Too TRIM? When SSD Data Recovery is Impossible

by Rob Williams on March 5, 2010 in Security, Storage

It goes without saying that solid-state drives are well-worth the investment in order to give your PC some responsiveness, but with all the benefits they can offer, there’s one lesser-known issue that we’ll talk about here. That issue is simple. As soon as you delete a file on a TRIM-enabled SSD, the data is gone, for good.


Have you ever upgraded your PC from one generation to the next and wondered where the performance-boost was to be found? Certainly, our CPU’s continue to get through tasks faster and faster, but when it comes to real responsiveness, that brand-new $2,000 beast could easily leave you with little more than a sigh. And if you’re anything like me, you load up numerous applications after booting to the desktop, and that’s when you really notice the lack of responsiveness.

But here comes along the modest solid-state drive, a brilliant invention that places ultra-fast NAND flash and effective controller in a small 2.5-inch chassis that can make even the fastest mechanical hard drive eat dust. It’s true, SSD’s can drastically improve your PC’s responsiveness, and to be honest, I don’t think it was until they hit the market that many of us realized just how much of a bottleneck our mechanical storage has been.

But not to detract from our topic at hand, our focus of this article isn’t to push SSD’s, but rather to take a look at a problem that doesn’t seem to have attracted much attention since TRIM was introduced last fall. It’s arguably a small issue, to be fair, but it’s certainly one that deserves being talked about.

The Reason for TRIM, and its Downside

As solid-state drives began to catch on, and Intel was quickly becoming known as a God-like controller developer, a major flaw was discovered… speed degradation. At first, it was believed that only Intel’s drives were at risk, but it turns out that pretty much every model on the market shared the same inherent issue.

Almost all of the storage devices we use on a regular basis handle files we delete similarly. Once a file is deleted, the link to that data, stored in the storage device’s indexer (normally the LBA for mechanical drives) is simply wiped clean. As a real-world comparison, imagine having a paper index of all of the movies in your collection, but you burn it up. The indexer would essentially be gone, but your movies haven’t moved. It’s the same situation with data storage.

Because the data is left in tact, data recovery is possible – at least, until that exact block is overwritten with fresh data. Anyone who’s accidentally deleted a file and later recovered it with a recovery tool can probably appreciate this sort of fail-safe. When SSD’s came along, this method of handling data didn’t change, but what did change was the speed that the process could complete.

Kingston's SSDNow M Series Solid-State Drives
Kingston’s SSDNow M Series – 1G & Non-TRIM (Left), 2G & TRIM (Right)

Mechanical drives are able to overwrite data with virtually no performance penalty, which is why even after years of use, the performance doesn’t seem to degrade. The situation is different with SSD’s, though, due to how NAND flash works.

To give a brief explanation of why this is the case, picture simple fragmentation. As more and more data is written to various blocks on a storage device, anything to be deleted later from the same block isn’t likely to take all of the data within the block with it. There may be a few 4K blocks that are part of an image, for example, and another few 4K blocks that are part of a Word document. If you delete that image, the remnants of the Word document remain.

After a certain amount of time, these blocks end up in a very cluttered state, which basically explains the reason of performance degradation. So then we have garbage collection schemes, which help in this area by occasionally removing all loose data in a certain block and moving it to a more convenient one. But that doesn’t rid the issue of an SSD having to write more than a block’s worth of data.

For that process to take place, the SSD must first purge the data in the block, then write the fresh data to it. Compare this to a mechanical drive which simply overwrites the old data. It’s easy to spot why there would be a hit in performance on the SSD. That’s where TRIM comes in.

First widely deployed with Windows 7, TRIM is a brand-new ATA command that the OS will issue to the SSD when a certain request is made, such as Delete, Format or Discard. What it does is rather simple, but it’s immensely helpful. When you either delete a file, or format the entire SSD, TRIM will purge both the data and the link to it, so in essence, it’s gone. There is no trickery, or any advanced algorithms being used to wipe the block clean… it’s simply cleaned, and left in a ready-to-use state.

SSD's - TRIM and Data Recovery

The final statement in the last paragraph is the reason for this article. One of the more overlooked aspects of TRIM, as amazing and helpful as the command is, is that once it’s issued, your chance of data recovery has essentially gone to 0. As mentioned earlier, data recovery on hard drives, and even non-TRIM affected SSD’s, is made rather simple. You just need to run a reliable recovery tool and you’ll likely get the data back, as long as that particular block or set of blocks hasn’t been overwritten since you deleted your file.

You might be asking, “What’s the big deal?”, and if so, that’s a great question. I am sure I’m not alone in having deleted an important file at some point in the past. There have been occasions where I haven’t been able to get my data back, but other times, tools such as testdisk proved to be an absolute life-saver. There are few levels of relief as high as the one you get when you successfully recover that all-important file.

But on an SSD with TRIM enabled, if you delete a file (and subsequently empty the Recycle Bin / Trash), you’re simply not going to get your data back. As far as I’m aware, even with forensics, the data recovery simply isn’t going to be possible. Unlike mechanical hard drives, which hold data magnetically, all it takes for NAND to assuredly erase the data is that little command, and boom, gone.

Whether or not TRIM on a mechanical hard drive would absolutely render the data unrecoverable is impossible for me to say. If I had to assume, the data would be unrecoverable for a consumer, but in the right hands, and with the proper tools, it might be. NAND in some regards acts similarly to the memory (RAM) in our PCs. As soon as the charge is lost, the data in all the memory chips is gone (cold boot recovery from RAM is possible because the charge is never lost).