Notifications
Clear all

Wiping SSDs  

Page 1 / 2
  RSS
pcstopper18
(@pcstopper18)
Member

Question
Can anyone recommend an effective way to wipe SSDs?

At this moment, I am aware that one could run traditional wiping methods (overwrites) but that may not work completely, and will degrade the drive more quickly over time than merely using a basic reformat and waiting on TRIM to do its work. I have read that some manufacturers have not implemented the TRIM design properly on their drives and as a result, TRIM may not be effective in some cases.

Context
Wiping system/storage drives between exams and for external storage or prior to release has been policy in places I have worked (accredited, obtaining accreditation) and I am just trying to find a way to do this that I can confirm will work.

Any thoughts greatly appreciated!

Quote
Posted : 04/09/2015 8:53 pm
bknowlton107
(@bknowlton107)
New Member

download the ssd "toolbox" directly from the manufacturers website which will allow you to run a wipe of the drive directly from the software.

ReplyQuote
Posted : 04/09/2015 9:09 pm
athulin
(@athulin)
Community Legend

Can anyone recommend an effective way to wipe SSDs?

Define 'effective'.

Just about any device that follows the ATA-6 protocol has a SECURE ERASE command. (Or was it present already earlier?) And it's entirely possible that specific manufacturers may have their own means of erasing.

That is, you need to understand the drives that you want to erase. Talk to the manufacturers for that.

At this moment, I am aware that one could run traditional wiping methods (overwrites) but that may not work completely, and will degrade the drive more quickly over time than merely using a basic reformat and waiting on TRIM to do its work. I have read that some manufacturers have not implemented the TRIM design properly on their drives and as a result, TRIM may not be effective in some cases.

There's a lot of 'may be's in there. Have you planned to do anything about them?

Doesn't matter what anyone suggests, you will have to verify. That will include possible points of variability – say different firmware releases. Test release A and it works – you still need to test release B.

ReplyQuote
Posted : 04/09/2015 10:24 pm
pcstopper18
(@pcstopper18)
Member

Ok, so I have manufacturer's software (bknowlton107) and SECURE ERASE (athulin). I have seen both of these as an option and will look into them further.

athulin

"Effective" as in when the wipe is performed, the drive is blanked (all zeros, all available, etc., etc.) regardless of the method or tool used.

There's a lot of 'may be's in there. Have you planned to do anything about them?

Doesn't matter what anyone suggests, you will have to verify…

I plan to confirm for myself once I have gathered as much pertinent information as I can, hence the

…I am just trying to find a way to do this that I can confirm will work.

ReplyQuote
Posted : 04/09/2015 10:59 pm
PaulSanderson
(@paulsanderson)
Senior Member

Just about any device that follows the ATA-6 protocol has a SECURE ERASE command. (Or was it present already earlier?)

I wrote BXDR over 10 years ago to utilise the secure erase function on IDE drives without looking it up - ISTR that the security feature set came in with ATA3

ReplyQuote
Posted : 05/09/2015 2:36 am
jaclaz
(@jaclaz)
Community Legend

The issue with ATA Safe/Secure Erase (when it comes to SSD's) may be that the manufacturer did not follow the specifications correctly, at least this is what came out
http//ru.belkasoft.com/en/why-ssd-destroy-court-evidence
http//www.usenix.org/events/fast11/tech/full_papers/Wei.pdf

We tested ATA commands for sanitizing an entire
SSD, software techniques to do the same, and software
techniques for sanitizing individual files. We find that
while most implementations of the ATA commands are
correct, others contain serious bugs that can, in some
cases, result in all the data remaining intact on the drive.


The wide variance among the drives leads us to con-
clude that each implementation of the security com-
mands must be individually tested before it can be trusted
to properly sanitize the drive.

Also
http//cseweb.ucsd.edu/~m3wei/assets/pdf/safe-paper.pdf
http//cseweb.ucsd.edu/~m3wei/assets/pdf/FMS-2010-Secure-Erase.pdf

In the meantime possibly the situation changed and the "new" ACS-2 Sanitize/Block Erase commands have been implemented, and in any case the information is make/model specific, as an example Kingston has a document
http//www.kingston.com/en/community/articledetail/articleid/10?Article-Title=SSD-Data-Wiping-Sanitize-or-Secure-Erase-SSDs
that while NOT actually stating it, implies that Kingston devices have the "classical" ATA ERASE command properly working.

jaclaz

ReplyQuote
Posted : 05/09/2015 3:40 pm
pcstopper18
(@pcstopper18)
Member

@jaclaz

This is the kind of information that was coming up in my initial research which is why I wanted to post the question to see if anyone else had either

- a method they knew worked that I could confirm with my drives
- or gather any methods that hadn't come up that I could test.

It seems that the most comprehensive method is to use SE, but to test each drive independently regardless of make or model as you and the authors noted.

I can also switch my OS drive to a HDD and just leave the SSDs for cache, pagefile, databases, etc., making a reformat operation sufficient for them.

Any other thoughts to add?

ReplyQuote
Posted : 05/09/2015 8:29 pm
jaclaz
(@jaclaz)
Community Legend

Yep the Safe Erase is the "best option", but there is no real reason to wipe the OS drive, while it is a good idea to re-image it from an image at each new case to avoid "remnants" or "cross contamination" see here
http//www.forensicfocus.com/Forums/viewtopic/t=13232/
the OS drive to all practical uses is only accessed as "logicaldrive" through the filesystem driver of the OS.

A disk drive where evidence is stored (a copy of) makes instead sense to be wiped before dding to it the evidence (if it is a clone or dd image), but it is also not really-really necessary from a technical viewpoint, if not to avoid explanations, whilst a "wipe after use=before re-use" has "security" advantages in the storage of the devices
http//www.forensicfocus.com/Forums/viewtopic/t=13055/

In a nutshell

  1. re-imaging (or formatting and reinstalling) the OS drive is not strictly *needed* but may be a good idea, but since no direct sector access is ever performed to it there is not much sense in wiping it
  2. wiping the evidence drive is not technically necessary, but is a handy way to avoid questions and helps in managing the storing of drives ready for re-use
  3. [/listo]

    So the issue IMHO only affect the cases where the SSD is the actual device where the evidence is stored and the risk is not much about cross contamination but rather with security of storage of used SSD's as in theory (and provided that you have a specific make/model where the Sata Erase has been poorly implemented) some data may be recovered from it.

    jaclaz

ReplyQuote
Posted : 06/09/2015 12:24 am
chanle
(@chanle)
New Member

Hi Preston !
My recommendation for wiping (sanitize) of SSDs is following
for
"classic" pattern based overwrite (of all user addressable areas) with 55(hex) or AA(hex) or a single random pattern (do not use 00 or FF !), 1 pass plus verify.
OR
use SECURE ERASE or ENHANCED SECURE ERASE, both methods need after erasure a deeper investigation per SSD type and firmware.
OR
Use manufacturer tools but only if state NIST 800-88 CLEAR (or PURGE) is guaranted.

For i recommend a combination of the above methods, last method must be a pattern based overwrite.
OR
do a classification and method based on NIST 800-88
-
Why i do not recommend SECURE ERASE and ENHANCED SECURE ERASE as universal methods
- there are too many faulty and incomplete implementations available.
- automatic and manual verification can be hard until not possible.

Christoph

ReplyQuote
Posted : 06/09/2015 9:23 pm
raydenvm
(@raydenvm)
Junior Member

One wiping cycle with plain WRITE SECTORS command would be completely enough.

To double-check that everything is wiped, there can be a reading cycle that compares every byte of every sector with pattern used for the wiping cycle before.

ReplyQuote
Posted : 07/09/2015 12:18 pm
pcstopper18
(@pcstopper18)
Member

Thanks all for the information thus far.

@jaclaz
I fully agree with your "in a nutshell", however I find it prudent to be proactive and have ways of doing something so I can, as you note, preempt discussion/questions on things that aren't a true concern but can be theoretically possible. (I am in a criminal justice/LE environment after all.)

@chanle
You mention using 55 or AA as a wiping pattern but not 00 or FF. Its the same type of pattern, so why do you say not to use those two?

@raydenvm
Although I understand your terminology, how exactly are you performing the "write cycle" and "read cycle"?

ReplyQuote
Posted : 08/09/2015 10:25 pm
raydenvm
(@raydenvm)
Junior Member

Nothing really special, just simple ATA commands.

Write cycle - WRITE SECTORS EXT commands covering full disk range from the first LBA till the last one.
Read cycle - READ SECTORS EXT commands for whole disk range as well.

ReplyQuote
Posted : 09/09/2015 1:39 am
jaclaz
(@jaclaz)
Community Legend

Nothing really special, just simple ATA commands.

Write cycle - WRITE SECTORS EXT commands covering full disk range from the first LBA till the last one.
Read cycle - READ SECTORS EXT commands for whole disk range as well.

Ok ) , so this needs to be asked
How exactly (running which OS and running which tool/commands) can you issue actual "simple" ATA commands?

Can you post an example of such "simple" commands and/or their sintax?

jaclaz

ReplyQuote
Posted : 09/09/2015 2:00 pm
raydenvm
(@raydenvm)
Junior Member

Just googled it a bit. Here is what I found for Linux
https://wiki.archlinux.org/index.php/Badblocks#read-write_Test_.28warningdestructive.29

Windows solution could be HDDSentinel with its WRITE + read test http//www.hdsentinel.com/help/en/61_surfacetest.html

I am pretty sure it is not difficult to find more tools on the Web. On top of that, any software engineer can write such a plain Write+Read wiper )

ReplyQuote
Posted : 09/09/2015 2:40 pm
jaclaz
(@jaclaz)
Community Legend

Just googled it a bit. Here is what I found for Linux
https://wiki.archlinux.org/index.php/Badblocks#read-write_Test_.28warningdestructive.29

Windows solution could be HDDSentinel with its WRITE + read test http//www.hdsentinel.com/help/en/61_surfacetest.html

Well, NO. (

Those are two examples of programs that DO NOT issue "simple ATA commands" whatever they issue is a SET of commands (and whether they are ATA commands or not is to be seen).

I am pretty sure it is not difficult to find more tools on the Web.

Sure. much more tools can be found, but the question was a tool capable of running the "simple ATA commands" you suggested.

On top of that, any software engineer can write such a plain Write+Read wiper )

Sure, and I will extend this to affirm that any hard disk manufacturer and most data recovery firms will have one, but again there are tens or hundreds of such tools, the question was about one that allows to use the suggested "simple ATA commands" as - AFAIK/AFAICT anything you can find works at a "higher" level and the actual "simple ATA commands" are leveraged through the OS driver for the device and rest assured that not *any* software engineer is capable to write an actual driver.

This is one of the tools that allows actually sending ATA commands
http//www.stbsuite.com/support/virtual-training-center/issuing-ata-commands
which at a mere US$ 4,995 apiece is not exactly what everyone can afford.

Most probably MHDD (Dos)
http//hddguru.com/software/2005.10.02-MHDD/
or WHDD (Linux)
http//whdd.org/
might do something *similar* but cannot say.

Udisks
http//www.freedesktop.org/wiki/Software/udisks/
may represent a valid tool, but sending a "simple" ATA command appears to be particularly "complex"
http//udisks.freedesktop.org/docs/latest/udisks2-ATA-commands.html

jaclaz

ReplyQuote
Posted : 09/09/2015 4:09 pm
Page 1 / 2
Share: