Hard Drive Security Study

With the introduction of Drive eRazer Ultra, WiebeTech's latest drive erasure hardware solution, we're reviewing again how the general public handles data security when disposing of old hard drives.


A second look at digital security in hard drive disposal


A White Paper

by Justin C. Lauzet
September 7, 2011


Introduction

This paper revisits the topic of our 2007 paper, "What's on your old hard drive?" We explore why people are not erasing drives properly and discuss how to erase a hard drive correctly.

What bad guys are interested in

Almost everyone has data that a bad guy can be interested in. Email history and personal photos alone are enough to be "interesting", but most users store more than that, including passwords, tax information, and other financial data. Listed in the order we think a thief is most likely to exploit them:
  • Passwords to online sites (banking, social networks) leading to unauthorized access
  • Financial information leading to stolen credit
  • Personal information leading to identity theft
  • Email contact lists for email address harvesting
  • Stored license keys for unauthorized use of software
  • Knowledge of a person's income, exact location, and possessions (often in photos) for burglary
  • Work/office remote access passwords for accessing still active systems

End users, resellers, and corporations are not erasing hard drives properly

In our two studies (2007, 2011) we found that approximately 2/3 of the drives we purchased on eBay were not erased properly. It's a good thing for the previous owners that we're the good guys.



Improper methods used to erase hard drives

We know from discussions, exploring the internet, and through our own studies that there are methods being used to "erase" drives that are completely ineffective. These include:
  • Dragging everything to the trash/recycle bin
  • Formatting a drive
  • Removing the partition table from a drive
While they give a false appearance of success and are certainly fast, these methods do nothing to the drive's contents - they only rewrite the drive's index (the file system metadata), so every data sector is left intact. As a general rule, if the erasure method only takes a few seconds to run, it is not over-writing the data. A full erase must write over every byte on the drive, so it takes time proportional to the drive's capacity: roughly capacity divided by the drive's sustained write speed, which is hours for a large drive.

These improper methods are analogous to attempting to evict a tenant from a house by only removing his name from the mailbox.

How to properly erase a hard drive

In order to properly erase a hard drive, you must write over all of the data with software or hardware designed for the task. These products "wipe" the data from the start of the drive, working sequentially to the end and intentionally over-writing every byte. The phrase "zero out a drive" means that zeros are written to every bit on the drive (a bit can be 0 or 1). A good tool reads the drive back afterwards to verify that the overwrite actually reached every sector.

The effectiveness of a properly erased hard drive

Data recovery applications, or "unerase" software, exist which can reconstruct accidentally deleted files. This software is effective at recovering single files or entire volumes of data if an improper erasure method was used. Recovery programs are inexpensive, sometimes free, and easy to use.

Software recovery works because improper deletion leaves the data sectors intact: the tool either re-reads the stale file system metadata that a format or partition-table deletion left behind, or scans the raw sectors for known file signatures ("carving") and reconstructs the files from what it finds.
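The following is an added example, not code from the paper or from WiebeTech, that demonstrates both points above on a constructed in-memory disk image: the "improper" methods only rewrite the index, so a signature-carving pass (the same technique unerase tools use) still finds the files, while one sequential zero pass over every byte leaves nothing to carve. The image layout, the two "files", the signature list and the 512-byte sector geometry are all invented for the demonstration.

```python
# Added example, not from the paper: a constructed disk image showing why a quick
# format leaves files carvable while a single zero pass does not.

SECTOR = 512
IMAGE_SECTORS = 2048            # a 1 MiB constructed "drive"
INDEX_SECTORS = 8               # the first 4 KiB stands in for the file system index

# Constructed "files" and the sector where each is stored.  The JPEG body uses a
# fixed byte pattern so the only JPEG signature in the image is the real header.
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) * 12 + b"\xff\xd9"
TAXES = b"Form 1040 - SSN 000-00-0000 - total income $54,321\n"
FILES = {"photo.jpg": (200, JPEG), "taxes.txt": (900, TAXES)}

# Signatures an "unerase"/carving tool scans for once the index is gone.
SIGNATURES = {"jpeg": b"\xff\xd8\xff", "tax-form": b"Form 1040"}


def build_image() -> bytearray:
    """Fill the drive with a fixed pattern (old junk), write a tiny index in the
    first sectors, then write each file's bytes at its sector offset."""
    img = bytearray(b"\xa5\x5a" * (IMAGE_SECTORS * SECTOR // 2))
    index = "".join(f"{name}@{sector}\n" for name, (sector, _) in FILES.items()).encode()
    img[: len(index)] = index
    for sector, data in FILES.values():
        img[sector * SECTOR : sector * SECTOR + len(data)] = data
    return img


def carve(img: bytes) -> dict:
    """Signature-based recovery: return {label: [byte offsets]} for every hit."""
    hits = {}
    for label, magic in SIGNATURES.items():
        offsets, start = [], 0
        while (pos := img.find(magic, start)) != -1:
            offsets.append(pos)
            start = pos + 1
        if offsets:
            hits[label] = offsets
    return hits


def quick_format(img: bytearray) -> None:
    """Improper erase: only the index sectors are rewritten, which is all a quick
    format or a partition-table deletion does.  Data sectors are untouched."""
    img[: INDEX_SECTORS * SECTOR] = bytes(INDEX_SECTORS * SECTOR)


def zero_pass(img: bytearray, chunk: int = 64 * 1024) -> None:
    """Proper erase: one sequential pass writing zeros over every byte, start to end."""
    for off in range(0, len(img), chunk):
        end = min(off + chunk, len(img))
        img[off:end] = bytes(end - off)


def verify_zeroed(img: bytes) -> bool:
    """Read-back check a wipe should finish with: every byte must be zero."""
    return img.count(0) == len(img)


def demo() -> tuple:
    img = build_image()
    quick_format(img)
    after_format = carve(img)        # index gone, but both files are still found
    zero_pass(img)
    after_wipe = carve(img)          # nothing left to reconstruct
    return after_format, after_wipe, verify_zeroed(img)


if __name__ == "__main__":
    fmt, wiped, ok = demo()
    print("after quick format:", fmt)
    print("after one zero pass:", wiped, "verified:", ok)
```

On a real drive the same two steps are `dd if=/dev/zero of=/dev/sdX bs=1M` followed by reading the device back and confirming it contains only zeros; the carver here is deliberately simple, but it finds exactly what a commercial unerase tool would find after a format.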

Some believe a myth that says, "elite groups of programmers have software which can read back data after it has been overwritten."

Keep in mind that a hard drive's only job is to report what was written on it last. If it stops doing this job, it fails as a hard drive (by definition). To believe that software can read anything other than what was most recently written on it is a false notion.

Consider this: If it were possible for hard drives to read back older generations of data, competitive hard drive manufacturers would quickly seek to use this technique as a method to store more data.

A properly erased hard drive is always 100% effective at stopping software recovery methods, since no data remains on the drive to reconstruct. "Properly" includes reaching every sector: an overwrite tool that only sees the partition or the capacity the operating system reports can miss data in hidden drive areas (the HPA/DCO discussed below), which is one reason firmware and hardware erasure have an advantage.

Gutmann's research (reading previous generations of data with a microscope)

Old research suggests that previous generations of data can be read by physically opening the drive, removing the platters, and imaging them with a Magnetic Force Microscope (MFM) [2]. Peter Gutmann's 1996 paper, which proposed this attack and the 35-pass overwrite pattern that caused so much concern, is almost certainly not applicable to modern hard drive technology; Gutmann himself notes in a later epilogue to the same paper that for modern drives a few passes of random data are as good as it gets.

In our 2007 paper we proposed that this was not realistic, for a few reasons:
  • Hard Drives become more and more dense with data each year and the physical bits continue to shrink.
  • The amount of "residual data" and its usefulness is dubious at best.
  • Different drives spread data out over different platters in proprietary ways (which must be known by the examiner)
  • Different file system formats store data in different ways, further increasing the unlikeliness that the location of the desired data is known.
Shortly after our paper was released, forensics examiners Craig Wright, Dave Kleiman, and Shyaam Sundhar put these claims to the test. Their paper goes a long way towards debunking the myths that surround the theoretical application of MFMs and asserts that any one bit "has only a marginally better chance of any recovery than tossing a coin." [1]

Their conclusion is straightforward:

"This study has demonstrated that correctly wiped data cannot reasonably be retrieved even if it is of a small size or found only over small parts of the hard drive. Not even with the use of a MFM or other known methods. The belief that a tool can be developed to retrieve gigabytes or terabytes of information from a wiped drive is in error."


The number of passes required to properly erase a drive

Today we believe the answer to that is one pass. With one pass, by definition, software recovery methods will not be able to recover data from a drive. We also believe that usable data is unrecoverable with microscopes after having been over-written, and so we remain firm in our belief that a one pass erasure stops all recovery.

We recognize that some agencies and departments have standardized on more than one pass. This is mostly due to the fear, uncertainty, and doubt that has surrounded this topic for years; an uncertain policy maker will usually err on the side of caution. For this reason, for the foreseeable future there will be software and hardware products that advertise multiple passes. Supporting these policies is still important for erasure tools, simply because the market asks for it, even if the extra passes do no more than offer peace of mind.

Destroying Hard Drives

Some government agencies need to be 100% certain that data will not fall into the wrong hands. These agencies often destroy their old drives if the data on them is classified as "top secret". Consider an operator who neglects (or deliberately skips) the proper erasure and lets a "top secret" drive out into the public. Given the sensitive nature of such data and the human factor, we do not find fault with the practice of destroying such drives. Hard drives which do not contain national secrets, however, should be considered suitable candidates for proper erasure and reuse.


Why the public does not erase drives correctly

From our experience, here is what we've learned that keeps the public from erasing their hard drive properly:
  • Lack of awareness of data's value keeps some from thinking about erasure at all
  • Many take the time to erase a drive, but use an ineffective method
  • The belief that 35 passes are required can keep someone from starting, as 35 passes take an excessively long time to complete
  • Having many hard drives to erase can be a difficult task to manage
  • Unwillingness to tie up a computer for the time required to erase a drive
  • Limited by the number of computers available for erasure
  • Unable to easily connect a bare drive to a computer. An enclosure or drive dock is often required
  • Software applications sometimes require booting into a different operating system which renders the computer unusable for other tasks until the process completes
  • Software applications may allow you to accidentally erase the wrong hard drive, such as a computer's main drive instead of a connected drive

How hardware erasers can help

Hardware drive erasers can assist in important ways:
  • Making it easy to start an erasure, requiring just a few button presses
  • Performing faster than software applications, often at the drive's maximum write speed
  • Removing the ambiguity of which drive will be erased
  • Acting on its own as a dock and computer, and not tying up a computer workstation
  • Correctly handling hidden drive areas (the Host Protected Area and Device Configuration Overlay, HPA/DCO), which most software applications fail to address because the operating system never sees those sectors
  • Providing an easy way to trigger Secure Erase
  • Helping to create a paper trail for erased drives with automatic verification label printing

Secure Erase

Secure Erase is an erasure command of the ATA command set implemented on many modern hard drives (greater than 15GB). The feature ships in the drive's firmware (written at the factory), so the host only issues the command and the drive does the work, reaching every user-addressable sector regardless of what the operating system can see. Like the other methods, Secure Erase on a magnetic drive sequentially overwrites every bit of every track. (On a flash SSD the firmware may instead erase all flash blocks, or on a self-encrypting drive discard the encryption key; the command is the same but the mechanism differs.)

NIST special publication 800-88 "Guidelines for Media Sanitization" addresses Secure Erase specifically:

"Degaussing and executing the firmware Secure Erase command (for ATA drives only) are acceptable methods for purging."

We want to point out that degaussing (exposing the drive to a strong magnetic field in a purpose-built degausser) also erases the servo tracks written at the factory, so it usually destroys the drive as a working device, rendering it permanently inoperable. Secure Erase, by contrast, leaves the drive reusable.
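The following is an added example, not code from the paper, from WiebeTech or from the hdparm project, showing the checks a practitioner makes before issuing ATA Secure Erase from Linux and the hdparm command sequence that results. It parses the "Security:" block that `hdparm -I` prints (the sample output below is constructed in that format), refuses to proceed when the drive is frozen, locked or lacks the feature, and prefers the enhanced erase when the drive offers it. Nothing is executed; `/dev/sdX` and the throw-away password "Eins" are placeholders.

```python
# Added example, not from the paper or from hdparm: decide from the "Security:"
# block of `hdparm -I` whether ATA Secure Erase can proceed and build the
# hdparm command sequence.  Nothing is executed; the sample output is constructed,
# and /dev/sdX and the password "Eins" are placeholders.
import re

SAMPLE_HDPARM_I = """\
/dev/sdX:

ATA device, with non-removable media
Security: 
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t60min for SECURITY ERASE UNIT. 60min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""


def parse_security(hdparm_output: str) -> dict:
    """Return the drive's ATA security state from the Security: section."""
    state = {"supported": False, "enabled": False, "locked": False,
             "frozen": False, "enhanced_erase": False, "erase_minutes": None}
    in_section = False
    for line in hdparm_output.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if not in_section:
            continue
        if line and not line[0].isspace():
            break                                   # next top-level section of hdparm -I
        words = line.split()
        if words == ["supported"]:
            state["supported"] = True
        elif words == ["supported:", "enhanced", "erase"]:
            state["enhanced_erase"] = True
        elif words and words[-1] in ("enabled", "locked", "frozen"):
            state[words[-1]] = words[0] != "not"    # "not\tfrozen" versus "\t\tfrozen"
        m = re.match(r"(\d+)min for SECURITY ERASE UNIT", line.strip())
        if m:
            state["erase_minutes"] = int(m.group(1))
    return state


def secure_erase_plan(state: dict, dev: str = "/dev/sdX", password: str = "Eins") -> tuple:
    """Return (blocker, commands): blocker is None when the erase can proceed,
    otherwise the reason; commands is the hdparm sequence to run as root."""
    if not state["supported"]:
        return "drive has no ATA security feature set: fall back to a full overwrite", []
    if state["frozen"]:
        return "drive is frozen by the BIOS/controller: suspend-resume or hot-plug it, then re-check", []
    if state["locked"]:
        return "drive is locked with an unknown password: Secure Erase needs that password", []
    if state["enabled"]:
        return "a user password is already set: erase with that password instead of setting a new one", []
    erase_flag = "--security-erase-enhanced" if state["enhanced_erase"] else "--security-erase"
    return None, [
        f"hdparm -I {dev}",                                              # re-check right before erasing
        f"hdparm --user-master u --security-set-pass {password} {dev}",     # set a temporary user password
        f"hdparm --user-master u {erase_flag} {password} {dev}",            # blocks until the firmware finishes
        f"hdparm -I {dev}",                                              # afterwards expect 'not enabled' again
    ]


if __name__ == "__main__":
    st = parse_security(SAMPLE_HDPARM_I)
    blocker, cmds = secure_erase_plan(st)
    print(st)
    print(blocker or "\n".join(cmds))
```

The "frozen" state is the usual stumbling block: most BIOSes freeze the security feature set at boot, and the command is rejected until the drive is power-cycled while the system stays up. Before either Secure Erase or a software overwrite, `hdparm -N /dev/sdX` and `hdparm --dco-identify /dev/sdX` show whether an HPA or DCO hides part of the capacity, and after the erase a read-back of sample sectors (for example with `dd`) confirms they contain only zeros. Drives that report "more than 508min" will not match the minute regex and simply report no estimate.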

Our eBay study

The point of our studies has been to simulate a casual attack, in much the same way a thief interested in recovering user data would. This year we spent around $250 on 15 used hard drives. We sought hard drives that were marked simply as "used", "pulls from systems" or were otherwise unclear about their origin. We did not worry if they were advertised as "erased", "formatted" or "partitioned". We avoided drives if they were marked as "cleared", "wiped", or "zeroed".

If we wished to continue our simulated attack as a digital thief might, we would simply resell the used hard drives to new buyers on eBay and continue with more drives, with no further cash investment.

This time around we saw data similar to our first study. Here's a quick overview of the highlights of what we recovered in 2011 (in each of these cases we were able to identify the name and location of the original owner):
  • A drive with more than 12,000 personal photographs (which revealed location, names, and hint at income level)
  • A very large volume of bankruptcy documents from a company going through chapter 11 - including a list of their debtors with amounts owed, along with tens of thousands of emails
  • Drives from two different schools (with staff information)
  • A drive from a graphic designer (including project source files and software license keys to popular and expensive design software)
  • A corrupt drive (bad blocks) that we stopped after 100 hours of recovery, but from which we still managed to recover, among other data, valid software license keys.

Nearly all of the drives we obtained in both studies had no data immediately visible after mounting them, which means that someone had made a minimal effort at erasing the data (often by reformatting or deleting the partition table). We then ran software recovery programs to "unerase" the data, looking for information that had been improperly deleted. These methods of recovery are as easy as running an application and waiting for a progress bar.

Conclusion

There are still many end users - and even more importantly resellers who have the trust of their customers - who are failing to erase used hard drives properly. The word needs to get out from concerned users that their drives need to be erased properly before being resold as a profitable component.

End users need to be aware that when they upgrade their computer at a reseller and leave the old one behind, their old hard drive still exists. Where that drive ends up next needs to be important to them.

All users and corporate policy makers need to be aware that techniques are often deployed that are completely ineffective and that these methods allow for easy software recovery of data.

Bottom line - anyone releasing ownership of a used hard drive needs to make a smart decision about how the data will be erased before they let go.

References


[1] Craig Wright, Dave Kleiman, and Shyaam Sundhar R.S., "Overwriting Hard Drive Data: The Great Wiping Controversy", ICISS 2008, LNCS 5352, pp. 243-257, 2008.
http://www.vidarholen.net/~vidar/overwriting_hard_drive_data.pdf

[2] Peter Gutmann, "Secure Deletion of Data from Magnetic and Solid-State Memory", Department of Computer Science, University of Auckland, USENIX Security Symposium, July 1996
http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html