We recently purchased 20 used hard disk drives from eBay and used basic file recovery software to examine the drive contents.
Data that people would consider extremely valuable – tax records, privileged attorney/client information, scans of completed federal forms, and more – often creates digital footprints we'd rather not leave behind.
This post is a part of a eight-part series from the white paper "Hard Drive Security Study". Can't wait to read the whole paper? You don't have to! Read it right here
METHODS OF RECOVERY AND HOW WE CHOSE WHICH DRIVES TO BUY
The methods used to discover data are methods readily available to anyone. We used free and inexpensive data recovery applications on both Mac OS X and Windows platforms to recover files from the hard drives. Unlike a normal drive recovery situation (where someone lost their hard drive and didn’t back up), the data thief can obtain useful information even from corrupted files. We did what a data thief can do easily—we looked for used hard drive listings on eBay that did not specifically describe the drive as “wiped.” It should be mentioned that many eBay listings did in fact list a drive as “wiped.” However, this only made it easy to know which drives to avoid. Our goal wasn’t to test if they wiped a drive if they said they did, but to seek data in the way that a data thief would. We would buy a drive if it said “formatted,” “tested,” or otherwise didn’t state what they had done to the drive.
For easy access to the bare drives we connected them to our computers with a WiebeTech Forensic ComboDock v5. This dock allows a read/write mode as well as a writeblock mode. This is the same hardware write-blocker used by all levels of local and federal government for forensic examination of hard drives.
After the discovery process all found files were permanently deleted and the hard drives were wiped correctly with a CRU Drive eRazer Ultra, a stand-alone hardware device that correctly wipes and sanitizes hard drives.
HOW OUR RESULTS COMPARED WITH OUR PREVIOUS STUDIES This year’s results are in line with previous years’ results. While we found more encrypted data than ever before, and several drives were uninteresting (such as partitions with nothing but a basic Windows install), we did not find a significant change in “properly erased” data from any previous study. We also didn’t see much of a change in the percentage of interesting data from previous years.
WHAT IS STANDING IN THE WAY OF HARD DRIVE USERS TO PROPERLY DELETE DATA?
- People don’t know they should
- People don’t know that what they’re doing is ineffective
- Dragging everything to the trash/recycle bin
- Formatting or reformatting the drive
- “Repartitioning” or removing the partition table from a drive
- People think that an “effective method” is so difficult to achieve, that they do nothing
- Physically obliterating the drive into small particle sizes
- Performing more than one wipe, in some cases, people think they need to erase 32 or more times.
The improper erasure methods outlined above don’t actually erase the files themselves—just the index that tells you where to find your data. Imagine a card catalog system that knows where books are located in a library: If you destroy the card catalog, the books themselves never moved from the shelf. You can still walk to the shelf and get the book. Likewise, when you erase only the index of a hard drive with one of the above methods, software can still read the file itself from the hard drive—this process is called file recovery.
This post is an excerpt from the white paper "Hard Drive Security Study".