Vulnerabilities in the Corporate Sector

by =-virus-=

If you search any auction site, you will find lots of laptops and desktops for sale.  Many of these computers are sold with the hard drive still inside.  The computer is sent to you with no partition table on the drive, or a freshly installed operating system on it.

However, the hard drive had all of its data previously erased, since no one intends to have confidential data floating around an auction site, let alone corporate data (such as what could be found on a corporate lease laptop sold on an auction site).

This is an article about retrieving that data.

I took it upon myself to see what I could find, and if I was able to successfully recover data.  I went on a common auction site and bought a cheap laptop.  I wanted the hard drive, so I searched for a laptop that had been a "corporate lease" at some point in its journey to me.

First I would need some tools:

  • 2.5" IDE (laptop) hard drive enclosure
  • USB cable for enclosure
  • FAT32/NTFS file recovery software
  • Time

When it arrived I hurried to open both the box and the laptop.

When I looked inside the laptop though, I realized I had come across a bump in the road.  The hard drive was not 2.5", it was 1.8" and additionally it had a special connector, not the standard 1.8" IDE connector.  For a moment I thought I wouldn't be able to do much with this.

Then I got an idea.

I wouldn't try to install anything on the hard drive, for fear of writing over any data.

First things first, I booted the laptop with a Linux boot disk to see what the drive contained.  It was blank.

But had this been an NTFS formatted drive before?

If it had been, I may be in luck, since NTFS stores a backup copy of the MBR and file table in a second portion of the hard drive.  The Microsoft article on this is "How to Recover Data from Corrupt NTFS Boot Sectors."

I searched through the hard drive, sector by sector, and found the backup MBR, but it wasn't complete.  It seemed this drive had more done to it than a simple format.  They had deleted the partition table and may have created a second one on top as well.  I wouldn't be able to copy and paste the backup NTFS hex code to the front sector.
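The sector-by-sector search described above can be scripted against a raw image of the drive. What follows is an added example, not code from the original article: it builds a small constructed image (an NTFS volume starting at sector 63 with 1024 sectors, both values assumptions) whose primary boot sector has been zeroed, then scans every sector for the NTFS boot-sector signature, finds the backup copy at the end of the volume, and uses its TotalSectors field to work out where the volume originally began. Run against an image of a drive you are about to dispose of, an empty result list is what you want to see.

```python
import struct

SECTOR = 512  # assumption: 512-byte sectors throughout this constructed image

def build_ntfs_vbr(total_sectors, sectors_per_cluster=8):
    """Constructed NTFS boot sector (VBR) carrying only the fields parsed below."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xeb\x52\x90"                       # x86 jump, as on a real NTFS VBR
    vbr[3:11] = b"NTFS    "                          # OEM ID
    struct.pack_into("<H", vbr, 11, SECTOR)          # bytes per sector
    vbr[13] = sectors_per_cluster
    struct.pack_into("<Q", vbr, 40, total_sectors)   # sectors in volume, backup sector excluded
    vbr[510:512] = b"\x55\xaa"                       # boot signature
    return bytes(vbr)

def parse_ntfs_vbr(sector):
    """Return the BPB fields we need, or None if this sector is not an NTFS VBR."""
    if sector[3:11] != b"NTFS    " or sector[510:512] != b"\x55\xaa":
        return None
    bps, = struct.unpack_from("<H", sector, 11)
    total, = struct.unpack_from("<Q", sector, 40)
    return {"bytes_per_sector": bps, "sectors_per_cluster": sector[13], "total_sectors": total}

def find_ntfs_vbrs(image):
    """Sector-by-sector scan of a raw image; returns byte offsets of every NTFS VBR found."""
    return [off for off in range(0, len(image) - SECTOR + 1, SECTOR)
            if parse_ntfs_vbr(image[off:off + SECTOR]) is not None]

def backup_offset(image, vbr_off):
    """NTFS keeps a copy of the VBR in the last sector of the volume, just past TotalSectors."""
    info = parse_ntfs_vbr(image[vbr_off:vbr_off + SECTOR])
    return vbr_off + info["total_sectors"] * info["bytes_per_sector"]

def volume_start_from_backup(image, backup_off):
    """Given a backup VBR found at the end of a volume, compute where the primary VBR was."""
    info = parse_ntfs_vbr(image[backup_off:backup_off + SECTOR])
    return backup_off - info["total_sectors"] * info["bytes_per_sector"]

def build_image(wipe_primary=True, vol_start_sector=63, vol_sectors=1024):
    """Constructed disk: zeroed MBR, one NTFS volume with primary and backup VBR. With
    wipe_primary the primary VBR is zeroed, mimicking a deleted partition table plus
    quick format; only the end-of-volume backup then survives."""
    image = bytearray(SECTOR * (vol_start_sector + vol_sectors + 1))
    vbr = build_ntfs_vbr(vol_sectors)
    primary = vol_start_sector * SECTOR
    backup = (vol_start_sector + vol_sectors) * SECTOR
    image[primary:primary + SECTOR] = vbr
    image[backup:backup + SECTOR] = vbr
    if wipe_primary:
        image[primary:primary + SECTOR] = bytes(SECTOR)
    return bytes(image)
```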

What could I do next?

The NTFS recovery program was a Windows XP based one, GetDataBack (Ver. 3+ / NTFS).

How could I scan this drive with it?  Finally, after a night of poor sleep, I figured it out.

I'd copy the drive!  Normal hard drive copying would mean I'd only get a copy of the sectors that had actual data on them, not the ones the drive's file table had marked as "write over me."

I made a boot disk using BartPE, and used a program that made a sector for sector copy of the hard drive.  This is very important.

A hard drive cloning program that can handle sector for sector cloning must be used.  This will make an exact copy of the drive, with all errors, faulty sectors, hidden data, etc.

I let the cloning program do its thing, copying the 1.8" drive to an extra external drive.

Note:  The drive you clone to will be completely erased and replaced with data from the drive you are cloning.

Use a spare drive that's at least as big as the drive you are cloning.  I let it run for the night.

The next day, I hooked up the drive I had cloned to my Windows box, and started up the NTFS recovery program.  I told it to scan for any file structure that was similar to NTFS or FAT32, and I selected the drive (not any partition of the external drive) as source.

It found a few sources and I selected the largest NTFS partition it listed for me, and let the program run.  About seven hours later it had found every lost bit, and put it in a nice file structure for me.  I copied all the data to a safe location.  I was excited to see what I would reap.  And reap I did.

I had stumbled across the personal files, pictures, diagrams, and, best of all ".PST" files of an employee at an IT firm!  (The PST file, for those not familiar with Outlook, is where all the contacts, appointments, and emails are stored.)

I'm still sorting through it all, though off the bat I am able to see VPN access files, VPN keys, PGP keys, internal emails, links, information, etc.  This could lead to a whole host of attacks, both technological and social, on this company.

The important lesson here is if you are selling off extra computer equipment, make sure you get a professional to get rid of all your data, even if it means melting the hard drives down.
