Data Recovery & Solid State

Posted by CmdrTaco on Mon Jan 28, 2008 12:28 PM
from the oops-sorry-you're-screwed dept.
theoverlay writes "With all of the recent hype about solid-state drives in both consumer applications and enterprise environments I have a real concern about data recovery on these devices. I know there are services for flash memory restoration but has anyone been involved in data restoration projects on ssd drives? What are the limits and circumstances that have surfaced so far? What tools will law enforcement and government use to retrieve data for investigations and the like?"
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • by Anonymous Coward on Monday January 28 2008, @12:33PM (#22209684)
    What tools will law enforcement and government use to retrieve data for investigations and the like?"

    Waterboarding, tasers, sleep deprivation, bright lights and loud obnoxious music.
  • Honk! Honk! (Score:3, Funny)

    by tripwirecc (1045528) on Monday January 28 2008, @12:35PM (#22209702)
    I'd figure the same as with regular harddisks apply. One pass and gone the data is.
    • Re:Honk! Honk! (Score:4, Informative)

      by Vicarius (1093097) on Monday January 28 2008, @12:39PM (#22209764)
      Actually with regular/magnetic drives data is not gone forever with one pass. You can still use specialized readers that will detect change in magnetic field and be able to tell whether the analyzed bit was 0 or 1 before it was overwritten.
      • Re:Honk! Honk! (Score:5, Informative)

        by tripwirecc (1045528) on Monday January 28 2008, @12:48PM (#22209886)
        That may have worked with old drives, forensics experts tell me these MFM/RLL things, but with modern drives and the used recording tech, it's practically impossible. But hey, keep pandering to these myths.
        • by Hal_Porter (817932) on Monday January 28 2008, @01:08PM (#22210156)
          How do we know you're not an NSA mole, paid to persuade us that one pass is enough? Or maybe your experts are NSA moles and they've tricked you.
        • Re: (Score:3, Interesting)

          You are wrong [usenix.org], in fact the small feature size of modern HDD's actually makes it easier in some cases as the smaller magnetic domains are harder to flip so even small changes in alignment will mean that recoverable data will be left behind.
          • Re:Honk! Honk! (Score:4, Insightful)

            by Anonymous Coward on Monday January 28 2008, @01:34PM (#22210516)
            You're citing a 1996 paper when discussing modern HDDs?
            • Re: (Score:3, Insightful)

              Why not, GMR technology was already on its way out of the lab by 1996, the only HDD tech more advanced than that is vertical recording which is still new and only used in a handful of drives.
          • Re:Honk! Honk! (Score:5, Informative)

            by Jah-Wren Ryel (80510) on Monday January 28 2008, @01:53PM (#22210800)

            You are wrong, in fact the small feature size of modern HDD's actually makes it easier in some cases as the smaller magnetic domains are harder to flip so even small changes in alignment will mean that recoverable data will be left behind.
            You are wrong. [auckland.ac.nz] You should have cited the author's follow-up to the original paper, like I just did.

            Here's the relevant part of new epilogue:

            Looking at this from the other point of view, with the ever-increasing data density on disk platters and a corresponding reduction in feature size and use of exotic techniques to record data on the medium, it's unlikely that anything can be recovered from any recent drive except perhaps a single level via basic error-cancelling techniques. In particular the drives in use at the time that this paper was originally written have mostly fallen out of use, so the methods that applied specifically to the older, lower-density technology don't apply any more.
            In fact, the same man has written a paper that somewhat addresses the original question regarding forensic recovery of erased data in solid-state memory for usenix 2001. [cypherpunks.to]
          • Given the _same_ coercivity of a magnetic domain, given temperature, and a given external field, I would think smaller domains should be _easier_ to flip, on average, than large domains. The nearest- and next-nearest-neighbor influences would be much larger for small domains than large ones. After all, given the scaling laws of diffusion-driven "averaging" processes, fluctuations spaced closer together always converge to an average much faster than those spaced further apart.

            I _guess_
            • Re:Honk! Honk! (Score:4, Interesting)

              by Firethorn (177587) on Monday January 28 2008, @01:54PM (#22210816) Homepage Journal
              I figure the requirements for a 21 pass overwrite scheme is still a requirement for sanitizing government drives for a reason.

              Is it overkill? Certainly. But apparently 3 passes isn't considered enough.

              Now, a simple overwrite is considered sufficient for flash, so we do have some standards.
        • Re:Honk! Honk! (Score:4, Insightful)

          by s13g3 (110658) on Monday January 28 2008, @03:39PM (#22212508) Journal
          How in the name of CowboyNeal did parent get modded as +5 Informative?

          I recover deleted data WITHOUT a clean room or disk disassembly process on a nigh-daily basis. There are plenty of software tools that will recover data post-format, deletion, or crash; some even after multiple passes. Just yesterday I recovered about 3.4GB of data from a hard drive (that I didn't know at the time was failing with bad read-heads that were pinging the disk surface and creating physically-bad sectors) that had been reformatted (full format, not quick) and re-installed. The particular sequence of apps and methods I used enabled me to recover almost all the important docs on the machine minus a handful of unrecoverable files in the physically failed sectors. The disk later crashed again after the recovery, which was when I discovered the drive was failing. The MFT and MBR were completely shot and most bootable diagnostic applications listed the disk as unreadable. Others would attempt to read the disk but showed no data, even some tools that are supposed to seek data outside the MBR by examining individual clusters. Once again by using the right tools in the right sequence, I am, as I write this, recovering data from the disk yet again (this time as a slave drive in another machine, backing up to a known good archive drive)... Looks like I'm once again going to get all the data but another handful of files that were stored on physically damaged sectors.

          So, no one is pandering - please to know what you're talking about first... Yes, my ability to recover data via software tools extends even to many (but not all) software applications that are supposed to securely and irrevocably destroy data. Also, if you're insistent about staying off-topic in regards to data-destruction in the face of law enforcement, not only are all the software methods you might use to destroy data far too slow, but chances are they just won't do the trick. This was a giant concern for the U.S. Air Force after the collision of a P-3 Orion with a Chinese fighter jet, where it was forced to land in China, and NONE of the data destruction techniques available to the crew were remotely sufficient to destroy enough data in the time available to them, but even if they had been, chances are a devoted enough analyst with the proper equipment and time still would have been able to recover more data than desirable (which, since it was all highly classified, means any data at all) outside of explosives, which they had, but are not generally a good idea to detonate on the inside of a flying aircraft. Since then the U.S.A.F. has developed a method of data destruction that utilizes what is essentially a modified medical defibrillator with a somewhat greater total output and replacement of the standard shock paddles with high-strength electromagnets that are placed on both sides on the drive and then discharged, functionally flipping the polarity of the entire disk and destroying all lingering magnetically resonant harmonics.

          A dedicated and determined analyst with the right tools and time can recover vast quantities of data on disk subject even to a "military format"... Modern drives and recording techniques have nothing to do with anything in this regard. The only fool-proof way is massive electromagnetic discharge, incineration or to sand or otherwise physically damage the platters themselves... To quote 'Zerth' from above, "Fe2O3+2Al is your friend." Nothing will do the job quite as readily as Thermite, however it obviously presents its own issues... especially since setting it off to erase your hard-drives before the authorities arrive is almost certain to earn you a large number of other very serious criminal charges, and liable to burn your home or office down; it's also hard to get the stuff to ignite reliably sometimes.

          I'd STILL like to hear an answer to the actual question put forth in the article... We all know that hard disks can be disassembled and forensically recovered in the case of serious failure or attempted data destruction... But a
          • Re:not impossible (Score:4, Interesting)

            by smooth wombat (796938) on Monday January 28 2008, @01:55PM (#22210836) Homepage Journal
            where the data was overwritten, and then melted with thermite.


            WHAT?!!!! I'm hoping I'm parsing your sentence incorrectly because any hard drive subjected to thermite becomes nothing but a puddle of molten then solidified metal.

            What I'm hoping you meant to say was that even though the hard drives in our surveillance plane had been subjected to thermite, parts of the drives remained intact enough so the data on the unmelted parts could be retrieved despite the data also having been overwritten.

            Allow/Deny?

      • Re:Honk! Honk! (Score:5, Informative)

        by Jagen (30952) on Monday January 28 2008, @12:51PM (#22209920) Homepage
        That is a myth based on a theoretical paper. The principle is good, but you would need to know the starting voltage of each bit and exactly how many times that bit had been written to. Overwrite your files once, and they're gone, for good.
          • Re:Honk! Honk! (Score:4, Informative)

            by Jagen (30952) on Monday January 28 2008, @04:32PM (#22213356) Homepage
            "As someone who makes a living doing forensic recovery from drives that have been wiped please keep propagating the one overwrite myth..."

            You my anonymous friend, are a no good, stinking liar. There is no software method for reading the magnetic flux levels of the bits of a hard drive as obviously the drive firmware interprets that data itself and presents the 1 or 0 to you, and you do not have an ETM that can be anything like precise enough for the density of modern hard drives, and even if you did how quickly could you read the data and what could you do with it? The bits are essentially stored as analogue data so apart from what the current setting is supposed to represent (1 or 0) how do you propose to get any useful information about the history of that bit?
            I can believe you recover data from drives people think they have "wiped", but if I overwrite every bit on my hard drive with garbage you are not going to get anything but garbage from it.
    • Re:Honk! Honk! (Score:5, Insightful)

      by farkus888 (1103903) on Monday January 28 2008, @12:40PM (#22209794)
      I know that is not enough to securely wipe a traditional hd. the current standard is 7 passes of random 1s and 0s. even worse than that, I have had people who formerly worked nsa tell me that really sensitive data is only considered gone when they have dismantled the drive and melted the platters in acid.
      • Re: (Score:3, Interesting)

        I seem to recall hearing that US spy planes have a special 'eraser' built into onboard HDDs, that behave like arc welders. Turn it on, and within less than a second the platters are completely slagged.
        • Re:Honk! Honk! (Score:4, Informative)

          by FesterDaFelcher (651853) on Monday January 28 2008, @01:32PM (#22210472)
          Not in less than a second, but all of the hard drives we used on the AWACS plane had toggle switches that would begin writing random 1s and 0s to the drive for as long as there was power applied. One complete rewrite took approx 15 seconds, and the T.O. specified flipping the switch at least 2 minutes before a catastrophic event (read: plane crash). We also had another tool for physical destruction of our equipment, commonly called an "axe". :)
          • by uncqual (836337) on Monday January 28 2008, @01:36PM (#22210552)
            I believe the requested feature is best implemented in the file system layer rather than the physical media layer (SSD vs. HD).

            There is a good proof-of-concept available (but it currently works only for wives) that could probably be easily enhanced to implement the mother-in-law eraser function (actually, perhaps it's already there, I've not used Reiser4 much).
      • Re:Honk! Honk! (Score:5, Interesting)

        by segfaultcoredump (226031) on Monday January 28 2008, @01:00PM (#22210046)
        While it is true that the data can be recovered after multiple passes, what most folks forget to mention is the level of effort required to recover such data.

        Think hanging chads, but on a much larger scale.

        You get to pull the disks, and start walking them with an electron microscope looking for the 'residual' images. Then you get to make a guess as to the 'bit' being a 1 or a 0. Then you get to start assembling a filesystem on top of all of that.

        Yes, it is possible, but it would take a very, very long time.

        Generally speaking, overwriting the data _once_ is enough to torment your local law enforcement agency. The level of effort required is just too much for them to deal with the issue given the other things that they need to do. (rumor has it that in the old days they could just modify the firmware to shift the drive heads over a touch, but that trick does not appear to work as much with newer drives since there is not much space between tracks anymore)

        The reason that the Military/NSA/FBI/CIA want to actually destroy the disks is because even though it is _difficult_, it is still _possible_ to recover the data.

        Please note that for this to work, you must overwrite the actual sectors on the disk (aka "wipe"), not just blow away the metadata (aka "delete")
        • Re: (Score:3, Interesting)

          And perhaps more importantly, there are currently no established forensic procedures for recovering data that has been overwritten. Police can't just use any random forensic procedure that they feel like - only certain established procedures can be used, and at present no such procedure exists. Which means that even if it were physically possible for the police to do it, the resulting evidence would almost surely be inadmissible in court. The NSA might take an electron microscope to your hard drive if they t
      • Re:Honk! Honk! (Score:4, Informative)

        by SharpFang (651121) on Monday January 28 2008, @01:04PM (#22210108) Homepage Journal
        The recovery services can recover data up to 4 passes deep. Thing is the magnetic orientation is not really boolean but float. So the transitions of the values of the plate surface are like (new) = (0.9*trans)+(0.1*old), so:

        0->0 = 0
        1->1 = 1
        1->0 = 0.1
        0->1 = 0.9
        0.9->1 = 0.99
        0.9->0 = 0.09
        0.09->1 = 0.909

        so you can guess the sequence of transitions from the value.

        I know battery-backed RAM can't be recovered that way - it's like it was constantly writing to itself, you'll have a thousand write cycles in matter of milliseconds. I don't know how data is stored in flash though.

        Makes you wonder if you could quadruple the capacity of the harddrives that way too.
      • Re:Honk! Honk! (Score:5, Interesting)

        by alen (225700) on Monday January 28 2008, @01:07PM (#22210142)
        when i was in US Army Europe the intel guys would take the HD's out of their PC's when it was time to toss them and open them up and scrub the platters with brillo or some other wire brush to destroy the platter. The PC's would then get turned in via usual channels.

        For monitors if you wanted to process classified info it was a whole lot of paperwork because with the old CRT's you can read what is on the screen from like 3 blocks away just by the radiation they put out. ditto with Cat5. if you had a classified laptop you would have a short cat5 to a special encryption device, then cat5 out to the datacenter downstairs which had the same encryption device and then it would run out to the servers. NSA said you could read cat5 traffic from like 3 blocks away as well
        • Re:Honk! Honk! (Score:5, Informative)

          by Nintendork (411169) on Monday January 28 2008, @04:31PM (#22213340) Homepage
          I remember reading about this in regards to CRT. Here's a good article [newscientist.com]. Regarding the reading of CAT5 from a distance, I call BS. There isn't enough leakage due to the positive/negative pairs. In any case, IPSec in transport mode should be used for secure transmission on any media. No standalone device required. Even fiber can have a splitter installed for eavesdropping if the traffic isn't encrypted.
      • by Nintendork (411169) on Monday January 28 2008, @02:08PM (#22211026) Homepage
        DoD5220.22-M is what most use and is becoming old-school. That means three passes. Ones, Zeros, then Random. However, the national standard in America is NIST 800-88. Newer drives have a function built into the firmware that does a secure erase in one pass, even covering spare sectors. It's called Secure Erase or SE. The NSA likes it, rating it higher than using an external program. It meets security requirements of HIPAA, PIPEDA, GLBA, and Sarbanes-Oxley. If you want it, check into this man's [ucsd.edu] utility and its educational document [ucsd.edu].
    • Re:Honk! Honk! (Score:5, Insightful)

      by _KiTA_ (241027) on Monday January 28 2008, @12:58PM (#22210002) Homepage
      I'd figure the same as with regular harddisks apply. One pass and gone the data is.

      Except that unlike normal HDDs, SSDs intentionally fragment the data across the drive to avoid writing to a specific section of the drive repeatedly (an attempt to avoid over-writing to the flash). Assuming you don't fill up the ENTIRE DRIVE, your data might very well still be there.

      I'd love to ask Ontrack or Drivesavers about it, to be honest.
  • by broken_chaos (1188549) on Monday January 28 2008, @12:37PM (#22209722) Homepage
    Is it "How can I recover data from a failing/failed solid-state drive?"? Or is it "How easily can someone else find my 'deleted' data on my solid-state drive?"?

    I'm not sure of the answer to either question, directly, but I'd suggest multiple backups for the first one, and encryption for the second one (full/near-full disk encryption is quite fast on a multi-core system).
  • Pointless (Score:5, Interesting)

    by mlyle (148697) on Monday January 28 2008, @12:37PM (#22209728)
    It appears that solid state drives are going to have several times the MTBF of conventional media, and thus a failure rate several times lower. Sure, data recovery is much less likely to work when SSDs fail-- as it's more likely to be the actual memory failing than controller chips or ancillary electronics. However, normal disk recovery places can only recover your data from a failing/failed drive perhaps 60-75% of the time. Thus, the actual incidence of unrecoverable data on a SSD is likely to be much lower than with rotating media, and the overall failure rate lower still. This is nothing but a win, as the normal data recovery rackets are made irrelevant in the case of media failure and overall reliability is improved.
    • Re:Pointless (Score:5, Insightful)

      by TooMuchToDo (882796) on Monday January 28 2008, @12:55PM (#22209968)
      I agree with your post, and would like to point out that the original question is moot. Between SSD media, redundant drive systems, and autonomous remote backup platforms, you should care little about the media data recovery rate. Only care that you've put an intelligent data management system into place. Don't have a single point of failure (like the media) and you'll be fine.
    • Re:Pointless (Score:5, Informative)

      by TubeSteak (669689) on Monday January 28 2008, @01:06PM (#22210128) Journal

      It appears that solid state drives are going to have several times the MTBF of conventional media, and thus a failure rate several times lower.
      Generally speaking, solid state media don't fail. You lose sectors over time and these get replaced from the reservoir. When the reservoir runs out, the size of the available space shrinks, but AFAIK, data doesn't get corrupted when a sector gets stuck.

      AFAIK, the only way you get data corruption in a SSD is from power fluctuations causing a bad write.
  • Simple (Score:5, Insightful)

    by Kjella (173770) on Monday January 28 2008, @12:41PM (#22209808) Homepage
    If you want security, encrypt before you store. If you want recoverability, get a real backup. Seriously, this has been this way ever since computers got fast enough to do AES on the fly against disk. Ubuntu supports it in the alternate installer, Debian and probably the rest too. On Windows various closed source software like DriveCrypt++, Bitlocker and whatnot is available. This isn't really all that difficult...
  • Secure erase (Score:5, Interesting)

    by trainman (6872) on Monday January 28 2008, @12:47PM (#22209876)
    Actually my concern would be more the exact opposite, what are the implications for secure erasure of these drives? Before we could just open the drives and smash the platters if you wanted to be really paranoid. Now, do we have to make sure we find all the flash chips and ensure each one of them is destroyed? Are there other implications because of this flash memory for secure erase utilities?

    If your hard drive dies and you don't have a backup, I have very little sympathy for you. You should know better. Especially anyone reading slashdot. Let's get back to our NSA fearing roots and talk about how to protect ourselves with the latest in encryption technology. ;-)
  • by carpe_noctem (457178) on Monday January 28 2008, @12:48PM (#22209888) Homepage Journal
    Ask Slashdot: For when you've got time to write up a whole paragraph, but not a 5-word google search...

    Google results, which seem rather informative [google.com]
    • Re:Use the gForce (Score:5, Informative)

      by carpe_noctem (457178) on Monday January 28 2008, @01:01PM (#22210056) Homepage Journal
      Looks like I misspoke a bit... looks like the point of this post isn't to ask something that could have been easily googled, it was for this chump to plug his blog. So, let me rephrase:

      Ask Slashdot: When a slashvertisement just won't do, since you've only got yourself to sell.
  • by rew (6140) <r.e.wolff@BitWizard.nl> on Monday January 28 2008, @01:17PM (#22210286) Homepage
    I work for www.harddisk-recovery.com .

    We will gladly reverse engineer the data-distribution algorithms that the SSD device uses on a case-by-case basis. We have done so in the past for several different USB sticks. We will desolder and read the individual data-holding chips and then reverse engineer their scrambling algorithms. We will then recover your data from whatever chips still work sufficiently to provide us with some data.

    The first time this will take us a few days extra. Expect about a week turnaround time the first time anyone sends us a failed SSD disk.....
  • by Venik (915777) on Monday January 28 2008, @01:19PM (#22210314)
    If you have any data that you may need to destroy quickly and permanently, I would suggest using DVDs. Sure, it's slow and a hassle but, when you need to get rid of a large volume of information in a hurry, you just take your DVDs and put them in a microwave for a few seconds.

    The damage microwave radiation causes to the data on the DVD extends beyond visible damage to the metal layer. That is to say that, even though it may seem like there are undamaged areas left on the DVD's surface, they are still unreadable. And it only takes 2-3 seconds to completely destroy a whole stack of DVDs, if they are arranged in a microwave with some space between them. Rewriting a hard drive with multiple passes may take hours and still leaves a possibility that some data may be recovered.

    It seems to me that with SSD data recovery should work better than with conventional hard drives. You may need to overwrite the entire disk multiple times, as opposed to overwriting just the selected data, as you would with a conventional hard drive.
    • Yes, but what does a microwave do to a HDD? Of course, the HDD does have the reverse damage feedback spell enabled, so it will probably kill the microwave too, but if you were in a hurry to kill sensitive data, that's a risk I'd take...

      Telling the gov't why your HDD was in the microwave might be a little trickier...
  • by Tumbleweed (3706) * on Monday January 28 2008, @02:07PM (#22211006) Homepage
    Okay, so the new wear-levelling ability of SSDs, (where if it cannot write to a block/bit/whatever, it marks that as bad and writes somewhere else), brings a question to mind:

    Let's say you have had your SSD for awhile, and some data is in areas that subsequently get marked as 'bad'. You 'format' your SSD clean, but does the format change those marked-bad bits? If not, just because they cannot be written to, doesn't necessarily mean they couldn't be READ from by some utility that ignores the marked-bad flags, in theory. So, is it possible for an SSD to have data recoverable from 'marked bad' areas, that might even pass a format/multi-write randomizing utility? Something to think about. Hopefully someone knows the answer...
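
Added example (not part of any poster's comment or of the original thread): a toy flash translation layer in Python modelling the behaviour _KiTA_ and Tumbleweed describe above, where writes land on fresh pages and pages marked bad fall out of the host's reach. The page counts, the FIFO garbage collector, page-granular erase and the `firmware_erase` method (standing in for the drive-level Secure Erase mentioned earlier in the thread) are assumptions made for illustration.

```python
"""Toy flash translation layer (FTL). Constructed for illustration only."""

SECRET = b"account-list-v1"   # constructed sample data
ZERO = b"\x00" * 15           # pattern the host overwrites with


class ToyFTL:
    def __init__(self, logical_pages, physical_pages):
        if physical_pages <= logical_pages:
            raise ValueError("need spare pages beyond the logical capacity")
        self.logical_pages = logical_pages
        self.flash = [None] * physical_pages     # raw page contents, None = erased
        self.l2p = {}                            # logical page -> physical page
        self.free = list(range(physical_pages))  # erased pages, used in FIFO order
        self.stale = []                          # superseded pages awaiting erase
        self.retired = set()                     # pages marked bad, never reused

    def write(self, lba, data):
        """Host write: always lands on a fresh page (out-of-place update)."""
        if not 0 <= lba < self.logical_pages:
            raise IndexError("LBA outside the host-visible range")
        if not self.free:
            self._garbage_collect()
        new = self.free.pop(0)
        self.flash[new] = data
        old = self.l2p.get(lba)
        if old is not None:
            self.stale.append(old)               # old copy is still on the chip
        self.l2p[lba] = new

    def read(self, lba):
        """What the host sees through the normal drive interface."""
        return self.flash[self.l2p[lba]]

    def _garbage_collect(self):
        # Assumption: erase one stale page at a time, oldest first.
        page = self.stale.pop(0)
        self.flash[page] = None
        self.free.append(page)

    def retire_page_of(self, lba):
        """Controller marks the page behind `lba` bad and remaps the data.
        The retired page is not erased and no host write can reach it again."""
        if len(self.flash) - len(self.retired) - 1 <= self.logical_pages:
            raise RuntimeError("spare area exhausted")
        old = self.l2p.pop(lba)
        self.retired.add(old)
        self.write(lba, self.flash[old])

    def host_overwrite_all(self, fill):
        """One full pass over every host-visible LBA (a 'wipe' from the OS)."""
        for lba in range(self.logical_pages):
            self.write(lba, fill)

    def firmware_erase(self):
        """Assumed drive-level erase that reaches every page, spare and
        retired ones included."""
        self.flash = [None] * len(self.flash)
        self.l2p.clear()
        self.stale.clear()
        self.free = [p for p in range(len(self.flash)) if p not in self.retired]

    def raw_copies(self, needle):
        """Number of physical pages still holding `needle` (chip-level view)."""
        return sum(1 for page in self.flash if page == needle)


def demo():
    ftl = ToyFTL(logical_pages=8, physical_pages=12)
    for lba in range(8):
        ftl.write(lba, SECRET if lba == 3 else b"filler-%d" % lba)
    ftl.retire_page_of(3)            # the page holding SECRET is marked bad
    ftl.write(3, ZERO)               # user "securely overwrites" the file once
    result = {"host_view": ftl.read(3),
              "after_file_overwrite": ftl.raw_copies(SECRET)}
    ftl.host_overwrite_all(ZERO)     # full-drive overwrite from the host
    result["after_full_overwrite"] = ftl.raw_copies(SECRET)
    ftl.firmware_erase()
    result["after_firmware_erase"] = ftl.raw_copies(SECRET)
    return result


if __name__ == "__main__":
    print(demo())
```

In this model the host reads zeros after the single overwrite while two raw copies remain (one stale, one retired); the full-drive pass recycles the stale page but never touches the retired one. Whether stale pages get recycled during a host pass depends on the spare-area size and garbage-collection policy, which are arbitrary here.
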
    • -1, didn't read the question. He is NOT asking about how reliable the drives are, since he acknowledges that ANY media can fail. Instead, he asks about recovery options when there are no other alternatives, such as extreme disasters or criminal cases where data was intentionally lost. This is a good question, I look forward to constructive answers and the discussion that follows. Yours, however, is a dead end.
      • ...criminal cases where data was intentionally lost

        You can completely and unretrievably wipe data from both paper and disk drives. With paper, shredding is no good but a single match or Bic will do the trick. Cheaper than a shredder, too. With a disk drive, just disassemble it and sand off all the oxide. Or alternatively, if you have a smelter or other really really hot mass of molten metal, you can just drop the thing in there. The smelter option works for CDs and tape as well.

        Or you can bury it in the bridge abutment your construction company is building with tax dollars, right next to Jimmy Hoffa.

        Oh oh, am I on my way to Gitmo now?

        -mcgrew

        (still no journal although the last one was updated Friday. Mod me down for this?)
        • Having operated a makeshift incinerator a few times, I have to point out that fire can be insufficient in and of itself.

          I've actually held bits of ash with legible writing still on it. I was burning old checks for my parents.

          I wouldn't count it destroyed until the ashes are stirred well.
    • Being one who is an owner of a data recovery company [recoveryforce.com], I have been contemplating the idea of writing an article about the implications of SSHD and data recovery. I guess this discussion has beaten me to it.

      I have a few thoughts on this matter and will post them in point form:

      1. The elimination of the clean room?
      - For obvious reasons, the necessity of a clean room for solid state devices will be drastically reduced. However, due to the price and size constraints, I don't foresee the elimination of th