk, if done well enough, will remove everything, or make it nearly impossible to recover anything. According to my understanding.

What about a solid-state drive? Can the data on one of these be recovered once deleted? It seems that this would be the way to go if you constantly dealt with and removed sensitive data, but SSDs only have so long of a life span (again, as I understand).

Can data from an SSD be recovered in any way once it is removed, even if it has not been overwritten?

schroeder
  • 123,438
  • 55
  • 284
  • 319
cutrightjm
  • 1,714
  • 4
  • 18
  • 31
  • See also [Is it enough to only wipe a flash drive once?](http://security.stackexchange.com/q/5662) – Gilles 'SO- stop being evil' Apr 03 '12 at 22:50
  • The short answer is, yes. But the more question is: what's the objective...to retrieve or destroy data? The only fully secure way to destroy data on the flash SSD is device destruction, which depends on form factor. for small USB flash devices, pulverization is more secure because most shredders have some small spaces between their crushing metal cylinders. Pulverization converts flash USBs to a fine dust. –  Aug 13 '12 at 17:56
  • 1
    Yes off course the deleted data can be recovered easily but it is not possible to recover the data once overwritten. Even I have came across the problem where I have accidentally deleted partition from my SSD drive that contained important files folders, photos, videos etc. I used Yodot Hard Drive Recovery for [SSD partition recovery](http://www.yodot.com/hard-drive-recovery/ssd-recovery.html). This softwares features are really good. Just try it out. It might help you as well. –  Jan 25 '13 at 12:11
  • 1
    In some ways yes: Data is not always overwritten, In other ways no: Due to garbage collection on modern SSDs the longer a drive is in use the harder it will be to locate and read the data. – November Jan 26 '13 at 03:20
  • 1
    I know this thread is a bit old but I was looking for information on this topic and thought it might be worth mentioning the following: Although one can recover data from SSDs using third party tools it seems that one use case was omitted here.. From my understanding, deleted DATA on internal SSDs with "TRIM" enabled cannot be recovered (see [this article](http://techgage.com/article/too_trim_when_ssd_data_recovery_is_impossible/)).. – JayC Jan 20 '16 at 09:36
  • 2
    Related (and of special interest to @JayC), the following thread provides interesting explanation how the underlying NAND chip handles cells marked as unused and may actually reset them: [Does the ATA Trim command irrecoverably delete data on an SSD?](https://security.stackexchange.com/q/109916/32746) – WhiteWinterWolf Jul 02 '16 at 14:31

6 Answers6

78

Yes. If you do a normal format, the old data can be recovered. A normal format only deletes/overwrites a tiny bit of filesystem metadata, but does not overwrite all of the data itself. The data is still there. This is especially true on SSDs, due to wear levelling and other features of SSDs.

The following research paper studies erasure of data on SSDs:

One takeaway lesson is that securely erasing data on a SSD is a bit tricky. One reason is that overwriting data on a SSD doesn't work the way you'd think it does, due to wear-leveling and other features. When you ask the SSD to "overwrite" an existing sector, it doesn't actually overwrite or delete the existing data immediately. Instead, it writes the new data somewhere else and just change a pointer to point to the new version (leaving the old version laying around). The old version may eventually get erased, or it may not. As a result, even data you think you have erased, may still be present and accessible on the SSD.

Also, SSDs are a bit tricky to sanitize (erase completely), because the methods that used to work for magnetic HDDs don't necessarily work reliably on SSDs (due to the aforementioned wear levelling and other issues). Consequently, utilities that are advertised as providing "secure drive erase" functionality may not be fully secure, if applied to a SSD. For instance, the FAST paper found that, in most cases, performing a full overwrite of all of the data on the SSD twice was enough to sanitize the disk drive, but there were a few exceptional cases where some of the data still remained present. There may be other reasons not to want to perform repeated overwrites of the full drive: it is very slow, and it may reduce the subsequent lifetime of the drive.

The FAST paper also found that degaussing (a standard method used for sanitizing magnetic hard drives) is not effective at all at sanitizing SSDs.

Moreover, the FAST paper found that standard utilities for sanitizing individual files were highly unreliable on SSDs: often a large fraction of the data remained present somewhere on the drive. Therefore, you should assume there is no reliable way to securely erase individual files on a SSD; you need to sanitize the whole drive, as an entire unit.

The most reliable way to securely erase an entire SSD is to use the ATA Secure Erase command. However, this is not foolproof. The FAST paper found that most SSDs implement this correctly, but not all. In particular, 8 of the 12 SSDs they studied supported ATA Secure Erase, and 4 did not. Of the 8 that did support it, 3 had a buggy implementation. 1 buggy implementation was really bad: it reported success, but actually left the data laying around. This is atrociously bad, because there is no way that software could detect the failure to erase. 2 buggy implementations failed and left old data laying around (under certain conditions), but at least they reported failure, so if the software that sends the ATA Secure Erase command checks the result code, at least the failure could be detected.

The other possible approach is to use full disk encryption: make sure the entire filesystem on the drive is encrypted from the start (e.g., Bitlocker, Truecrypt). When you want to sanitize the drive, forget all the crypto keys and securely erase them, and then erase the drive as best as possible. This may be a workable solution, though personally I would probably want to combine it with ATA Secure Erase, too, for best security.

See also the following questions on this site:

Community
  • 1
D.W.
  • 98,420
  • 30
  • 267
  • 572
  • 2
    I have done a "secure erase" by writing random data sequentially to the whole drive, twice. If the drive recycles its spare block pool to minimize wear, this MAY work by having written every physical block at least once. But I really have no idea if every block really would get used in one pass or the other. Maybe three passes? – Skaperen Jan 27 '13 at 05:56
  • 3
    Hi @Skaperen: SSD drives are very complex. I doubt anyone will be able to answer your question authoritatively, from first principles. Instead, I think the only way to know is to conduct experiments and look at the resulting data. For some data on how well overwriting twice works, see my answer above, the part starting with "The FAST paper found that, in most cases, performing a full overwrite of all of the data on the SSD twice was...". For data on another way to erase a SSD, see the paragraph beginning "The most reliable way to securely erase an entire SSD is...". That's all I know. – D.W. Jan 27 '13 at 19:00
  • 2
    Degaussing hasn't worked for silicon platter drives since the 90's, FYI. They're just too dense and not magnetic enough anymore. A hammer always works, though. – SilverbackNet May 10 '14 at 22:49
  • 1
    You only need to overwrite the whole drive with random data once, as no thresholds exist for flash chips. The original data will be gone. – rustyx Feb 10 '16 at 14:10
  • 4
    I didn't see any mention of the TRIM command. SSD's can't write to a previously written location without first erasing it. Which also means that an SSD's wear leveling algorithm will write new data to a smaller and smaller area of the flash memory, wearing the drive out faster, unless some background process regularly runs TRIM to erase released flash memory, or the memory is erased immediately before a write. The latter has serious performance implications. – Craig Tullis Oct 08 '16 at 23:25
  • @Craig: Of course, if you're trying to erase the whole drive anyway, TRIMming the whole thing between passes would likely go a long way. – Kevin Sep 16 '17 at 17:12
  • 1
    Or just erase all of the files on the drive, then TRIM it. Done. – Craig Tullis Sep 16 '17 at 18:14
  • so if I *switch* to full-disk encryption, am I wiping my SSD? https://security.stackexchange.com/questions/176572 – lofidevops Jan 03 '18 at 12:23
  • @Craig TRIM tells the drive which blocks are no longer in use. The drive does not have to erase them right away. – Brian Mar 06 '20 at 21:50
  • 1
    TRIM makes it impossible to read the contents of wiped sectors from your OS (they will typically by zeroed-out), but the data isn't actually gone. With access to the physical chips, or the ability to put the drive in factory access mode, data can be recovered. See https://blog.elcomsoft.com/2019/01/life-after-trim-using-factory-access-mode-for-imaging-ssd-drives/ – craig65535 Feb 01 '21 at 23:19
  • @craig65535, this answer doesn't suggest TRIM. It suggests ATA Secure Erase. My understanding is that TRIM causes the drive to wipe the data in the background. So, if the drive was captured immediately after data was TRIMmed, before the data could be wiped in the background, the data could be recovered. However, if you wait long enough, TRIM *might* be fine (not verified, I can't guarantee it). – D.W. Feb 02 '21 at 00:10
  • Windows 10 has a scheduled task that periodically sends TRIM commands to SSD's for a selection of NTFS areas Windows isn't using, as some older SSD's didn't handle large block TRIM commands very well. So a quick format to NTFS on a Windows 10 box, followed by enough time in the Win10 box will permanently erase all user data, including in the reserve areas, as the SSD garbage collection will eventually catch up, and the SSD will maximise the number of erased blocks it has ready for writing new data. You can hurry Windows 10 up, by going to properties on the drive, then tools, then optimize. – BeowulfNode42 Feb 02 '21 at 06:28
5

I'd like to refer to this video. It explains how data can be recovered from HDDs using thresholds. Which includes that the given signal-level returned from a HDD ain't only based on the current content, but also on what was previously there. By changing the 'accuracy' of the signal-detection you can find what was previously there. However this is of course just theory, in practice this is almost never done. View other post.

It also explains why erasing data on flash-drives/SSDs ain't that secure as you might think. Because when you delete data on a SSD, the micro-controller in that SSD doesn't delete/overwrite those blocks containing that data instantly, but put them on a 'delete in future'-list.

Also, to lengthen the lifetime of SSDs, they make use of wear leveling. Which means that when overwriting a specific block, the micro-controller remaps the blocks, and make a new block which points to the old unmarked one. Note that writing to all free space will defeat wear-leveling because then the micro-controller doesn't have blocks left to remap.

However, note that if you want to make sure data is not recoverable. Encrypting the drive and dropping the key (deleting from drive/not storing anywhere) will also be an extra level of security. Unless they're able to crack your key of course.

Community
  • 1
O'Niel
  • 2,740
  • 3
  • 17
  • 28
2

Encrypted data cannot be decrypted unless you use the hash key or password, but it is an offence to withhold the key when ordered to reveal it by a court.

Also, securely shredding may get rid of the content, but links, search terms and temp files can remain elsewhere, which can point to illegal actions that can get you charged by the Police if they have reason to search your life or activity. At the least you might lose all of your digital hardware while they carry out forensic tests, and you might forfeit it permanently if the courts find you guilty of anything.

If the information is really that sensitive, or if you are paranoid, you should physically destroy all of the drives in the machine and fit new ones. And be aware of cloud backups, and IP providers who log search terms...

Alraat
  • 21
  • 1
  • "securely shredding may get rid of the content". Due to wear leveling and the [flash translation layer](https://en.wikipedia.org/wiki/Flash_translation_layer) the command `shred` [doesn't work as expected on SSDs](https://askubuntu.com/questions/794612/how-to-securely-wipe-files-from-ssd-drive). Many SSDs support [ATA TRIM](https://en.wikipedia.org/wiki/Trim_(computing)) to securely erase the content of a file. – Matthias Braun Jun 11 '21 at 04:26
1

This is not a direct answer to your question, but if you are concerned about data recovery then encrypting the data from the beginning might be a solution.

Of course the devil is in the details: you must either use software full-disk encryption or relying on the SSD's encryption capabilities. And while the former comes with a performance cost, the latter be a liability for some of the reasons explained in other posts such as buggy implementation, etc.

Also, if your concern is to protect data at rest from a motivated attacker over a long period of time (e.g. 10, 20 years) then encryption might not be the best solution for you: attacks against software encryption might make it uneffective, and the chances of an implementation bug in an SSD firmware aren't zero.

lorenzog
  • 1,911
  • 11
  • 18
0

Its possible to recover data from SSD bare chips by fluctuating the power voltage very quickly while the array is being scanned- sometimes this works. I've also had some success reading totally dead-but-draw-voltage microSD cards by using a proprietry method involving low energy X-rays and modified readers, got about a 25-30% success rate this way. My working hypothesis is that this activates the broken wear leveling and allows some data to be read from nearly dead chips, also nudging molecules around sometimes temporarily works because the bond wires are gold and heat up a bit under the X-ray fluence. Sometimes extreme cold also works for the same reason, if done carefully (ie less than 5c/minute)

Conundrum
  • 9
  • 1
  • Are you sure this works for _erased_ data, not just for SSDs or microSDs that have broken and are not returning reads under normal conditions? It seems extremely unlikely that any of these would work for a _wiped_ flash device. – forest Aug 14 '18 at 22:18
  • I did test it on a non working (bricked but otherwise electrically OK) AData card. Also had some success reading back wiped-with-Winhex uSD cards with some fragments surviving only one zerofill cycle. I did also find out that the X-ray technique may have worked because it writes noise into the array randomly allowing marginal bits to read back their original data if they have only ever been set to a complement (1 or 0) once. Each time you overwrite it does alter the molecular structure slightly with modern flash chips. so the error correction takes this into account. – Conundrum Sep 16 '18 at 07:43
  • Sorry, but this sounds too much like techno-babble to be believable ("nudging molecules around"?). Could you add some sources to why you think this helps? – sleske May 02 '19 at 08:48
-4

If there is a legitimate reason to wipe data and the wiping of the data is legitimate Totally format your drive, or do an OS restore that will compact all essential data in a less fragmented space so that maximum empty space is available again, run a drive wipe program such as ccleaner and then format or restore the os again, then rewrite long high quality superfine videos that use up maximum pixels onto it until it is completely full, remove the drive, then delete some and overwrite again. If using a phone, run an OS restore, use a drive wiper such as ccleaner, then set video recording to highest pixels and superfine and walk about recording random stuff that can't just be removed from the reconstruct equation like a movie until the storage is full, don't delete it all immediately but make what space you need for data copy. If possible, move some of the new random videos to external sd and record new random videos.

Bear in mind that many data wipe software use small blocks such as 1gb to overwrite and may leave spaces, especially if you are using your device in the process, the device's high quality random video recording should be capable of writing the whole empty storage space in one single file and there is usually no known "x" factor to remove from the process when attempting a restore.

abzcomputers
  • 7
  • 1
  • 5
    There is so much wrong with this answer that I can't even begin. Everything you are saying is either incorrect or useless. For example, formatting does _not_ securely erase a drive, much less an SSD. – forest Aug 14 '18 at 22:16
  • 1
    This answer isn't as off-base as it sounds. Windows has a `cipher /w` command that more or less does exactly that - fill the disk's free space with data. If you quick-format, reinstall Windows, and run that command, you will have effectively wiped your HDD. The problem is that won't work on a SSD - you can only write to what is currently mapped by the firmware (typically 85%-95% of the SSD's true capacity). Physical access to the chips, or putting the drive in factory mode, could theoretically recover the rest. – craig65535 Feb 01 '21 at 23:15