Data Recovery & Solid State 249
theoverlay writes "With all of the recent hype about solid-state drives in both consumer applications and enterprise environments I have a real concern about data recovery on these devices. I know there are services for flash memory restoration but has anyone been involved in data restoration projects on ssd drives? What are the limits and circumstances that have surfaced so far? What tools will law enforcement and government use to retrieve data for investigations and the like?"
Pointless (Score:5, Interesting)
Secure erase (Score:5, Interesting)
If your hard drive dies and you don't have a backup, I have very little sympathy for you. You should know better. Especially anyone reading slashdot. Let's get back to our NSA fearing roots and talk about how to protect ourselves with the latest in encryption technology.
Re:Honk! Honk! (Score:3, Interesting)
well that makes it easy (Score:1, Interesting)
Re:SSDs have one infallible data recovery option (Score:1, Interesting)
The second question here is if it is possible to recover data that has been overwritten on a solid state device. It is possible on magnetic disks, but a solid state device is encapsulated in a much more rigorous manner which means that it will be a lot harder. However, it may still be possible using the right equipment.
And don't forget: Never store your important data under the directory /tmp or /var/tmp on any *NIX machine. It will be erased! I know that this has happened, since I was working for a company where a consultant did EXACTLY this. That consultant stored all his sources there! And the system erased all files older than 14 days, and since it was /tmp there was no backup. That person had to do it the HARD way because there was no way that there was any possibility to recover that data. I have no idea what became of that consultant after that was cleaned up, but I sure hope that he at least didn't make that mistake again!
One of the classical Murphy's law [murphys-laws.com] moments...
Re:Honk! Honk! (Score:5, Interesting)
Think hanging chads, but on a much larger scale.
You get to pull the disks, and start walking them with an electron microsocope looking for the 'residual' images. Then you get to make a guess as to the 'bit' being a 1 or a 0. Then you get to start assembling a filesystem on top of all of that.
Yes, it is possible, but it would take a very, very long time.
Generally speaking, overwriting the data _once_ is enough to tormet your local law enforcement agency. The level of effort required is just too much for them to deal with the issue given the other things that they need to do. (rumor has it that in the old days they could just modify the firmware to shift the drive heads over a touch, but that trick does not appear to work as much with newer drives since there is not much space between tracks anymore)
The reason that the Military/NSA/FBI/CIA want to actually destroy the disks is because even though it is _difficult_, it is still _possible_ to recover the data.
Please note that for this to work, you must overwrite the actual sectors on the disk (aka "wipe"), not just blow away the metadata (aka "delete")
Re:Honk! Honk! (Score:5, Interesting)
For monitors if you wanted to process classified info it was a whole lot of paperwork because with the old CRT's you can read what is on the screen from like 3 blocks away just by the radiation they put out. ditto with Cat5. if you had a classified laptop you would have a short cat5 to a special encryption device, then cat5 out to the datacenter downstairs which had the same encryption device and then it would run out to the servers. NSA said you could read cat5 traffic from like 3 blocks away as well
Re:Honk! Honk! (Score:3, Interesting)
Datarecovery of SSD drives. (Score:5, Interesting)
We will gladly reverse engineer the data-distribution algorithms that the SSD device uses on a case-by-case basis. We have done so in the past for several different USB sticks. We will desolder and read the individual data-holding chips and then reverse engineer their scrambling algorithms. We will then recover your data from whatever chips still work sufficiently to provide us with some data.
The first time this will take us a few days extra. Expect about a week turnaround time the first time anyone sends us a failed SSD disk.....
Re:Honk! Honk! (Score:1, Interesting)
More NSA paranoia, they're not sure if they need to start destroying UTP/STP Ethernet cable because it could store residual images of classified data making the cables themselves permanently classified. I am not even close to joking about this, they're that screwed up and over budgeted that your tax dollars are being pissed away on this kind of "research."
Oh, and then there's the new NSA-backed encryption with a built-in back door. Why bother breaking the encryption when you can just get in the easy way?
It's totally out of hand, so next time someone mentions the NSA and computer security in the same sentence, put your fingers in your ears and start yelling as loud as you can until they're done talking. It will make you feel less dumb about paying your taxes.
Re:Honk! Honk! (Score:1, Interesting)
Re:Honk! Honk! (Score:4, Interesting)
Is it overkill? Certainly. But apparently 3 passes isn't considered enough.
Now, a simple overwrite is considered sufficient for flash, so we do have some standards.
Re:not impossible (Score:4, Interesting)
WHAT?!!!! I'm hoping I'm parsing your sentence incorrectly because any hard drive subjected to thermite becomes nothing but a puddle of molten then solidified metal.
What I'm hoping you meant to say was that even though the hard drives in our surveillance plane had been subjected to thermite, parts of the drives remained intact enough so the data on the unmelted parts could be retrieved despite the data also having been overwritten.
Allow/Deny?
fire insufficient in and of itself... (Score:3, Interesting)
I've actually held bits of ash with legible writing still on it. I was burning old checks for my parents.
I wouldn't count it destroyed until the ashes are stirred well.
the effect of wear-levelling on recoverability? (Score:3, Interesting)
Let's say you have had your SSD for awhile, and some data is in areas that subsequently get marked as 'bad'. You 'format' your SSD clean, but does the format change those marked-bad bits? If not, just because they cannot be written to, doesn't necessarily mean they couldn't be READ from by some utility that ignores the marked-bad flags, in theory. So, is it possible for an SSD to have data recoverable from 'marked bad' areas, that might even pass a format/multi-write randomizing utility? Something to think about. Hopefully someone knows the answer...
Re:Honk! Honk! (Score:3, Interesting)
Re:Honk! Honk! (Score:3, Interesting)
That's the tricky bit. Any hard drive built in the last ten years or so won't actually write ones and zeros to the disk, but uses something like QAM to pack even more bits per symbol on. Think in terms of one nybble being represented as an analogue value from 0 to 15 - was that 6 really a 6, or is it a faint 7? Or was it a 5 that wasn't particularly strongly erased?
Overwrite each track once, and the data is gone.
Re:Honk! Honk! (Score:2, Interesting)
As far as data recovery on a drive that has in theory been flipped to pure 0, to 1, and then back to 0 again, ask anyone who works or has worked at a data recovery facility where they physically disassemble the disks for analysis. They'd be able to give you a much more scientific explanation (that's not what I do for a living), but the short of it is that the platters retain a magnetically-resonant harmonic latent in the background that is not immediately apparent to the standard read-heads built in to the disk, or is not apparent to them on individual sectors; however, when all the platters on an entire disk are examined, the standing magnetic harmonic (this may not be exactly the right term, but it's close enough, iirc) may be seen and analyzed in order to reconstruct the data on the disk. When I worked at D.E.C., we had an engineer in the "warp core" downstairs who had purchased a mil-spec "portable clean-room" for dirt cheap at an Army/Navy Surplus store that didn't realize what he had. I distinctly remember him making the claim (other engineers in the building validated his claim, though I never witnessed it myself) that he could even recover about 60%-70% of the data from a disk that had been subject to a "military format", which iirc, at the time referred to a disk that had been formatted to 0 then to 1, 0, 1, 0, 1, 0 (i.e. seven full flips). It is my understanding that a fully outfitted and funded data recovery analyst (i.e. large corporate or military/government) can still recover similar amounts of data after numerous "disk-shredding" operations.
I'm mainly limited by drive-failure in my ability to recover data. Enough formats or overwrites of the individual sectors may prevent me from being able to see or recover the data with what tools I have available. A full-on format, however, still doesn't ensure I can't get data, unless you use an application specifically meant to wipe a disk that runs from a bootable (non-windows) environment, and some of those seem to do better jobs than others; that said, a full wipe (which happens to generally be a very slow process too) is your best bet short of physical destruction in order to prevent any software based recovery... As far as preventing actual recovery analysts from finding data, use the methods I and Bill Stewart mentioned above - Drill/sandblast the platters, degaussing (and no, a regular magnet will NOT prevent a real analyst from recovering data... you need a particularly high-strength electromagnet), or thermite; these are the only guaranteed methods. You could try rigging up a method using the magnetron from a microwave, but that would bear experimentation and I have no certainty of it's effectiveness.
Examine the "Hard Disk", "Recovery Tools" and "Partition tools" portions on the Hiren's disk, and experiment with the tools available there. It still takes a little experimentation on my part depending on the nature of the data-loss to find exactly the correct or safest procedure for data recovery, but if you know what you're about when it comes to computers, it shouldn't be too hard to figure out. There are also a number of tools on the CD that run in Windows instead of from the bootable portion of the CD, and a number of these are also very successful at recovering data - GetDataBackNTFS did for the first recovery on the machine I referenced above... Even though it had been NTFS full formatted and re-installed since, I could have recovered all the data on the disk, incl. OS (except what