8

I occasionally see people reference the difficulty of deleting data from an Solid State Disk. Because of the nature of SSDs (wear leveling, etc), simply writing to the same sector of the disk doesn't guarantee that it's deleted.

But modern operating systems support the ATA Trim command, which informs the SSD that the sector is no longer used by the operating system.

Does the trim command actually delete the data on the disk, or do you have to wait for the disk to do "garbage collection". If so, how long do you have to wait before the data has been cleared?

Steve Sether
  • 21,530
  • 8
  • 50
  • 76
  • 1
    Short answer: the "trim" command target is to improve SSD performance on erasing scheme, not to securely erase data. – dan Jan 07 '16 at 07:44
  • 1
    Addendum to short answer: despite TRIM not being designed to secure erase data, it does an exceptional job of doing so. Nothing short of de-soldering the flash chips out of the drive AND physically opening the flash chip, exposing the raw silicon, so you can bypass the flash chip's signal levels to 0 or 1 and replace it with probability outputs instead you have no chance of recovering anything that has had TRIM run on it. Seeing as modern OSes run TRIM all the time, your deleted data is GONE after several minutes of idle for SSD garbage collection. – BeowulfNode42 Mar 31 '19 at 16:49
  • @BeowulfNode42 TRIM makes it impossible to read the contents of wiped sectors from your OS (they will typically by zeroed-out), but the data isn't actually gone. With access to the physical chips, or the ability to put the drive in factory access mode, data can be recovered. See https://blog.elcomsoft.com/2019/01/life-after-trim-using-factory-access-mode-for-imaging-ssd-drives/ – craig65535 Feb 01 '21 at 23:05
  • 1
    @craig65535 a very good article. One additional complexity it left out, is the SSD controller will tend to leave a small number of pages in a block physically on the chips, until it makes sense, to the garbage collector, to shift any remaining valid data pages to a new block, and erase the whole block. I would change your phrase "data isn't actually gone" to be "data isn't necessarily actually gone quickly". Then change "data can be recovered" to be "some data may be recovered sometimes". However if you format an SSD, and leave it powered on for long enough your data is actually gone. – BeowulfNode42 Feb 02 '21 at 06:07
  • @BeowulfNode42 It wasn't clear to me from reading that article if the data is unrecoverable (even at the chip level/factory access mode) once the post-TRIM GC cycle is complete. Is that the case? I made a new question at https://security.stackexchange.com/q/244154 and perhaps you could weigh in – craig65535 Feb 02 '21 at 19:40
  • @BeowulfNode42 What I'm most curious about is "how long is long enough?". I know the answer is going to be "well it depends on the manufacturer", which is a true, but useless answer. In the real world, there's typical answers that at least limit the time for GC to some kind of time scale. Is the time scale hours, days, weeks, months, or years? People around here seem to like this sort of mathematically precise answers, and it gets frustrating to get "it depends" when no mathematical precision exists. Also, is there some way to TELL when GC happens, and how much? – Steve Sether Feb 07 '21 at 17:14
  • @SteveSether the only way I know to be sure, is to put the SSD in factory access mode and read the raw data (after the SSD has done error correction), to check that your data is gone. I suppose you could also monitor the power usage of the SSD and see when it's power draw reduces, as that should indicate the GC has finished. – BeowulfNode42 Feb 07 '21 at 23:50

1 Answers1

8

The trim command does not delete the data but simply marks a block of data as currently unused by the OS. It will probably return the block as zero if asked by the OS (although I don't know if this is guaranteed) but internally the data might be still there and could be extracted when accessing the flash storage directly, which is usually not possible by the OS but can often be done by computer forensic experts. When (and if at all) the block gets reused, i.e. overwritten with new data fully depends on the logic in the flash controller and how much data get written at all and how much this block was written already. Since a block of flash will wear out after too much writes the controllers usually prefers to write "fresher" blocks first and thus it can take a long time before a block gets reused for writing.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
  • 2
    My understanding if that to re-write to an SSD sector, it has to be first erased before being written to. One of the points of the trim command is to mark the sector ready to be erased, (and hopefully eventually actually erase the sector). So the question is really about how often firmware actually erases sectors that have been trimmed. – Steve Sether Jan 07 '16 at 03:29
  • 1
    @SteveSether: It is true that a flash segment has to be erased before any writes can be done to it but flash segments don't map 1:1 to OS blocks. Thus I think it depends on the firmware on the SSD drive and where the freed block is internally relative to existing free blocks (i.e. which flash segment). The OS has no control when this will be erased and I don't think that you can get any kind of guarantees when and if at all the blocks gets erased. – Steffen Ullrich Jan 07 '16 at 05:39
  • 1
    A block on SSD won't be erased "if asked by the OS". The OS doesn't have control on the SSD allocation scheme. A block on SSD will be erased based upon the internal SSD scheme. This scheme will erase consecutive set of blocks (128 or 512kB at a time), to make them **ready for the next write**. It is this SSD internal scheduling which determines when old data is **securely erased**. – dan Jan 07 '16 at 07:41
  • 1
    @SteffenUllrich depending on the internal implementation of the SSD, blocks marked with trim may also be immediately or periodically [erased by the SSD garbage collection mechanism](https://articles.forensicfocus.com/2014/09/23/recovering-evidence-from-ssd-drives-in-2014-understanding-trim-garbage-collection-and-exclusions/#_Toc393289147). – Enos D'Andrea Apr 11 '18 at 06:00
  • @danielAzuelos SSD internal algorithms only overwrite data, they do not normally "securely erase" it, because the latter whould require multiple overwrites with random data which would reduce performances and prematurely wear out the cells. A forensic expert with the proper equipment may in theory still be able to retrieve voltage differences between zeroed ones and zeroed zeros. – Enos D'Andrea Apr 12 '18 at 03:03
  • 2
    @EnosD'Andrea - According to an article published by BelkaSoft (https://belkasoft.com/download/info/SSD%20Forensics%202012.pdf), it suggests that TRIM deletes data permanently and cannot be recovered. – Motivated Jan 07 '19 at 06:40
  • @Motivated Did you read the whole document? It states "in most modern SSDs" and "the TRIM command [...] adds them to a queue of pending blocks for being cleared by the garbage collector". So not all blocks and not immediately. – Enos D'Andrea Oct 05 '19 at 08:37
  • If https://blog.elcomsoft.com/2019/01/life-after-trim-using-factory-access-mode-for-imaging-ssd-drives/ is to be believed, TRIM makes it impossible to read the contents of wiped sectors from your OS (they will typically by zeroed-out), but the data isn't actually gone. With access to the physical chips, or the ability to put the drive in factory access mode, data can be recovered. – craig65535 Feb 01 '21 at 23:09