Slashdot Mirror
Data Recovery & Solid State
theoverlay writes "With all of the recent hype about solid-state drives in both consumer applications and enterprise environments I have a real concern about data recovery on these devices. I know there are services for flash memory restoration but has anyone been involved in data restoration projects on ssd drives? What are the limits and circumstances that have surfaced so far? What tools will law enforcement and government use to retrieve data for investigations and the like?"
-1, didn't read the question. He is NOT asking about how reliable the drives are, since he acknowledges that ANY media can fail. Instead, he asks about recovery options when there are no other alternatives, such as extreme disasters or criminal cases where data was intentionally lost. This is a good question, I look forward to constructive answers and the discussion that follows. Yours, however, is a dead end.
Actually with regular/magnetic drives data is not gone forever with one pass. You can still use specialized readers that will detect change in magnetic field and be able to tell whether the analyzed bit was 0 or 1 before it was overwritten.
Not recovering the data you want is always a risk. In my experience I have recovered everything I've needed using a pay-for service. Expensive? Yes, but you (or your client) must weigh benefit.
Backup, backup, backup. Those that don't will pay the price. Literally.
That may have worked with old drives, forensics experts tell me these MFM/RLL things, but with modern drives and the used recording tech, it's practically impossible. But hey, keep pandering to these myths.
That is a myth based on a theoretical paper. The principle is good, but you would need to know the starting voltage of each bit and exactly how many times that bit had been written to. Overwrite your files once, and they're gone, for good.
Looks like I misspoke a bit... looks like the point of this post isn't to ask something that could have been easily googled, it was for this chump to plug his blog. So, let me rephrase:
Ask Slashdot: When a slashvertisement just won't do, since you've only got yourself to sell.
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
The recovery services can recover data up to 4 passes deep. Thing is the magnetic orientation is not really boolean but float. So the transitions of the values of the plate surface are like (new) = (0.9*trans)+(0.1*old), so:
0->0 = 0
1->1 = 1
1->0 = 0.1
0->1 = 0.9
0.9->1 = 0.99
0.9->0 = 0.09
0.09->1 = 0.909
so you can guess the sequence of transitions from the value.
I know battery-backed RAM can't be recovered that way - it's like it was constantly writing to itself, you'll have a thousand write cycles in matter of miliseconds. I don't know how data is stored in flash though.
Makes you wonder if you could quadruple the capacity of the harddrives that way too.
45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
One confounding aspect of trying to permanently erase things from solid state drives is the fact that most flash drives incorporate wear-leveling. You may not be able to over write specific physical sectors without just overwriting the whole drive several times.
"Prefiero morir de pie que vivir siempre arrodillado!"
AFAIK, the only way you get data corruption in a SSD is from power fluctuations causing a bad write.
[Fuck Beta]
o0t!
Not in less than a second, but all of the hard drives we used on the AWACS plane had toggle switches that would begin writing random 1s and 0s to the drive for as long as there was power applied. One complete rewrite took appox 15 seconds, and the T.O. specified flipping the switch at least 2 minutes before a catastrophic event (read: plane crash). We also had another tool for physical destruction of our equipment, commonly called an "axe". :)
My user number is prime. Is yours?
You and the troll above completely missed the point. Did you even read the post?
The submitter wants to know what tools are available to recover data from a SSD, not how to protect data. What tools do or will law enforcement use to recover data from an SSD? Does a criminal simply need to switch to using SSD and simply erase the data, then write over the disk once more and everything is completely gone forever, no chance of recovery?
Here's the relevant part of new epilogue: Looking at this from the other point of view, with the ever-increasing data density on disk platters and a corresponding reduction in feature size and use of exotic techniques to record data on the medium, it's unlikely that anything can be recovered from any recent drive except perhaps a single level via basic error-cancelling techniques. In particular the drives in use at the time that this paper was originally written have mostly fallen out of use, so the methods that applied specifically to the older, lower-density technology don't apply any more. In fact, the same man has written paper that somewhat addresses the original question regarding forensic recovery of erased data in sold-state memory for usenix 2001.
When information is power, privacy is freedom.
DoD5220.22-M is what most use and is becomming old-school. That means three passes. Ones, Zeros, then Random. However, the national standard in America is NIST 800-88. Newer drives have a function built into the firmware that do a secure erase in one pass, even covering spare sectors. It's called Secure Erase or SE. The NSA likes it, rating it higher than using an external program. It meets security requirements of HIPAA, PIPEDA, GLBA, and Sarbanes-Oxley. If you want it, check into this man's utility and its educational document.
Overwriting with a single pass of /dev/urandom will only make recovery very labour intensive and hugely expensive, but not impossible.
Two wipes makes it harder still. It is a statistics game, each write makes the odds go down (and steeply at that) that the data can be recovered.
Anyway, wiping once is not enough to keep our lab from looking at your pr0n.
Being one who is an owner of a data recovery company, I have been contemplating the idea of writing an article about the implications of SSHD and data recovery. I guess this discussion has beaten me to it.
I have a few thoughts on this matter and will post them in point form:
1. The elimination of the clean room?
- For obvious reasons, the necessity of a clean room for solid state devices will be drastically reduced. However, due to the price and size constraints, I don't foresee the elimination of the traditional hard drive for some time to come. Of course, that could be 5 years or 15 years, depending on industry trends.
2. The stability of solid state hard drives?
- I'd say that SSHD are more stable from the perspective of being bumped around. However, a simple power surge could render the data lost forever. This is where the traditional drive has a hope. The electronics can be toast, but the data is still on the platters.
- To the most part, traditional hard drives show signs of dying before they completely crash where a SSHD is going to work or not work, with the exception of failing bits.
3. Will SSHDs be the data recovery lab killer?
- I doubt it. It is true that hardware failure is the number one reason for data loss. But, a close second is human failure and I believe that will never change. So, the SSHD may become a more stable drive, but it won't be the end of data loss. If anything at all, the SSHD technology will create more false security, making for more critical data loss.
4. Will SSHDs affect the cost of data recovery?
- I suspect that we will see three different quotes for these devices: 1. around $500, 2. around $2000 and 3. unrecoverable.
All in all, I am excited about the technology and look forward to putting my first 250GB SSHD into my MacBook Pro. But, until we see the prices drop and the capacities increase, we won't be seeing these drives in anything other than a few overpaid executive's laptops.
FWIW - a data zero does not produce a string of zeros on disk. The encoding mechanism is a lot more complicated than that. It's not random, but it isn't anywhere near that straightforward either.
When information is power, privacy is freedom.
I'd consider seagate a little more than a handful.
I call shennanigans. Recovery after thermite? Not a chance.
Any ferrous material brought above the Curie Point is no longer magnetic, and looses any magnetism it had prior to heating. You can test this yourself with a magnet, a butter knife and a blowtorch. No matter what combination of iron and impurities your drive surface has, its Curie Point is easily below the temperature of molten iron - the product of your thermite reaction.
So even if the discs were heated by thermite, rather than just plain destroyed, it's unlikely that the heating would allow any data to survive unless the iron was already pretty cold.
That said, this was a surveillance plane flying over a foreign country in a (presumably) covert fashion. If it had such a self-destruct, it would be a mil-spec component. In case of a crash, I doubt there would be much of a plane left, let alone drive platter pieces to be recovered.
-1, didn't read the question. He is NOT asking about how to eliminate the drive, since he acknowledges that ANY matter can be destroyed. Instead, he asks about recovery options when there are no other alternatives, such as extreme disasters or criminal cases where data was intentionally lost. This is a good question, I look forward to constructive answers and the discussion that follows. Yours, however, is a dead end.
Our disk drives were RM-05s, which had stacks of a dozen or so 14" platters. Most computer administrators had one on their wall showing the effects of a head crash, with various tracks scraped into the oxide finish. I was no longer running the lab when we decommissioned the VAX, but my successor got to take the disks down to the machine shop in the basement to have them sandblasted. The platter on her wall didn't have any oxide left - it was smooth and shiny metal.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I remember reading about this in regards to CRT. Here's a good article. Regarding the reading of CAT5 from a distance, I call BS. There isn't enough leakage due to the positive/negative pairs. In any case, IPSec in transport mode should be used for secure transmission on any media. No standalone device required. Even fiber can have a splitter installed for eavesdropping if the traffic isn't encrypted.
"As someone who makes a living doing forensic recovery from drives that have been wiped please keep propagating the one overwrite myth..."
You my anonymous friend, are a no good, stinking liar. There is no software method for reading the magnetic flux levels of the bits of a hard drive as obviously the drive firmware interprets that data itself and present the 1 or 0 to you, and you do not have an ETM that can be anything like precise enough for the density of modern hard drives, and even if you did how quickly could you read the data and what could you do with it? The bits are essentially stored as analogue data so apart from what the current setting is supposed to represent (1 or 0) how do you propose to get any useful information about the history of that bit?
I can believe you recover data from drives people think they have "wiped", but if I overwrite every bit on my hard drive with garbage you are not going to get anything but garbage from it.
Actually I sat in on an ACM lecture where a digital forensics professor from the University of New Orleans was asked this same question. He said that SSDs pose a new problem to forensics, and that further research into this field was required.