Think the most intimate details of your medical history are well-kept secrets between you and your doctor? Think again. A large healthcare provider in Los Angeles was recently sued after a patient's medical records were recovered from a hard drive sold for salvage. Two thousand miles east, some enterprising reporters for a Minneapolis television station decided to take some leased computers to a data recovery service to see what they...
could find on the hard drives. As it turned out, there was plenty of juicy information waiting for them - including names, addresses, social security numbers and tax records of past users of the systems.
The troubling thing about these stories is they weren't necessarily the result of carelessness, according to the hospital's attorney and the service that uncovered the Minneapolis records. The people responsible for protecting the sensitive information may have thought they had deleted all the important files by performing a standard reformat before relinquishing the equipment, only to discover afterwards that remnants of sensitive information remained available to those who knew how to get it. PCs reassigned to new departments within a corporation can be a source of private personnel records or financial information. Similarly, hard drives swapped out in an upgrade effort may carry sensitive data with them - perhaps to people outside of your company.
Experts in data recovery techniques say that corporate financial records, personnel files, strategic e-mail messages and countless other types of sensitive information are at risk of falling into the wrong hands after being recovered from disk drives thought to be wiped clean. "Governments are certainly worried about a black market for data," says Lynne VanArsdale, senior product manager at storage vendor Quantum Corp., Milpitas, CA. "People know the threat exists."
Hard numbers showing the financial consequences of recovered data on large corporations aren't regularly compiled, and data-theft victims are reluctant to publicize their security breaches. But people in the storage industry acknowledge that public and private organizations are taking the threat seriously. To guard themselves, government agencies as well as private companies in highly regulated industries such as banking and insurance are now drafting guidelines for when and how to thoroughly cleanse storage devices, so old data doesn't suddenly reappear in unauthorized hands (see "Building a data deletion policy").
Peter Gutmann, a researcher in the Department of Computer Science at the University of Auckland, New Zealand, warns that data thieves are always searching for new ways to steal proprietary data. "One avenue of attack is the recovery of supposedly erased data from magnetic media," Gutmann says. He adds that thieves can also use powerful microscopes to look at what's buried under succeeding layers of overwritten data.
Given the gyrations computer users sometimes must undergo to retrieve an accidentally lost file, why is it so hard to intentionally destroy data? Blame the delete key. With one simple touch, any office worker can feel like an all-powerful digital ruler, nuking masses of ones and zeros into oblivion. Unfortunately, the destruction is more illusion than reality. "Deleted doesn't mean gone," says Jim Reinert, director of business development for Ontrack Data International Inc., Eden Prairie, MN, the data recovery service that helped the Minnesota TV station probe leased-computer disk drives. "Hitting the delete key on a computer only removes the reference to that file. The contents of the file are still sitting out there on the hard drive. It's like erasing the table of contents from a textbook."
Operating systems interpret the delete command as an instruction to make previously used sectors of a hard disk available once again for new information. But these newly freed areas aren't suddenly vacant; they will continue to hold the old data until it's overwritten, which typically won't happen until any remaining unused tracks become full. So, depending on the size of the storage resource, and the amount of data being saved to the device, large tracks of deleted information may remain unchanged indefinitely. Any of several commercial data recovery products, including stalwarts like Symantec's Norton Utilities, can easily bring this dead information back to life.
Even sectors that have been overwritten several times with new data can continue to reveal their secrets to sophisticated snoopers. Read/write heads on hard drives work with impressive precision to lay down data in microscopically close locations on a drive platter. But while they're precise, the heads aren't yet perfect. Miniscule gaps remain between tracks, and with the proper hardware and software, a thief can peer into these gaps to get an eyeful of information, like a burglar peeping through a keyhole.
|Building a data deletion policy|
In a large corporation, who should be in charge of when and how data gets deleted? Data recovery experts say no hard and fast rules exist as to who takes on this responsibility, but all agree that someone needs to act as the central point person.
"It's amazing that most large companies have procedures in place for backing up data, but when PCs get to the end of their life, there's nothing that governs how to get rid of the data," says Jim Reinert, director of business development for Ontrack Data International Inc., Eden Prairie, MN.
Experts say there are several key components of an effective data deletion policy. First, the company needs to decide what its objectives are for keeping track of data, based on the regulations of its particular industry. "Some data needs to be permanently kept, some permanently deleted," says Reinert. The rules are especially tricky for government contractors that often can find themselves with a mix of both classified and unclassified documents. For them, a rules-based archival system may be necessary to track files based on key words, the people who created the files or the particular project that's associated with the information.
An especially difficult form of information to keep track of is e-mail. "E-mail can be stored everywhere - at an employee's home office; on a Web-based mail account," says Michael R. Overly, a partner in the e-business and information technology group of the Los Angeles, CA, law firm of Foley & Lardner. One client discovered an employee sold a home computer at a yard sale before deleting the log-in information to the corporate network.
Some companies may opt for policies that call for regular cleansing of e-mails and other data to try to limit their financial liabilities from a lawsuit. "If you're sued, it can be extremely expensive to respond to a discovery request," says Overly, especially if relevant information is stored on the hundreds of thousands of PCs that may exist throughout a large company. For that reason, many corporations discourage employees from copying e-mail messages off of central communications servers and onto local hard drives, which can multiply the costs of litigation should the company ever be sued.
According to Gutmann, data recovery experts can reconstruct blocks of overwritten data by interpreting these patterns. "Deviations in the position of the drive head from the original track may leave significant portions of the previous data along the track edge relatively untouched," he has written. And sensitive data left lurking under overwritten files isn't the only point of vulnerability. Nuggets of critical information can also exist in temporary files created by an operating system or in cache memory.
Techniques and tools
How can a security-conscious company cope with hidden data? One way to thwart probing microscopic eyes is to systematically overwrite the entire surface of a storage medium with a random collection of ones and zeros. However, to account for the inaccuracies in how tracks are overlaid on top of each other, security agencies within the U.S. government recommend overwriting a surface several times. Somewhat more extreme, Gutmann recommends overwriting platters at least 35 times, eight times with random data and the remainder with an intricate series of ones-and-zeros patterns. Gutmann says his overwriting strategy centers on changing a hard disk's magnetic domain several times while not writing the same data pattern twice in a row.
Not everyone, however, feels that this degree of overwriting comprehensiveness is necessary. Ontrack's Reinert acknowledges that while disk-drive forensics using STM and MFM are theoretically possible, the practical reality is that companies can achieve acceptable security through less severe means. "Lab studies show traces of data are left even after an overwrite, and this residual data can still be seen with lab equipment. But I've never found a case yet where commercial recovery solution was able to recover that data."
Data recovery companies, often the same ones that degauss storage tapes, also offer overwriting services to cleanse hard drives. Ontrack's DataEraser Professional Edition overwrites each drive sector to return the device to the blank condition it was in when it originally left the factory. The software is licensed on a per-drive basis starting at $500 for 50 drives, or about $10 each. Other commercial products include CyberScrub, from the company of the same name and QuickWiper from AKS-Labs.
Of course, more options exist to keep probing eyes away from data saved to hard drives. While software exists to help in the data cleansing effort, some experts wonder if we've reached a price threshold in hard drive technology that makes disk cleansing more trouble than it's worth. Given the declining costs of hard drives vs. the potential damages from having data fall into the wrong hands, has destroying an old disk drive become a more prudent security measure than recycling it to another department or to a local charity? For Gutmann, the answer is yes. But he adds: "It's hard to convince the bean counters to destroy still-functioning gear until data that rises from the dead becomes even more costly."