Erasing a Hard Drive? Not so Fast...
It’s surprisingly difficult to permanently and securely delete data from a Solid State Drive (SSD) or USB flash drive, some researchers have discovered. If you have a portable USB flash drive, or a laptop with an SSD hard drive, here's something you need to know...
Sanitizing Flash and SSD Hard Drives
I've written previously about erasing all the data from your hard drive, in my article Completely Erase a Hard Drive. So you may know that simply issuing the DELETE and/or FORMAT commands really just hides (rather than irretrievably erases) the data. That's why there are special programs written for that purpose.
What you probably didn't know is that those programs work very well for traditional magnetic hard drives, but not well at all for flash drives or SSD hard drives. Even worse, researchers at the Non-Volatile Memory Lab at UC San Diego have discovered that many solid-state drive vendors have not properly implemented the “sanitizing” features of SSD standards, leaving random clusters of data still on a supposedly “cleaned” drive.
Even physically damaging an SSD drive may not be enough. In a paper entitled, Destroying Flash Memory-Based Storage Devices, the researchers calculate how finely one must grind up a flash-based storage device to ensure that its contents can’t be retrieved by spies of three different levels of sophistication.
It’s not enough to just break a flash drive in half or drill a few holes in it. At the least, you must make sure the biggest piece is no more than 7.5mm (about ¼-inch) in its longest dimension. Frustrating a hypothetical worst-case spy who has unlimited resources and time requires grinding the storage device up into nanoparticles.
Why Is This Important?
The UCSD team's findings are important because there are lots of USB flash drives bearing sensitive data, and because SSD hard drives are the growing future of mass storage. Flash drives are small and cheap; they get lost or are casually discarded. SSDs are currently expensive but their prices are falling rapidly; eventually, they may surpass magnetic media as the most popular mass storage medium.
Even though the UCSD report was issued in 2011, there are plenty of USB flash drives still in use that are more than three years old. Ditto that for laptops with SSD hard drives. And even though the authors of the study suggested ways for solid state drive makers to improve the built-in sanitizing software, I can't find any evidence that they've done so. (If you can, I'd love to update this article with that information.)
There are standard commands programmed into drive controllers for sanitizing whole flash drives or specific files on a drive. Every drive maker incorporates these commands into its products in a proprietary program. The UCSD team tested the sanitizing effectiveness of a dozen vendors’ flash drives, with widely varying results.
The tests revealed that while some drives could be completely sanitized by overwriting the entire drive with random patterns of bits and then deleting the disk-filling file, none of the drives was 100 percent reliable in purging specific files. (Unfortunately, the study does not mention the actual brands or models used.)
The “Erase Unit” command to overwrite the entire drive was fully effective in only four of the dozen SSDs tested. One model reported that the drive had been completely sanitized but, in fact, did absolutely nothing! The drive partition could still be mounted and all of the data remained intact.
Sanitizing individual files was also erratically effective, or ineffective. Between 4 and 75 per cent of each “sanitized” file’s contents remained readable on SSDs. On USB flash drives, between 0.57 and 84.9 per cent of a “sanitized” file’s contents remained readable.
Part of the blame for these dismaying results clearly lies with vendors who write buggy drive controller software. But the international standard on which all such software is based is another culprit; it was written with magnetic media in mind, not electronic memory. SSDs and flash drives use a different, more complicated scheme to store data.
An Alternate Approach
The researchers recommend a different approach to ensuring that data is rendered permanently unreadable on electronic storage devices. Instead of overwriting the data, lock it up and throw away the key. Encryption software such as TrueCrypt or PGPdisk can apply 128-bit AES encryption to entire drives or individual files. Erase the key used to decrypt the data and it becomes virtually impossible to retrieve. (See FREE Encryption Tools to Protect Your Data)
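The difference between overwriting a file and encrypting it and then discarding the key can be seen in a small simulation, added here as an illustration and not taken from the UCSD paper or any vendor's firmware. It assumes a simplified flash model (the hypothetical ToyFlash class, with no garbage collection) in which every overwrite lands on a fresh page, and it uses a SHA-256 keystream as a stand-in for AES.

```python
import hashlib, os

PAGE = 512  # bytes per flash page in this toy model (assumption)

class ToyFlash:
    """Hypothetical, simplified flash translation layer: a logical overwrite
    lands on a fresh physical page; the old page stays in raw flash."""
    def __init__(self):
        self.raw = []   # physical pages, in write order
        self.map = {}   # logical page number -> index into raw

    def write(self, lpn, data):
        self.raw.append(bytes(data))        # never overwritten in place
        self.map[lpn] = len(self.raw) - 1   # the stale copy is only unmapped

def fingerprinted_file(pages):
    """Constructed test file: every page starts with a unique, searchable tag."""
    return [b"FP%06d|" % i + b"A" * (PAGE - 9) for i in range(pages)]

def keystream_xor(key, lpn, data):
    """Stand-in cipher (SHA-256 in counter mode), NOT AES; illustration only."""
    out = bytearray()
    for ctr in range(0, len(data), 32):
        block = key + lpn.to_bytes(8, "big") + ctr.to_bytes(8, "big")
        out += hashlib.sha256(block).digest()
    return bytes(a ^ b for a, b in zip(data, out))

def residual_percent(flash, pages):
    """Scan the raw flash contents and report the share of tags still present."""
    image = b"".join(flash.raw)
    found = sum(1 for i in range(pages) if b"FP%06d|" % i in image)
    return 100.0 * found / pages

def overwrite_sanitize(pages=64):
    flash, data = ToyFlash(), fingerprinted_file(pages)
    for lpn, page in enumerate(data):
        flash.write(lpn, page)
    for lpn in range(pages):                 # "secure delete" by random overwrite
        flash.write(lpn, os.urandom(PAGE))
    return residual_percent(flash, pages)

def crypto_erase(pages=64):
    flash, data = ToyFlash(), fingerprinted_file(pages)
    key = os.urandom(32)
    for lpn, page in enumerate(data):
        flash.write(lpn, keystream_xor(key, lpn, page))
    key = None                               # discard the only copy of the key
    return residual_percent(flash, pages)
```

In this model overwrite_sanitize() reports 100.0, because every original page is still sitting in raw flash, while crypto_erase() reports 0.0, because the pages left behind are unreadable without the key.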
If you're like me, you may have a drawerful of USB flash drives dating back ten or more years, and most of them are just too small to be useful nowadays. With this information in mind, it's wise to think twice about donating, selling or even casually disposing of any that could be storing sensitive data. The same applies to a laptop with an SSD hard drive. Unless you're 100% certain that your personal data can be permanently erased, it would be better to install a new SSD drive in the laptop, and do a fresh install of the operating system.
Of course, if your solid-state drive contains nothing of great value, putting it inside a paper bag and giving it a few good whacks with a hammer will probably be sufficient. A determined person would have to spend lots of time and money to recover the data. Encrypting the drive before inflicting physical damage would make recovery much more difficult. If you've got personal, confidential or proprietary business data on the drive, don't rely on tools written for magnetic drives. A commercial hard drive shredding service would be my recommendation.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 15 Apr 2014
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Erasing a Hard Drive? Not so Fast... (Posted: 15 Apr 2014)