Imagine for a second that the notebook recently stolen from Coca-Cola contained a solid-state drive (SSD), that the
employee responsible for the notebook was privy to the sacred formula for Coca-Cola, and that at one time the formula was stored on the notebook’s SSD. Could the thieves
recover the formula from the SSD even though the file containing it had been
erased and the locations on the SSD where the file was stored had been overwritten?

Entirely possible, according to the oft-cited paper Reliably Erasing Data From Flash-Based Solid State Drives (presented at USENIX FAST 2011), written by members of the University of
California San Diego’s Non-Volatile Systems Laboratory (NVSL): Michael Wei, Laura M. Grupp,
Frederick E. Spada, and Steven Swanson. The paper’s abstract states, “While sanitizing entire disks and individual files is well-understood
for hard drives, flash-based solid state disks have a very different internal
architecture, so it is unclear whether hard drive techniques will work for SSDs
as well.”

What exactly does sanitize mean?

Much of the confusion about removing data from SSDs centers on
how one defines data removal. The paper begins by defining sanitizing
as “The process of erasing all or part of a storage device so that the data it
contained is difficult or impossible to recover.” It then subdivides
sanitization into the following categories:

  • Logical sanitization makes stored data
    unrecoverable via standard hardware interfaces using standard ATA/SCSI commands.
  • Digital sanitization makes it
    impossible to recover data via any digital means, including undocumented drive
    commands, and subversion of the device’s controller or firmware.
  • Analog sanitization degrades the
    analog signal used to encode the data so reconstructing the signal is
    impossible.
  • Cryptographic sanitization works by
    sanitizing the memory location storing the cryptographic key used to encrypt
    data stored on the drive.

For hard drives, the paper considers software-based overwriting
sufficient for digital sanitization, noting, “No one has publicly
demonstrated bulk recovery of data from a hard drive after such erasure.” SSDs
are a completely different matter.

SSDs are a different story

Hard drives use magnetic platters that can be rewritten in place, so overwriting a storage
location is not a problem. Flash memory cannot be rewritten in place: it is written in pages
but can only be erased in much larger blocks, and a page must be erased before it can accept new data.
That may not seem like much, but block erasure is slow, and making every update wait for it
would create a processing bottleneck.

To avoid that delay, the SSD’s Flash Translation Layer (FTL) firmware writes the new data to a fresh, already-erased page and updates its logical-to-physical map to point there. The page holding the old data is merely marked stale; its contents stay intact until the firmware eventually garbage-collects and erases the block containing it.

As a result, overwriting through the host interface achieves
only logical sanitization: the old data is no longer readable using standard ATA or SCSI commands, but the
pages assumed to have been overwritten remain intact and readable to anyone who bypasses the FTL.

What the researchers found

The research team then set about determining which, if any, of the
sanitizing methods made it impossible to recover data from an assortment of
SSDs. To begin, 12 different SSDs were sanitized using the drive’s built-in
sanitize command (the legacy ATA SECURITY ERASE UNIT command). Only four were
sanitized completely; the rest either did not support the command or failed to execute it correctly. The paper concludes that the built-in commands are effective only when the
manufacturer has implemented them correctly, which cannot be taken for granted, so the result must be verified rather than assumed.

Next, the researchers tried overwriting the entire visible address space
of the SSD rather than individual files, to sidestep the FTL’s remapping. They determined that running the whole-disk overwrite
twice (for those remembering
my Coca-Cola question) is usually, but not always, sufficient to sanitize the
drive. The researchers then added a note of caution: “Overall, the results for
overwriting are poor: while overwriting appears to be effective in some cases
across a wide range of drives, it is clearly not universally reliable.”
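To make the FTL behaviour described in the previous section concrete, and to show why the researchers found that one whole-disk overwrite can leave data behind while a second pass usually finishes the job, here is an added Python simulation of a tiny flash drive. It is not code from the paper or from NVSL; the ToySSD class, its block and page geometry, its garbage-collection policy, and the "COKE-FORMULA" sample data are all assumptions constructed for illustration. The raw_scan method plays the role of the researchers’ FTL bypass: it reads every physical page, stale ones included, while read goes through the map the way an ATA read would.

```python
from collections import deque


class ToySSD:
    """Toy flash drive (constructed for illustration): pages are written once,
    and only a whole-block erase actually destroys the bytes."""

    def __init__(self, logical_pages, blocks, pages_per_block):
        # One spare block of over-provisioning guarantees garbage collection a victim
        assert logical_pages < (blocks - 1) * pages_per_block
        self.logical_pages, self.ppb = logical_pages, pages_per_block
        self.nand = [[None] * pages_per_block for _ in range(blocks)]   # (lba, data) or None=erased
        self.valid = [[False] * pages_per_block for _ in range(blocks)]  # False: stale or erased
        self.l2p = {}                                # logical address -> (block, page)
        self.free_blocks = deque(range(1, blocks))   # fully erased blocks
        self.active, self.next_page = 0, 0           # write frontier

    # Host-visible interface: everything standard ATA/SCSI commands can reach.
    def write(self, lba, data):
        """The old page is never rewritten in place; it is only marked stale."""
        if lba in self.l2p:
            ob, op = self.l2p[lba]
            self.valid[ob][op] = False
        blk, pg = self._alloc()
        self.nand[blk][pg] = (lba, data)
        self.valid[blk][pg] = True
        self.l2p[lba] = (blk, pg)

    def read(self, lba):
        """Follows the map, so the host never sees stale pages."""
        loc = self.l2p.get(lba)
        return None if loc is None else self.nand[loc[0]][loc[1]][1]

    def overwrite_all(self, fill):
        """Whole-disk overwrite of the visible address space, as the paper tested."""
        for lba in range(self.logical_pages):
            self.write(lba, fill)

    def secure_erase(self):
        """What a correctly implemented ATA ERASE UNIT does: erase every block."""
        self.__init__(self.logical_pages, len(self.nand), self.ppb)  # all blocks erased, map cleared

    def raw_scan(self, needle):
        """Audit behind the FTL: (block, page, lba, still_mapped) for every physical
        page whose data equals needle, stale pages included."""
        return [(blk, pg, cell[0], self.valid[blk][pg])
                for blk, pages in enumerate(self.nand)
                for pg, cell in enumerate(pages)
                if cell is not None and cell[1] == needle]

    def _alloc(self):
        """FTL page allocator: always hands out a fresh, already-erased page."""
        if self.next_page == self.ppb:               # frontier block is full
            self.active = self.free_blocks.popleft()
            self.next_page = 0
            if not self.free_blocks:                 # no erased block left: reclaim one
                self._garbage_collect()
        blk, pg = self.active, self.next_page
        self.next_page += 1
        return blk, pg

    def _garbage_collect(self):
        # Greedy policy: move the live pages of the block with the fewest of them into
        # the fresh active block, then erase it. Stale data is destroyed only here.
        victim = min((b for b in range(len(self.nand)) if b != self.active),
                     key=lambda b: sum(self.valid[b]))
        for pg in range(self.ppb):
            if self.valid[victim][pg]:
                lba, data = self.nand[victim][pg]
                self.nand[self.active][self.next_page] = (lba, data)
                self.valid[self.active][self.next_page] = True
                self.l2p[lba] = (self.active, self.next_page)
                self.next_page += 1
        self.nand[victim] = [None] * self.ppb
        self.valid[victim] = [False] * self.ppb
        self.free_blocks.append(victim)


def demo():
    secret = b"COKE-FORMULA"                         # constructed stand-in for the sensitive file
    ssd = ToySSD(logical_pages=6, blocks=4, pages_per_block=3)
    ssd.write(2, secret)
    ssd.write(2, b"\x00" * len(secret))              # in-place "secure delete" of the file
    r = {"host_read_after_file_overwrite": ssd.read(2),
         "raw_hits_after_file_overwrite": ssd.raw_scan(secret)}
    ssd.overwrite_all(b"\xaa" * len(secret))         # whole-disk overwrite, pass 1
    r["raw_hits_after_one_pass"] = len(ssd.raw_scan(secret))
    ssd.overwrite_all(b"\x55" * len(secret))         # whole-disk overwrite, pass 2
    r["raw_hits_after_two_passes"] = len(ssd.raw_scan(secret))
    ssd.write(4, secret)                             # stage the secret again, then ERASE UNIT
    ssd.secure_erase()
    r["raw_hits_after_secure_erase"] = len(ssd.raw_scan(secret))
    return r


print(demo())
```

Run it and compare the counts. The host read after the in-place overwrite returns zeros, yet the raw scan still finds the secret at block 0, page 0, mapped to logical address 2 and marked stale. The first whole-disk pass leaves that page alone because the FTL still had erased pages to write into; the second pass forces garbage collection onto the stale block and only then is it erased. Whether a real drive behaves this way depends on its reserve capacity and its collection policy, neither of which the host can see, which is why the paper calls overwriting unreliable and why only a correctly implemented ERASE UNIT or an audit of the raw NAND settles the question.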

The researchers also tried degaussing the flash memory (a technique designed to
erase magnetic media); it had no effect, and the data remained
intact. Sanitizing a single file was the next test. Simply put, none of
the existing hard-drive-oriented techniques for individual-file sanitization
were effective when applied to SSDs, because the FTL leaves the old copies of the file’s pages in place.

The bright spot was encrypting SSDs: deleting the encryption
key effectively renders the stored data useless. The one concern the researchers raised
is that there is no way for the user to verify that the memory locations storing the
encryption key were actually sanitized, so the result depends on trusting the drive’s firmware.

The research team did not come
out and say it, but reading between the lines leaves one believing there
is no reliable way to sanitize SSDs other than physically destroying the
device.

Working on a solution

On the NVSL website, the researchers explain how they check whether a sanitization technique actually worked:

“At NVSL, we have designed a procedure to bypass the flash translation layer (FTL) on SSDs and directly access the raw NAND flash chips to audit the success of any given sanitization technique.”

That audit procedure reads the raw flash behind the FTL to verify a sanitization attempt; the remedy the paper proposes is a separate thing: three extensions to the FTL firmware that let the drive sanitize individual files reliably. The hard part, it appears, is getting SSD manufacturers’ buy-in.