Study: 78% of Resold Drives Still Contain Readable Personal or Business Data

itwbennett writes: Blancco Technology Group, which specializes in data erasure, bought 200 secondhand PC storage drives (PDF) from eBay and Craigslist to see if they could recover any of the old data saved inside. Their findings: 78 percent of the drives contained residual data that could be recovered, 67 percent still held personal files, such as photos with location indicators, resumes and financial data, and 11 percent of the drives also contained company data, such as emails, spreadsheets and customer information. Only 10 percent had all the data securely wiped, Blancco said. The Consumerist points out that Blancco makes their money from promising secure data erasure, so the company has a "strong and vested interest in these results." As for why so many of the drives contain unwanted information, the report says it has to do with the difference between "deleting" data and "erasing" data. Your files aren't actually deleted when you drag them to the Trash or Recycle Bin, or by using the delete key -- shocking, I know. You can format a drive to erase the data, but you have to be careful of the format commands being used. A quick format, which was used on 40% of the drives in the sample, still leaves some residual data on the drive for someone to possibly access. A full format, which was used on 14% of the drives, will do a better job in removing unwanted files, but it too may still miss some crucial information. The solution Blancco recommends: buy a tool to perform complete data erasure.

Don't have to buy one

[TheReaperD]

You don't have to buy a secure hard drive erasure tool, DBAN does a reliable job for most drives and is free. SSDs are a new kink in the mix that means that some really advanced tools could retrieve data from the drives, even after a complete wipe but, if you're going up against people that dedicated, I recommend a sledgehammer instead.

Re:Why?

[JoshuaZ]

Because it is cheap, and a single reformat will deal with the vast majority of issues. A few bad sectors aren't in general going to make the drive unusable.

Re:Simple under linux

[RabidReindeer]

If you're decommissioning an online disk, the simplest solution would be to boot one of the live-distro Linuxes and run dd on it.

Of course, that does require a certain minimum level of competence. More, perhaps than you'd find in a PHB, but less than you'd find in a hamster.

Re: Buying not needed

[jabuzz]

Set a password for the drive and issue an ATA secure erase using hdparm. This will get all the remapped sectors as well. Procedure documented here

https://ata.wiki.kernel.org/in...

Re:Simple under linux

[Dr_Barnowl]

You don't need to do it under Windows though - burn a Linux USB and off you go.

Hell, there's a bootable image just for it : Darik's Boot and Nuke

Blancco are just capitalising on ignorance (and risk-aversion in the business community which only tends to regard something you pay for as being a safe bet, despite the usual license agreements which preclude the vendor having any liability anyway).

Re:Why?

[PhunkySchtuff]

Modern drives will silently remap sectors without telling you (unless you look at the SMART status).
Once they exhaust their pool of spare sectors, then they start telling things higher up the chain that there are bad sectors.
By the time a disk is reporting bad sectors to the OS (as a bad sector, instead of incrementing a SMART counter and silently carrying on) it has remapped so many bad sectors that it can no longer automatically remap them and is now telling you there is a problem.

In my experience, every single drive that I've seen reporting even a single bad sector will soon go pear-shaped and shouldn't be used.

Re:Simple under linux

[Dr_Barnowl]

Hah, hadn't realized that Blancco is apparently just the monetization of DBAN.

Re: 78% of Crapdot stories are worse now

Can Intelligence Agencies Read Overwritten Data?

Daniel Feenberg
National Bureau of Economic Research
Cambridge MA

Claims that government intelligence agencies can recover overwritten data on disk drives have been commonplace for many years now. The most commonly cited source for this claim is a paper, "Secure Deletion of Data from Magnetic and Solid-State Memory", written by Peter Gutmann in 1996. Gutmann believes that an overwritten sector can be recovered under examination by a sophisticated microscope and this claim has been accepted uncritically by numerous people.

However, all of the references cited by Gutman refer to experiments where Scanning Tunneling Microscopy was used to examine individual bits, and some evidence of previously written bits was found. Although there is a lot of literature on the use of Magnetic Force Microscopy(MFM) or Scanning Tunneling Microscopy (STM) to image bits recorded on magnetic media, the apparent purpose point of this literature is to test and improve the design of hard drive read/write heads, not to retrieve overwritten data. While I agree that overwritten bits might be observable under certain circumstances, Gutmann doesn't cite anyone who claims to be reading the under-data in overwritten sectors, nor does he cite any articles suggesting that ordinary wipe-disk programs are not completely effective.

Gutmann claims that "Intelligence organizations have a lot of expertise in recovering these images", but, out of the 18 references in his paper, none refer to anyone actually doing that. Subsequent articles written by many other authors do make that claim, but they only cite Gutmann. Charles Sobey has written a paper "Recovering Unrecoverable Data" with some quantitative information on this point. He estimates that it would take more than a year to scan a single hard drive platter with current MFM technology, and tens of terabytes of image data would have to be processed.

In one section of Gutmann's paper he suggests overwriting with 4 passes of random data, probably because he anticipates using pseudo-random data that would be known to the investigator. However, a single write is sufficient if the overwrite is truly random, even given an STM microscope with far greater powers than those in his references. In fact, data written to the disk *PRIOR* to the data whose recovery is sought will interfere with recovery just as much as data written after -- the STM microscope can't tell the order in which data is created. It isn't like ink on paper, where later applications are physically on top of earlier markings.

After posting this information to a mailing list, I received a reply suggesting that the recovery of overwritten data was an industry, and that a search on Google for "recover overwritten data" would turn up a number of companies offering this service commercially. Indeed it does turn up many firms, but all are quite explicit that they can only recover "overwritten files", which is quite different from overwtitten data. An overwritten file is one whose name has been overwritten, not its sectors. Likewise, partitioning and formatting typically affect only a small portion of the physical disk, leaving plenty of potential for sector reads to reveal otherwise hidden data. There is no implication in any of the marketing materials that these firms can read physically overwritten sectors.

Of course it has been several years since Gutmann published his original paper, so maybe microscopes have gotten better? Yes, but data densities have gotten higher too. I spent some time looking at STM websites and failed to find a single laboratory claiming it had an ability to read overwritten data.

Recently I was sent a piece by Wright, Kleiman and Sundhar (2008) who show actual data on the accuracy of recovered image data. While the images do include some information about underlying bits, the error rate is so high that the results are nearly useless, with recovery of maybe one word out of several thousand.

The requirem