If you look at my posts, you'll see I like messing with drives as much as I do overclocking, so hmm let's try it! [TL;DR - TRIM beats a Piriform Recuva scan, but I'm still not trusting it if there are more proven techniques that take just a little more time.]
I'll use Piriform Recuva to try to get the data back - yes there are more complex methods, but its easy to use. If you know you're under attack by something significantly more complex (e.g. laboratory), then why isn't every disk you own encrypted?
Test setup:
Windows 10 Pro updated as of today
The drive with TRIM: AMD R3SL480G SSD (although I'm using a 2 GB partition because I'm lazy and don't want to full format the entire drive and waste a write cycle)
The drive with no TRIM: A 4 GB SD card plucked from a Nintendo 3DS
Partition type: FAT32
I'm using FAT32 for the filesystem because it's faster to recover from without all those journalling bits that NTFS has.
Here's what Recuva tells me for a volume that just got a full format (although I'm not sure if that bit of my SSD even had stuff on it to begin with).
For this test, each drive will contain "classified document" (docx), plain text passwords - real passwords by the way (txt), and "pr0n" (jpeg) - ten copies for each item.
To start the test, I used a full format through Windows.
First off, I'll start with a "control" test on a device that definitely doesn't have TRIM - a 4 GB SD card!
Here's what I start off with:
Now I QUICK format it.
Recuva seems to find the old contents of the files rather quickly, with 24 results almost immediately after starting the tool.
After it finished, it looks like Recuva only got the DOCX and the JPGs back. That's not to say plain text is unrecoverable! (e.g. you'd get it back quickly if you do a search for UTF-8 or ASCII encoded words in English)
recuvaresults
Now let's check the contents of the files...
Yup! The "pr0n" is there in all its glory, and the typo in the document is also still there.
So now for the SSD partition. I started it off with the same files as the SD card.
Now Quick Format, then Recuva similar to the first drive...
DISCLAIMERS:
- The fact that this one tool fails only tells you it's harder to recover stuff, not that it's impossible to recover stuff.
- This all hinges on TRIM working! Problems with drivers, USB enclosure not supporting TRIM, etc., will leave the SSD in the same state as my SD card after a quick format. On this item alone I personally won't risk it.
- This is nowhere near conclusive! (e.g. I'l probably have to do a low-level read to see what the drive actually reports)
Recuva can't find anything on the QUICK formatted SSD partition.
The result surprised me a bit that Windows TRIMed the drive so quickly, but still I'm too paranoid.
I just make heavy use of AES-NI available in CPUs these days and Veracrypt / Bitlocker everything. (That also saves me from worrying if I RMA a drive and hope that Seagate / WD's partners are not collecting my secrets.)
If I do want to wipe a drive for whatever reason, I usually use the hdparm command line tool with Linux and issue an internal secure erase (ISE) instruction. (An ISE is much faster on SSDs than an overwrite with random / zeros.) If I'm using a drive or computer that's incompatible with ISE (USB enclosure, laptop that doesn't have the right Linux drivers, etc), I'll use copywipe on Windows or Shred on Linux to do a pass with random values.