The Association of Digital Forensics, Security and Law (ADFSL)
All organisations, whether in the public or private sector, increasingly use computers and other devices that contain computer hard disks for the storage and processing of information relating to their business, their employees or their customers. Individual home users also increasingly use computers and other devices containing computer hard disks for the storage and processing of information relating to their private, personal affairs. It continues to be clear that the majority of organisations and individual home users still remain ignorant or misinformed of the volume and type of information that is stored on the hard disks that these devices contain and have not considered, or are unaware of, the potential impact of this information becoming available to their competitors or to people with criminal intent.
This is the third study in an ongoing research effort that is being conducted into the volume and type of information that remains on computer hard disks offered for sale on the second hand market. The purpose of the research has been to gain an understanding of the information that remains on the disk and to determine the level of damage that could potentially be caused if the information fell into the wrong hands. The study examines disks that have been obtained in a number of countries to determine whether there is any detectable national or regional variance in the way that the disposal of computer disks is addressed and to compare the results for any other detectable regional or temporal trends.
The first study was carried out in 2005 and was repeated in 2006 with the scope extended to include additional countries. The studies were carried out by British Telecommunications, the University of Glamorgan in the UK and Edith Cowan University in Australia. The basis of the research was to acquire a number of second hand computer disks from various sources and then determine whether they still contained information relating to a previous owner or if information had been effectively erased. If they still contained information, the research examined whether it was in a sufficient volume and of enough sensitivity to the original owner to be of value to either a competitor or a criminal. One of the results of the research was that, for a very large proportion of the disks that were examined, there was significant information present and both organisations and individuals were potentially exposed to the possibility of a compromise of sensitive information and identity theft. The report noted that where the disks had originally been owned by organisations, they had, in most cases, failed to meet their statutory, regulatory and legal obligations.
In the third and latest study, conducted in 2007, the research methodology of the previous two studies was repeated, but in addition to Longwood University in the USA joining the research effort, the scope was broadened geographically and the focus was extended to determine what changes in the availability of sensitive information might be occurring over time.
Jones, Andy; Valli, Craig; Dardick, Glenn S.; and Sutherland, Iain
"The 2007 Analysis of Information Remaining on Disks Offered for Sale on the Second Hand Market,"
Journal of Digital Forensics, Security and Law: Vol. 3, Article 1.
Available at: http://commons.erau.edu/jdfsl/vol3/iss1/1