Computer Forensics – Does Your Used Hard Drive Still Have Data On It?

Tom Bartel – a long time colleague going back to the early days of Email Publishing in the mid-1990s and a hardcore privacy advocate currently working at Return Path – mentioned a powerpoint presentation by Simson Garfinkel titled Remembrance of Data Passed: Used Disk Drives and Computer Forensics.  While I don’t know Simson, we were both in the same year at MIT (87) and I remember him as the guy that always had articles and photos in a variety of MIT-related publications and I’m reminded of it every time I see an article by him in Technology Review.

If you care about data security and privacy, it’s worth downloading the powerpoint and scanning through it.  Simson bought 235 used hard drives between 11/2000 and 1/2003 from eBay, computer stores, and swap meets.  He set up a technical infrastructure to mount the drives, image them (using FreeBSD), store the images on a RAID server, store the metadata in a MySQL database, and then mine the data.

Not surprisingly, he found a huge amount of data, including confidential information such as medical records, HR correspondence, and financial data.  For example, Drive #134 was from an ATM in a Chicago bank.  It contained one year’s worth of transactions, including over 3,000 card numbers.  In this case, the bank had apparently hired a contractor to upgrade the ATMs – the contractor hired a sub-contractor.  The bank and contractor assumed the disks would be properly sanitized, but there were no procedures specified in the contract.  As a result, the drives weren’t sanitized correctly and the data was still on them for Simson to play around with.

In addition to explaining the problem and substantiating it with real data, Simson makes a number of suggestions for how to address the issue.  Two of his more severe (but logical) suggestions for cleaning all the data off of used drives are (a) to degauss them with a Type I or Type II degausser or (b) destroy, disintegrate, incinerate, pulverize, shred, or melt the drive. Simson’s ultimate prognosis is that “drive slagging is a fool-proof method to prevent data recovery.”  Just be careful not to light your house (or office) on fire.
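The two technical threads of the post – imaging drives and mining the images, and making sure a drive is actually clean before it leaves the building – meet in one practical check: before a drive goes to a contractor, eBay, or the sledgehammer, read its image back and look for the things Simson found. The script below is an added example, not code from the post or from Simson’s study. It assumes you already have a raw image (a `dd`-style byte dump) and works on a constructed 4 KB sample instead of a real drive; it treats a drive as clean only if it is zero-filled, flags partition/filesystem signatures left behind by a mere “format”, and counts 16-digit, Luhn-valid digit runs as residual card data (a real tool would also cover 13–19 digit PANs and other record types).

```python
"""Pre-disposal sanitization check for a raw disk image (added example).

Verdicts:
  clean        - every byte is zero (a completed zero-fill wipe)
  suspect      - filesystem signatures or Luhn-valid card numbers remain
  inconclusive - non-zero data but no recognizable remnants (random-pattern
                 wipe, encryption, or formats this script does not know)
"""
import re


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum, the check digit scheme used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def filesystem_signatures(image: bytes) -> list[str]:
    """Well-known on-disk magic values that survive a quick format."""
    found = []
    if len(image) >= 512 and image[510:512] == b"\x55\xaa":
        found.append("MBR/boot sector signature at offset 510")
    if image[3:11] == b"NTFS    ":
        found.append("NTFS OEM id at offset 3")
    if image[82:90] == b"FAT32   ":
        found.append("FAT32 type string at offset 82")
    # ext superblock starts at byte 1024; s_magic (0xEF53, little-endian) at +56
    if len(image) >= 1082 and image[1080:1082] == b"\x53\xef":
        found.append("ext2/3/4 superblock magic at offset 1080")
    return found


# exactly 16 ASCII digits, not embedded in a longer digit run
PAN_RE = re.compile(rb"(?<!\d)\d{16}(?!\d)")


def residual_card_numbers(image: bytes) -> list[str]:
    """Return masked forms of Luhn-valid 16-digit runs found in the image."""
    hits = []
    for m in PAN_RE.finditer(image):
        s = m.group().decode("ascii")
        if luhn_valid(s):
            hits.append(s[:6] + "******" + s[-4:])  # never log the full PAN
    return hits


def nonzero_fraction(image: bytes) -> float:
    """Share of bytes that are not 0x00; 0.0 means a complete zero-fill."""
    if not image:
        return 0.0
    return (len(image) - image.count(0)) / len(image)


def assess(image: bytes) -> dict:
    """Combine the three checks into a report with a verdict."""
    sigs = filesystem_signatures(image)
    pans = residual_card_numbers(image)
    nz = nonzero_fraction(image)
    if nz == 0.0:
        verdict = "clean"
    elif sigs or pans:
        verdict = "suspect"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "nonzero_fraction": nz,
            "signatures": sigs, "card_hits": pans}


# --- constructed sample images (not real drive data) ---
SANITIZED = bytes(4096)                       # what a finished zero-fill looks like

_img = bytearray(4096)
_img[3:11] = b"NTFS    "                      # leftover NTFS boot sector header
_img[510:512] = b"\x55\xaa"                   # leftover boot signature
_LOG = (b"2002-03-14 09:12 WITHDRAWAL card=4111111111111111 amt=200.00\n"
        b"2002-03-14 09:15 BALANCE    card=1234567890123456\n")   # second one fails Luhn
_img[2048:2048 + len(_LOG)] = _LOG            # a fragment of an old transaction log
UNSANITIZED = bytes(_img)

if __name__ == "__main__":
    for name, img in (("sanitized", SANITIZED), ("unsanitized", UNSANITIZED)):
        print(name, assess(img))
```

Run it against a real image with `assess(open("drive.img", "rb").read())` (memory-map large images in practice). An “inconclusive” result is not a pass: a drive overwritten with a random pattern, a full-disk-encrypted volume, and a filesystem this script does not recognize all look the same to it, so pair the check with a record of what wipe procedure was actually run, which is exactly what was missing from the contract in the ATM case above.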

Simson logically ponders this issue, especially in our current Patriot Act governed world.  For less than $1,000 and working part time, he was able to collect thousands of credit cards, detailed financial records on hundreds of people, and confidential corporate files.  He concludes by asking – “who else is doing this?”

  • Carl Rosendahl

    At PDI we had a huge stack of old drives with all sorts of information we didn’t want out. So we had an employee fundraiser for a local charity – $1 bought you one whack with a sledgehammer, $5 bought you as many hits on one drive as you wanted. Within a couple hours, all our drives were destroyed, and we raised a few hundred bucks for a good cause. I recommend this method – it feels good, and does good.

  • MikeFrye

    Carl reminds me… In PA there is an outdoor gun range where you bring your computer hardware and shoot it. It feels great and the disk drives make for nice office decor around raise time.

  • Alex

    Very interesting…

  • andre

    This info is not usual, but this is very helpful for me.
