Do you think your deleted data is truly gone? Every day, people around the world share, save, or move critically important data, like credit card numbers, medical checks, and passwords. It wouldn’t be unreasonable to think that the delete function erases files forever, but the truth is that those files could still exist.
In an age where computing power doubles every two years, we replace hardware quickly. The data from old devices doesn’t disappear from storage, even if we delete it. Criminals could use the photos, files, and even names of the previous owners left on these devices to exploit someone’s funds or position of trust. Our goal at the LCDI this semester is to see if we can find personally identifiable information left behind on old hard drives that were “wiped” using free and available programs.What is Personally Identifiable Information?
A good place to start when talking about this subject is the basics: What is PII? Personally Identifiable Information is data that could allow others to identify you. This information is critical, as often even small pieces of data fall into the wrong hands. The data allows people to impersonate you or gain access to your identity. Social Security numbers, credit card numbers, and a driver’s license are all common examples. This even extends to smaller pieces of data, like birth location, place of work, and your username on social media.
Though this information may seem random, password recovery for websites uses this information. They can obtain the data in many ways. Websites asking for your information is the most common, but phone calls or lost wallets have long been exploited. Digital data is akin to a wallet, full of personal information and liable to theft. With online shopping being the zeitgeist of the consumer world, this has never been more of a concern than now.How is data deleted?
We started our project by researching what’s established, including ways people previously deleted data and how it’s done now. There are no universal data deletion instructions or laws for non-government officials to follow, but rather a list of previous and current methods. We looked at government bureaus for practical data deletion standards. The National Institute of Standards and Technology’s SP 800-88 Media Erasure Guideline and the Department of Defense 5220.22-M ECE are two such examples. The documents differ on acceptable and appropriate methods for different levels of data security. The DoD standard states that the only way to destroy data forever is to destroy the device itself. The NIST protocol states only one digital wipe is necessary for data destruction.
Digital wiping or a “wipe” is the nonphysical option. This is the replacement of all data with a few of patterns, like random zeros and ones, or multiple replacements of random integers from zero to nine. The number of times this process occurs changes, but traditionally, it’s been between one and seven times. The reason behind the variation is the security of the information and the risk of recovery. The importance of the data could be trivial, like a grocery list from 5 years ago. On the other hand, it could be as severe as losing the PII of a secret agent in the field.
The digital wipe is less expensive, but also less secure due to the possibility of remaining data. This is possible no matter how many wipes have occurred. Physically destroying a hard drive can be favorable because it prohibits the device from any future use, but it’s more expensive to replace the lost device.Benefits of Physical Destruction
There are multiple ways to physically destroy a hard drive, but the goal is to damage or destroy the platter. The platter is a small metal disk in all hard drives where it writes and reads the data. The simplest and most available way is to destroy the hard drive physically, by hitting it with a hammer or large object. Another method is the magnetic degaussing. The process takes the iron oxide within the platter, a necessity for storing data, and uses it to remove the magnetic readings written on it.
The physical effects depend on the intensity of the magnetic field. Oersteds measure the amount of energy in the magnetic field, and the higher the oersteds, the more capable degaussing is at destroying data. However, not all magnetic marks can be easily removed. Hard drives’ resistance to the magnetic field is called coercivity, and the more intense the coercivity, the more oersteds needed to degauss. Shredding the hard drive or incinerating it are also viable methods. Machines capable of these methods are more suited for large scale businesses due to the high cost, but companies do provide these services.Conclusion
Nothing’s scarier than discovering a lost wallet. That feeling is the reason our mission is so critical in our society. We integrate technology into work, recreation, and security, as well as our money and data. The point of our research is to identify if PII data is still left on hard drives after “wiping”. Next week, we plan on investigating data recovery freeware and delivering our verdict on what it means for data disposal.
Be sure to check us out on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI to keep up to date with our progress!
The post Data Recovery – Blog 1 appeared first on The Leahy Center for Digital Investigation.