Data Mining Used Hard Drives

linuxwrangler writes "One hopes the /. crowd knows the perils of discarding storage with sensitive data but this article drives home the point. Two MIT grad students bought used drives from eBay and secondhand computer stores. Among the data found on the 158 drives were 5,000 credit-card numbers, porn, love-letters and medical information."

Guess those pop up ads were right

There IS pornography on your computer!

Re:Guess those pop up ads were right

Fill a directory with goatse pics, so if your hd is data mined, whoever's doing it will have an unpleasant experience. :)

DPA

[kylegordon]

Another reason to securely erase your data. In the end, _you_ are responsible for data under the Data Protection Act (in the UK anyway)

Re:DPA

[tealover]

I remember working on my very first IBM pc. My girlfriend's mother was dating a guy and he gave her an old 8086 computer (this was back in '94 or thereabouts). Well, I started playing with the computer. He had an early version of Norton Utilities on it. I played with the undelete file utility and found that there were lots of deleted files. I recovered some of them and started to read them. Most were boring. One wasn't

This guy wrote about my g/f's mom about how he was banging her for the last 15 years. She had only been widowed for 10 years. He also complained about how she only came around when she needed money and how he was tired of banging her wrinkly ass.

Also, this guy was a principal at an elementary school. He was apparently fucking several women at the school, even getting blowjobs at work!

I was simply amazed. My g/f didn't even really know that this guy was dating her mom (some women are so stupid). She just thought he was a family friend. I couldn't tell her about what I found because I knew she would have been really upset.

I learned from that day on that simply deleting a file was not going to hide anything. I'm actually holding onto a defective laptop thathas been broken for months. I don't want to toss it out until I can either recover the harddrive data myself or until I can safely dispose of the harddrive.

Re:DPA

[Alien54]

and the only secure method involves a woodchipper.

Actually, I find extensive use of sandpaper after attaching the disk to a high speed drill works wonders.

Barring that, an old fashioned bulk tape eraser also has interesting effects.

I'm thinking of other options, including battery acid, and use as a grounding rod for a Tesla Coil.

Re:DPA

[Rolo+Tomasi]

Barring that, an old fashioned bulk tape eraser also has interesting effects.

Nope. A magnetic field that would be strong enough to erase a hard drive would probably also compress it into a lump of twisted metal. from http://www.usenix.org/publications/library/proceed ings/sec96/full_papers/gutmann/:

US Government guidelines class tapes of 350 Oe coercivity or less as low-energy or Class I tapes and tapes of 350-750 Oe coercivity as high-energy or Class II tapes. Degaussers are available for both types of tapes. Tapes of over 750 Oe coercivity are referred to as Class III, with no known degaussers capable of fully erasing them being known [19], since even the most powerful commercial AC degausser cannot generate the recommended 7,500 Oe needed for full erasure of a typical DAT tape currently used for data backups.

Degaussing of disk media is somewhat more difficult - even older hard disks generally have a coercivity equivalent to Class III tapes, making them fairly difficult to erase at the outset. Since manufacturers rate their degaussers in peak gauss and measure the field at a certain orientation which may not be correct for the type of medium being erased, and since degaussers tend to be rated by whether they erase sufficiently for clean rerecording rather than whether they make the information impossible to recover, it may be necessary to resort to physical destruction of the media to completely sanitise it (in fact since degaussing destroys the sync bytes, ID fields, error correction information, and other paraphernalia needed to identify sectors on the media, thus rendering the drive unusable, it makes the degaussing process mostly equivalent to physical destruction). In addition, like physical destruction, it requires highly specialised equipment which is expensive and difficult to obtain (one example of an adequate degausser was the 2.5 MW Navy research magnet used by a former Pentagon site manager to degauss a 14" hard drive for 1 minutes. It bent the platters on the drive and probably succeeded in erasing it beyond the capabilities of any data recovery attempts [20]).

The only way to be really sure is to use an acetylene torch.

Luckily for me, my Ebay'd hard drives are safe

[ObviousGuy]

I only sell broken ones.

Re:Luckily for me, my Ebay'd hard drives are safe

[norton_I]

Even broken hard drives can be recovered, though it takes some rather expensive equipment to do so. However, with a little creativity and some equipment you would likely find in a EE department, much of it could be recovered.

Re:Luckily for me, my Ebay'd hard drives are safe

[broter]

"Even broken hard drives can be recovered..."

That's why it's the DoD way for me: scramble the data with many passes accross the media with a stong magnet, followed by hammer strikes until it's in small pieces.

You may find this lowers its value slightly in the "Computers & Office Products" category, while raising it dramatically in the "Art - Sculpture, Carvings" category (as glue as needed).

-RB

Re:Luckily for me, my Ebay'd hard drives are safe

[orthogonal]

[OP's hard drives won't be read, he claims] not if i've cracked them open and cum/shit/bled on the platters after perforating them with an awl

Well, in that case, first they'll read your DNA, have uncontestable proof you (or your identical twin) had had possesion of them, and then they'll read your data.

Data worth more than the computer

[blamanj]

It's long been know that laptop theives are often more interested in the data than the computer.

Some computers sold on eBay are sold for the data.

I can relate

[l33t-gu3lph1t3]

Picked 6 or 7 old 4gig HDDs from my father's company a few years ago, found their company credit line information, personal (and some very erotic) email, and a surprisingly large collection of nudie photoshopped Gillian Anderson photos. Oh yeah, and like 100 different (and I must say, very well-done) quake2 "crackwhore" models and skins lol. I love the people who don't clear their HDDs, it's like treasure chests, you never know what you're gonna get.

Re:How many credit cards per hard disk???

[DAldredge]

They are using the NEW, IMPROVED RIAA/MPAA counting system.

Your old HD is safe.

[missing000]

I can get creditcard numbers faster on kazaa.

Not so bad.

[Annatar2]

Thats not so bad. My dad happens to be a garbage man and often brings along an occasional system he's scavanged from the dumpsters along his route. Currently I have in my possession an old IBM Aptiva with some guys bank account information on it (He did his checking and stuff with it apparently), but worst of all I have what appears to be an old Gateway tower used to store Medical information for a major hospital in the area my father works. I have over 2 gigs of peoples medical history, including what they were put in the hospital for, insurance information, release dates ect.

I should really do the honost thing and reformat it but its always fun to flip the thing on and just page through stuff.

PGP!

[wirelessbuzzers]

PGP (for windows or mac, ie not GPG) has two commands related to this: wipe file and wipe free space. They overwrite the appropriate sectors of the disk with several patterns designed to ensure that no matter what (common) encoding scheme the hard disk uses, every bit will have been set at least once, zeroed at least once, and overwritten with pseudorandom data at least once. If you set in on a lot of passes, it does an even better job. This would be a cheap (free, except for time and bandwidth to download it) way to make sure your sensitive data doesn't get out.

That said, experts would tell you that the only reliable way to make sure sensitive data doesn't get out is to thermite your drive.

Also, what's the one-line unix command (running MacOS X here).

Re:PGP!

[delta407]

what's the one-line unix command

Easy.

# dd if=/dev/zero of=/dev/hda

...being sure, of course, to make 'hda' the actual drive you want to zero. (You could blank individual partitions by using the appropriate names, of course.) Also, you could use '/dev/urandom' instead to fill your disk with random data.

Ah, the joys of *nix.

Old news or not...

[Ironica]

People still don't get it. My old boss wondered why I was "wasting my time" doing stuff like writing all zeros to drives of computers we were giving to charity. "I only told you to format them!"

I tried to explain the concept to her, but for an IT manager, she was woefully bad at technology.

Actually, come to think of it, she was about average...

start an extortion & blackmail company..

[netnerd.caffinated]

or do like this guy did...
icanstilltellyourwifebill.com
he brought a hard drive, found all this cool stuff on it.. & put it to DVD for the masses

This isn't exactly news...

[japhar81]

But the CC info bothers me. Presumably, this is a corporate drive that got resold (Unless you know of 170 ppl with 25 credit cards a piece, in which case it's time to re-evaluate the financial system in this country).

Personally, I have a standing policy in my department to take apart every HDD, take a magnet to each platter, and send the platters to Iron Mountain for destruction. Then again, we deal with large financial institutions, so we have to be extreme and obsessive-compulsive, which brings me to my actual point;

This stuff should be regulated. If you store personal info on an HDD for business purposes, you should have a legal responsibility (i.e. one that comes with repricussions if not met) to ensure that even after a drive is retired, the data is safe.

Just my $.02

CIA

[Eric_Cartman_South_P]

Thinking back to a Discovery channel show on the CIA, they dispose of hard drives with a good data wipe then they drill holes in them. Drives that held Super Top-Secret stuff (MS source code?) also got burned in a furnace. All of this on-site.

In regards to Wiping data, do yourself a favor and check out http://www.heidi.ie/eraser/

Beyond the wonderfull wiping the program does, there is the option to make an emergency boot floppy that wipes the HD with DOD style 7-pass or a GutherSomething 36 pass! Niffty for the paranoid.

Your wayback machine is broken

1979? I was there, home skillet.

50 MB? Try 5 MB.
SCSI? Not in production.
Sun? Sure...
Linux? Try CP/M.
hexedit? Try debug.
Asian Students? First wave Vietnamese refugees, maybe.
E-mails? If you were working on ARPA.
Porn? Maybe PG rated adventure games...

Tax dollars at work? In 1979, we had to walk
10 miles up hill (both ways) to pay our taxes, and they only accepted krugerrands and virgins without
herpes, both of which were in even shorter supply
and higher demand than they are now.

Re:HD Abuse

[davidc]

Take 'em apart and use the magnets as fridge magnets. They hold up an enormous amount of paper, although they do tend to nip one's fingers occasionally :)

I just shoot mine.

I dont bother sanitizing them, squeezing or anything else. I just shoot them.

They're great target practice when set up at 50 yards. Plus, they're rendered more or less ultra-highly unreadable, with half the platters coated in vaporized lead spall, and then with the platters dramatically warped, penetrated, stretched and shattered. Many areas are complete and totally lost, the ones that arent, would require precise magnetic microscopy to observe the actual state.

These pictures were of a seagate 40mb eide, splashed with a 158grn jacketed hollowpoint in .357 magnum, after being accelerated to about 1700 fps from a Marlin 1894C lever-action carbine.

It's not just hard drives

[b1t+r0t]

A few years back I found some backup cartridge tapes (the big 4x6 kind) and a couple of tape drives at a Goodwill store. While there wasn't anything particularly useful on it, I could tell that it was the shell account machine used by half a dozen or so Ingres developers.

No database code or data, just typical home directories and stuff. And they were running SCO, but boot blocks and stuff don't generally get written to tapes, so no chance of warezzing from it.

I also snag SCSI hard drives and SyQuest cartridges when they show up for five bucks or less at thrift stores, since most of that is Mac stuff and I'm a Mac-head.

Once I got a 6100 at a thrift store. I presume the owner stopped using it when the PRAM battery died. (When a 6100's PRAM battery dies, the video settings go with it, and unless you're using a fixed-frequency monitor, you get no video unless you hold down command-option-P-R. Looks like real bad a hardware problem when it's just the battery.) I could tell it was used by some college guy, studying to be a lawyer, I think.

"Thrift store hard drives are like a box of chocolates... you never know what you'll find!"

Re:Oh, man. Hear it comes.

[QuaZar666]

Now days the dod drills a hole through the platter on drives that are bad that have to be RMA'd and have contracts so all they have to return is the top of the drive with the label. as for drives they no longer need i do not know. im guessing they write 0 and 1 patterns on the drive 7+ times. (even then data recovery services could recover it)

this is also a problem for warranty.

[Unknown+Poltroon]

I have had 2 drives fail well within the warranty period, and did not return them for just this reason.

a few minutes with tomsrtbt

[g4dget]

Erasing your disks before selling your PC is easy:

• Get out your favorite Linux installer CD or download a copy of Tom's RTBT and write it to floppy or CD-R.
• Boot from the floppy or CD.
• Log in as root.
• Run dd if=/dev/zero of=/dev/hda to erase the master drive on the primary IDE controller (/dev/hdb etc. for the remaining disks)

That's all. It erases all the blocks normally accessible by the disk controller and is probably safe enough for most people. Bad blocks that have been replaced may still contain a little bit of data, and inter-track data may be recoverable by analog means.

shred(1) will securely delete files

[jrstewart]

It's not enough to write 0's to remove traces of a file. Writing random patterns is much better and for older drives you can even do better than random (i.e. more erasing in less passes). The shred(1) command from the GNU fileutils will take care of this for you in Unix-alikes.

http://btr0xw.rz.uni-bayreuth.de/cgi-bin/manpage s/ shred/1

See also http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_ del.html for an informative paper about the details of how secure deletion works.

Re:shred(1) will securely delete files

[jbrandon]

Most recent GNU/Linux distros use Ext3, so shred won't work:

$ man shred

[snip]

CAUTION: Note that shred relies on a very important assumption: that the filesystem overwrites data in place. This is the traditional way to do things, but many modern filesystem designs do not satisfy this assumption. The following are examples of filesystems on which shred is not effective:

* log-structured or journaled filesystems, such as those supplied with AIX and Solaris (and JFS, ReiserFS, XFS, Ext3, etc.)

[snip]

FYI: HOWTO: Secure HD for Donation or Disposal.

[dameron]

Backup all important data to both magnetic and optical media (another HD/tape -and- cd/dvd).

Re-format HD using the NTFS file system if the drive is larger than 2 GB, otherwise install NT Server from the earliest available service pack.

Install Windows NT 4 Server, apply service patch 6. Make sure you use a meaningless administrator password.

Upgrade MS Internet Information Server to version 4.0 from NT Option Pack. Create a default web site using the following as the index page (*.htm, *.html, *.shtml):

Why are Chinese, Dutch, German, and Russian Hackers So Homosexual?"

Chinese, hackers, IIS rules, Counterstrike, Dutch, mothers, US ALL THE WAY, Germany sucks, script kiddie, porn, pr0n, disable X10 ads, warez, firewall, Bill Clinton, rar, zip, romz, roms, direct downloads, Long Live Pakistan, How do I secure III?, index of, Ronald Reagan Library

Boot the HD in a computer with an internet connection.

Wait about four days.

Repeat the process three times.

Reformat the drive.

Donate/Discard.

Hey, at least it won't have -YOUR- important data on it.

-dameron

Random Bit Overwrite

[akamoe]

US DoD Spec: 3 passes
German DoD Spec: 7 passes

(from http://www.ontrack.com/library/dataeraser.pdf)

-- R

Re:Random Bit Overwrite

[MillionthMonkey]

Can anyone tell my why there has to be numerous random-bit passes when one could do something like this:
dd if=/dev/zero of=/dev/hda bs=512
What's wrong with just zeroing out the drive once?

Say the child porn file has a one bit and a zero bit. You overwrite it with two zero bits. The magnetic domains where the one bit was are presumably weaker or smaller because they were flipped, not reinforced like the zero bit domains. Of course the drive's read head itself won't be useful for extracting this information, because it's only designed to determine the last bit written by the write head- a binary zero/one determination. But with special equipment you can measure domain strengths carefully, and pull more information than a single bit out of them. You can tell which domains were flipped by the zero-out process and which were reinforced. (Of course this is a simplification because each bit is composed of multiple domains.)

So there are a few trivially obvious considerations when writing an erasing program-

-Don't write zeroes, write ones and zeroes.
-Go in more than one pass. A single pass leaves the bits in 4 possible states- (0,0), (0,1), (1,0), and (1,1) (where (c,r) are the child-porn and random-overwrite bits, respectively). An attacker can in theory tell all four states apart by close physical examination, so he knows c. Two passes (c,r1,r2) leaves 8 possible states- (0,0,0), (0,0,1), (0,1,0), (0,1,1), (1,0,0), (1,0,1), (1,1,0), and (1,1,1). Now the attacker's equipment needs more than twice as much precision, because some of them, like (0,0,1) and (1,0,1), are starting to look physically similar. 10 passes leaves 1024 possible domain states, many of which are indistinguishable.
-Writing zeroes over the file ten times is much better than writing zeroes over it once, but still leaves it in one of only four possible states. (Which are admittedly harder to tell apart, but you never know.)
-Do not allow the content of the file you're erasing to influence your decision of what bits to overwrite it with. You avoid a whole class of problems this way.
-Be aware that when you are writing random numbers, you are actually encrypting, not erasing, the file. The seed you used for your random number generator becomes a key for decrypting the file (given special equipment).
-You want to prevent the attacker from knowing what bits you wrote and in what order you wrote them. You will favor erasure over encryption if you can continually introduce entropy into the process. But entropy is scarce in most software environments. The variations in the timings of the drive's mechanical movements, ping responses from remote servers, mouse movements, and keypresses are well-known sources.
-Don't use a lousy random number generator. There are many ways for a random number generator to be bad. The simplest type produces numbers where n-tuples fall on a regular lattice when plotted in n dimensions. Generators like that are used a lot in scientific and graphics applications, but have no business being in security applications. If an attacker gains access to a few of the numbers in the generator's sequence, he can predict the rest of the sequence. They also loop after generating 2^N numbers.
-If applying this process to a single file, hide the size of the file.
-Ideally you should hide all traces of the file's existence. This means clean up after yourself by writing zeroes in the last several passes, so that even the domain randomness is physically removed (its presence implies that something was erased).

This is NOT Data Mining!

[Commykilla]

Data Mining is NOT the process of recovering or otherwise retrieving data. Data Mining is the process of discovering knowledge through data that has already been obtained (usually through statistical and/or AI techniques). I.e., data retrieval/collection is a prerequisite for Data Mining.

Re:Oh, man. Hear it comes.

[rela]

Don't forget degaussing. Someone is going to have to make the obligatory link to Secure Deletion of Data from Magnetic and Solid-State Memory, so there it is.

You don't really want none of this...

[Mulletproof]

Unfortunately, I suspect you're gonna have an unplesant time getting your hard drive to that state...

A story of DISK, SRAM and DRAM data recovery

[tagman2]

Summary of the long posting below:

• Data from a hard disk that as been wiped multiple times can be recovered.
• Data left in SRAM and DRAM for a long period of time can be recovered even though the system has been powered off for a while and the SRAM has been cleared.
• While it is hard to recover wiped and old data, it is not impossible.

First, a little background:

I belong to a group that polls/tracks certain elections around the world. In one recent election, there were a number of claims of voting irregularities. Our group became part of a post-election analysis team to look into these irregularities.

We were able to determine that one desktop system in particular contained some critical raw voting data (raw precinct counts of per ballot slot data). The election officials were more than reluctant to give us a copy of that raw data. By the time we were granted a order requiring the election officials to let us access the data, someone had attempted to throughly wipe the desktop system of all traces of data.

We thought we had lost that critical data. But thanks to a chain of contacts we were referred to a consultant that specializes in extremely difficult data recovery. After checking some references (and obtaining more money from OUR client: the consultant was VERY expensive), we hired this consultant.

Much to the surprise of the election officials we obtained an order that allowed us to physically take possession of the system. The system was turned over to the consultant who recovered enough critical election data for our needs.

The recovery included data from the wiped system hard drive as well as from SRAM and DRAM.

Regarding disk recovery:

The disk drive had been wiped by a utility that, we presume, had been run from a CDROM. The wipe tool wrote over the entire disk 35 times, 8 of them were random and 27 of them were fixed patterns of 3 bytes each.

Not all disk data was recovered. Part of the reason was that the data recovery method was not 100% perfect. Part of the reason that some data was not recovered was a simple matter of time. (The consultant was in between two already committed projects and only had a limited amount of time to work for us.)

The consultant did recover some deleted files that were critical to our work. Not everything was recovered, however. Parts of the swap/VM-paging area that might have contained some useful data were not recovered. Also some disk data critical to file and directory layout was not recovered making recovery of parts of the file system layout difficult to map.

Still, some important files (a spreadsheet, simple database file, browser cache, some EMail, etc.) were recovered even though the drive had been wiped 35 times!

Regarding SRAM recovery:

n3rd posted a comment asking about recovering data from RAM.

There are methods that can recover RAM data. Both SRAM and DRAM can be recovered.

According to the consultant, the storage of the same data in SRAM over a long period of time has the effect of altering the preferred power-up state. They said that SRAM can ''remember'' data for days after it held it for a long period of time. This memory can be determined by a ''partial powerup'' (I presume they mean a lower than normal voltage?) and then going ''full on'' and reading the initial values of memory.

In the case described above, the SRAM had been deliberately cleared prior to our group taking possession of the system. The consultant was able to recover the original data even though the SRAM had been cleared and the system has been powered off for more than a day. A simple clearing of memory was not enough to wipe out the long held memory effect.

Regarding DRAM recovery:

DRAM data was also recovered. Data left in DRAM for a long period of time can leave an ''impression'' thru a process somewhat different from SRAM.

As explained by the consultant: With DRAM, recovery comes not from detecting any left over charge, but rather detecting the stress (or lack of stress) from the thin oxide of the cells storage capacitor dielectric. The effect of this stress can be measured by using the DRAM self-test feature. In self-test mode, a small voltage is applied to a cell in order to measure its margin for error. The self-test margin is increased or decreased by the amount of oxide stress.

Not all of the DRAM memory was recovered. However certain critical portions of the DRAM held values for long enough period of time that data was recovered, even though the system has been powered off for more than a day. Data recovered included memory associated with a browser and a spreadsheet. Even though both the browser and the spreadsheet were closed prior to the system being wiped, they were left running long enough to leave behind their DRAM oxide stress.

Based in part on the recovered data, we concluded that candidate A was declared the winner due to a ''mistake'' in mapping ballot slot numbers to candidates. In some cases the slots for candidate A and B were reversed.

An incorrect vote count was reported by the election officials. It is our guess that when we came around asking for the raw data, someone began to collect it. At some point some official(s) discovered the blunder. The system was left on while they stalled for time. When it was clear that we were going to force them to turn over the data someone wiped the system and shut it down.

BTW: The majority of the election officials involved were supporters of candidate B. Even though their blunder caused them to declare candidate A the winner, they still tried to coverup their mistake.

Our conclusion was that the attempt to coverup the mistake was motivated by not wanting to admit the major blunder instead of because of candidate A's influence. This conclusion was reached in part because of messages that we recovered on another system that was not wiped. However we would have never been able to find that other system, nor would we have been able to match the raw slot numbers with the reported vote counts by candidate name without the help of the data recovery consultant and the critical data that they recovered.

I'll offer a few observations:

• Volatile data such as SRAM and DRAM is not as volatile as you might think.
• With enough will, skill and effort, old data can be recovered from a disk that has been overwritten multiple times.
• Packages such as PGP file wipe, GNU shred or Boot and Nuke are likely to only make it harder, but not impossible to recover the data.
• To quote from a paper by Peter Gutmann:

  '' Data which is overwritten an arbitrarily large number of times can still be recovered provided that the new data isn't written to the same location as the original data (for magnetic media), or that the recovery attempt is carried out fairly soon after the new data was written (for RAM). For this reason it is effectively impossible to sanitise storage locations by simple (sic) overwriting them, no matter how many overwrite passes are made or what data patterns are written.''

  And even though in that paper next says:

  '' However by using the relatively simple methods presented in this paper the task of an attacker can be made significantly more difficult, if not prohibitively expensive.''

  For our consultant, the recovery process was hard but not extremely difficult. It was expensive for us, however. :-( But we were happy to pay to have it done. :-)
• Whoever wrote the 35-pass disk wipe tool must have read that paper, or one similar to it because the overwrite patterns looked similar to the recommended list.

P.S. I know that some people doubt that one can obtain old data from SRAM and DRAM after poweroff. I did too until it was done for our group. To those who still doubt this: I will refer you to Peter Gutmann's paper on Secure Deletion of Data from Magnetic and Solid-State Memory for another source on data recovery methods.