Data Recovery & Solid State

theoverlay writes "With all of the recent hype about solid-state drives in both consumer applications and enterprise environments I have a real concern about data recovery on these devices. I know there are services for flash memory restoration but has anyone been involved in data restoration projects on ssd drives? What are the limits and circumstances that have surfaced so far? What tools will law enforcement and government use to retrieve data for investigations and the like?"

Such tools as...

[Anonymous Coward]

What tools will law enforcement and government use to retrieve data for investigations and the like?"

Waterboarding, tasers, sleep deprivation, bright lights and loud obnoxious music.

Re:Such tools as...

[Anonymous Coward]

I like loud obnoxious music you insensitive clod!

Re:Such tools as...

[urcreepyneighbor]

Waterboarding, tasers, sleep deprivation, bright lights and loud obnoxious music.

Sounds like my last date. :(

Re:Such tools as...

[ari_j]

No wonder she never called back.

Re:Such tools as...

[Nodamnnicknamesavial]

Wow, Kenny G will have a busy schedule for the next few years.

Re:

[TheGratefulNet]

suppose 'bad guys' are at your door, trying to 'steal' your computer records.

can you erase your disk? not really, not fast enough.

you can grind cd/dvd roms - they make paper shredders that take opto discs.

much better though: a hammer smashing a usb key drive! no amount of 'forensics' can recover broken silicon chips.

there you go - anti-spook protection should you need it. afterall, its a dangerous world out there. many 'people' mean you harm.

Re:

[Amouth]

http://www.pcpro.co.uk/features/113080/what-does-it-take-to-destroy-a-hard-disk/page1.html [pcpro.co.uk]

i would never agree that "no amount of 'forensics' can recover broken silicon chips"

sure it might be hard.. but it is still more than possiable - the trick is how much is it worth to the person/people trying to get the data back.

i was trying to find a better artical where they went over how ontrack recovered 90+% (don't remember exactly) from the drives on the 2003 shuttle that turned into a fireball and shreaded..

i se

Tools Depend on Who's Attacking You

[billstewart]

The tools that get used to investigate your disk drives are going to depend a lot on who's trying to investigate you and your computers - how much are they willing to spend.

Law enforcement organizations aren't going to waterboard you, which would be against the law, though they might have fun tasing you. And courts have simpler methods - they issue you a subpoena that says to turn over any information you've got, and can make you sit in jail or pay heavy fines for not handing it over, or if it's a civil la

Honk! Honk!

[tripwirecc]

I'd figure the same as with regular harddisks apply. One pass and gone the data is.

Re:Honk! Honk!

[Vicarius]

Actually with regular/magnetic drives data is not gone forever with one pass. You can still use specialized readers that will detect change in magnetic field and be able to tell whether the analyzed bit was 0 or 1 before it was overwritten.

Re:Honk! Honk!

[tripwirecc]

That may have worked with old drives, forensics experts tell me these MFM/RLL things, but with modern drives and the used recording tech, it's practically impossible. But hey, keep pandering to these myths.

Re:Honk! Honk!

[Hal_Porter]

How do we know you're not an NSA mole, paid to persuade us that one pass is enough? Or maybe your experts are an NSA moles and they've tricked you.

Re:

[afidel]

You are wrong [usenix.org], in fact the small feature size of modern HDD's actually makes it easier in some cases as the smaller magnetic domains are harder to flip so even small changes in alignment will mean that recoverable data will be left behind.

Re:Honk! Honk!

[Anonymous Coward]

You're citing a 1996 paper when discussing modern HDDs?

Re:

[afidel]

Why not, GMR technology was already on its way out of the lab by 1996, the only HDD tech more advanced than that is vertical recording which is still new and only used in a handful of drives.

Re:

[SP33doh]

I'd consider seagate a little more than a handful.

Re:

[misleb]

The only difference between theory and practice is that, in theory, there is no difference. Congrats for referencing the same old paper that everyone else references on this subject. Now try finding reports of people who've actually recovered a meaningful amount of data from a drive that has been overwritten with random data.

Re:Honk! Honk!

[Firethorn]

I figure the requirements for a 21 pass overwrite scheme is still a requirement for sanitizing government drives for a reason.

Is it overkill? Certainly. But apparently 3 passes isn't considered enough.

Now, a simple overwrite is considered sufficient for flash, so we do have some standards.

Re:

[Jah-Wren Ryel]

I figure the requirements for a 21 pass overwrite scheme is still a requirement for sanitizing government drives for a reason.

Please cite a government document that specifies this 21-pass overwrite (or any number of overwrites). No amount of overwriting serves to 'sanitize' a classified hard disk. At least not for the US government.

Re:

[Rakishi]

Government mandates also include grinding, shredding and melting the hard drive then storing the molten brick for 50+ years.

Re:Honk! Honk!

[Jah-Wren Ryel]

You are wrong, in fact the small feature size of modern HDD's actually makes it easier in some cases as the smaller magnetic domains are harder to flip so even small changes in alignment will mean that recoverable data will be left behind.

You are wrong. [auckland.ac.nz] You should have cited the author's follow-up to the original paper, like I just did.

Here's the relevant part of new epilogue:

Looking at this from the other point of view, with the ever-increasing data density on disk platters and a corresponding reduction in feature size and use of exotic techniques to record data on the medium, it's unlikely that anything can be recovered from any recent drive except perhaps a single level via basic error-cancelling techniques. In particular the drives in use at the time that this paper was originally written have mostly fallen out of use, so the methods that applied specifically to the older, lower-density technology don't apply any more.

In fact, the same man has written paper that somewhat addresses the original question regarding forensic recovery of erased data in sold-state memory for usenix 2001. [cypherpunks.to]

Re:

[gardyloo]

Given the _same_ coercivity of a magnetic domain, given temperature, and a given external field, I would think smaller domains should be _easier_ to flip, on average, than large domains. The nearest- and next-nearest-neighbor influences would be much larger for small domains than large ones. After all, given the scaling laws of diffusion-driven "averaging" processes, fluctuations spaced closer together always converge to an average much faster than those spaced further apart.

I _guess_

Re:

[richlv]

hmm. are we talking here about cat /dev/zero > /dev/sda or cat /dev/random (or urandom) ?
because while i can clearly see that being possible with zeroes, overwriting with random source doesn't look such a likely candidate for recovery.
now, if i had some information i would like to be really gone, i'd probably use /dev/zero and [u]random at least a couple times each. anybody (except the known cia moles :) ) with insight how possible could _that_ be for recovery ?

Re:

[Jah-Wren Ryel]

FWIW - a data zero does not produce a string of zeros on disk. The encoding mechanism is a lot more complicated than that. It's not random, but it isn't anywhere near that straightforward either.

not impossible

[tempest69]

The chinese used some very impressive tech to read the hard drives from a US surveillance plane, where the data was overwritten, and then melted with thermite. Magnetic domains aren't that easy to erase, it like erasing a whiteboard with a slotted eraser, there will still be traces of the magnetic domains even after two rewrites. And the extra data that drives store for CRC info helps a bunch in getting the data right.

Re:not impossible

[smooth wombat]

where the data was overwritten, and then melted with thermite.

WHAT?!!!! I'm hoping I'm parsing your sentence incorrectly because any hard drive subjected to thermite becomes nothing but a puddle of molten then solidified metal.

What I'm hoping you meant to say was that even though the hard drives in our surveillance plane had been subjected to thermite, parts of the drives remained intact enough so the data on the unmelted parts could be retrieved despite the data also having been overwritten.

Allow/Deny?

Re:

[jacksonj04]

Now that *is* impressive. I've seen thermite go through some pretty thick reinforced metals, so lord knows what those disk platters were made of.

[Citation Needed]

[pragma_x]

I call shennanigans. Recovery after thermite? Not a chance.

Any ferrous material brought above the Curie Point [wikipedia.org] is no longer magnetic, and looses any magnetism it had prior to heating. You can test this yourself with a magnet, a butter knife and a blowtorch. No matter what combination of iron and impurities your drive surface has, its Curie Point is easily below the temperature of molten iron - the product of your thermite reaction.

So even if the discs were heated by thermite, rather than just plain destr

Re:

[TheSkyIsPurple]

If the thermite only hit part of the platters, and burned so fast that the rest of the platter didn't have a chance to hit the curie point, maybe some percentage of the sectors was readable?

I would love to experiment with that one... =-)

Re:Honk! Honk!

[s13g3]

How in the name of CowboyNeal did parent get modded as +5 Informative?

I recover deleted data WITHOUT a clean room or disk disassembly process on a nigh-daily basis. There are plenty of software tools that will recover data post-format, deletion, or crash; some even after multiple passes. Just yesterday I recovered about 3.4GB of data from a hard drive (that I didn't know at the time was failing with bad read-heads that were pinging the disk surface and creating physically-bad sectors) that had been reformatted (full format, not quick) and re-installed. The particular sequence of apps and methods I used enabled me to recover almost all the important docs on the machine minus a handful of unrecoverable files in the physically failed sectors. The disk later crashed again after the recovery, which was when I discovered the drive was failing. The MFT and MBR were completely shot and most bootable diagnostic applications listed the disk as unreadable. Others would attempt to read the disk but showed no data, even some tools that are supposed to seek data outside the MBR by examining individual clusters. Once again by using the right tools in the right sequence, I am, as I write this, recovering data from the disk yet again (this time as a slave drive in another machine, backing up to a known good archive drive)... Looks like I'm once again going to get all the data but another handful of files that were stored on physically damaged sectors.

So, no one is pandering - please to know what you're talking about first... Yes, my ability to recover data via software tools extends even to many (but not all) software applications that are supposed to securely and irrevocably destroy data. Also, if you're insistent about staying off-topic in regards to data-destruction in the face of law enforcement, not only are all the software methods you might use to destroy data far too slow, but chances are they just won't do the trick. This was a giant concern for the U.S. Air Force after the collision of a P-3 Orion with a Chinese fighter jet, where it was forced to land in China, and NONE of the data destruction techniques available to the crew were remotely sufficient to destroy enough data in the time available to them, but even if they had been, chances are a devoted enough analyst with the proper equipment and time still would have been able to recover more data than desirable (which, since it was all highly classified, means any data at all) outside of explosives, which they had, but are not generally a good idea to detonate on the inside of a flying aircraft. Since then the U.S.A.F. has developed a method of data destruction that utilizes what is essentially a modified medical defibrillator with a somewhat greater total output and replacement of the standard shock paddles with high-strength electromagnets that are placed on both sides on the drive and then discharged, functionally flipping the polarity of the entire disk and destroying all lingering magnetically resonant harmonics.

A dedicated and determined analyst with the right tools and time can recover vast quantities of data on disk subject even to a "military format"... Modern drives and recording techniques have nothing to do with anything in this regard. The only fool-proof way is massive electromagnetic discharge, incineration or to sand or otherwise physically damage the platters themselves... To quote 'Zerth' from above, "Fe2O3+2Al is your friend." Nothing will do the job quite as readily as Thermite, however it obviously presents it's own issues... especially since setting it off to erase your hard-drives before the authorities arrive is almost certain to earn you a large number of other very serious criminal charges, and liable to burn your home or office down; it's also hard to get the stuff to ignite reliably sometimes.

I'd STILL like to hear an answer to the actual question put forth in the article... We all know that hard disks can be disassembled and forensically recovered in the case of serious failure or attempted data destruction... But a

We liked Sandblasting our RM05s

[billstewart]

Back during the Reagan Administration, when I was working as a tool of the military-industrial complex (:-), we had a VAX lab that we used for classified projects. The Army's rules for wiping disks before declassifying them said that you could either use NSA-approved software (didn't want to do the paperwork to find out if any of that was supported on our Unix versions), an NSA-approved Big Degaussing Magnet (not near *my* lab, thank you!), or physical destruction (yee-hah!)

Our disk drives were RM-05s, whi

Re:

[someone1234]

Hmm, so you practically double or treble your disk capacity, considering you can safely recover data using software tools after 1 or 2 overwrites?

Why isn't this method on the market yet ?

Re:Honk! Honk!

[Jagen]

That is a myth based on a theoretical paper. The principle is good, but you would need to know the starting voltage of each bit and exactly how many times that bit had been written to. Overwrite your files once, and they're gone, for good.

Re:

[SharpFang]

Not really - if the values are orders of magnitude apart. You pick a bunch of zeros and try to separate them in two distinct groups, "deeper zeros" and "shallow zeros". These that have been ones in previous life, and the ones that have been zeros. The groups will be quite distinct with very little/no "specimens" on the border, because the residual value from "two lives ago" has very little influence. Then you can take each of these groups and split it in half again. The difference will be much smaller but s

Re:

[Sanat]

Back in the 70's before hard drives were small enclosed devices, I had worked on a hard drive that would give old outdated data of customer's information... things like an old telephone number, or old contact names, addresses, etc.

The drive used every other cylinder with the idea of one day doubling density of the drive with the addition of a jumper wire on the track counting circuit. Well the zero track sensor was defective and so the disk was formatted twice with each interleaving the other as the first f

Re:Honk! Honk!

[Jagen]

"As someone who makes a living doing forensic recovery from drives that have been wiped please keep propagating the one overwrite myth..."

You my anonymous friend, are a no good, stinking liar. There is no software method for reading the magnetic flux levels of the bits of a hard drive as obviously the drive firmware interprets that data itself and present the 1 or 0 to you, and you do not have an ETM that can be anything like precise enough for the density of modern hard drives, and even if you did how quickly could you read the data and what could you do with it? The bits are essentially stored as analogue data so apart from what the current setting is supposed to represent (1 or 0) how do you propose to get any useful information about the history of that bit?
I can believe you recover data from drives people think they have "wiped", but if I overwrite every bit on my hard drive with garbage you are not going to get anything but garbage from it.

Re:

[misleb]

Actually with regular/magnetic drives data is not gone forever with one pass. You can still use specialized readers that will detect change in magnetic field and be able to tell whether the analyzed bit was 0 or 1 before it was overwritten.

Yes, that is the common myth. And some say it is theoretically possibly. But nobody has ever published anything that I am aware of showing it actually being done. Can you point to reports of anyone actually do it? Anyone sell these "special readers?"

That said, i think i

Re:

[William-Ely]

I work in the data recovery field and I can say that it _might_ be possible to recover overwritten data on older drives by messing with their calibration but at that point the likelihood of success has to be incredibly small. With the data density of modern drives being as high as 250Gb/in^2 you would need some serious equipment and a lot of time, money, and patience. In fact I imagine that if the data was that important that you would go to such lengths to recover it you should shoot yourself for not havin

Re:Honk! Honk!

[farkus888]

I know that is not enough to securely wipe a traditional hd. the current standard is 7 passes of random 1s and 0s. even worse than that, I have had people who formerly worked nsa tell my that really sensitive data is only considered gone when they have dismantled the drive and melted the platters in acid.

Re:

[Aardpig]

I seem to recall hearing that US spy planes have a special 'eraser' built into onboard HDDs, that behave like arc welders. Turn it on, and within less than a second the platters are completely slagged.

Re:

[farkus888]

built into the device? now that is cool! personally I've always wanted to watch one of the thermite grenade emergency data "deletions"

Re:Honk! Honk!

[FesterDaFelcher]

Not in less than a second, but all of the hard drives we used on the AWACS plane had toggle switches that would begin writing random 1s and 0s to the drive for as long as there was power applied. One complete rewrite took appox 15 seconds, and the T.O. specified flipping the switch at least 2 minutes before a catastrophic event (read: plane crash). We also had another tool for physical destruction of our equipment, commonly called an "axe". :)

Re:

[mikael]

I once heard a story that there is a layer of magnesium between the magnetic layer and the glass/aluminium platters. The entire component is sealed hermetically with inert gas. To destroy the data all that has to be done is to pull out a small plug and the oxygen in the atmosphere reacts with the magnesium to turn the drive into toaster waffles.

Re:Honk! Honk!

[uncqual]

I believe the requested feature is best implemented in the file system layer rather than the physical media layer (SSD vs. HD).

There is a good proof-of-concept available (but it currently works only for wives) that could probably be easily enhanced to implement the mother-in-law eraser function (actually, perhaps it's already there, I've not used Reiser4 much).

Re:Honk! Honk!

[segfaultcoredump]

While it is true that the data can be recovered after multiple passes, what most folks forget to mention is the level of effort required to recover such data.

Think hanging chads, but on a much larger scale.

You get to pull the disks, and start walking them with an electron microsocope looking for the 'residual' images. Then you get to make a guess as to the 'bit' being a 1 or a 0. Then you get to start assembling a filesystem on top of all of that.

Yes, it is possible, but it would take a very, very long time.

Generally speaking, overwriting the data _once_ is enough to tormet your local law enforcement agency. The level of effort required is just too much for them to deal with the issue given the other things that they need to do. (rumor has it that in the old days they could just modify the firmware to shift the drive heads over a touch, but that trick does not appear to work as much with newer drives since there is not much space between tracks anymore)

The reason that the Military/NSA/FBI/CIA want to actually destroy the disks is because even though it is _difficult_, it is still _possible_ to recover the data.

Please note that for this to work, you must overwrite the actual sectors on the disk (aka "wipe"), not just blow away the metadata (aka "delete")

Re:

[nasor]

And perhaps more importantly, there are currently no established forensic procedures for recovering data that has been overwritten. Police can't just use any random forensic procedure that they feel like - only certain established procedures can be used, and at present no such procedure exits. Which means that even if it were physically possible for the police to do it, the resulting evidence would almost surely be inadmissable in court. The NSA might take an electron microscope to your hard drive if they t

Re:

[Kjella]

The reason that the Military/NSA/FBI/CIA want to actually destroy the disks is because even though it is _difficult_, it is still _possible_ to recover the data.

And at some level, the risk/gain ratio becomes so abysmal you just destroy it anyway, even if you don't think it's possible.

Re:

[segfaultcoredump]

When dealing with the military, you also have to factor in the difficulty level of the instructions.

Which is easier:

Run this application, selecting the entire drive, following these procedures, bla, bla, bla

_or_

Smash drive into little bits

Now, you also have to take the 'fun' factor into it while you are at it. Smashing the drive is a lot more fun :-)

Re:

[gnick]

Smashing is effective and very simple. I work in areas where, if a CD needs to be destroyed, it is degaussed, crushed, and incinerated. At first, it seemed ludicrous to degauss a CD. But they use the same procedure for everything and it's (usually) very effective. Got data to be destroyed? Toss it in a burn box and it's toast. Really toast. Very effective, very easy, and basically no thought or instruction. Better for data to be accidentally destroyed than accidentally saved in some arenas.

Re:

[Gordonjcp]

Then you get to make a guess as to the 'bit' being a 1 or a 0.

That's the tricky bit. Any hard drive built in the last ten years or so won't actually write ones and zeros to the disk, but uses something like QAM to pack even more bits per symbol on. Think in terms of one nybble being represented as an analogue value from 0 to 15 - was that 6 really a 6, or is it a faint 7? Or was it a 5 that wasn't particularly strongly erased?

Overwrite each track once, and the data is gone.

Re:Honk! Honk!

[SharpFang]

The recovery services can recover data up to 4 passes deep. Thing is the magnetic orientation is not really boolean but float. So the transitions of the values of the plate surface are like (new) = (0.9*trans)+(0.1*old), so:

0->0 = 0
1->1 = 1
1->0 = 0.1
0->1 = 0.9
0.9->1 = 0.99
0.9->0 = 0.09
0.09->1 = 0.909

so you can guess the sequence of transitions from the value.

I know battery-backed RAM can't be recovered that way - it's like it was constantly writing to itself, you'll have a thousand write cycles in matter of miliseconds. I don't know how data is stored in flash though.

Makes you wonder if you could quadruple the capacity of the harddrives that way too.

References please...

[Joce640k]

Makes you wonder if you could quadruple the capacity of the harddrives that way too.

I think you just proved to us why your statement is false.

If old data is recoverable, the disk would hold more data.

Re:

[misleb]

The recovery services can recover data up to 4 passes deep.

Which 'recovery services' are these? Can you reference any authoritative reports of ANYONE recovering a meaningful amount of data even 1 pass deep?

Re:Honk! Honk!

[alen]

when i was in US Army Europe the intel guys would take the HD's out of their PC's when it was time to toss them and open them up and scrub the platters with brillo or some other wire brush to destroy the platter. The PC's would then get turned in via usuall channels.

For monitors if you wanted to process classified info it was a whole lot of paperwork because with the old CRT's you can read what is on the screen from like 3 blocks away just by the radiation they put out. ditto with Cat5. if you had a classified laptop you would have a short cat5 to a special encryption device, then cat5 out to the datacenter downstairs which had the same encryption device and then it would run out to the servers. NSA said you could read cat5 traffic from like 3 blocks away as well

Re:Honk! Honk!

[Nintendork]

I remember reading about this in regards to CRT. Here's a good article [newscientist.com]. Regarding the reading of CAT5 from a distance, I call BS. There isn't enough leakage due to the positive/negative pairs. In any case, IPSec in transport mode should be used for secure transmission on any media. No standalone device required. Even fiber can have a splitter installed for eavesdropping if the traffic isn't encrypted.

Quick and Most Secure Drive Erasing

[Nintendork]

DoD5220.22-M is what most use and is becomming old-school. That means three passes. Ones, Zeros, then Random. However, the national standard in America is NIST 800-88. Newer drives have a function built into the firmware that do a secure erase in one pass, even covering spare sectors. It's called Secure Erase or SE. The NSA likes it, rating it higher than using an external program. It meets security requirements of HIPAA, PIPEDA, GLBA, and Sarbanes-Oxley. If you want it, check into this man's [ucsd.edu] utility and its educational document [ucsd.edu].

Re:Honk! Honk!

[_KiTA_]

I'd figure the same as with regular harddisks apply. One pass and gone the data is.

Except that unlike normal HDDs, SSDs intentionally fragment the data across the drive to avoid writing to a specific section of the drive repeatedly (an attempt to avoid over-writing to the flash). Assuming you don't fill up the ENTIRE DRIVE, your data might very well still be there.

I'd love to ask Ontrack or Drivesavers about it, to be honest.

Re:

[_KiTA_]

But if you delete the file, then for example cat /dev/urandom > /mnt/sdd/largefile on the drive, it will keep 'catting' until the drive is full.
Lather, rinse, repeat...


So all I have to do is every time I want to delete a file, wait for a 15-319 gig file to write to the drive?

Woo, Thank god I get extra performance out of Solid State Drives.

In all seriousness, working in tech support, I am much less concerned about data security per say and somewhat more about "whoops, my SSD drive died, wonder if I can re

Er, what's the actual question?

[broken_chaos]

Is it "How can I recover data from a failing/failed solid-state drive?"? Or is it "How easily can someone else find my 'deleted' data on my solid-state drive?"?

I'm not sure of the answer to either question, directly, but I'd suggest multiple backups for the first one, and encryption for the second one (full/near-full disk encryption is quite fast on a multi-core system).

Pointless

[mlyle]

It appears that solid state drives are going to have several times the MTBF of conventional media, and thus a failure rate several times lower. Sure, data recovery is much less likely to work when SSDs fail-- as it's more likely to be the actual memory failing than controller chips or ancillary electronics. However, normal disk recovery places can only recover your data from a failing/failed drive perhaps 60-75% of the time. Thus, the actual incidence of unrecoverable data on a SSD is likely to be much lower than with rotating media, and the overall failure rate lower still. This is nothing but a win, as the normal data recovery rackets are made irrelevant in the case of media failure and overall reliability is improved.

Re:Pointless

[TooMuchToDo]

I agree with your post, and would like to point out that the original question is moot. Between SSD media, redundant drive systems, and autonomous remote backup platforms, you should care little about the media data recovery rate. Only care that you've put an intelligent data management system into place. Don't have a single point of failure (like the media) and you'll be fine.

Re:

[QuantumRiff]

However, if your not concerned so much about recovering your data as you are about someone else recovering your data, I would zap the chip with 110V ac current. We used to play with EEPROMS and the like in college, putting too much current to them, it literally melts the logic gates.

Re:

[TooMuchToDo]

Or wrap the SSD device with thermite, and enclose it within a fireproof safe. Poof.

Re:Pointless

[TubeSteak]

It appears that solid state drives are going to have several times the MTBF of conventional media, and thus a failure rate several times lower.

Generally speaking, solid state media don't fail. You lose sectors over time and these get replaced from the resevoir. When the resevoir runs out, the size of the available space shrinks, but AFAIK, data doesn't get corrupted when a sector gets stuck.

AFAIK, the only way you get data corruption in a SSD is from power fluctuations causing a bad write.

Re:

[Kjella]

I'm not sure which law it is, perhaps Titanic's law, but anything that's claimed to be infallible will find a way to fail on you. Redundancy is the only real answer - and preferably a lot of that too, I had two disks fail simultaniously in a RAID5.

What is the Data recovery % for non SSD drives?

[Bill, Shooter of Bul]

I realize there are "professional" companies that specialize in data recovery, but in my ( admittedly limited) experience I've only heard of sob stories of people paying $$$ and not getting any data back. On the plus side, Its always taught them to back up their data.

Re:

[sBox]

Not recovering the data you want is always a risk. In my experience I have recovered everything I've needed using a pay-for service. Expensive? Yes, but you (or your client) must weigh benefit.

Backup, backup, backup. Those that don't will pay the price. Literally.

Re:

[darthflo]

A relative of mine paid some $2500 for what probably were a few broken sectors. Years later, the recovered data (and all the stuff accumulated in between) was, without any backups, stored on the disk he got it from the recovery service. Which started failing, too.
Some people never learn.

Simple

[Kjella]

If you want security, encrypt before you store. If you want recoverability, get a real backup. Seriously, this has been this way ever since computers got fast enough to do AES on the fly against disk. Ubuntu supports it in the alternate installer, Debian and probably the rest too. On Windows various closed source software like DriveCrypt++, Bitlocker and whatnot is available. This isn't really all that difficult...

Secure erase

[trainman]

Actually my concern would be more the exact opposite, what are the implications for secure erasure of these drives? Before we could just open the drives and smash the platters if you wanted to be really paranoid. Now, do we have to make sure we find all the flash chips and ensure each one of them is destroyed? Are there other implications because of this flash memory for secure erase utilities?

If your hard drive dies and you don't have a backup, I have very little sympathy for you. You should know better. Especially anyone reading slashdot. Let's get back to our NSA fearing roots and talk about how to protect ourselves with the latest in encryption technology. ;-)

Re:

[Mr_eX9]

Well, you could take the principle behind the Etherkiller [fiftythree.org] and apply it to SATA or USB or whatever your SSD's connection is. Sending 120 volts to your flash chips should quite literally toast them, right?

Re:Secure erase

[darthflo]

If it doesn't, move to Europe. 230V will kill more.

Re:

[Firethorn]

Step 1: Find two sockets that are on different circuits.
Step 2: Verify that the circuits are on seperate phases
Step 3: Rig a cable going from hot 1 to hot 2*
Step 4: Fry circuits using etherkiller type cable@240V

Alternatively, use a dryer socket or something.

*Make sure both circuits aren't GFI, otherwise they'll pop pretty much instantly.

Re:

[ACMENEWSLLC]

Secure Delete; http://www.microsoft.com/technet/sysinternals/Security/SDelete.mspx [microsoft.com]

I use this to zero out drive space on virtual machines, which allows for their virtual drive to be shrunk.

sdelete -p 2 -z -c -s c:\

It's batch scriptable to run in %tasks% nightly.

"Delete implements the Department of Defense clearing and sanitizing standard DOD 5220.22-M, to give you confidence that once deleted with SDelete, your file data is gone forever. Note that SDelete securely deletes file data, but not file names locat

Re:

[Kjella]

If someone wanted to (already has?) invent a drive reader for a smashed up Solid State or Disk Platter drive, I'd bet that they could given enough time/money.

From what I understand, this is standard (but not cheap) service at IBAS and such, at least for hard disks. Damaged platters and such would be insane to spin up, they could fly apart and some might be already be so damaged they can't be spun around the axis. Instead they'll open the drive in a cleanroom and bring the reading head to the platter rather than the other way around. A wipe is probably more effective, at least I think IBAS will tell you to forget it if you bring them a wiped drive. What the NSA

Use the gForce

[carpe_noctem]

Ask Slashdot: For when you've got time to write up a whole paragraph, but not a 5-word google search...

Google results, which seem rather informative [google.com]

Re:Use the gForce

[carpe_noctem]

Looks like I misspoke a bit... looks like the point of this post isn't to ask something that could have been easily googled, it was for this chump to plug his blog. So, let me rephrase:

Ask Slashdot: When a slashvertisement just won't do, since you've only got yourself to sell.

Its a good thing

[mrroot]

And why is it considered a desirable effect that someone can forensically recover data that the owner indended to destroy? If SSD really does not allow data to be recovered like this, then in general thats good, IMO. Not just for legal reasons, but for any reason of privacy.

If you are concerned about protecting against data loss there are other more effective ways like implementing RAID and maintaining off-site backups.

Datarecovery of SSD drives.

[rew]

I work for www.harddisk-recovery.com .

We will gladly reverse engineer the data-distribution algorithms that the SSD device uses on a case-by-case basis. We have done so in the past for several different USB sticks. We will desolder and read the individual data-holding chips and then reverse engineer their scrambling algorithms. We will then recover your data from whatever chips still work sufficiently to provide us with some data.

The first time this will take us a few days extra. Expect about a week turnaround time the first time anyone sends us a failed SSD disk.....

Re:

[Reziac]

Very interesting, thanks. So all is not lost. :)

What does this cost, compared to recovery from conventional hard drives??

Destroying sensitive data

[Venik]

If you have any data that you may need to destroy quickly and permanently, I would suggest using DVDs. Sure, it's slow and a hassle but, when you need to get rid of a large volume of information in a hurry, you just take your DVDs and put them in a microwave for a few seconds.

The damage microwave radiation causes to the data on the DVD extends beyond visible damage to the metal layer. That is to say that, even though it may seem like there are undamaged areas left on the DVD's surface, they are still unreadable. And it only takes 2-3 seconds to completely destroy a whole stack of DVDs, if they are arranged in a microwave with some space between them. Rewriting a hard drive with multiple passes may take hours and still leaves a possibility that some data may be recovered.

It seems to me that with SSD data recovery should work better than with conventional hard drives. You may need to overwrite the entire disk multiple times, as opposed to overwriting just the selected data, as you would with a conventional hard drive.

Re:

[DarkSarin]

Yes, but what does a microwave do to a HDD? Of course, the HDD does have the reverse damage feedback spell enabled, so it will probably kill the microwave too, but if you were in a hurry to kill sensitive data, that's a risk I'd take...

Telling the gov't why your HDD was in the microwave might be a little trickier...

Re:

[Kjella]

Yes, but what does a microwave do to a HDD? Of course, the HDD does have the reverse damage feedback spell enabled, so it will probably kill the microwave too, but if you were in a hurry to kill sensitive data, that's a risk I'd take...

Little to none, I'd wager. Oh, you might manage to melt the circuit board a little but the platters will probably do just fine, at the very least you'd need to open the HDD and expose the platters to the microwaves directly. I don't think that either would work, but in any case that certainly rules out any kind of fast erasure.

The real danger is a loss of recovery companies...

[PortHaven]

My experience with Flash medium has been extremely impressive (especially versus harddrives):

I've encountered a nearly a dozen hard drive and micro-drive failures in recent years. Meanwhile, I have experienced only one partial failure of a flash device - it had a bad sector. I could extract all the rest of the data except for the file written in that sector of a 512mb Compact Flash card. So it was merely a partial loss and very small percentage. While this was enough to lead me to cease using this card,

Re:The real danger is a loss of recovery companies

[lcoughey]

Being one who is an owner of a data recovery company [recoveryforce.com], I have been contemplating the idea of writing an article about the implications of SSHD and data recovery. I guess this discussion has beaten me to it.

I have a few thoughts on this matter and will post them in point form:

1. The elimination of the clean room?
- For obvious reasons, the necessity of a clean room for solid state devices will be drastically reduced. However, due to the price and size constraints, I don't foresee the elimination of th

the effect of wear-levelling on recoverability?

[Tumbleweed]

Okay, so the new wear-levelling ability of SSDs, (where if it cannot write to a block/bit/whatever, it marks that as bad and writes somewhere else), brings a question to mind:

Let's say you have had your SSD for awhile, and some data is in areas that subsequently get marked as 'bad'. You 'format' your SSD clean, but does the format change those marked-bad bits? If not, just because they cannot be written to, doesn't necessarily mean they couldn't be READ from by some utility that ignores the marked-bad flags, in theory. So, is it possible for an SSD to have data recoverable from 'marked bad' areas, that might even pass a format/multi-write randomizing utility? Something to think about. Hopefully someone knows the answer...

Re:

[glop]

Hi,

You are correct. Hard disks have the same kind of feature I believe.
The manpage for shred (*nix utility that erases files "securely" by writing random data several times) warns about this problem if I remember correctly.
You may also find Truecrypt's documentation interesting, they list features (such as disk paging) that may cause data in RAM to be written to hard disks. They could then fall in the spare sectors and survive your efforts to shred the hard disk (computing the probability of such an event s

Re:SSDs have one infallible data recovery option

[jeffmeden]

-1, didn't read the question. He is NOT asking about how reliable the drives are, since he acknowledges that ANY media can fail. Instead, he asks about recovery options when there are no other alternatives, such as extreme disasters or criminal cases where data was intentionally lost. This is a good question, I look forward to constructive answers and the discussion that follows. Yours, however, is a dead end.

Re:SSDs have one infallible data recovery option

[sm62704]

...criminal cases where data was intentionally lost

You can completely and unretrievable wipe data from both paper and disk drives. With paper, shredding is no good but a single match or Bic will do the trick. Cheaper than a shredder, too. With a disk drive, just disassemble it and sand off all the oxide. Or alternatively, if you have a smelter or other really really hot mass of molten metal, you can just drop the thing in there. The smelter option works for CDs and tape as well.

Or you can bury it in the bridge abutment your construction company is building with tax dollars, right next to Jimmy Hoffa.

Oh oh, am I on my way to Gitmo now?

-mcgrew

(still no journal although the last one was updated Friday. Mod me down for this?)

fire insufficient in and of itself...

[Firethorn]

Having operated a makeshift incinerator a few times, I have to point out that fire can be insufficient in and of itself.

I've actually held bits of ash with legible writing still on it. I was burning old checks for my parents.

I wouldn't count it destroyed until the ashes are stirred well.

Re:

[DaveV1.0]

Most of a hard drive is made of aluminum. Disassemble, mix, and sell to local recycling plant.

Re:

[yabos]

I just feed all my shredded documents to my worms(no joke)

Re:

[TubeSteak]

When someone asks a question like: "What tools will law enforcement and government use to retrieve data for investigations and the like?"

The issue isn't just 'how do I recover data' it's also 'how do I erase it permanently'

In my experience, you can recover anything that hasn't been overwritten on a flash drive with most recovery programs.

Keep in mind, that even if you've "erased" your files, not all wipe/erase programs will delete the file & folder names from your drive. Programs like DirSnoop can recov

Re:SSDs have one infallible data recovery option

[JesseL]

One confounding aspect of trying to permanently erase things from solid state drives is the fact that most flash drives incorporate wear-leveling. You may not be able to over write specific physical sectors without just overwriting the whole drive several times.

Re:

[Zerth]

Yup, it can be extra hard to wipe a flash drive without knowledge of its particular wear-leveling algorithm. In these cases, Fe2O3+2Al is your friend.

SSDs have one infallible data erasure option

[Amiga Lover]

Which is the same infallible data erasure option for any media. Incineration.

Trusting data loss to just one delete command is being broken in the head.

Re:

[ichigo 2.0]

-1, didn't read the question. He is NOT asking about how to eliminate the drive, since he acknowledges that ANY matter can be destroyed. Instead, he asks about recovery options when there are no other alternatives, such as extreme disasters or criminal cases where data was intentionally lost. This is a good question, I look forward to constructive answers and the discussion that follows. Yours, however, is a dead end.

Re:well that makes it easy

[dotancohen]

Just put your drug deals, k1dd13 pr0n, and terrorist plans in a file called attorneyconfidential.doc.

What's wrong with attorneyconfidential.odf? Not everyone has MS Office, you insensitive clod!

Re:

[snowraver1]

Awwe, how cute! Would you like an apple shaped cookie?

Re:

[misleb]

I don't know about NAND chips , but apparently ram isn't all that "volatile" as it should be( http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html [auckland.ac.nz] [auckland.ac.nz] , part 7). If nand flash is anything like ram the ware leveling algorithms would still ruin any forensics in a system were data changes frequently.

Grr, why does everyone reference that paper and just assume it has actually been proven in teh field? That whole paper is just THEORY which has never been show to be practical, as far as I know