Slashdot Mirror


Data Recovery & Solid State

theoverlay writes "With all of the recent hype about solid-state drives in both consumer applications and enterprise environments I have a real concern about data recovery on these devices. I know there are services for flash memory restoration but has anyone been involved in data restoration projects on SSD drives? What are the limits and circumstances that have surfaced so far? What tools will law enforcement and government use to retrieve data for investigations and the like?"

43 of 249 comments

  1. Such tools as... by Anonymous Coward · · Score: 5, Funny

    What tools will law enforcement and government use to retrieve data for investigations and the like?"

    Waterboarding, tasers, sleep deprivation, bright lights and loud obnoxious music.

    1. Re:Such tools as... by Anonymous Coward · · Score: 5, Funny

      I like loud obnoxious music you insensitive clod!

    2. Re:Such tools as... by urcreepyneighbor · · Score: 5, Funny

      Waterboarding, tasers, sleep deprivation, bright lights and loud obnoxious music.

      Sounds like my last date. :(
      --
      "The fight for freedom has only just begun." - Geert Wilders
    3. Re:Such tools as... by ari_j · · Score: 4, Funny

      No wonder she never called back.

    4. Re:Such tools as... by Nodamnnicknamesavial · · Score: 4, Funny

      Wow, Kenny G will have a busy schedule for the next few years.

      --
      I have spoken'eth.
  2. Honk! Honk! by tripwirecc · · Score: 3, Funny

    I'd figure the same as with regular harddisks apply. One pass and gone the data is.

    1. Re:Honk! Honk! by Vicarius · · Score: 4, Informative

      Actually with regular/magnetic drives data is not gone forever with one pass. You can still use specialized readers that will detect change in magnetic field and be able to tell whether the analyzed bit was 0 or 1 before it was overwritten.

    2. Re:Honk! Honk! by farkus888 · · Score: 5, Insightful

      I know that is not enough to securely wipe a traditional hd. the current standard is 7 passes of random 1s and 0s. even worse than that, I have had people who formerly worked at nsa tell me that really sensitive data is only considered gone when they have dismantled the drive and melted the platters in acid.

      --
      thats right, I rarely use capitals. deal with it. but don't mistake my laziness for stupidity
    3. Re:Honk! Honk! by tripwirecc · · Score: 5, Informative

      That may have worked with old drives, forensics experts tell me these MFM/RLL things, but with modern drives and the used recording tech, it's practically impossible. But hey, keep pandering to these myths.

    4. Re:Honk! Honk! by Jagen · · Score: 5, Informative

      That is a myth based on a theoretical paper. The principle is good, but you would need to know the starting voltage of each bit and exactly how many times that bit had been written to. Overwrite your files once, and they're gone, for good.

    5. Re:Honk! Honk! by _KiTA_ · · Score: 5, Insightful

      I'd figure the same as with regular harddisks apply. One pass and gone the data is.

      Except that unlike normal HDDs, SSDs intentionally fragment the data across the drive to avoid writing to a specific section of the drive repeatedly (an attempt to avoid over-writing to the flash). Assuming you don't fill up the ENTIRE DRIVE, your data might very well still be there.

      I'd love to ask Ontrack or Drivesavers about it, to be honest.

    6. Re:Honk! Honk! by segfaultcoredump · · Score: 5, Interesting

      While it is true that the data can be recovered after multiple passes, what most folks forget to mention is the level of effort required to recover such data.

      Think hanging chads, but on a much larger scale.

      You get to pull the disks, and start walking them with an electron microscope looking for the 'residual' images. Then you get to make a guess as to the 'bit' being a 1 or a 0. Then you get to start assembling a filesystem on top of all of that.

      Yes, it is possible, but it would take a very, very long time.

      Generally speaking, overwriting the data _once_ is enough to torment your local law enforcement agency. The level of effort required is just too much for them to deal with the issue given the other things that they need to do. (rumor has it that in the old days they could just modify the firmware to shift the drive heads over a touch, but that trick does not appear to work as much with newer drives since there is not much space between tracks anymore)

      The reason that the Military/NSA/FBI/CIA want to actually destroy the disks is because even though it is _difficult_, it is still _possible_ to recover the data.

      Please note that for this to work, you must overwrite the actual sectors on the disk (aka "wipe"), not just blow away the metadata (aka "delete")

    7. Re:Honk! Honk! by SharpFang · · Score: 3, Informative

      The recovery services can recover data up to 4 passes deep. Thing is the magnetic orientation is not really boolean but float. So the transitions of the values of the plate surface are like (new) = (0.9*trans)+(0.1*old), so:

      0->0 = 0
      1->1 = 1
      1->0 = 0.1
      0->1 = 0.9
      0.9->1 = 0.99
      0.9->0 = 0.09
      0.09->1 = 0.909

      so you can guess the sequence of transitions from the value.

      I know battery-backed RAM can't be recovered that way - it's like it was constantly writing to itself, you'll have a thousand write cycles in a matter of milliseconds. I don't know how data is stored in flash though.

      Makes you wonder if you could quadruple the capacity of the harddrives that way too.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
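The transition model in the comment above, worked through as an added example (not part of the original thread or the commenter's own code): it builds the residual level from a write history using the 0.9/0.1 weighting, inverts it newest-first, and measures how read noise limits the recoverable depth. The function names and the 1% noise figure are assumptions chosen for illustration.

```python
# Toy model from the comment: each write leaves new = 0.9*bit + 0.1*old.
# This is the comment's idealised model, not a measurement of any real drive.
import random

ALPHA = 0.9  # weight of the newly written bit, as in the comment


def write_history(bits, start=0.0):
    """Apply writes (oldest first) and return the resulting analog level."""
    level = start
    for b in bits:
        level = ALPHA * b + (1 - ALPHA) * level
    return level


def peel(level, depth):
    """Invert the model: return up to `depth` bits, newest first."""
    out = []
    for _ in range(depth):
        bit = 1 if level >= 0.5 else 0
        out.append(bit)
        # Remove the newest write and rescale what is left of the older ones.
        # Any measurement error is multiplied by 1/(1-ALPHA) = 10 at each step.
        level = (level - ALPHA * bit) / (1 - ALPHA)
    return out


def accuracy_by_depth(noise_sd, depth=4, trials=2000, seed=1):
    """Fraction of correctly recovered bits per layer, newest layer first."""
    rng = random.Random(seed)
    correct = [0] * depth
    for _ in range(trials):
        bits = [rng.randint(0, 1) for _ in range(depth)]   # constructed history
        measured = write_history(bits) + rng.gauss(0, noise_sd)
        guess = peel(measured, depth)
        truth = bits[::-1]                                  # newest first
        for i in range(depth):
            correct[i] += guess[i] == truth[i]
    return [c / trials for c in correct]


if __name__ == "__main__":
    print("level after writes 1,0,1:", round(write_history([1, 0, 1]), 6))
    print("peeled from 0.909:", peel(0.909, 3))
    for sd in (0.0, 0.001, 0.01):
        print("noise", sd, "->", accuracy_by_depth(sd))
```

Under this model a read error of 1% of full scale leaves the current bit and the one before it readable, while the third layer back is mostly guesswork and the fourth is a coin flip.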
    8. Re:Honk! Honk! by alen · · Score: 4, Interesting

      when i was in US Army Europe the intel guys would take the HD's out of their PC's when it was time to toss them and open them up and scrub the platters with brillo or some other wire brush to destroy the platter. The PC's would then get turned in via usual channels.

      For monitors if you wanted to process classified info it was a whole lot of paperwork because with the old CRT's you can read what is on the screen from like 3 blocks away just by the radiation they put out. ditto with Cat5. if you had a classified laptop you would have a short cat5 to a special encryption device, then cat5 out to the datacenter downstairs which had the same encryption device and then it would run out to the servers. NSA said you could read cat5 traffic from like 3 blocks away as well

    9. Re:Honk! Honk! by Hal_Porter · · Score: 5, Funny

      How do we know you're not an NSA mole, paid to persuade us that one pass is enough? Or maybe your experts are NSA moles and they've tricked you.

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    10. Re:Honk! Honk! by FesterDaFelcher · · Score: 4, Informative

      Not in less than a second, but all of the hard drives we used on the AWACS plane had toggle switches that would begin writing random 1s and 0s to the drive for as long as there was power applied. One complete rewrite took approx 15 seconds, and the T.O. specified flipping the switch at least 2 minutes before a catastrophic event (read: plane crash). We also had another tool for physical destruction of our equipment, commonly called an "axe". :)

      --
      My user number is prime. Is yours?
    11. Re:Honk! Honk! by Anonymous Coward · · Score: 4, Insightful

      You're citing a 1996 paper when discussing modern HDDs?

    12. Re:Honk! Honk! by uncqual · · Score: 4, Funny

      I believe the requested feature is best implemented in the file system layer rather than the physical media layer (SSD vs. HD).

      There is a good proof-of-concept available (but it currently works only for wives) that could probably be easily enhanced to implement the mother-in-law eraser function (actually, perhaps it's already there, I've not used Reiser4 much).

      --
      Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
    13. Re:Honk! Honk! by Jah-Wren+Ryel · · Score: 5, Informative

      You are wrong, in fact the small feature size of modern HDD's actually makes it easier in some cases as the smaller magnetic domains are harder to flip so even small changes in alignment will mean that recoverable data will be left behind.

      You are wrong. You should have cited the author's follow-up to the original paper, like I just did.

      Here's the relevant part of new epilogue:

      Looking at this from the other point of view, with the ever-increasing data density on disk platters and a corresponding reduction in feature size and use of exotic techniques to record data on the medium, it's unlikely that anything can be recovered from any recent drive except perhaps a single level via basic error-cancelling techniques. In particular the drives in use at the time that this paper was originally written have mostly fallen out of use, so the methods that applied specifically to the older, lower-density technology don't apply any more.

      In fact, the same man has written a paper that somewhat addresses the original question regarding forensic recovery of erased data in solid-state memory for USENIX 2001.
      --
      When information is power, privacy is freedom.
    14. Re:Honk! Honk! by Firethorn · · Score: 3, Interesting

      I figure the requirements for a 21 pass overwrite scheme is still a requirement for sanitizing government drives for a reason.

      Is it overkill? Certainly. But apparently 3 passes isn't considered enough.

      Now, a simple overwrite is considered sufficient for flash, so we do have some standards.

      --
      I don't read AC A human right
    15. Re:Honk! Honk! by William-Ely · · Score: 3, Insightful

      I work in the data recovery field and I can say that it _might_ be possible to recover overwritten data on older drives by messing with their calibration but at that point the likelihood of success has to be incredibly small. With the data density of modern drives being as high as 250Gb/in^2 you would need some serious equipment and a lot of time, money, and patience. In fact I imagine that if the data was that important that you would go to such lengths to recover it you should shoot yourself for not having a backup of it somewhere.

      The recovery process for SSD media is actually similar to normal flash memory. In fact it's easier than normal drives since there are no heads and platters to worry about. So yes deleted files can still be recovered and drive scrubbing utilities will still work as intended.

      --
      Mod me down with all of your hatred, and your journey towards the dark side will be complete!
    16. Re:Honk! Honk! by s13g3 · · Score: 3, Insightful

      How in the name of CowboyNeal did parent get modded as +5 Informative?

      I recover deleted data WITHOUT a clean room or disk disassembly process on a nigh-daily basis. There are plenty of software tools that will recover data post-format, deletion, or crash; some even after multiple passes. Just yesterday I recovered about 3.4GB of data from a hard drive (that I didn't know at the time was failing with bad read-heads that were pinging the disk surface and creating physically-bad sectors) that had been reformatted (full format, not quick) and re-installed. The particular sequence of apps and methods I used enabled me to recover almost all the important docs on the machine minus a handful of unrecoverable files in the physically failed sectors. The disk later crashed again after the recovery, which was when I discovered the drive was failing. The MFT and MBR were completely shot and most bootable diagnostic applications listed the disk as unreadable. Others would attempt to read the disk but showed no data, even some tools that are supposed to seek data outside the MBR by examining individual clusters. Once again by using the right tools in the right sequence, I am, as I write this, recovering data from the disk yet again (this time as a slave drive in another machine, backing up to a known good archive drive)... Looks like I'm once again going to get all the data but another handful of files that were stored on physically damaged sectors.

      So, no one is pandering - please to know what you're talking about first... Yes, my ability to recover data via software tools extends even to many (but not all) software applications that are supposed to securely and irrevocably destroy data. Also, if you're insistent about staying off-topic in regards to data-destruction in the face of law enforcement, not only are all the software methods you might use to destroy data far too slow, but chances are they just won't do the trick. This was a giant concern for the U.S. Air Force after the collision of a P-3 Orion with a Chinese fighter jet, where it was forced to land in China, and NONE of the data destruction techniques available to the crew were remotely sufficient to destroy enough data in the time available to them, but even if they had been, chances are a devoted enough analyst with the proper equipment and time still would have been able to recover more data than desirable (which, since it was all highly classified, means any data at all) outside of explosives, which they had, but are not generally a good idea to detonate on the inside of a flying aircraft. Since then the U.S.A.F. has developed a method of data destruction that utilizes what is essentially a modified medical defibrillator with a somewhat greater total output and replacement of the standard shock paddles with high-strength electromagnets that are placed on both sides on the drive and then discharged, functionally flipping the polarity of the entire disk and destroying all lingering magnetically resonant harmonics.

      A dedicated and determined analyst with the right tools and time can recover vast quantities of data on disk subject even to a "military format"... Modern drives and recording techniques have nothing to do with anything in this regard. The only fool-proof way is massive electromagnetic discharge, incineration or to sand or otherwise physically damage the platters themselves... To quote 'Zerth' from above, "Fe2O3+2Al is your friend." Nothing will do the job quite as readily as Thermite, however it obviously presents its own issues... especially since setting it off to erase your hard-drives before the authorities arrive is almost certain to earn you a large number of other very serious criminal charges, and liable to burn your home or office down; it's also hard to get the stuff to ignite reliably sometimes.

      I'd STILL like to hear an answer to the actual question put forth in the article... We all know that hard disks can be disassembled and forensically recovered in the case of serious failure or attempted data destruction... But a

      --
      "Inveniemus Viam Aut Faciemus" 'We will find a way... Or we will make one!' --Hannibal of Carthage
    17. Re:Honk! Honk! by Nintendork · · Score: 4, Informative

      I remember reading about this in regards to CRT. Here's a good article. Regarding the reading of CAT5 from a distance, I call BS. There isn't enough leakage due to the positive/negative pairs. In any case, IPSec in transport mode should be used for secure transmission on any media. No standalone device required. Even fiber can have a splitter installed for eavesdropping if the traffic isn't encrypted.

    18. Re:Honk! Honk! by Jagen · · Score: 3, Informative

      "As someone who makes a living doing forensic recovery from drives that have been wiped please keep propagating the one overwrite myth..."

      You my anonymous friend, are a no good, stinking liar. There is no software method for reading the magnetic flux levels of the bits of a hard drive as obviously the drive firmware interprets that data itself and presents the 1 or 0 to you, and you do not have an ETM that can be anything like precise enough for the density of modern hard drives, and even if you did how quickly could you read the data and what could you do with it? The bits are essentially stored as analogue data so apart from what the current setting is supposed to represent (1 or 0) how do you propose to get any useful information about the history of that bit?
      I can believe you recover data from drives people think they have "wiped", but if I overwrite every bit on my hard drive with garbage you are not going to get anything but garbage from it.

  3. Er, what's the actual question? by broken_chaos · · Score: 3, Insightful

    Is it "How can I recover data from a failing/failed solid-state drive?"? Or is it "How easily can someone else find my 'deleted' data on my solid-state drive?"?

    I'm not sure of the answer to either question, directly, but I'd suggest multiple backups for the first one, and encryption for the second one (full/near-full disk encryption is quite fast on a multi-core system).

  4. Pointless by mlyle · · Score: 4, Interesting

    It appears that solid state drives are going to have several times the MTBF of conventional media, and thus a failure rate several times lower. Sure, data recovery is much less likely to work when SSDs fail-- as it's more likely to be the actual memory failing than controller chips or ancillary electronics. However, normal disk recovery places can only recover your data from a failing/failed drive perhaps 60-75% of the time. Thus, the actual incidence of unrecoverable data on a SSD is likely to be much lower than with rotating media, and the overall failure rate lower still. This is nothing but a win, as the normal data recovery rackets are made irrelevant in the case of media failure and overall reliability is improved.

    1. Re:Pointless by TooMuchToDo · · Score: 4, Insightful

      I agree with your post, and would like to point out that the original question is moot. Between SSD media, redundant drive systems, and autonomous remote backup platforms, you should care little about the media data recovery rate. Only care that you've put an intelligent data management system into place. Don't have a single point of failure (like the media) and you'll be fine.

    2. Re:Pointless by TubeSteak · · Score: 4, Informative

      It appears that solid state drives are going to have several times the MTBF of conventional media, and thus a failure rate several times lower.

      Generally speaking, solid state media don't fail. You lose sectors over time and these get replaced from the reservoir. When the reservoir runs out, the size of the available space shrinks, but AFAIK, data doesn't get corrupted when a sector gets stuck.

      AFAIK, the only way you get data corruption in a SSD is from power fluctuations causing a bad write.
      --
      [Fuck Beta]
      o0t!
  5. Re:SSDs have one infallible data recovery option by jeffmeden · · Score: 5, Informative

    -1, didn't read the question. He is NOT asking about how reliable the drives are, since he acknowledges that ANY media can fail. Instead, he asks about recovery options when there are no other alternatives, such as extreme disasters or criminal cases where data was intentionally lost. This is a good question, I look forward to constructive answers and the discussion that follows. Yours, however, is a dead end.

  6. Simple by Kjella · · Score: 4, Insightful

    If you want security, encrypt before you store. If you want recoverability, get a real backup. Seriously, this has been this way ever since computers got fast enough to do AES on the fly against disk. Ubuntu supports it in the alternate installer, Debian and probably the rest too. On Windows various closed source software like DriveCrypt++, Bitlocker and whatnot is available. This isn't really all that difficult...

    --
    Live today, because you never know what tomorrow brings
  7. Secure erase by trainman · · Score: 5, Interesting

    Actually my concern would be more the exact opposite, what are the implications for secure erasure of these drives? Before we could just open the drives and smash the platters if you wanted to be really paranoid. Now, do we have to make sure we find all the flash chips and ensure each one of them is destroyed? Are there other implications because of this flash memory for secure erase utilities?

    If your hard drive dies and you don't have a backup, I have very little sympathy for you. You should know better. Especially anyone reading slashdot. Let's get back to our NSA fearing roots and talk about how to protect ourselves with the latest in encryption technology. ;-)

    1. Re:Secure erase by darthflo · · Score: 3, Funny

      If it doesn't, move to Europe. 230V will kill more.

  8. Use the gForce by carpe_noctem · · Score: 5, Funny

    Ask Slashdot: For when you've got time to write up a whole paragraph, but not a 5-word google search...

    Google results, which seem rather informative

    --
    "Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
    1. Re:Use the gForce by carpe_noctem · · Score: 4, Informative

      Looks like I misspoke a bit... looks like the point of this post isn't to ask something that could have been easily googled, it was for this chump to plug his blog. So, let me rephrase:

      Ask Slashdot: When a slashvertisement just won't do, since you've only got yourself to sell.

      --
      "Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
  9. Re:SSDs have one infallible data recovery option by JesseL · · Score: 5, Informative

    One confounding aspect of trying to permanently erase things from solid state drives is the fact that most flash drives incorporate wear-leveling. You may not be able to over write specific physical sectors without just overwriting the whole drive several times.

    --
    "Prefiero morir de pie que vivir siempre arrodillado!"
  10. SSDs have one infallible data erasure option by Amiga+Lover · · Score: 4, Insightful

    Which is the same infallible data erasure option for any media. Incineration.

    Trusting data loss to just one delete command is being broken in the head.

  11. Datarecovery of SSD drives. by rew · · Score: 5, Interesting

    I work for www.harddisk-recovery.com .

    We will gladly reverse engineer the data-distribution algorithms that the SSD device uses on a case-by-case basis. We have done so in the past for several different USB sticks. We will desolder and read the individual data-holding chips and then reverse engineer their scrambling algorithms. We will then recover your data from whatever chips still work sufficiently to provide us with some data.

    The first time this will take us a few days extra. Expect about a week turnaround time the first time anyone sends us a failed SSD disk.....

  12. Destroying sensitive data by Venik · · Score: 3, Insightful

    If you have any data that you may need to destroy quickly and permanently, I would suggest using DVDs. Sure, it's slow and a hassle but, when you need to get rid of a large volume of information in a hurry, you just take your DVDs and put them in a microwave for a few seconds.

    The damage microwave radiation causes to the data on the DVD extends beyond visible damage to the metal layer. That is to say that, even though it may seem like there are undamaged areas left on the DVD's surface, they are still unreadable. And it only takes 2-3 seconds to completely destroy a whole stack of DVDs, if they are arranged in a microwave with some space between them. Rewriting a hard drive with multiple passes may take hours and still leaves a possibility that some data may be recovered.

    It seems to me that with SSD data recovery should work better than with conventional hard drives. You may need to overwrite the entire disk multiple times, as opposed to overwriting just the selected data, as you would with a conventional hard drive.

  13. Re:SSDs have one infallible data recovery option by sm62704 · · Score: 4, Funny

    ...criminal cases where data was intentionally lost

    You can completely and unretrievably wipe data from both paper and disk drives. With paper, shredding is no good but a single match or Bic will do the trick. Cheaper than a shredder, too. With a disk drive, just disassemble it and sand off all the oxide. Or alternatively, if you have a smelter or other really really hot mass of molten metal, you can just drop the thing in there. The smelter option works for CDs and tape as well.

    Or you can bury it in the bridge abutment your construction company is building with tax dollars, right next to Jimmy Hoffa.

    Oh oh, am I on my way to Gitmo now?

    -mcgrew

    (still no journal although the last one was updated Friday. Mod me down for this?)

    --
    mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
  14. Re:not impossible by smooth+wombat · · Score: 3, Interesting

    where the data was overwritten, and then melted with thermite.

    WHAT?!!!! I'm hoping I'm parsing your sentence incorrectly because any hard drive subjected to thermite becomes nothing but a puddle of molten then solidified metal.

    What I'm hoping you meant to say was that even though the hard drives in our surveillance plane had been subjected to thermite, parts of the drives remained intact enough so the data on the unmelted parts could be retrieved despite the data also having been overwritten.

    Allow/Deny?

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  15. Quick and Most Secure Drive Erasing by Nintendork · · Score: 4, Informative

    DoD5220.22-M is what most use and is becoming old-school. That means three passes. Ones, Zeros, then Random. However, the national standard in America is NIST 800-88. Newer drives have a function built into the firmware that does a secure erase in one pass, even covering spare sectors. It's called Secure Erase or SE. The NSA likes it, rating it higher than using an external program. It meets security requirements of HIPAA, PIPEDA, GLBA, and Sarbanes-Oxley. If you want it, check into this man's utility and its educational document.

  16. Re:The real danger is a loss of recovery companies by lcoughey · · Score: 3, Informative

    Being one who is an owner of a data recovery company, I have been contemplating the idea of writing an article about the implications of SSHD and data recovery. I guess this discussion has beaten me to it.

    I have a few thoughts on this matter and will post them in point form:

    1. The elimination of the clean room?
    - For obvious reasons, the necessity of a clean room for solid state devices will be drastically reduced. However, due to the price and size constraints, I don't foresee the elimination of the traditional hard drive for some time to come. Of course, that could be 5 years or 15 years, depending on industry trends.

    2. The stability of solid state hard drives?
    - I'd say that SSHD are more stable from the perspective of being bumped around. However, a simple power surge could render the data lost forever. This is where the traditional drive has a hope. The electronics can be toast, but the data is still on the platters.
    - For the most part, traditional hard drives show signs of dying before they completely crash where a SSHD is going to work or not work, with the exception of failing bits.

    3. Will SSHDs be the data recovery lab killer?
    - I doubt it. It is true that hardware failure is the number one reason for data loss. But, a close second is human failure and I believe that will never change. So, the SSHD may become a more stable drive, but it won't be the end of data loss. If anything at all, the SSHD technology will create more false security, making for more critical data loss.

    4. Will SSHDs affect the cost of data recovery?
    - I suspect that we will see three different quotes for these devices: 1. around $500, 2. around $2000 and 3. unrecoverable.

    All in all, I am excited about the technology and look forward to putting my first 250GB SSHD into my MacBook Pro. But, until we see the prices drop and the capacities increase, we won't be seeing these drives in anything other than a few overpaid executives' laptops.

  17. Re:well that makes it easy by dotancohen · · Score: 4, Funny

    Just put your drug deals, k1dd13 pr0n, and terrorist plans in a file called attorneyconfidential.doc.

    What's wrong with attorneyconfidential.odf? Not everyone has MS Office, you insensitive clod!
    --
    It is dangerous to be right when the government is wrong.