Information Security
forensics data-recovery ssd flash-memory trim
Updated Sat, 09 Jul 2022 03:39:03 GMT

Data recovery from TRIMmed SSDs


Assuming a given SSD supports TRIM, and is on a physical bus that supports sending that command, and the connected computer is running an OS that is aware of TRIM:

If the drive is formatted, or has had its files erased, will the data be unrecoverable after the drive's firmware has performed its full garbage collection cycle? For example, 24 hours after the fact?

I know that TRIM was initially introduced to flag blocks for later erasure to speed up writes to the underlying flash memory. However, I'm wondering if this erasure means that the data is actually unreadable, even when a user is able to put the drive in factory access mode, or has access to the physical flash chips. I've read that the data is zeroed-out (DZAT) or some other deterministic value (DRAT) when accessed sector-by-sector through the typical SAS/SATA interface, for example when using the dd command in Linux, but that only covers blocks mapped by the FTL and of course does not necessarily mean the physical memory is erased.

Are fully TRIMmed blocks truly, completely erased, or only presented as such to the OS?




Solution

If you want to use regular drive electronics, the answer is, there's absolutely no way to recover the erased data blocks from flash storage like SSDs, USB sticks, SD cards, etc.

See https://www.silicon-power.com/blog/index.php/guides/nand-flash-memory-technology-basics/ for some info on how flash memory storage works.

The tricky part of securely erasing an SSD comes from knowing that the data blocks you want to erase, have actually been erased, and are not just in the garbage collection queue, or in the reserve space area, or in some other special SSD controller area of storage.

There is also the possibility of some data still in blocks that are left over on the bad block list, that the drive is unable to erase any more times and has remapped those addresses to still working areas.

Something a lot of people seem to ignore, is that the SSD controller is continuously trying to maximise the number of erased data blocks. This is to maximise the drive performance. If the OS tells the drive to delete and TRIM (or UNMAP) all of the usable data areas then, giving the drive has long enough to complete the task, it should also cycle through the reserved space too. If the drive has zero remapped or bad blocks, then 100% of your data is unrecoverable, even by data recovery businesses.