Formatting a hard drive is enough security if giving a computer away - or is it?

I recently had cause to recount an experience with one of my clients several years ago at another forum.

A client of mine was once convinced that despite my advice, nothing short of forensic recovery would put his old data at risk when he decided to donate some old workstations to a youth hostel. He wanted me to just delete the partitions the OS was sitting on, format and reinstall Windows. I did that on one machine right in front of him. Then I asked him to give me a few hours with that box on my own.

I returned the machine to him several hours later, with PDF copies of a few of "his" clients Tax Returns (complete with Tax File numbers) and a variety of other highly sensitive data sitting on the computer's desktop ready for the reading on a freshly installed copy of Windows 7 Pro. The entire exercise took about 4 - 5 hours, less than 30 minutes of actual hands-on work on my part. He was so grateful for my taking the time to show him what he was risking that I scored a $200 voucher to a high-end restaurant in Melbourne on top of my fee. Some people just need to physically "see" the proof of the pudding in order to believe.

What's your take? Are you still finding people insist on knowing better? I'm contemplating writing an article on this topic, but it seems so obvious to me that I wonder if it's going to turn out to be a wasted effort?

Regards, Andrew
0
LVL 114

Expert Comment

by:John
If I personally know the person who will receive the computer, I will format it and put the OEM operating system back on. I have done this and zero issues arise from this method. By the time the user would dump it, there would not be any usable information from the first user.

If I am donating to a charity and wish the computer to be usable, there are special programs one should use to ensure a military grade deletion of files.  That will work as well.

If junking the computer, we take the hard drive out and drill six or seven hole through the drive.

If I am junking my computer, I dismantle the hard drive and break up the platters.

I have not yet discarded a machine with an SSD drive but some portion of the steps above will work.
0
LVL 6

Expert Comment

by:Joe Fulginiti
I agree with John 100% but would also like to add when you setup a new computer, enable full disk encryption like bitlocker for Windows or FileVault for mac.  Then when you give your computer away, you can clear the TPM or secure enclave and your data will be gone for good.  I also setup bitlocker on all new servers I setup.  That way when the server is end of life, I just have to reset the TPM plus, if a hard drive fails, I have no problem sending the drive back in for a warranty exchange.
0
LVL 29

Author Comment

by:Andrew Leniart
@John
Agreed. A couple of passes with a drill press kept in the garage from my old chippy days, not only safeguards the data in a totally unrecoverable fashion, but I also find something strangely satisfying in hearing the platters initially shatter inside the drive housing :)

@Joe
Never considered enabling encryption and then tossing the key away when reformatting a drive. I must say that in over 20 years in the game now, the only time I've personally encountered encrypted drives or laptops is when I've been approached to try and help recover data from them. Apart from laptops, I never bother with them and don't recall ever dealing with a client who made use of it. You make some good points for its use though Joe - particularly the confidence in returning a drive still under warranty.

Thanks for your input guys.
0
LVL 34

Expert Comment

by:John Tsioumpris
Well i cant say that i have tried it but i guess a clever method would be to copy paste replace files with the same name /size with dummy ones..
0
LVL 29

Author Comment

by:Andrew Leniart
a clever method would be to copy paste replace files with the same name /size with dummy ones

I can verify that works as well, John. I had the same thought a couple of years ago, so I over-wrote the files with empty ones. Actually, all I did was to open Documents, pressed ctrl-a and then delete, then saved and then permanently deleted. Tried a deep recovery after deleting them and just managed to recover empty files.

I see no reason why just over-writing the files with another of the same name wouldn't achieve the same thing.
0
LVL 52

Expert Comment

by:noci
Well i cant say that i have tried it but i guess a clever method would be to copy paste replace files with the same name /size with dummy ones..
Well to be blunt no that is not a clever way.

Just writing 0  all over the platter means the traces of misaligned tracks can be excelently read in recovery systems.

To erase you need to write a security pattern on the disk:
First write all 11111...., then 010101010.....   then 101010101010... then all 000000  and finish it off with a RANDOM pattern.
And you need to wipe ALL blocks on disk.

Tracks are never exactly overwritten, due the heat differences platters & heads expand and shrink leaving varying traces of magnetic fields just outside of the main track.
(Compare to a meandering river, that leaves traces of old runs of the river in a landscape).   From those traces old data can be picked up.

Another way to do this fast is to only use encrypted disks (that leaves a random patter on the disk, and only wipe the key area (1 or 2 blocks)  using secure erasing.
Yep all data is still there, and yep you can retrieve the encrypted form easily.   If the keys were good, then good luck recovering the data.


Overwriting files by delete old en replace with garbage) will never work, as the new file will not be on the same disk blocks as the previous one. (unless the disk was 100% full before the delete and again 100% full after the save).
writeing zero's into a file will hide the content for an regular OS, not in a data recoverly lab.
0
LVL 52

Expert Comment

by:noci
*plaaters* = platters  *expand* = expand.
*retrievethe* = retrieve the
0
LVL 29

Author Comment

by:Andrew Leniart
*plaaters* = platters  *expand* = expand.
*retrievethe* = retrieve the

LoL! Don't you hate it when that happens noci? Ya could have just edited your post by the way :)
1
LVL 52

Expert Comment

by:noci
Yes, the edit only showed when i reloaded the page, before that there was no menu behind the 3 dot/hamburger menu.
Now fixed it... :-;....
0
LVL 40

Expert Comment

by:BillDL
I bought a 2nd hand EIDE hard drive from a PC refurbisher on eBay many years ago.  There was an ID written on the label in felt-tip pen containing the letters "NHS".  This is a well known acronym for the National Health Service in the UK.  Out of curiosity I ran GetDataBack on it and recovered a massive amount of very confidential information relating to psychiatric patients at one of the NHS hospitals in the area where the eBay seller was located.

After many emails and phone calls I finally managed to speak with the IT manager who was responsible for phasing out old IT equipment and passing it on through a recycling / refurbishment company.  I told him that I had recovered a lot of highly personal data from a hard drive that had come from a PC at the named hospital and told him who I had bought it from so that he could review the procedures and companies used.  I was met with a patronising wall of denial accompanied by an explanation of how drives are securely wiped, and was more or less told that I was lying and perhaps trying to extort money.

I printed about 20 of the documents I had recovered and posted them to the patients' home addresses with an anonymous note saying that the information had been recovered from NHS IT equipment sold on eBay.

I felt quite satisfied that at least a few of those patients would demand an explanation from the NHS as to how the documents came into 3rd-party hands and that the IT Manager would most likely be grilled about it.  (Note: it wasn't Pete Long :-)
1
LVL 28

Expert Comment

by:Brian B
Trust no one. I have read accounts of personal data getting out when someone donated a system or gave it to a friend without first fully wiping the drive. Said drive was removed and never used and then put back into the system when it was passed on to the next person and surprise! Hacker got the data.
1

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month