A new report, "A Remembrance of Data Passed: A Study of Disk Sanitization Practices," by two Massachusetts Institute of Technology
graduate students, points out that companies and individuals frequently sell or even give away free old computer disk drives with lots of sensitive information still on them.
The students analyzed 158 disk drives purchased through EBay's online auction site, at various computer stores, at salvage companies, and at swap meets, and found that 74 percent of the drives contained old data that could easily be recovered. Furthermore, 17 percent contained fully installed, functional operating systems with user data that was extremely simple to recover.
Another 36 percent had been freshly formatted but still contained old data that could be recovered, and only a scant nine percent had been properly cleaned before being purchased or given away.
What was on these disks? According to a statement released by MIT, among the sensitive information retrieved were detailed personal and corporate financial records, medical records, and love letters, as well as a ton of personal e-mail including child pornography.
In fact, financial log files on one drive yielded some 2,868 credit card numbers plus bank account numbers, dates of transactions, and account balances. The report postulates that the drive came from an automatic teller machine in Illinois and there was no effort by the bank to remove any financial information on the drive prior to resale.
Moreover, one drive contained 3,722 credit card numbers in what appeared to be a log file, while a number of other drives yielded financial information that had been stored in cached Web pages that had been recovered.
Computer users like me often assume that my machine has features that permanently delete the data stored in a file from the computer's disk drive. Instead, the MIT people say that most operating systems simply change the data to show that the file has been deleted, but then proceed to mark areas of the hard disk that contains the "deleted" data--which is, of course, available for reuse by other programs.
If we assume that data is not overwritten by another program, it still remains undisturbed and can therefore, be accessed using a variety of techniques ranging from simple Unix commands to free and commercial forensic software tools.
So, what do the MIT lads suggest? They would like operating system vendors to include software-based tools that securely delete files and sanitize the disk space they leave behind. They point out that commonly used Microsoft format commands such as fdisk, for example, does indeed verify the integrity of the disk drive blocks but still does not erase files.
Finally, the report advocates that consumers need to be better educated about the best ways to erase the data stored on their computer disk drives, while companies should develop policies for sanitizing storage media that are sold, donated, or reused.
In the meantime, with more than 150 million disk drives retired from their
primary use in 2002 alone, it is likely that a large quantity of potentially
"sensitive" data is floating, unprotected, in the secondary disk drive market.
So, who loves ya, baby?
