
SSDs may be the key to snappy performance on laptops and desktops, but they also create security risks due to their inability to be fully wiped with present technology. Better encrypt that data!  (Source: Gear Diary)
Revelation could prove a nightmare to careless businesses and individuals

Businesses and government offices are constantly replacing computers and buying new hardware.  Typically when this is done, data on the hard drives of the defunct machines is wiped, lest it fall into the wrong hands.

However, an intriguing study [press release] by researchers at the University of California San Diego (UCSD) reveals that businesses thinking they've wiped NAND thumb drives or NAND solid-state drives (SSDs) may be in for a surprise.

Every time you write to a hard drive -- be it magnetic disk or NAND -- you make semi-permanent changes that persist until you overwrite that block of memory.  When you delete files on your computer, you typically are merely deleting the indexes of the files.  The actual data persists on the drive until you overwrite it.

Over a dozen methods have been worked out to try to fully overwrite data on a magnetic hard drive and permanently erase any traces of the drive's original contents.  Researchers tried those methods on flash drives and discovered that, at best, they left 10 MB of every 100 MB file intact.

To study how successful the data destruction was, the researchers took apart an SSD.  Rather than check the Flash Translation Layer (FTL), which would merely show data as indexed by the drive, they actually sliced out the physical chips and queried them via their pins.  This allowed them to test the data status at the lowest level.

The findings might shock some, but came as little surprise to the researchers who expected magnetic drive techniques to work less than optimally for SSDs.  

Some of the techniques attempted, such as Gutmann's 35-pass method and Schneier's 7-pass method, erased as much as 90 percent of data successfully.  But other techniques, like using pseudorandom numbers to overwrite data on the chip or using a British HMG IS5 baseline, left virtually the entire file intact.

Researchers Laura Grupp and Michael Wei comment, "Our results show that naïvely applying techniques designed for sanitizing hard drives on SSDs, such as overwriting and using built-in secure erase commands is unreliable and sometimes results in all the data remaining intact. Furthermore, our results also show that sanitizing single files on an SSD is much more difficult than on a traditional hard drive."
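
Why an overwrite can look complete through the FTL while the chips still hold the data, as an added sketch that is not the researchers' code. The `ToyFTL` class, its lazy oldest-first garbage collection and the 100-page drive with 10 spare pages are all assumptions constructed for illustration, so the pass counts say nothing about any real drive.

```python
class ToyFTL:
    """Constructed page-mapped FTL; not any real drive's firmware."""

    def __init__(self, logical_pages, spare_pages):
        if spare_pages < 1:
            raise ValueError("model needs at least one spare page")
        self.logical_pages = logical_pages
        self.flash = [None] * (logical_pages + spare_pages)  # raw NAND pages
        self.mapping = {}                        # LBA -> physical page index
        self.free = list(range(len(self.flash)))
        self.stale = []                          # superseded, not yet erased

    def write(self, lba, data):
        if not 0 <= lba < self.logical_pages:
            raise IndexError("LBA outside the host-visible range")
        if not self.free:                        # lazy GC: erase only when forced
            victim = self.stale.pop(0)           # assumed policy: oldest first
            self.flash[victim] = None
            self.free.append(victim)
        phys = self.free.pop(0)                  # never rewrite a page in place
        if lba in self.mapping:                  # old copy is unmapped, NOT erased
            self.stale.append(self.mapping[lba])
        self.flash[phys] = data
        self.mapping[lba] = phys

    def read(self, lba):
        """Host view: all a software wipe or verify tool can ever see."""
        phys = self.mapping.get(lba)
        return None if phys is None else self.flash[phys]

    def raw_dump(self):
        """Chip-level view: every physical page, mapped or not."""
        return list(self.flash)

SECRET = [f"SECRET-{i}" for i in range(10)]      # constructed 10-page "file"

def new_drive_with_secret():
    ftl = ToyFTL(logical_pages=100, spare_pages=10)
    for lba, page in enumerate(SECRET):
        ftl.write(lba, page)
    return ftl

def survey(ftl):
    """Return (secret pages visible to host, secret pages left in raw flash)."""
    host = sum(ftl.read(lba) in SECRET for lba in range(ftl.logical_pages))
    raw = sum(page in SECRET for page in ftl.raw_dump())
    return host, raw

def wipe(passes, whole_drive):
    """Overwrite the file's LBAs only, or every host-visible LBA."""
    ftl = new_drive_with_secret()
    span = ftl.logical_pages if whole_drive else len(SECRET)
    for p in range(passes):
        for lba in range(span):
            ftl.write(lba, f"junk-{p}")
    return survey(ftl)

if __name__ == "__main__":
    for passes, whole in [(1, False), (7, False), (1, True), (2, True)]:
        host, raw = wipe(passes, whole)
        print(f"passes={passes} whole_drive={whole}: host sees {host}, raw holds {raw}")
```

In every run the host view reports zero secret pages, so a software verify pass cannot tell the outcomes apart. In this model the stale copies disappear only once the garbage collector is forced to reclaim them.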

Of course, if you encrypt all the data on the SSD to start, you make it harder to access.  The researchers note this and suggest that to completely prevent data loss, users then destroy their keys and use new technology to directly overwrite all of the drive's pages.

Chester Wisniewski, a senior security advisor for Sophos Canada, blogged on the study praising its accuracy.  He writes, "To properly secure data and take advantage of the performance benefits that SSDs offer, you should always encrypt the entire disk and do so as soon as the operating system is installed... [S]ecurely erasing SSDs after they have been used unencrypted is very difficult, and may be impossible in some cases."

These results are not only troubling for business and government users, but for home users as well.  You have plenty of things to worry about falling into the wrong hands -- personal emails from your family; credit card records; medical records; and other private info.  At present, you can't be 100 percent sure you can securely dispose of SSDs with this kind of information, but by using encryption you can reduce the likelihood of someone getting your information to almost zero.

According to a recent iSuppli report, only 2 percent of laptops currently carry SSDs.  However, iSuppli predicts that by 2014, that total will rise to 8 percent.


Blindingly Obvious
By Flunk on 2/22/2011 10:51:39 AM , Rating: 2
I don't know why anyone would be shocked by this. SSDs, like magnetic disks, persist data even after it being "deleted". For sensitive data, the only acceptable way to dispose of the drives is to physically destroy them. And with SSDs, that's easier to do than with hard drives.

RE: Blindingly Obvious
By Cr0nJ0b on 2/22/2011 11:51:01 AM , Rating: 2
Totally agree, when I read the tag line of the story, I was thinking that there might be some way to pull data from flash at the system level. If you need to break apart the chips and test the individual get 10% of the data...I would what? I'm sure that you could take the platters out of an HDD and do some low level, very low level electronic inspection and get data back...but that's only a real threat for gov't or very high security applications. I'm not really worried about this for common home use.

If you are really worried about this for home use...then encrypt the'll be safe for maybe 10-20 years depending on the encryption type...and I'm not sure how you would even unencrypt data fragments...but again...this is for the super paranoid...

RE: Blindingly Obvious
By jimhsu on 2/22/2011 2:04:54 PM , Rating: 3
Actually, after a proper overwrite, there should be NO recoverable information in any modern hard drive. The thing about using atomic force microscopy only applies to a subset of PRML drives, which were obsolete more than 10 years ago. For any hard drive made in the last decade or so, there is no known microscopy technology in existence that would allow usable data to be extracted after a proper overwrite, and below that you get into quantum effects that make such a microscope theoretically impossible anyways.

SSDs are different in that there IS actual recoverable information when "normal" wiping techniques are used. Hence, you either need encryption, or something like Secure Erase.


RE: Blindingly Obvious
By jimhsu on 2/22/2011 2:09:35 PM , Rating: 2
If that isn't good enough, liquefaction is actually the best alternative. Shredding could leave bits of data that could be theoretically recoverable (though the effort would be immense). Heating the disk above the Curie point (770C in iron) destroys all magnetization (the media essentially becomes paramagnetic, which eliminates all physically conceivable attempts to recover data). It's easy to verify success too ... just watch the thing melt.

RE: Blindingly Obvious
By cfaalm on 2/23/2011 4:17:37 AM , Rating: 4
just watch the thing melt.

I did that, but it put itself together afterwards, waved its finger and shook its head. It was scary.

RE: Blindingly Obvious
By Azsen on 2/22/2011 8:21:31 PM , Rating: 2
What I think is the problem is that the erasing programs overwrite a block of data then mark the overwritten data as writable again straight after. While the program is still running, the wear leveling algorithms in the SSD may force the program to write over that same block again instead of going through all the consecutive blocks.

You could probably fix it by modifying the program to fill up the drive with random data completely, then marking it all to be free space afterwards. Then do multiple passes with the same technique.

RE: Blindingly Obvious
By mindless1 on 2/23/2011 12:06:14 AM , Rating: 2
Thank you. Finally someone who "gets" it. Their methodology was flawed because they were trying to overwrite specific FILES instead of FILLING the SSD with random data - in the latter case it doesn't matter where the controller decides to put the data because once it starts to (does) run out of free space, all have been overwritten.

Ironically enough this topic is silly. You don't try to hunt and find individual files to multipass overwrite, you overwrite the entire HDD, so the distinction between HDD and SSD isn't really relevant except the technique that does the writing (query free space, create random data file that is that size).

RE: Blindingly Obvious
By mathew7 on 2/23/2011 9:42:30 AM , Rating: 2
I really don't think that they were overwriting only the files (although I have not read the links). I think they used current procedures to securely erase, but I wonder how many passes they made. If they only made one (1 write/LBA), then 10% of the data seems to be roughly the spare blocks.
Also, the ATA secure-erase command, if implemented by the drive, could be just erasing the LBA-to-flash block translation. So the data itself could still be there if you bypass the controller (what they actually did).

RE: Blindingly Obvious
By mathew7 on 2/23/2011 9:54:35 AM , Rating: 2
I have just read the press release, and indeed they also talk about "sanitizing single files". So the recovery of 900MB of 1000MB file is not surprising.

I was thinking that maybe large corporations/governments have some "push-button-erase" devices, which would work on the whole drive. But it seems the graph is related to single files.

PS: Even on multiple overwriting of whole drive, the wear algorithm may still skip over heavily-written blocks.

RE: Blindingly Obvious
By bim27142 on 2/22/2011 11:58:11 AM , Rating: 2
exactly! just physically destroy it (as in like total destruction = incinerate, "powderize" it, melt it, whatever you can think of)... :)

By quiksilvr on 2/22/11, Rating: 0
RE: But....
By XZerg on 2/22/2011 10:58:15 AM , Rating: 5
Just because you delete a file does not mean they are wiped from the drive for either. They are just removed from the file allocation table (just entry where to look for the file is deleted and so the OS no longer knows the file exists). The data is still intact and remains so until it is overwritten.

RE: But....
By gamerk2 on 2/22/2011 11:03:52 AM , Rating: 2
Correct. When you delete a file, you are only deleting the index to that file. The location where the data is stored is not changed in any way until something else overwrites it.

RE: But....
By fake01 on 2/22/2011 11:38:37 AM , Rating: 2
Don't SSD manufacturers have their own wipe programs that actually wipe the SSD's unlike normal wipe programs?

But speaking of deleting and recovering, I remember when my 250GB HDD died. I used Photorec to recover all the data from it and over 350GB of data was recovered. Yet it was only a 250GB HDD. I'm still trying to work out how that was even possible.

It even recovered data that was present after several formats and new OS installations, although most was corrupt or incomplete.

RE: But....
By mooty on 2/22/2011 11:45:59 AM , Rating: 2
Because the software was trying to follow every possible chain it found on the disk, even if the blocks in the chain were long since overwritten. There wasn't actually 350GB data on the 250GB HDD, just the software read parts of the data multiple times.

RE: But....
By melgross on 2/22/2011 12:28:04 PM , Rating: 2
In addition, a large amount of data is compressed. It's possible that upon recovery, that data was decompressed. If you look into the OS itself, for example, you'll find classes that are zipped. They're kept that way until needed, then unzipped, and then zipped again so that you aren't aware it's being done.

RE: But....
By GuinnessKMF on 2/22/2011 11:32:45 AM , Rating: 2
Software you use != pulling the individual silicon and addressing it directly. It doesn't just disappear because it's flash, these guys are talking about high level data recovery used in corporate espionage, hell I think one of the security papers reported on this site had to do with being able to recover passwords from a stolen laptop by freezing the ram so that it could be unplugged and analyzed without the memory state being changed.

These aren't standard data recovery methods.

RE: But....
By AnnihilatorX on 2/22/2011 11:58:18 AM , Rating: 4
Try this experiment yourself

Delete a file from your USB stick.
Do not do any other file writes on the USB disk.
Use software like FreeUndelete and search for deleted files, I can guarantee you that it can be recovered

You can recover it because when you delete stuff, only the index to where the file is located on disk is deleted, the actual data is not overwritten and hence still there. Programs like FreeUndelete search for all empty spaces to find valid files.

RE: But....
By ShaolinSoccer on 2/22/2011 11:24:09 PM , Rating: 2
FreeUndelete doesn't seem to work too good. Not even for something I deleted then immediately ran the program. There are tons of stuff it should've found but never did. I have 30GB of space left over on the drive it scanned and I know I deleted about 2GB's of stuff yesterday that it never found. And I haven't installed or downloaded 2GB's of data since yesterday.

By RU482 on 2/22/2011 12:13:34 PM , Rating: 2
So if I use a utility like DBAN, that does multiple writes of 0's and/or 1's over the entire drive, is the old data still able to be recovered?


By melgross on 2/22/2011 12:32:54 PM , Rating: 2
That's exactly what the article is saying. Secure erase methods aren't working well. It isn't only a problem when deleting a file. They're saying that when using the methods of erasing and writing zero's dozens of times, it doesn't work reliably, and that some secure erase methods don't work at all.

Apparently, these methods aren't actually writing those zeroes people think they're writing. That's why it's so confusing.

By XZerg on 2/22/2011 2:35:07 PM , Rating: 2
The problem with writing 1's and 0's is how the SSD's controllers handle writing and erasing data. To actually make sure that you have overwritten all your data to a point of no recovery is to actually fill the drive to the full capacity with 1's and 0's, without any deletes. Format and repeat.

By Azsen on 2/22/2011 8:24:24 PM , Rating: 2
That was my conclusion as well (posted above).

By vol7ron on 2/23/2011 12:51:11 PM , Rating: 2
I don't see why 0's need to be used at all.
Why not fully fill each node with 1's; erase, completely fill again, erase again.

Low Level Format.
By greylica on 2/22/2011 12:47:08 PM , Rating: 2
There is no LLF in SSDs (In older disks, 2 of those will wipe everything), they are a completely different beast. Let me explain: SSDs have wear leveling in firmware, which will always avoid data rewrites to save the life of the blocks, and now, with 34 NM, we have also data deduplication with checksum blocks. Both techniques are made to preserve the lifespan of those devices.
You send a command, for example, 35 rewrites over a file with random data. Your SSD controller will find that most of the chunks are already there, so there is no need to rewrite them, and then, your ''random data'' will be written by the base of the most notable differences of those blocks, then 90% of your data can be intact after all. And there is a third factor, once you write a cell, even when you erase that cell, you will have to use more voltages and different voltage reads will turn back to you the history of your cell.
Your controller will never tell you that, but your chips will always tell...

And what about Zero Fill ?

RE: Low Level Format.
By greylica on 2/22/2011 12:53:33 PM , Rating: 2
Zero fill will load your SSD with checksums...
Hahah !

RE: Low Level Format.
By mindless1 on 2/23/2011 12:10:19 AM , Rating: 2
What about zero fill? It's what you are calling a LLF (low level formatting). Modern HDDs cannot be low level formatted except once, new at the factory. If you have a utility that claims otherwise it is simply doing a zero fill and calling it by the wrong name.

RE: Low Level Format.
By greylica on 2/23/2011 6:54:27 AM , Rating: 2
No, there is a hard difference between LLF and Zero Fill.
LLF is used to reallocate cylinders/sectors in a physical disk, whereas zero fill will write your hdd with zeroes.
LLF can be used still today, and not only SCSI HDDs can use it, but some lucky guys that have some perc/cerc Sata raid cards with LLF in firmware also can wipe out and reallocate sata HDDs.
The difference is when you do a LLF, your HDD hardware will scan your hard drive, reallocate bad sectors and will put hardware marks in blocks that cannot be used. It was often times used in the past because of physical expansion of the older disks. The physical expansion could then change the azimuth or alignment with the sectors of the hard disks, more often happening with step motors. In Sata and SCSI HDDs, you can do the same thing (Reallocation), but for other reasons, and the most important of them is to resolve bad block problems or to fully verify your disk health. Reallocated blocks will no longer be accessible even when you format your HDD, because the hardware marks will blind your formatting software from viewing those, changing the LBAs or CHS in a manner that you will no longer be able to reach them.
When you use LLF format, a bad block will be marked by hardware and you will lose that space. A Zero fill will still find those bad blocks, and will tell you that your HDD remains with the same size as before.
Also, there is a limit to mark bad blocks with LLF, to a point where some blocks cannot be reallocated due to firmware or spare space restrictions, in this case, even with LLF, you will see bad blocks when formatting your HDDs or zero filling.

More effective erasing method.
By Kary on 2/22/2011 1:39:12 PM , Rating: 3
I typically just hit old drives from old work computers with a sledge hammer and call them "erased".

Haven't really tested it, but I think it is good enough for my purposes and should translate well to SSD's...probably even better on SSD's since I strive for breaking chips.

RE: More effective erasing method.
By ralith on 2/22/2011 2:00:10 PM , Rating: 4
Using them for target practice is pretty effective too.

RE: More effective erasing method.
By chaos386 on 2/22/2011 3:27:03 PM , Rating: 1
Not if the reason for wiping the drive is because you're selling the computer it's a part of. Sure, you could just swap out the drive with a new one, but that's a lot of money to lose with the sale, especially if you've got an expensive SSD in there.

By Arctucas on 2/22/2011 7:53:12 PM , Rating: 2
Would data from an individual disk that was used as part of a striped raid array be usable even if recovered?

By mindless1 on 2/23/2011 12:15:45 AM , Rating: 2
To some extent, yes. For example, if you have two HDD in an array with a 32K stripe size and have your email on it, within each 32K block of contiguous data (stripe) on each drive you could have multiple entire plain text emails, or enough blocks from a typical JPEG image sized for monitor viewing to figure out what it was.

Whether that data is really "usable" depends quite a lot on what the use is.

To see for yourself, you can mount a HDD and view it with a sector editor. Most of it won't make sense but you will probably come across some embedded text.

By Arctucas on 2/23/2011 9:11:25 AM , Rating: 2
Then what would you say is the possibility of usable data recovery from an individual disk that was part of a six disk RAID 0 array with 4k block size, and has been encrypted and then filled with arbitrary data??

By mindless1 on 2/26/2011 10:51:15 AM , Rating: 2
The same as if it wasn't in a RAID array... zero since it is filled with arbitrary data.

File system used.
By drycrust3 on 2/22/2011 3:09:22 PM , Rating: 2
But other techniques, like using pseudorandom numbers to overwrite data on the chip or using a British HMG IS5 baseline, left virtually the entire file intact.

One option that doesn't seem to be mentioned is to change the actual file system used.
I'm making a big assumption here, but don't most flash drives use FAT32? Since it is easy enough to change the format to something else, e.g. EXT3, EXT4, XFS, ReiserFS, etc, then wouldn't the actual entire drive have to be re-written, and the actual meaning of a 0 or 1 change? If that is correct, then if a file on the drive was erased it would remain until written over, but if the file system used was changed from FAT32 to EXT4, for example, the entire drive would have to be written to the new format, thus the data would be over written.

RE: File system used.
By DanNeely on 2/22/2011 3:39:32 PM , Rating: 2
Nope. You'd write a new set of indexes of some sort to store the file system, but that wouldn't force writing to every cell in the flash chips.

Even if the format tool included a zeroing it's not guaranteed to get everything because the sectors of the drive as seen by the OS are not the same as those on the flash chips. As a result you could end up writing zeros to some locations repeatedly and never write to others even once.

I registered to post this
By flyingpants1 on 2/23/2011 1:48:16 PM , Rating: 2
Many people here are confused. Let's get something straight: Overwritten data cannot be recovered. Period. Not on a conventional hard drive, not on an SSD. If you overwrite a spinning hard drive with zeroes, you're not getting any of that data back. No, not even with an electron microscope.

The only reason multiple passes are even advocated is if something (like a hardware failure) prevents the hard drive from rewriting the data properly the first time (and fails to mention this to the user). Then you might have a trace of sensitive data left behind.

It shouldn't be a surprise that the exact same thing applies to SSDs. If the data has moved to another part of the disk due to wear-levelling or whatever, it hasn't been overwritten, it has been copied, and THEN overwritten. And if the data is outside of user-space, then, well..

It seems a new "secure erase" procedure is needed for SSDs. A firmware update would probably do the trick.

RE: I registered to post this
By Qapa on 2/23/2011 2:41:34 PM , Rating: 2
Not really true!

What you get in the computer are 0s or 1s. But in reality these are (don't know how to really call them) "power values" which are not really discrete, they are analogical and have a range.

So, let's say: -40 to -10 is 0, then 10 to 40 is 1, and then there is the "line between 1 and 0" which is really from -10 to 10. This means -10 to 10 you cannot understand if it is a 0 or a 1.

Also a write from a formatted drive to 1 could give you, say, 30, and for 0 would give you -30. (usually).

But from formatted to 1 and then a write to 0 would give you -20. So it is not so impossible that you can figure out what really happened... just not easy...

Even if I didn't explain myself correctly (which I probably didn't), remember, the world we really live in is ANALOGICAL! Digital is just what the interpreters of the computers give us as a result.

Um... Secure Erase anyone?
By jimhsu on 2/22/2011 10:37:09 AM , Rating: 2
I don't know how the authors expect individual file erasing to be effective, when SSDs are DESIGNED to distribute writes across all NAND in the drive. Secure erase is the only way to go (not even zero-filling, which can leave traces of data in headers).

Easy Fix
By Red Storm on 2/22/11, Rating: 0
RE: Easy Fix
By XZerg on 2/22/2011 2:37:04 PM , Rating: 2
Not entirely - the edited file will be written elsewhere on the drive, leaving the old file still in a recoverable state.

I know that...
By kleinma on 2/22/2011 2:26:18 PM , Rating: 2
I know that Intel's SSD toolbox has an option to totally wipe a drive. I would assume this feature is different than just a simple format, and actually does erase the data. Haven't tried it out yet, as the SSDs I currently have are in use and I have no need to erase them until I upgrade later on.
