•  Oxford: +44 (0)1865 877830 
  • Manchester: +44 (0)161 713 0176 
  •  London: +44 (0)203 5983740 
  •  New York: +1 646-781-7580 
  • Dubai: +971 (0)4 427 0429

The Risk of Data Recovery from Damaged Drives

You are here

08

Sep

The Risk of Data Recovery from Damaged Drives

One of the biggest risks with selling used or second-hand computers is the chance the new owner will be able to recover usable information from the hard drive. Over the years, a large number of different people and companies have demonstrated that used computers are frequently sold without having been properly wiped, and this can result in the previous owner's data being recoverable. Nowadays this extends beyond computers to other devices that store data such as mobile phones, and to devices that people are less likely to securely wipe, including games consoles and printers.

Although there are still a significant number of people who do not securely wipe their systems before selling them, it has become more widely accepted this is something that needs to be done, and that a simple format (which removes the partition but leaves the data intact) is not sufficient. There are a variety of tools available, including Windows GUI tools and bootable CDs that automate the process of wiping systems, allowing people without a high degree of technical knowledge to do so. However, most of these tools share the same weakness - they will only work if the hard drive is in good working condition.

Faulty Hard Drives

First, a quick background on hard disk drives (HDDs) and how they tend to fail. Sectors are the minimum storage units on HDDs (typically 512 bytes on older disks and 4096 bytes on newer disks). When a sector becomes damaged or inaccessible (due to a manufacturing defect, wear or physical damage) it is known as a bad sector, and attempts to read or write this sector will fail. HDDs do have a process to identify bad sectors and remap them in the background from a pool of reserved sectors - this can be monitored through the SMART data (SMART is a monitoring system built into HDDs). Once this pool has been exhausted, the bad sectors will start to directly affect the user, and any attempts to access that part of the HDD will fail.

When a mechanical hard drive is faulty, it tends to be in one of three different states:
 

Occasional Bad Sectors

This is where the user is first likely to identify a problem, when a small number of bad sectors start to appear on the HDD. This may result in system crashes if a process tries to access one of these sectors (or if an unlucky file is corrupted), but it is most likely to be identified when scanning the HDD for bad sectors using a tool like badblocks. Because of the sector remapping discussed previously, this actually means there are a significant number of bad sectors even if only one is visible, because the pool of reserved sectors has been exhausted. A user should be able to copy most if not all of the data from the HDD to another system simply by using a file browser.
 

Failing Drive

This is where a larger number of bad sectors are present, and the system will frequently crash and become unusable. Bad sectors are likely to have corrupted a number of files, including key system files. Attempts to access the disk through conventional methods, such as mounting it in Windows or Linux and trying to browse the file system, will result in the file browser hanging or failing to access the disk. The drive may also make unusual sounds, often a clicking noise, indicating it is failing. Recovery of some data may be possible using off-the-shelf software or even putting it in a freezer, although opinion is divided on this technique.
 

Dead Drive

This is often caused by electrical or mechanical failure of the drive, and at this point the drive is unlikely to be recognised at all by the operating system, or may not even power on. Specialist recovery techniques and hardware will be required to obtain any information from the drive, although any data recovery is unlikely.

 

Disposing of Faulty Hard Drives

As previously discussed, once a drive has started failing with visible bad sectors, attempts to write to one of these sectors will fail. In many cases this will cause the program that performed the write to either hang, crash or abort the process. This creates a serious problem when attempting to wipe the hard drives - if a sector cannot be written to, many tools will abort the process, usually with an error, but not always, and the remainder of the data will be left untouched. If the bad sector was near the start of the HDD then this could leave all of the user's data intact. In other cases, it may be decided the drive does not need to be securely wiped or disposed of, because it is considered faulty and unusable.

Due to these HDDs being seen as unusable and of little or no value, there are plenty available for sale second-hand, on websites like eBay. They are frequently sold in small batches of 10 to 15, and can be obtained very cheaply compared to working HDDs, often for a few pounds each. Although not directly usable, these HDDs can be cannibalised for parts, either for unrelated projects or to attempt to repair other HDDs by replacing damaged components.

Because of the difficulty in securely wiping faulty HDDs, this creates an interesting opportunity to obtain a large number of HDDs, which are likely to contain personal or company data for a relatively small amount of money.

Sample Size

Dionach purchased three batches of HDDs from eBay, all of which were described as "faulty". This included a total of 37 SATA HDDs, ranging from 40GB to 1500GB, for a total cost of £62.18 including shipping, which works out at around £1.70 for each drive.

Because these HDDs were purchased in batches, this has an effect on the likely original sources of the HDDs, which in turn will affect the type of information that is likely to be on them. Individual users are unlikely to be selling batches of faulty HDDs unless they are very unlucky, and most large business are likely to have proper disposal methods (or at least, not to sell old drives in small batches on eBay). This leaves the most likely sellers as small IT support companies, meaning that the HDDs are likely to come from either home users or small businesses that they support.

The fact that these HDDs are being sold on eBay rather than returned under warranty means they are likely to be a few years old, and in many cases are smaller disks (less than 500GB), another factor of their age.

Imaging Process

When presented with a failing HDD, the first step of the recovery process is to copy as much data as possible from the HDD before it dies completely. In targeted data recovery the first attempt at accessing the disk may be through a file browser (in order to quickly obtain key files); however in our case we attempted to make a bit-by-bit copy of each of the HDDs onto bulk storage media. Once these images had been created, we could then analyse them without worrying about the original media degrading further.

Probably the most well-known tool for creating images of hard drives is dd, which is available in most *NIX systems. However, when dd encounters a bad sector it will abort the copying process, so this is unlikely to obtain much data for us. Alternatively, there is a fantastic tool called GNU ddrescue (not to be confused with the confusingly named dd_rescue) which is designed to create images of failing media. It uses a number of different techniques to try and read as much data from the media as possible, including trying the good areas first, reading backwards from the end of the disk, and making multiple attempts to read each sector. Crucially, it won't abort when it encounters a bad sector - it will jump ahead and try and read more good sections of the HDD, before going back to retry the bad sectors. Full details of how it works can be found on the ddrescue manpage.

Where bad sectors are unrecoverable, you end up with an image of most of the disk, with small sections of data missing where the original media could not be read. If you're unlucky these will be in key files - but the likelihood is they'll either be in empty space or system files that are of little concern, rather than hitting the user data.

Imaging Results

Out of the 37 HDDs that we started with, 14 were found to be dead: either unrecognised by the OS or would not spin up. It may still be possible to recover information from them, for example by replacing the controller board or mechanical components, but this would require much higher investment of resources and time.

This left us with 23 working or partially working HDDs. 3 of these died during the imaging process; in some cases it was possible to partially image them, but no useful information was identified in these images.

Out of the 20 remaining HDDs, 7 of them were fully imaged, so either had no bad sectors or bad sectors that ddrescue was able to read after repeated attempts.

Partial images were obtained for the final 13 HDDs. In some cases the missing data was very small (a few KB), in the worst case it was approximately 160MB out of a 320GB HDD (0.05%) - so for all 13 HDDs the vast majority of the data was readable.

Analysis Process

Once the imaging process was complete, analysis could be performed on each of the images. Depending on the state of the original HDD and of the image, different steps are involved. In the first instance, the image file would be inspected to see if there were any valid partitions, and if these could be accessed. If not, then TestDisk is used to try to identify and recover partitions that had been deleted or corrupted, as well as some manual attempts to identify and recover the partitions. If all else fails, then file carving [PDF] was performed using X-Ways Forensics. File carving is normally used as a last resort, because you lose all the metadata associated with the files. For example, you might be able to carve out a valid JPEG image, but you would not be able to determine the folder it was stored in, when it was written to the disk, or even what the original filename was - although the embedded EXIF data may provide some of this information.

Operating System Usage

Out of the 20 images analysed, 7 of them had been largely or completely wiped. One of the batches contained multiple drives that had been wiped with the same tool (HDAT), but other drives that had not been wiped at all.

Out of the 13 drives with data on, the breakdown of operating systems is as follows:

Operating System Occurrences
Windows 7 3
Windows Vista 3
DR-DOS 2
Windows XP 1
Firefox OS 1
Fedora 1
WinPE 1
FreeDOS 1

 

DR-DOS, FreeDOS and WinPE are often used by OEMs when shipping computers with no operating system installed, or for recovery partitions. Fedora and Firefox OS are much less common - in both cases there was no user-recoverable data in them. This leaves us with 7 images containing installs of various versions of Windows.

 

Personal Data

All 7 of the drives contained some level of personal information about the original owners. In 6 of the 7 drives, it was possible to identify the owner, and obtain details such as their full name and address, and to identify them on social media.

Approximately 35,000 photographs were identified across the 7 drives, with one drive containing 13,500 photos. These included holiday photos, photos of family members and highly personal photographs of either the owner or their partner(s). Two of the drives were also found to contain (adult) pornographic images and videos, and in both cases it was possible to identify the owner of the system.

It was also possible to recover users' browsing histories, which revealed email addresses and social media accounts, as well as other documents. Examples of the more sensitive documents and images identified include:

  • Documents detailing a child custody dispute.
  • A scanned copy of a firearms license.
  • A photograph where the owner had crudely photoshopped themselves into a picture with Zac Efron.

 

As an example, on one of the drives (a 1TB SATA drive with around 69kB of bad sectors), it was possible to obtain the following information:

 

  • The full name and address of the owner.
  • The university the owner's partner attended, and where they currently appear to work.
  • Social media accounts of the owner and their partner.
  • Highly personal and compromising photographs of both the owner and their partner.

 

Obviously this combination of files and information could be extremely damaging to the owner. A malicious third party obtaining this information could potentially use it to blackmail the original system owner, or could otherwise use it to attempt to damage their careers or future relationships.

 

Age of Data

Because of the nature of the HDDs examined, it was expected that the data on them may be a number of years old. In all of the inspected cases the system was at least 5 years old, and in many cases had not been used for a number of years. The oldest system that data was recovered from was last used in 2008.

In many cases this would greatly reduce the value of any information that has changed since. Transient information such as browsing history, passwords and some types of personal data are much less likely to be valid, and the passage of time may increase the difficultly of identifying the owners, as they are likely to have moved houses or jobs.

However other kinds of information would retain their value, or potentially even increase. An example of this would be personal photographs of the owner with their partner; if they have split up and are now in a relationship with someone else then these kinds of photographs could be extremely damaging to both parties. The owners may also have moved into new jobs or more senior roles where they could be potentially more susceptible to blackmail.

Final Thoughts

The information stored on "faulty" or "broken" systems is an area that many people overlook, because of their belief that it is not possible to recover the data, or because their existing tools are insufficient to securely erase the information. As such, it represents an interesting source of information to explore, both for researchers and less ethical people searching for sensitive or personal information.

Although the focus of this project was on hard drives, the same principles apply to many other types of devices. Many organisations forget that larger printers will often contain hard drives, and there is a huge market for damaged or faulty second hand phones available online. Modern games consoles also include HDDs, which may contain personal, or even financial, information that has been overlooked.

When it comes to disposing of damaged physical media, the only way you can really be safe is to physically destroy it. To destroy a large number of HDDs there are specialist companies that provide this service, reducing HDDs to small metal fragments and powder. Destroying the HDDs yourself can be done by removing the platters from the disk and physically cut or break them into multiple parts. Some HDDs have glass platters that will shatter, so care needs to be taken. Alternatively you can drill holes through them, or experiment with the more exotic methods - I will leave this to your imagination.

Dionach have securely disposed of the HDDs and HDD images used in this research.

Posted by Robin

Leave a comment