Yottabytes: Storage and Disaster Recovery

Mar 24 2019   5:07PM GMT

Fun Hacking Salvaged Data Storage

Sharon Fisher


Every few years, someone hits the papers – or, in this day and age, the Internet – by going out to eBay or Craigslist, buying a bunch of old computers, and checking out what data is still available on them.

This year, it was Josh Frantz, a senior security consultant for Rapid7, a security firm, who writes a blog post for them every couple of months.

Instead of hitting up eBay and Craigslist, Frantz did it by simply going around to all the refurbished computer dealers in his Wisconsin town – 31 of them, he reports – and buying up whatever equipment they had that included storage. That consisted of 41 computers, 27 removable storage media, 11 hard disks, and 6 cell phones, for a total of $600.

Then Frantz developed or obtained software that systematically went through each one – helpfully providing the links so other people wishing to duplicate his feat could do the same.

“Whenever I brought a computer back, I booted it up to see whether it was bootable and whether it required a password to log in,” Frantz writes. “I wrote a script in PowerShell that would run through and index all the images, documents, saved emails, and conversation histories through instant messengers. It would then zip it up nice and organized on the desktop, and I would pull it off with a USB drive (I know, you were expecting something much fancier).”

(Frantz is a funny guy. According to his LinkedIn profile, he just recently was promoted to senior security consultant, from security consultant. “I do the same thing as before, but this title makes me feel older,” his profile notes.)

Finally, Frantz wrote up the results. Altogether, the process took him six months.

Frantz’ operative point was to demonstrate that such companies, despite their promises, don’t always wipe storage the way that some of them claim. In fact, of the 85 devices, only two of them were properly wiped, and only three were encrypted, he writes. He did end up having to spring for $50 in chargers from eBay to charge the old cell phones, he notes.

(Interestingly, his blog post was apparently originally called “Exfiltrating Remaining Private Information from Donated Devices,” but as published, it was called “Buy One Device, Get Data Free: Private Information Remains on Donated Tech.”)

For the flash drives and other memory cards, Frantz plugged them in. It would have been ironic if one of them had been infested with malware, which could turn this into another treatise on “Don’t Poke USB Sticks in Things,” but if that happened, he didn’t say so.

Having downloaded the data, Frantz then wrote other programs to look for useful kinds of data. “I used pyocr to try to identify Social Security numbers, dates of birth, credit card numbers, and phone numbers on images and PDFs,” he writes. “I then used PowerShell to go through all documents, emails, and text files for the same information. You can find the regular expressions I used to identify the personal information here. Despite the fact that OCR is not 100% accurate and there could have been data I couldn’t extract from images by themselves or within PDFs, I can verify that the regular expressions used for Social Security numbers, credit cards, dates of birth, and driver’s license numbers were fairly comprehensive.”
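The text-scanning step described above is also how a device owner or refurbisher can audit exported files before a machine is donated. The following is an added example, not Frantz's script: the patterns are illustrative assumptions rather than the regular expressions he published, and the sample text is constructed.

```python
import re

# Illustrative patterns (assumptions), not the regular expressions Frantz published.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Constructed sample text; every value below is fake.
SAMPLE = """Invoice for jane.doe@example.com
SSN on file: 123-45-6789 (old form listed 000-12-3456)
Card: 4111 1111 1111 1111
Order ref: 1234 5678 9012 3456
"""

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that cannot be payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(value: str) -> str:
    """Keep only the last four characters so the audit report is not itself a leak."""
    return "*" * (len(value) - 4) + value[-4:]

def scan_text(text: str) -> dict:
    """Return masked SSN and card hits plus e-mail addresses found in text."""
    findings = {"ssn": [], "card": [], "email": []}
    for m in SSN_RE.finditer(text):
        findings["ssn"].append(mask(m.group(0)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):     # the order reference above fails this check
            findings["card"].append(mask(digits))
    findings["email"] = EMAIL_RE.findall(text)
    return findings

if __name__ == "__main__":
    print(scan_text(SAMPLE))
```

The SSN pattern rejects area, group and serial values that are never issued, and the Luhn check is what keeps order numbers and other long digit runs out of the card count.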

Altogether, Frantz found more than 200,000 images, 3,000 documents, and almost 150,000 email messages on the storage devices. That included 611 email addresses, 50 dates of birth, 41 Social Security numbers, 19 credit card numbers, 6 driver’s license numbers, and 2 passport numbers, he writes.

Frantz didn’t report on whether he found any bitcoin or other cryptocurrency on the storage devices, so the guy who accidentally threw out $7.5 million in bitcoin on his hard drive is apparently still safe.

This isn’t just a U.S. problem. Last year, researchers in the U.K. performed similar tests, writes Anna Tobin in Forbes. “Two-thirds of second-hand memory cards left in mobile phones and tablets sold on the second-hand market in the UK still retained personal data from their former owners,” she writes. “Over a four-month period, the research team purchased one hundred used SD and micro SD memory cards from eBay, traditional auctions, second-hand shops and other sources. Most of the cards were found in resold smartphones and tablets and some came from second-hand cameras, SatNav devices and drones.”

Using freely available software, researchers were able to recover scans of passports, intimate photos, pornography, contacts lists and identification numbers, Tobin writes.

“Of the 100 cards assessed it was found that 36 percent had not been wiped at all,” Tobin writes. “29 percent had been formatted in an attempt to erase, but the data could still be recovered with the right know-how; 2 percent had had their data deleted, but it was found to be recoverable; 25 percent had been properly wiped using a data erasing tool that overwrote the entire storage area so that nothing could be recovered; 4 percent could not be accessed as they were damaged; and, 4 percent had no data present, but the reason for this could not be ascertained.”
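The difference between a card that was merely formatted and one whose entire storage area was overwritten can be checked on a raw image of the media before it is sold. The following is an added example, not code from either study: the 512-byte block size, the signature list, the entropy threshold and the three sample images are assumptions constructed for illustration.

```python
import math
import random
from collections import Counter

BLOCK = 512  # assumed sector size
# Magic bytes at the start of common file types (a small, non-exhaustive set).
SIGNATURES = {b"\xff\xd8\xff": "jpeg", b"%PDF-": "pdf",
              b"PK\x03\x04": "zip/office", b"\x89PNG\r\n\x1a\n": "png"}

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte; random or encrypted data is close to 8."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def audit_image(image: bytes) -> dict:
    """Classify a raw image as zero-filled, random-looking, or holding residue."""
    zero = structured = 0
    carved = []  # (byte offset, file type) for blocks that start with a signature
    for off in range(0, len(image), BLOCK):
        block = image[off:off + BLOCK]
        if not any(block):
            zero += 1
            continue
        kind = next((k for sig, k in SIGNATURES.items() if block.startswith(sig)), None)
        if kind:
            carved.append((off, kind))
        if kind or entropy(block) < 7.0:  # text and file structures score well below 7
            structured += 1
    total = -(-len(image) // BLOCK)       # number of blocks, rounded up
    if structured:
        verdict = "residual data"
    elif zero == total:
        verdict = "zero-filled"
    else:
        verdict = "random-looking"
    return {"verdict": verdict, "zero_blocks": zero,
            "structured_blocks": structured, "carved": carved}

def build_samples() -> dict:
    """Constructed images: formatted-only, zero-filled, and randomly overwritten."""
    fmt = bytearray(BLOCK * 16)
    fmt[0:3] = b"\xeb\x3c\x90"                          # new boot sector from the format
    fmt[BLOCK * 5:BLOCK * 5 + 4] = b"\xff\xd8\xff\xe0"  # old JPEG header left in place
    fmt[BLOCK * 9:BLOCK * 9 + 17] = b"old document text"
    rng = random.Random(1)
    rand = bytes(rng.getrandbits(8) for _ in range(BLOCK * 16))
    return {"formatted": bytes(fmt), "zeroed": bytes(BLOCK * 16), "random": rand}
```

A "random-looking" verdict is also what an encrypted volume produces, and on large media a few random blocks will start with a short signature by chance, so carved hits there should be confirmed by hand.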

The good news, sort of, is that for most criminal hackers, the expense and work that Frantz went through wouldn’t be worth it. “Researching further, I realized just how cheap it is to buy people’s information on the Darknet,” he writes. “Social Security numbers only fetch around $1 apiece, while full documents (dox) fetch around $3 each. Data leakage/extraction is so common that it has driven down the cost of the data itself. I saw several dumps of Social Security numbers on the Darknet for even less than $1 each. No matter how we calculate the value of the data gathered, we would never recoup our initial investment of around $600.”

Frantz went on to list a number of ways to fairly reliably destroy hard disk drives, ranging from hammers to thermite. And lest you think he was kidding about the thermite, he included a video of it as well.
