Data That Haunts You

Forensics investigators still find it's easy to pull old (and sensitive) data off used hard drives

Dark Reading Staff, Dark Reading

February 20, 2007

4 Min Read

9:05 AM -- Computer forensics specialists at Fulcrum Inquiry decided it was time to confirm their suspicions that most users don't properly wipe their hard drives clean of sensitive data. So they purchased 70 used but supposedly "clean" drives from various sources, including vendors at computer trade shows and off eBay. (See Data Destruction, at Your Disposal.)

Their findings weren't very promising: Fulcrum forensics investigators Steve Peskatis and Jared Schultz were able to recover sensitive information from 62 percent of the hard drives, and from over 80 percent of the ones they purchased off eBay. Overall, only 33 percent of the drives were properly wiped and cleaned of data. Another 14 percent were just non-operational.

"It was actually a little higher rate [of data recovery] than we anticipated," Peskatis told me in an interview. "It was intriguing to us to see what would happen when we find systems people donate or get used hard drives."

Peskatis says he and Schultz initially wondered if they'd just end up with a bunch of empty drives since all the vendors they purchased them from at computer shows claimed the drives had been level-formatted, which is usually enough to wipe them. But not so: "A couple of vendors said they had wiped the drives, and indeed they had," he says. "But we saw that others had quick-formatted them, and some were shredding or wiping them and after a couple of minutes, just stopped. Others just tried to write over it."

It took anywhere from one to five hours for the investigators to recover the data, and they used mostly basic forensics tools, which range from $1,000 to $3,000 apiece, as well as some free Linux tools, Peskatis says. He says these tools are an easy way for identity thieves to get what they need.

And the two hit the mother lode on one hard drive they had purchased on eBay: "It was kind of scary," Peskatis says. "This particular individual had everything you could imagine stored and scanned" on his computer, he says, some of which was not appropriate for public consumption.

"Bob," an unemployed construction industry worker on disability, apparently tried to format his hard drive before selling it online. But that didn't stop Peskatis and Schultz from easily recovering tens of thousands of his files that were an identity thief's dream come true -- images of Bob's birth certificate, driver's license, Social Security card, his will, pictures of his family, adult content, credit card statements, his memoirs, business receipts, information on his debts, and even a letter from Bob to his favorite female celebrity, which Fulcrum is keeping nameless.

Even more disturbing, however, was a drive they found that had belonged to a pediatrics nurse at a hospital. The Fulcrum forensics team pulled from the drive patient names and medical records, prescription data, and names of doctors. "Most of the data was in swap space, but it was still relevant information" that had not been properly erased, Peskatis says. He and Schultz contacted the hospital and returned the drive. Apparently, the information the nurse had been accessing from the hospital's database had been stored locally, he says.

The vendors who were reselling the drives were apparently either clueless or lazy. The hospital is investigating just how its drive got into circulation with the data improperly wiped clean. As for the consumers like Bob selling their drives on eBay, most had quick-formatted them.

"Most people would probably think that's it," Peskatis says. But reformatting one time won't erase your private data, and if you're Bob, every intimate detail of your life could be at an identity theft or other person's fingertips.

Some sure-fire options for properly wiping your hard drive, according to Fulcrum: Use low-level formatting, not a quick format; use wiping software that overwrites data; physically destroy the media with a big hammer or a strong magnet; or hire a third-party disposal firm to wipe or get rid of the drive.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights