
Buy an electronic device and get the data for free: personal information remains on the donated gadgets



If you have accumulated old computers, flash drives, phones or hard drives that you no longer use, you may want to take them to a consignment shop or a charity store, sell them yourself, or send them for recycling. But have you ever wondered what happens to these devices and the data stored on them? Is your data destroyed, or are the devices resold with all your memories and personal data available to the next owner? And if the data is available, what happens when someone like me starts combing every consignment and charity shop near home just to find out how much personal data can be found there?

To find out exactly how much, I spent six months extracting all the data I could find on devices sold by businesses that sell refurbished computers or accept gadgets for resale. By the end of the experiment, the results showed that many businesses do not deliver what they guarantee and do not erase data from the devices people hand over to them.

Let's take a look at how my experiment went, what data I managed to extract, and how to make sure the data on your old devices is deleted before they are sold.

Process


My first step was the least interesting part of the experiment: I researched which businesses near my home in Wisconsin sell refurbished, donated or used computers. I visited 31 stores and bought everything I could for $600. Here is what I purchased:

Desktops and Laptops - 41
Removable media (flash drives, memory cards) - 27
Hard Drives - 11
Mobile Phones - 6

After buying a device, I returned to the control center (as I call my basement) and began extracting data. When I brought a computer home, I tried to boot it to find out whether it would start and whether it required a password. I wrote a PowerShell script that walks the disk and compiles a list of all images, documents, saved emails and instant messenger chat histories. Then I archived it all neatly and cataloged it on my desktop. Only one laptop, a Dell, had been wiped properly.

Most of the hard drives had an IDE interface, so I used an external docking device for quickly connecting hard drives (an IDE toaster) and a Python script that cataloged all the data. I found that no hard drive was encrypted, and all of them worked fine (except for an old 30 GB Hitachi, which had been wiped).

The phones I bought were very old, and I had to buy three different proprietary chargers on eBay, which raised the cost to $650 (not counting gasoline and coffee). The phones did not require a PIN, and for some of them I could not find software to connect them to a computer.

In the case of flash drives and memory cards, I simply connected them, and then used the Python script to organize the data.

Overall, the result of my research was shocking. Of the 85 devices purchased, only two (the Dell laptop and the Hitachi hard drive) had been properly wiped. And only three devices were encrypted.

Data


Armed with a mountain of data and a basement cluttered with hardware older than I am, I made a plan for sorting through all the data in search of personal information. I used pyocr to detect social security numbers, birthdays, credit card numbers and phone numbers in images and PDFs. Then I used PowerShell to go through all the documents, emails and texts in search of the same information. I saved all the regular expressions used for processing personal information.

Although OCR is not 100% accurate, and there may have been data in images or PDFs that I did not extract, I can confirm that the regular expressions used to extract social security numbers, birthdays, credit card numbers, telephone numbers and driver's license numbers were quite comprehensive.
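The same kind of pattern matching can be turned on your own files before a device leaves your hands. The sketch below is an added example, not the author's scripts: the patterns, function names and sample text are constructed assumptions, OCR is left out, and a Luhn check is added to discard digit runs that only look like card numbers.

```python
import re
from collections import defaultdict

# Illustrative patterns (assumptions, not the author's saved expressions).
EMAIL = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# US SSN with hyphen or space separators; skips ranges that are never issued.
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}[- ](?!00)\d{2}[- ](?!0000)\d{4}\b")
# 13 to 19 digits, optionally grouped by spaces or hyphens.
CARD = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits):
    """Luhn checksum: filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan(text):
    """Return {type: set of normalized unique values} found in text."""
    found = defaultdict(set)
    for m in EMAIL.finditer(text):
        found["email"].add(m.group().lower())
    for m in SSN.finditer(text):
        found["ssn"].add(re.sub(r"\D", "", m.group()))
    for m in CARD.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            found["card"].add(digits)
    return found

def mask(value):
    """Keep only the last four characters so the report itself leaks nothing."""
    return "*" * (len(value) - 4) + value[-4:]

# Constructed sample text; every value below is fake.
SAMPLE = (
    "From: Jane.Doe@example.com\n"
    "To: jane.doe@example.com, billing@example.org\n"
    "SSN: 123-45-6789 (again: 123 45 6789), bad: 000-12-3456\n"
    "Card 4111 1111 1111 1111, typo 4111 1111 1111 1112\n"
)

if __name__ == "__main__":
    for kind, values in scan(SAMPLE).items():
        print(kind, len(values), sorted(mask(v) for v in values))
```

Normalizing before counting is what makes the totals "unique values": the two spellings of the same address and the two SSN formats each collapse to one entry.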

Below is a summary of the processed data (not including several chat histories in MSN / AIM) and file formats. I have excluded some formats (XML, HTML and CSS) for brevity.

Images (JPEG, TIFF, GIF, BMP, PNG, BPG, SVG) - 214,019
Documents (DOC, DOCX, PDF, CSV, TXT, RTF, ODT) - 3,406
Emails (PST, MSG, DBX, EMLX) - 148,903

As you can see, a lot was found. Most interesting of all, I managed to extract a lot of personal information. Here is the breakdown of unique values for each type of information:

Email Addresses - 611
Date of birth - 50
Social Security Number - 41
Bank card number - 19
Driving license number - 6
Passport number - 2

Surprisingly, most of the bank card numbers were obtained from photographs or scans of cards, with both the front and the back of the card captured. Passport numbers were also taken from scans.

Cost of


Researching further, I realized how cheap and easy it is to buy people's information on the darknet. Social Security numbers go for $1, full document sets (dox) for $3. So the initial investment of $600 cannot be justified.

An interesting conclusion follows: data leaks are so frequent that they drive down the cost of data. I saw a few dumps with social security numbers on the darknet priced at even less than $1 apiece.

How to safely get rid of your gadgets


When donating a gadget to charity or selling it, you need to make sure yourself that all data on it has been deleted, rather than hoping the seller will do it for you. But if you want to send your gadgets for recycling, here are some ways to make sure data cannot be recovered from them, by permanently destroying the device or media:


When using such methods, you will need to secure the work area and wear reasonable protection (at least glasses and gloves). With protection in place, destroying gadgets can be great fun.

Here, for example, is how thermite welding destroys a desktop PC:



In principle, if you have not physically destroyed the device, experts can extract data from it. If that worries you, it is better to be safe and destroy it. However, it is usually sufficient to simply wipe your device, which is usually quick and easy [for example, for Android devices it is enough to encrypt all data and then perform a factory reset].

If you want to wipe a hard drive, Darik's Boot And Nuke will help. However, this method does not work with solid-state drives or RAID disks. In the latter case, PartedMagic works well.
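After a wipe, it is worth reading the media back to confirm nothing recognizable is left. The following is an added example, not part of the original article: it walks a disk image sector by sector, counts sectors that are not zero-filled, and flags sectors that begin with the magic bytes of file types from the summary above. The function names and the sample image are constructed assumptions.

```python
import io

SECTOR = 512
# Well-known file-start signatures for formats named in the article.
SIGNATURES = {
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"%PDF-": "PDF",
    b"!BDN": "PST",
    b"PK\x03\x04": "ZIP/DOCX",
}

def audit_image(stream, chunk_sectors=2048):
    """Return (total_sectors, nonzero_sectors, {format: header_count})."""
    total = nonzero = 0
    hits = {}
    while True:
        chunk = stream.read(SECTOR * chunk_sectors)
        if not chunk:
            break
        for off in range(0, len(chunk), SECTOR):
            sector = chunk[off:off + SECTOR]
            total += 1
            if not any(sector):            # all bytes zero: wiped sector
                continue
            nonzero += 1
            # Files start on sector boundaries, so only the sector start is checked.
            for magic, name in SIGNATURES.items():
                if sector.startswith(magic):
                    hits[name] = hits.get(name, 0) + 1
    return total, nonzero, hits

def verdict(total, nonzero, hits):
    if nonzero == 0:
        return "zero-filled"
    if hits:
        return "file headers present: data is recoverable"
    # A random-pass wipe or an encrypted volume also lands here.
    return "non-zero data without known headers"

def make_sample(wiped):
    """Constructed 8-sector image: all zeros, or with two leftover headers."""
    img = bytearray(SECTOR * 8)
    if not wiped:
        img[3 * SECTOR:3 * SECTOR + 3] = b"\xff\xd8\xff"
        img[5 * SECTOR:5 * SECTOR + 5] = b"%PDF-"
    return io.BytesIO(bytes(img))

if __name__ == "__main__":
    for wiped in (True, False):
        print(verdict(*audit_image(make_sample(wiped))))
```

For real media, pass a file opened in binary mode on an image of the drive. On a solid-state drive, a clean read-back does not cover spare blocks that the controller hides from the host.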

Conclusion


If you are concerned that your data may end up in the hands of intruders, destroy the data. If you want to donate a device to a good cause, make sure it has been wiped. Even if you receive a written statement that the data was destroyed, you have no way to verify it, other than erasing the data yourself.

Source: https://habr.com/ru/post/444958/

