Data Mining Used Hard Drives

linuxwrangler writes "One hopes the /. crowd knows the perils of discarding storage with sensitive data but this article drives home the point. Two MIT grad students bought used drives from eBay and secondhand computer stores. Among the data found on the 158 drives were 5,000 credit-card numbers, porn, love-letters and medical information."

Guess those pop up ads were right

There IS pornography on your computer!

Re:Guess those pop up ads were right

Fill a directory with goatse pics, so if your hd is data mined, whoever's doing it will have an unpleasant experience. :)

DPA

[kylegordon]

Another reason to securely erase your data. In the end, _you_ are responsible for data under the Data Protection Act (in the UK anyway)

Re:DPA

[reverse+flow+reactor]

and the only secure method involves a woodchipper.

Re:DPA

[shepd]

>In the end, _you_ are responsible for data under the Data Protection Act (in the UK anyway)

Unless it's encrypted, then it becomes the government's business.

Re:DPA

[tealover]

I remember working on my very first IBM pc. My girlfriend's mother was dating a guy and he gave her an old 8086 computer (this was back in '94 or thereabouts). Well, I started playing with the computer. He had an early version of Norton Utilities on it. I played with the undelete file utility and found that there were lots of deleted files. I recovered some of them and started to read them. Most were boring. One wasn't

This guy wrote about my g/f's mom about how he was banging her for the last 15 years. She had only been widowed for 10 years. He also complained about how she only came around when she needed money and how he was tired of banging her wrinkly ass.

Also, this guy was a principal at an elementary school. He was apparently fucking several women at the school, even getting blowjobs at work!

I was simply amazed. My g/f didn't even really know that this guy was dating her mom (some women are so stupid). She just thought he was a family friend. I couldn't tell her about what I found because I knew she would have been really upset.

I learned from that day on that simply deleting a file was not going to hide anything. I'm actually holding onto a defective laptop thathas been broken for months. I don't want to toss it out until I can either recover the harddrive data myself or until I can safely dispose of the harddrive.

Re:DPA

[Alien54]

and the only secure method involves a woodchipper.

Actually, I find extensive use of sandpaper after attaching the disk to a high speed drill works wonders.

Barring that, an old fashioned bulk tape eraser also has interesting effects.

I'm thinking of other options, including battery acid, and use as a grounding rod for a Tesla Coil.

Re:DPA

[Rolo+Tomasi]

Barring that, an old fashioned bulk tape eraser also has interesting effects.

Nope. A magnetic field that would be strong enough to erase a hard drive would probably also compress it into a lump of twisted metal. from http://www.usenix.org/publications/library/proceed ings/sec96/full_papers/gutmann/:

US Government guidelines class tapes of 350 Oe coercivity or less as low-energy or Class I tapes and tapes of 350-750 Oe coercivity as high-energy or Class II tapes. Degaussers are available for both types of tapes. Tapes of over 750 Oe coercivity are referred to as Class III, with no known degaussers capable of fully erasing them being known [19], since even the most powerful commercial AC degausser cannot generate the recommended 7,500 Oe needed for full erasure of a typical DAT tape currently used for data backups.

Degaussing of disk media is somewhat more difficult - even older hard disks generally have a coercivity equivalent to Class III tapes, making them fairly difficult to erase at the outset. Since manufacturers rate their degaussers in peak gauss and measure the field at a certain orientation which may not be correct for the type of medium being erased, and since degaussers tend to be rated by whether they erase sufficiently for clean rerecording rather than whether they make the information impossible to recover, it may be necessary to resort to physical destruction of the media to completely sanitise it (in fact since degaussing destroys the sync bytes, ID fields, error correction information, and other paraphernalia needed to identify sectors on the media, thus rendering the drive unusable, it makes the degaussing process mostly equivalent to physical destruction). In addition, like physical destruction, it requires highly specialised equipment which is expensive and difficult to obtain (one example of an adequate degausser was the 2.5 MW Navy research magnet used by a former Pentagon site manager to degauss a 14" hard drive for 1 minutes. It bent the platters on the drive and probably succeeded in erasing it beyond the capabilities of any data recovery attempts [20]).

The only way to be really sure is to use an acetylene torch.

Re:DPA

[photon317]

This is not good enough. Merely Zeroing the data prevents "undeletes" and reading raw sector data in conventional ways, but there are tools to recover data that was been zeroed.

A simplistic way of think about it is this (this isn't remotely close to what really happens, but it's sufficient to get the point across): Each bit on the drive can have a real value of 1-100. 1-50 is interpreted as zero, 51-100 is a one. However, changing a bit from one to zero doesn't usually apply enough magnetic force to move it a full 100 points. Therefore it's common that if you zero a bit that used to be a zero, it will end up being very very low, but if you zero a bit that used to be a one, it will be in the higher one range, say a 40. Based on this, data recovery experts can get a pretty good picture of what the data used to be.

The US DoD has a standard they established way back when for fully erasing data against these sorts of recovery techniques. I don't know how old it was, but it was well-known in the early 90's for sure. It may not be safe any more. It specified overwriting the data a total of 7 times with specific patterns (something like 00, FF, 77, 11, EE, 77, 00, FF .... I don't remember the actual sequence).

The moral of the story is, don't trust any software method for destroying data. Use a blowtorch or an electric sander on the raw platter surfaces after removing them from the drive casing. While you're at it hit the electronics and the heads too. Or throw the whole thin in an incinerator that's hot enough to melt case platters and all into a lump of metal.

Luckily for me, my Ebay'd hard drives are safe

[ObviousGuy]

I only sell broken ones.

Re:Luckily for me, my Ebay'd hard drives are safe

[Filik]

Nope, even broken ones can be read with the right equipment.

Re:Luckily for me, my Ebay'd hard drives are safe

[norton_I]

Even broken hard drives can be recovered, though it takes some rather expensive equipment to do so. However, with a little creativity and some equipment you would likely find in a EE department, much of it could be recovered.

Re:Luckily for me, my Ebay'd hard drives are safe

[ObviousGuy]

I'd just like it to be known that I do not shit on my HDs.

I do attempt to smear blood on the drives, though.

And I may have once ejaculated on a platter, but I was young and I needed the money.

Re:Luckily for me, my Ebay'd hard drives are safe

[broter]

"Even broken hard drives can be recovered..."

That's why it's the DoD way for me: scramble the data with many passes accross the media with a stong magnet, followed by hammer strikes until it's in small pieces.

You may find this lowers its value slightly in the "Computers & Office Products" category, while raising it dramatically in the "Art - Sculpture, Carvings" category (as glue as needed).

-RB

Re:Luckily for me, my Ebay'd hard drives are safe

[deranged+unix+nut]

If I remember right, the DoD standard was to erase the file by writing random bits over it 7 times....although that was before some researchers found that you could still read the original data if you had a scanning electron microscope.

Re:Luckily for me, my Ebay'd hard drives are safe

[WiPEOUT]

Not after they've been nuked for 10 seconds in a microwave oven set to "High". Trust me, or better yet, try it :)

Re:Luckily for me, my Ebay'd hard drives are safe

[13Echo]

Besides... Most of the can be "repaired" by just giving them an old fashioned pimp-slap. I'd say that I've "fixed" at least 4 old, stuck drives that way.

Re:Luckily for me, my Ebay'd hard drives are safe

[AlexCV]

Costly? Get two similar HD and swap the PCB. Chances are decent that only the PCB was dead, there ya go all the data and no need to load up some forensic software to read the deleted data since the drive is assumed "dead".

Yes, I have done this and recovered valuable information. Of course, Both drives where mine anyway, but still.

Alex

Re:Luckily for me, my Ebay'd hard drives are safe

[orthogonal]

[OP's hard drives won't be read, he claims] not if i've cracked them open and cum/shit/bled on the platters after perforating them with an awl

Well, in that case, first they'll read your DNA, have uncontestable proof you (or your identical twin) had had possesion of them, and then they'll read your data.

Re:Luckily for me, my Ebay'd hard drives are safe

[packeteer]

Assuming a DNA sample is not old or degraded too much you can tell between identical twins. Twins have the same genes but not the same DNA. Same thing with clones. A clone would not be exactly the same... there are many ways to tell the differance between the two.

Re:Luckily for me, my Ebay'd hard drives are safe

[archen]

Think I'd use killdisk before I leave the company I work for (not that I do anything wrong, but just to make sure they don't dig anything up). It allows for up to 99 passes.

Re:Luckily for me, my Ebay'd hard drives are safe

[akamoe]

Think I'd use killdisk before I leave the company I work for

Or you could use Eraser.

It's free, as a bonus, and it's floppy-based killer uses Gutmann's algorithim to do it's bit.

-- R

Full Article Text

Discarded computer hard drives prove a trove of personal info

JUSTIN POPE, AP Business Writer Wednesday, January 15, 2003

(01-15) 13:17 PST CAMBRIDGE, Mass. (AP) --

So, you think you cleaned all your personal files from that old computer you got rid of?

Two MIT graduate students suggest you think again.

Over two years, Simson Garfinkel and Abhi Shelat bought 158 used hard drives at secondhand computer stores and on eBay. Of the 129 drives that functioned, 69 still had recoverable files on them and 49 contained "significant personal information" -- medical correspondence, love letters, pornography and 5,000 credit card numbers. One even had a year's worth of transactions with account numbers from a cash machine in Illinois.

About 150,000 hard drives were "retired" last year, according to the research firm Gartner Dataquest. Many end up in the trash, but many also find their way back onto the market.

Over the years, stories have surfaced about personal information turning up on used hard drives, raising concerns about privacy and the danger of identity theft.

Last spring, Pennsylvania sold used computers that contained information about state employees. In 1997, a Nevada woman bought a used computer and discovered it contained prescription records on 2,000 customers of an Arizona pharmacy.

Garfinkel and Shelat, who reported their findings in an article to be published Friday in the journal IEEE Security & Privacy, said they believe they are the first to take a more comprehensive -- though not exactly scientific -- look at the problem.

On common operating systems such as Microsoft's Windows, simply deleting a file, or even following that up by emptying the "trash" folder, does not necessarily make the information irretrievable. Those commands generally delete a file's name from the directory. But the information itself can live on until it is overwritten by new files.

Even reformatting a drive, or preparing the hard drive all over again to store files, may not do it. Fifty-one of the 129 working drives in the MIT study had been reformatted, and 19 of them still contained recoverable data.

The hard-to-erase quality of hard drives is seen as a good thing by some. Many users like believing that, in a pinch, an expert could recover their deleted files. Law enforcement officers can examine a computer and lift incriminating e-mails or porno images from the hard drive.

The only sure way to erase a hard drive is to "squeeze" it: writing over the old information with new data -- all zeros, for instance -- at least once, but preferably several times. A one-line command will do that for Unix users, and for others, inexpensive software from companies such as AccessData works well.

But few people go to the trouble. Many ordinary computer users toss their old drives into the closet, or take a sledgehammer to it.

As it turned out, most of the hard drives acquired by the MIT students came from businesses that apparently had a misplaced confidence in their ability to "sanitize" old drives.

Tom Aleman, who heads the analytic and forensic technology group at the accounting firm Deloitte & Touche, often encounters companies that get burned by failing to fully sanitize, say, the laptop of an employee who leaves the company for a job with a competitor.

"People will think they have deleted the file, they can't find the file themselves and that the file is gone when, in fact, forensically you may be able to retrieve it," he said.

Garfinkel has learned his lesson. As an undergrad at MIT in the 1980s, he failed to sanitize his own hard drive before returning a computer to his father. His father was able to read his personal journal.

HD Abuse

[helix400]

I have some fun with my old drives.

Take them outside, and throw them as high into the air as possible. Then watch them land on concrete.

I think that render the drive useless. =)

Re:HD Abuse

[Xeo2]

Take them outside, and throw them as high into the air as possible. Then watch them land on concrete.

I think that render the drive useless. =)


Probably not. Most commercial harddrives are rated for at least 50gs of acceleration. My Deskstar is good for up to 100. You might dent the outer case, but it'll probably still work.

Re:HD Abuse

[davidc]

Take 'em apart and use the magnets as fridge magnets. They hold up an enormous amount of paper, although they do tend to nip one's fingers occasionally :)

Re:HD Abuse

[Pig+Hogger]

My favourite method is to put them down, and run over them with a EMD SD90MAC...

Re:HD Abuse

[mlyle]

Something doesn't have to be going very fast to cause a 50G deceleration. A few feet of drop onto concrete is plenty. That being said, chances are the platters and the data will be fine, even if the mechanism of the drive is screwed up.

For a 25 foot fall with (nearly) no drag, the drive will get up to a speed of 40.0 ft/sec (27.3 MPH). If the drive stops over a 1/8" distance, with -uniform deceleration- (this is pretty generous for a fall onto concrete), this equates to 1600 G's. Halve the distance, and quadruple the force. Decelerate it in a non-uniform fashion (as it realistically would) and you'll get even more spectacular results.

See this review of a hitachi drive. Note that they say a drive designed for a non-operating shock of 800G's can take a fall of -one foot- onto concrete. I destroyed a maxtor by dropping it 3 feet onto carpet in a past life, and I'd suspect it was rated for a non-operating shock of at least 50G's.

I'd love to see you try it with your drive with your valuable data sometime though.

Re:HD Abuse

[ryanvm]

What are they made of? They seem ceramic, not even metal.

My guess would be a glass or ceramic. The first time I opened up a hard drive I assummed the platters were metal because of their reflectivity. After trying to bend one of them and having it shatter into a million pieces in my face, I discovered that they are not.

Data worth more than the computer

[blamanj]

It's long been know that laptop theives are often more interested in the data than the computer.

Some computers sold on eBay are sold for the data.

yes

[Stanley+Feinbaum]

nowadays most companies do not sell used systems anymore.. Since a simple format is not enough to protect sensitive data.

Where I work we generally destroy then throw away the entire computer when we no longer need it, the only thing part we keep is the monitor.

It's the safest way to go!

Re:yes

[silas_moeckel]

That was the Policy at the IBM facility I worked at in the early 90's. I tossed piles of computers into this big ugly compacting trailor once that was done with it I doubt you could recover anything. Funny thing about that is employies took piles of "compacted" parts home with them well I guess if they wanted the data in the first place they could have gotten it anyway in building security was light network wise untill you hit big iron.

Re:yes

[cbuskirk]

Why not remove the hard drive and donate the computer to a local school. Even at a couple of years old the computer is still useful for students and the school would be more than happy to pick up a new hard drive for it.

Gary Glitter

[cornjchob]

If only he had but known...

Re:Gary Glitter

If only he had but known...
... then he could've tipped off Pete Townshend.

scary

It's one thing to make sure you securely wipe any drive of your own you get rid of, but you can't do anything about old drives or paper files that a company or hospital might discard containing sensitive info about you.

Occasionally there are new reports about someone finding a stack of files by a dumpster containing sensitive medical or financial information about a lot of people. The same surely holds true for old drives or computers disposed of by careless companies.

I can relate

[l33t-gu3lph1t3]

Picked 6 or 7 old 4gig HDDs from my father's company a few years ago, found their company credit line information, personal (and some very erotic) email, and a surprisingly large collection of nudie photoshopped Gillian Anderson photos. Oh yeah, and like 100 different (and I must say, very well-done) quake2 "crackwhore" models and skins lol. I love the people who don't clear their HDDs, it's like treasure chests, you never know what you're gonna get.

Re:I can relate

[wideBlueSkies]

Do you have an FTP site for those Quake models?

Re:How many credit cards per hard disk???

[ZzzzSleep]

I think it's much more likely that there were only a few of these retail drives with CC numbers on them, but the ones that did have the numbers on them would have had a shitload of numbers.

Re:How many credit cards per hard disk???

[DAldredge]

They are using the NEW, IMPROVED RIAA/MPAA counting system.

Your old HD is safe.

[missing000]

I can get creditcard numbers faster on kazaa.

Re:Your old HD is safe.

[deranged+unix+nut]

I like the stack of lost floppy disks sitting in the campus lab. One day I started looking through them.

On the third disk I noticed a file named "Moms Credit Card". We can all guess what the file contained.

Fortunately for that poor student, I'm a nice guy and I wiped the disk so that the information wouldn't be abused. However, the next disk contained Frat Party planning meeting minutes that were quite entertaining. (Someone was violating campus alcohol rules.)

Anyway, I stopped looking after the 5th disk, and there were over 500 lost disks in that lab. All of the disks were found withing the last 4 months. If you want to get dirt to use on people, visit a college lab, shuffle through the lost disks, hold onto the information for a few years and then see how much that lost disk is worth to them.

Not so bad.

[Annatar2]

Thats not so bad. My dad happens to be a garbage man and often brings along an occasional system he's scavanged from the dumpsters along his route. Currently I have in my possession an old IBM Aptiva with some guys bank account information on it (He did his checking and stuff with it apparently), but worst of all I have what appears to be an old Gateway tower used to store Medical information for a major hospital in the area my father works. I have over 2 gigs of peoples medical history, including what they were put in the hospital for, insurance information, release dates ect.

I should really do the honost thing and reformat it but its always fun to flip the thing on and just page through stuff.

Re:Not so bad.

[Compuser]

Why reformat it? Contact people on the list,
and if there is a class action suit, then be
a witness.

Re:Not so bad.

A goverment contractor donated some old PowerBook 140/180s to our school and one of them had an unformatted HD. Imagine my suprise when I booted it up and there were documents on there that said something along the lines of "This document has been classified Top Secret by the Department of Defense" at the top of them. I don't know what is more pathetic, the fact that this laptop was allowed to get out with confidential data on it or that it was unencrypted to begin with.

Also that same year, the school councilor retired his trusty quadra 610(?) and he had all the psychological, academic, and disciplinary records on there from 1993 and up on there. No password. No encryption. No attempts to even get rid of data.

A few months back, my brother picked up an old computer for $8 at a garage sale. He wanted me to fix it up for him and get it to do something. I was in for a nasty suprise when I found about 200 MB of gay pr0n jpegs on there.

When I was taking my A+ class at my HS, we were given some old computers from the county office of education to get in working order to give to people who couldn't afford computers. There was a small text file on it that contained passwords for most of the servers in the COE.

You can get quite a bit without even recovering files. People are idiots.

Re:Not so bad.

[MarcQuadra]

LOL! I had the same thing, from an old server at a medical center, giant 2GB SCSI-II drives full of insurance info, dental records, and who knows what else. I tossed the drives after a while because I didn't want the bad karma, but all I had to do was ask for them, they were willfully handed over to me by a doctor when I was 17.

PGP!

[wirelessbuzzers]

PGP (for windows or mac, ie not GPG) has two commands related to this: wipe file and wipe free space. They overwrite the appropriate sectors of the disk with several patterns designed to ensure that no matter what (common) encoding scheme the hard disk uses, every bit will have been set at least once, zeroed at least once, and overwritten with pseudorandom data at least once. If you set in on a lot of passes, it does an even better job. This would be a cheap (free, except for time and bandwidth to download it) way to make sure your sensitive data doesn't get out.

That said, experts would tell you that the only reliable way to make sure sensitive data doesn't get out is to thermite your drive.

Also, what's the one-line unix command (running MacOS X here).

Re:PGP!

[sam+the+lurker]

$ dd if=/dev/zero of=/dev/hda

Note: This is a "Linux-centric" answer to the question since /dev/hda is usually the name give to the first IDE hard drive under Linux.

You may also want to fill the hard drive with (semi)random data.

$ dd if=/dev/urandom of=/dev/hda

If you do this for a couple of weeks you should be fine :)

Re:PGP!

[delta407]

what's the one-line unix command

Easy.

# dd if=/dev/zero of=/dev/hda

...being sure, of course, to make 'hda' the actual drive you want to zero. (You could blank individual partitions by using the appropriate names, of course.) Also, you could use '/dev/urandom' instead to fill your disk with random data.

Ah, the joys of *nix.

Re:PGP!

[jnik]

Also, what's the one-line unix command (running MacOS X here).

for i in 1 2 3 4; dd if=/dev/zero of=filename bs=1 count=filesize; sync; dd if=/dev/random of=filename bs=1 count=filesize; sync; done

Roughly speaking that'll do it. I'm sure there's nice trickery you can do to, say, get the equivalent of /dev/true (opposite of /dev/zero) and get the size from the file, etc. etc. Note the sync's so it actually hits disc rather than buffer. Technically there should be a sleep or two in there in case of a journalled filesystem....

Re:PGP!

[kiolbasa]

Several passes of /dev/random is certainly more secure. Writing a predictable pattern, such as /dev/zero (which, given HD encoding schemes does not actually mean all zero bits on the disk) only gives an attacker a pattern to subtract from the signal on the disk and recover the original data. Writing zero over a one looks different than writing a zero over a zero when you look at the disk on a low-level.

Re:PGP!

[bourne]

PGP (for windows or mac, ie not GPG) has two commands related to this: wipe file and wipe free space.

And for those wishing for only mid-grade free space wiping, check out "cipher" which comes with Win XP and Win2K SP3. 'cipher /w:c:' will wipe all the free space on c: with 0s, then with 1s, then with random data.

I have mine cron'ned - er, "Task Scheduled" - to run several times a week, just to keep things on the sanitary side. You never know when the layoffs will leave you wondering who is looking at your old hard drive.

On par for Ebay..

[nolife]

bought 158 used hard drives at secondhand computer stores and on eBay. Of the 129 drives that functioned

Everyone knows that HD's contain data.. I would be more impressed if they broke down the numbers of where the BAD drives came from. That would make a much more informative story. I've bought as-is before in person but never online.

Old news or not...

[Ironica]

People still don't get it. My old boss wondered why I was "wasting my time" doing stuff like writing all zeros to drives of computers we were giving to charity. "I only told you to format them!"

I tried to explain the concept to her, but for an IT manager, she was woefully bad at technology.

Actually, come to think of it, she was about average...

start an extortion & blackmail company..

[netnerd.caffinated]

or do like this guy did...
icanstilltellyourwifebill.com
he brought a hard drive, found all this cool stuff on it.. & put it to DVD for the masses

Re:start an extortion & blackmail company..

[gribbly]

*sigh*

From the terms of use page on this site:

"Please note, the content of this interactive movie, including characters and any and all elements, hereof, is entirely fictional, and is not based upon any actual individual or of any other legal entity"

grib.

Speaking of data recovery

[bdigit]

Anyone happen to know any share/freeware programs out there for Windows 2k that will recover deleted files. I am intrested in running it on my computer to actually see what I can recover and see how well PGP's disk wipe function works.

Re:Speaking of data recovery

[saur0n]

Try "Undelete 3.0" for Windows XP/NT/2000. It's freeware (and in English) if you're a home user.. :]

Re:Speaking of data recovery

[wirelessbuzzers]

I am intrested in running it on my computer to actually see what I can recover and see how well PGP's disk wipe function works.

Even a non-PGP disk wipe (eg zeroing) should make it impossible to recover in software, unless there were fragments of the data outside its file (eg in swap). What the PGP wipe function does is make it harder for EE departments/major labs/G-men to recover your data by looking for signatures of what was there before. This cannot be done by zeroing it. In fact, if the stuff you're deleting is really important, the only perfect way to remove it from the drive is with thermite (or C4, or acid, or...)

Re:Speaking of data recovery

[saur0n]

Oops, forgot to put a link. http://www.oosoft.de/english/products/ooue/index.h tml

Re:How many credit cards per hard disk???

[LostCluster]

Sounds like one of the drives belonged to a business that left something like QuickBooks on their drive, and that accounts 98% of the card numbers found, with there being one or two on each of the remaining drives.

This isn't exactly news...

[japhar81]

But the CC info bothers me. Presumably, this is a corporate drive that got resold (Unless you know of 170 ppl with 25 credit cards a piece, in which case it's time to re-evaluate the financial system in this country).

Personally, I have a standing policy in my department to take apart every HDD, take a magnet to each platter, and send the platters to Iron Mountain for destruction. Then again, we deal with large financial institutions, so we have to be extreme and obsessive-compulsive, which brings me to my actual point;

This stuff should be regulated. If you store personal info on an HDD for business purposes, you should have a legal responsibility (i.e. one that comes with repricussions if not met) to ensure that even after a drive is retired, the data is safe.

Just my $.02

Shouldn't the title be...

[NoMoreNicksLeft]

Data Fishing? I mean, you never know if you'll catch anything.

You don't need any external software!

[ObviousGuy]

Right inside your Recycle Bin there's the option to recover any program that you've deleted.

It's like magic!

Re:You don't need any external software!

[wirelessbuzzers]

Parent is troll, but I'll bite:

grep --binary-files=text -A 500 -B 500 "A phrase from my paper" < /dev/hd0

Used this the other day to save (most) a termpaper for someone in my dorm.

CIA

[Eric_Cartman_South_P]

Thinking back to a Discovery channel show on the CIA, they dispose of hard drives with a good data wipe then they drill holes in them. Drives that held Super Top-Secret stuff (MS source code?) also got burned in a furnace. All of this on-site.

In regards to Wiping data, do yourself a favor and check out http://www.heidi.ie/eraser/

Beyond the wonderfull wiping the program does, there is the option to make an emergency boot floppy that wipes the HD with DOD style 7-pass or a GutherSomething 36 pass! Niffty for the paranoid.

we destroyed our harddrives right

[haa...jesus+christ]

my old company had the best method for destroying our sensitive data (like the gig of porn some asshat left on the XML server) - leave them in the old building! god bless those terrorists and their whacky flight skills.

btw, has anyone seen my old ti calculator? it was on the 21st floor of two.

Re:we destroyed our harddrives right

[b1t+r0t]

Nothing beats the companies who decided that a great site for their "offsite backups" was in the other tower.

Unfortunate

[Kourino]

Since the only thing that's going to retain data is the hard drive ... what a waste. Come on, companies should sell the rest of the computer! Where do you think poor college students are going to get their "used to be high end hardware half a decade a go" supplies, huh? ;_;

I mean, I agree, don't let the drive itself slip out, but ...

Re:How many credit cards per hard disk???

[Jason1729]

Among the data found on the 158 drives were 5,000 credit-card numbers

The RIAA/MPAA system recognizes that each digit is a number taken by itself. Since credit cards have 16 digit numbers, 31 numbers/person sounds about right, it's an average of just under 2 cards/person.

Jason
ProfQuotes

Re:This is news?

[yellowstone]

Welcome to 1979 [...] a 50MB external Sun SCSI enclosure [...] hooked it up to my Linux box,

Sun Microsystems was founded in 1982. And Linus didn't start Linux until 1991. What year was that again?

Above average.

[NoMoreNicksLeft]

Most of mine never knew what "format" was...

Your wayback machine is broken

1979? I was there, home skillet.

50 MB? Try 5 MB.
SCSI? Not in production.
Sun? Sure...
Linux? Try CP/M.
hexedit? Try debug.
Asian Students? First wave Vietnamese refugees, maybe.
E-mails? If you were working on ARPA.
Porn? Maybe PG rated adventure games...

Tax dollars at work? In 1979, we had to walk
10 miles up hill (both ways) to pay our taxes, and they only accepted krugerrands and virgins without
herpes, both of which were in even shorter supply
and higher demand than they are now.

I sledge them!

[callipygian-showsyst]

We go through a large # of computers a year, and I try to donate the carcass, or at least make sure it's recycled properly. (Charitable organizations, unless specially equipped to handle PCs, are wary of junk computer donations.)

However, I *always* remove the hard disk drive, disassemble it, and give it the sledge hammer treatment. I just don't have the time to get them running again, and write the erase patterns to every track and sector.

Maybe if there's ever a good, transparent, drive-level PGP available, I'll rethink this strategy, but until then, I put on the safety glasses and hammer away, after opening the drive case to expose the platters.

Here's a sugesstion to drive manufacturers--make a convention where if certain pins on the IDE connector are jumpered together, and the drive powered up, it will do a low-level format automatically. Then I might choose to erase the disks, so long as I didn't have to hook them up to a computer and run a program.

Re:I sledge them!

[jasonditz]

Speaking of this, whatever happened to the BIOS lowlevel format option? My old Laser 386 allowed you to lowlevel format any of the harddrives through CMOS setup... it would seem like that's a pretty simple feature to add, and plenty useful.

Re:I sledge them!

[flonker]

Back in the good old days, low level format actually did something. It rewrote the tracks and sectors on the platters. Nowadays, with high data density and whatnot, it's much more difficult to write the tracks and sectors, and special machinery is used to do so. The standard head isn't able to get enough accuracy.

A lesson is "fully sanitizing your drive"

[cscx]

Always use one of these when installing a hard drive. That's sure to keep it sanitary.

RTFA

[commodoresloat]

If you read the article you'll notice that many of the drives belonged to businesses; the CC#s were probably in customer lists. Now why was the parent modded "+5 insightful" rather than "-1 didn't RTFA"?

Re:RTFA

[ehiris]

Because most likely nobody else read it.
Are you surprised?

Re:Oh, man. Hear it comes.

[bsharitt]

I once got a 286 from my school, that they had gotten from Redstone Arsenal. The hard drive wasn't even erased on it. There wasn't any important information, most stuff contracts regarding missile building contracts. There were some that had stickers on them say they were cleared for processing classified material, but their hard drives were empty. Maybe I should take a second look at those drives, the military may not have known how to completely erase them back then. I've probably already said to much.

Wait, were did those black helicopter come from? Uh oh.

Re:This is news?

[unicron]

What's sad is he didn't even HAVE to post a date, just say "there was this time".

Homer: An F turns into a B so easily, you just got greedy.

Re:This is news?

[Anonvmous+Coward]

"Sun Microsystems was founded in 1982. And Linus didn't start Linux until 1991. What year was that again"

-1, Bullshit? Heh.

This is why I always mark my used drives...

[achurch]

"Out Of Order".

I just shoot mine.

I dont bother sanitizing them, squeezing or anything else. I just shoot them.

They're great target practice when set up at 50 yards. Plus, they're rendered more or less ultra-highly unreadable, with half the platters coated in vaporized lead spall, and then with the platters dramatically warped, penetrated, stretched and shattered. Many areas are complete and totally lost, the ones that arent, would require precise magnetic microscopy to observe the actual state.

These pictures were of a seagate 40mb eide, splashed with a 158grn jacketed hollowpoint in .357 magnum, after being accelerated to about 1700 fps from a Marlin 1894C lever-action carbine.

Re:I just shoot mine.

Guns don't kill hard drives. People kill hard drives.

It's not just hard drives

[b1t+r0t]

A few years back I found some backup cartridge tapes (the big 4x6 kind) and a couple of tape drives at a Goodwill store. While there wasn't anything particularly useful on it, I could tell that it was the shell account machine used by half a dozen or so Ingres developers.

No database code or data, just typical home directories and stuff. And they were running SCO, but boot blocks and stuff don't generally get written to tapes, so no chance of warezzing from it.

I also snag SCSI hard drives and SyQuest cartridges when they show up for five bucks or less at thrift stores, since most of that is Mac stuff and I'm a Mac-head.

Once I got a 6100 at a thrift store. I presume the owner stopped using it when the PRAM battery died. (When a 6100's PRAM battery dies, the video settings go with it, and unless you're using a fixed-frequency monitor, you get no video unless you hold down command-option-P-R. Looks like real bad a hardware problem when it's just the battery.) I could tell it was used by some college guy, studying to be a lawyer, I think.

"Thrift store hard drives are like a box of chocolates... you never know what you'll find!"

Re:Oh, man. Hear it comes.

[QuaZar666]

Now days the dod drills a hole through the platter on drives that are bad that have to be RMA'd and have contracts so all they have to return is the top of the drive with the label. as for drives they no longer need i do not know. im guessing they write 0 and 1 patterns on the drive 7+ times. (even then data recovery services could recover it)

Not so fast my friend.

[BoomerSooner]

You can move the platters to another drive mechanism and read the data in that manner. There have been several articles on this very topic (for those who don't have data that is so critical it's worth $1000s to recover but it's still worth a shot).

I'd look them up but it's willy's time from 6-6:30.

Who's Bill?

[Robber+Baron]

I have a sneaking suspicion but...

Whoa! That's one pissed off female!

Re:Oh, man. Hear it comes.

[TheOnlyCoolTim]

I have heard that the DOD way of "sanitizing" a hard drive is to open it up and dissolve the platters in acid.

Tim

this is also a problem for warranty.

[Unknown+Poltroon]

I have had 2 drives fail well within the warranty period, and did not return them for just this reason.

Re:this is also a problem for warranty.

[Cyberdyne]

I have had 2 drives fail well within the warranty period, and did not return them for just this reason.

This is a big problem for DoD-type datacenters; for non-classified (as in "this stuff shouldn't get out") stuff, they open the disk up, sand-blast the platters to remove the magnetic material, then return the carcass to the manufacturer for a warranty claim. For the really secret stuff (as in "people will die if this stuff gets out"), they just destroy the disk completely, then buy a new drive.

Of course, if you kept all the data on the disk encrypted, you'd be fairly safe, but once you're making a warranty claim, the disk probably isn't working well enough for you to wipe using 'dd'...

Speaking of 'dd': Beware of sector remapping. Any sectors on the disk which the firmware has marked 'bad' won't be touched by any user-level command - and those 'bad' sectors could still be recovered if they open the disk up. For most people, 'leaking' a couple of sectors wouldn't be the end of the world, but for (say) VISA's customer records, there are probably a couple of valid CC numbers and other info in those sectors...

Data on Drives

[sparkhead]

Was it Pete Townshend's drive?

Re:All Saddam's email are belong to us!

[hazem]

When I was in the army, we decommissioned a whole bunch of those old hard-drives with 8" platters. We took them apart, removed each platter and and used a belt sander to destroy the surfaces. The sanded platters were then sent to a facility on base that would melt them down.

The bodies of the drives were mostly magnesium, and I came away with about $250 from the scrap metal dealer.

Of course, who knows what I breathed by sanding those platters...

Scary Thought

[Sayten241]

So even if I take all the steps necessary to make sure my data is safe on my computer, odds there is a business throwing away hardrives that have my data on them without properly removing all the data? Wow, I can't believe this isn't a hotter topic. I also wonder how this affects certain websites privacy statements. Sure, they don't give your information away intentionally, but they may give away a harddrive full of personal data without even realizing it.

That's fake, bud

See
http://www.videopremiereawards.com/HTMLNews/News IC anStillTell.html

Re:How many credit cards per hard disk???

[stellar7]

In RIAA terms it'd be more like 156 credit card numbers were found, but since some of them had high limits, it was the equivalent of 5000 credit cards.

a few minutes with tomsrtbt

[g4dget]

Erasing your disks before selling your PC is easy:

• Get out your favorite Linux installer CD or download a copy of Tom's RTBT and write it to floppy or CD-R.
• Boot from the floppy or CD.
• Log in as root.
• Run dd if=/dev/zero of=/dev/hda to erase the master drive on the primary IDE controller (/dev/hdb etc. for the remaining disks)

That's all. It erases all the blocks normally accessible by the disk controller and is probably safe enough for most people. Bad blocks that have been replaced may still contain a little bit of data, and inter-track data may be recoverable by analog means.

Re:$1000s to recover?!?

You could always charge it to all the credit card numbers you get.

This does not surprise me at all.

Now for or something really scary.
I run a computer shop in the southeastern United States, much of my work involves the local school systems.
Several years ago (Long before 9-11) a local school received a donation of several pallets of computers, monitors, printers, and other equipment from a local military installation. The donation was properly processed through the Defense Reutilization and Marketing Service (DRMS) and should have been cleared of any sensitive materiel.
I was contracted by the school to take the entire load and build as many working systems as I could out of the parts. As I begin to put systems together and power them up I was staggered by the fact that at least half of the hard drives were FULLY intact and no attempt at all had been made to remove sensitive data.
I of course had to take a closer look. Much of the data concerned simple day to day non-sensitive routine base operations (I am x-military so much of it was familiar to me). HOWEVER on one of the intact drives I found something that KNOCKED MY SOCKS OFF! Setting there on that hard drive spinning on my work bench was pile of data concerning the moving of NUCLEAR weapons and other nuclear materials and conventional weapons around the United States. The data contained information such as routes, schedules, manifests, and duty rosters. I WAS DUMBSTRUCK. How could this have happened? This drive should never have left a controlled area, EVER, it should have been destroyed. This was inexcusable!
Of course in a situation such as this all manner of thoughts go though your head. Thoughts such as; What kind of damage could a enemy of the U.S. do with this data. What would this data be worth to someone unethically inclined. If they knew I saw this data they would probably lock me up and throw away the key just for good measure, and of course WHAT SHOULD I DO WITH THIS DATA?
In the end I destroyed the hard drive and the data it contained and kept my mouth shut. That has been at least 8 or 9 years ago and until this day I have never told anyone and thank God that due to the passage of time I have forgotten most of the particulars of the data I saw.

shred(1) will securely delete files

[jrstewart]

It's not enough to write 0's to remove traces of a file. Writing random patterns is much better and for older drives you can even do better than random (i.e. more erasing in less passes). The shred(1) command from the GNU fileutils will take care of this for you in Unix-alikes.

http://btr0xw.rz.uni-bayreuth.de/cgi-bin/manpage s/ shred/1

See also http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_ del.html for an informative paper about the details of how secure deletion works.

Re:shred(1) will securely delete files

[jbrandon]

Most recent GNU/Linux distros use Ext3, so shred won't work:

$ man shred

[snip]

CAUTION: Note that shred relies on a very important assumption: that the filesystem overwrites data in place. This is the traditional way to do things, but many modern filesystem designs do not satisfy this assumption. The following are examples of filesystems on which shred is not effective:

* log-structured or journaled filesystems, such as those supplied with AIX and Solaris (and JFS, ReiserFS, XFS, Ext3, etc.)

[snip]

Re:shred(1) will securely delete files

[juhaz]

Why would I want to do it several times?

If someone is willing to toss millions of dollars into getting something out of my only-once-overwritten drive, then they are perfectly welcome to do so.

Indeed, if someone is willing to give out that kind of money, they are welcome to give it to me and I give them that drive in perfect working order and all data fully readable without special tools!

FYI: HOWTO: Secure HD for Donation or Disposal.

[dameron]

Backup all important data to both magnetic and optical media (another HD/tape -and- cd/dvd).

Re-format HD using the NTFS file system if the drive is larger than 2 GB, otherwise install NT Server from the earliest available service pack.

Install Windows NT 4 Server, apply service patch 6. Make sure you use a meaningless administrator password.

Upgrade MS Internet Information Server to version 4.0 from NT Option Pack. Create a default web site using the following as the index page (*.htm, *.html, *.shtml):

Why are Chinese, Dutch, German, and Russian Hackers So Homosexual?"

Chinese, hackers, IIS rules, Counterstrike, Dutch, mothers, US ALL THE WAY, Germany sucks, script kiddie, porn, pr0n, disable X10 ads, warez, firewall, Bill Clinton, rar, zip, romz, roms, direct downloads, Long Live Pakistan, How do I secure III?, index of, Ronald Reagan Library

Boot the HD in a computer with an internet connection.

Wait about four days.

Repeat the process three times.

Reformat the drive.

Donate/Discard.

Hey, at least it won't have -YOUR- important data on it.

-dameron

What about RAM?

[n3rd]

At a former employer who will remain nameless they had secure areas. To get in you needed a clearance and if you didn't have a full government clearance all of the people in there would power off their boxes until you left. You were also constantly watched and doing sysadmin stuff in there was an adventure because they could do whatever they wanted since they weren't hooked up to the regular network.

When they moved some of these labs all of the equipment was shrinkwrapped and escorted to the new location to prevent tampering while in transit.

I think I had something to say. Oh yeah. Ok, when hard drives and backup tapes got old they had to format them X number of times (I forgot the exact number), then physically smash them and then burn the remains. All in a secure manner (ie: not taking them to the local Springfile Tire Fire).

Anywho, a friend of mine had to replace RAM from one of their Suns, and I went with him. They let us leave with the RAM and didn't think twice about it. 2 or 3 minutes after we left my friend realized he may be able to take the RAM and actually read the data off of it somehow, assuming it was still saved.

Perhaps this could be applied to other things including external processor caches and VRAM as well.

The proper way

[nightsweat]

Idiots!

Everyone knows you must write zeros over old drives 137 times, then bulk erase them then dip them in acid, smash them to teeny tiny bits, incorporate those bits into construction concrete for buildings on three separate continents and only then your data will be safely gone.

Though there is this one data recovery firm in Wisconsin that can get data off the drive even after all that...

Random Bit Overwrite

[akamoe]

US DoD Spec: 3 passes
German DoD Spec: 7 passes

(from http://www.ontrack.com/library/dataeraser.pdf)

-- R

Re:Random Bit Overwrite

[jareds]

A hard drive is not an abstract mathematical entity. A 0 written over a 0 is magnetically distinguishable from a 0 written over a 1.

Re:Random Bit Overwrite

[MillionthMonkey]

Can anyone tell my why there has to be numerous random-bit passes when one could do something like this:
dd if=/dev/zero of=/dev/hda bs=512
What's wrong with just zeroing out the drive once?

Say the child porn file has a one bit and a zero bit. You overwrite it with two zero bits. The magnetic domains where the one bit was are presumably weaker or smaller because they were flipped, not reinforced like the zero bit domains. Of course the drive's read head itself won't be useful for extracting this information, because it's only designed to determine the last bit written by the write head- a binary zero/one determination. But with special equipment you can measure domain strengths carefully, and pull more information than a single bit out of them. You can tell which domains were flipped by the zero-out process and which were reinforced. (Of course this is a simplification because each bit is composed of multiple domains.)

So there are a few trivially obvious considerations when writing an erasing program-

-Don't write zeroes, write ones and zeroes.
-Go in more than one pass. A single pass leaves the bits in 4 possible states- (0,0), (0,1), (1,0), and (1,1) (where (c,r) are the child-porn and random-overwrite bits, respectively). An attacker can in theory tell all four states apart by close physical examination, so he knows c. Two passes (c,r1,r2) leaves 8 possible states- (0,0,0), (0,0,1), (0,1,0), (0,1,1), (1,0,0), (1,0,1), (1,1,0), and (1,1,1). Now the attacker's equipment needs more than twice as much precision, because some of them, like (0,0,1) and (1,0,1), are starting to look physically similar. 10 passes leaves 1024 possible domain states, many of which are indistinguishable.
-Writing zeroes over the file ten times is much better than writing zeroes over it once, but still leaves it in one of only four possible states. (Which are admittedly harder to tell apart, but you never know.)
-Do not allow the content of the file you're erasing to influence your decision of what bits to overwrite it with. You avoid a whole class of problems this way.
-Be aware that when you are writing random numbers, you are actually encrypting, not erasing, the file. The seed you used for your random number generator becomes a key for decrypting the file (given special equipment).
-You want to prevent the attacker from knowing what bits you wrote and in what order you wrote them. You will favor erasure over encryption if you can continually introduce entropy into the process. But entropy is scarce in most software environments. The variations in the timings of the drive's mechanical movements, ping responses from remote servers, mouse movements, and keypresses are well-known sources.
-Don't use a lousy random number generator. There are many ways for a random number generator to be bad. The simplest type produces numbers where n-tuples fall on a regular lattice when plotted in n dimensions. Generators like that are used a lot in scientific and graphics applications, but have no business being in security applications. If an attacker gains access to a few of the numbers in the generator's sequence, he can predict the rest of the sequence. They also loop after generating 2^N numbers.
-If applying this process to a single file, hide the size of the file.
-Ideally you should hide all traces of the file's existence. This means clean up after yourself by writing zeroes in the last several passes, so that even the domain randomness is physically removed (its presence implies that something was erased).

Re:Random Bit Overwrite

[numark]

And then you got Guttman deletion, which uses 35 passes, each of which, when combined together, basically flips the bits so much that the data is really unrecoverable. It's even designed to get around caching and the various encoding standards for hard drives.

Use encryption such as Linux Crypto API

[Tracy+Reed]

Because I pretty much run my life by computer I end up with all kinds of info on my computer. And it is for this reason that I use the Linux Crypto API (formerly the international kernel patch). I have an encrypted volume (a big file which gets mounted on loopback fs) on my machine where I keep any sensitive information including all of my email once it has been read. Every so often I mount it, copy the stuff in, and unmount it. It works great and is so easy to use that I actually use it. The only chance someone has of catching sensitive information is if they get it before I copy it into the encrypted volume (passwords, keys, company private data, etc. all go straight in) or if they can somehow recover it from the raw device from when it was written in cleartext. My disk has enough activity and accidentally fills up often enough that I'm not too worried. It's not like I'm protecting national secrets or anything.

That Rarely Works Any More

At today's densities, all drives have many many bad sectors that are mapped out in a sector translation ROM on the drive's logic board and no two are the same. Swap boards and it's almost always lights out. I guess you could swap the ROM if you can identify it and have the right surface mount rework tools.

Re:That Rarely Works Any More

[Nogami_Saeko]

That's another good point that this article doesn't mention:

If you have a HD that has sectors that go bad, many HDs (or operating systems) will mark the block as bad and off-limits so it doesn't get used any more.

This of course poses a problem with most "erase" type programs, as there may not be a way that the eraser can override either the operating system "bad block" mark, or the drive's "bad block" internal mapping.

If something critical happens to be in a block marked bad on the HD, there may not be any way to securely erase it 100% via software and you'd need to destroy it physically.

Re:That Rarely Works Any More

[packeteer]

The process of locating bad sectors is done dynamically. Bad sectors just appear after manufacturing and all kinds of things happen before it gets to you. A modern drive is made with "extra" space where it translated bad sectors to so that you dont feel conned by losing data space. Personally i would rather have that extra space and deal with the bad sectors since not all of the "extra" space is taken BUT because of the marketing of hard drives i wont ever get to see that happen.

multiple writes

[Forgotten]

There doesn't seem to be much point in overwriting more than once with the same zero pattern (the article makes this mistake too, though the original authors probably don't). There are really two levels of sophistication we're hoping to elude here:

a) People using the drive's own interface to retrieve "deleted" data
b) People doing direct signal analysis of the magnetic media to find successive generations of overwritten data

Once you've overwritten the disk once (whether with dd, a real SCSI low-level format, or some other means), you're in regime (b). Assuming you're paranoid and/or justifiably concerned enough to bother with repeated writes, using the same bit pattern does little - and zeroing is especially non-optimal, from what I've read. Random bit patterns seem a likely candidate, but randomness is actually particularly easy to divine in a signal.

People have experimented with instead writing various repetitions of constant strings with good success, but what might be ideal is a chaotic pattern that approximates the look of the expected data without divulging anything real (interesting thought - perhaps this is what some of the porn they found was for!). Write that a few times and you have a honeypot that might mislead a naive investigator into thinking there's nothing more to be found - but even this is difficult because the "freshness" of the bit patterns can be determined by their relative signal strength, and you can't simulate age using the default write current no matter how many new patterns you lay on. You can only hope you've made the old, real data so faint that it disappears into the background noise. Since there's no real way to guarantee this, people with real secrets to hide have to physically destroy the media. So much for reduce, reuse, recycle. ;)

The technique of extracting the data is akin to the work of deep-sky astronomers, military listening posts, or even sedimentary archaeology. It's quite an interesting problem, as is making the data unrecognisable. The parallel with copy-protection is obvious, and the outcome is the same - an escalating war of technique between intrigued hackers, where the party acting later in time (the deprotector / signal analyst) always has an advantage.

As an aside, when using dd to copy large amounts of data to disk you can often speed things up immensely by tailoring the (output) block size to the destination device.

This is NOT Data Mining!

[Commykilla]

Data Mining is NOT the process of recovering or otherwise retrieving data. Data Mining is the process of discovering knowledge through data that has already been obtained (usually through statistical and/or AI techniques). I.e., data retrieval/collection is a prerequisite for Data Mining.

GNU shred is your friend

[fo0bar]

I'm going to be sending a company HD to Dell to RMA since it's starting to fail (stupid IBM DeskStar 60GB drives)... From what I've heard (and contrary to a few other posts in this story), it is still possible to retrieve some data from a hard drive where you've done "dd if=/dev/zero of=/dev/hda" (I still don't get how, but I err on the side of caution).

Enter GNU shred. Its default operation does 25 passes at the drive, with passes such as random data, random patterns and all zeros. Theoretically, the drive has been overwritten so many times that there is almost no chance of recovering data.

Of course, just to play it safe I'll also run it across my stereo speakers a few times too :)

Secure deletion

There is no substitute for destruction, but if you want to re-sell, use:

Autoclave

Autoclave is a boot disk w/ a Linux distro that will securely delete on five levels:

Zero fill
One random pass
3 binary overwrite passes
10 passes, some structured
25 structured passes

For *true* secure deletion. Policy at the University of Washington requires level 3 at least. Of course, I've bought some UW surplus computers with still-functioning Win98 on the drives...

This is not data mining

[rev063]

Data mining is statistical analysis of structured or unstructured data to discover unknown relationships.

At best, this is voyeurism. At worst, it's espionage.

Interesting reaction on hard drive wiping

Last year, my employer of 12 years went out of business. The company was secretly being run improperly for quite a while and the owner closed the doors the same day he found out about the mismanagement.

Being the IT director, I helped the owner, my friend, with the office computers. I planned on wiping all the hard drives and I informed the owner of my plan. He agreed that it was a good idea.

From the next three months, watching the bankruptcy process unfold, I got questioned left and right as to why I wiped the data. The accountants wanted to know why...the lawyers wanted to know why...the liquidators wanted to know why...the court wanted to know why. I understand that a system with an installed OS is more valuable than one that has been wiped clean(the data had been backed up so there was no question of whether data had been destroyed) but this should not be unusual. Nobody asking me these questions were newbies--their jobs involved dealing with bankrupt companies and it was as if they had never seen this before!

Simson Garfinkel

[andy@petdance.com]

It's not as if it's just any "[t]wo MIT grad students". Garfinkel has written more than a handful of security books over the years.

How do I destroy an HD?

[HeyBob!]

I just wait for my warantee to run out - it becomes unreable shortly thereafter!

Some info found on Hard Drives .... interesting

[adzoox]

I once found out crucial recruiting info for a university sports team. Ended up there were recruiting violations and I could have ruined the athletic department with the evidence on the laptop I had. But technically, I "wasn't suppose to have seen that" - Also, it is illegal to view "known" private data. Even if in one's possesion. I think these "lookers" in this story should be prosecuted. They give people like myself who buy surplus a bad name and cause problems with buying surplus as MOST items require original hard drive data to function.

Better options than dd

[alansz]

Actually, using dd from /dev/zero is not a highly secure way to wipe a drive (though it's a lot better than nothing!)

For stuff like medical data, financial data, etc., I'd seriously consider looking into wipe instead, which uses Peter Gutman's patterns.

A more humorous case of this...

[rawshark]

http://www.craigslist.org/about/best/2822956.html

I built a time capsule!

[IGnatius+T+Foobar]

Last summer I was building a two foot high poured-concrete wall ... extending one, actually, at the edge of my patio, where a big oak tree had been taken down. Well, I poured the concrete in and it turned out that I hadn't bought enough.

So I went down into the basement and pulled out all the old computer crap I could find -- old hard disk drives, AOL CD's, ISA boards of various types, etc. and just threw them into the cement mix until the level rose to where I wanted the wall to be.

Perhaps someday after I die (or move) someone will dismantle that wall. When they do, they'll unearth some hard disk drives, complete with a 1997 or 1998 vintage of Red Hat Linux and other software of the time.

A hammer may not be enough!

[dragonsister]

Depending how much someone is out to get you.

There was a quote somewhere saying that a heap of data could be recovered from even a square millimetre of hard disk platter.

So let's have a think about the maths. I don't know what the physical interior of a hard disk is like, but the exterior is in the vicinity of 10cm (4in) across. If the platter were square, that'd be 100*100 square millimetres. (It'd be round, so the actual number would be about 25% smaller.) Suppose we were talking about a 40gig disk. That's 4 meg per square millimeter.

Now if hard disks were made up of lots of layers, say 1000 of them, that's still 4K per square millimeter per layer, and you've got one hell of a pulverising job ahead of you!

There's good reason why high-security areas go through their elaborate sequences of electronic shredding (multiple data overwrites), physical shredding (makes the hammer look weak) and thermodynamic shredding (I daresay *someone* can get data off a hard-disk after you've treated it with thermite!)

Rachel

Book and Nuke

[scubacuda]

Use Boot and Nuke.

Burn the ISO, boot to the CD, then wait a *really* fucking long time for it to scamblefuck the drive. (You can also use a floppy disk...but nowawayd why use something that a magnet could possibly fuck?)

(I have no idea whether or not this is military-grade. Can anyone comment? And if not, provide something *better*?)

Re:Oh, man. Hear it comes.

[chewedtoothpick]

Magnetic Speperator...

I have one, honest to god..

It literally removes the magnetic code/signatures from the HDD. I used to work at a data recovery shop (yes one with static room where we physically remove the data etc...) and even we couldn't recover anything off a HDD that has been passed through one...

The only bummer is they draw lots of amperage on a 220... (meaning they literally dim the lights even on my very well powered home...)

The NSA/DOD/Whatever probably uses these when they erase a HDD for redistro/etc...

Similar story

[Monkelectric]

Ok, this is offtopic because it doesn't really involve undeleting, so mod me off topic if you want, but its still a good story.

When I was 14 or 15 (long ago), I took a trip with my friend to visit his father and step mother for the day. We would have to help his father in his print shop for the day, but my friend promised in return we would be able to sneak access to his dads porn collection.

After we ended up working in his dads shop all day, we had dinner, went to his dads house, and his dad left us alone with his computers to play games on. We had brought a palette of 100 disks to hopefully sneak our porn home on, so we began copying all those pcx and gif files onto disks as fast as we could. We couldn't risk looking at them for fear of being caught. It wasn't that unusual to have a huge pile of disks because that was how things got copied in the olden days, his dad thought we were copying some of his games.

Low and behold, we fill all 100 disks with porn (an incredible stash in like 90 or 91). We go home for the evening to each of our houses, divide up the stash, and we both head straight to the computer to um, count our booty.

I get home, pop the first disk into the computer, and just about then I get a phone call -- its my friend, he says "dude, don't look at the pics, trust me." But he's piqued my interest so I have to. I load one up and what do I see? A big juicy cock. We had copied his dads gay porn stash.

Uses for your destroyed drive

[Brad1138]

I disassemble my old drives. The Magnet makes one hell of a good Refrigerator magnet and the discs make good pocket mirrors for wife or frisbies for kids.

Here's a question:

[nightherper]

Say you are working on an uber secret project (or miltary plans or viewing gay pr0n) and the "men in black" come running in your house. Assuming you are more than 5 seconds away from being on the floor with a knee on your neck, how would you keep intruders from getting your data? (Or looking at what you were viewing, you sick freak)

Some sort of explosive device on a trigger next to your mouse?
A shotgun blast? (Hoping you hit the drives and don't get shot...)
Fast acting fantasy software to write random data 144 times over the disk in mere milliseconds?

Re:Here's a question:

[dmaxwell]

Assuming that you have at least a few seconds to react when they come knocking then planning takes care of a lot of this. The system in question which I'll I call the Naughty Super Secret System or NSSS for short needs to be specially configured. It should have no swap files or swap partitions of any sort. The /tmp directory or any equivalent should be a ramdisk formatted with an encrypted filesystem. Any permanent datastores should also be on encrypted filesystems. The best part is that the NSSS also has a "panic script" thats triggered with a hotkey combination. There will be no time to actually type a command. The panic script will lock the terminal, unmount any ramdisks, change the filesystem password to a random collection of characters if possible and clobber the control structures of the encrypted filesystems with random data (superblocks, fat tables, etc). This is not a lot of data and won't need more than a few seconds to royally bollix. Actually, random data sprayed across an encrypted filesystem will do far more damage than a conventional filesystem. If the clobber script has enough time to hit those control structures with seven passes it should then spray random bytes across the remainder of the partition as long as it's permitted to run. In any case, the clobber script will run until some quick thinking MIB pulls the power cord. That can be made a pisser as well. Remove any obvious way to quickly power off the machine and make it necessary to spend a few more seconds getting at the power cord or UPS. Hmmmm....how's this? Put the UPS inside the machine and rig the physical power switch well inside the case. The machine can be powered up or down by sticking a screwdriver into a hole to operate the switch. LOL, put lots of extra screws in the case too.... That should buy more than enougn time for the panic script to do it's work.

I suppose what remains of those filesystems will be subject to cryptanalyis but it should be a bit more difficult at least. The only other option would be coming up with something to physically destroy the hard drive in a hurry that won't physically destroy the operator as well.
I like the idea of digging a fire pit in the basement and having the system rigged to be burned by a panic trigger. The shotgun would work too but it needs to be permanently mounted on the machine. You won't have time to aim. You'll be lucky if you have time to reach over and pull the trigger.

In all though, if the MIBs bust your door down you have much larger problems than what they are going to find on your computer.

Re:Oh, man. Hear it comes.

[rela]

Don't forget degaussing. Someone is going to have to make the obligatory link to Secure Deletion of Data from Magnetic and Solid-State Memory, so there it is.

shit i pull the platters

[Sir+Spank-o-tron]

I've had to RMA a drive (Seagate, I think) that had all our magic encryption keys. So I opened it, pulled the platters, and sent it in.

They didn't say a damned thing, and sent us a new drive. Each of the engineers took a platter and did away with it. No problem!

You don't really want none of this...

[Mulletproof]

Unfortunately, I suspect you're gonna have an unplesant time getting your hard drive to that state...

I guess you really SHOULDN'T sell anything on eBay

[saskboy]

This only goes to prove that selling on eBay comes with certain unavoidable risks. You never know who your buyer is going to be...

It could be some smart ass college kid who is going to get your old porn collection you thought was lost.

Shoot a drive while it is spinning?

Has anybody tried applying +12&+5VDC to an old hard drive, allow it to spin up to full operating speed (pref. 15KRPM), and THEN shoot it?

Should produce some interesting results. It'd be interesting to see the different effect from hitting dead center on the hub as compared to (on a different, identical drive) the outermost rim.

Re:yeah right

[Flounder]

yeah right.. who the hell keeps a journal on there computer?

If it's good enough for Doogie Howser, it's good enough for me.

Re:DOD has specific guidelines that define Overkil

[Afrosheen]

7. Profit!!!

A story of DISK, SRAM and DRAM data recovery

[tagman2]

Summary of the long posting below:

• Data from a hard disk that as been wiped multiple times can be recovered.
• Data left in SRAM and DRAM for a long period of time can be recovered even though the system has been powered off for a while and the SRAM has been cleared.
• While it is hard to recover wiped and old data, it is not impossible.

First, a little background:

I belong to a group that polls/tracks certain elections around the world. In one recent election, there were a number of claims of voting irregularities. Our group became part of a post-election analysis team to look into these irregularities.

We were able to determine that one desktop system in particular contained some critical raw voting data (raw precinct counts of per ballot slot data). The election officials were more than reluctant to give us a copy of that raw data. By the time we were granted a order requiring the election officials to let us access the data, someone had attempted to throughly wipe the desktop system of all traces of data.

We thought we had lost that critical data. But thanks to a chain of contacts we were referred to a consultant that specializes in extremely difficult data recovery. After checking some references (and obtaining more money from OUR client: the consultant was VERY expensive), we hired this consultant.

Much to the surprise of the election officials we obtained an order that allowed us to physically take possession of the system. The system was turned over to the consultant who recovered enough critical election data for our needs.

The recovery included data from the wiped system hard drive as well as from SRAM and DRAM.

Regarding disk recovery:

The disk drive had been wiped by a utility that, we presume, had been run from a CDROM. The wipe tool wrote over the entire disk 35 times, 8 of them were random and 27 of them were fixed patterns of 3 bytes each.

Not all disk data was recovered. Part of the reason was that the data recovery method was not 100% perfect. Part of the reason that some data was not recovered was a simple matter of time. (The consultant was in between two already committed projects and only had a limited amount of time to work for us.)

The consultant did recover some deleted files that were critical to our work. Not everything was recovered, however. Parts of the swap/VM-paging area that might have contained some useful data were not recovered. Also some disk data critical to file and directory layout was not recovered making recovery of parts of the file system layout difficult to map.

Still, some important files (a spreadsheet, simple database file, browser cache, some EMail, etc.) were recovered even though the drive had been wiped 35 times!

Regarding SRAM recovery:

n3rd posted a comment asking about recovering data from RAM.

There are methods that can recover RAM data. Both SRAM and DRAM can be recovered.

According to the consultant, the storage of the same data in SRAM over a long period of time has the effect of altering the preferred power-up state. They said that SRAM can ''remember'' data for days after it held it for a long period of time. This memory can be determined by a ''partial powerup'' (I presume they mean a lower than normal voltage?) and then going ''full on'' and reading the initial values of memory.

In the case described above, the SRAM had been deliberately cleared prior to our group taking possession of the system. The consultant was able to recover the original data even though the SRAM had been cleared and the system has been powered off for more than a day. A simple clearing of memory was not enough to wipe out the long held memory effect.

Regarding DRAM recovery:

DRAM data was also recovered. Data left in DRAM for a long period of time can leave an ''impression'' thru a process somewhat different from SRAM.

As explained by the consultant: With DRAM, recovery comes not from detecting any left over charge, but rather detecting the stress (or lack of stress) from the thin oxide of the cells storage capacitor dielectric. The effect of this stress can be measured by using the DRAM self-test feature. In self-test mode, a small voltage is applied to a cell in order to measure its margin for error. The self-test margin is increased or decreased by the amount of oxide stress.

Not all of the DRAM memory was recovered. However certain critical portions of the DRAM held values for long enough period of time that data was recovered, even though the system has been powered off for more than a day. Data recovered included memory associated with a browser and a spreadsheet. Even though both the browser and the spreadsheet were closed prior to the system being wiped, they were left running long enough to leave behind their DRAM oxide stress.

Based in part on the recovered data, we concluded that candidate A was declared the winner due to a ''mistake'' in mapping ballot slot numbers to candidates. In some cases the slots for candidate A and B were reversed.

An incorrect vote count was reported by the election officials. It is our guess that when we came around asking for the raw data, someone began to collect it. At some point some official(s) discovered the blunder. The system was left on while they stalled for time. When it was clear that we were going to force them to turn over the data someone wiped the system and shut it down.

BTW: The majority of the election officials involved were supporters of candidate B. Even though their blunder caused them to declare candidate A the winner, they still tried to coverup their mistake.

Our conclusion was that the attempt to coverup the mistake was motivated by not wanting to admit the major blunder instead of because of candidate A's influence. This conclusion was reached in part because of messages that we recovered on another system that was not wiped. However we would have never been able to find that other system, nor would we have been able to match the raw slot numbers with the reported vote counts by candidate name without the help of the data recovery consultant and the critical data that they recovered.

I'll offer a few observations:

• Volatile data such as SRAM and DRAM is not as volatile as you might think.
• With enough will, skill and effort, old data can be recovered from a disk that has been overwritten multiple times.
• Packages such as PGP file wipe, GNU shred or Boot and Nuke are likely to only make it harder, but not impossible to recover the data.
• To quote from a paper by Peter Gutmann:

  '' Data which is overwritten an arbitrarily large number of times can still be recovered provided that the new data isn't written to the same location as the original data (for magnetic media), or that the recovery attempt is carried out fairly soon after the new data was written (for RAM). For this reason it is effectively impossible to sanitise storage locations by simple (sic) overwriting them, no matter how many overwrite passes are made or what data patterns are written.''

  And even though in that paper next says:

  '' However by using the relatively simple methods presented in this paper the task of an attacker can be made significantly more difficult, if not prohibitively expensive.''

  For our consultant, the recovery process was hard but not extremely difficult. It was expensive for us, however. :-( But we were happy to pay to have it done. :-)
• Whoever wrote the 35-pass disk wipe tool must have read that paper, or one similar to it because the overwrite patterns looked similar to the recommended list.

P.S. I know that some people doubt that one can obtain old data from SRAM and DRAM after poweroff. I did too until it was done for our group. To those who still doubt this: I will refer you to Peter Gutmann's paper on Secure Deletion of Data from Magnetic and Solid-State Memory for another source on data recovery methods.

Wiping and physics

[Antity]

If you wipe, remember to take your device's physics into account.

Wipe it once when it is completely "cold" (computer has been turned off for at least several hours), then wipe it again after it has been running for an hour or so, and wipe it a third time after you've giving the disk some serious thrashing (that is, disk activity that moves the head around quite a bit).

The reason is temperature. Data is saved on circles on a magnetic medium. The read/write head has a certain amount of thickness, and so have the tracks on the platter (the tracks have to be a bit widther than the head is, to take thermal expansion into account so the head won't overwrite data on neighbour tracks).

So, for some specialized data recovery company, it may even be possible to recover different data from the same track, because after a while of use, a track can look like this:

................ Free space to next track
---------------- Outer track end
AAAAAAAAAAAAAAAA Older data 1
BBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBB Actual data
BBBBBBBBBBBBBBBB
CCCCCCCCCCCCCCCC Older data 2
---------------- Inner track end
................ Free space to next track

So, your drive will always read the data in 'B'. In 'C' there might still be data your computer saved when the drive had just spun up and was cold, while 'A' might still hold a copy of data that was written on very heavy disk activity when the drive was really hot.

To overwrite all of this data, you need to have the drive write in any of the temperature states that it has been in within this life.

"Simple" writing might only destroy all 'B' data and leave all 'A' and 'C' data intact on the drive, where they can be recovered.

Secure Harddisk Eraser (boot floppy, GPL)

[infolib]

what you need to do is overwrite the whole harddisk several times with different patterns. Peter Gutmann recomends 35 passes with different patterns. The DoD 5220.22-M NISPOM recomends 3 passes.

Secure Harddisk Eraser implements these 35 or 3 passes on a single floppy. Just boot from the floppy, wait 60 seconds and the harddisk will start to erase.

The homepage

Computer Repairs

[Gigacorpse]

One thing to consider is turning your system in for repairs. I used to own an Apple G4 Cube and when I sent it in for repair, Apple decided simply to send me a new one. While I didn't have anything on the hard drive except some MP3s and Email, who knows where that disk is now and who has it? It is something to think about if you have your computer serviced.

After reading all the posts of this topic, I have concluded that physical destruction is the best way to go. Although I have no doubt that a program designed to securely erase the hard disk would be effective enough for me, my hard disks are simply too big for this approach. Who wants to wait on 7 or more passes on a 120GB hard disk?

Hard Drive Destructo Kit

[mrobinso]

First, a night in a box with a dozen or so neodymium iron boron magnets, and then a few minutes of lovin with one of these puppies, and presto, hard drive toast.

Throwing drives in the trash reminds me of the age old story of the bank robber that goes into a bank and hands the teller one of those nifty holdup notes. You know, the one with his name and social insurance number on the other side. .mike

-- Ok ok, I'll be good. Gimme back my karma.--

Get Data Back

[Shanep]

I've tried lots of data restoration software, from shareware to super expensive. Almost all of them worked pretty badly. Except one, and I mention it here if it helps someone who is desperate and thinks there's no hope, to go down a potentially fruitfull track...

I've tried Get Data Back for FAT and for NTFS on drives that were formatted, partially zeroed (both FAT's gone on a FAT drive) and new partitions partially used and they restored perfectly almost all files (luckily every file I needed). They cost money (frequently found on warez sites though) and the programs and web site don't look all that professional, but I've never found anything that worked as well. I rekon these guys deserve to be paid for this great software.

A useful idea for the Trolls! Fill a hard drive!

[Anonym0us+Cow+Herd]

Trolls, got too much time on your hands? Here is an idea to get your rocks off. Build a small Linux distribution CD that "erases" a hard drive by filling it with...

• Pr0n
• Convincing evidence of some popular conspiracy theory
• Fake contrived evidence of some crime (say, a murder)
• ...anything else you can think of to yank someone's chain

A feature I'd like to see in hard drives

[Anonym0us+Cow+Herd]

I'd like to see IDE hard drives that encrypt every sector -- but done in the drive's electronics.

Before the drive can be used, the mainboard (bios?) must first issue an ide command to set the key that the drive used for reading/writing each sector.

WIth a properly configured bios, the bios could ask you for the key during power on self test.

You run your computer off a UPS. If the bad guys are going to serve a warrant, raid you and steal your gear, they might first cut the power to prevent you from inserting a linux "reformt-the-drive" floppy and punching reset. The UPS helps against this.

But even if you can't get the drive reformatted, and the bad guys attach your drive to one of those drive copying gizmos to collect evidence, all they get is encrypted blocks. Or better, if the drive electronics detects an attempt to do this, massive sequential copying of blocks, but without first having issued the decryption key command, then the drive electronics could simultaneously return random bytes to through the ide interface to the copying gizmo while actually overwriting the corresponding sector on the drive with different random data.

Another way to look at this from the point of view of the drive electronics is that if the drive is powered up, and very much access is attempted without the decryption key command, then the drive can assume that it is NOT physically in the good guy's computer where it belongs.

While the technique described here is also good to prevent data mining of your hard drive, it is most useful in preventing data mining by the bad guys who might steal your drive for evidence.

Re:Better yet!

[ktambascio]

Check out Autoclave

Its a mini-linux distribution that boots off a floppy, then allows you to pick which hard drive you want to wipe clean.

YASS (yet another similar story)

[lhand]

Years ago I bought a CP/M system complete with a 30MB 14" hard disc at a computer show consignment table. I couldn't get it to boot up but I was able to poke around on the disc by writing and reading directly to the controller. I discovered some erased files and one was the previous owner's resume, a developer for Pickles and Trout. So....I called him up and he helped me get it working. He was suprised I found his deleted resume and I assured him I'd wipe it as soon as I got it working. That drive also had the source to most of their CP/M development. It made for some fun reading, pre-DMCA, of course.

Re:Better yet!

[R2.0]

Blowfish http://bsn.ch/Lasse/bfacs.htm
(sorry, me mechanical engineer, me think link is machine part)

Has a utility to blow away hard drives, or at least clear all the empty space.