March 25, 2019 at 05:55 #2341
Without a doubt, technological devices are essential equipment in the lives of users. Whether computers (fixed, portable, hybrid), USB sticks, smartphones, etc. each household usually has at least one of this equipment. And for various reasons (technological evolution, programmed obsolescence, equipment defects), users are required to renew this equipment periodically.
As far as the replaced material is concerned, everyone is going for it. Some people will prefer not to clutter with the equipment they no longer need and get rid of it by selling it at the lowest price. Others will choose to offer them as gifts to friends or agencies that can refurbish them for use again. In any case, if you have decided to dispose of your equipment by giving it to a third party, you must know that these electronic devices contain precious data that can be recovered and reused again.
To show the risks of data leakage that can occur when you transfer devices to third parties without erasing the data correctly, Josh Frantz, a Rapid7 enterprise security consultant, engaged in a study by collecting – mixed with several companies that sold refurbished devices or put them on the market after having purged them. To achieve this goal, Frantz ran a total of 31 companies and managed to procure 85 devices consisting of 41 computers (laptops and desktops), 27 removable media (such as flash drives and memory cards), 11 hard disks and six phones for $600.
Armed with all these devices, Frantz invested his command center (the sexy name he found to talk about his basement) and started extracting the data. To do this, the security consultant wrote a PowerShell script that scanned the Windows systems installed on the computers and indexed all images, documents, recorded emails and chat history through instant messengers.
After identifying the different types of data, the script archived them and stored them on the desktop. And the consultant to recover them with a USB key. Moreover, to go even faster in the data collection of desktop computers which were for the most part equipped with IDE hard drives, Frantz has inserted multiple disks into a multi-bay docking station to read data from different storage devices simultaneously. To browse the data using this method, Frantz used a script written in Python.
In terms of extracting data from phones, Frantz noted that they did not require a PIN code to access the information contained in the devices. So, he just plugged in flash drives and memory cards and used the Python script again to organize the data of the phones he accessed.
After going through all the devices, he bought, Frantz found that only two devices (a Dell computer and a Hitachi hard drive) were properly erased. In addition, only three of the devices were encrypted.
After collecting all this data, Frantz used an optical character recognition (OCR) tool designed with Python to identify social security numbers, birth dates, credit card numbers, phone numbers in images and PDF files on the analyzed GNU/Linux systems. With Windows-based devices, the consultant used PowerShell to search for the same information. On the evening of the analysis of the data collected, Frantz reports that he was able to find many files on these devices. In all, the safety researcher states that he was able to obtain the following information:
- 611 e-mail addresses
- 50 birth dates
- 19 credit card numbers
- 6 driver’s license numbers
- 2 passport numbers
At the end of this study, it seems clear that erasing the device adequately before selling or giving it is more than necessary. For hard drives, Frantz suggests the DBAN tool that will erase data locations without risk of recovery. And for SSDs or RAID disks, PartedMagic is the tool he recommends. On the other hand, if your fear is to make your material irrecoverable, the researcher suggests some somewhat atypical methods for some of them in any case. These include:
- The use of the hammer to destroy your hard drive
- Incinerate your device
- Use an industrial mill
- Use a drill to erase your device
- Use acid or put your device in a microwave
- Finally, use thermite (a mixture of metallic aluminum and oxide of another metal) to melt your material.
Do you want to add any other methods to destroy your personal information? Do let us know.
You must be logged in to reply to this topic.