In Depth
PC Disposal: Hard-Disk Risk
Are all those old hard drives you're getting rid of completely wiped clean of important company data? Don't be so sure.
By Simson Garfinkel
April 01, 2003 — CSO — A few years ago, when I was in Silicon Valley with nothing to do, I stopped by one of the valley's famed stores that sell used and "recycled" computers. In the store's front were used minicomputers, workstations, terminals and lots of old PCs that had all seen better days. Then I noticed that the store was selling used hard drives as well. A 10GB drive could be had for just $30—quite a bargain at the time.
"You clear the information off these drives before you sell them?" I asked innocently.
"Absolutely," said the man behind the counter. "I do it myself. We run FDisk on every drive. There's no way to get back the information after you do that."
Really? Turns out he was wrong. Running Windows FDisk on a 10GB drive overwrites only 0.01 percent of the drive's sectors. Although Windows doesn't give you any tools for recovering the data afterward, many such tools are currently on the market (for descriptions of those tools, see "Tools of Evidence," Machine Shop, March 2003).
But the real treasure trove that day wasn't on the store's display shelves; it was in the warehouse. The cavernous space out back had several shelves stacked high with old hard drives, each $5, "as is and untested," according to the sign. In other words, nobody had even run FDisk on those drives. Pop one into a computer, and you could recover the previous owner's files simply by running XCopy.
I bought 20 of them.
I took the drives home and started my own forensic analysis. Several of the drives had source code from high-tech companies. One drive had a confidential memorandum describing a biotech project; another had internal spreadsheets belonging to an international shipping company.
Since then, I have repeatedly indulged my habit for procuring and then analyzing secondhand hard drives. I bought recycled drives in Bellevue, Wash., that had internal Microsoft e-mail (somebody who was working from home, apparently). Drives that I found at an MIT swap meet had financial information on them from a Boston-area investment firm. Last summer, I started buying drives en masse on eBay.
In all, I bought and analyzed the content of more than 150 drives with the help of Abhi Shelat, another graduate student at MIT's Laboratory for Computer Science. We found that between one-third and one-half of the drives still had significant amounts of confidential data, even though many had been through a Format or FDisk operation. On another third, someone had deleted the document files but left the applications behind. It was a simple matter to undelete the data files and retrieve their secrets as well.
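The gap between rewriting a partition table and overwriting a drive can be checked before a disk leaves the building. The sketch below is an added example, not code from the article: the function names, the 512-byte sector size and the 10,000-sector sample image are assumptions, and the "partition table only" step is a constructed model, not FDisk itself. It counts how many sectors a clearing step changed and how many still hold non-zero data.

```python
import io

SECTOR = 512  # bytes per sector (assumption: classic 512-byte sectors)

def audit_image(stream, sector_size=SECTOR):
    """Count sectors of a raw disk image that still hold non-zero bytes."""
    zero = bytes(sector_size)
    total = dirty = 0
    while block := stream.read(sector_size):
        if block != zero[:len(block)]:
            dirty += 1
        total += 1
    pct = 100.0 * dirty / total if total else 0.0
    return {"total": total, "dirty": dirty, "dirty_pct": pct}

def changed_pct(before, after, sector_size=SECTOR):
    """Percent of sectors that a 'clearing' step actually modified."""
    n = len(before) // sector_size
    changed = sum(
        before[i * sector_size:(i + 1) * sector_size]
        != after[i * sector_size:(i + 1) * sector_size]
        for i in range(n)
    )
    return 100.0 * changed / n

def build_used_drive(sectors=10_000):
    """Constructed sample: every sector holds leftover document bytes."""
    text = b"CONFIDENTIAL MEMO (constructed sample) "
    return bytearray((text * 20)[:SECTOR] * sectors)

def partition_table_only(image):
    """Constructed model of a tool that rewrites just the first sector."""
    out = bytearray(image)
    out[:SECTOR] = bytes(SECTOR - 2) + b"\x55\xaa"  # empty table + boot signature
    return out

def zero_fill(image):
    """Overwrite every sector with zeros."""
    return bytearray(len(image))

if __name__ == "__main__":
    used = build_used_drive()
    for name, img in (("partition table only", partition_table_only(used)),
                      ("zero fill", zero_fill(used))):
        r = audit_image(io.BytesIO(img))
        print(f"{name}: modified {changed_pct(used, img):.2f}% of sectors, "
              f"{r['dirty']}/{r['total']} sectors still hold data")
```

The zero-sector test only confirms a zero-fill overwrite; a drive wiped with a random pattern would need a different acceptance check.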


