I had this impulse to go to a thrift store the other day.

The particular one I chose, a Savers, has this kind of unique way of repackaging old cables, remotes, and miscellaneous small technology – they neatly bag it up and hang it on a pegboard.  It’s actually very well organized and professional, bordering on impressive.

As I perused, my nerd sonar went off the charts when I saw an ’03 80GB Western Digital IDE hard drive hanging there in a sea of other castoff peripherals.  $2.99.

And behind it, a Maxtor; same capacity and vintage. $2.99!

Immediately I had a thought for a project – take one of these home and see if any data could be recovered from it, using freely available tools found on the internet.

But which drive do I pick?

I supposed the WD pedigree might edge out the Maxtor, but who really knows.  And what if I were to get it home, and it was just dead?  That would be a buzzkill.

$5.98 it is.  I took them both; a nominal investment for science.

I really hadn’t thought much about what might be on them as I tendered my cash, but as I drove home, a few things began percolating:

-Does the average home PC owner really know how to properly dispose of a hard drive?

-No.  Why would they?  The industry has equipped the consumer in no way to do so.  The life cycle of personal computing is sooooo incomplete.  It’s remarkably easy to get a new machine in someone’s hands, but when it comes to the disposal of their old one, there’s no guidance issued to ensure the consumer is properly protected.  Nothing that’s second-nature, household name procedure kind of stuff.  If you have an IT-minded person in the family, you may be in luck.  If not…sorry, you get identity theft?

-It’s exactly like a wallet.  If you find yourself in need of a new wallet, you go out and buy a new wallet.  You take the contents of your old wallet and put those contents in the new wallet.  Because you think your old wallet still has some life left in it, certainly of value to someone else out there you believe, you donate it.

-Except in the hard drive scenario, it’s exactly like taking that old wallet and just donating the entire thing, contents and all.  All of your money, your credit cards, your driver’s license – just handing it over to a complete stranger.  You would never do this.  Yet it’s exactly what you’re doing if you donate a computer or a hard drive without taking the precaution of wiping it.

-I’m becoming legitimately interested in what may be on these hard drives.  Would they be formatted?  Would they outright have files on them?  Would they be drenched in malware?  Depending on what I am able to recover, these people are going to be damn lucky I’m not a criminal.

-Then I started to go in a different direction.  What if I find something on these hard drives – something terrible?  Something I have to turn over to the police?  What if I find evidence of a crime?  What a strange chain of custody the evidence would have followed, and what a complex legal scenario this presents.

Now I’m legitimately nervous.  I really have no idea what I’m about to find.  It could be anything.  What I know is that I have the hardware to read these old drives, and I’m certainly willing to pay a few more bucks for software that proves it can bring data back to life.  I last used tools like this about a decade ago; certainly they’ve evolved.

I’d do well to have a sandboxed machine to do this on.  Too bad I just sold our old netbook on eBay; it would have been perfect.  I’d have to go it alone with my daily driver and only Windows Defender and a Malwarebytes Premium subscription watching my back.

I started with the Western Digital.  I connected it to a molex/USB adapter and plugged it in.

Click of death.

Moving on to the Maxtor.

Two drives mount immediately. Wow. I won’t even have to try.

What mounted as D:\ is someone’s entire C:\ drive, and it looks intact.

And not just someone’s entire C:\ drive – an entire family’s C:\ drive.

And of course, hidden folders.  A disaster of epic proportions.

Maybe thousands of cookies total.  You won’t hijack a ten-year-old session with these, but you’ll find something.

I feared I would find these.  Outlook Express folders.

Opening .dbx files is a trivial affair with the proper freeware.

Terrible password practices will plague users for, well, forever.

Odds are better than average that weak MySpace password was also used to prepare taxes.

We could open emails and other files all day, aggregating information.

Despite having already proved otherwise, for the sake of argument – let’s presume the user who “disposed” of this drive felt that anything of value had already been copied off or otherwise deleted.

Enter a freeware file recovery utility.

Just like that, a quarter million files could be eligible for resurrection.

Filtering on all recoverable jpegs.  I braced for the worst.  Miraculously, there was nothing of interest.

After sorting by size, the largest file is a .zip full of emails.  It is highly recoverable.  Before disposing of this drive, the user saved off important messages, copied them to another machine and then deleted the archive, presuming that would be sufficient.

And that was not sufficient.  The recovery tool goes to work restoring the archive.

Now we unzip the archive.  There are over three thousand email messages here…

…exposing things like online shopping transaction details…

…and more terrible password practices…

…and unforgivably bad password management habits such as emailing yourself credentials.  For payroll.  For taxes.  For loan applications.  There was so much of this stuff I just stopped.

Probably enough had been proven at this point.  But as a last measure, I filtered the output of the recovery tool on all recoverable PDF documents.

Now we enter a nightmare scenario.  No matter how old this drive is, these two documents WILL contain at a minimum, full names, birthdates, and social security numbers.  The identity thief has just hit a grand slam.

I will destroy this drive.  Maybe with a sledgehammer, maybe with fire, maybe both.  I’m inclined not to notify the family that I had possession of it, as I don’t want to stress them out.

I honestly have no idea how Savers ended up with this hard drive.  It hardly matters.  The point is that consumers have only a vague understanding that they need to protect themselves when disposing of hard drives.  And they certainly have no idea how to do it properly.

You can see that the last person to use this drive did some housekeeping, deleting “the really important stuff”.  As you can see, that is only going to deter the truly inept.  I could have taken this so much further, and an actual criminal would have.  They would have mined all of those cookies, mapped out a profile for all of the family members based on what they found, and taken the whole thing to another level we don’t need to flesh out here.

I didn’t need to spend a dime on tools; there’s too much freeware out there to even bother.  But if I had, it’s a near certainty that I would have been able to recover even more than I could have with freeware.  Seagate’s recovery software is $99.  The average identity theft haul is $2000.  The worst criminal can do this math.

So what can you do?

I have been a fan of DBAN for a very long time.  I keep it on a bootable flash drive and nuke any system I’m about to part with.  It’s exceedingly easy to use.  Make it a part of your life.

If the drive is dead and can’t be wiped, I go Wile E. Coyote on that thing with a pick axe.

Between these two methods, you should be in good shape.  Now tell everyone you know.

-cp
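
A way to check that a wipe actually took before a drive leaves the house, as an added example that is not part of the original post: it scans a raw image for leftover non-zero bytes and for the magic numbers of the file types recovered above (ZIP, PDF, JPEG). The toy disk, its contents and all function names are constructed for illustration, and it assumes the wipe was a single zero-fill pass.

```python
import io

SECTOR = 512
# Magic numbers for the file types the post recovered (ZIP, PDF, JPEG).
SIGNATURES = {"zip": b"PK\x03\x04", "pdf": b"%PDF-", "jpeg": b"\xff\xd8\xff"}

def scan_residue(stream, chunk_size=1 << 20):
    """Count non-zero bytes and file-signature hits in a raw image stream."""
    overlap = max(len(m) for m in SIGNATURES.values()) - 1
    report = {"bytes": 0, "nonzero": 0, **{name: 0 for name in SIGNATURES}}
    tail = b""
    while chunk := stream.read(chunk_size):
        report["bytes"] += len(chunk)
        report["nonzero"] += len(chunk) - chunk.count(0)
        # Prepend the end of the previous chunk so a signature that
        # straddles a chunk boundary is still seen.
        window = tail + chunk
        for name, magic in SIGNATURES.items():
            # Skip matches that lie entirely in the tail: already counted.
            pos = window.find(magic, max(0, len(tail) - len(magic) + 1))
            while pos != -1:
                report[name] += 1
                pos = window.find(magic, pos + 1)
        tail = window[-overlap:]
    return report

def make_image():
    """Constructed 32 KiB toy disk: a directory entry plus two file bodies."""
    img = bytearray(SECTOR * 64)
    img[0:11] = b"MAIL    ZIP"                              # directory entry
    img[SECTOR * 8 - 2:SECTOR * 8 + 6] = b"PK\x03\x04mail"  # ZIP body
    img[SECTOR * 20:SECTOR * 20 + 8] = b"%PDF-1.4"          # PDF body
    return img

def delete_file(img):
    """Model of an ordinary delete: only the directory entry goes away."""
    img[0:11] = bytes(11)

def zero_wipe(img):
    """Model of a single zero-fill pass over the whole device."""
    img[:] = bytes(len(img))

if __name__ == "__main__":
    disk = make_image()
    delete_file(disk)
    print("after delete:", scan_residue(io.BytesIO(disk), SECTOR * 8))
    zero_wipe(disk)
    print("after wipe:  ", scan_residue(io.BytesIO(disk), SECTOR * 8))
```

A random-pattern wipe leaves non-zero bytes by design and, on a large drive, can produce a few short signature hits by chance, so the non-zero count is only meaningful after a zero-fill pass.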
