It’s common wisdom that deleted files can’t be recovered from solid-state media, only from traditional mechanical hard drives. But this only applies to internal drives — USB flash drives and external solid-state drives are vulnerable to file-recovery attacks.
On the one hand, this can be good news – you can recover files you accidentally deleted from such drives. On the other hand, other people can recover your sensitive deleted data if they get access to these drives.
When you delete a file on a traditional mechanical hard drive, the file isn’t actually deleted. Instead, its data is left on the hard disk drive and marked as unimportant. Your operating system will get around to overwriting these sectors whenever it needs more space. There’s no reason to empty the sectors immediately — this would just make the process of deleting a file take much, much longer. It’s just as fast to overwrite a used sector as it is to overwrite an empty sector. Because bits of deleted files are sitting around, software tools can scan the drive’s unused space and recover anything that hasn’t yet been overwritten.
Why You Can’t Recover Deleted Files From Internal Solid-State Drives
Solid-state drives work differently. Before any data can be written to a flash memory cell, the cell must first be cleared. New drives come empty, so writing to them is as fast as possible. On a full drive with bits of deleted files lying around, the process of writing to the drive is slower because each cell must first be emptied before it can be written to. This meant that solid-state drives tended to slow down over time. TRIM was introduced to fix this. When your operating system deletes a file from an internal solid-state drive, it sends the TRIM command and the drive immediately clears those sectors. This speeds up the process of writing to the sectors in the future and has a side-benefit of making it practically impossible to recover deleted files from an internal solid-state drive.
TRIM Only Works For Internal Drives
The common knowledge is that you can’t recover deleted files from solid-state drives. But this is wrong because there’s a big catch here: TRIM is only supported for internal drives. TRIM isn’t supported over USB or FireWire interfaces. In other words, when you delete a file from a USB flash drive, external solid-state drive, SD card, or another type of solid-state memory, your deleted files sit around in memory and can be recovered.
In practical terms, this means these external drives are just as vulnerable to file recovery as traditional magnetic drives are. In fact, they’re even more vulnerable because it’s easier to grab a USB stick or external drive. You may leave them sitting around, let people borrow them, or give them away when you’re done with them.
Don’t just take our word for it. You can test this for yourself. Grab a USB flash drive, connect it to your computer, and copy a file to it. Delete that file from the USB drive and then run a file-recovery program — we’re using Piriform’s free Recuva here. Scan the drive with your file-recovery program and it will see your deleted file and allow you to recover it.
Recuva found the file we deleted with a quick search.
Quick Formats Won’t Help
You might think that formatting the drive could help. Formatting will erase any files on the drive and create a new FAT32 file system.
To test this, we formatted the drive in Windows with the default “Quick Format” option enabled. Recuva failed to find any deleted files with the normal quick scan, which is an improvement. A longer “Deep Scan” found a variety of other deleted files that existed before the drive was formatted. A quick format won’t wipe your drive.
We then tried performing a longer formatting operation by unchecking the “Quick Format” option. Recuva failed to find any deleted files afterwards. If you want to ensure no one can recover deleted files from your drive, be sure to uncheck the “Quick Format” option when formatting your drive.
To format a drive, right-click it in Windows Explorer or File Explorer and select the Format option. You shouldn’t do this every single time you delete a file, as it will add additional writes to your drive and reduce the life of its flash memory.
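The four cases discussed so far (a plain delete, a delete on a drive that honours TRIM, a quick format, and a full format) can be reproduced in a toy model. This is an added example, not part of the original article: `ToyDrive`, `residue` and `scenario` are hypothetical names, the file contents are constructed, and the model ignores wear levelling and assumes a full format overwrites every sector, in line with the Recuva result above.

```python
SECTOR = 16
EMPTY = bytes(SECTOR)

class ToyDrive:
    def __init__(self, sectors=8, trim=False):
        self.data = [EMPTY] * sectors  # raw flash contents (constructed toy model)
        self.table = {}                # file name -> sector indexes
        self.trim = trim               # True models an internal SSD with TRIM

    def write(self, name, payload):
        used = {i for idx in self.table.values() for i in idx}
        free = [i for i in range(len(self.data)) if i not in used]
        chunks = [payload[o:o + SECTOR] for o in range(0, len(payload), SECTOR)]
        if len(chunks) > len(free):
            raise OSError("toy drive full")
        self.table[name] = free[:len(chunks)]
        for i, chunk in zip(self.table[name], chunks):
            self.data[i] = chunk.ljust(SECTOR, b"\0")

    def delete(self, name):
        # Deleting only drops the table entry; sectors are cleared only with TRIM.
        for i in self.table.pop(name):
            if self.trim:
                self.data[i] = EMPTY

    def quick_format(self):
        self.table = {}                # fresh file system, data sectors untouched

    def full_format(self):
        self.table = {}
        self.data = [EMPTY] * len(self.data)  # assumption: every sector overwritten

def residue(drive):
    """Bytes still stored in sectors that no live file owns."""
    live = {i for idx in drive.table.values() for i in idx}
    return b"".join(s for i, s in enumerate(drive.data) if i not in live and s != EMPTY)

def scenario(trim=False, wipe=None):
    """Delete a sensitive file, optionally format, report if it is still there."""
    d = ToyDrive(trim=trim)
    d.write("taxes.txt", b"constructed sample: tax return 2013")
    d.write("video.bin", b"less sensitive")
    d.delete("taxes.txt")
    if wipe:  # "quick" or "full"
        getattr(d, wipe + "_format")()
    return b"tax return" in residue(d)

if __name__ == "__main__":
    for trim, wipe in [(False, None), (True, None), (False, "quick"), (False, "full")]:
        print(f"trim={trim} wipe={wipe}: recoverable={scenario(trim, wipe)}")
```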
How to Ensure Deleted Files Can’t Be Recovered
You can use an encryption solution like the cross-platform TrueCrypt, Microsoft’s BitLocker To Go, Mac OS X’s built-in encryption feature, or Linux’s USB drive encryption features to encrypt your drive instead. People won’t be able to recover deleted files without your encryption key, so this protects all the files on your drive – deleted and otherwise.
This is obviously only important if you have sensitive files on your drive. If you have tax returns or business information on the drive, you probably want to protect it. On the other hand, if you’re just using a USB drive for less sensitive data – maybe you’re transporting video files from your computer to your home entertainment center – you don’t need to care so much.
TRIM is a feature that helps you get the best performance out of your internal solid-state drives. It was not intended as a security feature, but many people have taken it for granted that all solid-state flash memory works the same. It doesn’t – external drives can still have files recovered from them. Be sure to take this into account when disposing of drives and keeping track of your sensitive data.