How to delete information from a hard drive

Carder

Hello, friends! Today we will talk about how to permanently delete information from your hard drive when you decide to sell, donate, or simply throw away a disk, phone or computer.

To state the obvious: different types of devices store information very differently, and the methods for permanently deleting data differ as well. Users accustomed to "ordinary disks" (rotating magnetic platters, no encryption) are often surprised and confused by how data is deleted (overwritten) on other types of media. So let's start with magnetic disks.

How to permanently delete information from a hard drive

In this section, the term "hard drive" will mean a classic device with rotating platters and moving electromagnetic read / write heads. The information recorded on the platter remains on it until the moment when the data is overwritten.

The traditional way to delete data from magnetic disks is formatting. Unfortunately, when using Windows, even fully formatting a disk can produce different - and sometimes unexpected - results.

So, if the operating system is Windows XP (or an even older version of Windows), a full format does not write zeros to each sector at all. Instead, the OS just searches for bad sectors by reading the data sequentially.

Therefore, if you are going to dispose of your old Windows XP computer, format the disk at the command prompt and specify the /p:<number of passes> parameter. The format command will then overwrite the contents of the disk with zeros as many times as the <number of passes> parameter specifies. Example (X: stands for the drive letter):

Code:
$ format X: /fs:NTFS /p:1

Starting with Windows Vista, Microsoft developers changed the logic of the full format command. Now, formatting the disk actually overwrites the data with zeros, and the /p parameter becomes redundant.

Actually, for the average user who does not suffer from paranoia, that is where it all ends. Users who are more concerned than usual about reliable data deletion may recall the methods that existed a couple of decades ago (very expensive ones, by the way) for attempting to recover data on special equipment by analyzing the residual magnetization of tracks.

The theoretical idea of the method is to detect traces of information that was previously recorded on a track by analyzing weak remanent magnetization (a variation of the method is edge magnetization analysis, which attempts to read data from the gaps between tracks). The method worked great for drives the size of a cabinet and electromagnets that could rip off a military cockade.

The method showed noticeably worse results on disks with a volume of tens of megabytes and worked very badly with drives whose volume was close to a gigabyte (no, this is not an error, here we are talking about megabytes and gigabytes).

In theory, one can try to recover traces of remanent magnetization from the areas shown in yellow

For modern drives with a high recording density, the volume of which is measured in terabytes, there are no confirmed cases of successful application of this method, and for drives using "shingled" (SMR) recording, the approach is impossible in principle.

In modern storage devices, the data density is too high for the method to work

However, to exclude even the theoretical possibility of using it, it is enough to overwrite the disk not with zeros, but with some sequence of data - sometimes more than once.

Algorithms for guaranteed information removal

Many organizations use special procedures for the disposal of information storage devices that include their sanitization (permanent destruction of information). For the reliable destruction of really important information, destructive methods are used, but for data that is not of particular value, it is permissible to use software algorithms. There are many such algorithms.

Let's start with the well-known but misinterpreted American standard DoD 5220.22-M. Most free and commercial applications that support this standard refer to the older (pre-2006) revision.

Indeed, from 1995 to 2006, the "military" standard for information destruction allowed the use of the data overwriting method. The standard meant overwriting the disk three times. The first pass wrote any character, the second its XOR complement and, finally, the last pass a random sequence. For example, like this:

Code:
01010101 > 10101010 > 11011010 *
* random data

This algorithm is no longer used by the military; to sanitize media, they physically destroy them or completely demagnetize them, as they say, "in the crucible of a nuclear explosion." However, this algorithm is still used in various US government agencies to destroy unclassified information.

Canadian police destroy unclassified information using a proprietary DSX utility. The utility overwrites the data with zeros, then with ones, after which it writes to the disk a sequence of data that encodes information about the utility version and the date and time of data destruction. Secret information is still destroyed along with the medium.

Like this:

Code:
00000000 > 11111111 > 10110101 *
* predefined coded sequence

Bruce Schneier, a well-known expert in the field of cryptography, proposes destroying disk information irrevocably in a similar way. The algorithm proposed by him differs from the Canadian development only in that the third pass writes not a predetermined sequence of data, but a pseudo-random one.

At the time of publication, this algorithm, which uses a random number generator for rewriting, was criticized as being slower compared to algorithms that recorded a predefined sequence of data.

Like this:

Code:
00000000 > 11111111 > 10110101 *
* pseudo-random data

In Germany, a slightly different approach has been adopted for the destruction of unclassified data. The BSI Verschlusssachen-IT-Richtlinien (VSITR) standard allows the use of two to six passes (depending on the classification of information), recording alternately a pseudo-random sequence and its XOR complement. The last pass writes the sequence 01010101.

Like this:

Code:
01101101 * > 10010010 ** > 01010101
* pseudo-random sequence 1
** XOR complement of pseudo-random sequence 1

Finally, as a technical curiosity, we present the algorithm of Peter Gutmann, who proposed rewriting in 35 passes. Published in 1996, the algorithm was based on a theoretical assumption of a residual magnetism level of 5% and already at the time of publication looked like just a theoretical refinement.

Nevertheless, this algorithm is also supported by many information destruction applications. In fact, its use is redundant and completely meaningless; even a three-fold rewriting of information using any of the algorithms described above will give exactly the same result.

What algorithm to use for reliable data deletion? For modern (no older than 10–15 years) hard disks, a one-time rewriting with a pseudo-random sequence is more than enough for reliable information destruction. Anything beyond this can only calm the inner paranoia, but in no way reduce the likelihood of successful information recovery.
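The pass sequences described in this section, as an added example (not code from the original post or from any of the tools it names): each scheme is a list of pass generators applied to a constructed image file, and the last pass is read back for verification. The scheme names, the SHAKE-256 stream used as the pseudo-random source and the 64 KiB block size are choices made for this example.

```python
import hashlib
import os
import secrets
import tempfile

BLOCK = 64 * 1024                              # bytes written per call
INVERT = bytes(i ^ 0xFF for i in range(256))   # lookup table: byte -> its XOR complement


def build_passes(scheme):
    """Return one generator per pass; each maps (offset, length) -> bytes."""
    seed = secrets.token_bytes(32)             # fresh seed for every wipe

    def rnd(off, n):                           # reproducible pseudo-random stream
        return hashlib.shake_256(seed + off.to_bytes(8, "big")).digest(n)

    def inv(off, n):                           # XOR complement of that same stream
        return rnd(off, n).translate(INVERT)

    def fixed(byte):
        return lambda off, n: bytes([byte]) * n

    schemes = {                                # names are labels made up for this example
        "single-random": [rnd],
        "char-complement-random": [fixed(0x55), fixed(0xAA), rnd],
        "zeros-ones-random": [fixed(0x00), fixed(0xFF), rnd],
        "random-complement-0x55": [rnd, inv, fixed(0x55)],
    }
    return schemes[scheme]


def wipe(path, scheme="single-random"):
    """Overwrite every byte of `path` once per pass, then verify the last pass."""
    passes = build_passes(scheme)
    with open(path, "r+b") as dev:
        size = dev.seek(0, os.SEEK_END)        # also yields the size of a block device
        for gen in passes:
            dev.seek(0)
            for off in range(0, size, BLOCK):
                dev.write(gen(off, min(BLOCK, size - off)))
            dev.flush()
            os.fsync(dev.fileno())             # finish this pass before starting the next
        dev.seek(0)
        for off in range(0, size, BLOCK):      # read back; the OS may answer from its cache
            n = min(BLOCK, size - off)
            if dev.read(n) != passes[-1](off, n):
                raise OSError(f"verification mismatch at offset {off}")
    return len(passes), size


def demo():
    """Wipe a constructed 'disk image' and report whether the old marker survives."""
    marker = b"CONSTRUCTED-SAMPLE-RECORD"
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(marker * 8000 + b"tail")     # size is deliberately not a multiple of BLOCK
    try:
        passes, size = wipe(img.name, "single-random")
        with open(img.name, "rb") as f:
            return passes, size, marker in f.read()
    finally:
        os.remove(img.name)


if __name__ == "__main__":
    print(demo())
```

Overwriting a single file in place says nothing about copies the file system or drive keeps elsewhere, which is why the example treats its target as a whole device or image.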

Programs for safely erasing data from your hard drive

As we found out, in order to permanently delete data from a hard disk, it is desirable to overwrite its contents with a random sequence of bits, but you can also use one of the existing data destruction algorithms. The easiest way to do this is using one of the available programs. The only difficulty is choosing a high-quality and at the same time free application, because file archives are packed to capacity with utilities of the Secure Erase class, and numerous pop articles by pseudo-experts are devoted to them.

The DBAN program has proven itself well. The application works exclusively in boot mode (the program is distributed as a bootable image, more precisely, as a self-extracting archive, which will offer to create this image when launched) and supports most data destruction standards.

Open source allows you to make sure not only that the program does exactly what it promises, but also that the correct random number generator is used to generate the pseudo-random sequence.

Darik's Boot and Nuke (DBAN)

An alternative option is the free but proprietary CBL Data Shredder app. The application was developed by forensics experts and supports most of the existing information destruction standards. CBL also allows you to create a bootable USB stick with which you can completely wipe the disk.

CBL Data Destruction Utility

Removing information from hardware-encrypted drives

Sometimes information needs to be removed quickly, literally instantly. Obviously, it is impossible to do this at the logical level for a magnetic disk: it is required to completely rewrite the entire amount of information, which can take many hours of work. However, a solution has existed for quite some time: these are hard drives with hardware encryption.

There are several standards for hardware encryption, the most common are Opal and eDrive. What these standards have in common is that when encryption is enabled, all data on such a hard disk will be automatically encrypted when written and decrypted when read.

We are now interested in another feature of such disks, namely the instant and irrecoverable destruction of data. This is implemented through the standard ATA Secure Erase command, which can be performed using the standard hdparm utility. For magnetic drives that use hardware encryption, the Secure Erase command will instantly destroy the encryption key, so the information stored on the disk cannot be decrypted. When the disk uses strong encryption with a key of 128 bits or more, it will be completely impossible to decrypt the data.

By the way, you can use hdparm on regular, unencrypted disks. True, the running time of the command will not differ much from the usual sector-by-sector rewriting of the disk contents - simply because it will perform the sector-by-sector rewriting.

However, hdparm is not a panacea. Hardware encryption is used primarily in hard drives designed for specific environments (corporations, hosting and cloud companies). Even if you install such a hard drive in your home computer and enable hardware encryption, there is a chance that the Secure Erase command will not work as expected due to the nature of the BIOS. At home, using pure hardware encryption without support from the operating system is not the best and far from the most reliable solution.

Perhaps it's worth mentioning that there is a whole class of hard drives that come with full drive encryption already activated. Any information that is written to such a disk will be automatically encrypted with a cryptographic key. If the user does not set a password, the cryptographic key will not be encrypted and all data will be available immediately after initializing the drive.

How a hardware-encrypted hard drive works if no password is set

If the user sets a password on the disk, then when the disk is initialized (only after a shutdown and power-on, not after sleep or hibernation; a number of attacks on such disks are built on this feature) the cryptographic key will be encrypted with the password, and access to the data will be impossible until the correct password is entered.

How a hardware encrypted hard drive works with a password set

It is easy to guess that the destruction of the cryptographic key makes it impossible to access the data. Yes, you can read the information from the disk, but it will not be possible to decrypt it. On such disks, the ATA Secure Erase command primarily destroys the cryptographic key and only then begins to erase the data.

These drives are used by almost all hosting and cloud companies. Obviously, such encryption will not protect against attacks on an already loaded system in any way. Its purpose is to prevent unauthorized access to information when the disk is physically removed, for example, if the server is stolen.

The most reliable ways to delete information from your hard drive

The above method with the hdparm utility requires the drive to support hardware encryption, which is far from being the case for typical consumer drives. At home, it is faster and safer to destroy information from encrypted partitions, for which it is enough to overwrite the cryptographic key.

So, if your data is stored on an encrypted BitLocker partition, then to instantly destroy it, you just need to format the partition with "quick" formatting. The format command on Windows correctly recognizes BitLocker volumes in both command line and GUI versions. Formatting a BitLocker volume, even with "quick" formatting, destroys the cryptographic key, making it impossible to access the information further.

BitLocker features. Did you know that disabling encryption on an already encrypted BitLocker partition does not decrypt the data? If you disable encryption on a partition that has been protected by BitLocker, Windows will only store the cryptographic key for accessing the data in cleartext (not encrypted with a password or data from the TPM). New write operations will be in cleartext, but existing data will stay as it is; it will simply be decrypted automatically using the cryptographic key stored in the clear. If you start encrypting this partition again, the cryptographic key will be immediately encrypted, and the data previously written in unencrypted form will be gradually encrypted in the background.

But there is a catch here, too. Even if the encryption key of the BitLocker volume is destroyed in the first seconds, a copy of it may be found somewhere else. You don't have to look far for examples: when BitLocker Device Protection automatically activates encryption, the recovery key is automatically uploaded to the OneDrive cloud. So even destroying the encryption key won't help.

Using BitLocker? Log into your Microsoft account and check for any extra encryption keys.

Removing information from solid state drives

Permanently deleting data from an SSD is both easier and more difficult than from a magnetic hard drive. Let's take a look at what happens inside an SSD when data is deleted.

You've probably heard that the memory chips used in SSD drives allow you to quickly read information, write data not very quickly into a blank block, and very slowly write information into an area occupied by other data. We are now interested in exactly the last property of SSD-drives. In order to write data to a cell, the drive controller will first have to clear (erase) the data in this cell, and only after that the write operation will become possible. Since the cell initialization process is very, very slow, manufacturers have developed a number of algorithms, thanks to which the controller always has a sufficient number of empty cells at its disposal.

But what happens if the operating system wants to write data to a cell with a specific address, but some data is already stored at this address? In this case, the SSD controller will perform an instant address substitution: the desired address will be assigned to another, empty cell, and the occupied block will receive a different address or even go to an unaddressed pool for subsequent background cleaning.

In normal use, much more data is written to the disc than it can hold. The pool of free cells decreases over time, and at some point, only the pool from the non-addressable space of the "spare" capacity becomes available to the controller. Manufacturers solve this problem by using the Trim mechanism, which works in conjunction with the operating system. If the user deletes a file, formats a disk, or creates a new partition, the system sends information to the SSD controller that certain cells do not contain useful data and can be cleared.

Please note: as a result of Trim work, the operating system itself does not overwrite these blocks and does not erase information. The controller is just passed an array of cell addresses that do not contain useful information. At this point, the controller can begin the background process of deleting data from cells.

What happens if the SSD contains a large amount of information, and the controller receives a Trim command for the entire contents of the disk? The rest does not depend in any way on the actions of the user or the operating system: the controller's algorithms will start clearing unnecessary cells. What happens if a user (or an attacker) tries to read data from cells that have already received a Trim command, but have not yet been physically cleared?

This is where the fun begins. Modern SSDs define three possibilities:
  1. Non-deterministic Trim: undefined state. The controller may return actual data, zeros, or whatever, and the result may differ between attempts (SATA Word 169 bit 0).
  2. Deterministic Trim (DRAT): The controller is guaranteed to return the same value (most often, but not necessarily zeros) for all cells after the Trim command (SATA Word 69 bit 14).
  3. Deterministic Read Zero after Trim (DZAT): guaranteed return of zeros after Trim (SATA Word 69 bit 5).
You can determine which type your SSD belongs to using the same hdparm command:

Code:
$ sudo hdparm -I /dev/sda | grep -i trim
    * Data Set Management TRIM supported (limit 1 block)
    * Deterministic read data after TRIM

SSDs of the first type are currently practically not found (although eMMC drives still differ in this behavior). As a rule, manufacturers offer drives of the second type for general use, and SSDs with DZAT support are intended for use as part of multi-drive arrays.
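The same classification can be read straight from the IDENTIFY DEVICE words quoted in the list above. This is an added example, not part of the original post: it assumes the identify data is available as a dump of 256 four-digit hex words (the layout `hdparm --Istdout` prints), and the sample dump is constructed rather than taken from a real drive.

```python
import re

TRIM_SUPPORTED = 1 << 0     # IDENTIFY DEVICE word 169, bit 0
DRAT = 1 << 14              # word 69, bit 14: deterministic read after Trim
DZAT = 1 << 5               # word 69, bit 5: read zeros after Trim

HEX_WORD = re.compile(r"[0-9a-fA-F]{4}")


def words_from_hex_dump(text):
    """Collect the 256 IDENTIFY words from a dump of four-digit hex words."""
    words = []
    for line in text.splitlines():
        tokens = line.split()
        # skip headers such as "/dev/sdX:"; keep lines made only of hex words
        if tokens and all(HEX_WORD.fullmatch(t) for t in tokens):
            words.extend(int(t, 16) for t in tokens)
    if len(words) != 256:
        raise ValueError(f"expected 256 IDENTIFY words, found {len(words)}")
    return words


def trim_class(words):
    """Map the capability bits to the three behaviours listed in the text."""
    if not words[169] & TRIM_SUPPORTED:
        return "no Trim"
    if not words[69] & DRAT:
        return "non-deterministic"      # reads after Trim may return anything
    # the read-zero bit only counts together with the deterministic bit
    return "DZAT" if words[69] & DZAT else "DRAT"


def sample_dump(word69, word169):
    """Constructed dump (not from a real drive): all words zero except two."""
    words = [0] * 256
    words[69], words[169] = word69, word169
    rows = (words[i:i + 8] for i in range(0, 256, 8))
    return "/dev/sdX:\n" + "\n".join(" ".join(f"{w:04x}" for w in r) for r in rows)


if __name__ == "__main__":
    for w69, w169 in [(0x0000, 0), (0x0000, 1), (0x4000, 1), (0x4020, 1), (0x0020, 1)]:
        dump = sample_dump(w69, w169)
        print(f"word69={w69:04x} word169={w169:04x} ->", trim_class(words_from_hex_dump(dump)))
```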

From a practical point of view, this means only one thing: immediately after the data is deleted (whether by deleting files, formatting, or repartitioning), the information will become unreadable both from a computer and on a special stand.

It would seem that everything is simple? No, there is a big catch here, and more than one.

First, are you sure that Trim is working correctly on your system? Trim has been supported at the operating system level since Windows 7, and only if a number of conditions are met. All of them! First, the drive must be connected directly (SATA, NVMe); for the vast majority of external (USB) drives, Trim is not supported (there are exceptions). Second, Windows only supports Trim for NTFS volumes. Finally, Trim must be supported by both the drivers and the computer's BIOS. You can check whether Trim is working in Windows with the command

Code:
$ fsutil behavior query DisableDeleteNotify

Result:
  • 0 - Trim is enabled and works correctly;
  • 1 - Trim is inactive.
Please note: for USB drives (external SSDs), Trim will most likely not be active, although it can be supported at the level of the controller built into the drive.

One more point. Yes, it is impossible to stop the background garbage collection process: if the SSD is powered up, the controller will continue to destroy data after Trim no matter what. However, it is enough to remove the memory chips from the drive, and using a simple stand, the data from them can be read. Yes, the researcher will have a severe headache associated with the physical fragmentation of cells due to block forwarding and, moreover, logical fragmentation of data. Nevertheless, it is still possible to solve this problem.

Which brings us to the last point. A significant part of the storage capacity (in some models - up to 10%) is reserved for a non-addressable reserve pool. In theory, the cells in this pool should be flushed; in practice, due to numerous implementation features and firmware errors, this does not always work, and the data may physically remain in place even after cleaning is completed.

Thus, the situation with deleting data from an SSD is as follows.
  1. You can instantly erase data from the built-in SSD by simply formatting the partition (use NTFS as your new file system). Trim will mark the blocks as unused and the controller will gradually remove information from these cells.
  2. If everything went right, then it will be impossible to get to the information by any non-destructive means. Moreover, if an attacker connects the drive to another computer or a specialized stand, the SSD controller will continue to methodically overwrite the cells.
  3. If the chips are removed from the SSD, then the data remaining in the cells can be read. Moreover, even if the cleanup process appears to be complete, there may be cells in the unaddressed standby pool that contain "deleted" data.
How do you completely and reliably destroy the contents of an SSD? Unfortunately, this is not one but two different questions. You can completely erase the contents of an SSD using the familiar ATA Secure Erase command, which can be issued through hdparm. But as for "reliably": alas, one can only hope that the controller developers implemented Secure Erase correctly.

Practice shows that in some cases Secure Erase does not completely clear cells from the reserve pool (due to the simplest errors in the firmware). Thus, only a cryptocontainer gives a guarantee: if the cryptographic key is removed, it will be almost impossible to decrypt the rest of the content. But there are pitfalls here too: we have already mentioned escrowed keys. Organizations working with classified information do not recognize any way of sanitizing an SSD other than physically destroying the media.

Conclusion

It is not easy to permanently delete information from your hard drive, and doing it quickly is even more difficult. And while a magnetic hard disk can be wiped completely given enough free time, in the case of an SSD things are much more confusing. We hope this article will help you find the optimal information destruction strategy.
 
For those still being tortured:

Delete information from hard drive win10

The easiest way. As an administrator, open Windows PowerShell by typing its name in the Start menu. Enter the command:

format volume /P:passes
format X: /P:5

Here:
volume - drive letter
/P - format command parameter
passes - the number of rewrites.

Windows will not commit hara-kiri, so to wipe the disk that holds the OS itself you still have to turn to DBAN. By the way, this is why all working (and pre-encrypted!) files need to be stored on a separate partition, and ideally on an external SSD. Gates' brainchild erases any non-system disk without regret; the main thing is to make sure that its letter is chosen correctly, so as not to delete something you need. Unless, of course, this has not happened yet during the torture process.
 