New Jersey just released an audit report that showed that almost 80 percent of the used computers it was ready to auction off contained highly confidential information. The audit report summarized these findings as follows:
“State agencies disposed of computer equipment without ensuring that data on the devices had been properly removed. Data we found on such devices was of a personal and confidential nature, including: completed tax returns; Social Security numbers; names, addresses and phone numbers of children placed outside of the parental home; a list of State computer sign-on passwords; and child abuse documentation including the names and addresses of the children. Many of these items were found on computers packaged for public auction. In total, we found data on 46 of the 58 hard drives we tested (79 percent).”
Within the community of computer forensic examiners, nobody was surprised by this. Four years ago, Fulcrum did a similar examination of disks randomly bought on eBay and found both a similar frequency of available data and the presence of personal data.
Although the report addresses the failure to follow existing state guidelines, the real underlying problem stemmed from three things:
Burn this into your memory: formatting a hard disk erases absolutely no data. The computer system warning that formatting will erase all data on the disk was true with floppies and with 1980s hard disks. That warning has hung around, but from an actual data destruction standpoint the warning is incorrect. In addition, there is no difference in data destruction between a quick format and a normal format. The latter error-checks the disk surface, but the error checking does not change any of the data on the disk. Finally, the ‘low-level’ format is a myth. Modern hard disks will take the commands to do such a format and ignore them.
The procedure that will actually remove the data from the disk is called a wipe. It involves writing new data over the entire hard disk using software designed for this purpose. However, most wiping programs are a bit incomplete because the computer is still using its operating system (which is not wiped).
For any purpose other than top-secret classified information, a single pass of zeroes will serve to make the drive look like it has never been used by anybody. For top-secret information, the military requires a multi-pass technique.
New Jersey set forth a four-step process for destroying data on a hard disk.
1. Remove the drive.
2. Degauss the drive using a special device that contains a powerful electromagnet.
3. Return the drive to the computer and perform a low-level format.
4. Re-install the operating system.
That is a fine set of instructions…for 1985. For a current technology drive, using a degausser would render the drive useless, thus making steps 3 and 4 impossible. When the regulation is impossible to follow, the data destruction intended by the regulation gets ignored.
The latest ad from Fry’s Computer shows a new brand-name 500 gigabyte hard disk for $38. Since hard disks do eventually fail, how much could a used disk be worth? Consider the four-step process outlined in the New Jersey regulation. Is there any way those steps could be completed by a computer technician fast enough to be worth the value of a used disk drive that sells for $38 new? Even if the preferable solution of running a wipe program were used instead of degaussing, and steps 3 and 4 above were bypassed (since you don’t really know what operating system the buyer will want anyway), the time spent is still unlikely to be economical.
The moral obligation to protect confidential data supersedes any profit motive in selling the used equipment. Nevertheless, it is likely that the state’s surplus property program was expected to be a revenue generator. This budgetary pressure encourages employees to spend as little on the problem as possible. For this reason, updated regulations and related procedures are needed, as described below.
The best way of economically cleaning a disk is commonly called Boot-and-Nuke, after the most common program that does it, Darik’s Boot and Nuke (DBAN). Essentially, you put DBAN on a CD, or on a USB drive for computers without a CD drive. Then you power up the computer, check the BIOS setup so it will boot from the DBAN CD or USB drive, and boot the computer. The computer will then be running a tiny version of Linux solely from the CD or USB drive, leaving the entire disk drive free for wiping (including the operating system and other program files). Tell it which drives to wipe and walk away. Come back later (a 500 GB drive will take about two and a half hours for a one-pass wipe), remove the DBAN disk, turn the computer off, and it is ready to be safely donated or sold with a blank disk.
When conducting investigations, we often hear that the data has been lost or deleted. While that may be true, the New Jersey report and our repeated experience tell us that additional questions should be asked, and additional work done, before concluding that evidence is really gone. A properly trained and motivated computer forensics professional can often get plenty of data when others have concluded that there is nothing left.
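A wipe is only worth relying on if somebody checks the result before the machine leaves the building. The following Python code is an added example, not part of the original article and not DBAN's own code: it applies the single pass of zeroes described above to a disk image and then audits it sector by sector. The 512-byte sector size, the function names and the sample record are assumptions constructed for illustration.

```python
import os
import tempfile

SECTOR = 512               # bytes per sector (assumed; some drives use 4096)
CHUNK = 4 * 1024 * 1024    # read/write size, a multiple of SECTOR

def zero_fill(path):
    """Single pass of zeroes over every byte of an image or device."""
    with open(path, "r+b") as dev:
        remaining = dev.seek(0, os.SEEK_END)
        dev.seek(0)
        while remaining:
            n = min(CHUNK, remaining)
            dev.write(bytes(n))
            remaining -= n
        dev.flush()
        os.fsync(dev.fileno())          # make sure the zeroes reach the media

def audit_wipe(path, max_report=5):
    """Return (total_sectors, dirty_sectors, first_dirty_byte_offsets)."""
    total = dirty = offset = 0
    first = []
    with open(path, "rb") as dev:
        while buf := dev.read(CHUNK):
            total += -(-len(buf) // SECTOR)      # round a short tail up
            if buf.count(0) != len(buf):         # clean chunks skip the slow path
                for i in range(0, len(buf), SECTOR):
                    if any(buf[i:i + SECTOR]):   # any non-zero byte in sector
                        dirty += 1
                        if len(first) < max_report:
                            first.append(offset + i)
            offset += len(buf)
    return total, dirty, first

def demo():
    """Constructed 64-sector image holding one leftover record, as after a format."""
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(bytes(64 * SECTOR))
        img.seek(10 * SECTOR)
        img.write(b"CONSTRUCTED SAMPLE RECORD - not real data")
        path = img.name
    try:
        before = audit_wipe(path)       # leftover data still present
        zero_fill(path)
        after = audit_wipe(path)        # every sector now reads as zero
    finally:
        os.unlink(path)
    return before, after

if __name__ == "__main__":
    print(demo())
```

Run against a raw device path instead of the temporary image, `audit_wipe` needs read access to the device, and any non-zero sector count means the drive is not ready for surplus.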
Fulcrum Inquiry performs computer forensic investigations and financial investigations. We regularly provide expert testimony regarding the results of our work.
Fulcrum Inquiry performs computer forensic examinations and special master assignments.