Even 'Sanitized' Hard Drives Can Hold Sensitive Information

R. A. Hettinga rah at shipwright.com
Wed Jan 15 18:19:05 EST 2003


http://online.wsj.com/article_print/0,,SB1042664144798925144,00.html

January 15, 2003 4:47 p.m. EST

Even 'Sanitized' Hard Drives
Can Hold Sensitive Information

Associated Press

CAMBRIDGE, Mass. -- So, you think you've cleaned all your personal files
from that old hard drive you're selling?

A pair of graduate students at the Massachusetts Institute of Technology
suggest you think again.

Over two years, Simson Garfinkel and Abhi Shelat assembled a collection of
158 used hard drives, shelling out between $5 and $30 for each at
secondhand computer stores and on eBay Inc.

Of the 129 drives that functioned, 69 still had recoverable files on them
and 49 contained "significant personal information" -- medical
correspondence, love letters, pornography and credit-card numbers. One even
had a year's worth of transactions with account numbers from an ATM in
Illinois.

"On that drive, they hadn't even formatted it," Mr. Garfinkel said. "They
just pulled it out and sold it."

About 150,000 hard drives were "retired" last year, the research firm
Gartner Dataquest estimates. Many ended up in trash heaps, but many others
find their way to secondary markets.

Over the years, stories have occasionally surfaced about personal
information turning up on used hard drives that have raised concerns about
personal privacy and identity-theft risks.

Last spring, the state of Pennsylvania sold to local resellers computers
that contained information about state employees. In 1997, a Nevada woman
purchased a used computer and discovered it contained prescription records
for 2,000 customers of an Arizona pharmacy.

The MIT students, who report their findings in an article to be published
Friday in the journal IEEE Security & Privacy, say they believe they are
the first to take a more comprehensive -- although not exactly scientific
-- look at the problem.

On common operating systems like Unix variants and Microsoft Corp.'s
Windows family, simply deleting a file, or even following that up by
emptying the "trash" folder, doesn't necessarily make the information
irretrievable.

Those commands generally delete a file's name from the directory, so it
won't show up when the files are listed. But the information itself can
live on until it is overwritten by new files.

Even formatting a drive may not do it. Fifty-one of the 129 working drives
the authors acquired had been formatted, but 19 of them still contained
recoverable data.

The only sure way to erase a hard drive is to "squeeze" it: writing over
the old information with new data -- all zeros, for instance -- at least
once but preferably several times. A one-line command will do that for Unix
users, and for others, inexpensive software from companies including
AccessData works well. But few people go to the trouble.

Mr. Garfinkel said users shouldn't be forced to choose between wiping their
hard drives clean or taking a sledgehammer to them. "There are ways of
designing an operating system to make that problem go away," he said.

Indeed, future operating systems may make it easier. But many users like
believing that, in a pinch, an expert could recover their deleted files.
The resilience of hard-drive data is also a powerful weapon for law
enforcement.

As it turned out, most of the hard drives the authors acquired came from
businesses that apparently have a higher but misplaced confidence in their
ability to "sanitize" old drives. Individual users are more likely simply
to toss their old drives into the closet, or try the sledgehammer method.

"Homeowners seem to understand there's not a lot to be gained by selling
your 20-gig hard drive on eBay," Mr. Garfinkel said.

That jibes with the experience of Tom Aleman, who heads the analytic and
forensic technology group at Deloitte & Touche and often encounters
companies that get burned by failing to fully sanitize, say, the laptop of
an employee leaving the company for a job with a competitor.

"People will think they have deleted the file, they can't find the file
themselves and that the file is gone -- when, in fact, forensically you may
be able to retrieve it," he said.

Mr. Garfinkel has learned his lesson. As an undergrad at MIT in the 1980s,
he failed to sanitize his own hard drive before returning a computer to his
father, who was able to read his personal journal. The privacy concerns
worry him, especially since the U.S. Supreme Court has held that the right
to privacy doesn't apply to discarded items. But what really strikes him is
how many people he found bidding for old drives on eBay. He shudders to
think what they want with them.

"If I were a government interested in doing economic espionage against the
United States, I would allocate a million dollars a year to buy these hard
drives and analyze them," he said. In fact, it wouldn't even take that --
just somebody willing to hold their nose and walk around the municipal dump.

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
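
The three states the article distinguishes (deleted, formatted, overwritten) can be seen on a toy disk image. This is an added example, not part of the article or the forwarded message; the one-block directory layout, `ToyDisk`, `residue` and the sample file contents are constructed for illustration and do not correspond to any real filesystem.

```python
import re
import struct
BLOCK = 512
ENTRY = struct.Struct("<16sH")  # directory entry: file name, length in bytes

class ToyDisk:
    """Constructed model: block 0 is the directory; slot i owns data block i+1."""

    def __init__(self, nblocks=8):
        self.slots = nblocks - 1
        self.raw = bytearray(BLOCK * nblocks)

    def _name(self, slot):
        return ENTRY.unpack_from(self.raw, slot * ENTRY.size)[0].rstrip(b"\0")

    def write_file(self, name, data):
        if len(data) > BLOCK: raise ValueError("one block per file in this toy model")
        slot = next(s for s in range(self.slots) if not self._name(s))
        ENTRY.pack_into(self.raw, slot * ENTRY.size, name, len(data))
        start = (slot + 1) * BLOCK
        self.raw[start:start + len(data)] = data

    def listing(self):
        return [n.decode() for n in map(self._name, range(self.slots)) if n]

    def delete(self, name):  # like delete + empty trash: clears the entry only
        for s in range(self.slots):
            if self._name(s) == name:
                ENTRY.pack_into(self.raw, s * ENTRY.size, b"", 0)

    def quick_format(self):  # rewrites the metadata block, leaves data blocks
        self.raw[:BLOCK] = bytes(BLOCK)

    def overwrite(self):  # sanitization: every block rewritten with zeros
        self.raw[:] = bytes(len(self.raw))

def residue(raw, min_len=12):
    # Printable runs of at least min_len bytes still readable from the raw image.
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, raw)]

def demo():
    disk = ToyDisk()
    disk.write_file(b"atm.log", b"CONSTRUCTED-ACCT 0000 withdrew 40")
    disk.write_file(b"memo.txt", b"CONSTRUCTED private memo")
    disk.delete(b"atm.log")
    after_delete = (disk.listing(), residue(disk.raw))
    disk.quick_format()
    after_format = (disk.listing(), residue(disk.raw))
    disk.overwrite()
    return after_delete, after_format, (disk.listing(), residue(disk.raw))
```

`demo()` returns the file listing and the readable residue after each step: the listing empties out on delete and format while both file bodies stay in the raw image, and only the overwrite leaves nothing to recover.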


