I heard that hard drive cache can mess with the shred command making it not useful on modern hard drives, but I can't find any other evidence to back up that claim.
Asked
Active
Viewed 354 times
1 Answers
1
It is a safeish on a modern spinning hard drive, but its not a good solution for an SSD as they remap stuff behind the scenes. FDE is a better solution where practical.
Caches will disappear when the power goes out unless its a hybrid drive (hybrid drives dont seem common anymore - and the hybrid part suffers from the ssd issues).
It's still possible - eg if a hard drive is failing - for data to be hidden because of remapped bad sectors, but this would be massively less common/exploitable then on SSD, and you can mitigate by checking SMART reallocated sector count.
davidgo
- 68,623
- 13
- 106
- 163
-
Note that getting remnant (remapped) data off an SSD is not easy. It requires physically disassembling the drive to bypass the controller and read raw data from the flash chips. This isn't something anyone's likely to do unless they have more resources than your typical hacker *and* consider you (/your data) a high-value target. – Gordon Davisson Apr 16 '22 at 09:07
-
@GordonDavisson You raise a fair point, but (a) this kind of soldering is not NSA level hard, its "board repair level hard" - plenty of shops can do it. Also, as flashable firmware is already available I woukd be surprised if -at least for some drives - there were not software tools to get at remapped sectors. – davidgo Apr 16 '22 at 09:33
-
@GordonDavisson Do a search for Factory Access Mode" at https://blog.elcomsoft.com/2019/01/life-after-trim-using-factory-access-mode-for-imaging-ssd-drives/ which I suspect will lead you to conclude that software / firmware based is practical on many SSD drives with software and/or affordable hardware. – davidgo Apr 16 '22 at 09:46
-
Wow, I hadn't heard about the Factory Access Mode trickery. But we're still talking about serious forensic gear to do the recovery, not something a typical hacker will have access to. (Of course, that doesn't mean someone won't figure out how to access it from generic Linux system and publish it for the script kiddies next year...) – Gordon Davisson Apr 16 '22 at 10:34