According to research carried out by the Non-Volatile Systems Laboratory at the University of California San Diego’s (UCSD), techniques designed for sanitising hard drives are unreliable at erasing SSDs, especially single files and the same goes with the built-in secure erase commands of some SSDs.
Due to SSD’s wear levelling, when a sector or file is overwritten with new data, the SSD will use different NAND blocks to write the new data, so while the sector or file may appear to be overwritten to the operating system, on the NAND itself, the original data may still be left intact for a long time.
As a result, even with the most advanced hard disk sanitisation methods, the laboratory was still able to recover between 10MB and 1GB of data by directly accessing the NAND flash chips. While 10MB may not seem like a lot of data, if the SSD was used in a database server, 10MB could potentially mean 1,000′s of records left intact and a serious data leak if this fell into the wrong hands, depending on what type of information the database held.
Most modern SSDs have a built-in secure erase feature, but the laboratory found that these can be unreliable and in a few cases left all the data fully intact on the NAND. Some SSDs such as with the Sandforce controller will automatically encrypt data on the fly to prevent the NAND from being directly read, so in theory any remaining data after a traditional sanitisation method or secure erase would be unrecoverable, assuming the controller’s security is not compromised.
One sanitisation method not mentioned, but which many large organisations use is with hard drive degaussers. As SSDs do not use magnetic fields to store data, a hard disk degausser would very likely leave all the data intact on an SSD. Another potential issue is hybrid hard disks, which cache frequent read operations on NAND to give SSD-like performance.
On a hybrid hard disk, a hard disk degausser would blank the platters, but leave the NAND data intact. The same would happen with a regular sanitisation technique, since as a regular sanitisation involves pure write operations across the platters, the NAND would be left intact due to the lack of read operations from the sanitisation process. For the Seagate Momentus XT series, there would be up to 4GB of data left and with the NAND being used for frequent read operations, there is the possibility of recovering up to 4GB of sensitive information if the drive was not encrypted, assuming the drive does not encrypt the NAND.
