WiebeTech, aware of the problems described in this paper, has created a low cost hardware disk erasing solution, Drive eRazer. The product was created for the same reason as this paper - to foster an awareness of the problems, and to provide a solution.
What's on your old hard drive?
A look at digital security in hard drive disposal
A White Paper
by Justin C. Lauzet
November 12, 2007
There is, despite a number of tools available, a socially lax attitude regarding hard drive disposal. This paper discusses common myths about "deleted" data, the disadvantages of software disk erasing tools, and the lax security surrounding hard drive disposal. It also presents the results of a related study, in which used hard drives were purchased from eBay and file recovery methods were applied to them.
I. The immediate problems
The first problem is clearly a lack of knowledge about how operating systems handle hard drives. The second problem is that users of computers (thus hard drives) are failing to recognize that they have personally identifiable information worth securing. As a digital culture we worry more about network security than we do about security in hard drive disposal. Knowing what is on your hard drive and how to erase it can help prevent identity theft, credit card fraud, or even personal photographs and embarrassing online conversations (as examples) from being discovered and exploited.
Myth 1) "Trashing" all of the files is good enough (no, it's not)
Trashing a file in the typical way does not erase the file. The file still exists on the hard drive in its entire form. What happens when someone empties the Windows recycle bin or the Mac OS trash can is that the directory listing gets altered to forget the file exists. At that moment the file still exists in its entirety. Eventually the file, or portions of the file, may get written over during use of the computer. This is why trashing a file happens so quickly - it doesn't do anything to the file itself.
Myth 2) Reformatting/repartitioning a hard drive is good enough (no, it's not)
A "quick reformat" of a hard drive works on the same principle as trashing a file. Instead of modifying a little bit of the directory, the directory is simply rewritten. The directory appears empty and so the disk looks empty. However, a reformat does not erase a hard drive. In fact, it doesn't do anything to most of the data on the drive - it's all still there, and because of that, files can most likely be recovered with recovery programs. A "full format" also doesn't delete data; it checks the disk for bad sectors. A "low level reformat", which does take the time to write zeros to the entire disk, could also be incomplete if the disk has sectors hidden from the host, known as Host Protected Areas (HPAs).
Myth 3) There's nothing interesting on my drive (there probably is)
A lot of information is stored on your hard drive. What you look at on the internet, emails, personal photographs, passwords to online banking - the list is endless. That is probably enough for an attacker to learn your name, address, location, what you look like, and probably quite a bit more. If nothing else, the people in your email contact list deserve anonymity. They shouldn't suffer because you improperly disposed of a hard drive.
Consider what could be on your old hard drive
* Credit card numbers
* Corporate data
* Email address book / contact list
* Email conversations
* Financial data
* Legal documents
* Personal letters, stories, poems
* Personal photos of friends and family
* Social Security numbers
* Software license keys
* Your name, address and phone number
* Web browser's history
Your hard drive remembers data far longer than you do.
Myth 4) My drive has problems. Surely no one will take an interest, and no one could recover it anyway
A hard drive that's "going bad" is a reason many users will upgrade to a new hard drive. When this happens, most of these users will be satisfied when they get a replacement, and never again consider the old drive. They'll assume it's worthless and going to be tossed out, never to be used again. That doesn't always happen - especially if the drive is in a reseller's hands. Where the hard drive ends up next is too often a complete mystery to the end user.
Depending upon the hard drive's problem, the tenacious file-seeker could still retrieve data. They may use programs able to ignore bad blocks or repair the drive's directory.
Myth 5) My reseller would dispose of my hard drive safely (don't count on it)
Not nearly enough people are making a big enough deal for resellers to care. Also, it's not their security at stake. What's worse, end users clearly are not thinking about their computer reseller potentially having a copy of all data. When you trade in a computer with a hard drive for a new one, or have it upgraded with a new, bigger hard drive, the question you need to immediately ask is: What happens to my old hard drive? Your old computer, or at least your old hard drive, is now an asset that they could attempt to sell. Many of the drives in our study were from resellers. Almost all of them contained data.
Myth 6) My corporate environment is large/important enough that we take this seriously. Don't we?
According to studies, even corporations aren't taking hard drive disposal seriously enough. Our own study (included in this paper) found documents on a drive from a law firm. While the files found on that drive happened to be rather innocuous, the particular firm obviously is not treating their used hard drives with proper care.
II. Software Solutions vs Hardware Solutions
There are plenty of software drive wiping utilities that are available, some of them free. Most are capable of multiple passes. In many cases, they work just fine. However, software solutions do have inherent problems.
Common problems with software drive wiping utilities:
* Slower than hardware. A leading shareware software erasure program was tested on a 160GB SATA drive, and it completed in 1hr 40m. Under identical conditions, our own hardware solution, Drive eRazer, erased a 160GB SATA drive in 44m. Standalone hardware solutions can operate as fast as the disk allows, and do not suffer performance issues due to the operating system or other applications.
* Require a computer, and tie up the entire computer. This can be particularly troublesome when more than one drive needs to be erased.
* Do not properly handle HPAs and DCOs. HPAs (Host Protected Areas) and DCOs (Device Configuration Overlays) are both used to hide portions of the drive from the operating system by making those portions invisible. Both can be cleared with hardware commands, after which the entire disk can be erased. Some software fails to address HPAs and DCOs altogether.
* Operating system specific. Software solutions, being applications, can only be run on one OS (e.g., Windows or Mac OS). Upgrades to the OS can introduce incompatibilities, possibly requiring new versions.
Many users disposing of a single hard drive on their own could be well served by the right software utility. Software is clearly better than using nothing. However, we believe slow speeds and the need for a dedicated computer are the reasons so many drives fail to be erased properly.
III. DoD Specs, Gutmann's Research, and what is "good enough" for most users
The specifications from the Department of Defense (DoD) and Peter Gutmann's 1996 research are considered benchmarks in the disk erasing industry for qualifying hardware and software.
Unlike most users, the Department of Defense considers the sensitivity of the drive's contents. One pass of data to all bits across the disk is good enough to "clear" a drive, according to the DoD. As of June 28, 2007, however, "sanitization" of classified data requires degaussing machines, which will almost surely damage the drive beyond repair, or more obvious methods of physical destruction of the disk. Remember that the Department of Defense deals with classified and top secret information. Before June 2007, the DoD would allow "sanitization" with hardware and software, with various algorithms depending upon where you looked.
Gutmann's research, titled "Secure Deletion of Data from Magnetic and Solid-State Memory", has since caused a stir in the industry. Many software applications mention Gutmann's research and claim that an incredible 35 passes are necessary for secure erasure. What is not traditionally reviewed, however, is what would actually be necessary to read data back after it has been overwritten with one or more passes, according to Gutmann. From Gutmann's paper: "Magnetic force microscopy (MFM) is a recent technique for imaging magnetization patterns with high resolution and minimal sample preparation. The technique is derived from scanning probe microscopy (SPM)".
In the 11 years that have passed since the paper's debut, we've witnessed ever smaller (physically smaller) block sizes. With bits that small, data spread out between four read/write heads, and the wide range of available disk formats, the specific knowledge and cost involved in such a technique are overwhelming, and its actual success comes into question.
The laboratory required for such a technique is very expensive, and the know-how is rare. While the common computer user should worry about how they dispose of hard drives, they should limit their worry. The conclusion here is that for most people 35 passes is unnecessary. For the few people for whom it is necessary, it's simply easier to destroy the drive - those people obviously have more important things to do. "Good enough", for most people, is one pass (or several, for the more concerned) of data written across the drive.
IV. What is necessary before releasing ownership of a hard drive
Answer this question: Do you know anyone with a Magnetic Force Microscope - and do you think the data stored on your drive is worth someone obtaining one? If yes, destroy the drive. There are plenty of techniques for this.
Most people should consider the following recommendation adequate. It can be done quickly, and with relatively little expense. It's not too little and it's not too much:
At least one pass across the drive, with data being written to every bit, properly handling HPAs/DCOs, and a quick check that it worked.
With this done, you can rest comfortably that software programs are not going to be able to reconstruct your data.
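To make Myths 1 and 2, the HPA caveat from Section II, and the recommendation above concrete, here is an added example in Python. It is not code from this paper or from WiebeTech; the 64-sector disk image, its directory layout, the file names and the file contents are all constructed for illustration. It shows that trashing a file or quick-formatting only changes the directory, that a signature scan over the raw sectors still finds the files, that a wipe which stops at the host-visible size leaves an HPA-style hidden region untouched, and what a one-pass overwrite followed by a read-back check looks like.

```python
# Added example (not from the WiebeTech paper): a toy 64-sector disk image.
# All names, the directory layout and the file bodies are constructed.
SECTOR = 512
PHYSICAL_SECTORS = 64    # what the platters really hold
VISIBLE_SECTORS = 56     # what the host is told; sectors 56-63 play the role of an HPA
DIR_SECTORS = 2          # sectors 0-1 hold the directory, one "name:start_sector" per line
PATTERN = b"\x00"        # the one-pass fill value; the check below reads it back

# Constructed file bodies, each starting with a real-world file signature.
FILES = {
    "photo.jpg": (2,  b"\xff\xd8\xff\xe0" + b"JFIF-holiday-photo" * 20),
    "taxes.pdf": (20, b"%PDF-1.4\nname=Jane Example, SSN=000-00-0000\n"),
    "notes.txt": (60, b"PLAINTEXT: sits past the host-visible end of the disk\n"),
}
SIGNATURES = {b"\xff\xd8\xff": "jpeg", b"%PDF-": "pdf", b"PLAINTEXT:": "text"}


def read_directory(disk: bytearray) -> dict:
    """Parse the directory sectors into {name: start_sector}."""
    raw = bytes(disk[:DIR_SECTORS * SECTOR]).rstrip(b"\x00").decode()
    return {name: int(sec) for name, sec in (line.split(":") for line in raw.splitlines() if line)}


def write_directory(disk: bytearray, entries: dict) -> None:
    """Rewrite the directory sectors; nothing outside them is touched."""
    disk[:DIR_SECTORS * SECTOR] = bytes(DIR_SECTORS * SECTOR)
    text = "\n".join(f"{name}:{sec}" for name, sec in entries.items()).encode()
    disk[:len(text)] = text


def make_disk() -> bytearray:
    """Build the image: a directory followed by the file bodies at their sectors."""
    disk = bytearray(PHYSICAL_SECTORS * SECTOR)
    write_directory(disk, {name: sec for name, (sec, _) in FILES.items()})
    for sec, body in FILES.values():
        disk[sec * SECTOR: sec * SECTOR + len(body)] = body
    return disk


def trash_file(disk: bytearray, name: str) -> None:
    """Myth 1: emptying the trash drops the directory entry and nothing else."""
    entries = read_directory(disk)
    entries.pop(name, None)
    write_directory(disk, entries)


def quick_format(disk: bytearray) -> None:
    """Myth 2: a quick format rewrites the directory; every file body stays put."""
    write_directory(disk, {})


def carve(disk: bytearray) -> list:
    """What a recovery program does: scan every physical sector for known signatures."""
    found = []
    for sec in range(PHYSICAL_SECTORS):
        head = bytes(disk[sec * SECTOR: sec * SECTOR + 16])
        for sig, kind in SIGNATURES.items():
            if head.startswith(sig):
                found.append((sec, kind))
    return found


def one_pass_wipe(disk: bytearray, sectors: int) -> None:
    """Write PATTERN to every bit of the first `sectors` sectors."""
    disk[:sectors * SECTOR] = PATTERN * (sectors * SECTOR)


def verify_wipe(disk: bytearray, sectors: int) -> list:
    """The quick check: read back each sector and list the ones not equal to PATTERN."""
    blank = PATTERN * SECTOR
    return [sec for sec in range(sectors) if bytes(disk[sec * SECTOR:(sec + 1) * SECTOR]) != blank]


if __name__ == "__main__":
    disk = make_disk()
    trash_file(disk, "taxes.pdf")
    print("after trash      :", read_directory(disk), "carved:", carve(disk))
    quick_format(disk)
    print("after quick format:", read_directory(disk), "carved:", carve(disk))
    one_pass_wipe(disk, VISIBLE_SECTORS)     # a wipe that trusts the reported size
    print("wipe to visible size, sectors still holding data:", verify_wipe(disk, PHYSICAL_SECTORS))
    one_pass_wipe(disk, PHYSICAL_SECTORS)    # after the hidden region has been removed
    print("full wipe, leftovers:", verify_wipe(disk, PHYSICAL_SECTORS), "carved:", carve(disk))
```

The read-back check is what separates "I ran a wipe" from "the wipe worked": it reports sector 60 after the wipe that stopped at the host-visible size, because the toy's hidden region was never written. On a real drive the same gap appears when an HPA or DCO is left in place, which is why a tool must first query the drive's native capacity and remove the hidden area (on Linux, for example, hdparm's -N option reports the host-visible versus native sector count) before the pass is run over the whole disk.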
As discussed so far, when it comes to hard drives we have a false sense of security in thinking our normal techniques are good enough. The simplest techniques don't do anything to our data. While we don't have to go overboard with 35 passes, the recommended one pass, or several for the more worried, effectively stops almost everyone on the planet from being able to recover data from the drive.
V. Study Results
We wanted to simulate a casual attack, and for our study we purchased only 15 drives from eBay, costing roughly $300, from individuals and resellers who advertised their drives as used, erased, or formatted. We connected the drives and ran software on two computers - a PC running Windows XP, and a Macintosh running Mac OS X 10.4.9 - to retrieve recoverable files from each hard drive. Each drive below receives an identifying nickname, and a listing of what we were able to recover.
Rollie 1 through 5
- The Rollie set included (5) 10GB drives, all identical, which appear to be a RAID set. If we knew these were all from the same RAID set, and knew these were all 5 of its disks, we might have been successful recovering data. Since that was beyond the scope of this study (what can be done with minimal effort on the part of a casual attacker), no attempt was made to recover data from this set.
The "Shoe" series
5 drives purchased in a lot auction all had the word "formatted" written across the top with a black Sharpie marker. The auction advertised these with the phrase "pulls from lease returns. Repartitioned and reformatted each drive." Individual results from the drives follow:
Shoe 1 of 5
- This drive was owned by someone who manages one or more supermarkets.
- Among recovered files are orders to vendors (complete with names and addresses of the owner of the drive), bank statements regarding a mortgage loan (they locked in at 6.25%), nearly 1500 images of food items, and the necessary blank vector based templates to create new newspaper advertisements for that supermarket.
Shoe 2 of 5
- This drive does not mount on Windows, but did mount on OS X, with no data initially readable.
- When attempting to recover any data, the drive was under great physical duress - bad blocks made the recovery program report hundreds of hours remaining on the scan. After 16 hours of this, the scan was aborted.
Shoe 3 of 5
- Appears to be a Law firm's drive. Some of the information was too corrupt to read. No personally identifiable data was found. However, many Word documents were recovered containing information about personal legal rights, and much legal information about adoptions.
Shoe 4 of 5
- This drive was completely zeroed out. No data recovered.
Shoe 5 of 5
- Nothing noteworthy recovered. The only files recovered were images from a Microsoft Windows installation.
Zat 1 of 1
- This drive was purchased from an individual.
- This drive contained image files easily identifying it as being used as a TiVo drive.
- A listing was recovered of what appeared to be recently recorded Pay-per-view movies, many of which were for Backyard Wrestling movies and Pornography.
- As all other TiVo data is readable on this drive, it's assumed that any video files are still on the disk as well. With enough trouble, it's probably possible to decode and view these movie files. Backyard Wrestling, anyone?
Lemon 1 of 1
- This drive was ordered from a "professional" looking PC repair shop that sells laptop parts on eBay and has thousands of positive feedback ratings. They advertised the drive: "may contain data that needs erased".
- The drive had been recently reformatted and had a fresh copy of Windows, but no user data was immediately obvious.
- Recovery programs were run.
- Recovered 30 mp3s from commercial artists (almost entirely consisting of Dido and a cd called "The Best of the Big Bands")
- Recovered nearly 9000 image files from general web surfing and many personal photos.
- The web surfing images included a great many pictures of hanging lamps, female underwear models, and pictures from MySpace. At some point, someone surfing from this hard drive was interested in some form of breast surgery.
- The personal photos were vacation pictures, wedding photos, pictures of friends and family, and literally thousands of pictures of the owner's baby - very proud parent(s) indeed.
- One item of note was a photo of a hand written invitation which revealed the owner's name and location, including a hand drawn map to their house.
- 29 movie files were recovered - all were short clips of the same baby.
- PDFs were recovered containing specific documents about their neighborhood condominium agreements and an application to a yacht club (despite the fact that none of the pictures had a yacht in it).
- Files were found which led us to an online blog, which was active when we checked.
Fret 1 of 1
- This drive was completely zeroed out. No data recovered.
Today 1 of 1
- This drive was purchased from a reseller of computer equipment.
- It was owned by a young man who is, or was, a youth minister for a Baptist church in the southern states. In a recovered personal bio we read that he originally wanted to be a lawyer, but found his calling while at summer camp.
- Papers written as part of the owner's studies.
- Photographs of the owner.
- We learned that he at one point owned a domain name, which is now no longer owned, but we were able to view a copy of it at the Wayback Machine internet archive, where more information about him was available.
- Most of the PDFs and Word documents recovered, dated 2004/2005, were about his religious studies and youth group.
- Scripture passages and detailed information and strategies on how to witness to various other religions.
- Potentially embarrassing recounts of counseling sessions. These included conversations the drive owner had with troubled members of his group.
- Word documents were recovered with the names, addresses, phone numbers, and email addresses of the youth group.
- The budget for his church, including incoming funds, ministers'/secretary wages, guest speaker fees, and how much was allocated for trips was recovered.
Hat 1 of 1
- Vacation photos, thousands of web cache pictures including pictures from real estate searches.
- Pennsylvania DMV registration forms.
- Recovered general information on Federal Employment, and specific application forms for working for the FAA as an Air Marshal.
- 2003 Income Tax Return documents, prepared and saved by TurboTax. This included everything you would expect to see on an income tax return - exact gross income, name and spouse's name, address, employers' name and address, and social security number.
Defense Security Service, Updated DSS Clearing and Sanitization Matrix (June 28, 2007)
"Secure Deletion of Data from Magnetic and Solid-State Memory", Peter Gutmann, Department of Computer Science, University of Auckland, July 1996