This time last week FBI divers were searching Seccombe Lake, a freshwater lake about three kilometers from the Inland Regional Center, the site of the December 2 shooting that left 14 dead and 22 injured. Reports indicated that shooters Tashfeen Malik and Syed Rizwan Farook had ditched their laptop hard drive, which may contain e-mails and other evidence, in the murky water around the time of the attack.
Although the search has concluded, investigators have not confirmed whether or not a drive was recovered. But if one was, data-forensics experts say there is a good chance stored information will still be easily accessible, and that there would have been more effective ways to destroy the drive.
A hard drive works almost exactly like a record player. Data is stored in blocks of 1s and 0s on an aluminum, ceramic or glass platter, which looks a lot like a CD. The platter is centered on a spindle, which controls its rotation; a head uses an electric current to read and write data. An actuator and other electronic components control the entire operation.
Water might short out the electronics, but that’s about it. “The data's still on the platters, regardless if they got wet or not,” explains Russell Chozick, vice president of Flashback Data, a data-recovery firm in Austin, Texas. As long as the platters are not allowed to dry out, which he says could leave hard-to-clean residue behind, forensics experts should be able to recover data with relative ease.
Modern solid-state drives (SSDs) and flash memory can be more susceptible to drowning, Chozick says. Many of them have onboard encryption, which means the drive’s circuit board is necessary to decode anything stored on the memory chip. At the same time, SSDs represent only about one third of the current PC hard drive market, so conventional spinning drives remain the primary concern.
So, what’s better than water? Despite what television and fretful IT guys have taught us, bringing magnets close to the hard drive might not effectively corrupt the data, either. You’d first have to get past the steel sheathing that protects platters in most drives, explains Gleb Budman, CEO and co-founder of Backblaze, a cloud storage company that builds its servers out of consumer-grade hard drives. “Given a good enough magnet, and a close enough proximity, it's certainly a valid attack,” he says. “But if you want a guarantee, shredding the platter is the safer way to go.”
Indeed, opening up the drive—a task easily achieved with a screwdriver and hammer in a few minutes—and using brute force on the platter is the best way to destroy it in short order. “Laptop hard drives have glass platters,” Chozick says. “If you throw those hard enough, the glass will shatter, and no one's going to recover that.” (Painstaking recovery is possible in some cases; investigators worked to piece together data from Adam Lanza’s smashed drive after the shooting at Sandy Hook Elementary School in 2012, for instance, but the process is both lengthy and expensive.)
Aluminum platters, often found in desktops, take a little more work, however. A giant scratch, for example, can prevent the drive from initializing and stymie conventional data-recovery efforts. The same goes for a small—or large—crack in the platter. But advanced forensics labs, Budman says, might be able to read between those blemishes. “They don't even necessarily make [the drives] spin; they can look at each individual block on the platter,” he says, which can allow experts to recover enough 0s and 1s to read.
Drilling holes in the platter, on the other hand, generates heat that can easily cause universal damage. “You're potentially distorting the platter itself. You're doing things that might cause all of the rest of the platter to change slightly,” Budman says. “And it doesn't need to change a lot in order for the data to be completely invalid.”
When in doubt, he advises using simple chemistry: acid. “You let the acid peel away everything that's of value on the platters,” Budman says.
Of course, there are less aggressive ways to wipe a drive clean. Both Windows and Mac OS X include utilities that securely erase drives by overwriting existing contents with random 0s and 1s. Budman recommends doing this twice on newer drives and seven times on older ones, as some advanced forensics labs might be able to find “ghosts” of the overwritten data.
For covering tracks, though, Chozick cautions that a hard drive full of gibberish is still a big red flag. “For litigation, if your drive is being called in question and it's been zeroed out, obviously we know that there's been some spoliation of data. And we can tell that to a jury, and they don't like it so much,” he says.
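As an added illustration, not from the article or from the firms quoted in it, the Python below models the two points made above: a multi-pass random overwrite of a drive image, as the OS secure-erase utilities do, and the forensic triage that flags a zeroed or noise-filled drive as wiped. The drive image, the 512-byte sector size and the entropy threshold are constructed for the example, and it works on an in-memory copy rather than a real block device.

```python
import math
import secrets
from collections import Counter

SECTOR = 512  # constructed sector size for the example image

# Constructed stand-in for a drive image: repeated e-mail headers, 8 sectors long.
LINE = b"From: alice@example.com\nSubject: meeting notes\n"
SAMPLE_IMAGE = (LINE * 100)[:8 * SECTOR]


def overwrite_passes(image: bytes, passes: int) -> bytes:
    """Model of a multi-pass secure erase: each pass replaces the whole image
    with fresh random bytes. A real utility writes to the device itself; this
    hypothetical model works on a copy so it can run anywhere."""
    buf = bytearray(image)
    for _ in range(passes):
        buf[:] = secrets.token_bytes(len(buf))
    return bytes(buf)


def zero_fill(image: bytes, first_sector: int, count: int) -> bytes:
    """Zero a run of sectors, the pattern a 'zeroed out' drive shows."""
    buf = bytearray(image)
    start, end = first_sector * SECTOR, (first_sector + count) * SECTOR
    buf[start:end] = bytes(end - start)
    return bytes(buf)


def sectors(image: bytes):
    """Yield the image one sector at a time."""
    for off in range(0, len(image), SECTOR):
        yield image[off:off + SECTOR]


def surviving_sectors(original: bytes, after: bytes) -> int:
    """Count sectors whose contents survived unchanged, i.e. what recovery could still read."""
    return sum(1 for a, b in zip(sectors(original), sectors(after)) if a == b)


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, close to 8 for random bytes."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def classify_sectors(image: bytes, random_threshold: float = 7.0) -> dict:
    """Triage each sector as 'zeroed', 'random' (overwritten with noise) or
    'structured'. A drive that is mostly zeroed or random is the 'gibberish'
    red flag the article describes; real text and file data sit well below
    the threshold."""
    counts = {"zeroed": 0, "random": 0, "structured": 0}
    for blk in sectors(image):
        if not any(blk):
            counts["zeroed"] += 1
        elif shannon_entropy(blk) >= random_threshold:
            counts["random"] += 1
        else:
            counts["structured"] += 1
    return counts


if __name__ == "__main__":
    wiped = overwrite_passes(SAMPLE_IMAGE, passes=2)
    partial = zero_fill(SAMPLE_IMAGE, first_sector=2, count=4)
    print("intact sectors after 2 passes:", surviving_sectors(SAMPLE_IMAGE, wiped))
    print("original:", classify_sectors(SAMPLE_IMAGE))
    print("wiped:   ", classify_sectors(wiped))
    print("partial: ", classify_sectors(partial))
```

Running the script shows no sector surviving the overwrite and the wiped image classified entirely as random, while zeroing only part of the image leaves a mix of zeroed and structured sectors that is just as conspicuous to an examiner.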