Veracrypt SSD encryption security analysis vs HDD



  • I have a SSD and wanted to use Veracrypt for plausible deniability and protection against any & all level attacks e.g. state sponsored, non sponsored. My goal was to use a VM and place it in the hidden VC container. After further research it seems using VC on a SSD won't "ensure" the level of security I desire for several reasons.

    As you know Veracrypt recommends not using SSD due to wear leveling https://www.veracrypt.fr/en/Wear-Leveling.html and the Trim operation. https://www.veracrypt.fr/en/Trim%20Operation.html Even tho Trim can be disabled the wear leveling is compromising enough.

    I was, considering replacing it with a HDD. But after reading "Comparing SSD Forensics with HDD Forensics" analysis paper from 2020 ( https://repository.stcloudstate.edu/cgi/viewcontent.cgi?article=1140&context=msia_etds ) SSD are superior in thwarting forensic efforts for several reason. The Trim function, and self-corrosion properties of the SSD play a large role in the prevention of data recovery. (Pg 101/102 Conclusion) "From the results obtained, this study concludes that data deleted on Hard Disk Drives can completely be retrieved, and data deleted on Solid-State Drives cannot be completely retrieved using Autopsy forensic tool, whereas sometimes it can be retrieved using ProDiscover Basic forensic tool".

    I'm conflicted. How does one interpret these facts from a Op-sec pov? On one hand SSD are vulnerable when encrypted due to wear leveling, yet against data recovery tools difficult to retrieve data from. HDD offer the better security when encrypted, but vulnerable to data recovery tools. If encryption is compromised, so is your data. Based on this information What are your thoughts? Does it still depend on the threat model?



  • When forensics experts say HDDs are easier to recover data from than SSDs, they're assuming a totally unencrypted drive, and they're assuming that the files were deleted (i.e. the metadata pointing to them was removed), but that the sectors containing the file data on the drive were not overwritten. SSDs only make forensic analysis more difficult because you can't recover deleted data as easily by taking a sector-for-sector image of the drive due to TRIM, and unallocated data manually requires piecing together the scattered (due to wear leveling) components if you take the drive apart.

    If the drive is fully encrypted, then an HDD may be superior. Not only does it not suffer from the metadata leakage you pointed out, but even a single-pass overwrite on a sector on a hard drive is sufficient to prevent the data from being recovered. On an SSD, even if TRIM is used to erase the contents, data might be recoverable due to the way bits are stored on the medium.



Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2