Data Mining Used Hard Drives 695

Posted by timothy
from the but-sircam-does-this-for-me-already dept.
linuxwrangler writes "One hopes the /. crowd knows the perils of discarding storage with sensitive data but this article drives home the point. Two MIT grad students bought used drives from eBay and secondhand computer stores. Among the data found on the 158 drives were 5,000 credit-card numbers, porn, love-letters and medical information."
This discussion has been archived. No new comments can be posted.

  • That's pretty cool (Score:2, Interesting)

    by madsenj37 (612413) on Wednesday January 15, 2003 @08:32PM (#5091596)
    Sounds like a gold mine to me. Maybe, just maybe, it will teach people to be more secure.
  • by kenthorvath (225950) on Wednesday January 15, 2003 @08:32PM (#5091599)
    5000 divvied up between say 200 disks is 25 cards per disk, are these retail discarded drives? Perhaps this should be regulated.
  • by blamanj (253811) on Wednesday January 15, 2003 @08:34PM (#5091611)
    It's long been known that laptop thieves are often more interested in the data than the computer.

    Some computers sold on eBay are sold for the data [ebay.com].
  • scary (Score:2, Interesting)

    by Anonymous Coward on Wednesday January 15, 2003 @08:35PM (#5091622)
    It's one thing to make sure you securely wipe any drive of your own you get rid of, but you can't do anything about old drives or paper files that a company or hospital might discard containing sensitive info about you.

    Occasionally there are new reports about someone finding a stack of files by a dumpster containing sensitive medical or financial information about a lot of people. The same surely holds true for old drives or computers disposed of by careless companies.
  • I can relate (Score:5, Interesting)

    by l33t-gu3lph1t3 (567059) <arch_angel16@@@hotmail...com> on Wednesday January 15, 2003 @08:35PM (#5091624) Homepage
    Picked 6 or 7 old 4gig HDDs from my father's company a few years ago, found their company credit line information, personal (and some very erotic) email, and a surprisingly large collection of nudie photoshopped Gillian Anderson photos. Oh yeah, and like 100 different (and I must say, very well-done) quake2 "crackwhore" models and skins lol. I love the people who don't clear their HDDs, it's like treasure chests, you never know what you're gonna get.
  • by mike_stay (631250) on Wednesday January 15, 2003 @08:37PM (#5091641) Homepage
    And why the hell would only 158 drives have 5000 CCs?

    Because it's businesses selling the drives with their customer lists still on them, which are probably worth more in many cases than the CC#'s.

  • Not so bad. (Score:5, Interesting)

    by Annatar2 (558541) <krygsheldNO@SPAMsbcglobal.net> on Wednesday January 15, 2003 @08:38PM (#5091656)
    That's not so bad. My dad happens to be a garbage man and often brings along an occasional system he's scavenged from the dumpsters along his route. Currently I have in my possession an old IBM Aptiva with some guy's bank account information on it (He did his checking and stuff with it apparently), but worst of all I have what appears to be an old Gateway tower used to store Medical information for a major hospital in the area my father works. I have over 2 gigs of people's medical history, including what they were put in the hospital for, insurance information, release dates etc.

    I should really do the honest thing and reformat it but it's always fun to flip the thing on and just page through stuff.
  • On par for Ebay.. (Score:3, Interesting)

    by nolife (233813) on Wednesday January 15, 2003 @08:39PM (#5091658) Homepage Journal
    bought 158 used hard drives at secondhand computer stores and on eBay. Of the 129 drives that functioned

    Everyone knows that HD's contain data.. I would be more impressed if they broke down the numbers of where the BAD drives came from. That would make a much more informative story. I've bought as-is before in person but never online.
  • Re:yes (Score:3, Interesting)

    by silas_moeckel (234313) <{silas} {at} {dsminc-corp.com}> on Wednesday January 15, 2003 @08:40PM (#5091665) Homepage
    That was the Policy at the IBM facility I worked at in the early 90's. I tossed piles of computers into this big ugly compacting trailer once that was done with it I doubt you could recover anything. Funny thing about that is employees took piles of "compacted" parts home with them well I guess if they wanted the data in the first place they could have gotten it anyway in building security was light network wise until you hit big iron.
  • by bdigit (132070) on Wednesday January 15, 2003 @08:41PM (#5091674)
    Anyone happen to know any share/freeware programs out there for Windows 2k that will recover deleted files? I am interested in running it on my computer to actually see what I can recover and see how well PGP's disk wipe function works.
  • by NoMoreNicksLeft (516230) <john...oyler@@@comcast...net> on Wednesday January 15, 2003 @08:45PM (#5091704) Journal
    Data Fishing? I mean, you never know if you'll catch anything.
  • Re:yes (Score:4, Interesting)

    by cbuskirk (99904) on Wednesday January 15, 2003 @08:46PM (#5091719)
    Why not remove the hard drive and donate the computer to a local school. Even at a couple of years old the computer is still useful for students and the school would be more than happy to pick up a new hard drive for it.
  • I sledge them! (Score:3, Interesting)

    by callipygian-showsyst (631222) on Wednesday January 15, 2003 @08:51PM (#5091747) Homepage
    We go through a large # of computers a year, and I try to donate the carcass, or at least make sure it's recycled properly. (Charitable organizations, unless specially equipped to handle PCs, are wary of junk computer donations.)

    However, I *always* remove the hard disk drive, disassemble it, and give it the sledge hammer treatment. I just don't have the time to get them running again, and write the erase patterns to every track and sector.

    Maybe if there's ever a good, transparent, drive-level PGP available, I'll rethink this strategy, but until then, I put on the safety glasses and hammer away, after opening the drive case to expose the platters.

    Here's a suggestion to drive manufacturers--make a convention where if certain pins on the IDE connector are jumpered together, and the drive powered up, it will do a low-level format automatically. Then I might choose to erase the disks, so long as I didn't have to hook them up to a computer and run a program.

  • Re:PGP! (Score:3, Interesting)

    by jnik (1733) on Wednesday January 15, 2003 @08:54PM (#5091764)
    Also, what's the one-line unix command (running MacOS X here).
    for i in 1 2 3 4; do dd if=/dev/zero of=filename bs=1 count=filesize conv=notrunc; sync; dd if=/dev/random of=filename bs=1 count=filesize conv=notrunc; sync; done
    Roughly speaking that'll do it. I'm sure there's nice trickery you can do to, say, get the equivalent of /dev/true (opposite of /dev/zero) and get the size from the file, etc. etc. Note the sync's so it actually hits disc rather than buffer. Technically there should be a sleep or two in there in case of a journalled filesystem....
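Added example, not part of jnik's comment or of any tool named in this thread: the one-liner above generalized into a POSIX shell function that takes the size from the file itself, overwrites in place, and reads the result back. The function names are hypothetical and /dev/urandom is used as the random source; as the comment notes, a journalled filesystem may keep older copies that an in-place overwrite never touches.

```shell
#!/bin/sh
# Added example: in-place overwrite of one file, with read-back verification.
# file_size, overwrite_pass, is_zeroed and wipe_file are hypothetical names.

# Size of a file in bytes (tr strips the padding some wc versions print).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# One pass: stream exactly $3 bytes from device $2 over file $1.
# conv=notrunc stops dd from truncating the file first; truncation would
# free the old blocks and let the new data land elsewhere on the disk.
overwrite_pass() {
    head -c "$3" "$2" | dd of="$1" bs=65536 conv=notrunc 2>/dev/null || return 1
    sync    # flush this pass out of the buffer cache before the next one
}

# True if the file reads back as nothing but zero bytes.
is_zeroed() {
    head -c "$(file_size "$1")" /dev/zero | cmp -s - "$1"
}

# wipe_file FILE [PASSES]
# PASSES random passes (default 3), one final zero pass, then verification.
# Returns 0 only if the size is unchanged and the content reads back as zeros.
wipe_file() {
    target=$1
    passes=${2:-3}
    if [ ! -f "$target" ] || [ ! -w "$target" ]; then
        echo "not a writable regular file: $target" >&2
        return 2
    fi
    size=$(file_size "$target")
    [ "$size" -gt 0 ] || return 0    # empty file: nothing to overwrite

    i=0
    while [ "$i" -lt "$passes" ]; do
        overwrite_pass "$target" /dev/urandom "$size" || return 1
        i=$((i + 1))
    done
    overwrite_pass "$target" /dev/zero "$size" || return 1

    # A changed size means dd wrote past or short of the original extent.
    [ "$(file_size "$target")" -eq "$size" ] || return 1
    is_zeroed "$target"
}
```

Call it as `wipe_file path/to/file 7` for seven random passes. It works on a single file only; sectors the drive has remapped as bad, raised further down the thread, are out of reach of any file-level overwrite.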
  • Re:HD Abuse (Score:5, Interesting)

    by davidc (91400) <davidc@nosPAm.ccmi.salk.edu> on Wednesday January 15, 2003 @08:59PM (#5091794)
    Take 'em apart and use the magnets as fridge magnets. They hold up an enormous amount of paper, although they do tend to nip one's fingers occasionally :)
  • by b1t r0t (216468) on Wednesday January 15, 2003 @09:03PM (#5091820)
    A few years back I found some backup cartridge tapes (the big 4x6 kind) and a couple of tape drives at a Goodwill store. While there wasn't anything particularly useful on it, I could tell that it was the shell account machine used by half a dozen or so Ingres developers.

    No database code or data, just typical home directories and stuff. And they were running SCO, but boot blocks and stuff don't generally get written to tapes, so no chance of warezzing from it.

    I also snag SCSI hard drives and SyQuest cartridges when they show up for five bucks or less at thrift stores, since most of that is Mac stuff and I'm a Mac-head.

    Once I got a 6100 at a thrift store. I presume the owner stopped using it when the PRAM battery died. (When a 6100's PRAM battery dies, the video settings go with it, and unless you're using a fixed-frequency monitor, you get no video unless you hold down command-option-P-R. Looks like a real bad hardware problem when it's just the battery.) I could tell it was used by some college guy, studying to be a lawyer, I think.

    "Thrift store hard drives are like a box of chocolates... you never know what you'll find!"

  • Re:Not so bad. (Score:3, Interesting)

    by Compuser (14899) on Wednesday January 15, 2003 @09:03PM (#5091821)
    Why reformat it? Contact people on the list,
    and if there is a class action suit, then be
    a witness.
  • Re:I sledge them! (Score:4, Interesting)

    by jasonditz (597385) on Wednesday January 15, 2003 @09:05PM (#5091829) Homepage
    Speaking of this, whatever happened to the BIOS lowlevel format option? My old Laser 386 allowed you to lowlevel format any of the harddrives through CMOS setup... it would seem like that's a pretty simple feature to add, and plenty useful.
  • by deranged unix nut (20524) on Wednesday January 15, 2003 @09:06PM (#5091834) Homepage
    If I remember right, the DoD standard was to erase the file by writing random bits over it 7 times....although that was before some researchers found that you could still read the original data if you had a scanning electron microscope.

  • by WiPEOUT (20036) on Wednesday January 15, 2003 @09:06PM (#5091835)
    Not after they've been nuked for 10 seconds in a microwave oven set to "High". Trust me, or better yet, try it :)
  • by TheOnlyCoolTim (264997) <tim.bolbrock@nOspaM.verizon.net> on Wednesday January 15, 2003 @09:10PM (#5091854)
    I have heard that the DOD way of "sanitizing" a hard drive is to open it up and dissolve the platters in acid.

    Tim
  • by Unknown Poltroon (31628) <unknown_poltroon1sp@myahoo.com> on Wednesday January 15, 2003 @09:11PM (#5091860)
    I have had 2 drives fail well within the warranty period, and did not return them for just this reason.
  • Scary Thought (Score:3, Interesting)

    by Sayten241 (592677) on Wednesday January 15, 2003 @09:59PM (#5091877)
    So even if I take all the steps necessary to make sure my data is safe on my computer, odds are there is a business throwing away hard drives that have my data on them without properly removing all the data? Wow, I can't believe this isn't a hotter topic. I also wonder how this affects certain websites' privacy statements. Sure, they don't give your information away intentionally, but they may give away a hard drive full of personal data without even realizing it.
  • by AlexCV (261412) on Wednesday January 15, 2003 @10:05PM (#5091902)

    Costly? Get two similar HD and swap the PCB. Chances are decent that only the PCB was dead, there ya go all the data and no need to load up some forensic software to read the deleted data since the drive is assumed "dead".

    Yes, I have done this and recovered valuable information. Of course, both drives were mine anyway, but still.

    Alex
  • by Anonymous Coward on Wednesday January 15, 2003 @10:15PM (#5091937)
    Now for something really scary.
    I run a computer shop in the southeastern United States, much of my work involves the local school systems.
    Several years ago (Long before 9-11) a local school received a donation of several pallets of computers, monitors, printers, and other equipment from a local military installation. The donation was properly processed through the Defense Reutilization and Marketing Service (DRMS) and should have been cleared of any sensitive materiel.
    I was contracted by the school to take the entire load and build as many working systems as I could out of the parts. As I began to put systems together and power them up I was staggered by the fact that at least half of the hard drives were FULLY intact and no attempt at all had been made to remove sensitive data.
    I of course had to take a closer look. Much of the data concerned simple day to day non-sensitive routine base operations (I am ex-military so much of it was familiar to me). HOWEVER on one of the intact drives I found something that KNOCKED MY SOCKS OFF! Sitting there on that hard drive spinning on my work bench was a pile of data concerning the moving of NUCLEAR weapons and other nuclear materials and conventional weapons around the United States. The data contained information such as routes, schedules, manifests, and duty rosters. I WAS DUMBSTRUCK. How could this have happened? This drive should never have left a controlled area, EVER, it should have been destroyed. This was inexcusable!
    Of course in a situation such as this all manner of thoughts go through your head. Thoughts such as: What kind of damage could an enemy of the U.S. do with this data? What would this data be worth to someone unethically inclined? If they knew I saw this data they would probably lock me up and throw away the key just for good measure, and of course WHAT SHOULD I DO WITH THIS DATA?
    In the end I destroyed the hard drive and the data it contained and kept my mouth shut. That has been at least 8 or 9 years ago and until this day I have never told anyone and thank God that due to the passage of time I have forgotten most of the particulars of the data I saw.

  • What about RAM? (Score:3, Interesting)

    by n3rd (111397) on Wednesday January 15, 2003 @10:35PM (#5091999)
    At a former employer who will remain nameless they had secure areas. To get in you needed a clearance and if you didn't have a full government clearance all of the people in there would power off their boxes until you left. You were also constantly watched and doing sysadmin stuff in there was an adventure because they could do whatever they wanted since they weren't hooked up to the regular network.

    When they moved some of these labs all of the equipment was shrinkwrapped and escorted to the new location to prevent tampering while in transit.

    I think I had something to say. Oh yeah. Ok, when hard drives and backup tapes got old they had to format them X number of times (I forgot the exact number), then physically smash them and then burn the remains. All in a secure manner (ie: not taking them to the local Springfield Tire Fire).

    Anywho, a friend of mine had to replace RAM from one of their Suns, and I went with him. They let us leave with the RAM and didn't think twice about it. 2 or 3 minutes after we left my friend realized he may be able to take the RAM and actually read the data off of it somehow, assuming it was still saved.

    Perhaps this could be applied to other things including external processor caches and VRAM as well.
  • Random Bit Overwrite (Score:5, Interesting)

    by akamoe (519034) on Wednesday January 15, 2003 @10:36PM (#5092007)
    US DoD Spec: 3 passes
    German DoD Spec: 7 passes

    (from http://www.ontrack.com/library/dataeraser.pdf)

    -- R
  • multiple writes (Score:3, Interesting)

    by Forgotten (225254) on Wednesday January 15, 2003 @10:50PM (#5092064)

    There doesn't seem to be much point in overwriting more than once with the same zero pattern (the article makes this mistake too, though the original authors probably don't). There are really two levels of sophistication we're hoping to elude here:

    a) People using the drive's own interface to retrieve "deleted" data
    b) People doing direct signal analysis of the magnetic media to find successive generations of overwritten data

    Once you've overwritten the disk once (whether with dd, a real SCSI low-level format, or some other means), you're in regime (b). Assuming you're paranoid and/or justifiably concerned enough to bother with repeated writes, using the same bit pattern does little - and zeroing is especially non-optimal, from what I've read. Random bit patterns seem a likely candidate, but randomness is actually particularly easy to divine in a signal.

    People have experimented with instead writing various repetitions of constant strings with good success, but what might be ideal is a chaotic pattern that approximates the look of the expected data without divulging anything real (interesting thought - perhaps this is what some of the porn they found was for!). Write that a few times and you have a honeypot that might mislead a naive investigator into thinking there's nothing more to be found - but even this is difficult because the "freshness" of the bit patterns can be determined by their relative signal strength, and you can't simulate age using the default write current no matter how many new patterns you lay on. You can only hope you've made the old, real data so faint that it disappears into the background noise. Since there's no real way to guarantee this, people with real secrets to hide have to physically destroy the media. So much for reduce, reuse, recycle. ;)

    The technique of extracting the data is akin to the work of deep-sky astronomers, military listening posts, or even sedimentary archaeology. It's quite an interesting problem, as is making the data unrecognisable. The parallel with copy-protection is obvious, and the outcome is the same - an escalating war of technique between intrigued hackers, where the party acting later in time (the deprotector / signal analyst) always has an advantage.

    As an aside, when using dd to copy large amounts of data to disk you can often speed things up immensely by tailoring the (output) block size to the destination device.

  • Re:DPA (Score:5, Interesting)

    by tealover (187148) on Wednesday January 15, 2003 @10:53PM (#5092075)
    I remember working on my very first IBM pc. My girlfriend's mother was dating a guy and he gave her an old 8086 computer (this was back in '94 or thereabouts). Well, I started playing with the computer. He had an early version of Norton Utilities on it. I played with the undelete file utility and found that there were lots of deleted files. I recovered some of them and started to read them. Most were boring. One wasn't.

    This guy wrote about my g/f's mom about how he was banging her for the last 15 years. She had only been widowed for 10 years. He also complained about how she only came around when she needed money and how he was tired of banging her wrinkly ass.

    Also, this guy was a principal at an elementary school. He was apparently fucking several women at the school, even getting blowjobs at work!

    I was simply amazed. My g/f didn't even really know that this guy was dating her mom (some women are so stupid). She just thought he was a family friend. I couldn't tell her about what I found because I knew she would have been really upset.

    I learned from that day on that simply deleting a file was not going to hide anything. I'm actually holding onto a defective laptop that has been broken for months. I don't want to toss it out until I can either recover the hard drive data myself or until I can safely dispose of the hard drive.

  • Secure deletion (Score:2, Interesting)

    by Anonymous Coward on Wednesday January 15, 2003 @10:54PM (#5092082)
    There is no substitute for destruction, but if you want to re-sell, use:

    Autoclave [washington.edu]

    Autoclave is a boot disk w/ a Linux distro that will securely delete on five levels:

    Zero fill
    One random pass
    3 binary overwrite passes
    10 passes, some structured
    25 structured passes

    For *true* secure deletion. Policy at the University of Washington requires level 3 at least. Of course, I've bought some UW surplus computers with still-functioning Win98 on the drives...
  • by Anonymous Coward on Wednesday January 15, 2003 @10:59PM (#5092103)
    Last year, my employer of 12 years went out of business. The company was secretly being run improperly for quite a while and the owner closed the doors the same day he found out about the mismanagement.

    Being the IT director, I helped the owner, my friend, with the office computers. I planned on wiping all the hard drives and I informed the owner of my plan. He agreed that it was a good idea.

    For the next three months, watching the bankruptcy process unfold, I got questioned left and right as to why I wiped the data. The accountants wanted to know why...the lawyers wanted to know why...the liquidators wanted to know why...the court wanted to know why. I understand that a system with an installed OS is more valuable than one that has been wiped clean (the data had been backed up so there was no question of whether data had been destroyed) but this should not be unusual. Nobody asking me these questions were newbies--their jobs involved dealing with bankrupt companies and it was as if they had never seen this before!
  • Simson Garfinkel (Score:3, Interesting)

    by andy@petdance.com (114827) <andy@petdance.com> on Wednesday January 15, 2003 @11:16PM (#5092164) Homepage
    It's not as if it's just any "[t]wo MIT grad students". Garfinkel has written more than a handful of security books [oreillynet.com] over the years.
  • by dragonsister (321121) on Wednesday January 15, 2003 @11:55PM (#5092322) Homepage
    Depending how much someone is out to get you.

    There was a quote somewhere saying that a heap of data could be recovered from even a square millimetre of hard disk platter.

    So let's have a think about the maths. I don't know what the physical interior of a hard disk is like, but the exterior is in the vicinity of 10cm (4in) across. If the platter were square, that'd be 100*100 square millimetres. (It'd be round, so the actual number would be about 25% smaller.) Suppose we were talking about a 40gig disk. That's 4 meg per square millimeter.

    Now if hard disks were made up of lots of layers, say 1000 of them, that's still 4K per square millimeter per layer, and you've got one hell of a pulverising job ahead of you!

    There's good reason why high-security areas go through their elaborate sequences of electronic shredding (multiple data overwrites), physical shredding (makes the hammer look weak) and thermodynamic shredding (I daresay *someone* can get data off a hard-disk after you've treated it with thermite!)

    Rachel
  • by Anonymous Coward on Wednesday January 15, 2003 @11:55PM (#5092323)
    I used to work for the Queensland Police's IT department. We had to take used HDD to the dump personally and arrange for one of the bulldozers to crash them. Basically anything that had a memory chip had to be physically destroyed, old ram, old NICs, everything.
  • Boot and Nuke (Score:3, Interesting)

    by scubacuda (411898) <scubacuda@@@gmail...com> on Thursday January 16, 2003 @12:00AM (#5092344)
    Use Boot and Nuke [sourceforge.net].

    Burn the ISO, boot to the CD, then wait a *really* fucking long time for it to scramblefuck the drive. (You can also use a floppy disk...but nowadays why use something that a magnet could possibly fuck?)

    (I have no idea whether or not this is military-grade. Can anyone comment? And if not, provide something *better*?)

  • by chewedtoothpick (564184) <chewedtoothpick.hotmail@com> on Thursday January 16, 2003 @12:01AM (#5092349)
    Magnetic Separator...

    I have one, honest to god..

    It literally removes the magnetic code/signatures from the HDD. I used to work at a data recovery shop (yes one with static room where we physically remove the data etc...) and even we couldn't recover anything off a HDD that has been passed through one...

    The only bummer is they draw lots of amperage on a 220... (meaning they literally dim the lights even on my very well powered home...)

    The NSA/DOD/Whatever probably uses these when they erase a HDD for redistro/etc...
  • by packeteer (566398) <packeteer.subdimension@com> on Thursday January 16, 2003 @12:01AM (#5092351)
    Assuming a DNA sample is not old or degraded too much you can tell between identical twins. Twins have the same genes but not the same DNA. Same thing with clones. A clone would not be exactly the same... there are many ways to tell the difference between the two.
  • by Anonymous Coward on Thursday January 16, 2003 @12:02AM (#5092357)
    Actually, I purposely break old HDs by taking them apart. Why? There's a set of cool ultra powerful rare-earth magnets inside usually. (I'm talking strong enough to hold a book to a fridge.) ;)
  • by Anonymous Coward on Thursday January 16, 2003 @12:09AM (#5092385)
    My wife's company - health care company - gave away the old office computers a few years ago. Without wiping the hard disks. We got two computers - both the co-owners with all of the memos intact. It made for some interesting reading - filling in those awkward questions about people who didn't come to the company picnic.
  • by Brad1138 (590148) <brad1138@yahoo.com> on Thursday January 16, 2003 @12:15AM (#5092408)
    I disassemble my old drives. The Magnet makes one hell of a good Refrigerator magnet and the discs make good pocket mirrors for wife or frisbees for kids.
  • Here's a question: (Score:4, Interesting)

    by nightherper (635698) on Thursday January 16, 2003 @12:16AM (#5092413) Homepage
    Say you are working on an uber secret project (or military plans or viewing gay pr0n) and the "men in black" come running in your house. Assuming you are more than 5 seconds away from being on the floor with a knee on your neck, how would you keep intruders from getting your data? (Or looking at what you were viewing, you sick freak)

    Some sort of explosive device on a trigger next to your mouse?
    A shotgun blast? (Hoping you hit the drives and don't get shot...)
    Fast acting fantasy software to write random data 144 times over the disk in mere milliseconds?

  • by Sir Spank-o-tron (18193) on Thursday January 16, 2003 @12:56AM (#5092524) Homepage
    I've had to RMA a drive (Seagate, I think) that had all our magic encryption keys. So I opened it, pulled the platters, and sent it in.

    They didn't say a damned thing, and sent us a new drive. Each of the engineers took a platter and did away with it. No problem!
  • by Anonymous Coward on Thursday January 16, 2003 @01:24AM (#5092599)
    Has anybody tried applying +12&+5VDC to an old hard drive, allow it to spin up to full operating speed (pref. 15KRPM), and THEN shoot it?

    Should produce some interesting results. It'd be interesting to see the different effect from hitting dead center on the hub as compared to (on a different, identical drive) the outermost rim.

  • by deranged unix nut (20524) on Thursday January 16, 2003 @02:15AM (#5092732) Homepage
    I like the stack of lost floppy disks sitting in the campus lab. One day I started looking through them.

    On the third disk I noticed a file named "Moms Credit Card". We can all guess what the file contained.

    Fortunately for that poor student, I'm a nice guy and I wiped the disk so that the information wouldn't be abused. However, the next disk contained Frat Party planning meeting minutes that were quite entertaining. (Someone was violating campus alcohol rules.)

    Anyway, I stopped looking after the 5th disk, and there were over 500 lost disks in that lab. All of the disks were found within the last 4 months. If you want to get dirt to use on people, visit a college lab, shuffle through the lost disks, hold onto the information for a few years and then see how much that lost disk is worth to them.
  • by Nogami_Saeko (466595) on Thursday January 16, 2003 @05:17AM (#5093175)
    That's another good point that this article doesn't mention:

    If you have a HD that has sectors that go bad, many HDs (or operating systems) will mark the block as bad and off-limits so it doesn't get used any more.

    This of course poses a problem with most "erase" type programs, as there may not be a way that the eraser can override either the operating system "bad block" mark, or the drive's "bad block" internal mapping.

    If something critical happens to be in a block marked bad on the HD, there may not be any way to securely erase it 100% via software and you'd need to destroy it physically.
  • by tagman2 (641802) on Thursday January 16, 2003 @06:52AM (#5093373)
    Summary of the long posting below:
    • Data from a hard disk that has been wiped multiple times can be recovered.
    • Data left in SRAM and DRAM for a long period of time can be recovered even though the system has been powered off for a while and the SRAM has been cleared.
    • While it is hard to recover wiped and old data, it is not impossible.

    First, a little background:

    I belong to a group that polls/tracks certain elections around the world. In one recent election, there were a number of claims of voting irregularities. Our group became part of a post-election analysis team to look into these irregularities.

    We were able to determine that one desktop system in particular contained some critical raw voting data (raw precinct counts of per ballot slot data). The election officials were more than reluctant to give us a copy of that raw data. By the time we were granted an order requiring the election officials to let us access the data, someone had attempted to thoroughly wipe the desktop system of all traces of data.

    We thought we had lost that critical data. But thanks to a chain of contacts we were referred to a consultant that specializes in extremely difficult data recovery. After checking some references (and obtaining more money from OUR client: the consultant was VERY expensive), we hired this consultant.

    Much to the surprise of the election officials we obtained an order that allowed us to physically take possession of the system. The system was turned over to the consultant who recovered enough critical election data for our needs.

    The recovery included data from the wiped system hard drive as well as from SRAM and DRAM.

    Regarding disk recovery:

    The disk drive had been wiped by a utility that, we presume, had been run from a CDROM. The wipe tool wrote over the entire disk 35 times, 8 of them were random and 27 of them were fixed patterns of 3 bytes each.

    Not all disk data was recovered. Part of the reason was that the data recovery method was not 100% perfect. Part of the reason that some data was not recovered was a simple matter of time. (The consultant was in between two already committed projects and only had a limited amount of time to work for us.)

    The consultant did recover some deleted files that were critical to our work. Not everything was recovered, however. Parts of the swap/VM-paging area that might have contained some useful data were not recovered. Also some disk data critical to file and directory layout was not recovered making recovery of parts of the file system layout difficult to map.

    Still, some important files (a spreadsheet, simple database file, browser cache, some EMail, etc.) were recovered even though the drive had been wiped 35 times!

    Regarding SRAM recovery:

    n3rd [slashdot.org] posted a comment asking about recovering data from RAM.

    There are methods that can recover RAM data. Both SRAM and DRAM can be recovered.

    According to the consultant, the storage of the same data in SRAM over a long period of time has the effect of altering the preferred power-up state. They said that SRAM can ''remember'' data for days after it held it for a long period of time. This memory can be determined by a ''partial powerup'' (I presume they mean a lower than normal voltage?) and then going ''full on'' and reading the initial values of memory.

    In the case described above, the SRAM had been deliberately cleared prior to our group taking possession of the system. The consultant was able to recover the original data even though the SRAM had been cleared and the system had been powered off for more than a day. A simple clearing of memory was not enough to wipe out the long-held memory effect.

    Regarding DRAM recovery:

    DRAM data was also recovered. Data left in DRAM for a long period of time can leave an ''impression'' thru a process somewhat different from SRAM.

    As explained by the consultant: With DRAM, recovery comes not from detecting any left over charge, but rather detecting the stress (or lack of stress) from the thin oxide of the cell's storage capacitor dielectric. The effect of this stress can be measured by using the DRAM self-test feature. In self-test mode, a small voltage is applied to a cell in order to measure its margin for error. The self-test margin is increased or decreased by the amount of oxide stress.

    Not all of the DRAM memory was recovered. However, certain critical portions of the DRAM held values for a long enough period of time that data was recovered, even though the system had been powered off for more than a day. Data recovered included memory associated with a browser and a spreadsheet. Even though both the browser and the spreadsheet were closed prior to the system being wiped, they were left running long enough to leave behind their DRAM oxide stress.

    Based in part on the recovered data, we concluded that candidate A was declared the winner due to a ''mistake'' in mapping ballot slot numbers to candidates. In some cases the slots for candidate A and B were reversed.

    An incorrect vote count was reported by the election officials. It is our guess that when we came around asking for the raw data, someone began to collect it. At some point some official(s) discovered the blunder. The system was left on while they stalled for time. When it was clear that we were going to force them to turn over the data someone wiped the system and shut it down.

    BTW: The majority of the election officials involved were supporters of candidate B. Even though their blunder caused them to declare candidate A the winner, they still tried to cover up their mistake.

    Our conclusion was that the attempt to cover up the mistake was motivated by not wanting to admit the major blunder instead of because of candidate A's influence. This conclusion was reached in part because of messages that we recovered on another system that was not wiped. However, we would have never been able to find that other system, nor would we have been able to match the raw slot numbers with the reported vote counts by candidate name without the help of the data recovery consultant and the critical data that they recovered.

    I'll offer a few observations:

    • Volatile data such as SRAM and DRAM is not as volatile as you might think.
    • With enough will, skill and effort, old data can be recovered from a disk that has been overwritten multiple times.
    • Packages such as PGP file wipe, GNU shred or Boot and Nuke [sourceforge.net] are likely to only make it harder, but not impossible, to recover the data.
    • To quote from a paper by Peter Gutmann:
      ''Data which is overwritten an arbitrarily large number of times can still be recovered provided that the new data isn't written to the same location as the original data (for magnetic media), or that the recovery attempt is carried out fairly soon after the new data was written (for RAM). For this reason it is effectively impossible to sanitise storage locations by simple (sic) overwriting them, no matter how many overwrite passes are made or what data patterns are written.''
      And even though that paper next says:
      ''However by using the relatively simple methods presented in this paper the task of an attacker can be made significantly more difficult, if not prohibitively expensive.''
      For our consultant, the recovery process was hard but not extremely difficult. It was expensive for us, however. :-( But we were happy to pay to have it done. :-)
    • Whoever wrote the 35-pass disk wipe tool must have read that paper, or one similar to it, because the overwrite patterns looked similar to the recommended list.

    P.S. I know that some people doubt [slashdot.org] that one can obtain old data from SRAM and DRAM after poweroff. I did too until it was done for our group. To those who still doubt this: I will refer you to Peter Gutmann's paper on Secure Deletion of Data from Magnetic and Solid-State Memory [auckland.ac.nz] for another source on data recovery methods.
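For readers who want to see what the "35 passes, 8 random and 27 fixed patterns of 3 bytes" schedule described in the comment above looks like in practice, here is an added example; it is not part of the original post and is not the wipe tool that was found on that system. The pattern list follows the one in Gutmann's paper, applied here in a fixed order for simplicity, and the function names and the sample file are constructed for illustration.

```python
import os
import tempfile

# Repeating 3-byte patterns aimed at MFM/RLL encodings (used twice in the list).
MFM_RLL = [bytes.fromhex(h) for h in ("924924", "492492", "249249")]

def pass_schedule():
    """35 passes: None = random data, bytes = a repeating 3-byte fixed pattern."""
    fixed = [b"\x55" * 3, b"\xaa" * 3] + MFM_RLL
    fixed += [bytes([n * 0x11]) * 3 for n in range(16)]  # 0x00, 0x11 ... 0xFF
    fixed += MFM_RLL
    fixed += [bytes.fromhex(h) for h in ("6db6db", "b6db6d", "db6db6")]
    return [None] * 4 + fixed + [None] * 4

def fill(pattern, length):
    """One pass worth of data, exactly `length` bytes long."""
    if pattern is None:
        return os.urandom(length)
    return (pattern * (length // 3 + 1))[:length]

def overwrite(path, chunk=3 << 18):
    """Overwrite a file in place with every pass; return how many fixed passes read back intact."""
    size = os.path.getsize(path)
    verified = 0
    with open(path, "r+b") as f:
        for pattern in pass_schedule():
            f.seek(0)
            for off in range(0, size, chunk):  # chunk is a multiple of 3, so the pattern phase holds
                f.write(fill(pattern, min(chunk, size - off)))
            f.flush()
            os.fsync(f.fileno())  # push this pass out of the OS cache before the next one
            if pattern is not None:
                f.seek(0)
                verified += f.read() == fill(pattern, size)
    return verified

def demo():
    """Wipe a constructed sample file; return (verified passes, secret still present?)."""
    secret = b"CONSTRUCTED-SAMPLE: slot 3 = candidate B"
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(secret * 1000)
        verified = overwrite(path)
        with open(path, "rb") as f:
            return verified, secret in f.read()
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(demo())
```

The read-back check only proves that the logical file now holds the last pattern written. Copies held in filesystem journals, remapped sectors or flash wear-levelling areas are never touched by a file-level overwrite, which is the "same location" condition in the Gutmann quote above.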

  • by Anonymous Coward on Thursday January 16, 2003 @07:08AM (#5093418)
    I bought a refurbished Power Mac not so long ago and it appeared to come from United Airlines and did contain quite an amount of serious sensitive data. Reports/emails about illness of an employee, financial stuff, flight planning etc.

    It was right there, no attempt had been made to delete it at all. Sigh.
  • by Anonymous Coward on Thursday January 16, 2003 @07:47AM (#5093516)
    My company bought a new hard drive once from a large retailer. It had a conspicuous scratch on it so we checked out the contents before overwriting, thinking it might not be all that new. We found some rather personal stuff there. Pictures of baby taking a bath with dad and so forth. I can understand regular people not thinking of wiping a drive before returning it (and perhaps being unable to, if it's not functioning quite right or the box won't even boot), but if you're going to sell a refurbished drive at the price of a new one, better wipe that sucker good. Then there's the more serious issue of them handing their customer's private data over to another customer.

    Another interesting case came up when my company was in its death throes and was firing people left and right. When the admin was backing up the content of their hard drives prior to wiping, a lot of interesting non-work-related stuff cropped up. I'm not talking about a little gay porn. One guy had dozens of documents related to different couples' divorce proceedings! Ouch ;)

    The real lesson here is that the people you sometimes have to entrust your data to can't necessarily be trusted.

  • Computer Repairs (Score:2, Interesting)

    by Gigacorpse (641080) on Thursday January 16, 2003 @08:53AM (#5093790)
    One thing to consider is turning your system in for repairs. I used to own an Apple G4 Cube and when I sent it in for repair, Apple decided simply to send me a new one. While I didn't have anything on the hard drive except some MP3s and Email, who knows where that disk is now and who has it? It is something to think about if you have your computer serviced.

    After reading all the posts of this topic, I have concluded that physical destruction is the best way to go. Although I have no doubt that a program designed to securely erase the hard disk would be effective enough for me, my hard disks are simply too big for this approach. Who wants to wait on 7 or more passes on a 120GB hard disk?
  • by numark (577503) <jcolson@@@ndgonline...com> on Thursday January 16, 2003 @10:43AM (#5094600) Homepage Journal
    And then you got Gutmann deletion, which uses 35 passes, each of which, when combined together, basically flips the bits so much that the data is really unrecoverable. It's even designed to get around caching and the various encoding standards for hard drives.
  • by Anonym0us Cow Herd (231084) on Thursday January 16, 2003 @11:26AM (#5094965)
    I'd like to see IDE hard drives that encrypt every sector -- but done in the drive's electronics.

    Before the drive can be used, the mainboard (BIOS?) must first issue an IDE command to set the key that the drive used for reading/writing each sector.

    With a properly configured BIOS, the BIOS could ask you for the key during power on self test.

    You run your computer off a UPS. If the bad guys are going to serve a warrant, raid you and steal your gear, they might first cut the power to prevent you from inserting a Linux "reformat-the-drive" floppy and punching reset. The UPS helps against this.

    But even if you can't get the drive reformatted, and the bad guys attach your drive to one of those drive copying gizmos to collect evidence, all they get is encrypted blocks. Or better, if the drive electronics detects an attempt to do this, massive sequential copying of blocks, but without first having issued the decryption key command, then the drive electronics could simultaneously return random bytes through the IDE interface to the copying gizmo while actually overwriting the corresponding sector on the drive with different random data.

    Another way to look at this from the point of view of the drive electronics is that if the drive is powered up, and very much access is attempted without the decryption key command, then the drive can assume that it is NOT physically in the good guy's computer where it belongs.

    While the technique described here is also good to prevent data mining of your hard drive, it is most useful in preventing data mining by the bad guys who might steal your drive for evidence.
  • by lhand (30548) on Thursday January 16, 2003 @11:54AM (#5095185)
    Years ago I bought a CP/M system complete with a 30MB 14" hard disc at a computer show consignment table. I couldn't get it to boot up but I was able to poke around on the disc by writing and reading directly to the controller. I discovered some erased files and one was the previous owner's resume, a developer for Pickles and Trout. So... I called him up and he helped me get it working. He was surprised I found his deleted resume and I assured him I'd wipe it as soon as I got it working. That drive also had the source to most of their CP/M development. It made for some fun reading, pre-DMCA, of course.
  • Re:Better yet! (Score:2, Interesting)

    by R2.0 (532027) on Thursday January 16, 2003 @11:57AM (#5095222)
    Blowfish http://bsn.ch/Lasse/bfacs.htm
    (sorry, me mechanical engineer, me think link is machine part)

    Has a utility to blow away hard drives, or at least clear all the empty space.
