Ghosts of Users’ Past – Recovering Data from Discarded, Resold, Salvaged, and Stolen Hard Drives

Written August 29th, 2016

Post Tags: Cyber, cybersecurity, data, data erasure, hard drive, threat intelligence

Editor’s Note: This post is more than 2 years old. Contact us about current cybersecurity services and approaches to data management. 

By Andrew Paulette

Have you ever given away or resold a computer, smart phone, or electronic device? Before you disposed of it, how much time did you invest to ensure the data on the storage device was erased? In many cases, most users rely on the “Empty Recycling Bin” option found in the operating system to ensure their personal files are erased from the hard drive. Savvier users will often reinstall the operating system from a recovery disk or a recovery partition on a computer to be absolutely sure that the data is removed from the device. Yet, while the data may no longer be immediately accessible, personal and corporate data is often still available to people or corporations who acquire your device, with surprisingly little effort.

While it may seem unlikely that this data would be recoverable after a deletion or reinstallation of the operating system, a recent study performed by the Blancco Technology Group showed otherwise. Based on analysis of 200 hard drives purchased from second-hand sites such as Ebay and Craigslist in the first quarter of 2016, they found a total of 67% of devices had recoverable information, including Personally Identifiable Information (PII) such as names, addresses, and social security numbers. In addition, 11% of the resold drives contained recoverable corporate data that included company emails, customer relationship management records used for managing customer data and interactions, and spreadsheets containing sensitive information.

While in some cases recovery may require advanced techniques to find the information from previous users, often times these deleted files can be easily recovered. Many free programs with friendly graphical user interfaces exist for data recovery, such as Priform’s Recuva or EaseUS Data Recovery Wizard. These applications can easily pull data from files that were recently deleted. Even when all the data on a drive is deleted, or in cases where a computer recognizes a drive as failed, data can still be salvaged using software such as Puran File Recovery. As a member of the Information Security workforce who started as a service technician, I can attest to the ability to recover deleted data. Even drives which the computer determines are faulty can have their data recovered using the right software, given that the failure does not impede the mechanical workings of the hard drive. While I won’t go into the details of recovering deleted data in this article, you can learn more about some simple data recovery here.

So, why do so many individuals place their faith in quick hard drive formats and emptying the recycling bin? I believe the largest reason is due to a misunderstanding between what happens when data is deleted and when it is erased. In computing, deleting data from a computer does not remove the data forever. Hard drives store data by writing sections of data where space is available, then creating an address table on the drive that points to the location of the data or its pieces. In order to allow for faster operation when deleting files, operating systems do not actually overwrite the pieces of data that make up the file on the computer. Instead, the addresses in the file allocation table to that data are removed and those sections where the data resided are marked as areas where data can be written in the future should the space be required. In essence, the information still exists, but the operating system does not see it. Data erasure is different, however, and ensures that data on the hard drive is either completely erased, or sections of the drive are erased as dictated by the user either through physical means (degaussing, physical destruction) or through software programs that overwrite the data with random data.

Proper data erasure is essential to protect personal information. While it is good practice for end users to ensure their data is properly erased, for many businesses and governments, there are serious implications if data is lost on account of improper erasure. In 2011, a report from an e-waste dump site in Ghana showed that many of the hard drives that were being shipped to this site had not had their data properly wiped. In addition to a slew of personal financial information, details on sensitive contacts with the National Aeronautics and Space Administration (NASA), the Defense Intelligence Agency (DIA), and the Department of Homeland Security (DHS) were all found to be accessible on these drives.

Compliance standards such as the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes Oxley (Sox) both carry monetary penalties and civil and criminal liability in cases where data breeches occur. An outline of these fines and penalties can be found here. In addition, companies that do not properly delete data face additional embarrassment due to data breeches where the attacker is able to retrieve data the company claimed had been erased. A recent example of this can be found in the Ashley Madison hack, and may cost the company upwards of $5 million in damages.

I would advise that consumers and organizations do everything they can to ensure their data is completely erased before handing their computer off to the next user, and don’t rely on the individual or company to which you’re handing off the device to perform secure data erasure. They often will use the computer built-in recovery options to restore the computer, which again can lead to data being left behind. Ensuring your device’s data is properly erased is relatively easy, given you keep in mind the following:

  • Deleting it doesn’t cut it: Emptying the recycling bin, formatting a hard drive, and reinstalling the operating system does not guarantee data erasure. By performing these actions, the user is essentially marking the data as available to write over if the hard drive needs space, and removes the markers that point to the data. This action, however, does not erase or overwrite the data.
  • Use a data erasure software program to remove data permanently: While it’s relatively easy to get to data that has been deleted, erased data is harder to access. If the entire drive needs to be wiped of data, using the “Secure Erase” command in a program such as Parted Magic will quickly wipe the contents of an entire drive, and is often the best way to ensure a solid state drive is erased. If only parts of the drive need to be overwritten or secure erase is not supported, using a program like the aptly-named Eraser will perform a pass over the selected data with random bits to erase the data from the drive. For most modern drives, a single overwrite pass is sufficient to erase the information on the storage device. That said, many organizations and security frameworks use their own overwriting standard, so ensure your organization understands which standard is required to ensure compliance for any relevant frameworks. For the IT or InfoSec professional, review of the NIST SP 800-88 rev. 1 will provide a strong foundation for understanding the requirements of media sanitization.
  • Encrypt your data to protect it from unintended consequences: One of the unexpected benefits of encryption is that it helps guarantee the safety of data even if it is not fully erased from the storage device. Even if an individual is able to find that there was data on the storage device, the information will be meaningless to them without knowledge of the method of encryption and the key (password) to unencrypt the data. Free programs like VeraCrypt create encrypted containers (similar to folders) to hold sensitive data while full disk encryption solutions exist in the form of Windows’ Device Encryption, BitLocker (professional versions of Windows only), and FileVault for Apple OS X.
  • Destruction is the only guarantee that data won’t be stolen: There is no better guarantee that data is no longer accessible than physical destruction. If there’s any uncertainty in the validity of the data erasure technique used or if the data is too valuable to risk any exposure, consider employing a data shredding service that can destroy the drive or device permanently. While not environmentally friendly and less cost effective, paying to have the drive destroyed or degaussed is the safest option. This is especially true in cases where the hard drive has failed, multiple sections of storage have gone bad, or the drive uses flash memory; these conditions and forms of storage are not often reliably erased.

While these techniques are effective techniques for end users and some businesses, it’s important to note that the health and credit industry and the federal government often have certain laws and standards in place that require their data erasure be handled in a certain fashion. There are many different standards that are used for overwriting data found on a drive which must be followed depending on the compliance requirements of your agency. In many cases, some form of validation certificate is required to confirm the drive has been wiped.

If you are a member of a company and are uncertain of how to ensure compliance to any policies your business must follow, consider reaching out to IT/Information Security professionals to assist with ensuring compliance and sound operations security. In a time when it is not a question of if a data breach will occur, but when, budgeting for the necessary contracting staff to ensure compliance can often save millions in the future.