What sensitive data is lurking on your old SD card? | Tech Security

SD cards – those tiny devices that go into your camera or tablet – may be small, but they can hold a lot of revealing information. Because they are often used for storing photos, that information can be highly visual. A research team from the University of Hertfordshire just bought 100 second-hand SD cards and found two thirds of them carrying incriminating files.

The team, commissioned by consumer device advisory site Comparitech, found that 65% of the SD cards still had sensitive files ranging from pornography and intimate personal photos through to passport pictures.

SD cards use a different technology to hard drives, but they have some commonalities. One of these is that deleting a file or even using the standard quick format option in your operating system doesn’t really erase the data. It only marks the file as deleted in the drive’s index, which tells the operating system that the space occupied by that file is now available. The file’s data is still there, and curious users – or organizations wanting to prove a point – can recover it with freely-available forensics tools.

The researchers’ report on the project explains that the cards came from various sources including second hand shops, auctions, and eBay. Researchers typically bought the cards one at a time, and then used a free data forensics tool called FTK Imager to create a bit-for-bit copy of each card. This enabled them to work from a copy without disturbing the original. Then, they used WinHex and OSForensics to work out what data was in the imaged disk.

Four of the drives couldn’t be read at all, four of them had no data present, 25 had been properly wiped with a data erasing tool, and 29 had been improperly formatted, leaving the data easily recoverable. On two of the disks, files had only been deleted (again, leaving the files exposed). Alarmingly, 36 of the drives’ former owners had taken no steps to remove their data. This enabled the researchers to recover data from 65% of the cards.

What was on the cards?

The most common content (around 37%) was photographic, followed by multimedia. ‘Sexualised content’ came third, accounting for just over 5%. Business documentation and CVs came last.

One card contained a large collection of photos, some of them intimate, from a female student at a UK university. A photograph of her passport was on the same card. On others, the researchers found photographs of a woman together with her email address and phone number, and the names and phone numbers of friends. On yet another was personal details including vehicle registration numbers, credit card PIN numbers, home addresses and phone numbers from another UK university student, the report said.

Why are people leaving sensitive information on SD cards for others to find? Alarmingly, some of them seem to think that it isn’t their job to remove it, the report suggested:

While the sellers had, in some cases, claimed prior to sale that the media had been formatted or wiped, in other cases they had included a disclaimer saying that there may be data present and that they buyer should remove it.

These cards come from smart phones and tablets, but also from satnav systems, drones, and dash cams. The researchers warned of growing attack footprints as the number of devices containing these cards grows.

For example satellite navigation systems (SatNav) data can be used to determine the home location of the user, and also the routes that they regularly use and locations that they have identified as being of interest, which may include their place of work and the homes of family and friends.