Welcome to the SecAware blog

I spy with my beady eye ...

3 Jul 2009

Forensic examination of secondhand disks

Used hard disks bought on an online auction site were found to contain personal and proprietary data. Some of the drives that had supposedly been erased yielded their secrets to forensic examination techniques. Others still had the original undeleted data and could have been read easily by any purchaser. The Irish newspaper article notes that homeworkers were probably the source of at least some of the security lapses, having used their own PCs for work projects, "forgotten" about the sensitive work data they contained, and sold the disks or whole systems privately. This kind of breach would fall outside the remit of most organizations I have worked for, except those few who insist that staff only use company systems for work activities, typically providing laptops for the purpose. That said, whether the laptop hard disks were properly erased at the end of their life, or the extent to which employees complied with the company policies on not working on personal IT equipment, is anyone's guess.


  1. In numerous years of doing Business Continuity work we regularly came across kit that had been loaned out to clients coming back with data on them.
    Only once did this not happen. Some servers went to a 'sensitive' Govt. department.
    The servers came back, along with a box containing the chainsawed hard disks. Plus new disks they had kindly bought to replace the 'deleted' ones.

  2. That's an excellent point, AH. I presume that during BC or IT DR testing, most organizations are entirely focused on the A part of CIA (confidentiality, integrity, availability), completely overlooking the rest. They should at least have placed an explicit contractual requirement on the BC/DR suppliers to maintain the confidentiality of their data securely erasing the data (or chainsawing the disks!) before ceding control of the BC/DR kit would be an excellent suggestion, particularly as the kinds of applications that require recovery on third party hardware tend to be bet-the-farm types, in my experience.

    Thanks for raising that ... I will make a note to bring that up during the revision of ISO/IEC 27002: BC is perhaps the weakest section of '27002 as it stands, and I don't recall any mention of this at all.

    All the best,