An SSD’s internal NAND chips and controller.
You’re selling an old solid-state drive (SSD) — or maybe you’re selling your computer, and you’re including the storage media. How can you make sure that nobody can recover the data and use it maliciously?
The quick answer: Perform a full format. Realistically, you don’t need to mess around with encryption, and you don’t need to perform multiple passes with data sanitization software.
Here’s why a full format is usually enough (and why you may need to go a bit further in certain cases).
Under normal circumstances, a full format will render solid-state media unrecoverable.
A full format on an SSD doesn’t erase data in the conventional sense. Unlike hard drives, it doesn’t overwrite every bit of information. Instead, it focuses on the Flash Translation Layer (FTL), which acts as a map for locating data on the SSD. Formatting essentially erases this map, making the data inaccessible to the computer.
Although the data might still exist on the SSD’s flash memory chips, the operating system and software can no longer find it. This is where garbage collection comes into play. This background process identifies and erases invalid data blocks – those no longer linked in the FTL. As you use the SSD after formatting, garbage collection reclaims and overwrites these blocks with new data.
This method is effective due to the complexity of flash memory and the SSD controller’s role. Without the FTL, reconstructing useful data becomes effectively impossible.
Related: SSD Data Recovery: Techniques and Challenges
If you need to comply with privacy/security laws, a full format isn’t enough.
While a full format is highly effective for most users, sophisticated data recovery techniques might still have a slight chance of recovering some data fragments, especially if employed soon after formatting. For complete data sanitization, methods like Secure Erase are recommended, as they go beyond simply invalidating the FTL.
Once again, after a full format, the chances of recovering full files are essentially 0 — but in some circumstances, “essentially 0″ isn’t good enough. For example:
- High-Security Environments: If you’re dealing with highly sensitive data (government, healthcare, etc.), a full format might not be enough to meet regulatory compliance (e.g., HIPAA, GDPR). In these cases, you’ll need to employ more robust methods like data sanitization software that meets specific standards (NIST 800-88) or even physical destruction of the drive.
- Enterprise SSDs and Advanced Features: Some enterprise-grade SSDs have advanced features like wear leveling and over-provisioning that can make data recovery slightly more challenging, even after a full format. While the chances of recovery are still extremely remote, data sanitization software provides an extra layer of assurance.
- Peace of Mind: Even though a full format is highly effective, using data sanitization software can provide additional peace of mind, especially if you’re particularly concerned about your privacy.
Related: Can You Recover Deleted Files From an SSD?
What about over-provisioning?
Over-provisioning (OP) in the context of SSDs is a technique where a portion of the SSD’s total storage capacity is intentionally reserved and made inaccessible to the user. This “hidden” space is used by the SSD’s controller for various background operations that improve the drive’s performance, longevity, and reliability. Over-provisioning may be used to improve error correction and reduce the wear on the flash memory.
Some amount of user data may be stored in the reserved space. Realistically, this isn’t a concern for private computer users — the buyer is unlikely to perform chip-off data recovery to try to access trace amounts of data.
However, you can target over-provisioned space via ATA or NVMe Secure Erase commands. These are accessible through the utilities that came with your SSD, and they trigger a comprehensive erasure of all areas of the drive — including inaccessible areas.
Utilities for popular SSDs can be found on their manufacturers’ websites:
The bottom line: A full format will protect data in the vast majority of circumstances.
However, a block-level erase is the most secure solution. You don’t need to worry about multi-pass overwrites unless you have specific compliance standards that you need to meet — and if that’s the case, we recommend working with a data services partner to ensure that sanitization is carried out properly, and that the sanitization process is recorded in a way that can demonstrate compliance.
Datarecovery.com provides secure data sanitization, data recovery, and related services for all types of storage media. For a risk-free price quote, submit a case online or call 1-800-237-4200 to speak with a member of our team.
