E-discovery — the recovery, analysis, and production of evidence stored in digital form on various media — has become a major issue in litigation because of how much data simple devices can hold and the resulting duplication and multiplication of documents, files, and other digital types of evidence. Because of the risks and costs of e-discovery in litigation, many organizations have established written policies, often backed by automated tools, to erase and otherwise dispose of electronic files past a certain date or when no longer needed (absent pending relevant litigation, that is).
At the same time, classic rotating storage devices — such as platter-based hard disk drives — are slowly being supplemented and in some cases supplanted by solid-state media, that is, storage devices that have no moving parts at all. In particular, solid-state disks (SSDs) look and behave just like classic hard disk drives, but with usually faster response times and much lower chance of hardware failure. In particular, USB drives have become ubiquitous as a mechanism for moving files between unconnected computers, while laptops are starting to offer SSDs as the principal internal storage for both speed and weight improvements.
So far, so good. Except that out of the University of California at San Diego comes research that shows that in many cases, standard file- and disk-erasing techniques leave behind recoverable data when used on SSDs:
At the Non-volatile Systems Laboratory we have designed a procedure to bypass the flash translation layer (FTL) on SSDs and directly access the raw NAND flash chips to audit the success of any given sanitization technique. Our results show that naïvely applying techniques designed for sanitizing hard drives on SSDs, such as overwriting and using built-in secure erase commands is unreliable and sometimes results in all the data remaining intact. Furthermore, our results also show that sanitizing single files on an SSD is much more difficult than on a traditional hard drive. We are working on designing new FTLs that correct these issues and also exploit properties of flash memory to maintain performance while sanitizing the flash drive.
I imaging that word of this will quickly spread to companies that perform computer forensics (including recovery of data for storage devices). In the meantime, many organizations may continue to make us of USB drives and internal SSDs in laptops (and, eventually, desktops), and by so doing may leave themselves open to discovery of data that they thought purged in the course of normal, documented operations.