How Encryption And SSDs Can Make Data Recovery Harder

How Encryption And SSDs Can Make Data Recovery Harder

Don’t get us wrong: encryption is a sensible strategy for protecting private data and switching to a solid-state drive (SSD) provides impressive performance benefits. However, both approaches make the task of recovering data in the event of an emergency much more difficult.

[credit provider=”shutterstock”]

I caught up last week with Adrian Briscoe, APAC general manager for data recovery service Kroll Ontrack. Much of the impetus for data recovery activity is driven by natural disasters; for example, Kroll Ontrack’s US operations are still working through recovery operations associated with Hurricane Sandy. While that activity can’t be predicted, the shift towards encryption across a range of platforms and the increasing use of SSDs does make the task of retrieving data in the event of a hardware failure or natural disaster much more difficult. “With the development of encryption techniques, we are seeing more challenges with people recovering data,”

The difficulty with encryption isn’t so much when companies make a conscious choice to encrypt confidential data, but when encryption is added routinely to basic hardware elements. For instance, Western Digital drives now routinely utilise a hardware encryption bridge, which makes data recovery more complicated.

An obvious manifestation of the problem is on Apple’s iPhone platform, which both encrypts data and uses a non-conventional file system. That means in practical terms that once a file has been erased on a working iPhone, it’s virtually impossible to retrieve it, Briscoe said.

With SSDs, the difficulty is that failure of an individual chip can make recovering data across the entire drive much more time consuming. By Kroll Ontrack’s reckoning, recovering a single SSD can be more complex than recovering a 16-drive RAID array.

The key lesson? When you adopt new technologies, especially for work use, you need to ensure you have a plan for how you’re going to recover that information in an emergency. Whatever the platform, that starts with the basics: a proper continuous backup plan.


    • Yeah, that was a major flaw with spinning-platter disks: a deleted file should not be recoverable. SSDs and encryption making this harder is definitely A Good Thing.

      The difficulty pulling data off a physically damaged drive is less good, but I’ll accept the trade-off for better security.

      • Contrary to what a data recovery company looking to charge you extra for things people don’t understand would have you believe, SSDs are much easier to recover data from than mechanical drives. SSD storage cells have limited write cycles, so a firmware controller on the drive manages the cells to ensure writes are distributed as evenly as possible across the pool. At its simplest, that means if you write a text file “Hello” to your SSD, and it gets stored in cell 1, if you rewrite that text file to say “World” instead, it’ll get saved to cell 2 instead – and cell 1 remains. Sure, the index updates and says you only have one file, but with direct access to the cells you can very easily pull not only deleted files but a history of modified files too.

        There’s similarly no guarantee that a software-driven low level format will erase data on an SSD either, because cells that have been written to more times than the others already aren’t going to be written to again any time soon.

        • You’re correct, but TRIM changed that a bit.

          Before you can write to a flash cell the SSD has to erase what’s already on the cell. Older SSDs would perform this immediately before writing, which meant the data was recoverable but your write performance degraded badly(because after a while, every write operation had to be preceded by an erase)

          TRIM commands are meant to fix that problem. The OS sends a message to the SSD whenever a block can be cleared without issue, and then the SSD can do whatever it wants with the block. Most drives will gradually erase them in the background so that when it’s time for the next write operation they run at maximum speed. Once the blocks have been erased they’re essentially unrecoverable

          This does have a few caveats: Your drive and OS both need to support TRIM, so if you’re running XP it won’t affect you. It only erases entire blocks at once, so file fragments will probably remain.

          Wthout TRIM enabled, data recover is pretty easy – I’ve done it myself on some early SSDs. With TRIM, it gets much more difficult. Any time the drive is powered on it might be (and probably is) quietly clearing data.

          (disclaimer: I’m not an expert and might be off on a few details)

          • That’s pretty much correct, yeah. The problem is how the drive firmware handles a trim command. It’s similar to garbage collection in managed programming languages – for most purposes an object told to delete is gone, but when it’s actually physically erased is unpredictable and up to the algorithms of the garbage collector. My understanding is different manufacturers and even different models of SSD implement their garbage collection in different ways, so there’s no way to safely say ‘yes, this stuff is gone’. The trim command just flags a cell for wiping, you never know when, if ever, it’ll actually go.

Show more comments

Log in to comment on this story!