An Investigation into the Efficiency of Forensic Erasure Tools for Hard Disk Mechanisms

One of the common anecdotal complaints used when defending the insecure erasure of hard disks is the length of time taken to affect a secure erasure. This paper discusses results of experiments conducted with Unix/Linux based hard disk wiping software when run on various machines and hard disk mechanisms in terms of size, speed and interface. The initial research has uncovered a range of issues and factors that affect the speed of erasure of hard disk mechanisms. Some of these factors included memory configuration and CPU but not in ways that were expected. This paper includes results from contemporary ATA and the newer SATA IDE hard disk drives in use today

The effectiveness of internet activity erasure tools to protect privacy

When most people go to the trouble of getting erasure tools to remove data from their hard drives they expect the job is done correctly. Using erasure tools is a step to protect privacy by assuming the applied tools erase data rather than simply delete data that may be recovered using forensic tools. In this research we tested the performance of the delete function on three web browsers against the performance of eight erasure tools with alarming results. It was found that the erasure tools had almost the same capability to delete data as the web browsers delete function; and that no tool actually erased data. The implications for people using these tools to protect sensitive data are profound. People and organisations as they retire, sell or dispose of their hardware containing information assets require assurance they will not be impacted by the adverse effects of unintended disclosure of sensitive information. Better software solutions are required and better software certification measures require implementation

The Effectiveness of Internet Activity Erasure Tools to Protect Privacy

When most people go to the trouble of getting erasure tools to remove data from their hard drives they expect the job is done correctly. Using erasure tools is a step to protect privacy by assuming the applied tools erase data rather than simply delete data that may be recovered using forensic tools. In this research we tested the performance of the delete function on three web browsers against the performance of eight erasure tools with alarming results. It was found that the erasure tools had almost the same capability to delete data as the web browsers delete function; and that no tool actually erased data. The implications for people using these tools to protect sensitive data are profound. People and organisations as they retire, sell or dispose of their hardware containing information assets require assurance they will not be impacted by the adverse effects of unintended disclosure of sensitive information. Better software solutions are required and better software certification measures require implementation

Industrial Espionage from Residual Data: Risks and Countermeasures

This paper outlines the possible recovery of potentially sensitive corporate information from residual data. It outlines previous work on the recovery of information contained on second hand hard disks and handheld devices and discusses the risk of individuals conducting industrial espionage by targeting specific organizations. It examines the possible avenues for an attacker to obtain a storage device, then discusses the skill level required to extract information from the storage devices and considers the potential risk to an organization from this particular avenue of attack. The paper concludes by proposing a number of possible countermeasures to enable organizations to reduce the risk of this particular form of attac

Zombie Hard disks - Data from the Living Dead

There have been a number of studies conducted in relation to data remaining on disks purchased on the second hand market. A large number of these studies have indicated that a proportion of these disks contain a degree of residual data placed on the drive by the original owners. The Security Research Centre at BT has sponsored a residual data study over the last five years examining disks sourced around the globe, in the UK, USA, Germany France and Australia. In 2008 as part of a 5 year study, Glamorgan University in conjunction with Edith Cowan University in Australia, Longwood University in Virginia USA and the BT Security Research Centre completed the fourth annual disk study aimed at assessing the volume and nature of information that remains on computer hard disks offered for sale on the second hand market. One of the main findings of the study was the high proportion of disks that are sold in a non-functioning state. As in both previous and following years a percentage of the hard disks examined in the 2008 study failed the imaging process and were marked as faulty. This paper describes further analysis of a number of these faulty drives from the UK sample set of the 2008 study. This paper details the analysis of non-functioning disks supplied to the University of Glamorgan to determine the ease with which data can be recovered from these drives using specialist recovery tools. It discusses implications for both computer forensics and information security practices and procedures

The 2006 Analysis of Information Remaining on Disks Offered for Sale on the Second Hand Market

All organisations, whether in the public or private sector, use computers for the storage and processing of information relating to their business or services, their employees and their customers. A large proportion of families and individuals in their homes now also use personal computers and, both intentionally and inadvertently, often store on those computers personal information. It is clear that most organisations and individuals continue to be unaware of the information that may be stored on the hard disks that the computers contain, and have not considered what may happen to the information after the disposal of the equipment. In 2005, joint research was carried out by the University of Glamorgan in Wales and Edith Cowan University in Australia to determine whether second hand computer disks that were purchased from a number of sources still contained any information or whether the information had been effectively erased. The research revealed that, for the majority of the disks that were examined, the information had not been effectively removed and as a result, both organisations and individuals were potentially exposed to a range of potential crimes. It is worthy of note that in the disposal of this equipment, the organisations involved had failed to meet their statutory, regulatory and legal obligations. This paper describes a second research project that was carried out in 2006 which repeated the research carried out the previous year and also extended the scope of the research to include additional countries. The methodology used was the same as that in the previous year and the disks that were used for the research were again supplied blind by a third party. The research involved the forensic imaging of the disks which was followed by an analysis of the disks to determine what information remained and whether it could be easily recovered using publicly available tools and techniques

The 2006 Analysis of Information Remaining on Disks Offered for Sale on the Second Hand Market

All organisations, whether in the public or private sector, use computers for the storage and processing of information relating to their business or services, their employees and their customers. A large proportion of families and individuals in their homes now also use personal computers and, both intentionally and inadvertently, often store on those computers personal information. It is clear that most organisations and individuals continue to be unaware of the information that may be stored on the hard disks that the computers contain, and have not considered what may happen to the information after the disposal of the equipment. In 2005, joint research was carried out by the University of Glamorgan in Wales and Edith Cowan University in Australia to determine whether second hand computer disks that were purchased from a number of sources still contained any information or whether the information had been effectively erased. The research revealed that, for the majority of the disks that were examined, the information had not been effectively removed and as a result, both organisations and individuals were potentially exposed to a range of potential crimes. It is worthy of note that in the disposal of this equipment, the organisations involved had failed to meet their statutory, regulatory and legal obligations. This paper describes a second research project that was carried out in 2006 which repeated the research carried out the previous year and also extended the scope of the research to include additional countries. The methodology used was the same as that in the previous year and the disks that were used for the research were again supplied blind by a third party. The research involved the forensic imaging of the disks which was followed by an analysis of the disks to determine what information remained and whether it could be easily recovered using publicly available tools and techniques

Hard-drive Disposal and Identity Fraud

Abstract. A personal computer is often used to store personal information about the user. This information may be intentionally kept by the user or information maybe automatically stored as the result of the user's activities. In this paper we investigate whether it is possible for identity fraud to occur as a result of post-disposal access to the residual data stored on a personal computer's hard drive. We provide indicative types of information required to commit an identify fraud and examine the personal information contained in a series of second-hand personal computer hard disk drives, purchased as part of a wider research study

The 2009 Analysis of Information Remaining on Disks Offered for Sale on the Second Hand Market

The ever increasing use and reliance upon computers in both the public and private sector has led to enormous numbers of computers being disposed of at the end of their useful life within an organisation. As the cost of computers has dropped, their use in the home has also continued to increase. In most organisations, computers have a relatively short life and are replaced on a regular basis with the result that, if not properly cleansed of data, they are released into the public domain containing data that can be relatively up to date. This problem is exacerbated by the increasing popularity and use of smart phones, which also contain significant storage capacity. From the results of the research it remains clear that the majority of organisations and private individuals that are using these computers still remain ignorant or misinformed of the potential volume and type of information that is stored on the hard disks contained within these systems. The evidence of the research is that neither organisations nor individuals have considered, or are aware of, the potential impact of the information that is contained in the disks from these systems becoming available to an unintended third party. This is the fifth study in an ongoing research programme being conducted into the levels and types of information that remain on computer hard disks that have been offered for sale on the second hand market. This ongoing research series has been undertaken to gain an understanding of the level and types of information that remains on these disks, to determine the damage that could potentially be caused if the information was misused, and to determine whether there are any developing trends. The disks used have been purchased in a number of countries. The rationale for this was to determine whether there are any national or regional differences in the way that computer disks are disposed of and to compare the results for any regional or temporal trends. The disks were obtained from a wide range of sources in each of the regions in order to minimise the effect of any action by an individual source. The first study was carried out in 2005 and since then has been repeated annually with the scope being incrementally extended to include additional research partners and countries. The study in 2009 was carried out by British Telecommunications (BT) and the University of Glamorgan in the UK, Edith Cowan University in Australia, Khalifa University in the United Arab Emirates and Longwood University in the USA. The core methodology of the research has remained unaltered throughout the duration of the study. The methodology has included the acquisition of a number of second hand computer disks from a range of sources and determining whether the data contained on the disks has been effectively erased or if they still contain information relating to previous owners. If information was found on the disks from which the previous user or owner could be identified, the research examined whether it was of a sensitive nature or in a sufficient volume to represent a risk. One of the consistent results of the research through the entire period has been that, for a significant proportion of the disks that have been examined, there was sufficient information present to pose a risk of a compromise of sensitive information to either the organisation or the individual that had previously used the disks. The potential impacts of the exposure of this information could include embarrassment to individuals and organisations, fraud, blackmail and identity theft. In every year since the study started, criminal activity has also been exposed. As has been stated in the previous reports, where the disks had originated from organisations, they had, in many cases, failed to meet their statutory, regulatory and legal obligations

The 2007 Analysis of Information Remaining on Disks Offered for Sale on the Second Hand Market

All organisations, whether in the public or private sector, increasingly use computers and other devices that contain computer hard disks for the storage and processing of information relating to their business, their employees or their customers. Individual home users also increasingly use computers and other devices containing computer hard disks for the storage and processing of information relating to their private, personal affairs. It continues to be clear that the majority of organisations and individual home users still remain ignorant or misinformed of the volume and type of information that is stored on the hard disks that these devices contain and have not considered, or are unaware of, the potential impact of this information becoming available to their competitors or to people with criminal intent. This is the third study in an ongoing research effort that is being conducted into the volume and type of information that remains on computer hard disks offered for sale on the second hand market. The purpose of the research has been to gain an understanding of the information that remains on the disk and to determine the level of damage that could, potentially be caused, if the information fell into the wrong hands. The study examines disks that have been obtained in a number of countries to determine whether there is any detectable national or regional variance in the way that the disposal of computer disks is addressed and to compare the results for any other detectable regional or temporal trends. The first study was carried out in 2005 and was repeated in 2006 with the scope extended to include additional countries. The studies were carried out by British Telecommunications, the University of Glamorgan in the UK and Edith Cowan University in Australia. The basis of the research was to acquire a number of second hand computer disks from various sources and then determine whether they still contained information relating to a previous owner or if information had been effectively erased. If they still contained information, the research examined whether it was in a sufficient volume and of enough sensitivity to the original owner to be of value to either a competitor or a criminal. One of the results of the research was that, for a very large proportion of the disks that were examined, there was significant information present and both organisations and individuals were potentially exposed to the possibility of a compromise of sensitive information and identity theft. The report noted that where the disks had originally been owned by organisations, they had, in most cases, failed to meet their statutory, regulatory and legal obligations. In the third and latest study, conducted in 2007, the research methodology of the previous two studies conducted was repeated, but in addition to Longwood University in the USA joining the research effort, the scope was broadened geographically and the focus was extended to determine what changes had occurred in the availability of sensitive information might be occurring over time