USB drives are a convenient way of backing up your valued photos and other documents, and for transferring files between devices.
On the other hand, there are also some risks involved in using them. In particular:
(1) if the drive gets lost or stolen, someone else will get hold of all the files;
(2) if people decide to sell or give away their drive, and they do not delete the files properly, the buyer could get hold of the stored files.
It turns out that people do sell used USB drives. We visited an online auction site and found hundreds of second-hand USB drives for sale.
With this kind of transaction, both the seller and buyer are at risk. The seller’s risk: some files containing personal or sensitive information may have been unwittingly left on the device. The buyer, if unscrupulous, could use this information to harm the seller. The buyer’s risk: the USB could be a plant with malware or viruses poised to compromise the buyer’s computer when he or she plugs it in. Of the two, the risk to the buyer is much smaller than the risks to the seller.
To gauge the size of these risks, we bought 100 second-hand drives from an online auction site and analysed them.
Method
We were scrupulously ethical in carrying out our investigation. In the first place, we did not open any of the files to look at their contents. Instead we examined only the file names to infer their contents. Once we had completed our investigation, we securely wiped all the drives so that none of the files the sellers had inadvertently left on the drives could be used to compromise them.
We commenced by making forensic image copies of the drives. We then tested these images to detect the presence of malware or viruses (i.e. to identify a plant). That done, we used forensic tools such as Autopsy to analyse their contents.
Seller Risk
Only 32 of the drives had been properly wiped and held no data. We were able to extract partial files from 26 of the drives, and extracted all the files from the remaining 42 drives.
We recovered a total of 75,518 files from the 68 drives, including 46,465 image files, 9,723 Microsoft office files, 4,671 PDF files and 8098 plain text files. Using the file names and extensions, we categorised the files as likely to be of:
(1) low sensitivity (OS files: 2091 – 2%),
(2) medium sensitivity (images, including some with embedded location data), and
(3) high sensitivity (files called “Passwords.”, contracts, tax returns and bank statements – PDF and plain text files were likely to fall into this category).
An unscrupulous buyer could feasibly use such recovered files to access sellers’ accounts if the passwords are still valid, or try the password on the person’s other accounts, given that password reuse is so widespread. They would likely be able to get the seller’s email address from the files on the drive. They could try to siphon money from the bank accounts or blackmail the seller by threatening to reveal embarrassing information.
Buyer Risk
We did not find any trace of malicious software that could infect buyers’ devices when they plugged the drives in.
Summary
In essence, the risk to the buyer from our 100 purchased drives was zero. The risk to the seller would have been significant if we had not purchased the drives purely for our own investigation.
Our findings suggest that the public need to be made aware of the need to wipe their USB drives (and devices containing hard drives) before they relinquish them. Then, any private and sensitive data that happens to be stored on the device will not unwittingly be leaked.
Reducing the Risks
USB drive owners should be made aware that deleting the data on the drive doesn’t actually remove it. It simply hides it from you; it is still there to be found by publicly-available forensics tools. If you want to sell or give an existing USB drive away, wipe it by using a software tool.
On Windows:
Bleachbit, Roadkil’s Disk Wipe or Eraser will wipe the files irrevocably and permanently.
On a Mac: it’s easier because the operating system has a built-in facility for digitally shredding files.
If you want to discard a USB disk (and you don’t want to sell it), destroy it physically with a hammer before throwing it away. Make it impossible for anyone else to get hold of any data that you might have left on the drive.
If you are planning to buy a new drive, the best way to mitigate the risks is to buy an encrypted USB drive. If you want to encrypt your existing USB drives you can also do this, but it is a bit more of a hassle. To effectively protect your data you’ll need to create a strong password for each drive.
This research was carried out by Jim Conacher during his Masters research project at Abertay University in Scotland.