Please create an account to participate in the Slashdot moderation system


Forgot your password?

Data Mining Used Hard Drives 695

linuxwrangler writes "One hopes the /. crowd knows the perils of discarding storage with sensitive data but this article drives home the point. Two MIT grad students bought used drives from eBay and secondhand computer stores. Among the data found on the 158 drives were 5,000 credit-card numbers, porn, love-letters and medical information."
This discussion has been archived. No new comments can be posted.

Data Mining Used Hard Drives

Comments Filter:
  • by Anonymous Coward on Wednesday January 15, 2003 @09:30PM (#5091581)
    There IS pornography on your computer!
  • DPA (Score:5, Informative)

    by kylegordon ( 159137 ) on Wednesday January 15, 2003 @09:31PM (#5091592) Homepage
    Another reason to securely erase your data. In the end, _you_ are responsible for data under the Data Protection Act (in the UK anyway)
    • and the only secure method involves a woodchipper.
      • Re:DPA (Score:5, Funny)

        by Alien54 ( 180860 ) on Thursday January 16, 2003 @12:00AM (#5092109) Journal
        and the only secure method involves a woodchipper.

        Actually, I find extensive use of sandpaper after attaching the disk to a high speed drill works wonders.

        Barring that, an old fashioned bulk tape eraser also has interesting effects.

        I'm thinking of other options, including battery acid, and use as a grounding rod for a Tesla Coil.

        • Re:DPA (Score:5, Informative)

          by Rolo Tomasi ( 538414 ) on Thursday January 16, 2003 @12:51AM (#5092307) Homepage Journal
          Barring that, an old fashioned bulk tape eraser also has interesting effects.

          Nope. A magnetic field that would be strong enough to erase a hard drive would probably also compress it into a lump of twisted metal. from ings/sec96/full_papers/gutmann/ []:

          US Government guidelines class tapes of 350 Oe coercivity or less as low-energy or Class I tapes and tapes of 350-750 Oe coercivity as high-energy or Class II tapes. Degaussers are available for both types of tapes. Tapes of over 750 Oe coercivity are referred to as Class III, with no known degaussers capable of fully erasing them being known [19], since even the most powerful commercial AC degausser cannot generate the recommended 7,500 Oe needed for full erasure of a typical DAT tape currently used for data backups.

          Degaussing of disk media is somewhat more difficult - even older hard disks generally have a coercivity equivalent to Class III tapes, making them fairly difficult to erase at the outset. Since manufacturers rate their degaussers in peak gauss and measure the field at a certain orientation which may not be correct for the type of medium being erased, and since degaussers tend to be rated by whether they erase sufficiently for clean rerecording rather than whether they make the information impossible to recover, it may be necessary to resort to physical destruction of the media to completely sanitise it (in fact since degaussing destroys the sync bytes, ID fields, error correction information, and other paraphernalia needed to identify sectors on the media, thus rendering the drive unusable, it makes the degaussing process mostly equivalent to physical destruction). In addition, like physical destruction, it requires highly specialised equipment which is expensive and difficult to obtain (one example of an adequate degausser was the 2.5 MW Navy research magnet used by a former Pentagon site manager to degauss a 14" hard drive for 1 minutes. It bent the platters on the drive and probably succeeded in erasing it beyond the capabilities of any data recovery attempts [20]).

          The only way to be really sure is to use an acetylene torch.
    • Re:DPA (Score:5, Interesting)

      by tealover ( 187148 ) on Wednesday January 15, 2003 @11:53PM (#5092075)
      I remember working on my very first IBM pc. My girlfriend's mother was dating a guy and he gave her an old 8086 computer (this was back in '94 or thereabouts). Well, I started playing with the computer. He had an early version of Norton Utilities on it. I played with the undelete file utility and found that there were lots of deleted files. I recovered some of them and started to read them. Most were boring. One wasn't

      This guy wrote about my g/f's mom about how he was banging her for the last 15 years. She had only been widowed for 10 years. He also complained about how she only came around when she needed money and how he was tired of banging her wrinkly ass.

      Also, this guy was a principal at an elementary school. He was apparently fucking several women at the school, even getting blowjobs at work!

      I was simply amazed. My g/f didn't even really know that this guy was dating her mom (some women are so stupid). She just thought he was a family friend. I couldn't tell her about what I found because I knew she would have been really upset.

      I learned from that day on that simply deleting a file was not going to hide anything. I'm actually holding onto a defective laptop thathas been broken for months. I don't want to toss it out until I can either recover the harddrive data myself or until I can safely dispose of the harddrive.

      • by Monkelectric ( 546685 ) <> on Thursday January 16, 2003 @01:05AM (#5092374)
        Ok, this is offtopic because it doesn't really involve undeleting, so mod me off topic if you want, but its still a good story.

        When I was 14 or 15 (long ago), I took a trip with my friend to visit his father and step mother for the day. We would have to help his father in his print shop for the day, but my friend promised in return we would be able to sneak access to his dads porn collection.

        After we ended up working in his dads shop all day, we had dinner, went to his dads house, and his dad left us alone with his computers to play games on. We had brought a palette of 100 disks to hopefully sneak our porn home on, so we began copying all those pcx and gif files onto disks as fast as we could. We couldn't risk looking at them for fear of being caught. It wasn't that unusual to have a huge pile of disks because that was how things got copied in the olden days, his dad thought we were copying some of his games.

        Low and behold, we fill all 100 disks with porn (an incredible stash in like 90 or 91). We go home for the evening to each of our houses, divide up the stash, and we both head straight to the computer to um, count our booty.

        I get home, pop the first disk into the computer, and just about then I get a phone call -- its my friend, he says "dude, don't look at the pics, trust me." But he's piqued my interest so I have to. I load one up and what do I see? A big juicy cock. We had copied his dads gay porn stash.

  • I only sell broken ones.
    • Nope, even broken ones can be read with the right equipment.
    • by norton_I ( 64015 ) <> on Wednesday January 15, 2003 @09:38PM (#5091648)
      Even broken hard drives can be recovered, though it takes some rather expensive equipment to do so. However, with a little creativity and some equipment you would likely find in a EE department, much of it could be recovered.
      • by broter ( 72865 ) on Wednesday January 15, 2003 @10:00PM (#5091800) Homepage Journal
        "Even broken hard drives can be recovered..."

        That's why it's the DoD way for me: scramble the data with many passes accross the media with a stong magnet, followed by hammer strikes until it's in small pieces.

        You may find this lowers its value slightly in the "Computers & Office Products" category, while raising it dramatically in the "Art - Sculpture, Carvings" category (as glue as needed).

        • If I remember right, the DoD standard was to erase the file by writing random bits over it 7 times....although that was before some researchers found that you could still read the original data if you had a scanning electron microscope.

          • Random Bit Overwrite (Score:5, Interesting)

            by akamoe ( 519034 ) on Wednesday January 15, 2003 @11:36PM (#5092007)
            US DoD Spec: 3 passes
            German DoD Spec: 7 passes


            -- R
  • by Anonymous Coward on Wednesday January 15, 2003 @09:32PM (#5091597)
    Two MIT grad students bought used drives from eBay and secondhand computer stores.

    Don't I feel inferior. I've done the same with used HD's in the past and I only have a HS edumacation.
  • HD Abuse (Score:3, Funny)

    by helix400 ( 558178 ) on Wednesday January 15, 2003 @09:34PM (#5091608) Journal
    I have some fun with my old drives.

    Take them outside, and throw them as high into the air as possible. Then watch them land on concrete.

    I think that render the drive useless. =)

  • by blamanj ( 253811 ) on Wednesday January 15, 2003 @09:34PM (#5091611)
    It's long been know that laptop theives are often more interested in the data than the computer.

    Some computers sold on eBay are sold for the data [].
  • by cornjchob ( 514035 ) <> on Wednesday January 15, 2003 @09:35PM (#5091618)
    If only he had but known...
  • I can relate (Score:5, Interesting)

    by l33t-gu3lph1t3 ( 567059 ) <`arch_angel16' `at' `'> on Wednesday January 15, 2003 @09:35PM (#5091624) Homepage
    Picked 6 or 7 old 4gig HDDs from my father's company a few years ago, found their company credit line information, personal (and some very erotic) email, and a surprisingly large collection of nudie photoshopped Gillian Anderson photos. Oh yeah, and like 100 different (and I must say, very well-done) quake2 "crackwhore" models and skins lol. I love the people who don't clear their HDDs, it's like treasure chests, you never know what you're gonna get.
  • by missing000 ( 602285 ) on Wednesday January 15, 2003 @09:38PM (#5091654)
    I can get creditcard numbers faster on kazaa.
    • I like the stack of lost floppy disks sitting in the campus lab. One day I started looking through them.

      On the third disk I noticed a file named "Moms Credit Card". We can all guess what the file contained.

      Fortunately for that poor student, I'm a nice guy and I wiped the disk so that the information wouldn't be abused. However, the next disk contained Frat Party planning meeting minutes that were quite entertaining. (Someone was violating campus alcohol rules.)

      Anyway, I stopped looking after the 5th disk, and there were over 500 lost disks in that lab. All of the disks were found withing the last 4 months. If you want to get dirt to use on people, visit a college lab, shuffle through the lost disks, hold onto the information for a few years and then see how much that lost disk is worth to them.
  • Not so bad. (Score:5, Interesting)

    by Annatar2 ( 558541 ) <> on Wednesday January 15, 2003 @09:38PM (#5091656)
    Thats not so bad. My dad happens to be a garbage man and often brings along an occasional system he's scavanged from the dumpsters along his route. Currently I have in my possession an old IBM Aptiva with some guys bank account information on it (He did his checking and stuff with it apparently), but worst of all I have what appears to be an old Gateway tower used to store Medical information for a major hospital in the area my father works. I have over 2 gigs of peoples medical history, including what they were put in the hospital for, insurance information, release dates ect.

    I should really do the honost thing and reformat it but its always fun to flip the thing on and just page through stuff.
    • Re:Not so bad. (Score:3, Interesting)

      by Compuser ( 14899 )
      Why reformat it? Contact people on the list,
      and if there is a class action suit, then be
      a witness.
    • Re:Not so bad. (Score:4, Informative)

      by Anonymous Coward on Thursday January 16, 2003 @12:30AM (#5092211)
      A goverment contractor donated some old PowerBook 140/180s to our school and one of them had an unformatted HD. Imagine my suprise when I booted it up and there were documents on there that said something along the lines of "This document has been classified Top Secret by the Department of Defense" at the top of them. I don't know what is more pathetic, the fact that this laptop was allowed to get out with confidential data on it or that it was unencrypted to begin with.

      Also that same year, the school councilor retired his trusty quadra 610(?) and he had all the psychological, academic, and disciplinary records on there from 1993 and up on there. No password. No encryption. No attempts to even get rid of data.

      A few months back, my brother picked up an old computer for $8 at a garage sale. He wanted me to fix it up for him and get it to do something. I was in for a nasty suprise when I found about 200 MB of gay pr0n jpegs on there.

      When I was taking my A+ class at my HS, we were given some old computers from the county office of education to get in working order to give to people who couldn't afford computers. There was a small text file on it that contained passwords for most of the servers in the COE.

      You can get quite a bit without even recovering files. People are idiots.
    • Re:Not so bad. (Score:3, Informative)

      by MarcQuadra ( 129430 )
      LOL! I had the same thing, from an old server at a medical center, giant 2GB SCSI-II drives full of insurance info, dental records, and who knows what else. I tossed the drives after a while because I didn't want the bad karma, but all I had to do was ask for them, they were willfully handed over to me by a doctor when I was 17.
  • PGP! (Score:5, Informative)

    by wirelessbuzzers ( 552513 ) on Wednesday January 15, 2003 @09:38PM (#5091657)
    PGP (for windows or mac, ie not GPG) has two commands related to this: wipe file and wipe free space. They overwrite the appropriate sectors of the disk with several patterns designed to ensure that no matter what (common) encoding scheme the hard disk uses, every bit will have been set at least once, zeroed at least once, and overwritten with pseudorandom data at least once. If you set in on a lot of passes, it does an even better job. This would be a cheap (free, except for time and bandwidth to download it) way to make sure your sensitive data doesn't get out.

    That said, experts would tell you that the only reliable way to make sure sensitive data doesn't get out is to thermite your drive.

    Also, what's the one-line unix command (running MacOS X here).
    • Re:PGP! (Score:5, Informative)

      by delta407 ( 518868 ) <slashdot.lerfjhax@com> on Wednesday January 15, 2003 @09:50PM (#5091738) Homepage
      what's the one-line unix command
      # dd if=/dev/zero of=/dev/hda
      ...being sure, of course, to make 'hda' the actual drive you want to zero. (You could blank individual partitions by using the appropriate names, of course.) Also, you could use '/dev/urandom' instead to fill your disk with random data.

      Ah, the joys of *nix.
      • Re:PGP! (Score:3, Informative)

        by kiolbasa ( 122675 )
        Several passes of /dev/random is certainly more secure. Writing a predictable pattern, such as /dev/zero (which, given HD encoding schemes does not actually mean all zero bits on the disk) only gives an attacker a pattern to subtract from the signal on the disk and recover the original data. Writing zero over a one looks different than writing a zero over a zero when you look at the disk on a low-level.
    • Re:PGP! (Score:3, Interesting)

      by jnik ( 1733 )
      Also, what's the one-line unix command (running MacOS X here).
      for i in 1 2 3 4; dd if=/dev/zero of=filename bs=1 count=filesize; sync; dd if=/dev/random of=filename bs=1 count=filesize; sync; done
      Roughly speaking that'll do it. I'm sure there's nice trickery you can do to, say, get the equivalent of /dev/true (opposite of /dev/zero) and get the size from the file, etc. etc. Note the sync's so it actually hits disc rather than buffer. Technically there should be a sleep or two in there in case of a journalled filesystem....
    • Re:PGP! (Score:3, Informative)

      by bourne ( 539955 )

      PGP (for windows or mac, ie not GPG) has two commands related to this: wipe file and wipe free space.

      And for those wishing for only mid-grade free space wiping, check out "cipher" which comes with Win XP and Win2K SP3. 'cipher /w:c:' will wipe all the free space on c: with 0s, then with 1s, then with random data.

      I have mine cron'ned - er, "Task Scheduled" - to run several times a week, just to keep things on the sanitary side. You never know when the layoffs will leave you wondering who is looking at your old hard drive.

    • Wiping and physics (Score:3, Informative)

      by Antity ( 214405 )

      If you wipe, remember to take your device's physics into account.

      Wipe it once when it is completely "cold" (computer has been turned off for at least several hours), then wipe it again after it has been running for an hour or so, and wipe it a third time after you've giving the disk some serious thrashing (that is, disk activity that moves the head around quite a bit).

      The reason is temperature. Data is saved on circles on a magnetic medium. The read/write head has a certain amount of thickness, and so have the tracks on the platter (the tracks have to be a bit widther than the head is, to take thermal expansion into account so the head won't overwrite data on neighbour tracks).

      So, for some specialized data recovery company, it may even be possible to recover different data from the same track, because after a while of use, a track can look like this:

      ................ Free space to next track
      ---------------- Outer track end
      AAAAAAAAAAAAAAAA Older data 1
      BBBBBBBBBBBBBBBB Actual data
      CCCCCCCCCCCCCCCC Older data 2
      ---------------- Inner track end
      ................ Free space to next track

      So, your drive will always read the data in 'B'. In 'C' there might still be data your computer saved when the drive had just spun up and was cold, while 'A' might still hold a copy of data that was written on very heavy disk activity when the drive was really hot.

      To overwrite all of this data, you need to have the drive write in any of the temperature states that it has been in within this life.

      "Simple" writing might only destroy all 'B' data and leave all 'A' and 'C' data intact on the drive, where they can be recovered.

  • On par for Ebay.. (Score:3, Interesting)

    by nolife ( 233813 ) on Wednesday January 15, 2003 @09:39PM (#5091658) Homepage Journal
    bought 158 used hard drives at secondhand computer stores and on eBay. Of the 129 drives that functioned

    Everyone knows that HD's contain data.. I would be more impressed if they broke down the numbers of where the BAD drives came from. That would make a much more informative story. I've bought as-is before in person but never online.
  • by Ironica ( 124657 ) <pixel.boondock@org> on Wednesday January 15, 2003 @09:40PM (#5091666) Journal
    People still don't get it. My old boss wondered why I was "wasting my time" doing stuff like writing all zeros to drives of computers we were giving to charity. "I only told you to format them!"

    I tried to explain the concept to her, but for an IT manager, she was woefully bad at technology.

    Actually, come to think of it, she was about average...
  • by netnerd.caffinated ( 473121 ) on Wednesday January 15, 2003 @09:41PM (#5091671)
    or do like this guy did... []
    he brought a hard drive, found all this cool stuff on it.. & put it to DVD for the masses
  • by bdigit ( 132070 ) on Wednesday January 15, 2003 @09:41PM (#5091674)
    Anyone happen to know any share/freeware programs out there for Windows 2k that will recover deleted files. I am intrested in running it on my computer to actually see what I can recover and see how well PGP's disk wipe function works.
  • by japhar81 ( 640163 ) on Wednesday January 15, 2003 @09:42PM (#5091681)
    But the CC info bothers me. Presumably, this is a corporate drive that got resold (Unless you know of 170 ppl with 25 credit cards a piece, in which case it's time to re-evaluate the financial system in this country).

    Personally, I have a standing policy in my department to take apart every HDD, take a magnet to each platter, and send the platters to Iron Mountain for destruction. Then again, we deal with large financial institutions, so we have to be extreme and obsessive-compulsive, which brings me to my actual point;

    This stuff should be regulated. If you store personal info on an HDD for business purposes, you should have a legal responsibility (i.e. one that comes with repricussions if not met) to ensure that even after a drive is retired, the data is safe.

    Just my $.02
  • by NoMoreNicksLeft ( 516230 ) <john.oyler@c[ ] ['omc' in gap]> on Wednesday January 15, 2003 @09:45PM (#5091704) Journal
    Data Fishing? I mean, you never know if you'll catch anything.
  • CIA (Score:5, Informative)

    by Eric_Cartman_South_P ( 594330 ) on Wednesday January 15, 2003 @09:46PM (#5091709)
    Thinking back to a Discovery channel show on the CIA, they dispose of hard drives with a good data wipe then they drill holes in them. Drives that held Super Top-Secret stuff (MS source code?) also got burned in a furnace. All of this on-site.

    In regards to Wiping data, do yourself a favor and check out

    Beyond the wonderfull wiping the program does, there is the option to make an emergency boot floppy that wipes the HD with DOD style 7-pass or a GutherSomething 36 pass! Niffty for the paranoid.

  • by haa...jesus christ ( 576980 ) on Wednesday January 15, 2003 @09:46PM (#5091713)
    my old company had the best method for destroying our sensitive data (like the gig of porn some asshat left on the XML server) - leave them in the old building! god bless those terrorists and their whacky flight skills.

    btw, has anyone seen my old ti calculator? it was on the 21st floor of two.
  • I sledge them! (Score:3, Interesting)

    by callipygian-showsyst ( 631222 ) on Wednesday January 15, 2003 @09:51PM (#5091747) Homepage
    We go through a large # of computers a year, and I try to donate the carcass, or at least make sure it's recycled properly. (Charitable organizations, unless specially equipped to handle PCs, are wary of junk computer donations.)

    However, I *always* remove the hard disk drive, disassemble it, and give it the sledge hammer treatment. I just don't have the time to get them running again, and write the erase patterns to every track and sector.

    Maybe if there's ever a good, transparent, drive-level PGP available, I'll rethink this strategy, but until then, I put on the safety glasses and hammer away, after opening the drive case to expose the platters.

    Here's a sugesstion to drive manufacturers--make a convention where if certain pins on the IDE connector are jumpered together, and the drive powered up, it will do a low-level format automatically. Then I might choose to erase the disks, so long as I didn't have to hook them up to a computer and run a program.

    • Re:I sledge them! (Score:4, Interesting)

      by jasonditz ( 597385 ) on Wednesday January 15, 2003 @10:05PM (#5091829) Homepage
      Speaking of this, whatever happened to the BIOS lowlevel format option? My old Laser 386 allowed you to lowlevel format any of the harddrives through CMOS setup... it would seem like that's a pretty simple feature to add, and plenty useful.
      • Re:I sledge them! (Score:3, Informative)

        by flonker ( 526111 )
        Back in the good old days, low level format actually did something. It rewrote the tracks and sectors on the platters. Nowadays, with high data density and whatnot, it's much more difficult to write the tracks and sectors, and special machinery is used to do so. The standard head isn't able to get enough accuracy.
  • by achurch ( 201270 ) on Wednesday January 15, 2003 @09:55PM (#5091774) Homepage
    "Out Of Order" [].
  • by Anonymous Coward on Wednesday January 15, 2003 @10:01PM (#5091808)
    I dont bother sanitizing them, squeezing or anything else. I just shoot them.

    They're great target practice when set up at 50 yards. Plus, they're rendered more or less ultra-highly unreadable, with half the platters coated in vaporized lead spall, and then with the platters dramatically warped, penetrated, stretched and shattered. Many areas are complete and totally lost, the ones that arent, would require precise magnetic microscopy to observe the actual state.

    These pictures [] were of a seagate 40mb eide, splashed with a 158grn jacketed hollowpoint in .357 magnum, after being accelerated to about 1700 fps from a Marlin 1894C lever-action carbine.
    • by Anonymous Coward
      Has anybody tried applying +12&+5VDC to an old hard drive, allow it to spin up to full operating speed (pref. 15KRPM), and THEN shoot it?

      Should produce some interesting results. It'd be interesting to see the different effect from hitting dead center on the hub as compared to (on a different, identical drive) the outermost rim.

  • by b1t r0t ( 216468 ) on Wednesday January 15, 2003 @10:03PM (#5091820)
    A few years back I found some backup cartridge tapes (the big 4x6 kind) and a couple of tape drives at a Goodwill store. While there wasn't anything particularly useful on it, I could tell that it was the shell account machine used by half a dozen or so Ingres developers.

    No database code or data, just typical home directories and stuff. And they were running SCO, but boot blocks and stuff don't generally get written to tapes, so no chance of warezzing from it.

    I also snag SCSI hard drives and SyQuest cartridges when they show up for five bucks or less at thrift stores, since most of that is Mac stuff and I'm a Mac-head.

    Once I got a 6100 at a thrift store. I presume the owner stopped using it when the PRAM battery died. (When a 6100's PRAM battery dies, the video settings go with it, and unless you're using a fixed-frequency monitor, you get no video unless you hold down command-option-P-R. Looks like real bad a hardware problem when it's just the battery.) I could tell it was used by some college guy, studying to be a lawyer, I think.

    "Thrift store hard drives are like a box of chocolates... you never know what you'll find!"

  • by Unknown Poltroon ( 31628 ) <> on Wednesday January 15, 2003 @10:11PM (#5091860)
    I have had 2 drives fail well within the warranty period, and did not return them for just this reason.
    • I have had 2 drives fail well within the warranty period, and did not return them for just this reason.

      This is a big problem for DoD-type datacenters; for non-classified (as in "this stuff shouldn't get out") stuff, they open the disk up, sand-blast the platters to remove the magnetic material, then return the carcass to the manufacturer for a warranty claim. For the really secret stuff (as in "people will die if this stuff gets out"), they just destroy the disk completely, then buy a new drive.

      Of course, if you kept all the data on the disk encrypted, you'd be fairly safe, but once you're making a warranty claim, the disk probably isn't working well enough for you to wipe using 'dd'...

      Speaking of 'dd': Beware of sector remapping. Any sectors on the disk which the firmware has marked 'bad' won't be touched by any user-level command - and those 'bad' sectors could still be recovered if they open the disk up. For most people, 'leaking' a couple of sectors wouldn't be the end of the world, but for (say) VISA's customer records, there are probably a couple of valid CC numbers and other info in those sectors...

  • Scary Thought (Score:3, Interesting)

    by Sayten241 ( 592677 ) on Wednesday January 15, 2003 @10:59PM (#5091877)
    So even if I take all the steps necessary to make sure my data is safe on my computer, odds there is a business throwing away hardrives that have my data on them without properly removing all the data? Wow, I can't believe this isn't a hotter topic. I also wonder how this affects certain websites privacy statements. Sure, they don't give your information away intentionally, but they may give away a harddrive full of personal data without even realizing it.
  • by g4dget ( 579145 ) on Wednesday January 15, 2003 @11:06PM (#5091906)
    Erasing your disks before selling your PC is easy:
    • Get out your favorite Linux installer CD or download a copy of Tom's RTBT [] and write it to floppy or CD-R.
    • Boot from the floppy or CD.
    • Log in as root.
    • Run dd if=/dev/zero of=/dev/hda to erase the master drive on the primary IDE controller (/dev/hdb etc. for the remaining disks)
    That's all. It erases all the blocks normally accessible by the disk controller and is probably safe enough for most people. Bad blocks that have been replaced may still contain a little bit of data, and inter-track data may be recoverable by analog means.
  • by Anonymous Coward on Wednesday January 15, 2003 @11:15PM (#5091937)
    Now for or something really scary.
    I run a computer shop in the southeastern United States, much of my work involves the local school systems.
    Several years ago (Long before 9-11) a local school received a donation of several pallets of computers, monitors, printers, and other equipment from a local military installation. The donation was properly processed through the Defense Reutilization and Marketing Service (DRMS) and should have been cleared of any sensitive materiel.
    I was contracted by the school to take the entire load and build as many working systems as I could out of the parts. As I begin to put systems together and power them up I was staggered by the fact that at least half of the hard drives were FULLY intact and no attempt at all had been made to remove sensitive data.
    I of course had to take a closer look. Much of the data concerned simple day to day non-sensitive routine base operations (I am x-military so much of it was familiar to me). HOWEVER on one of the intact drives I found something that KNOCKED MY SOCKS OFF! Setting there on that hard drive spinning on my work bench was pile of data concerning the moving of NUCLEAR weapons and other nuclear materials and conventional weapons around the United States. The data contained information such as routes, schedules, manifests, and duty rosters. I WAS DUMBSTRUCK. How could this have happened? This drive should never have left a controlled area, EVER, it should have been destroyed. This was inexcusable!
    Of course in a situation such as this all manner of thoughts go though your head. Thoughts such as; What kind of damage could a enemy of the U.S. do with this data. What would this data be worth to someone unethically inclined. If they knew I saw this data they would probably lock me up and throw away the key just for good measure, and of course WHAT SHOULD I DO WITH THIS DATA?
    In the end I destroyed the hard drive and the data it contained and kept my mouth shut. That has been at least 8 or 9 years ago and until this day I have never told anyone and thank God that due to the passage of time I have forgotten most of the particulars of the data I saw.

  • by jrstewart ( 46866 ) on Wednesday January 15, 2003 @11:29PM (#5091985) Homepage
    It's not enough to write 0's to remove traces of a file. Writing random patterns is much better and for older drives you can even do better than random (i.e. more erasing in less passes). The shred(1) command from the GNU fileutils will take care of this for you in Unix-alikes. s/ shred/1

    See also del.html for an informative paper about the details of how secure deletion works.
    • by jbrandon ( 603700 ) on Thursday January 16, 2003 @02:04AM (#5092543)
      Most recent GNU/Linux distros use Ext3, so shred won't work:

      $ man shred


      CAUTION: Note that shred relies on a very important assumption: that the filesystem overwrites data in place. This is the traditional way to do things, but many modern filesystem designs do not satisfy this assumption. The following are examples of filesystems on which shred is not effective:

      * log-structured or journaled filesystems, such as those supplied with AIX and Solaris (and JFS, ReiserFS, XFS, Ext3, etc.)

  • by dameron ( 307970 ) on Wednesday January 15, 2003 @11:32PM (#5091995)
    Backup all important data to both magnetic and optical media (another HD/tape -and- cd/dvd).

    Re-format HD using the NTFS file system if the drive is larger than 2 GB, otherwise install NT Server from the earliest available service pack.

    Install Windows NT 4 Server, apply service patch 6. Make sure you use a meaningless administrator password.

    Upgrade MS Internet Information Server to version 4.0 from NT Option Pack. Create a default web site using the following as the index page (*.htm, *.html, *.shtml):

    Why are Chinese, Dutch, German, and Russian Hackers So Homosexual?"

    Chinese, hackers, IIS rules, Counterstrike, Dutch, mothers, US ALL THE WAY, Germany sucks, script kiddie, porn, pr0n, disable X10 ads, warez, firewall, Bill Clinton, rar, zip, romz, roms, direct downloads, Long Live Pakistan, How do I secure III?, index of, Ronald Reagan Library

    Boot the HD in a computer with an internet connection.

    Wait about four days.

    Repeat the process three times.

    Reformat the drive.


    Hey, at least it won't have -YOUR- important data on it.

  • What about RAM? (Score:3, Interesting)

    by n3rd ( 111397 ) on Wednesday January 15, 2003 @11:35PM (#5091999)
    At a former employer who will remain nameless they had secure areas. To get in you needed a clearance and if you didn't have a full government clearance all of the people in there would power off their boxes until you left. You were also constantly watched and doing sysadmin stuff in there was an adventure because they could do whatever they wanted since they weren't hooked up to the regular network.

    When they moved some of these labs all of the equipment was shrinkwrapped and escorted to the new location to prevent tampering while in transit.

    I think I had something to say. Oh yeah. Ok, when hard drives and backup tapes got old they had to format them X number of times (I forgot the exact number), then physically smash them and then burn the remains. All in a secure manner (ie: not taking them to the local Springfile Tire Fire).

    Anywho, a friend of mine had to replace RAM from one of their Suns, and I went with him. They let us leave with the RAM and didn't think twice about it. 2 or 3 minutes after we left my friend realized he may be able to take the RAM and actually read the data off of it somehow, assuming it was still saved.

    Perhaps this could be applied to other things including external processor caches and VRAM as well.
  • by nightsweat ( 604367 ) on Wednesday January 15, 2003 @11:35PM (#5092001)

    Everyone knows you must write zeros over old drives 137 times, then bulk erase them then dip them in acid, smash them to teeny tiny bits, incorporate those bits into construction concrete for buildings on three separate continents and only then your data will be safely gone.

    Though there is this one data recovery firm in Wisconsin that can get data off the drive even after all that...

  • by Tracy Reed ( 3563 ) <> on Wednesday January 15, 2003 @11:45PM (#5092049) Homepage
    Because I pretty much run my life by computer I end up with all kinds of info on my computer. And it is for this reason that I use the Linux Crypto API (formerly the international kernel patch). I have an encrypted volume (a big file which gets mounted on loopback fs) on my machine where I keep any sensitive information including all of my email once it has been read. Every so often I mount it, copy the stuff in, and unmount it. It works great and is so easy to use that I actually use it. The only chance someone has of catching sensitive information is if they get it before I copy it into the encrypted volume (passwords, keys, company private data, etc. all go straight in) or if they can somehow recover it from the raw device from when it was written in cleartext. My disk has enough activity and accidentally fills up often enough that I'm not too worried. It's not like I'm protecting national secrets or anything.
  • by Commykilla ( 107585 ) on Wednesday January 15, 2003 @11:50PM (#5092067) Homepage
    Data Mining is NOT the process of recovering or otherwise retrieving data. Data Mining is the process of discovering knowledge through data that has already been obtained (usually through statistical and/or AI techniques). I.e., data retrieval/collection is a prerequisite for Data Mining.
  • by fo0bar ( 261207 ) on Wednesday January 15, 2003 @11:51PM (#5092072)
    I'm going to be sending a company HD to Dell to RMA since it's starting to fail (stupid IBM DeskStar 60GB drives)... From what I've heard (and contrary to a few other posts in this story), it is still possible to retrieve some data from a hard drive where you've done "dd if=/dev/zero of=/dev/hda" (I still don't get how, but I err on the side of caution).

    Enter GNU shred. Its default operation does 25 passes at the drive, with passes such as random data, random patterns and all zeros. Theoretically, the drive has been overwritten so many times that there is almost no chance of recovering data.

    Of course, just to play it safe I'll also run it across my stereo speakers a few times too :)
  • by rev063 ( 591509 ) on Wednesday January 15, 2003 @11:54PM (#5092085) Homepage
    Data mining is statistical analysis of structured or unstructured data to discover unknown relationships.

    At best, this is voyeurism. At worst, it's espionage.
  • by Anonymous Coward on Wednesday January 15, 2003 @11:59PM (#5092103)
    Last year, my employer of 12 years went out of business. The company was secretly being run improperly for quite a while and the owner closed the doors the same day he found out about the mismanagement.

    Being the IT director, I helped the owner, my friend, with the office computers. I planned on wiping all the hard drives and I informed the owner of my plan. He agreed that it was a good idea.

    From the next three months, watching the bankruptcy process unfold, I got questioned left and right as to why I wiped the data. The accountants wanted to know why...the lawyers wanted to know why...the liquidators wanted to know why...the court wanted to know why. I understand that a system with an installed OS is more valuable than one that has been wiped clean(the data had been backed up so there was no question of whether data had been destroyed) but this should not be unusual. Nobody asking me these questions were newbies--their jobs involved dealing with bankrupt companies and it was as if they had never seen this before!
  • Simson Garfinkel (Score:3, Interesting)

    by ( 114827 ) <> on Thursday January 16, 2003 @12:16AM (#5092164) Homepage
    It's not as if it's just any "[t]wo MIT grad students". Garfinkel has written more than a handful of security books [] over the years.
  • by HeyBob! ( 111243 ) on Thursday January 16, 2003 @12:24AM (#5092182)
    I just wait for my warantee to run out - it becomes unreable shortly thereafter!
  • by IGnatius T Foobar ( 4328 ) on Thursday January 16, 2003 @12:47AM (#5092298) Homepage Journal
    Last summer I was building a two foot high poured-concrete wall ... extending one, actually, at the edge of my patio, where a big oak tree had been taken down. Well, I poured the concrete in and it turned out that I hadn't bought enough.

    So I went down into the basement and pulled out all the old computer crap I could find -- old hard disk drives, AOL CD's, ISA boards of various types, etc. and just threw them into the cement mix until the level rose to where I wanted the wall to be.

    Perhaps someday after I die (or move) someone will dismantle that wall. When they do, they'll unearth some hard disk drives, complete with a 1997 or 1998 vintage of Red Hat Linux and other software of the time.
  • Book and Nuke (Score:3, Interesting)

    by scubacuda ( 411898 ) <> on Thursday January 16, 2003 @01:00AM (#5092344)
    Use Boot and Nuke [].

    Burn the ISO, boot to the CD, then wait a *really* fucking long time for it to scamblefuck the drive. (You can also use a floppy disk...but nowawayd why use something that a magnet could possibly fuck?)

    (I have no idea whether or not this is military-grade. Can anyone comment? And if not, provide something *better*?)

  • Here's a question: (Score:4, Interesting)

    by nightherper ( 635698 ) on Thursday January 16, 2003 @01:16AM (#5092413) Homepage
    Say you are working on an uber secret project (or miltary plans or viewing gay pr0n) and the "men in black" come running in your house. Assuming you are more than 5 seconds away from being on the floor with a knee on your neck, how would you keep intruders from getting your data? (Or looking at what you were viewing, you sick freak)

    Some sort of explosive device on a trigger next to your mouse?
    A shotgun blast? (Hoping you hit the drives and don't get shot...)
    Fast acting fantasy software to write random data 144 times over the disk in mere milliseconds?

    • Assuming that you have at least a few seconds to react when they come knocking then planning takes care of a lot of this. The system in question which I'll I call the Naughty Super Secret System or NSSS for short needs to be specially configured. It should have no swap files or swap partitions of any sort. The /tmp directory or any equivalent should be a ramdisk formatted with an encrypted filesystem. Any permanent datastores should also be on encrypted filesystems. The best part is that the NSSS also has a "panic script" thats triggered with a hotkey combination. There will be no time to actually type a command. The panic script will lock the terminal, unmount any ramdisks, change the filesystem password to a random collection of characters if possible and clobber the control structures of the encrypted filesystems with random data (superblocks, fat tables, etc). This is not a lot of data and won't need more than a few seconds to royally bollix. Actually, random data sprayed across an encrypted filesystem will do far more damage than a conventional filesystem. If the clobber script has enough time to hit those control structures with seven passes it should then spray random bytes across the remainder of the partition as long as it's permitted to run. In any case, the clobber script will run until some quick thinking MIB pulls the power cord. That can be made a pisser as well. Remove any obvious way to quickly power off the machine and make it necessary to spend a few more seconds getting at the power cord or UPS.'s this? Put the UPS inside the machine and rig the physical power switch well inside the case. The machine can be powered up or down by sticking a screwdriver into a hole to operate the switch. LOL, put lots of extra screws in the case too.... That should buy more than enougn time for the panic script to do it's work.

      I suppose what remains of those filesystems will be subject to cryptanalyis but it should be a bit more difficult at least. The only other option would be coming up with something to physically destroy the hard drive in a hurry that won't physically destroy the operator as well.
      I like the idea of digging a fire pit in the basement and having the system rigged to be burned by a panic trigger. The shotgun would work too but it needs to be permanently mounted on the machine. You won't have time to aim. You'll be lucky if you have time to reach over and pull the trigger.

      In all though, if the MIBs bust your door down you have much larger problems than what they are going to find on your computer.
  • by saskboy ( 600063 ) on Thursday January 16, 2003 @02:16AM (#5092582) Homepage Journal
    This only goes to prove that selling on eBay comes with certain unavoidable risks. You never know who your buyer is going to be...

    It could be some smart ass college kid who is going to get your old porn collection you thought was lost.
  • by tagman2 ( 641802 ) on Thursday January 16, 2003 @07:52AM (#5093373)
    Summary of the long posting below:
    • Data from a hard disk that as been wiped multiple times can be recovered.
    • Data left in SRAM and DRAM for a long period of time can be recovered even though the system has been powered off for a while and the SRAM has been cleared.
    • While it is hard to recover wiped and old data, it is not impossible.

    First, a little background:

    I belong to a group that polls/tracks certain elections around the world. In one recent election, there were a number of claims of voting irregularities. Our group became part of a post-election analysis team to look into these irregularities.

    We were able to determine that one desktop system in particular contained some critical raw voting data (raw precinct counts of per ballot slot data). The election officials were more than reluctant to give us a copy of that raw data. By the time we were granted a order requiring the election officials to let us access the data, someone had attempted to throughly wipe the desktop system of all traces of data.

    We thought we had lost that critical data. But thanks to a chain of contacts we were referred to a consultant that specializes in extremely difficult data recovery. After checking some references (and obtaining more money from OUR client: the consultant was VERY expensive), we hired this consultant.

    Much to the surprise of the election officials we obtained an order that allowed us to physically take possession of the system. The system was turned over to the consultant who recovered enough critical election data for our needs.

    The recovery included data from the wiped system hard drive as well as from SRAM and DRAM.

    Regarding disk recovery:

    The disk drive had been wiped by a utility that, we presume, had been run from a CDROM. The wipe tool wrote over the entire disk 35 times, 8 of them were random and 27 of them were fixed patterns of 3 bytes each.

    Not all disk data was recovered. Part of the reason was that the data recovery method was not 100% perfect. Part of the reason that some data was not recovered was a simple matter of time. (The consultant was in between two already committed projects and only had a limited amount of time to work for us.)

    The consultant did recover some deleted files that were critical to our work. Not everything was recovered, however. Parts of the swap/VM-paging area that might have contained some useful data were not recovered. Also some disk data critical to file and directory layout was not recovered making recovery of parts of the file system layout difficult to map.

    Still, some important files (a spreadsheet, simple database file, browser cache, some EMail, etc.) were recovered even though the drive had been wiped 35 times!

    Regarding SRAM recovery:

    n3rd [] posted a comment asking about recovering data from RAM.

    There are methods that can recover RAM data. Both SRAM and DRAM can be recovered.

    According to the consultant, the storage of the same data in SRAM over a long period of time has the effect of altering the preferred power-up state. They said that SRAM can ''remember'' data for days after it held it for a long period of time. This memory can be determined by a ''partial powerup'' (I presume they mean a lower than normal voltage?) and then going ''full on'' and reading the initial values of memory.

    In the case described above, the SRAM had been deliberately cleared prior to our group taking possession of the system. The consultant was able to recover the original data even though the SRAM had been cleared and the system has been powered off for more than a day. A simple clearing of memory was not enough to wipe out the long held memory effect.

    Regarding DRAM recovery:

    DRAM data was also recovered. Data left in DRAM for a long period of time can leave an ''impression'' thru a process somewhat different from SRAM.

    As explained by the consultant: With DRAM, recovery comes not from detecting any left over charge, but rather detecting the stress (or lack of stress) from the thin oxide of the cells storage capacitor dielectric. The effect of this stress can be measured by using the DRAM self-test feature. In self-test mode, a small voltage is applied to a cell in order to measure its margin for error. The self-test margin is increased or decreased by the amount of oxide stress.

    Not all of the DRAM memory was recovered. However certain critical portions of the DRAM held values for long enough period of time that data was recovered, even though the system has been powered off for more than a day. Data recovered included memory associated with a browser and a spreadsheet. Even though both the browser and the spreadsheet were closed prior to the system being wiped, they were left running long enough to leave behind their DRAM oxide stress.

    Based in part on the recovered data, we concluded that candidate A was declared the winner due to a ''mistake'' in mapping ballot slot numbers to candidates. In some cases the slots for candidate A and B were reversed.

    An incorrect vote count was reported by the election officials. It is our guess that when we came around asking for the raw data, someone began to collect it. At some point some official(s) discovered the blunder. The system was left on while they stalled for time. When it was clear that we were going to force them to turn over the data someone wiped the system and shut it down.

    BTW: The majority of the election officials involved were supporters of candidate B. Even though their blunder caused them to declare candidate A the winner, they still tried to coverup their mistake.

    Our conclusion was that the attempt to coverup the mistake was motivated by not wanting to admit the major blunder instead of because of candidate A's influence. This conclusion was reached in part because of messages that we recovered on another system that was not wiped. However we would have never been able to find that other system, nor would we have been able to match the raw slot numbers with the reported vote counts by candidate name without the help of the data recovery consultant and the critical data that they recovered.

    I'll offer a few observations:

    • Volatile data such as SRAM and DRAM is not as volatile as you might think.
    • With enough will, skill and effort, old data can be recovered from a disk that has been overwritten multiple times.
    • Packages such as PGP file wipe, GNU shred or Boot and Nuke [] are likely to only make it harder, but not impossible to recover the data.
    • To quote from a paper by Peter Gutmann:
      Data which is overwritten an arbitrarily large number of times can still be recovered provided that the new data isn't written to the same location as the original data (for magnetic media), or that the recovery attempt is carried out fairly soon after the new data was written (for RAM). For this reason it is effectively impossible to sanitise storage locations by simple (sic) overwriting them, no matter how many overwrite passes are made or what data patterns are written.''
      And even though in that paper next says:
      However by using the relatively simple methods presented in this paper the task of an attacker can be made significantly more difficult, if not prohibitively expensive.''
      For our consultant, the recovery process was hard but not extremely difficult. It was expensive for us, however. :-( But we were happy to pay to have it done. :-)
    • Whoever wrote the 35-pass disk wipe tool must have read that paper, or one similar to it because the overwrite patterns looked similar to the recommended list.

    P.S. I know that some people doubt [] that one can obtain old data from SRAM and DRAM after poweroff. I did too until it was done for our group. To those who still doubt this: I will refer you to Peter Gutmann's paper on Secure Deletion of Data from Magnetic and Solid-State Memory [] for another source on data recovery methods.

  • by infolib ( 618234 ) on Thursday January 16, 2003 @09:24AM (#5093629)
    what you need to do is overwrite the whole harddisk several times with different patterns. Peter Gutmann recomends 35 passes with different patterns. The DoD 5220.22-M NISPOM recomends 3 passes.

    Secure Harddisk Eraser implements these 35 or 3 passes on a single floppy. Just boot from the floppy, wait 60 seconds and the harddisk will start to erase.

    The homepage []

egrep -n '^[a-z].*\(' $ | sort -t':' +2.0