(Text for those without flash or javascript) Fulcrum's professionals are experienced CPAs, MBAs, ASAs, CFAs, affiliated professors and industry specialists Our expertise encompasses damages analysis, lost profit studies, business and intangible asset valuations, appraisals, fraud investigations, statistics, forensic economic analysis, royalty audits, strategic and market assessments, computer forensics, electronic discovery and analysis of computer data.
Computer Forensics / Electronic Discovery

Computer Forensics Study: Selling More Than You Bargained For

February 2007
Library Sections:

Computer forensic examiners find a treasure-trove of information on used hard drives. While the message about the need to destroy electronic data contained on computer disks and other electronic devices when they are disposed of has been out for some time, Fulcrum Inquiry's Steve Peskaitis and Jared Schultz thought they would test how well the public is responding to the message. The sad result of their investigation: most users are at risk of having their personal information read by others. Here is what they discovered, and what the public can do about it.

Fulcrum Inquiry analyzed 70 used hard drives purchased from 14 different sources. Most of the drives purchased were supposedly cleansed of all information. Peskaitis and Schultz also asked for the process that was used to clean the drives and were usually told that the drives had been low-level formatted.

Using computer forensics, Fulcrum Inquiry attempted to recover information from these hard drives. Admittedly, the tools used by the duo are complex and technical but electronic-knowledgeable thieves can - easily - do what they did.

From the disks that actually worked, Fulcrum Inquiry recovered private data from almost two-thirds (62 percent) of the disks. Specifically:

- 37 drives (53 percent) contained recoverable information
- 23 drives (33 percent) had been properly wiped/cleaned
- 10 drives (14 percent) were non-operational

The properly cleaned drives were either (i) low-level formatted or (ii) wiped using special software that overwrites data.

A Goldmine of Personal Information

Of the 37 drives containing recoverable data, all but four were formatted in an attempt to remove data. Despite the formatting, here is the type of information which was obtained:

Example #1 - Bob:

Bob is unemployed and on disability but has experience in the construction industry. His interests include playing his new guitar, body art and weight lifting. He appears to be infatuated with a particular female celebrity. He has credit problems and is thousands of dollars in debt. Bob served time in jail and is currently living in low-income housing.

Because Bob formatted his hard drive prior to selling it, he obviously did not want his information released. To a casual observer, all files were gone. Nevertheless, Fulcrum Inquiry recovered tens of thousands of files that would allow his identity to be stolen easily:

  1. An image of Bob's birth certificate
  2. An image of Bob's drivers license
  3. An image of Bob's social security card
  4. Bob's Last Will and Testament
  5. Pictures of Bob and his family
  6. A personal letter from Bob to his favorite female celebrity
  7. An image of Bob's college diploma
  8. Adult images and videos
  9. Collection agency letters
  10. Credit card statements
  11. Bob's memoirs
  12. Approximately twenty thousand pictures which appeared to come primarily from Web surfing
  13. Financial aid documents
  14. Business expense receipts
  15. Rent receipts
  16. Hundreds of other documents

Example #2 - Nurse Betty:

Nurse Betty works in the pediatric ward at a hospital. Along with recovering confidential medical records and history were patient names, conditions, medicines prescribed, and the doctors who prescribed them. The hospital's efforts to remove this private information were not successful.

Betty accesses a central database of medical information. Although the database is not maintained on her computer, her computer stored the information locally. This is similar to Internet files that are stored locally when a user visits a Web site. Simply accessing information often leaves remnants behind.

Example #3 - Ted:

Ted is a project manager for a state government agency. Thousands of government documents and communications related to Ted's job were recovered, many of which were labeled confidential.

Of particular importance to Ted and his employer, Ted appears to be moonlighting in a field that potentially represents a conflict of interest with his government position. Ted also has many personal pictures of family and friends on his computer, as well as personal banking information.

As with practically all of the disks purchased, the vendor selling Ted's hard drive claimed it had been cleansed of all information.

Other personal information available on the purchased disks included:

  1. Bank accounts and credit cards
  2. Personal pictures of babies, children, weddings, friends and vacations
  3. Business e-mail and attachments
  4. Web browsing details

Adult content was found on both work and personal computers. Although some of the pornographic images were of the "commercial" variety, also found were personal pictures not intended for distribution.

Drives purchased from eBay had the highest data recovery rate. Every one of the operational drives purchased on eBay contained information that could be recovered.

Size and cost of the drives seemed to matter. Smaller or less expensive drives were more likely to contain recoverable information. Initially Fulcrum Inquiry focused on smaller drives - 80MB to 15GB (ranged from $0.50 to $15 per drive). Mid-way through the study, the recovery rate was 88 percent. Moving to larger drives - 15GB to 80GB (ranging from $15 to $26), the recoverable data dropped, most likely because the businesses involved took data security more seriously, and employed additional resources.

The value of the drive might explain some laxness: Properly cleaning drives is time-consuming. Someone selling an inexpensive disk might be tempted to take shortcuts.

Lessons to be Learned

  1. Information can be recovered from a hard drive even if attempts have been made to delete files, or by performing a quick format.
  2. Users know they need to remove their old information but lack the technical understanding to accomplish this properly.
  3. Properly cleaning drives is time-consuming. Too many vendors took the quick but also incomplete route.
  4. The lower the value of the drive, the less likely it was cleaned properly. The data on the "small" drives was still voluminous and worthy of keeping safe.
  5. Fourteen percent of the drives were non-operational, indicating a decent chance that the buyer is wasting time when purchasing a used disk drive.

Fulcrum Inquiry's advice applies to every type of electronic media including memory cards, backup tapes, cell phones, digital copiers and most handheld electronic devices.

To properly dispose of data:

  1. Low-level format the drive. Do not use the quick format, which may be the default.
  2. Use wiping software designed to overwrite information.
  3. Physically destroy the media (think big hammer or very strong magnet).
  4. Hire a firm to dispose of the drive. Unfortunately, this service may cost more than the value of the drive.

To protect those whose information was obtained, Fulcrum Inquiry changed the names in the above descriptions. After notifying the hospital and government agency of the breached confidential records and giving them the opportunity to collect their information, Fulcrum Inquiry wiped/erased all data properly.

Fulcrum Inquiry is a litigation-consulting firm that performs computer forensics, economic damage calculations, and expert witness testimony