The 2008 Analysis of Information Remaining on Disks Offered for Sale on the Second Hand Market

Author: Dr. Andy Jones; Dr Glenn S. Dardick; Mr. Gareth Davies; Dr. Iain Sutherland; Dr. Craig Valli
Position: Security Research Centre, BT; Edith Cowan University; Longwood University; University of Glamorgan; andrew.28.jones@bt.com; Phone: +44 1473 646133
Pages: 163-175

1. Introduction

The first in the series of annual studies was carried out in January 2005 (Jones et al, 2005) and revealed that a significant proportion of the disks that were examined still contained large amounts of information, much of which would have been considered sensitive by the previous owner. Prior to the publication of the report of this first study, there had been limited investigation in this area, with the most significant findings being reported by Garfinkel and Shelat (2003). At that time, there had also been a small number of commercially sponsored investigations and newspaper reports on the subject of personal data being found on incorrectly disposed disks. The 2005 report identified that the majority of the random sample of disks that were obtained still contained significant amounts of sensitive information that the researchers considered had the potential to cause embarrassment or financial harm to either the organisation or the individual.

In the 2006 study, the research effort included contributions from the University of Glamorgan in Wales and Edith Cowan University in Australia and the Security Research Centre of British Telecommunications. The research of 2005 was repeated and the scope was expanded to include a number of additional countries. The aim of the 2006 research was to determine whether there had been any change in the level or potential sensitivity of information that remained on the disks during the intervening period and also to gain an understanding of how the results compared between the countries that had previously been surveyed and the additional countries. The report of the study (Jones et al, 2006) revealed that for countries surveyed in both years, there had been no significant changes in the results and that the amount and sensitivity of information that could be recovered remained at a similar level. The results from the disk drives obtained from countries that had not been included in the 2005 survey were broadly similar to those from countries that were included in both the 2006 and 2005 surveys. The research undertaken in 2006 was sponsored by British Telecommunications (BT) and Life Cycle Services (LCS) (now Sims Lifecycle Services) who funded the purchase of the disks.

In the 2007 study the research effort included contributions from the University of Glamorgan in Wales and Edith Cowan University in Australia, Longwood University in the USA and the Security Research Centre of British Telecommunications. The research of the previous two years was repeated and the scope was further expanded to include additional countries. The report of the study (Jones et al, 2006) revealed that for countries surveyed in all three years there had been no significant changes in the results and that the amount and sensitivity of information that could be recovered had remained at a similar level. The aim of the 2007 study reflected that of 2006, to determine whether there had been any change in the level or potential sensitivity of the information that remained on the disks during the intervening period and to gain an understanding of how the results compared between the countries that had previously been surveyed and the additional countries. The results from the disk drives obtained from countries that had not been included in the 2006 study were broadly similar to those from countries that were included in all three studies. The research undertaken in 2007 was again sponsored by British Telecommunications (BT) and Sims Lifecycle Services (SLS) who funded the purchase of the disks.

All of the research had been conducted under the same conditions (using commonly and easily available tools that had similar capabilities) and the results then compared. As an outcome of the research, a number of conclusions and recommendations were made on ways in which the destruction or removal of data from disks that were being disposed of could be improved.

This paper, the report on the fourth and latest survey, contains the results of the 2008 research which has again extended the scope of the countries included in the survey and had the same objectives as the research in the two previous years. The research was again sponsored by British Telecommunications (BT) and Sims Lifecycle Services.

2. The Research

The same basic objectives, processes and procedures that were used in the previous studies have been followed throughout the period of the research. All the disks used in the research were purchased at computer auctions, computer fairs or through eBay in the respective regions. The disks were acquired discreetly by a number of purchasers so that the sellers would not have any indication of the reason for purchase. For the most part the disks and computers were obtained either singly or in small batches in order to minimise any influence the disposal practices of one seller may have had on the overall result. For example, if a large number of disks were obtained from one seller and they obtained the disks from a particular source or wiped all of the disks that they resold, then this may have an effect on the results by affecting the proportion that were from one sector of the market or that contained no data.

In 2008, in line with the research that had been carried out in each of the previous years, the disks were supplied 'blind' to the researchers so that they had no external visual indicators of the potential source of the disks. The only markings on the disks that were provided to the researchers were sequential serial numbers so that each disk could be uniquely identified throughout the process. By supplying them in this way, any information that is recovered by the researchers can be clearly identified as having been the result of the data that was available on the disk.

The research methodology remained unchanged from the earlier researches (Jones 2005, 2006, 2008), with each disk being forensically imaged using verified software and then placed in secure storage. The analysis was undertaken on the forensic images of the original disks. The rationale for this time-consuming step was that it met two requirements.

The first was that it was considered that there was a need to preserve the original media in an unaltered state and store it in a secure area in case there was a requirement to pass the disks on to the police. This would be necessary in the event that notifiable criminal activity was discovered and enable a chain of custody to be preserved for an investigation by law enforcement.

The second was to allow the research to be carried out in a non-intrusive manner that did not affect or change the original data in case any anomalies were detected with the image and it was necessary to validate the data against a second image created from the original. As with the previous researches, this proved to be a sensible precaution as four of the disks were found to contain material that necessitated them being passed to law enforcement for further investigation.

The tools used in the 2008 study were fundamentally the same as those used in the previous years (although the versions of the tools may have changed). The tools performed similar functions to the Windows Unformat and Undelete commands and that of a hex editor (which was used to view any information that exists in the unallocated portions of the disk). Tools that perform this type of functionality are freely available: examples include the Linux based Autopsy (Version 2.08) and Sleuthkit software. These types of tools do not require significant levels of skill or knowledge to effect the recovery of remnant data from storage media and there are now numerous online tutorials for operation of these tools for the purposes of recovery.

The objectives remained the same as in previous years: firstly, to determine if the disks had been effectively cleansed of data or whether they still contained information that was either visible or easily recoverable with the tools identified above. The second objective of the research was to determine whether the information available on the disk would allow for the identification of the organisation or individual(s) that had used the disk's host computer.
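The first objective above, checking whether a disk has been effectively cleansed, can be automated over a forensic image before disposal. The following is an added example, not code from the paper or from the tools the researchers used; the function names, the 512-byte sector size and both sample images are assumptions constructed for illustration.

```python
import hashlib
from collections import Counter

SECTOR = 512  # assumed sector size for the constructed images


def survey_image(image: bytes, sector: int = SECTOR) -> dict:
    """Classify each sector of a raw image as blank fill or residual data."""
    fills = Counter()   # fill byte -> number of sectors holding only that byte
    residual = []       # indices of sectors that hold anything else
    for off in range(0, len(image), sector):
        block = image[off:off + sector]
        if block.count(block[0]) == len(block):
            fills[block[0]] += 1
        else:
            residual.append(off // sector)
    total = (len(image) + sector - 1) // sector
    return {
        # Digest of the image, so a second acquisition can be compared to it.
        "sha256": hashlib.sha256(image).hexdigest(),
        "sectors": total,
        "residual_sectors": residual,
        "fill_bytes": sorted(fills),
        # Only a single-pattern overwrite of every sector counts as wiped here.
        "wiped": total > 0 and not residual and len(fills) == 1,
    }


def make_sample_images():
    """Build two constructed 8-sector images: one zero-filled, one reformatted."""
    wiped = bytes(SECTOR * 8)
    # Boot-sector-like first sector ending in the 0x55AA signature.
    boot = b"\xeb\x3c\x90" + bytes(SECTOR - 5) + b"\x55\xaa"
    # A sector of old file content left behind in otherwise empty space.
    leftover = b"CONSTRUCTED SAMPLE: staff salary sheet".ljust(SECTOR, b"\x00")
    reformatted = boot + bytes(SECTOR * 4) + leftover + bytes(SECTOR * 2)
    return wiped, reformatted


if __name__ == "__main__":
    for name, img in zip(("wiped", "reformatted"), make_sample_images()):
        report = survey_image(img)
        print(name, report["wiped"], report["residual_sectors"],
              report["sha256"][:16])
```

A disk overwritten with random data would report every sector as residual, so this check confirms only single-pattern overwrites; any residual sector outside the expected file-system structures is a reason to wipe the disk again.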

The results of the 2008 survey once again indicate that there has been very little change over time in the amount or sensitivity of the organisational information that remained on disks that were made available in the second-hand market. The level of sensitive personal data that has been recovered has shown a small but consistent reduction over the period. Before detailing the results of the 2008 survey, the results of the studies in the preceding years are briefly described below.

3. Summary of the Previous Research Results

The results of the previous studies highlighted a number of issues that have been identified throughout the period. These included the fact that, to date, nearly half of the second hand disks that were obtained and could be accessed, had had some attempt made to remove the data, but the majority of those attempts were unsuccessful. In fact, the vast majority of those second hand disks that could be accessed contained data that could easily be recovered. Of those disks that could be accessed, approximately half of them still contained sufficient data to allow the previous owner, whether an organisation or an individual, to be identified. Around one in five of them contained financial information relating to organisations, including staff salary details, sales receipts and profit and loss reports. There were also a significant number of disks that had come from computer systems that had been used in the organisations of critical infrastructure...
