5

This article on thomas-krenn.com states:

Because an ATA trim will be performed by NTFS with Windows 7 or when formatting using Ext4 from mke2fs 1.41.10 or XFS from xfsprogs 3.1.0, the secure erase procedure is no longer necessary [...].

From my understanding, the SSD's garbage collector will run some time after the SSD's controller has received the trim command from the operating system, resetting all blocks to zero.

This answer and this article suggest that most controllers of SSDs will return zeros for the trimmed blocks immediately, making it impossible to retrieve data from the formatted SSD with software like testdisk or foremost:

today’s SSD controllers are designed to report a data block empty as soon as the [trim] command is received – even if the actual wipe of that block occurs at a later point. [...] Regardless of the manufacturer, you can say it for a fact that the execution of the TRIM command is a nearly 100% guarantee of file deletion.

Gubanov and Afonin mention in this 2012 paper to physically detach the SSD's controller to prevent the garbage collector from zeroing out the blocks in flash memory but go on to say that the time window for this is small:

most information is lost from an SSD drive in just a few counted minutes after the user deletes a file or issues a quick format command.

On the other hand, Wei et al. write in a footnote that

The ACS-2 draft standard provide a “TRIM” command that informs drive that a range of LBAs is no longer in use, but this does not have any reliable effect on data security.

Is it safe to assume that after formatting an SSD¹, its data is irretrievably deleted? Are there counterexamples where files were restored from the formatted drive?


¹ Given that the formatting program (e.g., mke2fs) sends the trim command and the SSD supports it.

Matthias Braun
  • 459
  • 3
  • 13
  • Different drives have different constraints and performance requirements. I wouldn't be surprised if a SLC drive erased everything immediately but an MLC drive used a bunch of tricks to pretend the blocks have been erased when they actually haven't, since block erasure is much slower on the latter. I wouldn't be surprised if many drives just put the erased block in the overprovisioning space and keep it there until it needs more free blocks, preferring to use already-erased blocks for new writes. Of course a format will affect _all_ blocks, but then the SSD may use other screwy tricks... – forest Jan 24 '21 at 22:03
  • Possibly useful tool for checking how your SSD implements TRIM: https://github.com/CyberShadow/trimcheck – forest Jan 24 '21 at 22:34

1 Answers1

5

In theory, yes.* In reality, it depends on the SSD's implementation of TRIM.

TRIM is an optimization. Its actual implementation is left up to the manufacturer. Currently, most SSD manufacturers will queue a block for erasure by the garbage collector when it is discarded by TRIM, and this erasure is considered to be irreversible when it actually happens. But it is not designed for security, and it is not guaranteed to immediately erase data, even if some drives will erase it seconds or minutes after the command is issued. Just because the feature is usually implemented in such a way that precludes data recovery does not mean it can always be relied upon to do so in all cases.

The FTL may batch TRIM commands and execute them later, sometimes way later, and there's no way to know for sure if it really has occurred. Whether or not a TRIM operation on the entire drive will trigger foreground garbage collection depends on the firmware itself, for example. Furthermore, the operating system and filesystem driver need to support TRIM for the operation. If one chain in the link does not support transferring the command to the next link in the chain, it won't work.

Finally, although there's currently no known way to recover deleted data from a flash block that has had TRIM correctly applied, it's far more likely that the data is unrecoverable if you use ATA Secure Erase which, on modern SSDs, uses SED (Secure Encrypted Drive). With SED, the entire drive is transparently encrypted, and ATA Secure Erase simply removes the SED key, rendering all of the data instantly unrecoverable. The drive can then be formatted normally with your preferred tools.


Since you asked for specific examples, here is an article in which a manufacturer does not implement TRIM in such a way that erasure will occur in a timely manner:

Instead of the original Silicon Motion controller, the new batch of PNY Optima drives had a different, SandForce-based controller known for its less-than-perfect implementation of garbage collection leaving data on the disk for a long time after it’s been deleted.

The same article makes it clear that the type of TRIM supported may also affect erasure:

However, the implementation of the Deterministic Read After Trim (DRAT) protocol by many recent SSD drives makes trimmed pages inaccessible via standard SATA commands. If a particular SSD drive implements DRAT or DZAT (Deterministic Read Zero After Trim), the actual data may physically reside on the drive for a long time, yet it will be unavailable to forensic specialists via standard acquisition techniques. Sending the SSD drive to the manufacturer might be the only way of obtaining this information on a physical level.

* Actually, even in theory the answer might be no, depending on your adversary.

Glorfindel
  • 2,263
  • 6
  • 19
  • 30
forest
  • 65,613
  • 20
  • 208
  • 262