Second-hand data from discarded digital systems

Andy Jones, BT

IT has become ubiquitous, including the myriad technological devices that we all take for granted, use and misuse, every day. Andy Jones examines the dangers of retrievable data on discarded hardware.

Computers have been in common business use for around three decades now, starting with mainframe computers that operated in air-conditioned rooms and had dedicated staff. Later the desktop came along and the modern computer revolution started.

The computer has gone from being a precious facility to a commodity that transcends all aspects of our business and personal lives. In the transition, the user interface has improved and become more transparent, with the result that the underlying processes that are taking place on the device are often not seen or thought about.

With mainframe computers, the environment was controlled and digital storage media was limited in volume and extremely expensive. Since the innovation of the desktop computer and subsequently the laptop, the PDA and 3G mobile phone, digital storage media has become hugely more compact, much cheaper and the volumes have grown at an almost exponential rate. Over the same period, while an ever increasing volume of information, some of it sensitive, has been stored on the hard disks of these devices, the tight control that used to exist in the days of the computer hall environment has almost totally disappeared.

Computer security has always been considered to be an overhead and an inconvenience, but in the days of the computer hall, this was dealt with by the trained computer staff. In the modern environment, the security measures that are required to protect the information that is stored on the devices are still viewed by most users as an imposition and an impediment to getting the job done. In the corporate environment some security measures can be imposed, but in the era of consumerisation and the increasingly diverse range of devices that are being used, this is also becoming more difficult.

There have been a number of surveys into the level of information remaining on computer hard disks that have been offered for sale on the second-hand market over the last few years[1],[2],[3],[4],[5]. Another report, to be published shortly, looks at the level of information remaining on handheld devices, such as mobile phones, PDAs and RIM devices. These reports have revealed that despite the availability of affordable, effective and easily useable tools, many organisations and individuals are failing to effectively remove data from the magnetic media of the devices when they dispose of them. This research has highlighted two major issues: for the organisations, it represents, at best, a failure of procedures and, at worst, a failure to meet their statutory and legal obligations; while for the individual, the issue appears to be one of ignorance of the risk that they expose themselves to when they dispose of an old computer or handheld device.

The second-hand disk research that has been undertaken over the last four years by BT, the University of Glamorgan in Wales, Edith Cowan University in Australia and Longwood University in the US has provided a startling insight into the volumes of information that are discarded and the potential damage that the abuse of it could cause.

In recent months we have also seen numerous articles in the newspapers about the loss of data through the theft of laptop computers and lost USB storage devices or through poor procedures and practices. These articles have highlighted the issue of the protection of the data that is being stored on systems that are currently in use and where the loss of the data has been noticed, and there is no doubt that many more incidents either go unreported or unnoticed.

What the studies and the reported losses have actually revealed is that organisations and individuals have, in many cases, failed to address the issue of how to protect data on the devices that we now use. The newspaper reports show that in some organisations the data is not adequately protected while the systems are in use and the studies have revealed that there is a widespread failure, when systems and devices are disposed of, to ensure that data is removed.

Investigations into the reasons that corporate data was still present on magnetic media that had been disposed of showed that, in a number of cases, the underlying reason was that, when computers were disposed of, third party organisations were used. It became clear that the organisation that owned the disks and the information believed that their third party contractor was contracted to remove the data. In some cases this was incorrect and there was no agreement, but in other cases, the process by which the data was to be removed was not defined and the media had simply been formatted. In both of these cases, the organisation that had owned the media had failed in the basic requirement of any security procedure - they had not checked that it actually worked and produced the results that they expected. In other cases, the underlying cause was that there were no processes or procedures in place and that, effectively, when the device reached the end of its useful life, it was discarded with no effort made to remove the data.
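The check that was missing in those cases can be automated. The following is an added example, not part of the original article or of any procedure it describes: it scans a disk image for blocks that still hold anything other than the overwrite pattern, and shows that a format leaves such blocks while a full overwrite does not. The 4096-byte block size, the zero pattern, the simplified model of a format and the sample image are all assumptions constructed for illustration.

```python
import os
import tempfile

BLOCK = 4096  # read size per check; an assumption, not a figure from the article

def residual_blocks(path, pattern=0x00, block=BLOCK):
    """Offsets of blocks holding any byte other than the overwrite pattern."""
    dirty, offset = [], 0
    with open(path, "rb") as f:
        while chunk := f.read(block):
            if chunk.count(pattern) != len(chunk):
                dirty.append(offset)
            offset += len(chunk)
    return dirty

def make_image(blocks=64):
    """Constructed sample 'disk': a header block plus records in blocks 10 and 40."""
    fd, path = tempfile.mkstemp(suffix=".img")
    record = b"name=A. Customer;acct=CONSTRUCTED".ljust(BLOCK, b"\x00")
    with os.fdopen(fd, "wb") as f:
        f.write(b"FSHDR".ljust(BLOCK, b"\x00"))  # stand-in file system header
        for i in range(1, blocks):
            f.write(record if i in (10, 40) else bytes(BLOCK))
    return path

def quick_format(path):
    """Model of a format: only the header block is rewritten, data blocks stay."""
    with open(path, "r+b") as f:
        f.write(bytes(BLOCK))

def overwrite(path, pattern=0x00):
    """Overwrite every block of the image with the pattern byte."""
    with open(path, "r+b") as f:
        for _ in range(os.path.getsize(path) // BLOCK):
            f.write(bytes([pattern]) * BLOCK)

def demo():
    """Run the check after a format and again after a full overwrite."""
    path = make_image()
    try:
        quick_format(path)
        after_format = residual_blocks(path)
        overwrite(path)
        after_overwrite = residual_blocks(path)
    finally:
        os.remove(path)
    return after_format, after_overwrite

if __name__ == "__main__":
    print(demo())
```

An empty result from residual_blocks is the condition a disposal procedure would record before a device leaves the organisation's control.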

Unfortunately, in the case of the handheld devices (the mobile phones, PDAs and RIM devices), the problem appears to be that people do not yet realise that the devices now have significant digital storage capacity and that, in many ways, they hold exactly the same type of sensitive information that the desktop computer does. They hold address books, diaries, the user's email and SMS text messages and a range of other information that could be of value to anyone with criminal intent. Unlike the computer, where organisations are likely to have processes in place for disposal, the handheld device, when it comes to the end of its (normally short) useful life, is typically put into a desk drawer and eventually forgotten until there is a charitable initiative. The devices are then placed into charity bags and sent off for recycling. In part this is because in both the corporate environment and for personal use, the devices are normally provided as part of a service agreement with the communications provider and replaced at regular intervals.

The 2007 second-hand disk study revealed that in the UK, a shocking 62 per cent of the disks that were in working condition still contained data that could be recovered without the use of any specialist tools. Of these, 41 per cent contained enough information for the organisation that they had come from to be identified and 65 per cent contained information that allowed individuals to be identified. Of the disks that were not working, a significant number were repaired with little effort and of these, the great majority still contained data.

The second handheld device study revealed that, of the working devices, 57 per cent contained easily recoverable data, 32 per cent contained no easily recoverable data and just 12 per cent were encrypted (these were all RIM Blackberry devices). This means that when they are disposed of, more than half of all of the devices, whether computers or handheld, still contain data.

There are a number of steps that can be taken to improve this figure. Some of these are in the remit of the government and national authorities, some are in the hands of organisations and some are in the hands of the individual.

The first and probably most effective measure that can be taken is the education and provision of awareness training for the users. If the users are aware of the problem, many will change their behaviour.

For organisations, probably the most effective step that they can take is to adopt systems similar to that which has been implemented in BT and set up disposal systems within the organisation for computers and mobile devices. To help the individual, the manufacturers, retailers and service providers can make available the tools and instructions to help them to remove data from computers and handheld devices.

None of these measures in isolation will appreciably improve the level of risk and potential exposure for an organisation or the individual. It is only when they are used in combination that there is likely to be a significant improvement in the situation.

References
1. Garfinkel SL, Shelat A (2003), Remembrance of Data Passed: A Study of Disk Sanitization Practices. IEEE Security & Privacy, 1(1).
2. Jones A, Mee V, Meyler C, Gooch J (2005), Analysis of Data Recovered from Computer Disks released for sale by organisations. J Information Warfare, 4(2), 45-53.
3. Jones A, Valli C, Sutherland I, Thomas P (2006), An Analysis of Information Remaining on Disks offered for sale on the second hand market. J Digital Security, Forensics & Law, 1(3).
4. Jones A, Dardick G, Sutherland I, Valli C (2007), The 2007 Analysis of Information Remaining on Disks offered for sale on the second hand market. J Digital Security, Forensics & Law. IN PRESS
5. Sutherland I, Mee V (2006), Data Disposal: How educated are your Schools? 6th European Conference on Information Warfare and Security, June 2006.

Dr Andy Jones works jointly at the Security Research Centre at BT and at Edith Cowan University (email: andrew.28.jones@bt.com).