4

I use a Kingston V300 SSD (specifically SV300S37A)

According to this answer

The 'best' modern drives support a vendor-specific secure erase functionality. Examples of this are Intel's new 320 series, and some Sandforce 22xx based drives

My SSD supposedly has SandForce's SF-2281 controller chip and SandForce's 5.0.5 firmware

My question now becomes: how do I make sure the free space does not contain recoverable information from deleted files?

Ideally, I want to CClean the %=!T out of my SSD, but I'll restrain myself. EDIT: to clarify, my (Windows 7) OS is on the disk so I have no interest in wiping it all.

Manumit

3 Answers

4

If you just want to entirely wipe the disk and start over, ATA Secure Erase is what you want. It's a single command supported by almost all modern SSDs which changes the onboard crypto key (SSDs encrypt all data transparently at the physical level) to make all data on the disk unreadable. The reason for this mechanism existing is that wiping data from SSDs reduces their lifespan, so simply encrypting everything and discarding the old key when you want to start over is much more efficient.

If you're just looking to delete slack space, you don't need to bother. If your OS supports TRIM (Windows 7 and later, iirc) then it is already automatically wiping your slack space for you. TRIM causes unused blocks to be fully zeroed in a single step, which means it doesn't cause as much disk wear and makes the disk perform better - SSD bits can only be set individually, but they must be cleared as an entire block, so having a blank slate to work with on unused blocks is faster.

The only downside of TRIM from a security perspective is that it can leak which blocks of data are being used on an encrypted volume, which may be exploited in order to prove the existence of a "hidden volume" configuration if an attacker can take multiple full snapshots over time. If you're not using hidden volumes on the disk, or your threat model doesn't include repeated low-level access by your adversary, then it shouldn't make a difference at all.

Polynomial
  • +1 if I had had the rep. If I understand you correctly (yes I have TRIM): deleting a file on an SSD renders it unrecoverable unless we're talking about high priority evidence that is sent to manufacturer for low level analysis? – Manumit May 18 '15 at 01:03
  • @Sina As long as TRIM runs on the sector, you're fine. A potential failure case is if you get a power outage immediately after deleting something, before TRIM gets round to clearing the affected sectors. Some drive firmwares have also been known to implement a faulty TRIM algorithm, but these are mostly documented and fixed. Check for firmware updates from your manufacturer. – Polynomial May 18 '15 at 08:00
  • TRIM makes it impossible to read the contents of wiped sectors from your OS (they will typically be zeroed-out), but the data isn't actually gone. With access to the physical chips, or the ability to put the drive in factory access mode, data can be recovered. See https://blog.elcomsoft.com/2019/01/life-after-trim-using-factory-access-mode-for-imaging-ssd-drives/ – craig65535 Feb 01 '21 at 22:59
2

To have a high confidence that deleted data is not recoverable you will want to use disk or file encryption that employs anti-forensic techniques like TKS1.

Many disk encryption systems employ anti-forensic measures. LUKS uses TKS1.

The basic idea is that you have some probability p of destroying a block through the disk's deletion mechanism. This also means that a block has a 1 - p chance of surviving. To reduce the chance of recovery, the key can be split up. Each piece is written into a separate block. To recover the key all of the parts must be used. If a single block can be successfully destroyed then the entire key is unrecoverable.

For example: assume the disk has a 99% chance of destroying a block when asked (a 1% chance it can be recovered). If the key is spread over 20 blocks there is a 99.95% chance the key is destroyed (a 0.05% chance of recovery).

shamer
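The key-splitting idea described in the answer above, as an added example that is not part of the original post and not LUKS's own code: the key is spread over several stripes chained through a hash, so merging needs every stripe intact. The function names are hypothetical, and the SHA-256 diffusion used here is a simplification that is not compatible with the LUKS on-disk format.

```python
import hashlib
import secrets


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _diffuse(block):
    """Hash each 32-byte chunk so a change in any bit alters the whole chunk."""
    out = b""
    for offset in range(0, len(block), 32):
        chunk = block[offset:offset + 32]
        digest = hashlib.sha256(offset.to_bytes(4, "big") + chunk).digest()
        out += digest[:len(chunk)]
    return out


def af_split(key, stripes):
    """Spread `key` over `stripes` blocks; every block is needed to merge."""
    acc = bytes(len(key))
    parts = []
    for _ in range(stripes - 1):
        stripe = secrets.token_bytes(len(key))   # random filler stripe
        parts.append(stripe)
        acc = _diffuse(_xor(acc, stripe))        # chain stripes through the hash
    parts.append(_xor(acc, key))                 # last stripe masks the key
    return parts


def af_merge(parts):
    """Recompute the chain over all stripes and unmask the key."""
    acc = bytes(len(parts[0]))
    for stripe in parts[:-1]:
        acc = _diffuse(_xor(acc, stripe))
    return _xor(acc, parts[-1])


def demo(stripes=20):
    """Return (intact_ok, lost_after_one_erase) for a constructed random key."""
    key = secrets.token_bytes(32)                # constructed sample key
    parts = af_split(key, stripes)
    intact_ok = af_merge(parts) == key
    damaged = list(parts)
    damaged[7] = bytes(32)                       # one stripe zeroed by the drive
    lost = af_merge(damaged) != key
    return intact_ok, lost


if __name__ == "__main__":
    print(demo())
```
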
0

If you want to check by your own means if the secure erase has been successful, then you can always try to use some file restoration tools or, certainly better, directly edit the disk and manually check it.

However, there is still some trust remaining toward the disk manufacturer. Without mentioning backdoors, and sadly there are some, there are also simply bogus or inefficient implementations which may not delete the data as securely as expected.

If this uncertainty is not acceptable for you, there is still another possibility on which you can safely rely. No need to trust any hardware or software provider, a method used by major governmental and military organizations to discard disks containing sensitive data, and even more it is free if you do it yourself: shredding the disk. I mean physically shredding it. For microchip based memory like SSDs it seems the most suitable would be an electrical drill drilling a hole in each chip, possibly accompanied by a sander applied on the circuitry to finish the job. This would indeed provide a good guarantee that no data will ever be recoverable.

However, if you would like to keep your disk intact, then you will have to cope with some uncertainty regarding the possible data restoration. Nevertheless, I think that a conventional disk wipe (i.e. fill several successive times the disk with the total amount of data it can store) followed by a secure erase should be sufficient for most personal use-cases.

WhiteWinterWolf
  • Because of the way SSDs work a file wipe will likely do preciously little. I certainly don't see much benefit to do it multiple times for an SSD - running the SECURE ERASE would make (slightly) more sense. – Maarten Bodewes May 17 '15 at 23:46
  • It's worth expanding on "preciously little". It's true that you can't wipe the whole disk, only what is currently mapped by the firmware (typically 85%-95% of the SSD's true capacity). Physical access to the chips, or putting the drive in factory mode could theoretically recover the rest. – craig65535 Feb 01 '21 at 22:56