Data Mining Used Hard Drives 695
linuxwrangler writes "One hopes the /. crowd knows the perils of discarding storage with sensitive data but this article drives home the point. Two MIT grad students bought used drives from eBay and secondhand computer stores. Among the data found on the 158 drives were 5,000 credit-card numbers, porn, love-letters and medical information."
Thats pretty cool (Score:2, Interesting)
How many credit cards per hard disk??? (Score:1, Interesting)
Data worth more than the computer (Score:5, Interesting)
Some computers sold on eBay are sold for the data [ebay.com].
scary (Score:2, Interesting)
Occasionally there are new reports about someone finding a stack of files by a dumpster containing sensitive medical or financial information about a lot of people. The same surely holds true for old drives or computers disposed of by careless companies.
I can relate (Score:5, Interesting)
Re:just shoot the drive (Score:2, Interesting)
Because it's businesses selling the drives with their customer lists still on them, which are probably worth more in many cases than the CC#'s.
Not so bad. (Score:5, Interesting)
I should really do the honost thing and reformat it but its always fun to flip the thing on and just page through stuff.
On par for Ebay.. (Score:3, Interesting)
Everyone knows that HD's contain data.. I would be more impressed if they broke down the numbers of where the BAD drives came from. That would make a much more informative story. I've bought as-is before in person but never online.
Re:yes (Score:3, Interesting)
Comment removed (Score:4, Interesting)
Shouldn't the title be... (Score:3, Interesting)
Re:yes (Score:4, Interesting)
I sledge them! (Score:3, Interesting)
However, I *always* remove the hard disk drive, disassemble it, and give it the sledge hammer treatment. I just don't have the time to get them running again, and write the erase patterns to every track and sector.
Maybe if there's ever a good, transparent, drive-level PGP available, I'll rethink this strategy, but until then, I put on the safety glasses and hammer away, after opening the drive case to expose the platters.
Here's a sugesstion to drive manufacturers--make a convention where if certain pins on the IDE connector are jumpered together, and the drive powered up, it will do a low-level format automatically. Then I might choose to erase the disks, so long as I didn't have to hook them up to a computer and run a program.
Re:PGP! (Score:3, Interesting)
Roughly speaking that'll do it. I'm sure there's nice trickery you can do to, say, get the equivalent of
Re:HD Abuse (Score:5, Interesting)
It's not just hard drives (Score:5, Interesting)
No database code or data, just typical home directories and stuff. And they were running SCO, but boot blocks and stuff don't generally get written to tapes, so no chance of warezzing from it.
I also snag SCSI hard drives and SyQuest cartridges when they show up for five bucks or less at thrift stores, since most of that is Mac stuff and I'm a Mac-head.
Once I got a 6100 at a thrift store. I presume the owner stopped using it when the PRAM battery died. (When a 6100's PRAM battery dies, the video settings go with it, and unless you're using a fixed-frequency monitor, you get no video unless you hold down command-option-P-R. Looks like real bad a hardware problem when it's just the battery.) I could tell it was used by some college guy, studying to be a lawyer, I think.
"Thrift store hard drives are like a box of chocolates... you never know what you'll find!"
Re:Not so bad. (Score:3, Interesting)
and if there is a class action suit, then be
a witness.
Re:I sledge them! (Score:4, Interesting)
Re:Luckily for me, my Ebay'd hard drives are safe (Score:3, Interesting)
Re:Luckily for me, my Ebay'd hard drives are safe (Score:2, Interesting)
Re:Oh, man. Hear it comes. (Score:3, Interesting)
Tim
this is also a problem for warranty. (Score:5, Interesting)
Scary Thought (Score:3, Interesting)
Re:Luckily for me, my Ebay'd hard drives are safe (Score:2, Interesting)
Costly? Get two similar HD and swap the PCB. Chances are decent that only the PCB was dead, there ya go all the data and no need to load up some forensic software to read the deleted data since the drive is assumed "dead".
Yes, I have done this and recovered valuable information. Of course, Both drives where mine anyway, but still.
AlexThis does not surprise me at all. (Score:3, Interesting)
I run a computer shop in the southeastern United States, much of my work involves the local school systems.
Several years ago (Long before 9-11) a local school received a donation of several pallets of computers, monitors, printers, and other equipment from a local military installation. The donation was properly processed through the Defense Reutilization and Marketing Service (DRMS) and should have been cleared of any sensitive materiel.
I was contracted by the school to take the entire load and build as many working systems as I could out of the parts. As I begin to put systems together and power them up I was staggered by the fact that at least half of the hard drives were FULLY intact and no attempt at all had been made to remove sensitive data.
I of course had to take a closer look. Much of the data concerned simple day to day non-sensitive routine base operations (I am x-military so much of it was familiar to me). HOWEVER on one of the intact drives I found something that KNOCKED MY SOCKS OFF! Setting there on that hard drive spinning on my work bench was pile of data concerning the moving of NUCLEAR weapons and other nuclear materials and conventional weapons around the United States. The data contained information such as routes, schedules, manifests, and duty rosters. I WAS DUMBSTRUCK. How could this have happened? This drive should never have left a controlled area, EVER, it should have been destroyed. This was inexcusable!
Of course in a situation such as this all manner of thoughts go though your head. Thoughts such as; What kind of damage could a enemy of the U.S. do with this data. What would this data be worth to someone unethically inclined. If they knew I saw this data they would probably lock me up and throw away the key just for good measure, and of course WHAT SHOULD I DO WITH THIS DATA?
In the end I destroyed the hard drive and the data it contained and kept my mouth shut. That has been at least 8 or 9 years ago and until this day I have never told anyone and thank God that due to the passage of time I have forgotten most of the particulars of the data I saw.
What about RAM? (Score:3, Interesting)
When they moved some of these labs all of the equipment was shrinkwrapped and escorted to the new location to prevent tampering while in transit.
I think I had something to say. Oh yeah. Ok, when hard drives and backup tapes got old they had to format them X number of times (I forgot the exact number), then physically smash them and then burn the remains. All in a secure manner (ie: not taking them to the local Springfile Tire Fire).
Anywho, a friend of mine had to replace RAM from one of their Suns, and I went with him. They let us leave with the RAM and didn't think twice about it. 2 or 3 minutes after we left my friend realized he may be able to take the RAM and actually read the data off of it somehow, assuming it was still saved.
Perhaps this could be applied to other things including external processor caches and VRAM as well.
Random Bit Overwrite (Score:5, Interesting)
German DoD Spec: 7 passes
(from http://www.ontrack.com/library/dataeraser.pdf)
-- R
multiple writes (Score:3, Interesting)
There doesn't seem to be much point in overwriting more than once with the same zero pattern (the article makes this mistake too, though the original authors probably don't). There are really two levels of sophistication we're hoping to elude here:
a) People using the drive's own interface to retrieve "deleted" datab) People doing direct signal analysis of the magnetic media to find successive generations of overwritten data
Once you've overwritten the disk once (whether with dd, a real SCSI low-level format, or some other means), you're in regime (b). Assuming you're paranoid and/or justifiably concerned enough to bother with repeated writes, using the same bit pattern does little - and zeroing is especially non-optimal, from what I've read. Random bit patterns seem a likely candidate, but randomness is actually particularly easy to divine in a signal.
People have experimented with instead writing various repetitions of constant strings with good success, but what might be ideal is a chaotic pattern that approximates the look of the expected data without divulging anything real (interesting thought - perhaps this is what some of the porn they found was for!). Write that a few times and you have a honeypot that might mislead a naive investigator into thinking there's nothing more to be found - but even this is difficult because the "freshness" of the bit patterns can be determined by their relative signal strength, and you can't simulate age using the default write current no matter how many new patterns you lay on. You can only hope you've made the old, real data so faint that it disappears into the background noise. Since there's no real way to guarantee this, people with real secrets to hide have to physically destroy the media. So much for reduce, reuse, recycle. ;)
The technique of extracting the data is akin to the work of deep-sky astronomers, military listening posts, or even sedimentary archaeology. It's quite an interesting problem, as is making the data unrecognisable. The parallel with copy-protection is obvious, and the outcome is the same - an escalating war of technique between intrigued hackers, where the party acting later in time (the deprotector / signal analyst) always has an advantage.
As an aside, when using dd to copy large amounts of data to disk you can often speed things up immensely by tailoring the (output) block size to the destination device.
Re:DPA (Score:5, Interesting)
This guy wrote about my g/f's mom about how he was banging her for the last 15 years. She had only been widowed for 10 years. He also complained about how she only came around when she needed money and how he was tired of banging her wrinkly ass.
Also, this guy was a principal at an elementary school. He was apparently fucking several women at the school, even getting blowjobs at work!
I was simply amazed. My g/f didn't even really know that this guy was dating her mom (some women are so stupid). She just thought he was a family friend. I couldn't tell her about what I found because I knew she would have been really upset.
I learned from that day on that simply deleting a file was not going to hide anything. I'm actually holding onto a defective laptop thathas been broken for months. I don't want to toss it out until I can either recover the harddrive data myself or until I can safely dispose of the harddrive.
Secure deletion (Score:2, Interesting)
Autoclave [washington.edu]
Autoclave is a boot disk w/ a Linux distro that will securely delete on five levels:
Zero fill
One random pass
3 binary overwrite passes
10 passes, some structured
25 structured passes
For *true* secure deletion. Policy at the University of Washington requires level 3 at least. Of course, I've bought some UW surplus computers with still-functioning Win98 on the drives...
Interesting reaction on hard drive wiping (Score:4, Interesting)
Being the IT director, I helped the owner, my friend, with the office computers. I planned on wiping all the hard drives and I informed the owner of my plan. He agreed that it was a good idea.
From the next three months, watching the bankruptcy process unfold, I got questioned left and right as to why I wiped the data. The accountants wanted to know why...the lawyers wanted to know why...the liquidators wanted to know why...the court wanted to know why. I understand that a system with an installed OS is more valuable than one that has been wiped clean(the data had been backed up so there was no question of whether data had been destroyed) but this should not be unusual. Nobody asking me these questions were newbies--their jobs involved dealing with bankrupt companies and it was as if they had never seen this before!
Simson Garfinkel (Score:3, Interesting)
A hammer may not be enough! (Score:2, Interesting)
There was a quote somewhere saying that a heap of data could be recovered from even a square millimetre of hard disk platter.
So let's have a think about the maths. I don't know what the physical interior of a hard disk is like, but the exterior is in the vicinity of 10cm (4in) across. If the platter were square, that'd be 100*100 square millimetres. (It'd be round, so the actual number would be about 25% smaller.) Suppose we were talking about a 40gig disk. That's 4 meg per square millimeter.
Now if hard disks were made up of lots of layers, say 1000 of them, that's still 4K per square millimeter per layer, and you've got one hell of a pulverising job ahead of you!
There's good reason why high-security areas go through their elaborate sequences of electronic shredding (multiple data overwrites), physical shredding (makes the hammer look weak) and thermodynamic shredding (I daresay *someone* can get data off a hard-disk after you've treated it with thermite!)
Rachel
Re:used to work with the police (Score:1, Interesting)
Book and Nuke (Score:3, Interesting)
Burn the ISO, boot to the CD, then wait a *really* fucking long time for it to scamblefuck the drive. (You can also use a floppy disk...but nowawayd why use something that a magnet could possibly fuck?)
(I have no idea whether or not this is military-grade. Can anyone comment? And if not, provide something *better*?)
Re:Oh, man. Hear it comes. (Score:4, Interesting)
I have one, honest to god..
It literally removes the magnetic code/signatures from the HDD. I used to work at a data recovery shop (yes one with static room where we physically remove the data etc...) and even we couldn't recover anything off a HDD that has been passed through one...
The only bummer is they draw lots of amperage on a 220... (meaning they literally dim the lights even on my very well powered home...)
The NSA/DOD/Whatever probably uses these when they erase a HDD for redistro/etc...
Re:Luckily for me, my Ebay'd hard drives are safe (Score:4, Interesting)
Re:Luckily for me, my Ebay'd hard drives are safe (Score:1, Interesting)
Used computers from the office (Score:1, Interesting)
Uses for your destroyed drive (Score:2, Interesting)
Here's a question: (Score:4, Interesting)
Some sort of explosive device on a trigger next to your mouse?
A shotgun blast? (Hoping you hit the drives and don't get shot...)
Fast acting fantasy software to write random data 144 times over the disk in mere milliseconds?
shit i pull the platters (Score:2, Interesting)
They didn't say a damned thing, and sent us a new drive. Each of the engineers took a platter and did away with it. No problem!
Shoot a drive while it is spinning? (Score:3, Interesting)
Should produce some interesting results. It'd be interesting to see the different effect from hitting dead center on the hub as compared to (on a different, identical drive) the outermost rim.
Re:Your old HD is safe. (Score:3, Interesting)
On the third disk I noticed a file named "Moms Credit Card". We can all guess what the file contained.
Fortunately for that poor student, I'm a nice guy and I wiped the disk so that the information wouldn't be abused. However, the next disk contained Frat Party planning meeting minutes that were quite entertaining. (Someone was violating campus alcohol rules.)
Anyway, I stopped looking after the 5th disk, and there were over 500 lost disks in that lab. All of the disks were found withing the last 4 months. If you want to get dirt to use on people, visit a college lab, shuffle through the lost disks, hold onto the information for a few years and then see how much that lost disk is worth to them.
Re:That Rarely Works Any More (Score:4, Interesting)
If you have a HD that has sectors that go bad, many HDs (or operating systems) will mark the block as bad and off-limits so it doesn't get used any more.
This of course poses a problem with most "erase" type programs, as there may not be a way that the eraser can override either the operating system "bad block" mark, or the drive's "bad block" internal mapping.
If something critical happens to be in a block marked bad on the HD, there may not be any way to securely erase it 100% via software and you'd need to destroy it physically.
A story of DISK, SRAM and DRAM data recovery (Score:5, Interesting)
First, a little background:
Regarding disk recovery:
Regarding SRAM recovery:
Regarding DRAM recovery:
Based in part on the recovered data, we concluded that candidate A was declared the winner due to a ''mistake'' in mapping ballot slot numbers to candidates. In some cases the slots for candidate A and B were reversed.
An incorrect vote count was reported by the election officials. It is our guess that when we came around asking for the raw data, someone began to collect it. At some point some official(s) discovered the blunder. The system was left on while they stalled for time. When it was clear that we were going to force them to turn over the data someone wiped the system and shut it down.
BTW: The majority of the election officials involved were supporters of candidate B. Even though their blunder caused them to declare candidate A the winner, they still tried to coverup their mistake.
Our conclusion was that the attempt to coverup the mistake was motivated by not wanting to admit the major blunder instead of because of candidate A's influence. This conclusion was reached in part because of messages that we recovered on another system that was not wiped. However we would have never been able to find that other system, nor would we have been able to match the raw slot numbers with the reported vote counts by candidate name without the help of the data recovery consultant and the critical data that they recovered.
I'll offer a few observations:
P.S. I know that some people doubt [slashdot.org] that one can obtain old data from SRAM and DRAM after poweroff. I did too until it was done for our group. To those who still doubt this: I will refer you to Peter Gutmann's paper on Secure Deletion of Data from Magnetic and Solid-State Memory [auckland.ac.nz] for another source on data recovery methods.
Refurbished computers (Score:1, Interesting)
It was right there, no attempt had been made to delete it at all. Sigh.
Not just old hard drives (Score:1, Interesting)
Another interesting case came up when my company was in its death throes and was firing people left and right. When the admin was backing up the content of their hard drives prior to wiping, a lot of interesting non-work-related stuff cropped up. I'm not talking about a little gay porn. One guy had dozens of documents related to different couples' divorce proceedings! Ouch ;)
The real lesson here is that the people you sometimes have to entrust your data to can't necessarily be trusted.
Computer Repairs (Score:2, Interesting)
After reading all the posts of this topic, I have concluded that physical destruction is the best way to go. Although I have no doubt that a program designed to securely erase the hard disk would be effective enough for me, my hard disks are simply too big for this approach. Who wants to wait on 7 or more passes on a 120GB hard disk?
Re:Random Bit Overwrite (Score:2, Interesting)
A feature I'd like to see in hard drives (Score:2, Interesting)
Before the drive can be used, the mainboard (bios?) must first issue an ide command to set the key that the drive used for reading/writing each sector.
WIth a properly configured bios, the bios could ask you for the key during power on self test.
You run your computer off a UPS. If the bad guys are going to serve a warrant, raid you and steal your gear, they might first cut the power to prevent you from inserting a linux "reformt-the-drive" floppy and punching reset. The UPS helps against this.
But even if you can't get the drive reformatted, and the bad guys attach your drive to one of those drive copying gizmos to collect evidence, all they get is encrypted blocks. Or better, if the drive electronics detects an attempt to do this, massive sequential copying of blocks, but without first having issued the decryption key command, then the drive electronics could simultaneously return random bytes to through the ide interface to the copying gizmo while actually overwriting the corresponding sector on the drive with different random data.
Another way to look at this from the point of view of the drive electronics is that if the drive is powered up, and very much access is attempted without the decryption key command, then the drive can assume that it is NOT physically in the good guy's computer where it belongs.
While the technique described here is also good to prevent data mining of your hard drive, it is most useful in preventing data mining by the bad guys who might steal your drive for evidence.
YASS (yet another similar story) (Score:3, Interesting)
Re:Better yet! (Score:2, Interesting)
(sorry, me mechanical engineer, me think link is machine part)
Has a utility to blow away hard drives, or at least clear all the empty space.