Subscribe(Text for those without flash or javascript) Fulcrum's professionals are experienced CPAs, MBAs, ASAs, CFAs, affiliated professors and industry specialists Our expertise encompasses damages analysis, lost profit studies, business and intangible asset valuations, appraisals, fraud investigations, statistics, forensic economic analysis, royalty audits, strategic and market assessments, computer forensics, electronic discovery and analysis of computer data.
Firm Overview Computer Forensics Study: Selling More Than You Bargained For
February 2007
Library Sections:
- Expert Testimony
- Damages Analysis
- Investigations and Forensic Accounting
- Computer Forensics / Electronic Discovery
- Sarbanes-Oxley and Nonprofit Whistleblower Solutions
- Valuations and Appraisals
- Financial Reporting
- Tax Advice and News
- Other Current Events and Economic Commentary
- Interactive Tools and Personal Financial Advice
As published in the Journal of Forensic Accounting, and other publications.
While the message about the need to destroy electronic data contained on computer disks and other electronic devices when they are disposed of has been out for some time, the authors thought they would test how well the public is responding to the message. The sad result of our investigation: most users are at risk of having their personal information read by others. Here is what we discovered, and what the public can do about it.
Fulcrum Inquiry analyzed 70 used hard drives purchased from 14 different sources. Most of the drives purchased were supposedly cleansed of all information. Fulcrum Inquiry also asked for the process that was used to clean the drives and were usually told that the drives had been low-level formatted.Using computer forensics, Fulcrum Inquiry attempted to recover information from these hard drives. Admittedly, the tools used by the duo are complex and technical but electronic-knowledgeable thieves can - easily - do what they did.
From the disks that actually worked, Fulcrum Inquiry recovered private data from almost two-thirds (62 percent) of the disks. Specifically:
- 37 drives (53 percent) contained recoverable information
- 23 drives (33 percent) had been properly wiped/cleaned
- 10 drives (14 percent) were non-operational
The properly cleaned drives were either (i) low-level formatted or (ii) wiped using special software that overwrites data.
A Goldmine of Personal Information
Of the 37 drives containing recoverable data, all but four were formatted in an attempt to remove data. Despite the formatting, here is the type of information which was obtained:
Example #1 - Bob:
Bob is unemployed and on disability but has experience in the construction industry. His interests include playing his new guitar, body art and weight lifting. He appears to be infatuated with a particular female celebrity. He has credit problems and is thousands of dollars in debt. Bob served time in jail and is currently living in low-income housing.
Because Bob formatted his hard drive prior to selling it, he obviously did not want his information released. To a casual observer, all files were gone. Nevertheless, Fulcrum Inquiry recovered tens of thousands of files that would allow his identity to be stolen easily:
- An image of Bob's birth certificate
- An image of Bob's drivers license
- An image of Bob's social security card
- Bob's Last Will and Testament
- Pictures of Bob and his family
- A personal letter from Bob to his favorite female celebrity
- An image of Bob's college diploma
- Adult images and videos
- Collection agency letters
- Credit card statements
- Bob's memoirs
- Approximately twenty thousand pictures which appeared to come primarily from Web surfing
- Financial aid documents
- Business expense receipts
- Rent receipts
- Hundreds of other documents
Example #2 - Nurse Betty:
Nurse Betty works in the pediatric ward at a hospital. Along with recovering
confidential medical records and history were patient names, conditions,
medicines prescribed, and the doctors who prescribed them. The hospital's
efforts to remove this private information were not successful.
Betty accesses a central database of medical information. Although the
database is not maintained on her computer, her computer stored the
information locally. This is similar to Internet files that are stored
locally when a user visits a Web site. Simply accessing information often
leaves remnants behind.
Example #3 - Ted:
Ted is a project manager for a state government agency. Thousands of
government documents and communications related to Ted's job were recovered,
many of which were labeled confidential.
Of particular importance to Ted and his employer, Ted appears to be
moonlighting in a field that potentially represents a conflict of interest
with his government position. Ted also has many personal pictures of family
and friends on his computer, as well as personal banking information.
As with practically all of the disks purchased, the vendor selling Ted's
hard drive claimed it had been cleansed of all information.
Other personal information available on the purchased disks included:
- Bank accounts and credit cards
- Personal pictures of babies, children, weddings, friends and vacations
- Business e-mail and attachments
- Web browsing details
Adult content was found on both work and personal computers. Although some
of the pornographic images were of the "commercial" variety, also found were
personal pictures not intended for distribution.
Drives purchased from eBay had the highest data recovery rate. Every one of
the operational drives purchased on eBay contained information that could be
recovered.
Size and cost of the drives seemed to matter. Smaller or less expensive
drives were more likely to contain recoverable information. Initially
Fulcrum Inquiry focused on smaller drives - 80MB to 15GB (ranged from $0.50
to $15 per drive). Mid-way through the study, the recovery rate was 88
percent. Moving to larger drives - 15GB to 80GB (ranging from $15 to $26),
the recoverable data dropped, most likely because the businesses involved
took data security more seriously, and employed additional resources.
The value of the drive might explain some laxness: Properly cleaning drives
is time-consuming. Someone selling an inexpensive disk might be tempted to
take shortcuts.
Lessons to be Learned
- Information can be recovered from a hard drive even if attempts have been made to delete files, or by performing a quick format.
- Users know they need to remove their old information but lack the technical understanding to accomplish this properly.
- Properly cleaning drives is time-consuming. Too many vendors took the quick but also incomplete route.
- The lower the value of the drive, the less likely it was cleaned properly. The data on the "small" drives was still voluminous and worthy of keeping safe.
- Fourteen percent of the drives were non-operational, indicating a decent chance that the buyer is wasting time when purchasing a used disk drive.
Fulcrum Inquiry's advice applies to every type of electronic media including memory cards, backup tapes, cell phones, digital copiers and most handheld electronic devices.
To properly dispose of data:
- Low-level format the drive. Do not use the quick format, which may be the default.
- Use wiping software designed to overwrite information.
- Physically destroy the media (think big hammer or very strong magnet).
- Hire a firm to dispose of the drive. Unfortunately, this service may cost more than the value of the drive.
To protect those whose information was obtained, Fulcrum Inquiry changed the names in the above descriptions. After notifying the hospital and government agency of the breached confidential records and giving them the opportunity to collect their information, Fulcrum Inquiry wiped/erased all data properly.
Fulcrum Inquiry is a litigation-consulting firm that performs computer forensics, economic damage calculations, and expert witness testimony.