How does this process differ with SSDs? Does trimming the drive with
disk optimizer remove the files completely?
We need to consider:
- LBA sectors are dynamically mapped to physical NAND addresses
- There's typically over-provisioned space that's not mapped to any LBA
- TRIM =/= Erasure
- Compression: data may be compressed by the firmware prior to being written to NAND
Over-provisioning
Take a 240 GB SSD as an example. One might expect that zero-filling those 240 GB overwrites every LBA block with zeros, making the data unrecoverable.
This is incorrect: we are more likely dealing with a drive that carries 256 GB of NAND, and the 'missing' space is reserved for over-provisioning at the firmware level. The host can never address it through LBAs, so writing through the normal interface will not touch it directly.
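The arithmetic is simple to sketch; the 240/256 GB figures below are just the example numbers from above:

```python
# Over-provisioning on a hypothetical 240 GB (user-visible) / 256 GB (raw NAND) SSD.
USER_CAPACITY = 240 * 10**9   # LBA-addressable space advertised to the host
RAW_CAPACITY = 256 * 10**9    # physical NAND actually on the drive

# Space the host can never address through LBAs:
hidden = RAW_CAPACITY - USER_CAPACITY
op_percent = hidden / USER_CAPACITY * 100

print(f"Hidden over-provisioned space: {hidden / 10**9:.0f} GB ({op_percent:.1f}% OP)")
# A full zero-fill of the 240 GB of LBA space cannot touch those 16 GB directly.
```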
TRIM =/= Erasure
Many mistake 'trimming' for erasing data. This is not correct. TRIM is a command that allows the OS or a utility to tell the drive: "I will not be needing these LBA blocks anymore, do with them as you please".
Typically the SSD firmware un-maps these LBA addresses. If you then read from them, the drive does not actually read the underlying NAND, but typically returns zero-filled sectors (RZAT, Return Zeros After Trim). If you write to them, available physical sectors are mapped to these LBA addresses.
The unmapped sectors are part of pages; a page is the smallest area an SSD can write to. Until the SSD firmware actually erases the blocks holding these pages, the data is still physically present on the NAND: it is not securely erased and could be recoverable.
Linux tools exist that allow 'trimming' a drive, and Windows ports of these exist too. Although they let you 'zero' a drive quickly, this does not guarantee the data is actually erased, even though you may only be able to read zeros back through the normal interface.
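As a sanity check (not proof of erasure), one can sample blocks and confirm they read back as zeros. A minimal sketch, where the device path and sample count are assumptions; note this only tells you what the firmware returns, not what is still on the NAND:

```python
import os
import random

def reads_back_zeros(path, samples=64, block=4096):
    """Sample random block-aligned offsets and report whether every sampled
    block reads back as zeros. This only checks what the device *returns*
    (e.g. RZAT behaviour after TRIM), not what is physically left on NAND."""
    zero = bytes(block)
    with open(path, "rb") as f:
        size = f.seek(0, os.SEEK_END)
        if size < block:
            f.seek(0)
            return f.read() == bytes(size)
        for _ in range(samples):
            f.seek(random.randrange(size // block) * block)
            if f.read(block) != zero:
                return False
    return True

# Usage (device path is an example; reading block devices needs privileges):
# print(reads_back_zeros("/dev/sdX"))
```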
A data recovery lab may be able to recover data using equipment like the PC3000.
Compression
Compressing data at the firmware level before writing it to the NAND memory has been an idea for a while and is now actually being implemented. Not every SSD does it, but it is something you should consider as a possibility when settling on a secure erase method.
One practical implication: if we use a so-called zero-filler to overwrite existing data, zeros compress extremely well, so the amount of data actually written to the NAND may be far less than you expect.
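The effect is easy to demonstrate with any general-purpose compressor; zlib here merely stands in for whatever scheme the firmware might use:

```python
import os
import zlib

chunk = 1024 * 1024            # 1 MiB of each kind of data
zeros = bytes(chunk)           # what a zero-filler writes
rand = os.urandom(chunk)       # high-entropy, non-compressible data

print(len(zlib.compress(zeros)))  # on the order of 1 KB: zeros collapse almost completely
print(len(zlib.compress(rand)))   # roughly 1 MiB: random data does not compress
```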
So, how?
From the above we can distill that we need to write non-compressible (high-entropy) data to the drive to overwrite the existing data, and that we need to write, say, twice the amount of LBA-addressable space to have some certainty the over-provisioned space is overwritten too.
Even then, this still isn't a guarantee that all data is overwritten if we consider, for example, discarded blocks (removed from the pool due to media errors).
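A minimal sketch of such an overwrite pass, using `os.urandom` as the source of high-entropy data; the target path, pass count, and chunk size are all assumptions, and as noted above this still cannot reach retired blocks:

```python
import os

def random_overwrite(path, total_bytes, passes=2, chunk=4 * 1024 * 1024):
    """Write `passes` x `total_bytes` of non-compressible random data to
    `path` in `chunk`-sized writes. Writing ~2x the LBA-addressable space
    is a heuristic to also cycle through over-provisioned NAND; it is not
    a guarantee (e.g. retired blocks stay untouched)."""
    for _ in range(passes):
        with open(path, "wb") as f:
            remaining = total_bytes
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())

# Usage (example path and size; on a real drive you would open e.g. /dev/sdX):
# random_overwrite("/dev/sdX", 240 * 10**9)
```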
Alternatively, we can rely on built-in secure erase methods as specified in the various interface specifications (ATA Secure Erase, NVMe Format/Sanitize, etc.).
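These built-in methods are normally driven from userspace tools such as hdparm (ATA) and nvme-cli (NVMe). Since the commands are destructive, the sketch below only builds the command lines rather than running them; device paths and the password are placeholders:

```python
def ata_secure_erase_cmds(dev, password="p"):
    """hdparm's two-step ATA Secure Erase: set a user password, then erase."""
    return [
        ["hdparm", "--user-master", "u", "--security-set-pass", password, dev],
        ["hdparm", "--user-master", "u", "--security-erase", password, dev],
    ]

def nvme_secure_erase_cmd(dev):
    """nvme-cli Format NVM with Secure Erase Setting 1 (user data erase)."""
    return ["nvme", "format", dev, "--ses=1"]

# These argv lists would be handed to subprocess.run(); printed here for illustration:
for cmd in ata_secure_erase_cmds("/dev/sdX") + [nvme_secure_erase_cmd("/dev/nvme0n1")]:
    print(" ".join(cmd))
```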
https://www.usenix.org/system/files/conference/inflow14/inflow14-zuck.pdf - on firmware-level compression
https://www.intel.com/content/dam/www/public/us/en/documents/technology-briefs/ssd-520-tech-brief.pdf - on firmware-level compression
https://en.wikipedia.org/wiki/Entropy_(information_theory) - on 'entropy'
https://blog.elcomsoft.com/2019/01/life-after-trim-using-factory-access-mode-for-imaging-ssd-drives/ - on recovering data after TRIM