Slashdot Mirror
Data Mining Used Hard Drives
linuxwrangler writes "One hopes the /. crowd knows the perils of discarding storage with sensitive data but this article drives home the point. Two MIT grad students bought used drives from eBay and secondhand computer stores. Among the data found on the 158 drives were 5,000 credit-card numbers, porn, love-letters and medical information."
5000 divied up between say 200 disks is 25 cards per disk, are these retail discarded drives? Perhaps this should be regulated.
It's long been know that laptop theives are often more interested in the data than the computer.
Some computers sold on eBay are sold for the data.
It's one thing to make sure you securely wipe any drive of your own you get rid of, but you can't do anything about old drives or paper files that a company or hospital might discard containing sensitive info about you.
Occasionally there are new reports about someone finding a stack of files by a dumpster containing sensitive medical or financial information about a lot of people. The same surely holds true for old drives or computers disposed of by careless companies.
Picked 6 or 7 old 4gig HDDs from my father's company a few years ago, found their company credit line information, personal (and some very erotic) email, and a surprisingly large collection of nudie photoshopped Gillian Anderson photos. Oh yeah, and like 100 different (and I must say, very well-done) quake2 "crackwhore" models and skins lol. I love the people who don't clear their HDDs, it's like treasure chests, you never know what you're gonna get.
------- "From bored to fanboy in 3.8 asian girls" ----------
Thats not so bad. My dad happens to be a garbage man and often brings along an occasional system he's scavanged from the dumpsters along his route. Currently I have in my possession an old IBM Aptiva with some guys bank account information on it (He did his checking and stuff with it apparently), but worst of all I have what appears to be an old Gateway tower used to store Medical information for a major hospital in the area my father works. I have over 2 gigs of peoples medical history, including what they were put in the hospital for, insurance information, release dates ect.
I should really do the honost thing and reformat it but its always fun to flip the thing on and just page through stuff.
bought 158 used hard drives at secondhand computer stores and on eBay. Of the 129 drives that functioned
Everyone knows that HD's contain data.. I would be more impressed if they broke down the numbers of where the BAD drives came from. That would make a much more informative story. I've bought as-is before in person but never online.
Bad boys rape our young girls but Violet gives willingly.
That was the Policy at the IBM facility I worked at in the early 90's. I tossed piles of computers into this big ugly compacting trailor once that was done with it I doubt you could recover anything. Funny thing about that is employies took piles of "compacted" parts home with them well I guess if they wanted the data in the first place they could have gotten it anyway in building security was light network wise untill you hit big iron.
No sir I dont like it.
Anyone happen to know any share/freeware programs out there for Windows 2k that will recover deleted files. I am intrested in running it on my computer to actually see what I can recover and see how well PGP's disk wipe function works.
Data Fishing? I mean, you never know if you'll catch anything.
Why not remove the hard drive and donate the computer to a local school. Even at a couple of years old the computer is still useful for students and the school would be more than happy to pick up a new hard drive for it.
However, I *always* remove the hard disk drive, disassemble it, and give it the sledge hammer treatment. I just don't have the time to get them running again, and write the erase patterns to every track and sector.
Maybe if there's ever a good, transparent, drive-level PGP available, I'll rethink this strategy, but until then, I put on the safety glasses and hammer away, after opening the drive case to expose the platters.
Here's a sugesstion to drive manufacturers--make a convention where if certain pins on the IDE connector are jumpered together, and the drive powered up, it will do a low-level format automatically. Then I might choose to erase the disks, so long as I didn't have to hook them up to a computer and run a program.
Best Buy can have you arrested
Roughly speaking that'll do it. I'm sure there's nice trickery you can do to, say, get the equivalent of
Take 'em apart and use the magnets as fridge magnets. They hold up an enormous amount of paper, although they do tend to nip one's fingers occasionally :)
No database code or data, just typical home directories and stuff. And they were running SCO, but boot blocks and stuff don't generally get written to tapes, so no chance of warezzing from it.
I also snag SCSI hard drives and SyQuest cartridges when they show up for five bucks or less at thrift stores, since most of that is Mac stuff and I'm a Mac-head.
Once I got a 6100 at a thrift store. I presume the owner stopped using it when the PRAM battery died. (When a 6100's PRAM battery dies, the video settings go with it, and unless you're using a fixed-frequency monitor, you get no video unless you hold down command-option-P-R. Looks like real bad a hardware problem when it's just the battery.) I could tell it was used by some college guy, studying to be a lawyer, I think.
"Thrift store hard drives are like a box of chocolates... you never know what you'll find!"
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
If I remember right, the DoD standard was to erase the file by writing random bits over it 7 times....although that was before some researchers found that you could still read the original data if you had a scanning electron microscope.
Not after they've been nuked for 10 seconds in a microwave oven set to "High". Trust me, or better yet, try it :)
I have heard that the DOD way of "sanitizing" a hard drive is to open it up and dissolve the platters in acid.
Tim
Omnia vestra castrorum habetur nobis.
I have had 2 drives fail well within the warranty period, and did not return them for just this reason.
All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
So even if I take all the steps necessary to make sure my data is safe on my computer, odds there is a business throwing away hardrives that have my data on them without properly removing all the data? Wow, I can't believe this isn't a hotter topic. I also wonder how this affects certain websites privacy statements. Sure, they don't give your information away intentionally, but they may give away a harddrive full of personal data without even realizing it.
Costly? Get two similar HD and swap the PCB. Chances are decent that only the PCB was dead, there ya go all the data and no need to load up some forensic software to read the deleted data since the drive is assumed "dead".
Yes, I have done this and recovered valuable information. Of course, Both drives where mine anyway, but still.
AlexNow for or something really scary.
I run a computer shop in the southeastern United States, much of my work involves the local school systems.
Several years ago (Long before 9-11) a local school received a donation of several pallets of computers, monitors, printers, and other equipment from a local military installation. The donation was properly processed through the Defense Reutilization and Marketing Service (DRMS) and should have been cleared of any sensitive materiel.
I was contracted by the school to take the entire load and build as many working systems as I could out of the parts. As I begin to put systems together and power them up I was staggered by the fact that at least half of the hard drives were FULLY intact and no attempt at all had been made to remove sensitive data.
I of course had to take a closer look. Much of the data concerned simple day to day non-sensitive routine base operations (I am x-military so much of it was familiar to me). HOWEVER on one of the intact drives I found something that KNOCKED MY SOCKS OFF! Setting there on that hard drive spinning on my work bench was pile of data concerning the moving of NUCLEAR weapons and other nuclear materials and conventional weapons around the United States. The data contained information such as routes, schedules, manifests, and duty rosters. I WAS DUMBSTRUCK. How could this have happened? This drive should never have left a controlled area, EVER, it should have been destroyed. This was inexcusable!
Of course in a situation such as this all manner of thoughts go though your head. Thoughts such as; What kind of damage could a enemy of the U.S. do with this data. What would this data be worth to someone unethically inclined. If they knew I saw this data they would probably lock me up and throw away the key just for good measure, and of course WHAT SHOULD I DO WITH THIS DATA?
In the end I destroyed the hard drive and the data it contained and kept my mouth shut. That has been at least 8 or 9 years ago and until this day I have never told anyone and thank God that due to the passage of time I have forgotten most of the particulars of the data I saw.
At a former employer who will remain nameless they had secure areas. To get in you needed a clearance and if you didn't have a full government clearance all of the people in there would power off their boxes until you left. You were also constantly watched and doing sysadmin stuff in there was an adventure because they could do whatever they wanted since they weren't hooked up to the regular network.
When they moved some of these labs all of the equipment was shrinkwrapped and escorted to the new location to prevent tampering while in transit.
I think I had something to say. Oh yeah. Ok, when hard drives and backup tapes got old they had to format them X number of times (I forgot the exact number), then physically smash them and then burn the remains. All in a secure manner (ie: not taking them to the local Springfile Tire Fire).
Anywho, a friend of mine had to replace RAM from one of their Suns, and I went with him. They let us leave with the RAM and didn't think twice about it. 2 or 3 minutes after we left my friend realized he may be able to take the RAM and actually read the data off of it somehow, assuming it was still saved.
Perhaps this could be applied to other things including external processor caches and VRAM as well.
US DoD Spec: 3 passes
German DoD Spec: 7 passes
(from http://www.ontrack.com/library/dataeraser.pdf)
-- R
There doesn't seem to be much point in overwriting more than once with the same zero pattern (the article makes this mistake too, though the original authors probably don't). There are really two levels of sophistication we're hoping to elude here:
a) People using the drive's own interface to retrieve "deleted" datab) People doing direct signal analysis of the magnetic media to find successive generations of overwritten data
Once you've overwritten the disk once (whether with dd, a real SCSI low-level format, or some other means), you're in regime (b). Assuming you're paranoid and/or justifiably concerned enough to bother with repeated writes, using the same bit pattern does little - and zeroing is especially non-optimal, from what I've read. Random bit patterns seem a likely candidate, but randomness is actually particularly easy to divine in a signal.
People have experimented with instead writing various repetitions of constant strings with good success, but what might be ideal is a chaotic pattern that approximates the look of the expected data without divulging anything real (interesting thought - perhaps this is what some of the porn they found was for!). Write that a few times and you have a honeypot that might mislead a naive investigator into thinking there's nothing more to be found - but even this is difficult because the "freshness" of the bit patterns can be determined by their relative signal strength, and you can't simulate age using the default write current no matter how many new patterns you lay on. You can only hope you've made the old, real data so faint that it disappears into the background noise. Since there's no real way to guarantee this, people with real secrets to hide have to physically destroy the media. So much for reduce, reuse, recycle. ;)
The technique of extracting the data is akin to the work of deep-sky astronomers, military listening posts, or even sedimentary archaeology. It's quite an interesting problem, as is making the data unrecognisable. The parallel with copy-protection is obvious, and the outcome is the same - an escalating war of technique between intrigued hackers, where the party acting later in time (the deprotector / signal analyst) always has an advantage.
As an aside, when using dd to copy large amounts of data to disk you can often speed things up immensely by tailoring the (output) block size to the destination device.
I remember working on my very first IBM pc. My girlfriend's mother was dating a guy and he gave her an old 8086 computer (this was back in '94 or thereabouts). Well, I started playing with the computer. He had an early version of Norton Utilities on it. I played with the undelete file utility and found that there were lots of deleted files. I recovered some of them and started to read them. Most were boring. One wasn't
This guy wrote about my g/f's mom about how he was banging her for the last 15 years. She had only been widowed for 10 years. He also complained about how she only came around when she needed money and how he was tired of banging her wrinkly ass.
Also, this guy was a principal at an elementary school. He was apparently fucking several women at the school, even getting blowjobs at work!
I was simply amazed. My g/f didn't even really know that this guy was dating her mom (some women are so stupid). She just thought he was a family friend. I couldn't tell her about what I found because I knew she would have been really upset.
I learned from that day on that simply deleting a file was not going to hide anything. I'm actually holding onto a defective laptop thathas been broken for months. I don't want to toss it out until I can either recover the harddrive data myself or until I can safely dispose of the harddrive.
-- You see, there would be these conclusions that you could jump to
There is no substitute for destruction, but if you want to re-sell, use:
Autoclave
Autoclave is a boot disk w/ a Linux distro that will securely delete on five levels:
Zero fill
One random pass
3 binary overwrite passes
10 passes, some structured
25 structured passes
For *true* secure deletion. Policy at the University of Washington requires level 3 at least. Of course, I've bought some UW surplus computers with still-functioning Win98 on the drives...
Last year, my employer of 12 years went out of business. The company was secretly being run improperly for quite a while and the owner closed the doors the same day he found out about the mismanagement.
Being the IT director, I helped the owner, my friend, with the office computers. I planned on wiping all the hard drives and I informed the owner of my plan. He agreed that it was a good idea.
From the next three months, watching the bankruptcy process unfold, I got questioned left and right as to why I wiped the data. The accountants wanted to know why...the lawyers wanted to know why...the liquidators wanted to know why...the court wanted to know why. I understand that a system with an installed OS is more valuable than one that has been wiped clean(the data had been backed up so there was no question of whether data had been destroyed) but this should not be unusual. Nobody asking me these questions were newbies--their jobs involved dealing with bankrupt companies and it was as if they had never seen this before!
It's not as if it's just any "[t]wo MIT grad students". Garfinkel has written more than a handful of security books over the years.
Depending how much someone is out to get you.
There was a quote somewhere saying that a heap of data could be recovered from even a square millimetre of hard disk platter.
So let's have a think about the maths. I don't know what the physical interior of a hard disk is like, but the exterior is in the vicinity of 10cm (4in) across. If the platter were square, that'd be 100*100 square millimetres. (It'd be round, so the actual number would be about 25% smaller.) Suppose we were talking about a 40gig disk. That's 4 meg per square millimeter.
Now if hard disks were made up of lots of layers, say 1000 of them, that's still 4K per square millimeter per layer, and you've got one hell of a pulverising job ahead of you!
There's good reason why high-security areas go through their elaborate sequences of electronic shredding (multiple data overwrites), physical shredding (makes the hammer look weak) and thermodynamic shredding (I daresay *someone* can get data off a hard-disk after you've treated it with thermite!)
Rachel
I used to work for the Queensland Police's IT department. We had to take used HDD to the dump personally and arrange for one of the bulldozers to crash them. Basically anything that had a memory chip had to be physically destroyed, old ram, old NICs, everything.
Burn the ISO, boot to the CD, then wait a *really* fucking long time for it to scamblefuck the drive. (You can also use a floppy disk...but nowawayd why use something that a magnet could possibly fuck?)
(I have no idea whether or not this is military-grade. Can anyone comment? And if not, provide something *better*?)
Magnetic Speperator...
I have one, honest to god..
It literally removes the magnetic code/signatures from the HDD. I used to work at a data recovery shop (yes one with static room where we physically remove the data etc...) and even we couldn't recover anything off a HDD that has been passed through one...
The only bummer is they draw lots of amperage on a 220... (meaning they literally dim the lights even on my very well powered home...)
The NSA/DOD/Whatever probably uses these when they erase a HDD for redistro/etc...
Erutangis ym si siht.
Assuming a DNA sample is not old or degraded too much you can tell between identical twins. Twins have the same genes but not the same DNA. Same thing with clones. A clone would not be exactly the same... there are many ways to tell the differance between the two.
unzip; strip; touch; finger; mount; fsck; more; yes; unmount; sleep
Actually, I purposely break old HDs by taking them apart. Why? There's a set of cool ultra powerful rare-earth magnets inside usually. (I'm talking strong enough to hold a book to a fridge.) ;)
My wifes company - health care company - gave away the old office computers a few years ago. With out wiping the hard disks. We got two computers - both the co-owners with all of the memos intact. It made for some interesting reading - filling in those awkward questions about people who didn't come to the company picknick.
I disassemble my old drives. The Magnet makes one hell of a good Refrigerator magnet and the discs make good pocket mirrors for wife or frisbies for kids.
If you could reason with religious people, there would be no religious people
Some sort of explosive device on a trigger next to your mouse?
A shotgun blast? (Hoping you hit the drives and don't get shot...)
Fast acting fantasy software to write random data 144 times over the disk in mere milliseconds?
I've had to RMA a drive (Seagate, I think) that had all our magic encryption keys. So I opened it, pulled the platters, and sent it in.
They didn't say a damned thing, and sent us a new drive. Each of the engineers took a platter and did away with it. No problem!
-- Spankmeister General
Should produce some interesting results. It'd be interesting to see the different effect from hitting dead center on the hub as compared to (on a different, identical drive) the outermost rim.
I like the stack of lost floppy disks sitting in the campus lab. One day I started looking through them.
On the third disk I noticed a file named "Moms Credit Card". We can all guess what the file contained.
Fortunately for that poor student, I'm a nice guy and I wiped the disk so that the information wouldn't be abused. However, the next disk contained Frat Party planning meeting minutes that were quite entertaining. (Someone was violating campus alcohol rules.)
Anyway, I stopped looking after the 5th disk, and there were over 500 lost disks in that lab. All of the disks were found withing the last 4 months. If you want to get dirt to use on people, visit a college lab, shuffle through the lost disks, hold onto the information for a few years and then see how much that lost disk is worth to them.
That's another good point that this article doesn't mention:
If you have a HD that has sectors that go bad, many HDs (or operating systems) will mark the block as bad and off-limits so it doesn't get used any more.
This of course poses a problem with most "erase" type programs, as there may not be a way that the eraser can override either the operating system "bad block" mark, or the drive's "bad block" internal mapping.
If something critical happens to be in a block marked bad on the HD, there may not be any way to securely erase it 100% via software and you'd need to destroy it physically.
"Nothing strengthens authority so much as silence." - Charles de Gaulle
First, a little background:
Regarding disk recovery:
Regarding SRAM recovery:
Regarding DRAM recovery:
Based in part on the recovered data, we concluded that candidate A was declared the winner due to a ''mistake'' in mapping ballot slot numbers to candidates. In some cases the slots for candidate A and B were reversed.
An incorrect vote count was reported by the election officials. It is our guess that when we came around asking for the raw data, someone began to collect it. At some point some official(s) discovered the blunder. The system was left on while they stalled for time. When it was clear that we were going to force them to turn over the data someone wiped the system and shut it down.
BTW: The majority of the election officials involved were supporters of candidate B. Even though their blunder caused them to declare candidate A the winner, they still tried to coverup their mistake.
Our conclusion was that the attempt to coverup the mistake was motivated by not wanting to admit the major blunder instead of because of candidate A's influence. This conclusion was reached in part because of messages that we recovered on another system that was not wiped. However we would have never been able to find that other system, nor would we have been able to match the raw slot numbers with the reported vote counts by candidate name without the help of the data recovery consultant and the critical data that they recovered.
I'll offer a few observations:
P.S. I know that some people doubt that one can obtain old data from SRAM and DRAM after poweroff. I did too until it was done for our group. To those who still doubt this: I will refer you to Peter Gutmann's paper on Secure Deletion of Data from Magnetic and Solid-State Memory for another source on data recovery methods.
I bought a refurbished power mac not so long ago and it appeared to come from united airlines and did contain quite an amount of serious sensitive data. Reports/emails about illness of an employee, financial stuff, flight planning etc.
It was right there, no attempt had been made to delete it at all. Sigh.
Another interesting case came up when my company was in its death throes and was firing people left and right. When the admin was backing up the content of their hard drives prior to wiping, a lot of interesting non-work-related stuff cropped up. I'm not talking about a little gay porn. One guy had dozens of documents related to different couples' divorce proceedings! Ouch ;)
The real lesson here is that the people you sometimes have to entrust your data to can't necessarily be trusted.
One thing to consider is turning your system in for repairs. I used to own an Apple G4 Cube and when I sent it in for repair, Apple decided simply to send me a new one. While I didn't have anything on the hard drive except some MP3s and Email, who knows where that disk is now and who has it? It is something to think about if you have your computer serviced.
After reading all the posts of this topic, I have concluded that physical destruction is the best way to go. Although I have no doubt that a program designed to securely erase the hard disk would be effective enough for me, my hard disks are simply too big for this approach. Who wants to wait on 7 or more passes on a 120GB hard disk?
I'd like to see IDE hard drives that encrypt every sector -- but done in the drive's electronics.
Before the drive can be used, the mainboard (bios?) must first issue an ide command to set the key that the drive used for reading/writing each sector.
WIth a properly configured bios, the bios could ask you for the key during power on self test.
You run your computer off a UPS. If the bad guys are going to serve a warrant, raid you and steal your gear, they might first cut the power to prevent you from inserting a linux "reformt-the-drive" floppy and punching reset. The UPS helps against this.
But even if you can't get the drive reformatted, and the bad guys attach your drive to one of those drive copying gizmos to collect evidence, all they get is encrypted blocks. Or better, if the drive electronics detects an attempt to do this, massive sequential copying of blocks, but without first having issued the decryption key command, then the drive electronics could simultaneously return random bytes to through the ide interface to the copying gizmo while actually overwriting the corresponding sector on the drive with different random data.
Another way to look at this from the point of view of the drive electronics is that if the drive is powered up, and very much access is attempted without the decryption key command, then the drive can assume that it is NOT physically in the good guy's computer where it belongs.
While the technique described here is also good to prevent data mining of your hard drive, it is most useful in preventing data mining by the bad guys who might steal your drive for evidence.
The price of freedom is eternal litigation.
Years ago I bought a CP/M system complete with a 30MB 14" hard disc at a computer show consignment table. I couldn't get it to boot up but I was able to poke around on the disc by writing and reading directly to the controller. I discovered some erased files and one was the previous owner's resume, a developer for Pickles and Trout. So....I called him up and he helped me get it working. He was suprised I found his deleted resume and I assured him I'd wipe it as soon as I got it working. That drive also had the source to most of their CP/M development. It made for some fun reading, pre-DMCA, of course.
Blowfish http://bsn.ch/Lasse/bfacs.htm
(sorry, me mechanical engineer, me think link is machine part)
Has a utility to blow away hard drives, or at least clear all the empty space.
"As God is my witness, I thought turkeys could fly." A. Carlson