Can the data on an MacBook Pro SSD be recovered after formatting using Disk Utility
My MacBook Pro is going to a new owner and I want to be certain the data is adequately erased on the internal SSD (PCIe flash). There are two Stack Exchange questions/answers that appear to present conflicting facts about whether or not using Disk Utility to erase a partition will make it sufficiently difficult enough to prevent data recovery:
Suggests that a simple "Erase" in Disk Utility will do the job:
How to get the "securely erase" function of Disk Utility on El Capitan & Sierra
Suggests that an SSD that has been erased can be reasonably recovered:
https://security.stackexchange.com/questions/12503/can-wiped-ssd-data-be-recovered
So based on this conflicting information, how can I be reasonably sure that the data on the erased SSD is gone and none-recoverable? Is it true that when you format a drive on a MacBook Pro (late 2016) that the TRIM
function will erase all remnants of the files or are they still on the drive, ready for someone with a recovery program to access them?
I am tempted to try the diskutil secureErase
but I don't want to accedentiallly erase the wrong disk/partition nor put unnecessary wear on the SSD.
Solution 1:
Since I was the author of the answer linked, I'll have a go at explaining what's going on....
First off, it's important to note that the study FAST referenced from the SE Information Security community, Reliably Erasing Data From Flash-Based Solid State Drives is from 2011 and now 6 years old1.
The conference where this paper was presented was in Feb of 2011. Keep in mind that the SATA 3.1 spec which addressed the TRIM issues wasn't released until July of 2011
Within the TRIM specification, included in SATA 3.1,
A drawback of the original ATA TRIM command is that it was defined as a non-queueable command and therefore could not easily be mixed with a normal workload of queued read and write operations. SATA 3.1 introduced a queued TRIM command to remedy this.[62]
There are different types of TRIM defined by SATA Words 69 and 169 returned from an ATA IDENTIFY DEVICE command:
- Non-deterministic TRIM: Each read command to the Logical block address (LBA) after a TRIM may return different data.
- Deterministic TRIM (DRAT): All read commands to the LBA after a TRIM shall return the same data, or become determinate.
- Deterministic Read Zero after TRIM (RZAT): All read commands to the LBA after a TRIM shall return zero.
What all of this comes down to is which type of TRIM command your hardware is capable of executing. From the research I have done thus far, modern SSD's use either DRAT or RZAT depending on the "quality" of the drive (higher quality generally meaning RZAT is implemented).
In drives that implement DRAT, the deleted space is marked "unused" the data "can" be recovered, to a point. With drives that use RZAT, once the TRIM command is executed, the drive will return "zeros" regardless of whatever data is in that space.2
The 2016 MBP uses the SanDisk SDRQKBDC4 064G 64 GB3 NAND which is OEM'd specifically for Apple. Unfortunately, I haven't found detailed specs on concerning TRIM support for these particular drives (the White Paper they reference is 404). While I can't get my hands on any detailed tech specs of this drive, I would wager that it uses the RZAT TRIM command and not DRAT.
Long story short, if the SSD has only DRAT capability, there is the possibility of recovering data, but it's usually in a situation where you were able to stop the deletion process and immediately start data recovery. If it implement RZAT, you can be pretty sure the recovery will only get zeros back unless they take it (along with a court order) back to the manufacturer to get a low level recovery. 2
TL;DR
With new and modern Macs and macOS, if you wipe your drive and reinstall macOS on top of it it is highly unlikely that someone will be able to recover your files.
If you are concerned that the user will take the drive to a forensics lab to recover data, (that's a whole different issue), you should replace the drive. Anything less than that and you will be fine.
1USENIX Conference on File and Storage Technologies, 2011.
2Recovering Evidence from SSD Drives in 2014: Understanding TRIM, Garbage Collection and Exclusions. Sept. 23, 2014
3MacBook Pro 13" Touch Bar Teardown Ifixit.com, ~December 2016.
Solution 2:
The latter answer you cite has all the info. It is tricky to erase an SSD. So it depends on your security needs.
As the first article says, deleting files while using TRIM does a decent job of destroying data but there is a chance that some data might me recoverable.
For more security, you can either encrypt your disk with Filevault or wipe it. The result should be pretty much the same (wear and security wise). But as the latter answer says there is no 100% guarantee that some bits are recoverable.
Especially in the second case it would be pretty difficult for an attacker to reconstruct the data and some commercial undelete tool would probably not be sufficient to do so.