HDD hacking

  • bilyahn
    Service Manager

    1,000+ Posts
    • Dec 2006
    • 1470

    #1

    HDD hacking

    Everyone is talking about sensitive info being retrieved off of the hard drive of a machine that has been recycled or just thrown away. Does anyone know the actual likelihood of something like this happening? Should I really be concerned about a machine that has been recycled having info removed from the HDD?
  • fausto1981
    IT Technician

    100+ Posts
    • Dec 2007
    • 146

    #2
    Most of the machines come with an option called Data "Over Write" which is NOT Free.... There are other options.. customers can ask for the HDD and buy a new or put a new hdd on the machine that is going away... another option is to have your IT dept reformat the HDD or use one of those open source programs that will write a bunch of random 1s and 0s....

    • OMD-227

      #3
      Most of the HDDs are standard computer hard drives, easily accessible and can be quickly installed into a PC.

      Our return machines have a software program run over the HDD which scrambles everything, as well as a full format done. The option is also there to give the client back their HDD if they are concerned at all. A certificate of data destruction is used and has been widely accepted here. You just never know what might happen in the future... better to be safe than sorry.
      I did see the American 60 minutes report on this subject, and it has been discussed here as well.

      • D_L_P
        Self Employed

        1,000+ Posts
        • Oct 2009
        • 1196

        #4
        Originally posted by bilyahn
        Does anyone know the actual likelihood of something like this happening?
        There's the rub, just how likely is it? Probably not very likely at all, like getting struck by lightning, but if it did happen it would not be good. I will say it's as easy as plugging the HDD in as a 2nd drive and scanning it with an undelete utility like the one included with Norton SystemWorks, or google a free one. I'd imagine they had to go through hundreds of HDDs just to find the sensational info for that story though, since not all copiers use the HDD the same way or at all depending on what you're doing.
        I think if I had a business I might look for a cheaper alternative, like scanning 100+ pages of garbage text to every Mailbox/Doc Server to fill it up and then deleting it over and over. That might not be DOD compliant but I would think that would scramble the data enough to defeat any undelete utility. There are ways to get data off HDDs that have been in fires, damaged, or formatted, but if you run into someone willing to go to that much trouble to hack your info you're screwed anyway.

        • ZOOTECH
          Senior member of CRS

          Site Contributor
          2,500+ Posts
          • Jul 2007
          • 3375

          #5
          We do a lot of refurb on lease returned machines and re-sell. I have seen and printed many not password protected files that included mortgage lease documents, tax returns, and medical records. All these documents included sensitive information that a more devious person might use for identity theft, or blackmail. These documents are removed and the HDD reformatted (image area) of course before we send the machine out.
          Last edited by ZOOTECH; 05-25-2010, 09:54 PM.
          "You can't trust your eyes, if your mind is out of focus" --

          • zed255
            How'd ya manage that?

            1,000+ Posts
            • Dec 2009
            • 1024

            #6
            So, in light of recent security concerns, my question is has anyone tried to recover anything off an MFP's hard disk? Even just for interest's sake? We as technicians often have access to the HDDs. I've personally not attempted it. Maybe the next time one comes my way I'll give it a try...

            • Vulkor
              Senior Tech

              500+ Posts
              • Jun 2009
              • 946

              #7
              I have often wondered about retrieving data just for the giggles. Sure there is stuff in the Doc Server, but in retrospect of old print jobs. Not so sure. Ricoh seems to be pretty confident on their security.

              • AKSturb01
                Technician
                • Jul 2009
                • 27

                #8
                Nondestructive Department of Defense requirements (meaning you don't destroy the drive) require the entire volume to be rewritten with alternating patterns of 0s and 1s several times (I believe 5).

                The reason for this dates back to the 1960s and the emergence of the Winchester disk drive when it was discovered that even a disk that has been completely reformatted can be "read" by a controller with sufficient sensitivity to pick up the latent coercivity in the magnetic elements of the disk drive. That's why IBM used to ball-peen their sensitive disk packs upon disposal, and some companies still advise complete destruction of a drive that has ever contained sensitive data. This used to cost a lot of money but the price is coming down because more people are doing it.

                For most people, 99.99998% of the time, unless you have someone at the NSA that is going to try to forensically read the disk, using a good program that wipes the disk several times by writing alternating patterns a couple of times will prevent anyone from reading anything that used to be on it. If you're a terrorist and your laptop is seized and you only had the chance to format the drive, expect a visit from the Special Forces.
                Last edited by AKSturb01; 06-04-2010, 08:10 PM.

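As an added example (not part of the thread, and not the code of any vendor option or wipe tool mentioned in it): a multi-pass alternating-pattern overwrite of the kind post #8 describes, followed by a read-back pass that lists sectors still holding old data. The pass sequence, the 512-byte sector size and the `unreachable` parameter are assumptions for illustration, and the disk image is constructed in memory.

```python
import io

SECTOR = 512
# Assumed pass sequence: alternating bit patterns, as described in the post.
PASSES = (b"\x55", b"\xaa", b"\x55", b"\xaa")

def device_size(dev):
    dev.seek(0, io.SEEK_END)
    return dev.tell()

def overwrite(dev, passes=PASSES, unreachable=frozenset()):
    """Write every pass across the whole device; return the final pattern.

    `unreachable` is a hypothetical set of sector numbers the writes never
    land on, standing in for areas a wipe tool cannot address.
    """
    sectors = device_size(dev) // SECTOR
    for pattern in passes:
        dev.seek(0)
        for n in range(sectors):
            if n in unreachable:
                dev.seek(SECTOR, io.SEEK_CUR)  # skipped: old data survives
            else:
                dev.write(pattern * SECTOR)
        dev.flush()
    return passes[-1]

def verify(dev, final_pattern):
    """Read the device back; list sectors that do not hold the final pattern."""
    sectors = device_size(dev) // SECTOR
    expected = final_pattern * SECTOR
    dev.seek(0)
    return [n for n in range(sectors) if dev.read(SECTOR) != expected]

def make_image(sectors=64):
    """Constructed sample image: zero-filled, one fake document in sector 5."""
    doc = b"CONSTRUCTED SCAN DATA"
    data = bytearray(sectors * SECTOR)
    data[5 * SECTOR:5 * SECTOR + len(doc)] = doc
    return io.BytesIO(bytes(data))

if __name__ == "__main__":
    clean = make_image()
    print("full wipe, residual sectors:", verify(clean, overwrite(clean)))
    partial = make_image()
    last = overwrite(partial, unreachable={5})
    print("wipe that missed sector 5:", verify(partial, last))
```

The same two functions accept a real image file opened with `open(path, "r+b")`; the read-back result is what a certificate of data destruction should be based on, not the fact that the wipe ran.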

                • Fearless V K
                  Senior Tech

                  500+ Posts
                  • May 2007
                  • 620

                  #9
                  If you plug a Ricoh HDD into a computer, there is no format or image files recognizable to the PC. Image data stored is raw on the drive, so unless you had some manufacturer program which could read and decipher the data based on their proprietary format, it's gonna be pretty tough to get something from it. Now if there is stuff stored in the document server that has not been deleted, then yes, you could print it out right from the machine.

                  If your customer is concerned, leave the drive with them for destruction, or return it to the leasing company (if possible) for them to destroy it. As far as new machines going into sensitive environments, I would recommend the data overwrite security for the HDD.
                  Don't take that toner with me!

                  • Stirton.M
                    All things Konica Minolta

                    1,000+ Posts
                    • Oct 2009
                    • 1804

                    #10
                    Originally posted by zed255
                    So, in light of recent security concerns, my question is has anyone tried to recover anything off an MFP's hard disk? Even just for interest's sake? We as technicians often have access to the HDDs. I've personally not attempted it. Maybe the next time one comes my way I'll give it a try...
                    As Fearless mentioned on Ricoh, on Konica Minolta drives the print data parsed on the drive during printing is readable only by the printer. KM hardware also can store scanned or printed or faxed data to the hard disk. As I understand it, this is also readable by the printer. A creative hacker could extract the information however and figure out how to reproduce an image on a PC. Can't say for other brands, but the KMs I've worked on all have encryption kits available, based on Kerberos 128 bit or something like that. The kind of encryption the NSA/CIA would use. These encryption kits are keyed specifically to the machine serial number and a few other hardware markers to keep it from being given to another machine and have the data extracted there. Lawyers' and prosecutors' offices typically are prime recommendations for such things.

                    Without encryption, even data overwritten a couple times, can be extracted off of a drive. It requires some pretty serious hardware and a lot of time to extract the data. Forensics labs in the CIA/NSA have the tools...average hacker, not bloody likely.

                    Some quick methods I have seen to erase a drive from even rudimentary hacking involve simply destroying the hard disk platters. Sledge hammer, heavy duty metal shredder, oxyacetylene torch, industrial electromagnet to name a few.
                    "Many years ago I chased a woman for almost two years, only to discover that her tastes were exactly like mine: we both were crazy about girls."
                    ---Groucho Marx


                    Please do not PM me for questions related to Konica Minolta hardware.
                    I will not answer requests or questions there.
                    Please ask in the KM forum for the benefit of others to see the question and give their input.

                    • TheOwl
                      Service Manager

                      Site Contributor
                      1,000+ Posts
                      • Nov 2008
                      • 1732

                      #11
                      If required, I use a wipe program across HDDs that will do 6 passes. This is available free of charge on the Ultimate Boot CDs. The Department of Defence here request the HDD out of all copiers and they do their own wiping on the HDD. If any data can be recovered once the wipe program is finished, then the HDD is used as target practice out on the range. lol

                      Stirton, I came across an interesting fact the other day on a security camera training course. In the US, it is illegal to have encryption with anything greater than 128 bit. The reason being that anything greater than 128 bit requires more processing power and time for the CIA to decrypt. So I would presume that NSA and CIA would use something like 256 or 512 bit encryption. Just a useless fact that I learnt.
                      Please don't ask me for firmware or service manuals as refusal often offends.

                      • Stirton.M
                        All things Konica Minolta

                        1,000+ Posts
                        • Oct 2009
                        • 1804

                        #12
                        I'll concede you are most likely right about the level of encryption for the NSA and CIA, or for that matter, any government intelligence and security operation around the globe. I don't see anyone outside of the espionage of government secrets really going after commercial secrets....unless it's that Caramilk bar secret.

                        For most of our customers, I have explained to them that if they do not make use of the system or user boxes, then anything they copy or print or fax on the machine will more than likely be overwritten by the next use of the machine. The encryption kits being optional, not everyone has them or needs them, the exception being law enforcement or really paranoid real estate lawyers (in one case).

                        • ToshibaTech
                          Senior Tech

                          500+ Posts
                          • Apr 2007
                          • 580

                          #13
                          I have had a Toshiba HDD out and played with it. Lots of partitions, very little readable data except for the web UI and the e-file thumbnails. File Share was readily available but all of this easily obtained information is just as easily obtained without even removing the drive from the machine and simply accessing it over the network. Because, that's how it's meant to be accessed.

                          I tried a file recovery program to find deleted files. I found quite a few, some of them were of some size so they could have been image data. I was unable to open any of the recovered files successfully.

                          I have downloaded several image recovery programs meant to be used on SD cards and the like. Some of them will rebuild TIFFs, JPGs etc. from deleted data on a drive so I will see what happens there...

                          Toshibas run on VxWorks so it would be interesting to find some kind of VxWorks emulator and see if you could get any further there but that's a little more than I want to get into.

                          IMO it is not as easy as they make it look on TV. Most customers don't realize the drive has to be physically removed. They should be more worried about the fact that when I ask them if I can use their computer to "look at the copier's web interface" I am allowed to do so without a second thought. And most places are the same way with their servers, passwords, etc.
                          I will not give you service manuals or firmware.

                          • pacman
                            I can turn a screw...

                            250+ Posts
                            • Apr 2009
                            • 318

                            #14
                            I know I have a few HDDs that were in a Panasonic, but I never really hooked them up to explore them. I think one of them is a Seagate or Western Digital. I should stick it in an external case to see what happens.....

                            • Stirton.M
                              All things Konica Minolta

                              1,000+ Posts
                              • Oct 2009
                              • 1804

                              #15
                              Having talked with one of our in-house technical gurus (who apparently has more time on his hands than he is willing to admit), some of what I thought regarding KM drives was inaccurate. Data is not necessarily written over right away in all cases. He had been mucking with this for a while and discovered that some files were partially overwritten, while others were fully intact, and some completely overwritten, with the exception of the stub in the allocation table of the drive. He is currently doing experiments on how files are written to and written over. It is a lengthy process apparently. If I hear more, I'll post what he found.