Can wiped SSD data be recovered?
I was reading another post on destroying IDE drives, and how you could remove data, wipe it, or just destroy the drive. The removed data would still be there in some state, although not easily reachable without software. Wiped data is just removed data, but it has been overwritten and is essentially gone. A destroyed disk, if done well enough, will remove everything, or make it nearly impossible to recover anything. (These are from my understandings)
What about a solid state drive? Can the data on one of these be recovered once deleted? It seems that this would be the way to go if you constantly dealt with and removed sensitive data, but they only have so long of a life span (As I understand, again =p). So can data from a SSD be recovered in any way once it is removed, even if it has not been overwritten?
The short answer is, yes. But the more question is: what's the objective...to retrieve or destroy data? The only fully secure way to destroy data on the flash SSD is device destruction, which depends on form factor. for small USB flash devices, pulverization is more secure because most shredders have some small spaces between their crushing metal cylinders. Pulverization converts flash USBs to a fine dust.
Yes off course the deleted data can be recovered easily but it is not possible to recover the data once overwritten. Even I have came across the problem where I have accidentally deleted partition from my SSD drive that contained important files folders, photos, videos etc. I used Yodot Hard Drive Recovery for SSD partition recovery. This softwares features are really good. Just try it out. It might help you as well.
In some ways yes: Data is not always overwritten, In other ways no: Due to garbage collection on modern SSDs the longer a drive is in use the harder it will be to locate and read the data.
I know this thread is a bit old but I was looking for information on this topic and thought it might be worth mentioning the following: Although one can recover data from SSDs using third party tools it seems that one use case was omitted here.. From my understanding, deleted DATA on internal SSDs with "TRIM" enabled cannot be recovered (see this article)..
Related (and of special interest to @JayC), the following thread provides interesting explanation how the underlying NAND chip handles cells marked as unused and may actually reset them: Does the ATA Trim command irrecoverably delete data on an SSD?
Yes. If you do a normal format, the old data can be recovered. A normal format only deletes/overwrites a tiny bit of filesystem metadata, but does not overwrite all of the data itself. The data is still there. This is especially true on SSDs, due to wear levelling and other features of SSDs.
The following research paper studies erasure of data on SSDs:
- Michael Wei, Laura M. Grupp, Frederick E. Spada, and Steven Swanson. Reliably Erasing Data From Flash-Based Solid State Drives. USENIX Conference on File and Storage Technologies, 2011.
One takeaway lesson is that securely erasing data on a SSD is a bit tricky. One reason is that overwriting data on a SSD doesn't work the way you'd think it does, due to wear-leveling and other features. When you ask the SSD to "overwrite" an existing sector, it doesn't actually overwrite or delete the existing data immediately. Instead, it writes the new data somewhere else and just change a pointer to point to the new version (leaving the old version laying around). The old version may eventually get erased, or it may not. As a result, even data you think you have erased, may still be present and accessible on the SSD.
Also, SSDs are a bit tricky to sanitize (erase completely), because the methods that used to work for magnetic HDDs don't necessarily work reliably on SSDs (due to the aforementioned wear levelling and other issues). Consequently, utilities that are advertised as providing "secure drive erase" functionality may not be fully secure, if applied to a SSD. For instance, the FAST paper found that, in most cases, performing a full overwrite of all of the data on the SSD twice was enough to sanitize the disk drive, but there were a few exceptional cases where some of the data still remained present. There may be other reasons not to want to perform repeated overwrites of the full drive: it is very slow, and it may reduce the subsequent lifetime of the drive.
The FAST paper also found that degaussing (a standard method used for sanitizing magnetic hard drives) is not effective at all at sanitizing SSDs.
Moreover, the FAST paper found that standard utilities for sanitizing individual files were highly unreliable on SSDs: often a large fraction of the data remained present somewhere on the drive. Therefore, you should assume there is no reliable way to securely erase individual files on a SSD; you need to sanitize the whole drive, as an entire unit.
The most reliable way to securely erase an entire SSD is to use the ATA Secure Erase command. However, this is not foolproof. The FAST paper found that most SSDs implement this correctly, but not all. In particular, 8 of the 12 SSDs they studied supported ATA Secure Erase, and 4 did not. Of the 8 that did support it, 3 had a buggy implementation. 1 buggy implementation was really bad: it reported success, but actually left the data laying around. This is atrociously bad, because there is no way that software could detect the failure to erase. 2 buggy implementations failed and left old data laying around (under certain conditions), but at least they reported failure, so if the software that sends the ATA Secure Erase command checks the result code, at least the failure could be detected.
The other possible approach is to use full disk encryption: make sure the entire filesystem on the drive is encrypted from the start (e.g., Bitlocker, Truecrypt). When you want to sanitize the drive, forget all the crypto keys and securely erase them, and then erase the drive as best as possible. This may be a workable solution, though personally I would probably want to combine it with ATA Secure Erase, too, for best security.
See also the following questions on this site:
I have done a "secure erase" by writing random data sequentially to the whole drive, twice. If the drive recycles its spare block pool to minimize wear, this MAY work by having written every physical block at least once. But I really have no idea if every block really would get used in one pass or the other. Maybe three passes?
Hi @Skaperen: SSD drives are very complex. I doubt anyone will be able to answer your question authoritatively, from first principles. Instead, I think the only way to know is to conduct experiments and look at the resulting data. For some data on how well overwriting twice works, see my answer above, the part starting with "The FAST paper found that, in most cases, performing a full overwrite of all of the data on the SSD twice was...". For data on another way to erase a SSD, see the paragraph beginning "The most reliable way to securely erase an entire SSD is...". That's all I know.
Degaussing hasn't worked for silicon platter drives since the 90's, FYI. They're just too dense and not magnetic enough anymore. A hammer always works, though.
You only need to overwrite the whole drive with random data once, as no thresholds exist for flash chips. The original data will be gone.
I didn't see any mention of the TRIM command. SSD's can't write to a previously written location without first erasing it. Which also means that an SSD's wear leveling algorithm will write new data to a smaller and smaller area of the flash memory, wearing the drive out faster, unless some background process regularly runs TRIM to erase released flash memory, or the memory is erased immediately before a write. The latter has serious performance implications.
@Craig: Of course, if you're trying to erase the whole drive anyway, TRIMming the whole thing between passes would likely go a long way.
so if I *switch* to full-disk encryption, am I wiping my SSD? https://security.stackexchange.com/questions/176572
I'd like to refer to this video. It explains how data can be recovered from HDDs using thresholds. Which includes that the given signal-level returned from a HDD ain't only based on the current content, but also on what was previously there. By changing the 'accuracy' of the signal-detection you can find what was previously there. However this is of course just theory, in practice this is almost never done. View other post.
It also explains why erasing data on flash-drives/SSDs ain't that secure as you might think. Because when you delete data on a SSD, the micro-controller in that SSD doesn't delete/overwrite those blocks containing that data instantly, but put them on a 'delete in future'-list.
Also, to lengthen the lifetime of SSDs, they make use of wear leveling. Which means that when overwriting a specific block, the micro-controller remaps the blocks, and make a new block which points to the old unmarked one. Note that writing to all free space will defeat wear-leveling because then the micro-controller doesn't have blocks left to remap.
However, note that if you want to make sure data is not recoverable. Encrypting the drive and dropping the key (deleting from drive/not storing anywhere) will also be an extra level of security. Unless they're able to crack your key of course.
Encrypted data cannot be decrypted unless you use the hash key or password, but it is an offence to withhold the key when ordered to reveal it by a court.
Also, securely shredding may get rid of the content, but links, search terms and temp files can remain elsewhere, which can point to illegal actions that can get you charged by the Police if they have reason to search your life or activity. At the least you might lose all of your digital hardware while they carry out forensic tests, and you might forfeit it permanently if the courts find you guilty of anything.
If the information is really that sensitive, or if you are paranoid, you should physically destroy all of the drives in the machine and fit new ones. And be aware of cloud backups, and IP providers who log search terms...
This is not a direct answer to your question, but if you are concerned about data recovery then encrypting the data from the beginning might be a solution.
Of course the devil is in the details: you must either use software full-disk encryption or relying on the SSD's encryption capabilities. And while the former comes with a performance cost, the latter be a liability for some of the reasons explained in other posts such as buggy implementation, etc.
Also, if your concern is to protect data at rest from a motivated attacker over a long period of time (e.g. 10, 20 years) then encryption might not be the best solution for you: attacks against software encryption might make it uneffective, and the chances of an implementation bug in an SSD firmware aren't zero.
Its possible to recover data from SSD bare chips by fluctuating the power voltage very quickly while the array is being scanned- sometimes this works. I've also had some success reading totally dead-but-draw-voltage microSD cards by using a proprietry method involving low energy X-rays and modified readers, got about a 25-30% success rate this way. My working hypothesis is that this activates the broken wear leveling and allows some data to be read from nearly dead chips, also nudging molecules around sometimes temporarily works because the bond wires are gold and heat up a bit under the X-ray fluence. Sometimes extreme cold also works for the same reason, if done carefully (ie less than 5c/minute)
Are you sure this works for _erased_ data, not just for SSDs or microSDs that have broken and are not returning reads under normal conditions? It seems extremely unlikely that any of these would work for a _wiped_ flash device.
I did test it on a non working (bricked but otherwise electrically OK) AData card. Also had some success reading back wiped-with-Winhex uSD cards with some fragments surviving only one zerofill cycle. I did also find out that the X-ray technique may have worked because it writes noise into the array randomly allowing marginal bits to read back their original data if they have only ever been set to a complement (1 or 0) once. Each time you overwrite it does alter the molecular structure slightly with modern flash chips. so the error correction takes this into account.
If there is a legitimate reason to wipe data and the wiping of the data is legitimate Totally format your drive, or do an OS restore that will compact all essential data in a less fragmented space so that maximum empty space is available again, run a drive wipe program such as ccleaner and then format or restore the os again, then rewrite long high quality superfine videos that use up maximum pixels onto it until it is completely full, remove the drive, then delete some and overwrite again. If using a phone, run an OS restore, use a drive wiper such as ccleaner, then set video recording to highest pixels and superfine and walk about recording random stuff that can't just be removed from the reconstruct equation like a movie until the storage is full, don't delete it all immediately but make what space you need for data copy. If possible, move some of the new random videos to external sd and record new random videos.
Bear in mind that many data wipe software use small blocks such as 1gb to overwrite and may leave spaces, especially if you are using your device in the process, the device's high quality random video recording should be capable of writing the whole empty storage space in one single file and there is usually no known "x" factor to remove from the process when attempting a restore.