FBI/NSA recovering deleted files

I’m reasonably familiar with the fact that deleting a file on the hard drive simply removes the link to the various sectors where the file is written. Those actual ones and zeros are still there until a newly created file overwrites those sectors. The ones are simply a small spot that is magnetized. A zero has no magnetism. You can overwrite a “deleted” sector with a program that writes ones to every location, or maybe random ones and zeros a bunch of times.

But what I recall from decades ago was that even though those spots have been overwritten there is a chance that somehow the original data has “burned in” and can be recovered. This is super spy type recovery probably by the NSA or something. It involved the fact (?) that the spot was relatively large compared to the magnetic coil on the read/write head and the head might have magnetized one portion of the spot and subsequent operations could have been writing to a different spot. That seems like a lot of maybes and “could haves” to really work. Was this ever a real thing? If so, has this “flaw” been corrected over the years?

Not as a well-known technique: Data remanence - Wikipedia

You will, however, note that overwriting data is not considered an acceptable technique of data sanitization by the DoD, only degaussing or physical destruction of the drive.

All of your hard drives are encrypted, anyway, right?

Is that new? Norton used to (1990’s) claim it could wipe drives to DoD standards. IIRC all 1s on the first pass, all 0s on the second, then three passes of random 1s and 0s.

ETA: read the link after posting.
Answer to self: Yes new after 2007

Related question—is recovering deleted files from solid state drives (SSDs) as easy as regular hard drives? Do you need to overwrite data on them too?

  1. Yes, recovering data is as easy on an SSD. It’s still doing the same thing - re-writing the first character as a 0, until the data is over-written.
  2. Yes, overwriting the data is the only way to make sure that it’s gone forever.

Speaking with experience, when the previous hard drives died, you had a chance or two to get the plates to spin up so you could recover the data (e.g. the freezer trick). However, when these SSDs die, they are dead-dead, and it’s really difficult to get stuff back in a non-professional way.

It’s actually harder on an SSD to reliably unrecoverably delete data. Read @DPRK’s cite in post 2 for more.

The SSD is lying to the motherboard and the motherboard is lying to the OS. Which might be lying to you, the end user.

Getting past all the lying to force the SSD to really truly delete everywhere the data is or ever was is a tallish order.

All this is vastly more complicated now than back in the 1980s with a small spinning HD on a PC.

At one time I worked for a disk drive company on the read/write systems. There were ways to go slightly off-track and read “erased” data from the remnants. We were told that some companies used this to recover data from erased files, but it was extremely expensive. Surely the NSA knows this trick.

Here is a research paper from 2008 (should be freely readable at that link) that gives the answer as “no.” They put drives under an atomic force microscope to see what they could get. They couldn’t get much. Data has only gotten denser on drives since the article was written—it’s only gotten harder.

From their conclusions:

The forensic recovery of data using electron microscopy is infeasible. This was true both on old drives and has become more difficult over time. […] The fallacy that data can be forensically recovered using an electron microscope or related means needs to be put to rest.

I am right this moment truly deleting everything on an SSD. I do this by completely filling the SSD with pseudorandom data. It doesn’t matter that each layer is lying to each other layer about what is happening; once the drive is full, all old data has been overwritten. I don’t care where the data happened to land or that any particular block contains any particular piece of data.

Yes, the SSD has reserve blocks which I can’t overwrite this way. Anyone else who gets the drive is going to have as hard of a time reading them as I do writing them.

Once the disk is full, I erase the files, and trim the drive. Some SSD drives have a “secure erase” feature, which should erase everything including the reserved blocks.

After all of that, I can be pretty sure the drive is clean enough to let someone else put it in service.
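An added illustration of the point the last two posts are making (not part of the thread, and not any real drive’s firmware): a constructed Python model of a flash translation layer. It shows why overwriting a block in place leaves the old page physically present, why a single full fill can leave a stale copy in the spare (over-provisioned) area, why a trim only marks pages for later collection, and why a secure erase clears everything. The `ToySsd` class, its page counts and the `SECRET` sample are all assumptions made for the model.

```python
"""Constructed model of a flash translation layer (not any real firmware).

An SSD never overwrites a physical page in place: new data goes to a free
page, the old page is left as stale garbage until garbage collection (GC)
erases it, and spare (over-provisioned) pages let stale copies outlive a
host-visible "overwrite".  remnants() plays the role of a chip-off read of
the raw flash.
"""
import os


class ToySsd:
    def __init__(self, logical_blocks, spare_blocks, page_size=16):
        assert spare_blocks >= 1, "a write-out-of-place drive needs spare pages"
        self.page_size = page_size
        self.logical_blocks = logical_blocks
        self.pages = [None] * (logical_blocks + spare_blocks)  # raw flash
        self.map = {}                       # logical block -> physical page
        self.free = list(range(len(self.pages)))
        self.stale = set()                  # unmapped pages, data still present

    def _gc(self):
        """Erase stale pages. This firmware only does so when it has run out
        of free pages, which is pessimistic but legal behaviour."""
        for p in self.stale:
            self.pages[p] = None
            self.free.append(p)
        self.stale.clear()

    def write(self, lba, data):
        assert 0 <= lba < self.logical_blocks and len(data) == self.page_size
        if not self.free:
            self._gc()
        new = self.free.pop(0)
        self.pages[new] = data
        old = self.map.get(lba)
        if old is not None:
            self.stale.add(old)             # host thinks this is gone; it is not
        self.map[lba] = new

    def read(self, lba):
        p = self.map.get(lba)
        return self.pages[p] if p is not None else bytes(self.page_size)

    def trim(self, lba):
        """Host reports the block unused; the page merely becomes stale."""
        p = self.map.pop(lba, None)
        if p is not None:
            self.stale.add(p)

    def secure_erase(self):
        """Erase every physical page: mapped, stale and spare alike."""
        self.pages = [None] * len(self.pages)
        self.map.clear()
        self.stale.clear()
        self.free = list(range(len(self.pages)))

    def fill_with_random(self):
        """The fill-the-drive approach: write every logical block once."""
        for lba in range(self.logical_blocks):
            self.write(lba, os.urandom(self.page_size))

    def remnants(self, needle):
        """Pages anywhere in the raw flash that still hold needle."""
        return sum(1 for page in self.pages if page is not None and needle in page)


SECRET = b"TOP-SECRET-NOTE!"   # constructed 16-byte sample, exactly one page


def sanitisation_walkthrough():
    """Follow the steps in the post (overwrite, fill, delete+trim, secure
    erase) and report how many raw pages still hold SECRET after each."""
    ssd = ToySsd(logical_blocks=8, spare_blocks=2)
    ssd.write(5, SECRET)
    steps = {}
    ssd.write(5, os.urandom(16))                  # "overwrite the file"
    steps["after_overwrite_in_place"] = ssd.remnants(SECRET)
    ssd.fill_with_random()
    steps["after_one_full_fill"] = ssd.remnants(SECRET)
    for lba in range(8):                          # delete the filler, then trim
        ssd.trim(lba)
    steps["after_delete_and_trim"] = ssd.remnants(SECRET)
    ssd.secure_erase()
    steps["after_secure_erase"] = ssd.remnants(SECRET)
    return steps


def two_fills_leave_no_remnant():
    """A second full fill exhausts the free pool and forces GC to run."""
    ssd = ToySsd(logical_blocks=8, spare_blocks=2)
    ssd.write(5, SECRET)
    ssd.fill_with_random()
    ssd.fill_with_random()
    return ssd.remnants(SECRET)


if __name__ == "__main__":
    for step, count in sanitisation_walkthrough().items():
        print(f"{step:26s} pages holding secret: {count}")
    print(f"{'after_two_full_fills':26s} pages holding secret:", two_fills_leave_no_remnant())
```

In the model the stale copy survives the in-place overwrite, survives one full fill (it sits in one of the two spare pages) and survives a trim, because this firmware only collects garbage when it has no free page left; a second full fill or a secure erase removes it. Real firmware differs in when it collects, which is exactly why the thread lands on secure erase as the step that covers the reserved blocks.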

On a related note I read that removable (thumb) drives do not have a recycle bin so when you delete a file on them they are not cached for possible recovery.

What’s the freezer trick?

I like melting.

These are two different concepts. The Windows Recycle Bin is a programmed-recovery system: “Oops, I deleted this file when I shouldn’t have, my bad, I know it’s only been moved to the Recycle Bin so I’ll recover it intact from there and move it back to its original spot.” The Recycle Bin has a size limit so it will typically delete a file “for real” when it runs out of room. It’s true that thumb drives typically don’t participate in the Windows Recycle Bin: when you delete a file on a thumb drive, it’s “for real” and Windows won’t allow you to undo.

But what’s being discussed here is what happens after a file is deleted “for real”, without a Recycle Bin. Deleting “for real” is about deleting the directory entry: the file name, some metadata and the indication of where to find the content on the disk. On a spinning hard disk or a SSD or a thumb drive, the content itself is still on the media until something else happens to overwrite it. So, with appropriate software, if we hurry, we may be able to recover that deleted picture of a politician on a forbidden island, and the recovery software will call it IMG0000452.jpg because the original name is forgotten.

And, so the legend goes, even after the content is overwritten and this software-only approach has become powerless, the NSA may be able to get the data that was there before, using the magnetic equivalent of a séance.

IIRC once upon a time, in a galaxy far far away, the problem was that on overheated drives the head and the arm it was on could no longer align with tracks previously written. Putting the drive in a freezer would cause the arm to shrink to either line up with the tracks, or warp the head read angle to realign.

Modern mechanical drives are using all sorts of tricks to stuff more data onto the platters. One trick is shingles - the tracks slightly overlap, since the write has to write a larger area to ensure the signal is good enough for the read head. What the trick is, is to slightly overlap the writes, layering them like shingles. The problem is, this requires a whole set of tracks to be rewritten to update one track, so it’s best for a high-density, write-rarely, read-often use.

Also, an old recovery technique was based on the fact that heads would wobble randomly, so overwriting one track left the risk that one of the edges would still contain recoverable data with high-tech analysis. What you did get was fragments (blocks) that would indicate some of the content of a file, which for forensic or espionage purposes was probably informative.

I can testify that the “freezer trick” worked for me. This was perhaps 15-20 years ago and I should have realized the drive was failing because I was getting the clicking noise that was a known indicator. Put the drive in the freezer for a few hours, took it out, hooked it up temporarily and hanging out of the computer case and read what I could until it warmed up and stopped reading. Rinse and repeat. I’m much more careful about backups now.

If it were reliably possible to read the old contents of a drive, even after it’s been overwritten, then you could use those same techniques as part of the design of the drive to get a drive that holds twice as much data. And if, after using those techniques, it were still possible to reliably read the old content, you could use those techniques to hold four times as much data, and so on. Capacity is the main selling point for hard drives, so the manufacturers are always trying to do everything they can to increase the amount of capacity. Hence, one can conclude that it is not possible to reliably recover data this way.

Off-topic(?) Nitpick. That’s not how the recording details work. You would need separate clock bits to cope with long strings of zeros if you recorded that way. Instead “self-clocking” data is used. The Wikipedia article “Modified frequency modulation” describes a method from the 1970’s with exactly 1, 1½ or 2 transitions per bit (whether 0 or 1). Even more efficient methods are in use today.

Like the guys who have the brilliant idea to compress data even better by running it through two different compression programs one after another

This is what they tested in the article I cited. They found they could read about 1% of bytes in the best case (I think, it’s been a few hours since I read it), or maybe it was a 1% chance of reading any particular byte.

It’s an interesting idea, and at least for these people it did not work out when tested with actual microscopes. As @Chronos says, any data left behind is just more places to squeeze useful data.

Brain fart!

Best stated: The distance between transitions is always 1, 1½ or 2 bit times; that variation is how data is encoded.

I agree with your conclusion, but IMO the real world situation is not quite as open and shut as your syllogism would suggest.

It might, in principle, be possible to read a usefully large fraction of leftover data if the only way to do so was much slower or required much higher precision read heads than was economic for mass production use.

The “squeeze more data in if we can” motivation you describe is 100% real. But there’s a second half to that sentence: “… cheaply and at the same high speed as writing.” It turns out that in the real world there’s limited scope for such slower more precise reading to extract remanent data. But that’s more a matter of technology than principle.