Data Recovery & Solid State

theoverlay writes "With all of the recent hype about solid-state drives in both consumer applications and enterprise environments I have a real concern about data recovery on these devices. I know there are services for flash memory restoration but has anyone been involved in data restoration projects on ssd drives? What are the limits and circumstances that have surfaced so far? What tools will law enforcement and government use to retrieve data for investigations and the like?"

Pointless

[mlyle]

It appears that solid state drives are going to have several times the MTBF of conventional media, and thus a failure rate several times lower. Sure, data recovery is much less likely to work when SSDs fail-- as it's more likely to be the actual memory failing than controller chips or ancillary electronics. However, normal disk recovery places can only recover your data from a failing/failed drive perhaps 60-75% of the time. Thus, the actual incidence of unrecoverable data on a SSD is likely to be much lower than with rotating media, and the overall failure rate lower still. This is nothing but a win, as the normal data recovery rackets are made irrelevant in the case of media failure and overall reliability is improved.

Secure erase

[trainman]

Actually my concern would be more the exact opposite, what are the implications for secure erasure of these drives? Before we could just open the drives and smash the platters if you wanted to be really paranoid. Now, do we have to make sure we find all the flash chips and ensure each one of them is destroyed? Are there other implications because of this flash memory for secure erase utilities?

If your hard drive dies and you don't have a backup, I have very little sympathy for you. You should know better. Especially anyone reading slashdot. Let's get back to our NSA fearing roots and talk about how to protect ourselves with the latest in encryption technology. ;-)

Re:Honk! Honk!

[Aardpig]

I seem to recall hearing that US spy planes have a special 'eraser' built into onboard HDDs, that behave like arc welders. Turn it on, and within less than a second the platters are completely slagged.

well that makes it easy

[Anonymous Coward]

Just put your drug deals, k1dd13 pr0n, and terrorist plans in a file called attorneyconfidential.doc. That way when you erase them you can claim attorney-client privilege with a straight face.

Re:SSDs have one infallible data recovery option

[Z00L00K]

Most filesystems only does a removal of the reference to a file when a file is deleted. A few may offer the added feature of overwriting when deleting a file. If I remember right OpenVMS actually has an option to the DELETE command that allows this.

The second question here is if it is possible to recover data that has been overwritten on a solid state device. It is possible on magnetic disks, but a solid state device is encapsulated in a much more rigorous manner which means that it will be a lot harder. However, it may still be possible using the right equipment.

And don't forget: Never store your important data under the directory /tmp or /var/tmp on any *NIX machine. It will be erased! I know that this has happened, since I was working for a company where a consultant did EXACTLY this. That consultant stored all his sources there! And the system erased all files older than 14 days, and since it was /tmp there was no backup. That person had to do it the HARD way because there was no way that there was any possibility to recover that data. I have no idea what became of that consultant after that was cleaned up, but I sure hope that he at least didn't make that mistake again!

One of the classical Murphy's law [murphys-laws.com] moments...

Re:Honk! Honk!

[segfaultcoredump]

While it is true that the data can be recovered after multiple passes, what most folks forget to mention is the level of effort required to recover such data.

Think hanging chads, but on a much larger scale.

You get to pull the disks, and start walking them with an electron microsocope looking for the 'residual' images. Then you get to make a guess as to the 'bit' being a 1 or a 0. Then you get to start assembling a filesystem on top of all of that.

Yes, it is possible, but it would take a very, very long time.

Generally speaking, overwriting the data _once_ is enough to tormet your local law enforcement agency. The level of effort required is just too much for them to deal with the issue given the other things that they need to do. (rumor has it that in the old days they could just modify the firmware to shift the drive heads over a touch, but that trick does not appear to work as much with newer drives since there is not much space between tracks anymore)

The reason that the Military/NSA/FBI/CIA want to actually destroy the disks is because even though it is _difficult_, it is still _possible_ to recover the data.

Please note that for this to work, you must overwrite the actual sectors on the disk (aka "wipe"), not just blow away the metadata (aka "delete")

Re:Honk! Honk!

[alen]

when i was in US Army Europe the intel guys would take the HD's out of their PC's when it was time to toss them and open them up and scrub the platters with brillo or some other wire brush to destroy the platter. The PC's would then get turned in via usuall channels.

For monitors if you wanted to process classified info it was a whole lot of paperwork because with the old CRT's you can read what is on the screen from like 3 blocks away just by the radiation they put out. ditto with Cat5. if you had a classified laptop you would have a short cat5 to a special encryption device, then cat5 out to the datacenter downstairs which had the same encryption device and then it would run out to the servers. NSA said you could read cat5 traffic from like 3 blocks away as well

Re:Honk! Honk!

[afidel]

You are wrong [usenix.org], in fact the small feature size of modern HDD's actually makes it easier in some cases as the smaller magnetic domains are harder to flip so even small changes in alignment will mean that recoverable data will be left behind.

Datarecovery of SSD drives.

[rew]

I work for www.harddisk-recovery.com .

We will gladly reverse engineer the data-distribution algorithms that the SSD device uses on a case-by-case basis. We have done so in the past for several different USB sticks. We will desolder and read the individual data-holding chips and then reverse engineer their scrambling algorithms. We will then recover your data from whatever chips still work sufficiently to provide us with some data.

The first time this will take us a few days extra. Expect about a week turnaround time the first time anyone sends us a failed SSD disk.....

Re:Honk! Honk!

[Anonymous Coward]

The important thing to note is that you just mentioned the current NSA standard which takes into account massive paranoia and stupid theory.

More NSA paranoia, they're not sure if they need to start destroying UTP/STP Ethernet cable because it could store residual images of classified data making the cables themselves permanently classified. I am not even close to joking about this, they're that screwed up and over budgeted that your tax dollars are being pissed away on this kind of "research."

Oh, and then there's the new NSA-backed encryption with a built-in back door. Why bother breaking the encryption when you can just get in the easy way?

It's totally out of hand, so next time someone mentions the NSA and computer security in the same sentence, put your fingers in your ears and start yelling as loud as you can until they're done talking. It will make you feel less dumb about paying your taxes.

Re:Honk! Honk!

[Anonymous Coward]

As someone who makes a living doing forensic recovery from drives that have been wiped please keep propagating the one overwrite myth...

Re:Honk! Honk!

[Firethorn]

I figure the requirements for a 21 pass overwrite scheme is still a requirement for sanitizing government drives for a reason.

Is it overkill? Certainly. But apparently 3 passes isn't considered enough.

Now, a simple overwrite is considered sufficient for flash, so we do have some standards.

Re:not impossible

[smooth wombat]

where the data was overwritten, and then melted with thermite.

WHAT?!!!! I'm hoping I'm parsing your sentence incorrectly because any hard drive subjected to thermite becomes nothing but a puddle of molten then solidified metal.

What I'm hoping you meant to say was that even though the hard drives in our surveillance plane had been subjected to thermite, parts of the drives remained intact enough so the data on the unmelted parts could be retrieved despite the data also having been overwritten.

Allow/Deny?

fire insufficient in and of itself...

[Firethorn]

Having operated a makeshift incinerator a few times, I have to point out that fire can be insufficient in and of itself.

I've actually held bits of ash with legible writing still on it. I was burning old checks for my parents.

I wouldn't count it destroyed until the ashes are stirred well.

the effect of wear-levelling on recoverability?

[Tumbleweed]

Okay, so the new wear-levelling ability of SSDs, (where if it cannot write to a block/bit/whatever, it marks that as bad and writes somewhere else), brings a question to mind:

Let's say you have had your SSD for awhile, and some data is in areas that subsequently get marked as 'bad'. You 'format' your SSD clean, but does the format change those marked-bad bits? If not, just because they cannot be written to, doesn't necessarily mean they couldn't be READ from by some utility that ignores the marked-bad flags, in theory. So, is it possible for an SSD to have data recoverable from 'marked bad' areas, that might even pass a format/multi-write randomizing utility? Something to think about. Hopefully someone knows the answer...

Re:Honk! Honk!

[nasor]

And perhaps more importantly, there are currently no established forensic procedures for recovering data that has been overwritten. Police can't just use any random forensic procedure that they feel like - only certain established procedures can be used, and at present no such procedure exits. Which means that even if it were physically possible for the police to do it, the resulting evidence would almost surely be inadmissable in court. The NSA might take an electron microscope to your hard drive if they think you have the plans for China's new invisible tank on it or something, but in general the police won't be able to do a thing.

Re:Honk! Honk!

[Gordonjcp]

Then you get to make a guess as to the 'bit' being a 1 or a 0.

That's the tricky bit. Any hard drive built in the last ten years or so won't actually write ones and zeros to the disk, but uses something like QAM to pack even more bits per symbol on. Think in terms of one nybble being represented as an analogue value from 0 to 15 - was that 6 really a 6, or is it a faint 7? Or was it a 5 that wasn't particularly strongly erased?

Overwrite each track once, and the data is gone.

Re:Honk! Honk!

[s13g3]

My techniques would take too long to outline in this space, and can be discovered by anyone willing to take the time to research software data recovery techniques. While the archive method violates several copyright laws, there is an excellent compendium of related tools on the "Hiren's BootCD" that you can find by searching for a torrent of the same name - this is a pretty comprehensive group of tools for many applications, and the collection of data recovery tools is excellent, especially if you know how to use them in addition to other recovery methods.

As far as data recovery on a drive that has in theory been flipped to pure 0, to 1, and then back to 0 again, ask anyone who works or has worked at a data recovery facility where they physically disassemble the disks for analysis. They'd be able to give you a much more scientific explanation (that's not what I do for a living), but the short of it is that the platters retain a magnetically-resonant harmonic latent in the background that is not immediately apparent to the standard read-heads built in to the disk, or is not apparent to them on individual sectors; however, when all the platters on an entire disk are examined, the standing magnetic harmonic (this may not be exactly the right term, but it's close enough, iirc) may be seen and analyzed in order to reconstruct the data on the disk. When I worked at D.E.C., we had an engineer in the "warp core" downstairs who had purchased a mil-spec "portable clean-room" for dirt cheap at an Army/Navy Surplus store that didn't realize what he had. I distinctly remember him making the claim (other engineers in the building validated his claim, though I never witnessed it myself) that he could even recover about 60%-70% of the data from a disk that had been subject to a "military format", which iirc, at the time referred to a disk that had been formatted to 0 then to 1, 0, 1, 0, 1, 0 (i.e. seven full flips). It is my understanding that a fully outfitted and funded data recovery analyst (i.e. large corporate or military/government) can still recover similar amounts of data after numerous "disk-shredding" operations.

I'm mainly limited by drive-failure in my ability to recover data. Enough formats or overwrites of the individual sectors may prevent me from being able to see or recover the data with what tools I have available. A full-on format, however, still doesn't ensure I can't get data, unless you use an application specifically meant to wipe a disk that runs from a bootable (non-windows) environment, and some of those seem to do better jobs than others; that said, a full wipe (which happens to generally be a very slow process too) is your best bet short of physical destruction in order to prevent any software based recovery... As far as preventing actual recovery analysts from finding data, use the methods I and Bill Stewart mentioned above - Drill/sandblast the platters, degaussing (and no, a regular magnet will NOT prevent a real analyst from recovering data... you need a particularly high-strength electromagnet), or thermite; these are the only guaranteed methods. You could try rigging up a method using the magnetron from a microwave, but that would bear experimentation and I have no certainty of it's effectiveness.

Examine the "Hard Disk", "Recovery Tools" and "Partition tools" portions on the Hiren's disk, and experiment with the tools available there. It still takes a little experimentation on my part depending on the nature of the data-loss to find exactly the correct or safest procedure for data recovery, but if you know what you're about when it comes to computers, it shouldn't be too hard to figure out. There are also a number of tools on the CD that run in Windows instead of from the bootable portion of the CD, and a number of these are also very successful at recovering data - GetDataBackNTFS did for the first recovery on the machine I referenced above... Even though it had been NTFS full formatted and re-installed since, I could have recovered all the data on the disk, incl. OS (except what