Lessons not learned on data disposal

Digital Investigation 6 (2009) 3–7
Available at www.sciencedirect.com
Journal homepage: www.elsevier.com/locate/diin

Andy Jones a,b,*
a Head of Information Security Research, Centre for Information & Security Systems Research, BT, United Kingdom
b Edith Cowan University, Australia
Article info

Article history:
Received 24 April 2009
Received in revised form 15 June 2009
Accepted 20 June 2009

Keywords:
Disk study
Mobile device security
Data destruction
Disk and device wiping
Disk erasure

* Head of Information Security Research, Centre for Information & Security Systems Research, BT, United Kingdom. Tel.: +44 1473 606256.
E-mail address: [email protected]
1 http://www.theregister.co.uk/2007/11/20/hmrc_loses_lots_data/.
2 http://www.infoworld.com/article/07/01/17/HNtjxbreach_1.html.
1742-2876/$ – see front matter © 2009 Elsevier Ltd. All rights reserved.
doi:10.1016/j.diin.2009.06.017
Abstract
There has been a great deal of media attention paid to high profile losses of data such as the UK HM Revenue and Customs (HMRC) loss of the personal records of 25 Million people on 2 CDs, the TJX (the parent company of TJ MAXX) loss of 40 million customer account records and the U.S. Department of Veterans Affairs (VA) loss of information on more than half a million people. While these spectacular failures are certainly newsworthy, they have in some ways diverted attention from the underlying issues. What remains almost unreported are the levels and types of information that are given away on a daily basis when equipment that contains digital storage media such as computers, Personal Digital Assistants (PDAs), mobile phones, etc. is disposed of at the end of its useful life.

Over the last four years research has been carried out to determine the level of information that individuals and organisations inadvertently give away when they dispose of computers and hand-held devices such as mobile (cell) phones, RIM Blackberries and PDAs. This research has been carried out by an industry/academic collaboration led by British Telecommunications with academic partners at Edith Cowan University in Perth, Australia, the University of Glamorgan in Wales and Longwood University in Virginia, USA. The results of the research, which has now examined more than 1000 computer disks and 160 hand-held devices, have provided an insight into the very poor protection that both organisations and individuals give to data when they dispose of these types of equipment. It has given an indication of the effect that the availability of this information is likely to have in causing data breaches and will provide personnel involved in incident response and management with indicative data of the type of information that may be lost in an incident and allow them to plan suitable measures to mitigate the effects. It will also be of interest to those involved in digital forensics as it provides an indication of the likelihood of information being available on devices being examined and the steps that have been taken in attempts to remove it.
© 2009 Elsevier Ltd. All rights reserved.
There has been a great deal of media attention paid to high profile losses of data such as the UK HM Revenue & Customs (HMRC) loss of the personal records of 25 Million people on 2 CDs,1 the TJX (the parent company of TJ MAXX) loss of 40 million customer account records2 and the U.S. Department of Veterans Affairs (VA) loss of information on more than half a million people.3 While these spectacular failures are certainly newsworthy, they have in some ways diverted attention from the underlying issues. What remains almost unreported are the levels and types of information that are given away on a daily basis when equipment that contains digital storage media such as computers, Personal Digital Assistants (PDAs), mobile phones, etc. is disposed of at the end of its useful life.
Over the last four years research has been carried out to determine the level of information that individuals and organisations inadvertently give away when they dispose of computers and hand-held devices such as mobile (cell) phones, RIM Blackberries and PDAs. This research has been carried out by an industry/academic collaboration led by British Telecommunications with academic partners at Edith Cowan University in Perth, Australia, the University of Glamorgan in Wales and Longwood University in Virginia, USA. The results of the research, which has now examined more than 1000 computer disks and 160 hand-held devices, have provided an insight into the very poor protection that both organisations and individuals give to data when they dispose of these types of equipment. It has given an indication of the effect that the availability of this information is likely to have in causing data breaches. The results of the research will provide personnel involved in incident response and management with indicative data of the type of information that may be lost in an incident and allow them to plan suitable measures to mitigate the effects. It will also be of interest to those involved in digital forensics as it provides an indication of the likelihood of information being available on devices that are examined and the steps that have been taken in attempts to remove it.
The aim of the research was to gain an understanding of the level of information that remained on magnetic media that was offered for sale on the second hand market and which could easily be recovered. At the start of the research there was limited anecdotal and journalistic evidence that there were problems with regard to the disposal of data, such as a report in 1993 from the Canadian Globe4 about the discovery of a disk containing information relating to the employees of a small company and another in 2000 on the discovery of Sir Paul McCartney's banking information.5 While there had been a small number of academic research papers published on the subject including one by Garfinkel and Shelat in 2003,6 there had been no long term scientific investigation to determine whether the situation was changing in response to the developing technical and regulatory environments. The research has focussed on the level of information remaining on computer disks that have been obtained on the second hand market from a number of countries over a four-year period. The hand-held device research was initiated in 2008 as it was recognised that the increasing processing power and storage of these devices might mean that they were affected by the same issues of data removal as computers. The results of the research have been widely reported, but the results indicate that there has been little change with regard to the level of information being found on the media and devices. In the course of the research, no attempt was made to use sophisticated or expensive and specialised tools to access the data. The only tools that were used to gain access to the data were those that are commonly available to any competent computer user and, for the mobile devices, the software available from the device manufacturers.

3 http://www.informationweek.com/news/security/showArticle.jhtml?articleID=200900263
4 Canadian Globe and Mail (1993). Disk Slipped Into Wrong Hands, Canadian Globe and Mail, 2nd August 1993.
5 Calvert, J, Warren, P (2000). Secrets of McCartney Bank Cash Are Leaked, Daily Express, 9 February 2000, pp 1–2.
6 Garfinkel S.L, Shelat A, (2003). Remembrance of Data Passed: A Study of Disk Sanitization Practices. IEEE Security & Privacy, Vol. 1, No. 1, 2003.
1. Research methodology
The methodology that was used by all of the contributing organisations throughout the research remained unchanged. The disks and hand-held devices were procured either individually or in small batches from a wide range of sources and over a period of time. This step was taken in order to ensure that there was no undue influence on the findings as a result of the actions that may have been taken by a single supplier. For example, if a large quantity had been purchased from one source and that supplier cleaned the media effectively, it might have had an effect on the proportion of disks or devices that were found to contain no data. The disks that were purchased were selected randomly with regard to storage capacity, physical size (2.5/3.5 inch) and interface type (IDE/SCSI/SATA). This step was implemented to ensure that the items purchased were from as random a set of sources as possible. For example, it would have been possible to target organisations through the purchase of SCSI disks, as these are not widely used in personal home computers. The disks and devices were purchased in each of the countries that were included in the studies and a range of sources were used, including computer and technology auctions, computer fairs and eBay (although some of the purchases made from eBay were from recycling companies that offer them for sale on this outlet).
The processes that were used to capture and analyse the information were also consistent over the organisations throughout the period. The devices (whether a computer disk or a hand-held device) were first forensically imaged and then stored in a secure container. This was done as part of established forensic good practice, so that all analysis work was carried out on an image of the original. The tools used for this included EnCase, AccessData FTK, ProDiscover or Helix for the computer hard disks and Paraben, XRY, Oxygen and DataPilot SecureView for the hand-held devices. By doing this, the original media remained unaltered, and the adoption of this good practice has meant that it has been possible for media that is found to contain material relating to reportable criminal activity to be passed to the relevant authorities with the chain of custody intact.
Once the storage media had been forensically imaged, the only tools that were used to determine whether any information was contained on the storage media were, for the computer disks, tools that carried out the equivalent function to the Windows Unformat and Undelete commands and a hex editor, all of which are freely available to any user. For hand-held devices, a hex editor and the manufacturers' software for the management of the device, synchronisation with the PC and the creation of backups, all of which are freely available, were used.
2. Results
Throughout the whole of the research period, the volumes and types of information that have been discovered have been alarming. The information that has been found came from nearly all areas, including government, the financial sector, the legal profession, academia, healthcare, the automotive, agrochemical and other industries, the leisure industry, the retail sector and individuals' private computers and devices.

The statistics relating to the disk research show that organisational information could be recovered from 52% of the disks and that personal information could be recovered from 51% of the disks (some contained both personal and organisational information). Only 31% of the disks had had all of the data removed to a standard where it could not easily be recovered.

From the research into the hand-held devices, of those devices that were working and could be accessed, organisational information could be recovered from 23% of the devices and personal information could be recovered from 19% of the devices. For 51% of the devices, there was no data that could be easily recovered using the selected tools.
As the purpose of the research was to answer the question 'is it possible to recover data from second hand computer disks and hand-held devices using easily available tools', statistical information was not collected on the specific types of organisation in which the media had originated. Also, statistical information was not collected on the proportion of devices from a specific type of organisation (Medical, Finance, Defence, local government, etc.) that contained sensitive data.
One of the most graphic examples of the types of data that
have been recovered was the records of patients being treated
for cancer that had been left on a computer from a healthcare
organisation. The exposure of this information could have had
a significant psychological effect on the individuals
concerned.
Another example from a computer that had been used in a shipyard was of classified bids for government contracts to build a ship. These bids exposed detail of the specification of the ship and the capability of the shipyard. On the same disk were photographs of some of the people working at the shipyard and explicit details of one person's personal predilections, which could have exposed them to potential blackmail.
Other examples of data that was found included current
business plans for a large multinational company, together
with details of turnover broken down by establishment,
personal information of staff including salaries, National
Insurance Numbers, home addresses and contact numbers.
The potential impact of this type of information being available to anyone who cares to look for it, without any significant effort or specialised tools, could be devastating for a business or an individual. For a business, the exposure of their current business plans to a competitor or to people interested in its performance and expectations could have a catastrophic effect. For an individual it could result in identity theft, embarrassment and exposure to potential blackmail.
3. Changing environment
The problems of the effective destruction or removal of data from computers and hand-held devices have been exacerbated by a number of contributory factors. The first of these is that the storage capacity of computer disks has continued to increase over time at a significant rate (Moore's Law). This has been observed throughout the period of the research, where the storage capacity of the disks purchased has increased from an average size of between 20 and 40 Gb during the first year to between 200 and 300 Gb in the last year. Another factor affecting the use of laptop computers and hand-held devices has been the growing demand for devices that support an increasingly mobile population. A third factor has been the proliferation of good quality and high-speed mobile communications, which have also supported the demands for computing capability on the move.

All of these have contributed to the transmission of ever larger volumes of data to an increasingly wide range of devices and its subsequent storage on them. The availability of greater storage capacity has also meant that people, both in their employment and in private use, have been less likely to destroy data on an incremental basis when it is no longer required in order to ensure that there is adequate storage space on the media.
4. Legislation
As computer and networking technologies have developed, legislation such as the UK Data Protection Act and the California state law on disclosure has been introduced to meet the requirements of the changing environment. Organisations that hold personal data are now required to have measures in place to ensure that the information is adequately protected. Many organisations also have sector specific regulations that they are obliged to comply with, such as the Basel II accord for the financial sector and HIPAA for the healthcare sector. In addition, other regulations such as the Sarbanes-Oxley Act have been introduced to improve corporate accountability. All of this legislation has been put in place to ensure that information is properly protected and that suitable audit measures are in place to ensure that the measures are effective. Legislation will define what information needs to be protected, but does not define the methods and techniques by which it should be protected.
5. Reasons for the failures
Once the analysis of the media was completed, the researchers contacted a number of the organisations and individuals that could be identified and from which information that it was considered would have a significant impact was recovered. Although this went beyond the original scope of the project, which was to determine whether information could be recovered from second hand media using basic, freely available tools, it was considered to be important if an understanding of the reasons for the failure to effectively destroy the information was to be obtained. It is noteworthy that the reaction of organisations that were contacted varied greatly. At one extreme, the majority of the organisations reacted to being informed of a security breach by engaging with the researchers to identify the chain of actions and events that had led to the data not being properly disposed of. This included reviews of the information found, internal investigations, procedural changes and changes in service supplier contracts or changes of contractors. At the other extreme, a small number of organisations responded with categorical denials of the facts and an unwillingness to recognise or address the problems that had been identified.

7 Ultratec Limited – http://www.ultratec.co.uk/.
8 DataTerminators – http://www.data-terminators.co.uk/.
9 Blancco – http://www.blancco.com/en/frontpage/.
10 TrueCrypt – http://www.truecrypt.org/downloads.php.
11 PGP Corporation, Whole disk encryption – http://www.pgp.com/products/wholediskencryption/index.html.
12 Secure Systems Secure Data Vault – http://www.securesystems.com.au/.
It was found that there were a wide range of reasons behind the data not being properly cared for and disposed of adequately. These ranged at one extreme from the theft of the device to accidental failures and negligence and ignorance at the other. In the local government, financial sector, legal profession, academia, healthcare, the automotive, agrochemical and other industries, the leisure industry and the retail sector, one common factor was found. The main cause of the failure to properly dispose of the information can be attributed to poorly worded and managed third party arrangements where a disposal or recycling company has been contracted to dispose of the equipment and remove the data. In the majority of cases, the evidence was that they had fulfilled this requirement to delete the data from the devices by the use of the Windows format command. In a small number of cases the third party had failed to take any action to remove the data. A second factor that was consistent was that the adequacy and effectiveness of the processes used by the third party had, in all of the cases that were investigated, never been tested by the contracting organisation. In almost all cases, the organisation that was disposing of the equipment believed that the wording of the disposal contract adequately dealt with the issue of residual data and had not tested that the processes being used actually destroyed the data to a level from which it could not be recovered. Any competent information security professional and most competent computer users would know that the use of the Windows format command does not actually destroy the data; it merely removes the file structure which is normally used to access it. In an attempt to support users who make mistakes, Microsoft created an Unformat command which allows the file structure to be recreated with relative ease.
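As an added illustration (not the paper's own tooling) of the two points above, that a format rewrites only the file structure and that the methodology's unformat/undelete tools and a hex editor are enough to get the contents back, the following Python script builds a toy disk image with an invented sector layout, "formats" it, recovers the files by header/footer carving and a raw string search, and then shows that the same checks find nothing once every sector has been overwritten. The PNG header and footer bytes are the real signature; the sector layout, the file names and the file contents are constructed for the example, and the final all-zero test is the kind of acceptance check a contracting organisation could run on a sample of media returned by a disposal contractor.

```python
# Added example (not from the paper): a toy disk image showing why a "format" leaves file
# contents recoverable by carving or a hex-editor search while an overwrite does not.
# Invented layout: sector 0 holds a directory table, the remaining sectors hold file data.
import struct

SECTOR = 512
ENTRY = struct.Struct("<8sII")     # name, start sector, length in bytes
PNG_HEADER = b"\x89PNG\r\n\x1a\n"  # real PNG signature, used as carving header
PNG_FOOTER = b"IEND\xaeB`\x82"     # real PNG end chunk, used as carving footer

def directory(img):
    """Read the directory table in sector 0: what a file manager would list."""
    entries = []
    for off in range(0, SECTOR, ENTRY.size):
        name, start, length = ENTRY.unpack_from(img, off)
        if start == 0:  # an unused slot ends the table
            break
        entries.append((name.rstrip(b"\0"), start, length))
    return entries

def write_file(img, name, data):
    """Store data in the next free sectors and register it in the table."""
    entries = directory(img)
    start = max([1] + [s + -(-n // SECTOR) for _, s, n in entries])
    assert (start + -(-len(data) // SECTOR)) * SECTOR <= len(img), "image full"
    img[start * SECTOR:start * SECTOR + len(data)] = data
    ENTRY.pack_into(img, len(entries) * ENTRY.size, name[:8], start, len(data))
    return start

def quick_format(img):
    """Zero only the table: the disk looks empty, but no data sector is touched."""
    img[0:SECTOR] = bytes(SECTOR)

def wipe(img):
    """Overwrite every sector: the step a disposal process must include."""
    img[:] = bytes(len(img))

def carve(img, header, footer):
    """Header/footer carving: ignore the table and scan raw sectors for a signature."""
    found, pos = [], img.find(header)
    while pos != -1:
        end = img.find(footer, pos)
        if end == -1:
            break
        end += len(footer)
        found.append((pos // SECTOR, bytes(img[pos:end])))
        pos = img.find(header, end)
    return found

def raw_search(img, needle):
    """Hex-editor style string search; returns the sector index or -1."""
    pos = img.find(needle)
    return -1 if pos == -1 else pos // SECTOR

def demo():
    """Format-versus-wipe comparison on constructed sample files."""
    img = bytearray(SECTOR * 64)
    plan = PNG_HEADER + b"constructed: turnover by establishment" + PNG_FOOTER
    write_file(img, b"plan.png", plan)
    write_file(img, b"staff.txt", b"constructed: salaries and NI numbers")
    r = {"entries_before": len(directory(img))}
    quick_format(img)
    r["entries_after_format"] = len(directory(img))  # 0: the disk looks empty
    r["carved_after_format"] = carve(img, PNG_HEADER, PNG_FOOTER)
    r["staff_sector_after_format"] = raw_search(img, b"NI numbers")
    wipe(img)
    r["carved_after_wipe"] = carve(img, PNG_HEADER, PNG_FOOTER)
    r["staff_sector_after_wipe"] = raw_search(img, b"NI numbers")
    r["all_zero_after_wipe"] = not any(img)  # the acceptance check to run
    return r
```

Running `demo()` shows two files listed before the format, none after it, and yet both recovered from the raw sectors; only after the overwrite do carving and the string search come back empty.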
For disks and devices that had belonged to individuals,
the major reason for the failure to adequately destroy the
data was that of ignorance and lack of technical knowledge.
The majority of home users do not have easy access to tools
that could be used to safely destroy the data and do not
have the skills and knowledge required to use them
effectively.
6. Recommendations
There are a range of measures that were identified by the research which can be taken to ensure that information on organisations and individuals does not end up in the public domain. For computer disks, the recommended steps include:
• User Education – A public awareness campaign by Government, the media, commerce and/or academia.
• Organisational Risk Assessments – Carry out organisational risk assessments to determine the sensitivity of the information on disks.
• Best Practice – The introduction into organisations of procedures to ensure that computer systems and computer hard disks are disposed of in an appropriate manner.
• Physical Destruction – Where appropriate, the physical destruction of the disks using services such as the Ultratec Secure Data Erasure service7 or that offered by DataTerminators.8
• Data Erasure – The development of and access to tools such as the Blancco data erasure tool9 and facilities to enable individuals to effectively remove the information from their computers.
• Encryption – The full encryption of hard disks using software such as TrueCrypt10 or PGP whole disk encryption11 or hardware encryption devices such as the Secure Data Vault12 to ensure that information could not be easily recovered.
• Asset Tracking – It is also suggested that organisations may more effectively secure their data if asset tracking is conducted at a storage device level. This would require that asset tags are placed on individual disks rather than the computer system unit to ensure safe disposal, as increasingly systems are offered with more than one physical storage device.
• Legal – Assign responsibility to those charged with receiving discarded or damaged hard disks. Disks considered dead or faulty should have the same disposal practices applied to them as disks removed from a working system.
For mobile devices, the measures that can be taken include:
• User Education – Education and awareness training for the users.
• Best Practice – A system within the organisation for the secure disposal of mobile devices.
• Data Erasure – Ensuring the wider availability of tools and instructions such as model specific data removal information13 for the removal of data from hand-held devices.
• Contracts – Ensuring a commitment from recyclers14 and organisations15 that accept donated hand-held devices to ensure that they are data cleansed before they are sold on.
None of these measures, in isolation, will improve the level of risk and potential exposure for the individual or an organisation. It is only when they are used in combination that a significant change will occur.
13 Recellular Free Data Erasure tools – http://www.recellular.com/recycling/data_eraser/default.asp.
14 PHS Datashred – http://www.recyclemycomputer.co.uk/recycle-mobile-phones.htm.
15 Birmingham Focus on Blindness – http://www.birminghamfocus.org.uk/html/display.php/id/419.
7. Future work
The consortium plans to continue with the research into both computer disks and hand-held devices, although the latter will, in the future, be concentrated on 2.5G and 3G devices, Blackberries and PDAs. The decision to change the scope of the hand-held devices was taken as it is considered that the risk from 2G devices is small due to their limited functionality and storage capacity and also that these devices will, as time progresses, be replaced by the more function-rich 3G type devices.