Slashdot Mirror
Data Recovery & Solid State
theoverlay writes "With all of the recent hype about solid-state drives in both consumer applications and enterprise environments I have a real concern about data recovery on these devices. I know there are services for flash memory restoration but has anyone been involved in data restoration projects on ssd drives? What are the limits and circumstances that have surfaced so far? What tools will law enforcement and government use to retrieve data for investigations and the like?"
What tools will law enforcement and government use to retrieve data for investigations and the like?"
Waterboarding, tasers, sleep deprivation, bright lights and loud obnoxious music.
-1, didn't read the question. He is NOT asking about how reliable the drives are, since he acknowledges that ANY media can fail. Instead, he asks about recovery options when there are no other alternatives, such as extreme disasters or criminal cases where data was intentionally lost. This is a good question, I look forward to constructive answers and the discussion that follows. Yours, however, is a dead end.
I know that is not enough to securely wipe a traditional hd. the current standard is 7 passes of random 1s and 0s. even worse than that, I have had people who formerly worked nsa tell my that really sensitive data is only considered gone when they have dismantled the drive and melted the platters in acid.
thats right, I rarely use capitals. deal with it. but don't mistake my laziness for stupidity
Actually my concern would be more the exact opposite, what are the implications for secure erasure of these drives? Before we could just open the drives and smash the platters if you wanted to be really paranoid. Now, do we have to make sure we find all the flash chips and ensure each one of them is destroyed? Are there other implications because of this flash memory for secure erase utilities?
;-)
If your hard drive dies and you don't have a backup, I have very little sympathy for you. You should know better. Especially anyone reading slashdot. Let's get back to our NSA fearing roots and talk about how to protect ourselves with the latest in encryption technology.
That may have worked with old drives, forensics experts tell me these MFM/RLL things, but with modern drives and the used recording tech, it's practically impossible. But hey, keep pandering to these myths.
Ask Slashdot: For when you've got time to write up a whole paragraph, but not a 5-word google search...
Google results, which seem rather informative
"Quoting famous computer scientists out of context is the root of all evil (or at least most of it) in programming." - K
That is a myth based on a theoretical paper. The principle is good, but you would need to know the starting voltage of each bit and exactly how many times that bit had been written to. Overwrite your files once, and they're gone, for good.
I'd figure the same as with regular harddisks apply. One pass and gone the data is.
Except that unlike normal HDDs, SSDs intentionally fragment the data across the drive to avoid writing to a specific section of the drive repeatedly (an attempt to avoid over-writing to the flash). Assuming you don't fill up the ENTIRE DRIVE, your data might very well still be there.
I'd love to ask Ontrack or Drivesavers about it, to be honest.
While it is true that the data can be recovered after multiple passes, what most folks forget to mention is the level of effort required to recover such data.
Think hanging chads, but on a much larger scale.
You get to pull the disks, and start walking them with an electron microsocope looking for the 'residual' images. Then you get to make a guess as to the 'bit' being a 1 or a 0. Then you get to start assembling a filesystem on top of all of that.
Yes, it is possible, but it would take a very, very long time.
Generally speaking, overwriting the data _once_ is enough to tormet your local law enforcement agency. The level of effort required is just too much for them to deal with the issue given the other things that they need to do. (rumor has it that in the old days they could just modify the firmware to shift the drive heads over a touch, but that trick does not appear to work as much with newer drives since there is not much space between tracks anymore)
The reason that the Military/NSA/FBI/CIA want to actually destroy the disks is because even though it is _difficult_, it is still _possible_ to recover the data.
Please note that for this to work, you must overwrite the actual sectors on the disk (aka "wipe"), not just blow away the metadata (aka "delete")
One confounding aspect of trying to permanently erase things from solid state drives is the fact that most flash drives incorporate wear-leveling. You may not be able to over write specific physical sectors without just overwriting the whole drive several times.
"Prefiero morir de pie que vivir siempre arrodillado!"
How do we know you're not an NSA mole, paid to persuade us that one pass is enough? Or maybe your experts are an NSA moles and they've tricked you.
echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
I work for www.harddisk-recovery.com .
We will gladly reverse engineer the data-distribution algorithms that the SSD device uses on a case-by-case basis. We have done so in the past for several different USB sticks. We will desolder and read the individual data-holding chips and then reverse engineer their scrambling algorithms. We will then recover your data from whatever chips still work sufficiently to provide us with some data.
The first time this will take us a few days extra. Expect about a week turnaround time the first time anyone sends us a failed SSD disk.....
Here's the relevant part of new epilogue: Looking at this from the other point of view, with the ever-increasing data density on disk platters and a corresponding reduction in feature size and use of exotic techniques to record data on the medium, it's unlikely that anything can be recovered from any recent drive except perhaps a single level via basic error-cancelling techniques. In particular the drives in use at the time that this paper was originally written have mostly fallen out of use, so the methods that applied specifically to the older, lower-density technology don't apply any more. In fact, the same man has written paper that somewhat addresses the original question regarding forensic recovery of erased data in sold-state memory for usenix 2001.
When information is power, privacy is freedom.