Secrets in your hard drive

Think your data's deleted? Think again...
06 June 2017

Interview with 

Graham Ryme, Computer Laboratory in Cambridge


What do people tend to do with an old computer? Half of UK owners take their old machines to the tip, which amounts to millions of dumped computers. But what about the data that was on those computers? Most people believe that, if you delete something, it’s gone. Unfortunately, it hasn’t, as Izzie Clarke found out...

Izzie - Have you ever sold an old laptop? If so, you probably made sure you deleted all your files before you parted ways. But how can you be sure that all your data was wiped from your device? I’ve got my hands on a used hard drive, the data storage device on a computer and all the files from the previous owner have, apparently, been deleted. This is a process called formating. It’s a simple function on your computer that gets rid of all of your data so there shouldn’t be any information left on here - right?

Well, to double check, Graham Rymer from the Computer Laboratory in Cambridge is going to run a few tests to see if the hard drive is indeed empty…

The hard drive from a computer is usually the size of a paperback book. All of your files and any activity that you do on your computer is recorded there. Graham had about 24 hours to investigate.

So what did you find? I can see loads of different files right in front of me

Graham - There is an element of triage because there’s just so much data available. This chap was a keen photographer…

Izzie - Is that someone’s wedding photos?

Graham - It is. We’ve got hundreds of wedding photos. We have a trip to Paris here and one of the Eiffel Tower. This is the owner of the laptop himself on a skiing holiday.

Izzie - Not only did we have enough archive to track his life over a ten year period but lots of digital photographs have data embedded by the device…

Graham - I can tell that it was taken at about 2.58 pm back in 2009 on the 19th February. A lot of devices now, including the ubiquitous iphone, as well as most cameras, embed GPS data as well.

Izzie - So had this photograph been taken on a smartphone we’d even be able to tell what mountain the previous owner standing on. Date, time and location. But whilst it’s unnerving, there’s only so much damage can be caused knowing this information.

What else were you able to find?

Graham - We have invoices. I expect the most compromising information that we have is this chap’s driving licence.

Izzie - So that’s got his address on there, his date of birth.

Graham - It’s got his signature.

Izzie - And his signature - yeah. Say he had thought that he’d deleted his hard drive, which is effectively what he thinks he’s done, what could happen if this got into the wrong hands?

Graham - It’s limitless. Obviously there’s the potential for identity fraud. There will be files with passwords saved in and perhaps online banking credentials. Anything which you think is safe on your computer that’s not encrypted is not safe in this context. So anything he left lying about on his computer which could be exploited by an attacker for financial gain perhaps is fair game.

Izzie - Encryption is a modern form of cryptography that allows a user to hide information from others. It uses a complex algorithm which turns your data into a series of seemingly random characters. That means it’s unreadable by those without a special key or password which will then unscramble and decrypt your data. But this hard drive isn't encrypted. We were able to find out the previous owner’s signature, home address, and his bank details thanks to that saved invoice. But can a hard drive reveal even more about an owner…

Graham - Your internet history is just a computer file. It’s a little bit tricker and time consuming to extract that sort of information but anything that existed on his computer before it was formatted is potentially discoverable.

Izzie - Whilst it takes longer to find, this means we would be able to access his email account, his contacts, and even passwords to various online accounts. Potentially bank accounts included.

Obviously we’re based here at the Computer Laboratory in Cambridge. You must have access to so many different techniques and so many utensils - how have you been able to retrieve this information?

Graham - Utensil wise, we used an old wooden spoon really. This is free open source software which we used. Normally that hard drive would be plugged into a computer so that’s exactly what I did. I just got a garden variety desktop PC; I took the side off it; I found a spare cable; I was able to read the data straight off that drive. Any attacker with half an hour of googling could learn the same techniques which we’ve used here. Very, very simple technology.

Izzie - That’s quite terrifying. Effectively what we’ve learnt is that  by clicking that delete button, your files aren’t actually removed from the hard drive.

Graham - Absolutely not. It’s like having a book and just ripping out the contents page. If you still want to read the book everything’s there. You just can’t jump to the interesting bits straight away. If you want to rifle through it page by page, you can still find all the information and that’s exactly what these fast deleting and formatting techniques do.

Izzie - How do we properly delete our data from a hard drive? Luckily we’ve come across it, but in the wrong hands that could be quite problematic.

Graham - The only way to defend against this is to overwrite every single part of the disc. Going back to that analogy that would be going through your book quite painstakingly over many, many hours and tipp-exing over every single letter in the book. Obviously, people don’t like to do this routinely because it takes quite a long time but it’s something you might consider doing before you go to sell a laptop. Another defence, which is much, much faster and better for several reasons, is to use encryption. So both OSX has had filevault since the lion version. Since Windows Vista we’ve had bitlocker included. Both these programmes allow you to encrypt volumes on your hard drive and that means that if you ever leave your laptop on a train, if you have your laptop stolen, all that data is useless because it’s just garbled junk on a disk. You don’t have to worry about overwriting the disk afterwards because it’s already junk. Without the password to decrypt it, it’s quite useless to an attacker so I would recommend people seriously consider looking into the encryption options available. This doesn’t have to be a software option. Lots of modern hard drives, especially SOLIS hard drives in business class laptops support encryption as well.


Add a comment