| 00:00:00 | Hello and welcome to THE COIN BOT. I'm running out of hard drive space, so today we're going to perform a little experiment. I'm going to go on eBay and buy a bunch of used hard drives and we're going to see how much data we can recover from them. I think this experiment is important because it'll show just exactly how much |
| 00:00:18 | exploitable data we can gather just by examining some old corporate devices. And I think it's important to note that often we can recover these files even though you think you've already deleted anything that might contain sensitive information. Of course there are ways to protect yourself against exploits like this, |
| 00:00:37 | and we'll go over those at the end of the video. But for now, let's get right into it, shall we? Now, in order to understand how all this works, we need to understand the basics of data recovery. Your computer stores a little database at the beginning of its hard drive called the partition table. |
| 00:00:57 | That partition table stores the physical location of all of the files on your computer. But you need to understand that when you delete a file from your system, that file is not actually removed from the system. It is simply updating the partition table and marking that space on the disk as free so that it can be overwritten with new files. |
| 00:01:17 | If you want to recover the file, you can use special software that ignores the partition table, looks at each sector of the disk and looks for new file information. And statistically speaking, the larger the hard drive, the more likely it is that we'll be able to recover files, since it is less likely that those files would have been overwritten by something new. |
| 00:01:39 | When I started making YouTube videos, it became pretty clear, pretty quickly that I was going to run out of hard drive space if I continued to shoot video like this. As I did some online research, it became clear also that hard drives that are pretty large in size are also fairly expensive. I already had an external drive enclosure. |
| 00:01:58 | So that got me looking at used hard drive lots on eBay. One ad on eBay really caught my eye because it was listing ten 500GB used laptop hard drives for around $50 with free shipping. So I couldn't really pass that up. I placed a bid in Auction Sniper and waited to see what happened. |
| 00:02:20 | A couple of days later it ended up that I won the auction, but it took several weeks for the hard drives to arrive. I guess you get what you pay for when it comes to shipping. They arrived with very little padding. There was just some paper shoved in between them and I was really concerned that the hard drives would be damaged. |
| 00:02:39 | But when I mounted them in Windows, all of the drives mounted just fine except for one. It appeared that one of them had been damaged. The seller immediately issued a partial refund for that one broken drive. Now, I thought it odd that this ad was actually advertising these drives as not being wiped. |
| 00:02:57 | What that means is they've taken the hard drive out of the laptop, but they haven't done anything to secure the data that's on it. And of course, my curiosity got the better of me and I wanted to find out what was on them. All of the drives mounted properly. Three were Windows system disks. |
| 00:03:14 | Three drives were encrypted with BitLocker. Two drives were empty. They were showing that they had the standard corporate hard drive partitions on them, but they were showing as blank. One disk had a Linux operating system on it. And one drive was broken and clicking due to the shipping damage that I talked about earlier. If you intend to recover files from an old hard drive, it's important that you don't put |
| 00:03:36 | that drive in a new computer as the primary drive and try to start it. The operating system on the drive might still be intact and it'll perform updates and may overwrite the files that you're trying to recover. The key is to attach the drive externally in a docking station and do all of your searching in a nondestructive way. There's lots of these external docking stations |
| 00:03:59 | that are available on Amazon, and I'll put a couple of links in the description below. Now, I do have to admit that I took some precautions before plugging these drives in. I made sure that my Internet connection was turned off, and I also made sure that I only plugged them into my wife's laptop so I didn't hurt my own. |
| 00:04:18 | Now, there are lots of software packages that are available to help you recover data from your old hard drives, and they vary in price and complexity. That being said, I tend to be more of a DIY guy, and since I didn't really care about any of the data on these drives, I did it myself. But if I did have personal files |
| 00:04:37 | I wanted to recover, I would need to seriously weigh the options regarding price, security, and reputation. DIY is great and often free, but if you screw something up, the results can often be irreversible and catastrophic, and the files permanently unrecoverable. So be careful out there. |
| 00:05:00 | So, like I stated before, the empty drives had their corporate laptop drive partitions on them, but the drive showed empty in Windows File Explorer. However, for demonstration purposes, I thought I would dig just a little further using common and off the shelf tools for file and partition recovery. For the first pass, I tend to use MiniTool Power Data Recovery as it's |
| 00:05:20 | a bit faster, and they offer a free trial version. If that program finds anything that I might be interested in, I'll take the extra step of recovering the files with an open source file recovery system like TestDisk. As you can see, even the empty drive still contains quite a bit of useful data. Given that these drives came from a |
| 00:05:40 | corporate environment and that it appears to be from a healthcare system, this information could be extremely dangerous if put in the wrong hands. The Windows system disks still contain the operating system, proprietary medical software, including a piece of software called Guardrails. And when I did a quick internet search |
| 00:06:02 | on what that software does, it looks like it is a safety protocol that the hospitals use in order to make sure that they're injecting the right medications into IV lines. At first, I didn't think these drives contained any patient information, but a quick file search for common office file extensions such as Word documents, Excel spreadsheets, |
| 00:06:25 | and PDF documents turned up several files, such as Excel documents containing lists of patient names, drugs administered, prescribing doctor's names, and the patient's underlying medical conditions. I didn't dig too far, but one PDF I opened was lab orders with a patient's full name, date of birth, weight, medical condition, and doctor's full name. |
| 00:06:48 | These disks also contain the corporate logo of the healthcare system, laptop registry files, and event logs. And these all provide valuable clues as to where these drives came from and how the facility's network infrastructure is organized. Regarding the site employees, there were employee medical equipment access logs showing the employee name and their job titles. |
| 00:07:11 | In addition, each of these drives contains multiple Windows user folders, which tended to be in the format of first initial, last name, and sometimes a number, and that information probably carries over to the replacement laptops. In turn, that last name and first initial could be used to do online research about employees at the facility. |
| 00:07:32 | And all of that information in aggregate could be used to social engineer access to the new laptops or the network. Speaking of social engineering, when you think about it, all that information that you could gather from these laptops could be used to really fine tune a spear phishing attack into the corporate network, where you could send a spoof email based on someone's username and try to get more |
| 00:07:57 | information about their network or passwords and things like that. So it's really critical that you secure this kind of information before you sell laptop hard drives or before you sell old laptops online. Again, even though three of the drives were encrypted with BitLocker, the information gathered from all of these drives in aggregate |
| 00:08:17 | put the entire facility at risk. Just out of curiosity, I thought it might be good to type the name of the healthcare facility and "BitLocker password" into Google, but it returned no results. But again, that doesn't mean that your corporate environment is safe. |
| 00:08:32 | You really have to be careful, because again, the information that you gather from these drives could be used to call someone in their IT department, and you could sound like an authentic user and try to get those BitLocker passwords reset for you. In large corporate organizations, the encryption passwords tend to be standardized. So they usually |
| 00:08:52 | include some sort of dictionary word or a phrase plus a numerical portion. And that means iterations of the password are guessable, if you know what the pattern is. IT departments use passwords like this so that they can help end users get into their laptops without using up all the guesses before the laptop is actually locked. |
| 00:09:15 | So what's the verdict? In my personal opinion, I think the entire IT department at this particular healthcare system really needs to be retrained in information security. They also need to be trained on how to properly wipe hard drives before |
| 00:09:29 | they offer them up for sale on eBay or offer them for disposal to a third party. And if this was my team, I would definitely try to find the person responsible and hold them accountable for this. That being said, I intend to wipe all these hard drives to Department of Defense standards with seven passes using |
| 00:09:46 | the MiniTool Partition Wizard, which you can download from the Internet for free. I'll leave a link below in the description to all of the software that I used in today's video. If you like this type of content, I hope you'll smash the like button, that you subscribe to the channel, and |
| 00:10:01 | that you'll hit the notification bell so you don't miss out on any future videos. I also hope you'll leave a comment down below and tell me what you think should be done with the IT department at this particular healthcare system. Until next time, I hope you have |
| 00:10:05 | a great day, and I look forward to seeing you in the next video. Have a great day, everyone. |