Entirely possible according to the oft-cited paper, Reliably Erasing Data From Flash-Based Solid State Drives, written by members of University of California San Diego’s Non-Volatile Systems Laboratory (NVSL), including Michael Wei, Laura M. Grupp, Frederick E. Spada, and Steven Swanson. The paper’s abstract stated, “While sanitizing entire disks and individual files is well-understood for hard drives, flash-based solid state disks have a very different internal architecture, so it is unclear whether hard drive techniques will work for SSDs as well.”
What exactly does sanitize mean?
Much of the confusion associated with removing data from SSDs centers on how one defines data removal. The paper begins by describing data removal or sanitizing as “The process of erasing all or part of a storage device so that the data it contained is difficult or impossible to recover.” Next, the paper subdivides sanitize into the following categories:
- Logical sanitization makes stored data unrecoverable via standard hardware interfaces using standard ATA/SCSI commands.
- Digital sanitization makes it impossible to recover data via any digital means, including undocumented drive commands, and subversion of the device’s controller or firmware.
- Analog sanitization degrades the analog signal used to encode the data so reconstructing the signal is impossible.
- Cryptographic sanitization works by sanitizing the memory location storing the cryptographic key used to encrypt data stored on the drive.
As for hard drives, the paper considers software-based overwrite techniques (digital sanitization) sufficient, “No one has publically demonstrated bulk recovery of data from a hard drive after such erasure.” SSDs are a completely different matter.
SSDs are a different story
Hard drives use magnetic storage platters, so overwriting memory locations is not a problem. But SSD technology uses flash memory, and overwriting or modifying storage locations is not possible. Each location must be erased first. That may not seem like much, but the added step does, in fact, create a processing bottleneck.
To avoid the bottleneck-causing delay, SSDs use Flash Translation Layer (FTL) firmware to find and store data at new locations and revise the data map.
As a result, only logical sanitization (not readable using standard ATA or SCSI commands) is achieved, because data assumed to be overwritten remains intact and readable.
What the researchers found
The research team then set about determining which if any of the sanitizing methods made it impossible to recover data from an assortment of SSDs. To begin, 12 different SSDs were sanitized using the computer’s built-in sanitize command (legacy ATA/SCSI “Erase Unit” command). Only four were sanitized completely. The paper concludes this approach was not reliable and to be avoided.
Next, the researchers tried overwriting the entire visible address space of an SSD. They determined running the whole-disk (to avoid the FTL issue) overwriting process twice (for those remembering my Coca Cola question) is usually, but not always, sufficient to sanitize the drive. The researchers then added a note of caution, “Overall, the results for overwriting are poor: while overwriting appears to be effective in some cases across a wide range of drives, it is clearly not universally reliable.”
The researchers tried degaussing (designed to erase magnetic-style memory) the flash memory and it had no effect, the data remained intact. Trying to sanitize a single file was the next test. Simply put, none of the existing hard drive-oriented techniques for individual-file sanitization were effective when applied to SSDs.
The bright spot was encrypted SSDs, effectively deleting the encryption key makes the stored data useless. The one concern forwarded by the researchers is that there is no way to verify that the memory locations storing the encryption key data were sufficiently sanitized.
The research team did not come out and say it, but reading between the lines has one believing there is no reliable way to sanitize SSDs other than physically destroying the device.
Working on a solution
On the NVSL website, the researchers made mention they have a solution:
“At NVSL, we have designed a procedure to bypass the flash translation layer (FTL) on SSDs and directly access the raw NAND flash chips to audit the success of any given sanitization technique.”
The fix means simply adding three extensions to the FTL firmware. The hard part, it appears, is getting SSD manufacturers’ buy-in.