Testing Data Sanitization Practices of Retired Drives with The Digital Forensics Data Recovery Project
Abstract
There are several empirical studies that have focused on the analysis of retired digital media on the secondary market, which have had historical impact not only on the technology community but on the business community as well. This research introduces the Digital Forensics Data Recovery (DFDR) study, in which five key industries (government, education, businesses, electronic recycle centers, and individual home users) were targeted to test the effectiveness of data sanitization practices with used media. While previous work analyzed any device, the DFDR study aims to analyze media on which due diligence has been taken to ensure data privacy.

Introduction

Given the migration from paper-based storage to digital media, coupled with the increase in computer-based personal and business practices, virtually all forms of communication are stored on some type of digital media. Improper data sanitization practices can result in the release of confidential data and identity theft.

• Digital media capacity continues to increase while the cost per GB continues to decrease [2]. Toshiba developed a 2.5 terabyte density per square inch [16].
• The shorter replacement lifecycle directly results in a higher number of discarded digital devices, which in turn need to be sanitized before they are retired or reused.
• Residual data is data that remains on digital media after a sanitization process was taken. It can be found in slack and unallocated space, or could simply be marked for deletion but not actually deleted.
• Properly adopted and integrated data sanitization policies and practices are essential to ensuring discarded media does not contain personal identifying information or sensitive corporate data. Practically all aspects of our lives are held on digital media somewhere, whether the media is in our control or not.
• Current beliefs on formatting, f-disking or imaging (aka ghosting or cloning) are that these approaches result in properly sanitized digital media; however, research has shown that residual data can be recovered from these drives [3,18]. In special cases, even zero fill utilities can leave residual data in slack and unallocated space.

Accidental Data Disclosure Examples

• In 2009, Chris Ogle purchased a used iPod for $15.00 from a store in New Zealand. The iPod contained current personal information of different military personnel, war mission briefings and deployment information [11].
• In 2002, the US Veterans Administration Medical Center, located in Indianapolis, disposed of 139 computer desktop systems. The systems were either sold or donated to needy school districts. A reporter purchased three of the systems. The drives were littered with confidential and personal data, including medical records on veterans with mental health concerns, AIDS, and other serious health ailments [12].
• In Garfinkel and Shelat’s research study published in 2003, 10 used systems were purchased from a computer store; they contained files from a law firm, records on mental health patients, and confidential financial files [1].
• In 2009, researchers purchased used desktop machines on eBay; the systems contained health records and financial records from a major healthcare provider [3].

Hard Drive Replacement Lifecycle

DFDR Phase One Results

• Government Drive:
  • Two credit cards with CV codes
  • Two social security numbers
  • Four addresses
  • Dozens of emails
  • Hundreds of personal images
  • Over 60 profiles, including the domain administrator.
  • The SAM files were recovered and the domain administrator account password was cracked using FTK’s PRTK tool.
  • Employees used the computer to process travel reservations.
  • System used by an employee who was updating immigration files –
  • All the personal data needed to steal two complete identities was recovered.
• Educational Drive:
  • This drive contained enough data to steal three complete identities.
  • Countless confidential files, emails, and personnel images were found. If released, this data could be extremely embarrassing for the educational site, even illegal in situations.
• Business Drive:
  • Employee records, payroll, banking files, confidential internal memos, and budget information.
  • A tax data file found on the computer contained a master record for tax and payroll. The full names, addresses, DOBs, SSNs, and banking data (direct deposit) were found for 23 employees.
• Electronic Recycle Site:
  • Photos of an underage teenager participating in illegal drug activities.
• Home User:
  • Confidential tax data, banking records, personal files, FAFSA forms, National Guard

Data Sanitization Tools: Open Source and Commercial

There are several options available for both open source and commercial data sanitization tools. When selecting a tool, the authors note it is important to select one that emphasizes patterns in write fill in addition to passes. This is imperative to making sure that slack and unallocated space is overwritten. and no data was found.

Who is Responsible? Legal Concerns

The concerns identified by the DFDR project are twofold: first, the lack of regard for any sanitization practice whatsoever, and second, the ineffectiveness of f-disk, format, and imaging [1]. When a computer is formatted as part of a fresh install of Windows, there is a warning that informs the user that all of their data will be erased. If Microsoft is stating this, why shouldn’t it be believed by the average user? Senate Bill S 1490 has been introduced several times for votes, but has yet to be signed into law.
The bill aims “To prevent and mitigate identity theft, to ensure privacy, to provide notice of security breaches, and to enhance criminal penalties, law enforcement assistance, and other protections against security breaches, fraudulent access, and misuse of personally identifiable information [22].” House bill H.R. 221, the Data Accountability and Trust Act of 2009 (DATA), also aims to provide national coverage for victims of security breaches. Senate S. 3742, the Data Security and Breach Notification Act; S 139, the Data Breach Notification Act; and S 773, the Cybersecurity Act of 2009, were also introduced into Congress in 2009. Passed into law.
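The observation above that even zero fill utilities can leave residual data in slack and unallocated space is a reason to verify a wipe rather than trust the tool. The following is an added example, not part of the DFDR study: a Python check that reads a raw image sector by sector and reports every run of sectors that does not match the expected fill pattern. The 512-byte sector size, the function names and the sample image are assumptions constructed for illustration.

```python
import io

SECTOR = 512  # assumed logical sector size


def residual_runs(stream, pattern=b"\x00", sector=SECTOR):
    """Return [(first_sector, last_sector), ...] for runs of sectors that do
    not match the fill pattern repeated from offset 0 of the image."""
    if not pattern:
        raise ValueError("pattern must be non-empty")
    runs, start, index, offset = [], None, 0, 0
    while True:
        chunk = stream.read(sector)
        if not chunk:
            break
        # Keep the pattern phase aligned to the absolute offset; this matters
        # when len(pattern) does not divide the sector size.
        phase = offset % len(pattern)
        reps = (len(chunk) + phase) // len(pattern) + 1
        expected = (pattern * reps)[phase:phase + len(chunk)]
        if chunk != expected:
            if start is None:
                start = index          # a residual run begins here
        elif start is not None:
            runs.append((start, index - 1))
            start = None
        index += 1
        offset += len(chunk)
    if start is not None:              # run extends to the end of the image
        runs.append((start, index - 1))
    return runs


def verify_wipe(stream, pattern=b"\x00", sector=SECTOR):
    """Summarise a wipe check: clean flag, residual sector count, and runs."""
    runs = residual_runs(stream, pattern, sector)
    dirty = sum(last - first + 1 for first, last in runs)
    return {"clean": not runs, "residual_sectors": dirty, "runs": runs}


def constructed_image():
    """Constructed sample: 16 zero-filled sectors with leftover bytes in the
    tail of sector 5 (slack-like) and across sectors 9-10 (unallocated-like)."""
    img = bytearray(16 * SECTOR)
    img[5 * SECTOR + 400:5 * SECTOR + 413] = b"RESIDUAL-DATA"
    img[9 * SECTOR:11 * SECTOR] = b"payroll " * 128
    return bytes(img)


if __name__ == "__main__":
    print(verify_wipe(io.BytesIO(constructed_image())))
```

For a real drive image, open the file in binary mode and pass the same pattern the sanitization tool was configured to write on its final pass.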
Similar resources
SAFE: Fast, Verifiable Sanitization for SSDs
As users, corporations, and government agencies store more data in digital media, managing that data and access to it becomes increasingly important. Reliably removing data from persistent storage (i.e., sanitizing the storage) is an essential aspect of this management process, and several techniques that reliably delete data from hard disks are available as built-in ATA or SCSI commands, softw...
Throwing out the Enterprise with the Hard Disk
Organisations and individuals are increasingly storing information and data about themselves on a wide variety of digital devices. These devices form an organisation’s ‘digital memory’ and as such should be safeguarded against disclosure and breaches of integrity. Many organisations and individuals are employing various countermeasures, often at considerable expense, to protect this data. However, evid...
Data Recovery Function Testing for Digital Forensic Tools
Many digital forensic tools used by investigators were not originally designed for forensic applications. Even in the case of tools created with the forensic process in mind, there is the issue of assuring their reliability and dependability. Given the nature of investigations and the fact that the data collected and analyzed by the tools must be presented as evidence, it is important that digi...
Digital Forensics Compute Cluster: A High Speed Distributed Computing Capability for Digital Forensics
We have developed a distributed computing capability, Digital Forensics Compute Cluster (DFORC2) to speed up the ingestion and processing of digital evidence that is resident on computer hard drives. DFORC2 parallelizes evidence ingestion and file processing steps. It can be run on a standalone computer cluster or in the Amazon Web Services (AWS) cloud. When running in a virtualized computing e...
Data sanitization in association rule mining based on impact factor
Data sanitization is a process that is used to promote the sharing of transactional databases among organizations and businesses, it alleviates concerns for individuals and organizations regarding the disclosure of sensitive patterns. It transforms the source database into a released database so that counterparts cannot discover the sensitive patterns and so data confidentiality is preserved ag...