Failure SSDs

Delete data on the SSD completely and safely

David Wolski, Michael Schmelzle

The controller logic of an SSD controls all write processes in order to use memory cells as evenly as possible. A side effect: conventional programs cannot safely and completely erase SSDs. Only direct ATA commands allow a reliable reset of each individual memory cell. The guide shows which tools are available for this and how a complete reset of the SSD works.

SSDs use flash memory as the storage medium, which can only cope with a limited number of write processes, because over time the cells lose the ability to store charge. The memory cell then becomes “forgetful” and can no longer store any new data, but it remains readable. The less information the SSD has to save per memory cell, the more durable the cells are, and the more expensive the SSDs:

Current memory cells of the SLC (Single Level Cell) type can withstand between 100,000 write operations and store one bit per cell. In the end customer segment, this NAND type actually only occurs in Intel Optane SSDs. The single-layer 2D variant of the MLC flash memory (Multi Level Cell) can withstand between 10,000 and, as a stacked 3D NAND, up to 35,000 write operations and store two bits per cell. MLC-NAND is reserved for the expensive and fast SSDs, such as Samsung's PRO models in M.2 or 2.5-inch format.

SSDs with TLC memory (Triple Level Cell), which store three bits per cell and are designed for up to 300 (with 2D NAND) and up to 3000 (with 3D NAND) write cycles, are even cheaper. Popular SSD series include, for example, the Crucial MX and the Samsung EVO. At the lowest end of the durability scale are SSDs with layered QLC flash memory (Quadruple Level Cell), which store four bits per cell and are designed for a maximum of 1000 write cycles. QLC NAND is used, for example, in the very inexpensive Crucial P1 and Samsung QVO series.

Manufacturers therefore rely on a trick to avoid an early failure of memory cells: an internal controller distributes write commands evenly to all memory cells of the SSD, a technique known as wear leveling. Every write command that the operating system sends to the SSD is optimized by the firmware and distributed to different memory cells. The SSD itself decides where it writes which data.

The side effect: a reliable deletion and overwriting of data is not possible in the conventional way. Overwriting files multiple times or the entire SSD does not guarantee that the previously saved data is actually completely gone. For example, a team of researchers at the University of California led by Michael Wei has succeeded in reading supposedly deleted data from SSDs with a specially developed controller module (report).

In order to read data directly from SSDs, the research group led by Michael Wei developed this adapter.
© Michael Wei, Laura M. Grupp, Frederick E. Spada, Steven Swanson

Background: How deletion works at the file system level

In general, even with magnetic storage media, simple deletion does not completely remove the data from the disk. If you delete a file under Windows, Linux or another operating system, the previously occupied sectors are marked as free and writable at the file system level. The data itself is physically retained, however, until any new files that may have been added at a later point in time rewrite the same sectors. The reason for this approach is obvious:

The storage area of a file is quickly marked as free and usable again, even if it is several gigabytes in size. A complete physical overwriting of all sectors, on the other hand, would slow the system down to a barely acceptable degree, and the benefit would be low, because the operating system doesn't care whether a sector is overwritten or just marked as empty. Incidentally, this is what the usual data recovery tools such as Recuva and Photorec make use of. These programs analyze the free area of a hard disk sector by sector and reassemble the data they find into complete files.

If you want or have to be on the safe side, do not rely on the deletion functions of the operating system. Additional programs help to specifically overwrite a file after deletion and thus to remove it irretrievably. The Secure Eraser is suitable for Windows, for example, and the bootable, operating system-independent Dban for erasing entire hard drives. Incidentally, it is sufficient to overwrite data on hard drives only once. Multiple overwriting, also known as the Gutmann method, is superfluous, because with the dense storage structure of hard disks of 15 GB or more, even an analysis with a magnetic force microscope is not sufficient to reconstruct individual bits afterwards.
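The following added example (not part of the original article) models the behaviour described above on a toy disk: deleting a file only changes the bookkeeping, a sector-by-sector scan of free space still finds the data, and a single overwrite pass removes it. The `ToyDisk` class, the file name and the sample content are constructed for illustration and do not correspond to any real file system format.

```python
# Toy disk with a file table (constructed; not a real file system format).
SECTOR = 16

class ToyDisk:
    def __init__(self, sectors=8):
        self.data = bytearray(sectors * SECTOR)   # raw sectors
        self.table = {}                           # file name -> sector numbers
        self.free = set(range(sectors))           # sectors marked as writable

    def write_file(self, name, content):
        need = -(-len(content) // SECTOR)         # ceiling division
        chosen = sorted(self.free)[:need]
        if len(chosen) < need:
            raise RuntimeError("disk full")
        for i, s in enumerate(chosen):
            chunk = content[i * SECTOR:(i + 1) * SECTOR]
            self.data[s * SECTOR:s * SECTOR + len(chunk)] = chunk
        self.free -= set(chosen)
        self.table[name] = chosen

    def delete(self, name):
        """Ordinary delete: sectors are marked free, their content is untouched."""
        self.free |= set(self.table.pop(name))

    def wipe_free_space(self):
        """One overwrite pass over every free sector."""
        for s in self.free:
            self.data[s * SECTOR:(s + 1) * SECTOR] = bytes(SECTOR)

    def carve(self, magic):
        """Scan free sectors for a file signature, as recovery tools do."""
        return [s for s in sorted(self.free)
                if bytes(self.data[s * SECTOR:(s + 1) * SECTOR]).startswith(magic)]

def delete_demo():
    jpeg_magic = b"\xff\xd8\xff"                  # JPEG start-of-image marker
    disk = ToyDisk()
    disk.write_file("photo.jpg", jpeg_magic + b"holiday picture data")
    disk.delete("photo.jpg")
    after_delete = disk.carve(jpeg_magic)         # data still present
    disk.wipe_free_space()
    return after_delete, disk.carve(jpeg_magic)   # nothing left after one pass
```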

Conventional tools for secure erasure fail with SSDs, such as DBAN here

Why conventional methods fail with SSDs

With magnetic storage, overwriting is completely sufficient to thoroughly erase data. However, this does not apply to SSDs, because they behave completely differently than hard drives when it comes to organizing data and free storage space. There are several reasons for this:

A Flash Translation Layer (FTL), which assigns addresses to the physical memory, manages the internal division of the flash memory. Direct access to a specific address, as on a hard drive, is therefore impossible. In addition, the controller logic takes over every write and delete command in order to ensure both speed and even occupancy of all memory cells (wear leveling).

The internal controller of an SSD does not immediately release deleted storage space. If a block is already partially occupied, it is quicker with flash memory to first write to a free block. An internal clearing function of the SSD (Garbage Collection) later ensures that free memory areas are combined into complete, rewritable blocks.

Newly written data does not end up on an SSD where storage space has just been freed. This also applies to the overwriting methods of deletion programs. The usual erasure tools such as Secure Eraser, Dban and Co. have no direct influence on the use of the flash memory. The use of these programs is not only pointless, it is also harmful if they overwrite several times, as the SSD is unnecessarily stressed with write processes.
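The following added example (not part of the original article, and not any vendor's controller logic) simulates the three points above with a toy flash translation layer: an overwriting tool sees only zeros through the logical address, while the old content remains in a physical page until the controller's garbage collection or a controller-side reset clears it. The `ToySSD` class, its block size and its simplified garbage collection are assumptions made for illustration.

```python
# Toy flash translation layer, constructed for illustration only.
PAGES_PER_BLOCK = 4

class ToySSD:
    def __init__(self, blocks=4):
        self.flash = [None] * (blocks * PAGES_PER_BLOCK)  # physical pages
        self.ftl = {}                    # logical address -> physical page

    def _free_page(self):
        return next((p for p, cell in enumerate(self.flash) if cell is None), None)

    def write(self, lba, data):
        """Host write: the controller picks a fresh page, never the old one."""
        page = self._free_page()
        if page is None:
            self.garbage_collect()
            page = self._free_page()
            if page is None:
                raise RuntimeError("no erasable block available")
        self.flash[page] = data          # previous copy stays where it was
        self.ftl[lba] = page

    def garbage_collect(self):
        """Erase whole blocks that no longer hold any live (mapped) page."""
        live = set(self.ftl.values())
        for start in range(0, len(self.flash), PAGES_PER_BLOCK):
            pages = range(start, start + PAGES_PER_BLOCK)
            if not live.intersection(pages):
                for p in pages:
                    self.flash[p] = None

    def host_read(self, lba):
        """What the operating system and erasure tools can see."""
        return self.flash[self.ftl[lba]]

    def raw_dump(self):
        """What a chip-level reader that bypasses the FTL would see."""
        return [cell for cell in self.flash if cell is not None]

    def secure_erase(self):
        """Controller-side reset of every cell (the role of ATA Secure Erase)."""
        self.flash = [None] * len(self.flash)
        self.ftl.clear()

def overwrite_demo():
    ssd = ToySSD()
    ssd.write(7, b"SECRET")
    for _ in range(3):                   # three passes of an overwriting tool
        ssd.write(7, b"\x00" * 6)
    host_view, leftover = ssd.host_read(7), b"SECRET" in ssd.raw_dump()
    ssd.secure_erase()
    return host_view, leftover, ssd.raw_dump()
```

In this model the three overwrite passes consume three additional pages without touching the original one, which is the unnecessary wear the text warns about.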

Internal garbage collection on SSDs keeps moving data on the flash memory to make room

Secure Erase: ATA Secure Erase

SSDs do not present data remnants on a silver platter and software alone is not enough to read them. Instead, it is necessary to bypass the Flash Translation Layer (FTL) and read out each memory cell individually. But this is always possible, at least under laboratory conditions. Michael Wei's research group at the University of California built an adapter to look directly at the SSD.