Thu, 25 Mar 2004 13:16:45 GMT

Used Hard Disks Packed with Confidential Information.

Simson Garfinkel has an eye-opening piece in CSO magazine about the contents of used hard drives. Simson bought a pile of used hard drives and systematically examined them to see what could be recovered from them.

I took the drives home and started my own forensic analysis. Several of the drives had source code from high-tech companies. One drive had a confidential memorandum describing a biotech project; another had internal spreadsheets belonging to an international shipping company.

Since then, I have repeatedly indulged my habit for procuring and then analyzing secondhand hard drives. I bought recycled drives in Bellevue, Wash., that had internal Microsoft e-mail (somebody who was working from home, apparently). Drives that I found at an MIT swap meet had financial information on them from a Boston-area investment firm.

One of the drives once lived in an ATM. It contained a year's worth of financial transactions÷including account numbers and withdrawal amounts÷from a organization that had a legal requirement to not divulge such information. Two other drives contained more than 5,000 credit card numbers÷it looked as if one had been inside a cash register. Another had e-mail and personal financial records of a 45-year-old fellow in Georgia. The man is divorced, paying child support and dating a woman he met in Savannah. And, oh yeah, he's really into pornography.

It's shouldn't be a secret anymore than when you “delete” a file, it's not really gone. Yes, the file is unreachable by ordinary means, but virtually all of the information is still there on the hard disk, recoverable by anybody with the right tools. If you really want to destroy data, you have to use special disk scrubbing tools that overwrite the “empty” disk space with random data. It's not rocket science, but you do need to be careful.

In Simson's study, between one-third and one-half of the drives had significant amounts of confidential data that could be recovered. Only ten percent of the used drives had been properly scrubbed.

[Link credit: Michael Froomkin at]

[ATAC: Abusable Technologies Awareness Center]