
I am trying to determine the security of an SSD drive and comparing Windows vs Mac for a project. Reading online, I understand all about trimming and how that process works, however I can’t determine how often each OS runs this process by default.

Is there any information on this available from either Microsoft or Apple?

It seems that both operating systems, for obvious longevity reasons, either don’t allow or make it very hard to manually clear all deleted data and I am attempting to determine how soon after deletion a file will be unrecoverable in its entirety from an SSD drive on either MacBook or Windows comparing, for instance, to the old style data wipe tools for HDDs, which could be run ad hoc and wipe data from a device in its entirety.

  • Open Windows Defrag - check its schedule. Sorry, I don't have Windows installed, so I can't check. AFAIK, it's probably once a week. Commented Aug 18, 2022 at 5:18

2 Answers


I am not a 'Mac person', but Windows usually sends the TRIM command right away. It is easy to test.

Make sure TRIM is enabled.


Now create a folder > stuff twenty or so files in there > select them > press DEL while holding SHIFT. Check the files using R-Studio; you do not even have to recover them, simply check their contents in HEX view.

In my tests I get zero-filled files, which suggests the data was trimmed (RZAT: return zeros after TRIM, which in my experience is most common).

More confirmation for example here: https://youtu.be/hzClnwGeJUM

Some make the mistake of assuming that since TRIM (also) runs scheduled, this is the only way TRIM runs in Windows. There can be all sorts of reasons that TRIM does not 'fire' or is simply dropped from the command queue, and the scheduled TRIM solves that.

So is data unrecoverable?

There is no simple yes/no answer.

  • TRIM is a command that merely informs the drive. The drive can drop the command. So, it's a way for the OS to let the SSD know, "hey, I will not be needing the data from LBA 21334 - 22000 anymore!".

  • Most common behavior is that drive returns zeros for 'trimmed' LBA ranges. IOW the drive does not even attempt to read the sectors, it 'knows' these were trimmed and just returns zero filled sectors.

  • TRIM does not mean erase. The trimmed pages are now simply 'stale' and, until the SSD firmware decides to erase them, the data may not be recoverable using file recovery tools, but a data recovery lab may still be able to recover the data. Most drives simply remove trimmed sectors from LBA user space, thus they can no longer be read, and again the firmware simply returns bogus data.

  • Even after the trimmed sectors are actually erased, data may be recoverable. The TRIM command is only valid for the last LBA addresses in which your data was stored. It's however not uncommon that multiple copies of sectors exist: firmware is constantly copying data from one page to the other to consolidate blocks that completely consist of stale pages. Only then can the block be erased. So although the LBA address for your stored data does not change, the physical location may change several times.

  • Only two options to really get rid of data: (1) delete the encryption key (many modern SSDs are self-encrypting (SED) even if you never asked to encrypt anything), or (2) run the enhanced secure erase type command that is built into the drive. In both cases we can only hope these mechanisms are properly implemented.
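To make the "make sure TRIM is enabled" step and the schedule question from the comments concrete, here is an added PowerShell check (not part of the answer above, and not an R-Studio feature) that reads the NTFS delete-notification setting, the built-in ScheduledDefrag task that performs the periodic retrim, and optionally forces a retrim now. It assumes an elevated PowerShell on Windows 10/11; the drive letter C is an assumption.

```powershell
# Added example (not from the answer): inspect how and when Windows issues TRIM.
# Assumes an elevated PowerShell on Windows 10/11; drive letter C is an assumption.

# 1. DisableDeleteNotify = 0 means NTFS/ReFS pass delete notifications (TRIM) to the drive.
#    A value of 1 means TRIM-on-delete is off, so the hex-view test above would still show old data.
fsutil behavior query DisableDeleteNotify

# 2. Confirm the disk is really classified as SSD; Optimize-Volume only retrims media
#    that Windows believes is solid state.
Get-PhysicalDisk | Select-Object FriendlyName, MediaType, BusType

# 3. The periodic retrim is the built-in ScheduledDefrag task. It is an automatic-maintenance
#    task, so its frequency lives in MaintenanceSettings rather than in a normal trigger;
#    LastRunTime/NextRunTime show when it actually ran and will run.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Defrag\' -TaskName 'ScheduledDefrag'
$task | Select-Object TaskName, State
$task.Settings.MaintenanceSettings | Select-Object Period, Deadline
Get-ScheduledTaskInfo -TaskPath '\Microsoft\Windows\Defrag\' -TaskName 'ScheduledDefrag' |
    Select-Object LastRunTime, NextRunTime, LastTaskResult

# 4. Force a full retrim of C: now (what the Optimize button does for an SSD).
#    This re-sends TRIM for all free space; as the answer explains, it still erases nothing by itself.
Optimize-Volume -DriveLetter C -ReTrim -Verbose
```

Run step 1 before the shift-delete test: if it reports 1, zero-filled files in R-Studio would be unexpected and something else is going on.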


Your question is based on a false premise that TRIM erases data. It doesn't.

TRIM marks a part of a drive as containing data that's not relevant anymore. The drive may then reuse that part at its convenience. It doesn't mean that the drive will proceed to erase it immediately. It will probably use that area at some point in the future for wear leveling, but you don't know when that will happen. Only the SSD controller knows.

The only reliable way of erasing data from SSDs is based on encryption: you have to destroy the secret that was used to encrypt it. Some drives transparently encrypt all data without being asked to, and securely erasing them is pretty easy: you just send a command that makes it forget the encryption key. But that will effectively erase the whole drive.

If you want to be able to erase individual files, you have to encrypt each of them individually, with a dedicated secret which you can't store on the same disk (for reasons which should already be clear). That's not very practical, so I would suggest a different approach: use full disk encryption and don't let untrusted users (and software) access your system. This will keep the remains of deleted files safe.

What exactly will work for you depends on your use case and threat model.

  • medium.com/@kepler.donald/… A little confused: that link suggests that macOS trims and deletes simultaneously, indicating that if trim has occurred, data is effectively irretrievable on a Mac device. Is this incorrect?
    – Richard C
    Commented Aug 18, 2022 at 14:57
  • @RichardC Yes. There's a lot of incorrect information in that article.
    – gronostaj
    Commented Aug 18, 2022 at 18:19
  • @RichardC It may be true to some extent with some drives which will report TRIMmed areas as empty, but that data may still be recoverable with specialized equipment. The goal of TRIM is not to securely erase data and you can't rely on it to do so. SSDs actually have more memory than they expose to the system and they rotate and shuffle memory blocks all the time as a part of the wear leveling process. The goal of TRIM is to optimize this process, not to erase blocks ahead of time to save time when writing.
    – gronostaj
    Commented Aug 18, 2022 at 18:25
  • Ok, so I have been reading, and several forensics papers point to the Trim/garbage collection process, rather than just Trim alone, making data pretty much impossible to recover without removing the chipset and getting the manufacturer to do high-level diagnostics. repository.stcloudstate.edu/cgi/… So I suppose the question is related to more than just Trim, but the process that takes place once Trim has occurred after deletion.
    – Richard C
    Commented Aug 20, 2022 at 22:28
  • @RichardC You can't control that process. It's entirely up to the drive's controller, as I already said in the answer. The real solution is to not keep raw unencrypted data on the drive. What is your use case?
    – gronostaj
    Commented Aug 21, 2022 at 7:10
