Interview with Adrian Briscoe, general manager Kroll Ontrack for the Asia Pacific region
“SSD drives may be faster but they can be deadly if they are hardware encrypted and data is erased. iPhone 5 and iPad for example have encryption and the chance of recovery is almost nil,” he said.
Encrypted is the key word. There are two main types. The first is self-encrypting (SED) or AES hardware via an inline chip in the storage interface (like the iPhone). The other is software encrypted via a program like Truecrypt .
“For the hardware encryption, we have no way to recover data. For software encryption, we can usually access the key and that gives higher recovery odds. If you think you will need recovery do not use hardware encryption” he suggested.
Adrian told an interesting story “There are three main manufacturers of the traditional ‘SATA interface’ hard disk drives (HDD) – Western Digital, Seagate, and Toshiba. We can obtain spare parts to resurrect most of these in a cleanroom as they all conform to the universal standard. Even if a drive is non-functional, we can rebuild it and recover most, if not all data” he said.
“By comparison there are about 200 manufacturers of SSD drives. It is as simple as surface mounting flash memory on a controller card and the same equipment that makes toaster boards one day can be making SSD the next” Adrian said.
“The tried and true ATA standards don’t apply with each SSD manufacturer doing their own thing especially where SSD are surface mounted on the tablet and smartphone motherboards using a variety of interfaces and encryption.
Another issue is that data is not stored sequentially as it is on a HDD and SSD recovery is about painstakingly reassembling the data from millions of locations.
Adrian spoke about the vast difference between SSD memory chips in use. “Cheap SSD uses TLC (triple level cell), MLC (Multi level cell), eMLC (Enterprise MLC) but SLC (single level cell) is best and most expensive. Adrian points out that TLC based storage costs less than 25% of SLC but few consumers are aware of what they are buying.
“SLC has a theoretical endurance life of just over 6 years, eMLC about 2 years and MLC about 1 year. I won’t even predict the endurance life of TLC” he said. Adrian added that in data critical situations even traditional HDD’s must be replaced every few years despite having longer meantime between failure ratings.
Adrian’s advice is that if you use an SSD for mission critical purposes backup must be regular – the frequency of which depends on how it affects your business. “A financial company may need transactional level backup whereas a small business may get way with daily, weekly or even monthly backup” he said.
He was critical of the cost and speed of cloud backup but like all things admits it will get cheaper and ubiquitous. “I look forward to the day we don’t have to play ‘hero’ in recovering someone’s irreplaceable photos or corporate data – it will all be in the cloud” he said. In the meantime SSD has just made it that much harder.
While Kroll Ontrack is mainly concerned with data recovery, Adrian had some tales about sanitising HD and SSD especially if you are selling them or moving them on to other users.
Kroll OnTrack bought a second-hand laptop, rack mount server, and iPhone from the internet. The vendors claimed each had been properly sanitised (wiped).
“The iPhone contained personal text messages and images that had not been erased before it was offered online. While the server and laptop drives had been erased, the server had approximately 55GB of recoverable data in more than 70,000 files. It belonged to a financial services company” he said.
Kroll Ontrack perform secure erasure at a company’s premises or data centre and there is much more to it than deleting files and reformatting the drive. Adrian says that a HDD needs to be erased first using a certified program, then preferably degaussed (demagnetised) using special degaussing tool and in some case drill holes in the hard disk drive.
"SSD erasure will invariably leave about 10% of the data recoverable despite subjecting it to a DoD standard erasure” Adrian said. Format and deletion of the partition is no barrier to almost full recovery and currently most SSD’s require chips to be crushed to be sure.