Want to sell your laptop, cell phone, or hard drive? Not so fast...
Although it never seems to work when you really need it to, data recovery is a lot more straightforward than people think. A generation of CSI, NCIS, and Law & Order episodes has taught most of us that simply deleting a file doesn't really get rid of it, but even more concerted efforts to wipe data and format a disk can be undone if you know where to poke and prod. Knowing this, I've always thought it would be interesting to scoop up a handful of secondhand devices and hard drives in order to see what might be left over. I've always assumed that even smaller shops would have some standardized method of wiping their drives, but armed with the SIFT Workstation and the overconfident curiosity of someone who is not an expert in digital forensics, I loaded up my Thermaltake BlacX Duet docking station with the first drive and prepped for a file-carving journey through unallocated space.
Bringing a Knife to a Food Fight. Wait. There is a fight? I didn't know there was going to be a fight...
This is the point where the blog post should turn to walking through forensic file recovery techniques such as those described in Kevin Ripa's awesome talk The Magic of Raw Data Carving, but no such methods would be necessary. While I initially anticipated that recovering any data from a drive's prior owner would be a win and an indictment of the practice of selling old drives and devices, the reality was much more disappointing... Once the first drive was read and became available for review in my workstation, I was presented with a full and unfettered Windows installation. Does that sound reasonable and not-so-bad to you? Well, here is why you should be concerned:
- Under normal circumstances, you have to provide Windows a valid username and password in order to access data stored on a system's drives. But if the drive is removed from the system and there is no at-rest encryption (such as Windows BitLocker, which is not enabled by default), then there are no restrictions on accessing the drive's data at all.
- Access to a drive which was previously used to run Windows grants access to: password hashes, potential cleartext passwords, sensitive user personal documents, pictures, browser history, saved credentials, email and messaging history, accounts with credentials saved in the browser, and much, much more.
- If none of this is landing, just assume all of this is akin to exposing access to your machine, data, accounts, habits, and history without the password you normally use to log in (or any credentials at all).
While I will not go into specifics about what was found on this particular drive, I did cut my activities short, opting to simply review for the presence of various kinds of findings (basically all of what is included in the bullet points above and then some) before destroying the drive.
But Jason, that was just one of the drives, right?
Yes, you are 100% correct that the drive discussed above is just a single drive. Sadly, the findings related to that drive were not so singular; of the twelve drives I analyzed: four featured a full Windows installation, five retained data which I estimated should not be there, and two seemed to be entirely clear, either due to my terrible forensicating or the potential that they were never used.
It is important to note that none of this is specific to Windows OS disks. Your cell phone (although there is more support for default drive encryption), external hard drive, video game system, Linux laptop, IoT toilet seat, corporate printer, and anything else with a hard drive can retain some of its data after deletion, or all of it if nothing is done to remove data in the first place.
If It Doesn't Spark Joy
So, what is the best way to wipe a drive before you move on from it? If this is for a business, there are many vendors which will provide secure deletion and destruction services for a fee. For personal drives or orgs which want to take a more manual approach, there are software offerings such as DBAN and KillDisk, and most drives ship with ATA Secure Erase firmware. For my money, though, it is hard to beat a drill bit or a hammer. Unless you can get one of these.
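If you do go the software route, it is worth checking the result before the drive leaves your hands. The following is an added example, not code from the original post: a sketch that audits a raw image of your own drive for leftover data and for NTFS or BitLocker volume boot sectors. It assumes 512-byte sectors and a zero-fill wipe (a random-pattern wipe will show up as non-zero data), and the function names are hypothetical.

```python
import io

SECTOR = 512  # assumed logical sector size
# OEM ID at byte 3 of a volume boot sector: plaintext NTFS vs. BitLocker.
OEM_IDS = {b"NTFS    ": "ntfs-plaintext", b"-FVE-FS-": "bitlocker"}


def audit_image(stream, chunk_sectors=2048):
    """Return (total_sectors, nonzero_sectors, [(byte_offset, kind), ...])."""
    total = nonzero = 0
    findings = []
    while chunk := stream.read(SECTOR * chunk_sectors):
        for i in range(0, len(chunk), SECTOR):
            sector = chunk[i:i + SECTOR]
            total += 1
            if not any(sector):
                continue  # all-zero sector: what a zero-fill wipe leaves
            nonzero += 1
            kind = OEM_IDS.get(sector[3:11])
            # Require the 0x55AA boot signature to cut false positives.
            if kind and sector[510:512] == b"\x55\xaa":
                findings.append(((total - 1) * SECTOR, kind))
    return total, nonzero, findings


def verdict(total, nonzero, findings):
    kinds = {kind for _, kind in findings}
    if nonzero == 0:
        return "zero-filled"
    if "ntfs-plaintext" in kinds:
        return "readable NTFS volume present"
    if "bitlocker" in kinds:
        return "BitLocker volume present, no plaintext NTFS boot sector"
    return "residual non-zero data"


def make_boot_sector(oem_id):
    """Constructed sample: only the OEM ID and boot signature are set."""
    sector = bytearray(SECTOR)
    sector[3:11] = oem_id
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    # Constructed image: a plaintext NTFS boot sector at sector 2048.
    img = bytes(SECTOR * 2048) + make_boot_sector(b"NTFS    ") + bytes(SECTOR * 7)
    print(verdict(*audit_image(io.BytesIO(img))))
```

To run it against a real image, pass a file opened in binary mode to `audit_image`. A BitLocker-protected Windows disk can still report a readable NTFS volume if it carries an unencrypted recovery partition, so check the offsets in the findings list.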