I have been tinkering with PCs since my first Atari ST1040 in 1988, then a Win95 PC from 1996 on, and have come into possession of many "broken" PCs and parts since, but it still amazes me that you can get old hard disks in boot sales etc. that have masses of personal data of the prior owners, perfectly intact – without even digging deeper or needing to use data recovery tools.
Unbelievable…! So many people are still data unaware past 2010 – in this case.
Intact data is mostly photos – family, friends, holidays etc. – with the occasional "personal" video, but often on Windows drives, there are also Contacts files – personal/business email addresses etc. or even business documents.
I even bought a boot sale camcorder once that had a tape inside with new baby videos on it…
There is the potential for a serious IT nerd/criminal possibly recovering passwords or details to bank accounts or social media etc. which should be enough to make people think very carefully about selling or disposing of an old PC without being sure the data is fully deleted – but they often don't!
Today I bought a WD 250GB SATA from a market stall, put it in my Linux box to check it's functionality with Disks (sudo gnome-disks if you are ssh -X remotely):
to check age, history, SMART tests and benchmark etc:
This is a perfectly good, bootable Windows 7 Home drive that mounts in Mint fine – complete with about 50GB of family photos and other user data!! Videos, MP3s, phone info, email addresses…
What's on it?
Amongst other things, a full $RecycleBin and User account data:
In one account there is 46GB of Photos!
There are mp3s (thanks for the 2 x Prince CDs to add to my collection! I'll delete the rest thanks..)
Because there is so much family data, with 50Gb of photos over a 2010-2013 period, I will contact the owner – a local driving instructor from pic info – that I found the website and number for easily on google.
It could be that they have not backed up the data before the PC was disposed of, so lost the lot, if they didn't bother thinking about the data given away – they may not be very tech savvy. I doubt that though, as they have decent phones and know how to get the pics off, so they SHOULD have backed it all up, but..
If nothing else, it's to let them know about ensuring correct data destruction in future, and if they don't have the pics, I'm sure they will be very pleased. It's a huge collection to lose – lots of their kids pics at key events etc.
There are recoverable jpgs in the Bin:
It won't hurt to run a CAV virus scan on it either while it's in the Mint PC – could show the reason why the owners dumped it as a non-runner? It came up clean – not that one anti-virus program is definitive by ANY means…
So, why not try and boot it in my HP tower…? Windows should not allow this if the hardware is markedly different from that it was originally installed on but…
After about 10 mins of self-repair it declared itself non-recoverable – then promptly restarted up to the log in screen with 4 accounts to choose from!
Now to reboot to the linux based NTPass CD to reset the sydadmin password as explained in the prior Post:
Once into an Admin account by setting a blank password with NTPass, I reset passwords on all others, then recovered everything for each user from their Recycle Bin…or you could have kept those passwords intact with a view to cracking them for other possible uses later…lots of options at this point for potential malicious behaviour for those so inclined…a question of finding whatever you can find…
A hacker/criminal may have had a field day with this drive – who knows if there are hashed bank account passwords to be cracked here or even plain text memory aids that could relate to accounts?
I already know about the pictures etc. but a look in Programs gives info on user services preference, and possible mail accounts, or documents that the C: drive could be searched for by extension such as .pdf; docx; .txt etc..Office 2010 is installed for a start so Word docs probably used:
With more complex hacking tools, registry/password hashes could be found and cracked leading to account access for all sorts of services – it's frightening that people can leave themselves so vulnerable in so many ways just by NOT retaining or correctly wiping/destroying their hard drives when they move a machine on.
OK, it could have been stolen..? There's the strong argument for us all using encryption on our hard drives, but even I don't, so who else will, except the very IT literate/criminal/paranoid/ or those required to for some job reason like forces/gov/police etc?
There is a whole psychological profiling side to this too, that is a really scary prospect for this falling into the wrong hands. The photos tell a lot about this family – standard of living/probable income/social groups/hobbies/vehicle ownership etc.
One decent quality "selfie" may be enough lead to identity theft/passport cloning.
Scary isn't it?! Well, it should be…
Brief Summary of Personal Data and Info Found
family photos 2010-2015
first and family names and children's schools from pics
job and website of family member
Probable Devices/software accounts use: HTC, Sony, Apple/iPod/iTunes, Skype, Win Live Mail, Google
I wonder what the reaction will be when I contact them? I have emailed and am awaiting a response.
With luck they will have backups of it all and I can just delete it and forget it.
If not, I'll make arrangements to send it on a 64GB pen drive in the post to their address.
BE CAREFUL WITH YOUR DATA!!
If data requires reasonable levels of secure deletion read the man page for Linux shred:
info coreutils 'shred invocation'
shred [OPTION]… FILE[…]
shred – overwrite a file to hide its contents, and optionally delete it
shred [OPTION]… FILE…
Overwrite the specified FILE(s) repeatedly, in order to make it harder
for even very expensive hardware probing to recover the data.
CAUTION: Note that shred relies on a very important assumption: that
the file system overwrites data in place. This is the traditional way
to do things, but many modern file system designs do not satisfy this
assumption. The following are examples of file systems on which shred
is not effective, or is not guaranteed to be effective in all file sys‐
This uses many overwrite passes, with the data patterns chosen to
maximize the damage they do to the old data.
For example to delete a file contained in a folder:
sudo shred -v –remove Pictures/SamData/Thumbs.db
shred: Pictures/SamData/Thumbs.db: pass 1/3 (random)…
shred: Pictures/SamData/Thumbs.db: pass 2/3 (random)…
shred: Pictures/SamData/Thumbs.db: pass 3/3 (random)…
shred: Pictures/SamData/Thumbs.db: removing
shred: Pictures/SamData/Thumbs.db: renamed to Pictures/SamData/000000000
shred: Pictures/SamData/000000000: renamed to Pictures/SamData/00000000
shred: Pictures/SamData/00000000: renamed to Pictures/SamData/0000000
shred: Pictures/SamData/0000000: renamed to Pictures/SamData/000000
shred: Pictures/SamData/000000: renamed to Pictures/SamData/00000
shred: Pictures/SamData/00000: renamed to Pictures/SamData/0000
shred: Pictures/SamData/0000: renamed to Pictures/SamData/000
shred: Pictures/SamData/000: renamed to Pictures/SamData/00
shred: Pictures/SamData/00: renamed to Pictures/SamData/0
shred: Pictures/SamData/Thumbs.db: removed
Similarly, to erase all data on a selected partition of your hard
disk, you could give a command like this:
shred –verbose /dev/sda5
For recovery options when your Windows PC fails to boot, you need to have pre-prepared recovery USB or DVD media from your Windows PC. DO IT NOW if you have not done this!!
If these above owners of this drive had done this they likely would have been able to restore this PC themselves and not ended up in this situation.