Danger for deleted data: TRIM command with Solid State Drives
The chances of data recovery from deleted data on SSDs depend primarily on the use and execution of TRIM. In the worst case, all data is gone before you can react accordingly - Attingo knows the problem very well.

If data is deleted from an SSD, the first action Attingo data recovery advises is: switch off the system as soon as possible - or even better, pull the plug - and do not switch it on again. An active SSD or memory card is like a ticking time bomb for deleted data and can result in fatal data loss - with no chance of recovery.

Hamburg, Wien, Amsterdam - 28. February 2020 - Sebastian Evers

What is the TRIM command?

From a purely technical point of view, TRIM is a command for the ATA interface according to the T13 standard. Depending on the system configuration, however, this command can differ and have different names in different operating systems; it is mostly known as the "TRIM" command. TRIM informs the controller of the solid state drive or the flash memory card about which data has been deleted and is no longer physically required.

TRIM supports the SSD with its regular garbage collection, whereby the SSD is informed of the deleted memory area. Not all - especially older - operating systems and SSDs support TRIM, so it is not a technical necessity. In the event of data loss and, in particular, deleted data, TRIM can even be a fatal disadvantage.

What is the benefit of TRIM?

TRIM tells the memory controller which memory areas still contain data but are no longer used. Because of how solid state drives process information, the data on the drive is not deleted at the direct command of the user. Instead of being deleted, the data is marked as belonging to memory areas that are no longer used. TRIM informs the data carrier that this data can be removed.

In the event of write access to a section of the data block affected - in the case of an SSD, this consists of a large number of pages which are processed at the same time - the pages with the deleted data are no longer rewritten but remain empty. With other SSD models, such deleted pages are also deleted by the Active Garbage Collection when idle.

The TRIM command did not yet exist in the pre-Windows 7 or pre-macOS 10.6.8 era: SSDs therefore had no information that certain sectors contain information that is no longer required. These only became known as soon as the computer instructed the SSD to write new information to this location.

This process required considerably more time for writing processes, since occupied areas always have to be emptied before new information can be written into them. With the execution of TRIM and the subsequent Active Garbage Collection, future write commands can be executed much more efficiently.

In addition to the write efficiency, TRIM enables a longer lifespan of solid state drives. Each NAND cell has a limited shelf life, which correlates with the number of writes made. In order to ensure a high longevity, all cells should be used to the same extent.

This wear compensation is made possible by so-called "wear leveling" and is used for SSDs, memory cards and USB sticks. TRIM provides the flash medium with information to organize deleted but filled cells for writing, so that unnecessary deletion and rewriting processes can be avoided.

What are the advantages of TRIM?

Time saving is the greatest advantage of TRIM - since the SSD deletes invalid information from blocks while the computer is idle, it does not have to do so when writing new data. The interlocking of TRIM and Active Garbage Collection ensures that the service life of the SSD is increased. By bundling data segments that belong together so that they lie next to each other, the compensation of wear becomes even more efficient.

What are the disadvantages of TRIM?

Accidentally deleted data or formatted partitions on an SSD can be irretrievably lost very quickly. As soon as the computer sends TRIM and the SSD then cleans the corresponding blocks, they are also physically deleted, so that only 0x00 is output by the SSD controller.

What is the TRIM support for SSDs?

Microsoft Windows has supported TRIM since Windows 7, initially only for NTFS, later on also for ReFS. TRIM runs automatically in the background of the operating system, unless it has been deactivated manually. In the drive properties you can select Tools and Optimize and check whether TRIM is activated or TRIM is carried out manually.

On the Mac (with an Apple SSD), a TRIM implementation has been available since macOS 10.6.8. Various macOS versions support third-party SSDs via additional software. In the system information under Hardware you can check whether the respective memory interface has TRIM support. This is shown with yes or no.

As of Linux Kernel 3.7, the ext3, ext4, XFS, JFS and Btrfs file systems support TRIM. However, the SSD in use must also support TRIM, which can be checked on the command line with "sudo hdparm -I /dev/sd? | grep TRIM". If "Data Set Management TRIM supported" is output, the SSD can process the TRIM command. With "sudo fstrim -v /" the TRIM command can be executed manually for the drive mounted on /. With "crontab -e", an automatically recurring cron job (scheduled task) can be set up, which can then run once a week, depending on requirements and configuration.
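The check described above can be turned into a quick triage of how soon deleted data on a Linux volume is exposed to TRIM. This is an added example, not part of the original article: it goes beyond the text by also reading the `discard` mount option from /proc/mounts and the "Deterministic read ZEROs after TRIM" line of `hdparm -I`, neither of which the article mentions. The function names are hypothetical and the sample inputs are constructed.

```python
import re

# Constructed sample inputs for illustration, not captured from a real system.
SAMPLE_HDPARM = (
    "\t   *\tData Set Management TRIM supported (limit 8 blocks)\n"
    "\t   *\tDeterministic read ZEROs after TRIM\n"
)
SAMPLE_MOUNTS = (
    "/dev/sda2 / ext4 rw,relatime,discard 0 0\n"
    "/dev/sda1 /boot ext4 rw,relatime 0 0\n"
    "/dev/sdb1 /data btrfs rw,noatime,discard=async 0 0\n"
    "/dev/sdc1 /backup ext4 rw,nodiscard 0 0\n"
)

def drive_trim_flags(hdparm_text):
    """Extract the TRIM-related capability lines from `hdparm -I` output."""
    def has(pattern):
        return bool(re.search(pattern, hdparm_text, re.IGNORECASE))
    return {
        "trim": has(r"Data Set Management TRIM supported"),
        "zeros_after_trim": has(r"Deterministic read ZEROs after TRIM"),
    }

def discard_mounts(mounts_text, device_prefix):
    """Mount points on the device that send TRIM with every delete (online discard)."""
    hits = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(device_prefix):
            continue
        options = fields[3].split(",")
        # "discard" (ext4, XFS) or "discard=..." (Btrfs); "nodiscard" must not match.
        if any(o == "discard" or o.startswith("discard=") for o in options):
            hits.append(fields[1])
    return hits

def recovery_outlook(hdparm_text, mounts_text, device_prefix):
    """Hypothetical triage verdict for deleted data on one device."""
    if not drive_trim_flags(hdparm_text)["trim"]:
        return "no TRIM support reported by the drive"
    mounts = discard_mounts(mounts_text, device_prefix)
    if mounts:
        return "online discard on " + ", ".join(mounts) + ": deletes are trimmed as they happen"
    return "periodic TRIM only (fstrim run manually or on a schedule)"
```

In the "periodic" case the time until the next fstrim run is the only window in which powering the system off can still preserve deleted data.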

What is wear leveling for flash memories?

Flash memory cells have a finite rewritability. Depending on the design of the respective cell, between 3,000 and 100,000 P/E cycles (program erase cycles) are possible. Due to the block-wise erasure (which is necessary for rewriting), the memory cells are subject to a certain wear (English: to wear out).

Wear leveling ("wear compensation") is intended to distribute wear as evenly as possible to all cells of the flash data carrier (SSD, memory card, USB stick) in order to avoid gradual wear and tear on individual cells and to ensure that all flash cells have a long service life.

What is dynamic wear leveling?

Dynamic wear leveling distributes only dynamic data. This is the data that is constantly changing or that is changed frequently. Deleted blocks are bundled and the respective block with the lowest erase rate is made available for future writes and deleted if necessary. The SSD controller documents all writes in a dedicated non-volatile memory area. It is set to 0 at the factory and increases by 1 for each subsequent write process for the blocks concerned.

The problem with dynamic wear leveling is data that only has read access and/or is not frequently updated. They remain permanently within the assigned block without being evenly worn. This automatically reduces the durability of the other memory blocks.

What is static wear leveling?

Static wear leveling also moves unchanged (static) data segments into other blocks. This prevents certain areas of the memory cells from being written to only once in the entire lifespan of the SSD, while other memory areas are already failing due to wear. Wear Leveling selects the block with the lowest write or erase rate for the write process and deletes it if necessary. The affected block is then written with new data. This ensures that blocks with static data are only moved if they are below a defined threshold for the deletion rate.

This additional step of moving data can adversely affect write performance, which can result in overhead of the flash controller. In terms of durability, the efficiency of static wear leveling is far better than dynamic wear leveling.

What is the Active Garbage Collection?

Solid state drives consist of flash memories. Unlike a hard drive, an SSD does not simply overwrite physically existing data with new data. An SSD relies on invalid data being deleted before new information can be written. To do so, the SSD must delete the larger unit - "block" - in order to write a substantially smaller data unit - "page".

If there are now five pages in one block, three of which are to be deleted, the remaining two pages must be written to a new empty block before the original block can be deleted. Only then can all five pages in the block be deleted so that it can be written with new information in the future.

If the solid state disk did not move the valid information - so that invalid information can be deleted - and continued to save new pages without cleanup, the SSD would be increasingly filled with data, much of which is not valid. To avoid this, the Active Garbage Collection examines the storage medium and moves each page that contains valid information to another block, so that the block with the invalid data, which TRIM has identified, can be deleted.
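The five-page block described above, and the effect of TRIM on what remains readable, can be followed in a toy model. This is an added example, not part of the original article and not how any particular controller is implemented: the class, its methods and the two-block layout are hypothetical simplifications.

```python
PAGES_PER_BLOCK = 5   # the five-page block from the text; real blocks are far larger
ERASED = b"\x00"      # what the host reads for a cleaned page, per the article

class ToySSD:  # hypothetical model: logical page numbers map to (block, page) cells
    def __init__(self, blocks=2):
        self.flash = [[None] * PAGES_PER_BLOCK for _ in range(blocks)]  # None = erased
        self.erase_count = [0] * blocks
        self.mapping, self.invalid = {}, set()  # lpn -> cell; cells known to be stale

    def _program(self, lpn, data, avoid=None):
        for b, block in enumerate(self.flash):
            for p, cell in enumerate(block):
                if b != avoid and cell is None:
                    block[p] = data
                    self.mapping[lpn] = (b, p)
                    return
        raise RuntimeError("no erased page available")

    def trim(self, lpn):  # host: "this logical page is no longer needed"
        if lpn in self.mapping:
            self.invalid.add(self.mapping.pop(lpn))

    def write(self, lpn, data):
        self.trim(lpn)  # never overwritten in place: the old copy just goes stale
        self._program(lpn, data)

    def read(self, lpn):  # what the host sees through the interface
        loc = self.mapping.get(lpn)
        return self.flash[loc[0]][loc[1]] if loc else ERASED

    def garbage_collect(self):  # runs while the drive is idle
        for b, block in enumerate(self.flash):
            if not any(loc[0] == b for loc in self.invalid):
                continue
            for lpn, (vb, vp) in list(self.mapping.items()):
                if vb == b:  # copy still-valid pages into another block first
                    self._program(lpn, block[vp], avoid=b)
            self.flash[b] = [None] * PAGES_PER_BLOCK  # erase works on whole blocks only
            self.erase_count[b] += 1
            self.invalid = {loc for loc in self.invalid if loc[0] != b}

def scenario(use_trim):
    ssd = ToySSD()
    for lpn in range(5):
        ssd.write(lpn, b"file-%d" % lpn)
    for lpn in (0, 1, 2) if use_trim else ():  # no TRIM: drive never hears of the delete
        ssd.trim(lpn)
    ssd.garbage_collect()
    still_in_flash = any(b"file-0" in block for block in ssd.flash)
    return ssd.read(0), still_in_flash, ssd.read(3), ssd.erase_count
```

`scenario(False)` leaves the deleted page readable and the block untouched, while `scenario(True)` returns 0x00 for it, finds no copy left in flash, and shows one block erase after the two valid pages were moved.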

Active garbage collection support

The move and clean up process within the garbage collection takes place automatically; always using the respective proprietary Active Garbage Collection from the SSD manufacturer. In view of the immensely high importance for the functioning of the drive, all solid state drives have this elementary function.

What is the Secure Erase command?

In accordance with the ATA specification, Secure Erase should guarantee secure and residue-free deletion of all stored data on the storage medium. This means for solid state disks that support Secure Erase: The physical deletion of all blocks and pages. Secure Erase triggers a factory reset, so to speak, to restore the original performance of the SSD.

SSDs with proprietary encryption may have implemented the Secure Erase command differently than unencrypted SSDs. SSD drives designed in this way automatically encrypt all data at the moment of the write process. If Secure Erase is executed, it is sufficient if the key is removed securely - the data cannot be decrypted; nevertheless, the data would still be physically available.

Some solid state drive models from Intel still delete all flash blocks of the SSD - despite the proprietary encryption algorithm and the option to delete the key. This is due to the fact that Secure Erase should primarily serve the purpose of resetting the performance of the SSD to the original or delivery state. In the event of uncertainty, a manual TRIM command should be triggered for SSDs with integrated encryption for which Secure Erase and its effects have not been documented sufficiently, in order to achieve optimal SSD performance.
