So … we are doing this whole data on a thrift store laptop thing again huh? Alright, let us get this over with.
Just to get started, I will not be showing off a bunch of pictures from this one. Firstly, because in an effort to expand this article to epic proportions I ended up misplacing my original notes and screenshots and need to start over. Secondly, this time around someone left more than just a bunch of links and random useless files behind. This time there were business contracts, company tax information, personal information, and even … believe it or not … images and videos from security cameras (there were also contracts with an adult film company).
Despite all the files that were left behind, the details of the files show the last access dates were sometime between 2000 and 2002, which put the computer sitting on a shelf for a while – it was running Windows 98. That shelf sitting was long enough that when I took a casual search, some of the companies in the documents no longer existed. Even though all the material left behind on the machine was old and from companies that no longer exist, the drive should have been wiped long before I even saw it in the thrift store. At the end of the day, after the quick peek for this post, the drive got wiped.
Continuing from Part 3, I start the next drive in the stack. Well ok, this drive was another of the later ones that I recovered, and when I started on it I quickly noticed some names that I would recognize from other drives that will be getting posted later this week.
I stop with the screenshots here because I recognize one of the user names from other drives that are coming up later, as I mentioned earlier. This drive is just a toe into the pool of WTF that is coming up.
Pictures of women used for some kind of personal ad (the image has a phone number on it)
Head shots that appear to be multiple people from social media
Carrying on from Part 4 yesterday with the next drive off the stack. Things start getting spicy here. Let me get the pictures and I will explain more …
At this point I stop with the images because from here things go downhill very rapidly. This was another drive that I had looked at later in the adventure, and I quickly became horrified by what I turned up. There was just about no OPSEC (Operations Security, aka “Clean up your stuff”) before this drive was simply formatted and thrown up for sale. The quick list of content recovered included …
Adult Images / Videos
Family pictures
Vacation and Holiday event pictures
Legal documents from family court
Divorce papers and “Sanitized” divorce papers (the names were changed to protect … someone)
Tax documents
Cisco test prep materials
Hardware Manuals
Outlook email archives (some were fairly large, 1 GB or more)
Honestly, this was not a good discovery and I just kept repeating “Why am I able to see ANY of this?!” The part that bothered me the most was that the name I referred to yesterday was the same name that was turning up on these drives. Somehow both these drives are connected to the same person.
After the last Tales of eBay I got to thinking: I wonder if I can find other drives that were not cleaned … or, better put, how MANY I can find. So off to eBay I went and bought more drives than I needed to answer this question, because I put bids on auctions not expecting to win … and did. I set out on this adventure with a total of 23 drives and a goal to see IF I could recover anything from an erased drive sold on eBay. Then the scope crept a bit to include NTFS Recovery and forensics practice. Then the scope crept more to include pairing up similar drives to attempt to swap platters (in the future).
After letting tools run for way too long, and after a few hundred thousand files, I decided that I had enough material to answer my original question. In retrospect, this project took way too long and got way too complicated for a casual experiment. I settled on 6 drives out of the batch and will be putting out a post on each one to make a full week of posts on this (sloppy) Adventure in Data Recovery.
I start with the drive where I remembered to snag the screenshots from the searches with NTFS Recovery before it processed the files for recovery.
My point in this exercise is not to call out SPECIFIC data but just to say that things were not removed like they should have been. However, just a little bit of what did not get removed included:
Passwords
Hardware Manuals, Training docs
Emails
Encrypted Zip files
So, first drive into the batch and I have already found things and am disappointed. 1 down, 5 to go. Onward tomorrow with the next drive.
“New Phone, Who Dis?” – famous words said countless times to any number of people days, weeks, and even months after replacing a mobile phone. The strange “Who Dis?” dance goes on when we get a new computer too, though the moves are a little different. Worse are the steps of the dance when the computer is not exactly brand new and the previous owner left their grubby fingerprints all over it.
I have had some luck in the past 18 months or so finding really interesting computers at thrift stores and in ‘lots’ of “junk” computers from various online sellers. One of these so-called “junk” laptops happened to be this little Asus EEE PC pictured below. By today’s standards, the EEE PC is nowhere NEAR anything to write home about, but back in the day this little brick was a pioneer, kicking off the ‘Netbook’ style of computers (outside Japan).
Of course, when the machine arrived the battery was completely drained and there was no power supply included – but after a quick once-over the machine looked to be in working order. A power supply was quickly sourced, and once power was applied the laptop bounced back to life and started Windows.
Awesome, already loaded with Windows 7. Since this machine was part of a lot of machines I really did not need anyway, seeing this I am about ready to get this little laptop ready to throw onto eBay. Until …
Oh. Well. A password prompt, lovely. It is at this moment of our story that I need to make a point or three. First, the powers I am about to demonstrate can be used for good or evil, and while this really is not a sophisticated trick – Do. No. Evil. with what you may learn. Second, I feel comfortable sharing these screenshots as there is honestly not enough information here to identify the previous owner OR anything personally identifiable (aside from a name and a few internet favorites, random files, et cetera). Third, the point I am aiming for is this – before you donate a computer to your local charity, erase your stuff…
Now, seeing a password prompt I could easily just erase the drive and reuse the computer, but I simply cannot pass up the opportunity to see what a computer was used for in a past life. Cracking the password just is not worth the time, as the machine is now mine and, seeing that Windows 7 Starter is installed, it is not encrypted. At this point I reach for a trusty USB drive with a Live Ubuntu image, boot right up from it, and I am around the password.
Now with the password problem sorted, time to check the hard drive. The first observation is that this drive was split into 2 volumes (something like an OS partition and a Data partition). Starting with the partition with Windows on it, the folder layout on the drive looks very much like a Windows 7 installation would. This means that if there is anything obvious to be found, the Users folder is where to begin.
With just a few clicks we find ourselves in the previous owner’s user profile (Jon) and can now see what was left behind, aside from a password that is.
There was not much to speak of on this machine, only a few bits and crumbs left behind. Although, the more technical readers will be quick to point out that I did not look for internet cookies, internet cache, or temporary files, and they would be correct. Finding all the crumbs to build a profile on a particular user was not the point of this exercise … The point of this exercise was to point out how simple it was to get the data off the machine even though a password was in place. No fancy or complicated tricks were used, just a bit of time and patience, and then I could see anything left behind.
Of course I should not have to say this again, but this was a machine I purchased second hand from a thrift store and the drive was securely wiped after writing this. A method like this should not be used to bypass any sort of security on devices that you do not own … and, in conclusion, for the love of all that is holy … Erase your stuff BEFORE selling or donating it!
Coming into the home stretch now, picking up from Part 5 and moving on to the next drive. This drive I spent easily the most time on, and I had to wrangle the searching back in …
The file carving alone took nearly 3 days: 67000 images, 876 Word documents, 617 PDFs, and 4714 emails from multiple users. Among all those files …
Adult Images / Videos
Family pictures
Pay stubs
Bank documents
Divorce papers
Tax documents
Cisco test prep materials
Hardware Manuals
Network configurations and maps (many years old though)
This was by far the worst drive that I looked at in this little adventure. The fact that the user left adult photos and movies right next to the family pictures is mind blowing to me, but it was the pièce de résistance of the whole project. To top it off, this is the 3rd drive out of the stack with the same names attached to it … That is right, the drives from Parts 4, 5, and now 6 were all from the same person, and from a little poking around, this person was an IT Manager, a person who should have known the meaning of data destruction.
We have reached the end of this adventure, picking up from Part 6 with the last drive. This drive we are approaching strictly from a forensics point of view; there is no file recovery to be had here. Then again, files cannot be recovered if their contents are actually trashed, as the files on this drive were.
The summation of discovery about this drive brings this experiment to a close, and not a moment too soon. We end up finding just about nothing here, except for a whole lot of email addresses as opposed to a lot of legal documents. If I were a spammer, I would be in heaven right now with all the potential new addresses to send to.
This little project will come across as rough and amateurish, and for good reason: I started off wanting to answer the question of IF I could find data on hard drives bought off eBay, not what I could find. I found quickly once I got started that the better question was WHAT I could find on the drives, and I had to refocus more than a few times. Clearly the answer to the original question is yes … yes, I can find something left behind on a supposedly “clean” drive sold on eBay. The drives have been either wiped completely or destroyed since I poked around the crumbs left behind, and I did not use any of the information that I gathered to look up any of the individuals (aside from the web site in Part 6).
This experience got me thinking about insider threats, and how something as simple as throwing out an old hard drive could be a huge deal. Granted, not an intentional leak, but imagine what sort of foothold this might give to a potential bad guy; it is frightening, and with it being right next to the adult film section – a little disgusting.
The moral of this story is simply this – cleaning a hard drive before getting rid of it is not hard … and if you cannot clean it, then pull it out of the machine and smash it repeatedly with a hammer to destroy it.
I was recently in the market for a pair of 4 TB hard drives for a duo of USB enclosures that I had picked up a few years ago. Not wanting to pay retail prices, I hopped onto eBay and grabbed a pair for a deal. A few days later the drives arrived in the mail and found their way into the enclosures. So I plug the first drive into my desktop to format it …
… and the drive is already formatted and named. I was expecting to see a RAW drive, not a partitioned drive. Does that mean that I got a drive with data on it? Ugh…
So I fire up 010 Hex Editor and let’s take a look at the raw bits. The first page has data, which makes sense since there is a partition on the drive…
Ugh … There IS something on this drive …
Well … something is the word. Applying some digital forensics to the drive (because why not make gratuitous use of forensic tools), the tools show a structure that looks like a drive with data.
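As an added example, not the author’s tooling, here is a small Python check that does in code what the hex editor view above does by eye: it reads the first sectors of a raw disk image for an MBR or GPT signature and NTFS boot sectors, and counts non-zero sectors, so a seller can confirm a drive is actually blank before it ships. The disk image it inspects is constructed inline, and the offsets used are the standard MBR and NTFS boot-sector layouts.

```python
"""Check whether a raw disk image still carries structure or residue."""
import struct

SECTOR = 512

def mbr_partitions(sector0: bytes) -> list[tuple[int, int, int]]:
    """Return (type, first_lba, sector_count) for every used MBR slot."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        return []  # no 0x55AA boot signature: no MBR partition table
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]
        if ptype:  # type 0x00 marks an unused slot
            first_lba, count = struct.unpack_from("<II", entry, 8)
            parts.append((ptype, first_lba, count))
    return parts

def nonzero_sectors(img: bytes) -> int:
    """Count sectors that are not all zeros; a zero-filled drive returns 0."""
    return sum(1 for off in range(0, len(img), SECTOR) if any(img[off:off + SECTOR]))

def inspect_image(img: bytes) -> dict:
    """Summarise the evidence the first sectors of an image give away."""
    parts = mbr_partitions(img[:SECTOR])
    # The NTFS OEM id sits at byte 3 of each volume's boot sector.
    ntfs = [lba for _, lba, _ in parts
            if img[lba * SECTOR + 3:lba * SECTOR + 11] == b"NTFS    "]
    dirty = nonzero_sectors(img)
    if dirty == 0:
        verdict = "blank"
    elif parts or img[SECTOR:SECTOR + 8] == b"EFI PART":  # GPT header at LBA 1
        verdict = "partition table present"
    else:
        verdict = "no partition table, but residue remains"
    return {"nonzero_sectors": dirty, "partitions": parts,
            "ntfs_volumes": ntfs, "verdict": verdict}

def constructed_image() -> bytearray:
    """Constructed 1 MiB image: MBR with one NTFS partition plus leftover data."""
    img = bytearray(2048 * SECTOR)
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 8, 1024)
    img[446:462] = entry            # active, type 0x07 (NTFS), LBA 8, 1024 sectors
    img[510:512] = b"\x55\xaa"
    boot = 8 * SECTOR
    img[boot + 3:boot + 11] = b"NTFS    "
    img[boot + 510:boot + 512] = b"\x55\xaa"
    img[600 * SECTOR:600 * SECTOR + 26] = b"Outlook archive leftovers."  # constructed residue
    return img

if __name__ == "__main__":
    print(inspect_image(bytes(constructed_image())))  # partition table present
    print(inspect_image(bytes(2048 * SECTOR)))        # blank
```

On a real disk the same functions can be fed the first few MiB read from the block device, or the whole device if you want the non-zero sector count to mean anything.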
I could use some forensic type tools to carve whatever data might be on here, but I really want to try a new (to me) commercial tool and see if it can recover data from a formatted drive. So I fire up DiskInternals NTFS Recovery, point it at the drive, and tell it to search for the popular file types. Let me be clear at this point: this attempt is going to be sloppy, I am aiming to recover ANYTHING, just to get some practice with this tool.
NTFS Recovery seems to have found something? It does not look like anything too interesting, just an Outlook archive file. So, I tell the software to recover the file …
Turns out … the recovered file IS an Outlook archive file. No way am I connecting that to my Outlook to see what is in it – I do not need to know; moreover, I could not care less what is in the file. I would like to ask WHY I can find anything on a 2nd hand drive … and now … are there more out there?
Stay tuned, I start answering that question tomorrow.
Next week I have a special project queued up – an entire week of data recovery. That is, I bought a stack of hard drives that were supposedly cleaned, and I see how clean they actually were. This is probably one of the nerdiest things I have done in a long while and I am really glad to be done with it; stick around and see why. I have Digital Forensics on my resume, because I was proud that I had taken (and passed) a course in college. In a job interview many years ago, the hiring manager asked why I had that on my resume. At the time I stumbled for an answer, but now I can unequivocally answer: the next time you think a bit of electronic information is lost, at least 1 person has the knowledge and talent to recover it.
Then again, I am not using just one tool to recover things along the way, but I believe the spirit is the same between the tools … or at least as far as the file recovery ones are concerned. The only difference is that the commercial tool recovers lost files, while the forensics tool ‘carves’ them out. Come back next week for a wild adventure with interesting discoveries to be had.
Continuing from Part 2, I cringe and recover the next drive in the stack, again just looking to recover files from the drive…
This was a hard drive that definitely came from a Dell computer, judging by the “Dell” folder that was full of drivers. Plus it was Windows 10 and had at least 1 feature update – OR was upgraded from Windows 7, as shown by the $WINDOWS.~BT folder.
This was one of the later drives that I actually ran across, and it looks like it was from the family laptop that only got turned on once in a while. There were no documents or anything else major of note, and I skipped applying any sort of forensics against it because at this point I was just happy to see a machine that looked at least partway clean.
2 down, 4 to go. Onward to … something … Tomorrow!