
The Hidden Dangers of Computer Donation
Hard Drive Cost, $4.99.  Identity and Information Theft Potential, Priceless.

The Environmental Protection Agency estimates 250 million computers are destined to be obsoleted by the year 2005.  While most will be landfilled, 11-14% will be recycled for raw materials.  A subset in the millions will live a second life through various donation programs and charities.  We asked ourselves what kind of data and ID theft potential these donated systems have.  What is the likelihood of being able to recover proprietary and sensitive information from decommissioned hardware?  A quick survey confirmed our worst fears.

In a perfect world, home users would carefully erase sensitive tax returns, banking information, and personal e-mails before giving their machines away.  Corporate IT people would follow some prescribed data destruction method to scrub internal memos and spreadsheets as per their policy and procedure guide.  Just to be safe, the charity would go over the machines one last time and wipe anything the prior owners may have missed.

In preparation for our test, we purchased seven hard drives and one DELL Optiplex computer from local thrift stores to the tune of about $150.  Let me do a little foreshadowing at this point:  Simply reformatting your hard drive or deleting its partitions is not good enough to deter would-be thieves.

Our methodology was simple; if we wanted to embark on a career as an ID or information thief by gleaning information from used hard drives, what would we do?  We scoped out the two major thrift-store chains in our local area that sell used PCs or PC components.  Our goal was to identify and purchase hard drives or workstations that we deemed as likely candidates for data recovery.  To optimize our chances, we bought only hard drives made within the last several years, preferably OEM’d by major manufacturers such as Dell, Compaq, HP, Gateway, etc.  We limited ourselves to commonly available, easy to use, and inexpensive data recovery tools.  After canvassing a half-dozen locations, we settled on seven hard drives in the 2-10GB range, all of which had been pulled from major manufacturers' systems.  The DELL Optiplex seemed like a good target for several reasons:  It was on a stack of like machines, indicating an office upgrade, all of which displayed the inventory tag of a local mortgage firm.


[Photos: receipts; Optiplex and hard drives; DELL service tag; property tag]

We started with our $59.99 DELL.  The mortgage company in question gets minus points for leaving their property tags on the machines.  Mortgage companies are prime candidates for identity and data theft.  Where else can you find such copious quantities of personal and financial information in one convenient location?  Why make it any easier for the bad guys by identifying your company and line of business?  Besides, we reasoned, many mortgage brokers are smaller firms without dedicated IT personnel familiar with proper data destruction procedures.  DELL allows you to look up a limited machine history online using the service tag.  A phone call to DELL confirmed the name and address of the computer's previous owner.  To this particular company’s great credit, the hard drives had been formatted in a destructive manner, making easy data recovery via our software impossible.

We considered various software packages that promise to restore deleted data and lost partitions, and in the end we loaded up GetDataBack for FAT, a product of Runtime Software, available online for under US $70.  Insert drive one into an empty slot in our lab machine, and jackpot!  Our software was able to reconstruct and recover an estimated 91% of all raw files.  Sifting through the data, we quickly determined that this machine had served in various departments of a multi-billion dollar global transportation company headquartered out of Irvine, CA.  We easily obtained confidential internal documents, spreadsheets, e-mails, client and vendor information, and user names and passwords to the company internal network dating back only a few months.  We deduced a great deal about the internal network infrastructure, which applications were in use, and logical network paths.  The second hard drive turned out to be from the same company, expanding our already sizeable knowledge base.

One by one, the hard drives gave up their secrets.  One contains gems from a national architectural firm.  User accounts, e-mails, and documents aside, we become privy to AutoCAD drawings for several projects involving Home Depot.  Another hard drive yields sensitive board meeting minutes and bonus salary schedules of a FERC licensed electrical power marketer.  The prior user of this drive appears to have served as a board member and legal counsel for this company.  A graying but robust middle-aged gentleman according to his personal photos, he's also an active part-time professor at two local law schools, as indicated by several recovered syllabi.  One memo entitled “tax planning” reveals a monthly salary of $17,000.  Not bad.  The fifth hard drive gives us a company’s remote dial-in telephone number and user account information.  Yet another, Quicken and Quickbooks financial information.  Encrypted files offer little security; we make short work of encrypted password lists, Excel, and Word files.  Our machines are still cranking on one particularly stubborn SAM database.

In all, we are able to reconstruct between 61% and 91% of all raw data and extract significant amounts of sensitive information from six of our eight hard drives.  Two, including the DELL, have been destructively formatted, making recovery vastly more difficult.

This is the modern day version of dumpster diving, but without the risk.  Success, it seems, is a foregone conclusion.

It should be crystal clear at this point that an improperly disposed of computer poses a significant legal, financial, and fiduciary risk to you or your company.  In each of our test cases where data could be recovered, the hard drives have been formatted non-destructively, meaning someone has performed a format using the default setting of not overwriting the entire drive.  The new directory shows only a few system files and a lot of free space, giving the illusion of an empty disk.  This is false.  Because the old files and folders are still sitting on the drive, a utility like GetDataBack or Norton Unerase is able to read every sector on the drive, and puzzle the files back together into their coherent wholes most of the time.  In order to have any semblance of non-recoverability, the drive must be completely overwritten using a destructive format or a third party utility designed to protect you from simple data recovery methods.
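The difference between the two kinds of format can be checked before a machine leaves your hands.  The following is an added example, not part of the original survey or of any tool it names: it models a small drive in memory (the layout, file name, and contents are constructed for illustration), applies a non-destructive format and then a full overwrite, and scans for sectors that still hold data after each step.

```python
import io

SECTOR = 512  # bytes per sector

def make_disk(n_sectors=64):
    """Constructed sample drive: sector 0 is the 'directory', sector 10 holds a file."""
    disk = bytearray(n_sectors * SECTOR)
    meta = b"DIR: tax.doc -> sector 10"
    secret = b"constructed sample: account 0000-0000"
    disk[0:len(meta)] = meta
    disk[10 * SECTOR:10 * SECTOR + len(secret)] = secret
    return disk

def quick_format(disk):
    """Non-destructive format: only the directory sector is rewritten."""
    disk[0:SECTOR] = bytes(SECTOR)

def overwrite(disk, chunk=8 * SECTOR):
    """Destructive wipe: zeros written across every sector, chunk by chunk."""
    for off in range(0, len(disk), chunk):
        end = min(off + chunk, len(disk))
        disk[off:end] = bytes(end - off)

def residual_sectors(stream, fill=b"\x00"):
    """Return the indexes of sectors that do not match the wipe pattern."""
    expected = (fill * SECTOR)[:SECTOR]
    leftovers, index = [], 0
    while True:
        block = stream.read(SECTOR)
        if not block:
            return leftovers
        if block != expected[:len(block)]:
            leftovers.append(index)
        index += 1

def demo():
    """Scan the sample drive as donated, after a quick format, and after a wipe."""
    disk = make_disk()
    before = residual_sectors(io.BytesIO(disk))
    quick_format(disk)
    after_format = residual_sectors(io.BytesIO(disk))
    overwrite(disk)
    after_wipe = residual_sectors(io.BytesIO(disk))
    return before, after_format, after_wipe

if __name__ == "__main__":
    print(demo())
```

`residual_sectors` accepts any binary stream, so the same check can be run against an image of a drive taken after wiping and before donation.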

Dozens of good commercial and freeware tools are available to this end.  We offer a freely downloadable utility called Napalm, which includes a variety of different military and commercially recognized data destruction options.  Of course, if your paranoia level is set to tin-foil-hat, simply wiping your drives may not be enough.  Consider professional degaussing or hardware shredding equipment.

We contacted three thrift store operators regarding their policy on preparing donated machines.  One answered that all machines are wiped clean, one answered it varied by location, and the third did not respond.  It's our opinion, however, that the responsibility ultimately lies with the donor, not with the reseller.  Charities may wipe machines as a courtesy, to limit liability for the resale of unlicensed software, or to test a system, but we doubt information security is on their minds.  Donating a computer without making some effort to remove your data is at best naive, and at worst criminally negligent.

What are the legal ramifications of recovering data from these drives?  Frankly, we're unclear on this ourselves.  The drives were legally purchased, and nothing illegal was done to recover the data.  We don’t own the data, any copyrighted materials, or files containing trade secrets.  Are we allowed to view the data?  Could we harvest names and addresses?  Could we act upon recovered information that's internal to a company for our own financial gain?  We've stepped into a gray legal and ethical zone.  One could easily misuse the information we gathered in a decidedly illegal manner.  Blackmail, harassment, use of credit card and bank account information, identity theft, selling information to competitors, and leveraging knowledge of network topologies, user accounts, and dial-in numbers to gain unauthorized computer access come to mind.

We hope this survey will act as an instrument of warning and increased public awareness by demonstrating the tremendous exploitation potential for those with fewer scruples.  Make data destruction a part of your formal policy before getting rid of old computers, and use the right tools for the job.