When it comes to securely deleting a flash drive or SSD we all know that simply overwriting is not secure due to wear leveling. It appears that even the much debated Gutmann 36 pass overwrite is not sufficient to say an SSD has been securely deleted.
So is the best option to simply encrypt the entire drive and then reformat it to like new?
Surely the 35 (unless one has been added lately) passes are (in the words of the Author himself)
https://
In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques. As a result, they advocate applying the voodoo to PRML and EPRML drives even though it will have no more effect than a simple scrubbing with random data. In fact performing the full 35-pass overwrite is pointless for any drive since it targets a blend of scenarios involving all types of (normally-used) encoding technology, which covers everything back to 30+-year-old MFM methods (if you don't understand that statement, re-read the paper). If you're using a drive which uses encoding technology X, you only need to perform the passes specific to X, and you never need to perform all 35 passes.
of very little use, however, it is not like "we all know that simply overwriting is not secure", as a matter of fact there is not a single, documented, report or publication reporting that any meaningful real world data has ever been recovered after a single overwrite.
The issue with SSD is not with wear leveling in itself, but rather with overprovisioning.
So if from day one you write all data to it encrypted, then you are fairly secure (and a single overwrite will do anyway) but if not encrypted data is ever written to the device there is the (very remote) possibility that it gets stored on an area that will be later re-mapped and an even more remote possibility that someone devises a way to access these (not anymore used) areas and read their contents.
Physical destruction is the top level kind of security, as it has always been.
jaclaz
I think running the ATA Enhanced Secure Erase command would be enough. It does not wipe cells; instead it regenerates the encryption key used to access all cells. With the new encryption key, all data in the cells turns into garbage. And there's no way to recover the previous encryption key. So as for me it is a forensically sound way.
Yes, in theory it is :) and normally works, but - at least for SSDs - the issue is that the actual WEI's research found that Secure Erase was not implemented correctly on a number of devices
http://cseweb.ucsd.edu/~m3wei/assets/pdf/safe-paper.pdf
http://cseweb.ucsd.edu/~m3wei/assets/pdf/FMS-2010-Secure-Erase.pdf
http://cseweb.ucsd.edu/~m3wei/assets/pdf/LISA2011-sanitize.pdf
and more generally other techniques, including encryption, rely anyway on the correct implementation in the SSD controller firmware.
See also
http://www.forensicfocus.com/Forums/viewtopic/t=9847/
So the theory applies ONLY in practice to the devices after they are tested and verified to be compliant.
It is entirely possible that in the 5 years since those papers were published all manufacturers made compliant devices but AFAIK no one bothered to do the tests (and/or report results).
jaclaz
Agree with you of course. The drives are different and it is difficult to be perfectly sure of how they function.
SSD firmware is not the only place where there can be bugs or, so to speak, alternate feature implementations. The same can be said about HDD firmware. To be perfectly strict, either verification is necessary for all storage devices including hard drives or we should rely upon 99%-working algorithms. There is no silver bullet to sanitize both SSDs and HDDs in an ideal manner. You can have one buggy drive among hundreds where data will remain after sanitizing.
Long story short, that turns into a problem of balance and depends on requirements needed for a court.
Anyway, were I a digital forensic investigator, I would do the following to sanitize the drive:
1) take my SSD
2) read first and last drive sectors, and 98 in between them
3) run Enhanced Security Erase command if drive supports it
4) repeat step 2 and compare all sectors
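
The sampling check in steps 2 and 4 above, sketched as an added example that is not part of the original post: it hashes the first sector, the last sector and 98 evenly spaced sectors before the erase, re-reads them afterwards, and flags any sector whose old content is still readable. The 512-byte sector size, the device path given on the command line and the report labels are assumptions; the erase command itself is issued separately with whatever ATA tool is in use, and the check only sees LBA-addressable space, not the overprovisioned areas discussed earlier in the thread.

```python
import hashlib
import os
import sys

SECTOR = 512  # assumed logical sector size

def sample_lbas(total_sectors, count=100):
    """First sector, last sector and count-2 evenly spaced between them."""
    if total_sectors <= count:
        return list(range(total_sectors))
    last = total_sectors - 1
    return sorted({i * last // (count - 1) for i in range(count)})

def snapshot(path, count=100):
    """Map each sampled LBA to (sha256 of the sector, sector was blank)."""
    result = {}
    with open(path, "rb", buffering=0) as dev:
        try:  # ask the kernel to drop cached pages so reads hit the device
            os.posix_fadvise(dev.fileno(), 0, 0, os.POSIX_FADV_DONTNEED)
        except (AttributeError, OSError):
            pass
        size = dev.seek(0, os.SEEK_END)  # also works on Linux block devices
        for lba in sample_lbas(size // SECTOR, count):
            dev.seek(lba * SECTOR)
            data = dev.read(SECTOR)
            blank = data in (b"\x00" * len(data), b"\xff" * len(data))
            result[lba] = (hashlib.sha256(data).hexdigest(), blank)
    return result

def compare(before, after):
    """Classify the sampled sectors once the erase has run (step 4)."""
    report = {"survived": [], "changed": [], "inconclusive": []}
    for lba, (digest, was_blank) in before.items():
        if after[lba][0] != digest:
            report["changed"].append(lba)
        elif was_blank:
            report["inconclusive"].append(lba)  # blank before and after
        else:
            report["survived"].append(lba)      # old data still readable
    return report

if __name__ == "__main__":
    device = sys.argv[1]                        # e.g. the SSD's block device
    before = snapshot(device)
    input("Issue the erase command now, then press Enter to re-read... ")
    report = compare(before, snapshot(device))
    print({kind: len(lbas) for kind, lbas in report.items()})
    sys.exit(1 if report["survived"] else 0)
```

A sector listed as inconclusive was already blank before the erase, so it proves nothing either way; sampling a drive that has real data in the sampled positions gives a more meaningful result.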