Case study. The story goes like this:
Accidentally deleted some pictures. Recovered them but they’re corrupted. Any way to fix it?
“I used Recuva to recover a good chunk of my pictures that were deleted but it seems that even though the file was recovered I can’t view its contents? Any program that helps with this? They were on an SSD if that helps.”
There’s ONE major contributing factor in this case. Can you spot it? I can tell you it is not about Recuva. Any other file recovery software, even the most expensive, would have run into this exact same problem. The major contributing factor is the fact that the files were deleted from an SSD.
File recovery scammers that promise SSD undelete
Almost every manufacturer has one, or often multiple, ‘honey-pot pages’ on which they try to score on search phrases like SSD and undelete or recover. They’ll vaguely suggest their software can help. 9 out of 10 times this is not the case. In the remaining case, any other decent file recovery software would have been able to help too. It all comes down to end-user file recovery and undelete software not being able to do anything special when it comes to recovering data from an SSD. They’re trying to sell to you, and they sell BS. WonderShare (RecoverIt), Nucleus Technologies, Stellar and CleverFiles (DiskDrill) are some examples of that. The problem is that Google Search can’t detect the level of BS, so these pages rank well.
Back to the case
Anyway, since Recuva is free, it’s always worth a try. When you do try, however, make sure to install/run Recuva from a different drive and to save the files you’re recovering to a different drive too.
Now back to our case. My hypothesis is the files contain only zeros. I ask him to send me some of the recovered photos. I use my JPEG-Repair software to diagnose the files. I want to determine the entropy of the data inside the file. Easiest way to do this is:
- Run JPEG-Repair
- Select Extract tool
- Select the file(s)
- Set minimum resolution to 0 MP (zero)
- OK and then click repair.
I then get the error log:
We can now tell the entropy for the file is 0.00 bits/byte. This means the file is filled with one byte value repeating over and over, so no actual meaningful data. Since this file was deleted from an SSD, this byte value is zero (most likely).
So even though Recuva and other file recovery software appear to be successful in recovering deleted data from an SSD, these files are useless in 99% of the cases.
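The same diagnosis can be scripted. The following is an added example, not JPEG-Repair's code: it computes the entropy in bits/byte and counts zero-filled blocks, so a fully zeroed file can be told apart from one that still holds some content. The 4096-byte block size and the function names are assumptions made for this sketch.

```python
import math
from collections import Counter

BLOCK = 4096  # assumed scan granularity (a common cluster size)

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits/byte: 0.0 = one repeated value, 8.0 = uniform."""
    if not data:
        return 0.0
    n = len(data)
    return sum(c / n * math.log2(n / c) for c in Counter(data).values())

def triage(data: bytes) -> dict:
    """Summarise a recovered file: entropy, zeroed blocks, JPEG header."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    zero_blocks = sum(1 for b in blocks if b.count(0) == len(b))
    if not data:
        verdict = "empty file"
    elif zero_blocks == len(blocks):
        verdict = "all zeros: nothing to repair"
    elif zero_blocks:
        verdict = "partly zeroed: some content survives"
    else:
        verdict = "no zeroed blocks: content present"
    return {
        "size": len(data),
        "entropy": round(shannon_entropy(data), 2),
        "zero_blocks": zero_blocks,
        "total_blocks": len(blocks),
        "jpeg_header": data[:3] == b"\xff\xd8\xff",  # SOI + marker prefix
        "verdict": verdict,
    }

def triage_file(path: str) -> dict:
    """Run the triage on a file on disk."""
    with open(path, "rb") as fh:
        return triage(fh.read())

if __name__ == "__main__":
    # Constructed samples, not real recovered photos.
    trimmed = bytes(3 * BLOCK)  # what a read of trimmed sectors returns
    header = (b"\xff\xd8\xff\xe0" + bytes(range(256)) * 16)[:BLOCK]
    partial = header + bytes(2 * BLOCK)  # first block kept, rest zeroed
    for name, sample in (("trimmed", trimmed), ("partial", partial)):
        print(name, triage(sample))
```

Run `triage_file()` on a copy of the recovered file stored on a different drive, never on the SSD the files were deleted from.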
What happens when you delete a file from an SSD?
This can be explained as follows: when you delete data, the operating system sends a TRIM command to the SSD. By means of the TRIM command it lets the drive know that the sectors associated with the deleted file aren’t needed anymore. Due to the way an SSD works, it has a constant need for free ‘space’ that it can erase so it’s ready for new data, but I won’t be going into that now.
In 9 out of 10 cases (not exact number, but to make the point) the drive will immediately remove these sectors from let’s call it ‘user addressable space’. If the contents of the sectors are requested (in our case by Recuva) the drive returns zeros. This is called ‘Deterministic Read Zero after TRIM’ (RZAT).
As you may know, in many cases the file system entry may be available after file deletion for a while. And this information can then be detected by Recuva. With that file system entry Recuva has everything it needs to determine the actual disk space that was assigned to the file before the deletion. Only trouble is, that when it copies that data to a new file, it’s only reading zeros.
For a moment you may feel relieved seeing your files are recovered. However, you’ll soon find that they’re ‘corrupt’; at least that’s what photo viewers and editors may suggest. The reality is that they do not contain ANY meaningful data and are therefore beyond repair.
Data recovery from an SSD impossible?
The answer to that would be NO. So we see the key is IF a TRIM command is sent to the SSD. In many cases it may not be sent, or it may not reach the drive. You could say a TRIM command is sent when the deletion is intentional. So when you delete a file or format a drive, the OS will send a TRIM command. If files are lost due to some kind of file system corruption, then no TRIM command is issued.
Also, the interface you used to connect a drive to the PC may be incapable of relaying these TRIM commands so the command never reaches the drive.
Some drives may NOT use the RZAT or Deterministic TRIM (DRAT) mechanism (rare IMO, but nonetheless) and may return actual data as long as it hasn’t actually been erased.
There are more reasons that may prevent data from being TRIMMED.
So, TRIMMED data can not be recovered?
This is not entirely true either. Actual erasure of TRIMMED blocks may take some time, and it’s typically something an SSD does when it is idle. So, generalizing, the data will be erased when the SSD is powered on and idle. This means the data is still somewhere on the drive even if we can’t get to it.
As long as that’s the case, a data recovery or forensic lab may still be able to recover the data using special hardware. This hardware is normally not within reach of end users like you and me unless you have say $10000 to spare and are willing to invest loads of time in learning to work with these tools.
So my best advice, IF you deleted vital files from an SSD, is to pull the power and contact a reputable data recovery lab.