jimcoey

macrumors newbie
Original poster
Mar 3, 2018
3
0
Hello everyone, really hoping someone can help me out, I'd be very very grateful!

It's come to the time to upgrade and therefore sell my old laptop. It's a mid-2012 13" MacBook Pro with an Intel Core i5 and 4GB RAM. Originally it came with a 500GB hard drive but I have upgraded this myself to a Crucial 480GB SSD.


After I used Time Machine to back up my data, it came time to wipe the SSD. I did some research beforehand and was told a secure erase with multiple passes is unnecessary on an SSD, and I therefore followed Apple's instructions on how to prepare my laptop for sale: 1) I logged out of all iCloud services, 2) restarted and booted into (I think) recovery or internet mode (command + R), 3) I went into Disk Utility, selected erase, selected my Crucial SSD and erased it with the APFS format, 4) I then reinstalled OSX High Sierra and created a new user.


I wanted to test if the erase had worked, so I went on the internet and downloaded some free data recovery applications (Disk Drill and Easeus). After a few hours, to my horror, all my data came back, in the exact same path and was easily readable and recoverable. I did some more research and was told that encrypting the disk would be a good way to securely erase the data (I wish I knew this beforehand!), so I turned on FileVault, let it encrypt the disk and then went through the same stages again of wiping the drive with APFS format.


My question is, does FileVault encrypt data that has already been deleted? I ran the same recovery software for a second time, which again, found all my old files in the same paths, however this time I couldn't preview or open them once recovered. Is this FileVault at work or has something else gone wrong that could easily be fixed by someone wanting to access my files?


Please can someone advise me on what to do? It's alarming me that the names of all my files are still easily found in the same directories with free software found at the top of a Google search, but I don't mind too much if they can't be opened. Is there something else I should be doing to permanently erase this free space? Is my data essentially safe?


Thank you so much to anyone that can help, hopefully you can highlight a stage that I may have gone wrong at!


Jim
 
The reason why your data was found again is because being in the user account that you used to turn filevault on, the volume is in an unlocked state. If you were to have it encrypted like you do now, use the recovery partition and erase it and reinstall the OS and give it to me, I would not be able to recover the data after I make my user account because the data was encrypted using the password you used to make the test user account.

If you would like to zero out or "randomize" the bits on disk, go to internet recovery, go to terminal, type 'diskutil unmountdisk disk0' and hit enter, then 'diskutil zerodisk disk0' or, I think this is still a thing, 'diskutil randomdisk disk0' both of which will take a long time as they write data, either zeros or random, over the entire disk. If you ran the recovery software after this it will find nothing.

EDIT: To answer something I missed, FileVault is whole disk encryption so every bit, even free space, is encrypted.
 

Hi bluedog thank you for your reply - I think I may not have explained myself properly: I'm not in the user account I used to turn filevault on. I have already turned filevault on and then erased it using the recovery partition like you said. I set it up as a completely new user as if it was the buyer setting it up for the first time and I could still see all my files when I ran the data recovery software, just couldn't open them this time?

Thank you
give me the exact steps to reproduce the issue...

Sorry what else do you need to know? I've explained all the steps I went through
 
Hmm. By chance are you running these recovery programs off a flash drive or from another machine connected via target disk mode to the one you're selling? If so, I think the programs may just be showing sort of like a "history" of the last time they were run. Honestly if the drive was encrypted, then reformatted, I see no way the data would be recoverable.

Did you try my suggestion to zero the disk entirely?
 
No I'm running the recovery programs off the SSD that has been wiped and set up as a new user. Just strange that I can still see all the files. I'm gonna try enabling TRIM, writing over the drive with zeroes and then running the system again - thanks again for all your help, I'll get there eventually! I'll let you know what happens after zeroing.
 
It is not enough to reformat/erase a non-Apple SSD. The data is not deleted or overwritten when doing so, just hidden in plain sight. You are essentially just deleting the indexes, but not the data. The data blocks are still on there for recovery tools to see. Similarly, it is not enough to enable FileVault, especially not if you already erased the disk.

Usually the SSD manufacturer provides tools to erase SSDs properly. Alternatively, you can also zero-out the data (though this is inefficient and almost certainly not going to be 100% reliable for various reasons).

You should use FileVault right from the start and never turn it off. You should also enable TRIM to make sure that ‘deleted’ data is purged periodically.
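
An added example, not part of the original thread: a Python checker for the test the original poster ran by hand with recovery tools. It reads a raw image block by block and reports non-zero blocks and the file-type signatures that carving tools key on. The sample image and the `quick_format` and `zero_fill` helpers are constructed models, and a clean result only covers blocks readable through the host interface, not spare flash inside the SSD.

```python
import io
import sys

BLOCK = 4096
# Magic numbers that file-carving recovery tools look for at block starts.
SIGNATURES = {b"\xff\xd8\xff": "jpeg", b"%PDF-": "pdf",
              b"PK\x03\x04": "zip", b"\x89PNG\r\n\x1a\n": "png"}

def audit_wipe(stream, block=BLOCK):
    """Count total and non-zero blocks, and known file signatures, in a raw image."""
    total = nonzero = 0
    hits = {}
    while True:
        chunk = stream.read(block)
        if not chunk:
            break
        total += 1
        if chunk.count(0) == len(chunk):
            continue  # block reads back as all zeros
        nonzero += 1
        for magic, name in SIGNATURES.items():
            if chunk.startswith(magic):
                hits[name] = hits.get(name, 0) + 1
    return {"blocks": total, "nonzero": nonzero, "signatures": hits}

def sample_image(block=BLOCK):
    """Constructed 8-block image: index, JPEG-like file, gap, PDF-like file, free space."""
    index = b"OLDFS photo.jpg@1 taxes.pdf@3".ljust(block, b"\0")
    jpeg = (b"\xff\xd8\xff\xe0" + b"J" * 100).ljust(block, b"\0")
    pdf = (b"%PDF-1.4\n" + b"P" * 100).ljust(block, b"\0")
    return index + jpeg + bytes(block) + pdf + bytes(4 * block)

def quick_format(image, block=BLOCK):
    """Constructed model of an erase that rewrites only the index block."""
    return b"NEWFS".ljust(block, b"\0") + image[block:]

def zero_fill(image):
    """Constructed model of overwriting every host-visible block with zeros."""
    return bytes(len(image))

if __name__ == "__main__":
    if len(sys.argv) > 1:          # audit a real image file or raw device path
        with open(sys.argv[1], "rb") as f:
            print(audit_wipe(f))
    else:                          # run on the constructed sample
        img = sample_image()
        print("after quick format:", audit_wipe(io.BytesIO(quick_format(img))))
        print("after zero fill:   ", audit_wipe(io.BytesIO(zero_fill(img))))
```

On an encrypted volume the non-zero count stays high while the signature count drops, since ciphertext carries no recognizable file headers.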
 
OP:

If you're worried about what is on the internal SSD (which is replaceable), the solution is simple:

Buy a BRAND NEW SSD with nothing on it.
Remove the existing SSD (with your stuff on it), and put the new one in.
Install a completely fresh and clean copy of the OS.
Then, SELL IT THAT WAY.

Take the old SSD and repurpose it for your own use.

That takes care of any "security" issues, 100%.
 