Securely Wipe Free Space on SSD

What is the best/safest method to securely wipe free space on my SSD C: drive? I read here the following:

"If the TRIM function is automatically enabled, then the SSD will wipe free space automatically. Actually, when TRIM is enabled, Windows sends an instruction to the SSD every time you delete a file. Therefore, the SSD can then erase all the contents related to that file automatically. This thing helps in maintaining the speedy performance of your SSD."

I ran the fsutil behavior query disabledeletenotify command in cmd and trim is enabled in my case, so is trim as effective as performing multiple wipes using any 3rd party software?

In general the more overwrites the harder it is to recover data.

These links may be useful:

Erase Disk using Diskpart Clean Command in Windows 10

https://www.dell.com/support/kbdoc/e...ate-hard-drive

zbook said:

These links may be useful:

Erase Disk using Diskpart Clean Command in Windows 10

https://www.dell.com/support/kbdoc/e...ate-hard-drive

Thanks zbook, those links refer to wiping the entire drive, I was referring only to wiping the unused portion of the drive (free space)

steve108 said:

"Securely Wipe Free Space on SSD" - why would one want to do this? Getting rid of the PC?

There could be many reasons:
- You sell/transfer or dispose your PC or drive and want to destroy all personal data (wiping the entire drive)
- You deleted sensitive data thru the usual Windows Recycle Bin but want to make sure that data is unrecoverable for security reasons (wiping only the free space on the drive)

Hi,
Just make a system image and wipe the entire ssd
After restore the system image.

Just disable recycle bin on ssd/ hdd properties the prompt to delete is docile I leave that.

steve108 said:

Okay, so what's your reason?

If it's the first, wipe the whole drive and reinstall Windows.

2nd, I don't know.

My original post that started the thread, both its title and content, was asking for wiping free space only, not the entire drive

ThrashZone said:

Hi,

Just make a system image and wipe the entire ssd

After restore the system image.

Yes, I know I can wipe the entire drive and then restore from a backup, I was just trying to avoid that method which takes longer and just wipe the free space on the drive. But from what I read so far it seems that wiping the entire drive is both safer and more secure.

Hi,
Yes seeing you'd have to partition the free space and you can't use all C for that additional partition to format...

How to Use Cipher Command to Overwrite Deleted Data in Windows

On a typical consumer SSD, what you ask is simply not possible to achieve, due to how TRIM works (and because every SSD uses over-provisioning and wear-leveling). The TRIM command does not erase the pages in NAND, as instead it only marks them as invalid so that, when the garbage collection kicks in, the garbage collection algorithm will know that it may erase them. But the fact that it may erase them does not also mean that it necessarily always will, as a lot of SSDs use the kind of garbage collection that typically doesn't erase any pages until it becomes a necessity to do so, i.e., until a loss in performance would otherwise start to occur. Even if pages having been marked as invalid get erased during garbage collection, which cannot be guaranteed to always be the case, there still can be no guarantee that all of them always will be, and, there is no reliable way to tell when the garbage collection will kick in, and that can also turn out to be never.

As for the cipher command, nobody who is knowledgeable about the subject of data security uses that old method for secure erase anymore because it was found many years ago that this specific method has a major data security flaw. The format command with the /P:<count> parameter (that you can specify on Windows Vista and later) is what many people now use instead, but it still cannot be used on an SSD to secure erase only a specific portion of the data stored.

Off topic: most people aren't aware that secure erasing an entire volume (commonly referred to as a 'disk') that is stored on an SSD is not the same as secure erasing the whole SSD that this volume is stored on. The term 'disk' is referring to a logical drive, or logical disk... NOT a physical disk. Diskpart clean all typically doesn't help either, as it overwrites every sector with zeros, and, data that contains nothing but zeros has an entropy level of zero. It matters because the dynamical over-provisioning found in SSDs that use Seagate's DuraWrite technology or similar data compression based strategy relies heavily on the entropy level of the data stored.

The best way to protect the privacy of the data is to fully encrypt the entire SSD and every other SSD that might end up having decrypted copies of the data on it. This also includes the SSD that Windows is installed on. E.g., using standard BitLocker (not to be confused with BitLocker device encryption). This logically assumes that the encrypted SSDs will strictly be used within an isolated environment ONLY. If you want to be very certain that it will be secure erased, drill a hole through your SSD before you think about selling it. Alternatively, you could decide to use a program that lets you secure erase an entire SSD instead of only secure erasing an entire volume. One example of such a program is called DBAN.