SSD, TRIM, and NTFS

Reading the article on NTCompatible as they test data recovery software and fail to recover data from TRIM-enabled SSD (which is pretty much the expected behavior), I see they're a little bit puzzled because some data would still remain even on a TRIM-enabled SSD.

Interestingly, some traces to specific data remained, and that's one oddity I don't quite understand.

The answer is actually pertty simple - these were NTFS resident files. On NTFS, when the file is deleted, its MFT record is marked "free, available for reuse", but never actually relinquished back to the free space. Because NTFS uses MFT entry numbers internally to address a parent-child relationships. Removing one entry would require an entire volume to be reunmbered, which is cost-prohibitve.

So, the data outside MFT is zero-filled immediately once TRIM command is issued. The MFT entires however remain unchanged. This explains they were able to get file names and correct file sizes, but the data was all zeros.

Now there is one special case called resident file. If a file is small enough so that the file name, attributes, and data all fit into 1024-byte MFT record, the data is stored within the MFT record. This saves little bit of disk space, and, more importantly, saves one additional seek to get the data on the rotational hard drive.

Since the MFT entires are not relinquished into free space, and for a resident file a file data is stored within its MFT entry, it is possibe to recover a resident file even on a TRIM-enabled SSD. However, this is of little practical applicability becase only files smaller than approximately 800 bytes can become resident.

Comments

Popular posts from this blog

QNAP revisited

APFS Data Recovery