The lingering dangers of a hard disk’s memory

Listen to this article

00:00
00:00

When the police seize computer equipment from a crime scene, one of the first things they do is make a copy of the hard disk.

This is called “imaging” – it provides an exact replica of the hard disk at the time the copy is taken, which is then used as evidence of what has been done with that computer, regardless of what happens afterwards.

Some criminals have made the mistake of thinking that deleting information will prevent the police from accessing the data. But the reality is very different.

“Data is very difficult to get rid of,” says Dan Haagman, head of operations for computer forensics company 7Safe. “It’s remarkably easy to recover. Data is always there – even if you delete it you can get it back.”

When a computer saves data, it separates and stores it in many different sections of a hard drive. But when a computer deletes data, it merely removes the reference to that information, while the data remains where it is.

“We find some pretty horrific stuff on people’s hard drives,” Mr Haagman adds. “And in the corporate sector we find a lot of pornography. It’s not necessarily illegal but it breaches the corporate security policy.

“We also find a lot of fraud and espionage where people in big-named companies are leaking copies of the sales database. But forensically you can track that back.”

Computer forensic experts can find almost anything on a hard disk, even if it has been formatted, because the data has not been overwritten. The danger of this is that many companies looking to dispose of hard disks are doing so in the belief that they have wiped their data when in fact they have not.

A recent study found that of 300 hard disks bought from auctions around the world, 41 per cent of the disks were unreadable, 20 per cent contained information to identify people, 5 per cent held commercial information on organisations, and a further 5 per cent held “illicit data”.

The researchers from BT, the University of Glamorgan and Edith Cowan University in Australia found data on payroll information, mobile telephone numbers, copies of invoices, employee names and photos, IP addresses, network information, illicit audio and video files, and financial details including credit card accounts. The implications are obvious: in the wrong hands such data could lead to identity theft, hacking and fraudulent purchases all over the world.

Disposing of hard disks is a much more complicated and costly problem than you might assume. The problem is that companies are now required to archive more data than ever. Compliance regulations mean that some data must be stored for up to seven years.

Yet if a company allows data to fall into the wrong hands, they could also be in breach of laws such as the UK’s Data Protection Act, which prevents the “passing on” of people’s details.

“The Data Protection Act is there to guard against information carelessly falling into the wrong hands,” says John Adey, chief technology officer of managed services company, Star. “But tellingly, I’ve never heard of anyone who’s been charged after business data has been recovered from decommissioned hardware.

“Saying that, I’d expect greater scrutiny in future. We know, for example, that there’s a thriving industry in India which salvages passwords and other credentials from discarded hard drives.”

So what can be done to wipe hard drives for good while keeping in line with the law?

“Assuming you don’t want to destroy the disk, most people copy or image the hard drive, and then wipe it,” says Tim Leehealey, VP of Guidance Software, a company that sells computer forensics tools to the police. “That eliminates the risk of losing any data that was on there. But the majority of companies don’t [wipe it].

Some companies dispose of old computers by giving them to charities. Computer Aid International, a charity that sends ex-corporate computers to schools in struggling economies, uses a software tool called Blancco to wipe hard disks. It promises donors that all hard disks will be cleaned before they travel.

“You’re not really wiping it, you are overwriting it,” says Ashley Lovett, a spokesman for the charity. “That’s in contrast to reformatting a drive, which does not get rid of data.”

Overwriting data many times can ensure a hard disk is safe to leave a company. But some companies opt for a more secure approach.

“The only two totally safe methods of disk erasure are to use a military-grade degauser or to melt the disk,” says Roy Hills, technical director for security company NTA Monitor. “A degauser is basically a massive magnet that makes the entire disk have the same magnetic field. This will turn modern disks into a doorstop.

“But [overwriting] is generally a good enough level of security – this is going to foil anyone except governments or big companies with large resources.”

Copyright The Financial Times Limited 2017. All rights reserved. You may share using our article tools. Please don't copy articles from FT.com and redistribute by email or post to the web.