Trash your Tech
October 14, 2013
How to Securely Dispose of Used Devices – Computers, Laptops, Phones, Tablets, etc.
Today you can buy used devices and sell your old electronics practically anywhere. Shopping centers boast ecoATMs where you simply insert your old device and cash is spewed out to you instantly. Meanwhile, Craigslist and eBay have pages of cell phones and laptops for sale, and just about every garage sale, thrift shop and recycling center will offer a number of electronic devices to choose from. Additionally, dumpster diving is yet another easy, and often legal, way to find perfectly good devices for free.
There really should be no doubt that getting your hands on an old electronic device is extremely simple, but is it safe to let your own device slip away from you so easily?
To answer that question, take a moment and think about the data you house on your current personal and work-related mobile devices. Consider this list of Personally Identifiable Information (PII) that is commonly stored on mobile devices including phones, laptops, USB drives and more:
- Network and Domain Information
- Software Keys
- Financial Data
- Social Security Numbers
- Health Records
- Tax Returns
- Bank Account Numbers
- Insurance Information
If you can identify any of the above information as ever having been on your current device, then keep reading before you decide to turn yours in; this post may give you a new perspective on the used device industry.
When PII Becomes a Problem
People store their PII on their devices in order to make it more accessible. However, the premise of making such private data easy for the individual to find also makes it easy for the criminal to find, even if it is deleted. People often forget what they don’t see, which is why, when data is seemingly deleted from a device and becomes invisible to an untrained eye, the person thinks it truly is gone. In reality, though, deleting data doesn’t mean it’s really gone; it just means it’s hidden from the average Joe.
Tech savvy criminals understand this common train of human thought and they know how to uncover the unseen value in abandoned devices. Just as criminals breach organizations such as TJ Maxx and Citibank, put skimming devices on ATMs or steal your wallet when you aren’t looking, a discarded device can hold mounds of financial gain for the properly trained individual. All the information listed above can paint a detailed picture of a person’s life, from their physical health to their banking preferences, making the possibilities for executing a complete takeover of a person’s identity endless.
How Criminals Extract PII on Unencrypted Devices
PII is a valuable resource for a criminal and, unsurprisingly, the more data a criminal has on a single person, the more valuable it is. On the black market, PII can be worth anywhere from $2 for a partial record to $90 for a complete record, which includes full names, addresses, phone numbers, wages, social security information and in some cases bank account and routing numbers. So long as the data on the device is unencrypted, which in most instances it is, it can be accessed easily through two free, easy-to-use tools.
AccessData Forensic Toolkit (FTK)
The first tool that can be utilized applies to devices which contain an operating system (OS). The Forensic Toolkit can be used to create a forensic bit copy of the device, which is an exact replica of the files and data the device contains. This can be done even if the device contains encrypted data, however, when it comes to extracting the information from the device it typically needs to be unencrypted to prove useful to a criminal.
Once the raw disk image is created by the FTK, then a criminal can transform it to an interactive and user-level perspective through Live View. This tool creates a VMware virtual machine from the raw image so that it can “boot-up” and be used without altering the underlying environment. At this point, so long as the data is unencrypted, the only thing left to do is bypass the user’s passwords in order to gain access to important and valuable PII. And anyone who has read through our previous piece on Password Cracking already understands how easy that can be to do.
Accessing Data on a “Cleaned” Device
Now the above tools address the ease with which data can be accessed on an abandoned device, but what if the previous owner already tried to wipe the hard drive? Things get a little trickier at this point but can still be managed by the right person. Before understanding how it can be done, the ways a drive can be wiped need to be addressed. There are two ways that a user can try to remove the data on a hard drive: a full format or a quick erase.
In a full format erase, an entire layer of data is completely rewritten so that no recoverable data is left. Unrecoverable data is exactly what you want from a security perspective; however, it is a time consuming process that is not always done properly, leading many individuals to take the fast road. Users will regularly opt instead for a quick reformat, which only destroys the pointers and not the data itself. This leaves the opportunity for recovery wide open; it will just take a little longer and a lot more skill.
The EnCase processor, while expensive, can be used to carve data out of the raw disk contents in order to find the hidden and valuable pieces. This is a master level technique that can be used to retrieve even a wiped device’s data pieces; however, if the data is encrypted it may be more time consuming and expensive to retrieve than it ends up being worth. It can also yield only partial data pieces that may never be re-grouped into a readable format.
Also note that EnCase and other carving tools are not capable of reading data from a solid state hard drive and will prove useless on many of today’s latest technologies, especially mobile phones.
Sanitizing to Prevent Data Discovery
No matter how much you try to protect your mobile devices, there are tools readily available to extract the viable information from them if the attacker has the time and resources to do so. With this as the case, how do you really know whether your PII will be safe if it falls into the wrong hands? There are currently only three approved methods for device sanitation: wiping, degaussing and destruction. NIST Publication 800-88 outlines these three methods for sanitation that will effectively eliminate the recovery of data from a device, even through a laboratory attack.
Wiping
While a full wipe truly changes the layer of data, it is only as effective as the number of times the hard drive has been wiped clean, re-written and then wiped again. It is typically done a minimum of three times, but realistically it will need to run through at least 15 cycles of wiping and rewriting before it is truly unrecoverable. Three popular free software tools for data destruction are:
- DBAN – Darik’s Boot and Nuke
- Disk Wipe
- Secure Erase
Before trading in or disposing of your device, test to make sure that the wipe was successful by trying to access your media through your device. Also note that if the wipe has not gone through enough cycles then it can still leave your device open to criminals utilizing carving methods for data extraction.
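As an added illustration (not code from the original post) of the quick-erase versus full-wipe difference described earlier and of checking a wipe before you trade in a drive, this Python toy models a disk as a pointer table plus a data area, "deletes" it both ways, and then carves the raw bytes the way a carving tool ignores the file table. The records are constructed, fake PII, the carving regex is assumed to match only that constructed format, and SSD wear levelling is not modelled, so this applies to the magnetic-drive case the post discusses.

```python
import os
import re

# Constructed toy "disk": a table of (offset, length) pairs at the front, then a data
# area. Not a real filesystem; it only models pointer deletion versus overwriting.
DISK_SIZE, TABLE_SIZE = 4096, 64
# Constructed, fake PII records that double as a recognizable carving signature.
RECORD_A = b"REC|name=Jane Doe|ssn=000-00-0000|acct=123456789|END"
RECORD_B = b"REC|name=John Roe|ssn=000-00-0001|acct=987654321|END"

def list_files(disk):
    """Read the table: what a normal file listing shows the owner."""
    table = [int.from_bytes(disk[i:i + 2], "big") for i in range(0, TABLE_SIZE, 2)]
    return [(off, n) for off, n in zip(table[::2], table[1::2]) if n]

def write_file(disk, data):
    """Append data and record its (offset, length) in the next free table slot."""
    entries = list_files(disk)
    off = max((o + n for o, n in entries), default=TABLE_SIZE)
    slot = len(entries) * 4
    disk[slot:slot + 4] = off.to_bytes(2, "big") + len(data).to_bytes(2, "big")
    disk[off:off + len(data)] = data

def quick_format(disk):
    """Quick erase: zero only the pointers; the data area is untouched."""
    disk[:TABLE_SIZE] = bytes(TABLE_SIZE)

def full_wipe(disk, passes=3):
    """Full wipe: overwrite every byte with random data, then a final zero pass."""
    for _ in range(passes):
        disk[:] = os.urandom(DISK_SIZE)
    disk[:] = bytes(DISK_SIZE)

def carve_records(disk):
    """Carving: ignore the table and scan the raw bytes for the record signature."""
    return re.findall(rb"REC\|.*?\|END", bytes(disk), re.DOTALL)

def demo():
    """(visible files, carvable records) after each step, plus the wipe check."""
    disk = bytearray(DISK_SIZE)
    write_file(disk, RECORD_A)
    write_file(disk, RECORD_B)
    stages = {"written": (len(list_files(disk)), len(carve_records(disk)))}
    quick_format(disk)
    stages["quick_format"] = (len(list_files(disk)), len(carve_records(disk)))
    full_wipe(disk)
    stages["full_wipe"] = (len(list_files(disk)), len(carve_records(disk)))
    # Post-wipe check: nothing carvable and every byte reads back as zero.
    stages["verified"] = not carve_records(disk) and not any(disk)
    return stages
```

After a quick format the listing is empty but both records still carve out of the raw bytes; only after the overwrite does the verification pass.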
Degaussing
This works by demagnetizing the drive to remove data, which makes it impossible to use on a solid state hard drive. Additionally, due to the nature of this sanitation technique, by the time it has successfully removed the data it will often have destroyed the entire device altogether and left it unusable in the future. This end result, combined with the cost of degaussing a device, makes the final sanitation method, destruction, more cost effective while still producing the same final result.
Destruction
This is by far the most secure method for protecting your information. Device destruction prevents it from being reused or recycled in any way. It can be done by smashing the device with a steel rod, shooting it or setting fire to it. Whichever method you choose, just make sure that you have fully dismantled and destroyed the device’s hardware so that recovery is impossible.
DISCLAIMER: this method is also extremely fun!
Realize the Risk and Speak Out
Understanding the risks you face is the first step in protecting yourself. The idea that there are tools readily available and affordable for device extraction can make trading in your mobile device for cash a scary thought, and quite frankly it should be, especially if you know that it contains PII that can be used against you. However, by following the approved methods for sanitation as listed above, you can ensure that your data is safe no matter whose hands your device may end up in. You may not make that extra fifty bucks at the ecoATM, but with your identity on the line it seems like only a small price to pay.
Data protection extends beyond personal devices to your work-related technologies as well. If you are regularly using a company-issued device and know that your PII, or that of co-workers and clients, can be housed on it, make sure that proper disposal methods are being followed throughout your organization. If you are unsure whether their disposal methods follow the proper procedures, don’t be afraid to inquire about it or pass this article around. Sometimes it just takes a little reminder about what your device could contain to make a person see the value inside.