If SSDs cannot be securely wiped, then why can't we recover files after a crypto virus attack?



  • It is my understanding that SSDs do not allow the user to overwrite any specific file completely (wear leveling). So in the case of a ransomware attack such as CryptoLocker, doesn't that mean there is still, always, an unencrypted copy of the file on the disk? If so, can it be recovered without $100K equipment? Thanks.



  • When your operating system attempts to write to a sector on an SSD, the "real" (physical) sector that the data is written to may vary due to wear leveling. Even if the OS tries to write to that same sector again, the physical sector that is written to might be different, leaving the original data intact.

    Ransomware typically encrypts a lot of data, so the chance that all of the physical sectors containing the original data are not overwritten is quite low. Most likely, a lot of your data has been overwritten. You might be able to get snippets of the original data if you go to some rather extreme measures, but it will be extremely hard to reassemble it, and much of it will be missing. If you're lucky...

    If you are unlucky, then the ransomware created a new file and deleted the old one (rather than overwriting it), in which case the OS might have sent the TRIM command to the SSD, which causes the now-unused physical sectors (actually, flash pages) to be electrically zeroed. If that's the case, then recovering the data will easily exceed $100,000.
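The two cases the answer describes, as an added toy simulation (not code from the answerer, and not a model of any real SSD controller: real firmware differs in page size, garbage-collection policy and timing). A minimal flash translation layer maps logical blocks to physical pages; an in-place rewrite leaves the old page stale but intact, while delete plus TRIM followed by garbage collection erases it.

```python
PAGE_COUNT = 8   # constructed toy flash: 8 physical pages
ERASED = b""     # an erased page reads back as nothing

class ToySSD:
    def __init__(self):
        self.pages = [ERASED] * PAGE_COUNT  # physical pages
        self.l2p = {}        # logical block -> physical page
        self.stale = set()   # pages holding superseded data
        self.next_free = 0

    def write(self, lba, data):
        # Wear leveling: every write lands on a fresh page; the page holding
        # the previous version is only marked stale, its contents kept intact.
        if lba in self.l2p:
            self.stale.add(self.l2p[lba])
        self.pages[self.next_free] = data
        self.l2p[lba] = self.next_free
        self.next_free += 1

    def trim(self, lba):
        # OS TRIM/discard: unmap the block and mark its page stale.
        if lba in self.l2p:
            self.stale.add(self.l2p.pop(lba))

    def gc(self):
        # Garbage collection erases stale pages; their old data is gone.
        for page in self.stale:
            self.pages[page] = ERASED
        self.stale.clear()

    def residual_copies(self, needle):
        # Raw-flash forensic view: pages still holding needle, mapped or not.
        return [i for i, p in enumerate(self.pages) if needle in p]

def overwrite_in_place():
    # Case 1: the file is encrypted in place (rewritten at the same block).
    ssd = ToySSD()
    ssd.write(0, b"plaintext:secret")
    ssd.write(0, b"ciphertext:9f3a")
    return ssd.residual_copies(b"plaintext")  # [0]: stale page kept it

def delete_then_trim():
    # Case 2: new encrypted file written, original deleted, OS sends TRIM.
    ssd = ToySSD()
    ssd.write(0, b"plaintext:secret")
    ssd.write(1, b"ciphertext:9f3a")
    ssd.trim(0)
    ssd.gc()
    return ssd.residual_copies(b"plaintext")  # []: page was erased
```

Calling gc() in the first case erases the stale copy too, which is why the "lucky" outcome depends on how much the drive has written and collected since the attack.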
