Just read the materials at the bottom of this site:
(NOTE: Please read the papers at the bottom of this site in their entirety before you reply to this post with an opinion.)
Couldn't help but notice a few things. First of all, this quote:
"We conclude that the complexity of SSDs relative to hard drives requires that they provide built-in sanitization commands. Our tests show that since manufacturers do not always implement these commands correctly, the commands should be verifiable as well. Current and proposed ATA and SCSI standards provide no mechanism for verification and the current trend toward encrypting SSDs makes verification even harder."
Also, noticed one of the SSDs they tested was an SLC 32GB (no model or manufacturer specified, but could be the X25-E series).
A key point here is that even though Intel (SSD Toolbox) or CMRR (HDDErase) has supplied tools for "erasing" your SSDs, it does NOT mean those SSDs should ever be released or tossed in the trash if they ever held confidential information (which they most likely have, if you consider passwords, credit card numbers, or SSNs confidential). In the case of government, it means you shouldn't use a classified SSD and re-use it on an unclassified system, even after sanitizing.
Intel, can you provide some insight to this issue regarding your products? Specifically, will the SSD Toolbox verify and confirm all data is erased from an SSD, including any and all over-provisioned or "marked bad" data blocks? And, are there any tools which can let us, the end-user, visually check every writable bit of flash memory on the SSD?
Thanks to all for any input.
Sanitizing storage media to reliably destroy data is an essential aspect of overall data security. We have empirically measured the effectiveness of hard drive-centric sanitization techniques on flash-based SSDs. For sanitizing entire disks, built-in sanitize commands are effective when implemented correctly, and software techniques work most, but not all, of the time.
I want to point out the above.
What tool do you propose to check every readable bit of NAND? (Writable bit does not cover everything.) How would that tool work... what data would it present in an end-user usable form?
The conclusion (which you pointed out) only emphasizes purging techniques need more attention. Key phrases are "when implemented correctly" and in this context they are discussing the manufacturer's implementation, not the end-user's execution of it. "..most, but not all, of the time" is unacceptable when dealing with confidential or classified data. In other words, we (the end-users) should not (and cannot) trust the manufacturer to securely erase our data from their SSD without an additional verification process.
You asked about a proposed tool. As a mere example, a good start would be something similar to a forensic analyzer (such as you'd use to examine sectors on, or nibble bytes from, an HDD) but one which understands the addressable and non-addressable space within the SSD. It's because of this lacking area that the scientists literally tore out the chips and built a hardware analyzer. You read the entire article, right?
At the very minimum, a verification tool should check and count every writeable bit (or byte) to confirm it erased or not erased, including any over-provisioned space (used for extending life expectancy of the SSD) which is normally NOT accessible to the end-user, as well as any "bad" pages or blocks remapped by the firmware. "Secure erase" does not do this, thus the very fast "completion" of the command.
In theory, SSDs are easier to "secure erase" than HDDs, and the result will be much safer.
If all the NAND cells of a SSD are set to their "cleared" or "ready to write to" state, there is no chance of recovering the data that was previously written on them. A single over-write of anything ('0', 'Z', etc) to the full capacity of an SSD will cause most if not all of the previous contents to be gone forever.
In HDDs, when the magnetic material used to store data is over-written, a remnant of the previous state the bit was in remains, and with the appropriate equipment can be retrieved. Apparently, that can be done even with several writes on top of the old data, as the DOD's specification for erasing data from HDDs calls for, I believe, 10 or more over-writes of the data before the other data can no longer be read forensically.
The question then becomes, do any of the "secure erase" tools actually perform a full clearing (for lack of a better term) of all the NAND cells? Or is there a lesser but equally effective equivalent to that? Add to that, the apparent issue of the SSD's controller or the FTL stopping a complete clearing of the NAND from occurring, as implied in the article.
For example, when the Intel SSD Toolbox Secure Erase option is said to "erase all data on the selected secondary SSD", and we assume the SSD will be put into its "new, factory fresh" state, are both of those things actually happening? I would say the chances of that are much better with the Toolbox than with other programs. We should actually be educated as to what "erase" and "factory fresh state" actually is.
But as always with things in the world of computers, it is blissfully easy to conjecture, point fingers, and pass judgements upon extremely complicated things from our ivory tower of ignorance.
Regardless, if one wants to secure erase their SSD before disposing of it, I recommend giving it to a group of children or teenagers and challenge them to break it, or just give it a good shot with a hammer. Easier than a HDD, like I said earlier.
"If all the NAND cells of a SSD are set to their "cleared" or "ready to write to" state, there is no chance of recovering the data that was previously written on them. A single over-write of anything ('0', 'Z', etc) to the full capacity of an SSD will cause most if not all of the previous contents to be gone forever."
For the average consumer, this may be, in theory, an acceptable state of clearing, but for corporate and government simply resetting the SSD to its zeroed state (as implied by your quote) is most likely not enough. If you reference the second article on the subject website, "SAFE: Fast, Verifiable Sanitization for SSDs," you'll see that there are multiple steps recommended for trustworthy sanitizing because data CAN be recovered from flash/solid-state even after it's been erased. Data remanence is, and always has been, a serious issue with all forms of media, which is why a smart company would elect for proper destruction (even after sanitizing) whenever possible. However, forensic/laboratory data remanence recovery isn't so much a sticking point for me as is negligence.
If negligence begins with the manufacturer, we have a serious problem on our hands no matter what kind of end-user we are. If a manufacturer's tool or firmware or implementation claims to do something, and it doesn't, then what? I believe the reason the researchers left out the branding/identification of their sample SSDs in those papers is due to the extremely high potential for lawsuits.
So a few questions remain for Intel to answer: Can they certify that the clearing functions work as expected and intended, and is there a way to verify it after it has occurred? If we were to discover the SSD Toolbox isn't actually clearing all the data, should we call our lawyers?
For the average consumer, this may be, in theory, an acceptable state of clearing, but for corporate and government simply resetting the SSD to its zeroed state (as implied by your quote) is most likely not enough.
if secure erase is implemented correctly, it is enough to render the data irretrievable. however, this may not be enough to satisfy the security policy of the company or government agency you work for, in which case you should probably do what they require you to do even if it is overkill.
"if secure erase is implemented correctly, it is enough to render the data irretrievable."
Key word: IF. (And "irretrievable" is subjective depending on the sensitivity of the information and disposition procedures.) (Editing for clarification: The more sensitive the data is, the less likely clearing or erasing alone, should it work correctly, is the best solution. Government and corporate espionage is a lucrative market, and data remanence makes recovering "erased" data quite easy with just a few tools.)
Ignorance is not bliss in this SSD community. As I mentioned before, data remanence isn't why I started this thread. That big fat "IF" you stated above is the reason, and I wouldn't wish for anybody using these products to have it come back and bite them in the @$$.
Well mistermokkiri, you stated the facts and regrettably they were ignored. So irretrievable is subjective... and the more sensitive the data is apparently means the more difficult it is to remove. Oooh-kay. Bureaucrats are able to ignore the technical realities because of course they just know better.
Of course the need for correct implementation of SSD erasure is a good point, and that has yet to be determined. That is true and I am not challenging that point. Although the term "secure erase" is used in Intel's SSD Toolbox, can you show me where Intel or other SSD manufacturers advertise their products as being guaranteed to have the data on them removed to government specification? What tool do they specify to do that?
"you'll see that there's multiple steps recommended for trustworthy sanitizing because data CAN be recovered from flash/solid-state even after it's been erased."
IMO, whomever made that statement is wrong. Of course it is a general statement, ignoring the technical details, which I won't go into since I imagine you'll ignore them.
I would honestly like to know how data is retrieved from NAND memory once it has been cleared, that is a fascinating concept, I'd truly like to learn about it, no sarcasm intended.
"...can you show me where Intel or other SSD manufacturers advertise their products as being guaranteed to have the data on them removed to government specification?"
Yes, I can. It's clearly defined in the ATA/ATAPI/SCSI specifications for secure erase, not from a government agency, and which was researched and submitted by the CMRR (Center for Magnetic Recording Research), again not a government agency. I'll save you some effort:
"The current ATA specification for Normal Erase mode states that the SECURITY ERASE UNIT command shall write binary zeroes to all user accessible data areas."
So, as you can see, secure erase has nothing to do with government specifications. It has to do with community-defined specifications, and clear expectations, neither of which is apparently being met as per the website referenced above. This is even before we address the topic of data remanence (the part you would be fascinated by, apparently, should you choose to read it).
So, let's not talk about who has ignored which facts.
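As an added illustration (not code from this thread, from Intel, or from the cited papers) of the end-user check the thread keeps asking for: after a Normal Erase, which the quoted ATA text says must leave all user-accessible LBAs as binary zeroes, read every LBA back and count any that still hold something else. It runs on a constructed image file here and assumes 512-byte sectors; pointed at a block device it scans only the user-accessible area, so over-provisioned and firmware-remapped blocks remain invisible to it, which is exactly the gap the thread describes.

```python
import os
import tempfile

BLOCK = 512  # assumed logical sector size

def scan_for_residue(path, erased_byte=0x00, chunk=1 << 20):
    """Read every byte of the user-accessible area at `path` (a block
    device such as /dev/sdX, or an image file) and count LBAs that hold
    anything other than `erased_byte` (0x00 for Normal Erase).
    Returns (total_lbas, dirty_lbas, first_dirty_lba or None)."""
    clean = bytes([erased_byte]) * BLOCK
    total = dirty = 0
    first = None
    with open(path, "rb", buffering=0) as f:
        lba = 0
        while True:
            data = f.read(chunk)
            if not data:
                break
            for off in range(0, len(data), BLOCK):
                sector = data[off:off + BLOCK]
                if sector != clean[:len(sector)]:
                    dirty += 1
                    if first is None:
                        first = lba
                lba += 1
            total = lba
    return total, dirty, first

def make_sample_image(path, n_lbas, dirty_lbas, erased_byte=0x00):
    """Constructed stand-in for a drive after an incomplete erase: every
    LBA is zeroed except those listed, which keep leftover content."""
    with open(path, "wb") as f:
        for lba in range(n_lbas):
            if lba in dirty_lbas:
                f.write(b"LEFTOVER-PLAINTEXT".ljust(BLOCK, b"\xAA"))
            else:
                f.write(bytes([erased_byte]) * BLOCK)

def demo():
    """Build a 2 MiB constructed image with two surviving LBAs and scan it."""
    d = tempfile.mkdtemp()
    img = os.path.join(d, "ssd.img")
    make_sample_image(img, n_lbas=4096, dirty_lbas={7, 3000})
    result = scan_for_residue(img)
    os.remove(img)
    os.rmdir(d)
    return result  # (4096, 2, 7)

if __name__ == "__main__":
    total, dirty, first = demo()
    print(f"{dirty}/{total} LBAs still non-zero; first at LBA {first}")
```

A non-zero count after a Normal Erase means the command did not do what the specification says, which is the verifiable failure the thread is asking the manufacturer about; a zero count says nothing about space the interface never exposes.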
Any response to this thread?
Can you guarantee your SSD Toolbox erases all flash memory on your SSD products, or report when it hasn't/can't?
Is there a way or a tool for the end-user to verify all areas have been erased or attempted to be erased, including over-provisioned space and "bad" pages?
It really would be helpful to a large portion of the community if you could shed some light on this issue, or at least let us know you care and are looking into it...