“You’re going to delete that, right?”
If you’ve ever said that after someone who took a video or photo of you that you’d prefer didn’t leave that camera, you probably felt comfort in watching them delete it in front of you. But what if it wasn’t really gone?
I’ve often felt a little paranoid when I’ve decided to keep a broken phone or buy a used hard drive ro replace one in a laptop I’m selling. I have long held a strict policy of not letting anything that stores files leave my possession when I’m done with it for fear that someone could recover files that could lead to anything from mild embarrassment to identity theft. I may be paranoid, but with good reason.
I bought some SD cards
This week, I bought two auctioned lots of formatted memory cards, but what I found may surprise you. Keep in mind that these were specifically listed as “formatted”, meaning that someone went trough the effort of trying to wipe all the data to protect the privacy of the previous owners, but failed to do it in a secure way. More on that in a minute. First, here’s a breakdown of what I bought:
- 3 Sony Memory Sticks (about 4.5 GB)
- 8 SD cards (about 17 GB)
- 7 MicroSD cards (about 50 GB)
In total, I went through about 70 GB of recovered files in a day.
Thousands of private files uncovered
The goal of this experiment was to figure out what types of files I could uncover from all of these cards, but more specifically, I wanted to know if it was possible to get enough off a card to compromise someone’s online account or steal their identity. After all, hackers don’t care much about that photo of you in your underwear. They want something that can generate a profit. In all, I recovered over 15,000 files. Most of the files were photos with video and audio files making up a large portion of the remainder. In the minority were PDFs, XML, DOC, and system files. Of all these, here’s essentially what was uncovered.
- thousands of photos
- hundreds of videos
- medical documents
- personal information
- plenty of selfies
- strange screenshots
- lots of pet photos!
- photos of documents, lists, and notes
I started with the PDFs and XML, but came up empty-handed with a couple menus, some instructions, and a couple software configuration files. Next, I skimmed the photos for anything that included a computer screen in the background, hand-written notes, or printed materials. Mostly, I found myself sifting through tons of blurry photos and pictures of pets, family events, and what looks like items people were photographing to sell, but I did land on a few interesting items.
On one SD card, I found photos of medical records for a guy I’ll call “Phil” (I changed the name). Those photos included personal medical details and his home address. On the same card were plenty of photos of him and a girl who I imagined must be his girlfriend alongside screenshots from dating applications like Zoosk. There was enough on the card for me to find him on Facebook in under a minute and confirm that they’re still together. It’s creepy how much you can learn about a person with only an old formatted SD card as a starting point.
On another card, a younger gentleman captured a snapshot of the email on his computer that contained his username, password, and the URL to log into a specific site.
A third card included hundreds of photos that mostly just showed a college girl and her friends, her dog and the usual cellphone photo subjects. Looking closely at computer screens and other details in the photos, however, it wasn’t hard to determine her full name, dorm room number classes studied, place of employment, and more.
Less interesting were reminders, shopping lists, a school paper, and one recipe that looked worth trying.
How I recovered deleted files with an undelete program
To understand how files are recovered, it helps to first know a little bit about how they’re stored and deleted. When a file is stored, it’s data is stored in one area of your drive and a file pointer points to the first block of that data. When you click a file to open it, your computer simply references that first block and loads that file. When a file is “deleted”, your computer is really just removing the pointer to that file’s data and marking that space as free, but the data remains in tact. A standard “format” operation on a drive or card just removes all the file pointers, making all the space available for writing.
So-called “undelete” programs take advantage of this by scanning the storage space for any blocks of data that do not have file pointers. Such a program will then collect that data to it’s final block, give it a new file name, and store it in your recovery location, which should always be another storage device. Any parts of the data that were overwritten will be lost, so if you have something to recover, the best idea is to disconnect that drive and use recovery software on another computer to save your lost data.
The program I’ve had for years and which I used for this project is called LSoft Active@ Undelete Professional which currently costs about $45, but the standard version is only 20 bucks. There are other programs out there, but I can’t speak to their usefulness.
How to protect your files
If you’re like me, you’ll just never let that storage media out of your possession, but most people would prefer to sell or donate old hardware or drives that still work. So how to you keep your data safe from prying eyes? The key is to overwrite the data. When you overwrite the data, it makes it much harder for someone to recover it if at all. Your success at eliminating data may depend on the method you use. For example, simply deleting files or formatting the drive will leave your data wide open to anyone who knows how to get it back, but overwriting your data with something less private will make it much harder and using the Department of Defense 5220.22-M method (described more plainly here) will make data recovery virtually impossible.
I learned some things along the way
When I decided to conduct this experiment, I had a fairly narrow goal to see if I could find what a hacker would consider a successful haul of personalized information. Admittedly, I chose memory cards to keep the project cheap, allowing me to get storage media from many people affordably. I had not considered the types of information different devices might yield.
In my case, I procured a mix of SD, MicroSD, and Sony Memory Stick cards. Sony’s cards were popular for gaming and photography. SD Cards are often found in cameras and MicroSD cards have a variety of uses, including cell phone storage, small cameras, web/security cameras, etc. With this in mind, it’s not too surprising that the bulk of recovered files were photos.
This lends itself to the idea that a hacker could narrow his or her search by carefully selecting the storage device to sift through. If high-resolution photos were the goal then purchasing used cards that are specifically designed for high-speed storage would be ideal. In fact, the faster the write time, the more likely that card was purchased by its previous owner for video applications. If, on the other hand, a hacker wanted to get his or her hands on financial documents, spreadsheets or browser cookies and cache, desktop and laptop drives would be ideal. A hacker could even go so far as to target drives known to have been used widely in consumer computers to increase the probability of loosely-secured personal data, or server hard drives in search of corporate bounty.
Currently, I’m shopping hard drive auctions and will be looking at other items that store information in internal memory for my next experiment. I’ll post on that soon, but in the meantime, be sure to truly wipe any storage media before sending it back out into the world.