6

Edit: this is not about how to securely erase, but how to check whether the erase was secure enough.

I have over written my SSD with very large video files, in order to overwrite any sensitive data I may have had, before selling the SSD.

I use the Mac program Disk Drill to try and recover deleted files, but it didn't find any file to recover.

Does that mean my SSD is safe to sell?

What if I use another similar program, will it be able to find something, or do they all look for data the same way?

alexx0186
  • 161
  • 3
  • 4
    Possible duplicate of [How can I reliably erase all information on a hard drive?](http://security.stackexchange.com/questions/5749/how-can-i-reliably-erase-all-information-on-a-hard-drive) – Polynomial Jan 09 '17 at 14:17
  • 1
    Was the sensitive data encrypted before being written to the drive? If not, someone who is particularly determined might be able to recover it, although they may have to use more invasive methods than running software on the drive. Is that likely? Probably not. – Matthew Jan 09 '17 at 14:23
  • 1
    there is no _software_ to recover your old data. SSDs are very difficult to forensically recover, compared to magnetic platters. over-writing both clobbers the data bits and re-shuffles the "table of contents". Theoretically, there could be recoverable data in marked-bad locations, but they will be orphaned chunks, likely of little value. see http://www.reclaime.com/library/recover-overwritten-data.aspx for more example software. – dandavis Jan 09 '17 at 14:30
  • 2
    Oh man - SSD's are easy to recover from.. you just need the right tools :D Hahahah. The problem is wiping the chips - Because of self managed wear levelling the same sector you think you are overwriting may be a completely different sector the next time you write to it.. leaving your old data unwipped in the old section of the chip. The only secure way to wipe HDD's - even SSD is to invoke the BIOS standard full format. The specification says that each HDD must have this function to fully erase all sectors, mapped or umnapped - From BIOS to comply with DOD standards.Not all bios's support this – Piotr Kula Jan 09 '17 at 14:59
  • 4
    Send it to a data recovery service and ask them to restore the data. Will cost ~700 €. When they found nothing you can sell the SSD: – Thomas Weller Jan 09 '17 at 14:59
  • What Thomas says is true. If somebody wants to steal your data they will go to great lengths to do it. By doing a OS full format will be enough to detour noobs from using EasyRecoveryPro software to get full stuff back. But if somebody really wants your data... they will spend hours and days investigation sector by sector trying to recompile data.. like data recovery specialists... If you so paranoid then shred the SSD instead. :D – Piotr Kula Jan 09 '17 at 15:01
  • 1
    Secure enough *for what*? This is a major part of the question that must sway the answer one way or another. Sensitive data that simply must not get out is one thing; regulated data (e.g. HIPAA or PCI DSS) will have their own peculiar requirements; and simply private data from an old personal computer is yet another issue. – Peteris Jan 09 '17 at 15:04
  • 2
    @ppumkin The standard you're referring to is called ATA Secure Erase, and it has nothing to do with the DoD specifically. It's not a BIOS feature; it's an ATA command supported by the hard disk controller, which causes it to destroy and change the master key used to encrypt all previously written data. – Polynomial Jan 09 '17 at 15:14
  • 1
    Yea sorry I made it sound like BIOS feature.. I meant it is (was) usually started from the BIOS (or MHDD if you know how to use it) - And yes. ATA Secure Erase.. that is what I was looking for. It is DoD complaint though.. that is what I meant. Been a long time since I talked about that. – Piotr Kula Jan 09 '17 at 15:15
  • 2
    @ppumkin Yeah, it's considered sufficiently secure by most data security standards. Just be careful not to refer to it *as* a DoD standard, because it isn't at all. – Polynomial Jan 09 '17 at 15:17
  • Hi everyone, thanks for your responses. I want to make sure my text files (tax returns, social security etc) and pictures are not recovered by anyone. What do you think about the programs made by the SSD manufacturers themselves to securely erase their own SSD's? Are these BIOS or ATA commands? – alexx0186 Jan 09 '17 at 16:31
  • Also, some data was not encrypted before they were written on the SSD in my case. I filled my 120GB ssd with irrelevant data (like a 10GB movie file 10 times over) until the disk had zero space available. Then I simply erase everything. I understand it only covers maybe 95% of the disk, but does that mean that every thing that was in this 95% is gone? – alexx0186 Jan 09 '17 at 16:34
  • 1
    @alexx0186 I suggest you use the Secure Erase utilities from your SSD vendor and not worry too much about other methods. Remanence varies depending on the individual SSD model and configuration, but there will be some data in wear-levelling sectors (also called overprovisioning sectors) left over if you try to just overwrite the accessible sectors. – Polynomial Jan 09 '17 at 16:52
  • like shampoo, some like to rinse and repeat overwrites. if you assume 10% "extra" might get missed (very generous imho), then repeating leaves 10% of 10% : 1%: feeling lucky? on a newish drive, there shouldn't be a lot of bad spots, and newer flash doesn't reserve as much. SLC chips will tend to reserve less than TLC since they are more reliable, and i thought 2.5% was common, but i don't _know_ ...(who does?) – dandavis Jan 09 '17 at 23:02

4 Answers4

2

Some drives conform to higher ATA standards than others. An ATA secure wipe (if available) will tell the controller to "release the charge in the NAND chips", effectively making it appear that there is no data on the drive. This can brick drives, as some overwrite firmware as well.

More importantly, a study done by the University of California San Diego showed that an ATA secure erase command may not sufficiently destroy data: http://nvsl.ucsd.edu/index.php?path=projects/sanitize

Some older consumer SSDs (and some newer ones) are SEDs, or Self Encrypting Drives. Each write to drive is first passed though the drive's controller which encrypts data before it is written. The advantages of these types of drives is that by changing the key used for encryption, one can have some level of confidence that the data is not recoverable. Data is unrecoverable by consumers.

As others have pointed out, with SSDs, there are other "reserve" blocks of memory which do not tend to be overwritten when preforming a disk wipe (especially generic disk wipes). This again should not be of significant worry for consumers as consumer level disk recovery software would be unable to recover from those special blocks.

dark_st3alth
  • 3,052
  • 8
  • 23
2

SSDs are rather odd when it comes to secure erasing them because their behavior is not deterministic. With their mapping table and spare space etc you can't ever really be sure that data is actually being overwritten, in fact it usually isn't. On the other hand as soon as a Trim command is processed by the drive the data should be completely unrecoverable by trying to read the drive normally. Once the drive no longer knows where the information is trying to read the blocks will only return 0's and can't return your data. It may still be on the drive in some piece of flash somewhere but once it is trimmed the drive won't read it again.

Assuming you aren't being targeted by some three letter state agency a simple trim of all the space on the drive is all that is needed to make all the data on the SSD unrecoverable from un-delete type programs.

Evan Steinbrenner
  • 393
  • 1
  • 7
0

This doesn't answer the question as asked, but I believe it addresses the spirit of the question.

The fact is that you really can't ever be totally sure. Even if a drive advertises itself to support ATA Secure Erase, even if it claims to wipe the master key as a Self-Encrypting Drive, you can't know for certain.

If you think the value of the contents of the drive is enough that someone would be willing to spend the time and money to recover its contents, the best options you have are: use OS-level full-disk encryption from the start, or destroy the drive when you're done using it.

Stephen Touset
  • 5,736
  • 1
  • 23
  • 38
-1

Try using a application called BCwipe, it does a military secure level wipe writing 1's and 0's over entire drive 7 times

kdmiller
  • 19
  • 4
    This is terrible advice for modern hard disks, particularly for SSDs. – Polynomial Jan 09 '17 at 14:54
  • please explain, especially when the military use it for that reason. NEW: Wipe Hard Drive Data & Securely Erase SSD with v.3 – kdmiller Jan 09 '17 at 14:57
  • 1
    SSDs have over-provision space to limit the effects of flash wear, which cannot be properly erased by direct writes to the disk. Any data wipe approach lessens the lifespan of SSDs, whereas there is a standard called ATA Secure Erase which properly erases the contents of an SSD by discarding the master key used for transparent full-disk encryption performed automatically by all modern SSDs. – Polynomial Jan 09 '17 at 15:02
  • 4
    Additionally, DoD specification wipe passes (as well as others such as Guttmann passes) are based upon old theorised attacks such as magnetic force microscopy (MFM) recovery, which have not been possible since magnetic hard disks grew beyond the tens of gigabytes in capacity, due to the effects of increased platter density. A single random pass is sufficient for wiping modern magnetic hard disks. The only reason that DoD data erasure specifications are still used in government work is for compliance with old standards which were written before more modern research was completed. – Polynomial Jan 09 '17 at 15:05
  • A Low Level Format (LLF) should suffice in clearing the maximum amount of sectors. LLF is different than OS Full Format as OS does sector by sector wipe while LLF sends an ATA command for the drive to start its own format. Triggered from BIOS and maybe software like HDDGURU LLF Format tool – Piotr Kula Jan 09 '17 at 15:05
  • @ppumkin LLFs are irrelevant these days too. Back in the earlier days of the PC/BIOS architecture the concept of a separate low-level format option was necessary in order to be able to wipe the boot sector and partition tables for the case of operating systems which did not implement a partition manager or direct (non-filesystem) disk access. These days modern OSes have the ability to manage disk structures, so LLF is no longer a feature. Again, the old LLF procedure does not safely erase SSDs, due to the flash over-provision space. HDDGURU's software (and naming) is just marketing hype here. – Polynomial Jan 09 '17 at 15:09
  • Pretty evident to me you know what you're talking about so I would take his advice – kdmiller Jan 09 '17 at 15:12
  • Yea that is what I suspected about the SSD LLF - Technically there is no 100% guarantee that you can wipe your SSD. You could just encrypt your entire drive as that is pretty fast now a days for on the fly encrypt/decrypt and supported on all major OS's - That way you don't even need to format.. as even trying to read sectors will all be gibberish and brute forcing just too time consuming (or too expensive) – Piotr Kula Jan 09 '17 at 15:13
  • @kdmiller If you'd prefer a more official approval of single-pass wipe on mechanical disks, [NIST 800-88](http://csrc.nist.gov/publications/nistpubs/800-88/NISTSP800-88_with-errata.pdf) approves single-pass wipes on magnetic storage media. – Polynomial Jan 09 '17 at 15:20
  • @ppumkin Everything on your SSD is encrypted anyway. The disk controller chooses a random key at manufacture time, then transparently encrypts all of your data at the sector level when it writes to the flash. When you invoke the Secure Erase command via ATA it simply flushes the key and picks a new one, then marks all sectors as free. All old data (including wear leveling sectors) is now unreadable despite not having overwritten any user data. – Polynomial Jan 09 '17 at 15:22
  • Ahh right.. I did not realise that is how it is done on the SSD now a days. But if SecureErase was not started the key will be the same.. potentially allowing for some data to be recovered by snooping the sectors or if you have to tools to read the entire chips. Sounds like OS's should offer SecureErase on their built in software to offer the highest level of privacy to the end user. Sadly - I have not seen this on any standard OS tools. – Piotr Kula Jan 09 '17 at 15:25
  • 2
    @ppumkin Tools are available from most SSD manufacturers to issue a Secure Erase command. Alternatively you can use hdparm on Linux to do it. Additionally, most modern operating systems support TRIM, which blanks sectors to zero on the fly when they are not in use by the filesystem, which is actually done for performance reasons but doubles up as a nice security benefit too. – Polynomial Jan 09 '17 at 15:51
  • 1
    This no longer answers the question after edits. – schroeder Jan 19 '17 at 07:36
  • I agree with schroeder. I did not recommend deletion in case the author still wants to add to the answer and make it suitable again. – J.A.K. Jan 19 '17 at 14:40