Lesson learned? Most used memory cards contain data when sold

Martin Brinkmann
Jul 9, 2018
Updated • Sep 14, 2018
Security
|
32

A recent study conducted by researchers of the University of Hertfordshire about the implications of selling used memory cards revealed that about two-thirds still contain data from previous owners.

The researchers bought one hundred memory cards over the course of four months on various platforms including eBay or second-hand shops and were able to recover personal data on two-thirds of them.

Personal data found on the memory cards included IDs, contact lists, selfies and intimate photos, resumes, the browsing history, passport copies, and pornography.

Only 25 of the 100 cards were wiped properly so that no data could be recovered from these devices. A total of 36 devices were not wiped or formatted at all and 29 were formatted but data could still be recovered by the researches. The remaining memory cards did not work, had no data present, or had data deleted manually (which meant it could be recovered).

Used data that buyers recover from memory cards or hard drives can result in all kinds of issues for the previous owner. Possibilities include identity theft and impersonation, blackmail, or sharing of personal photos online.

Most memory cards were used in smartphones and tablets, but some were used in digital cameras, drones, or navigational systems.

No change in the past 10 years?

Techradar ran a similar story back in 2008. The company bought used hard drives from marketplaces like eBay and concluded that 66% of them were not properly erased so that data could be recovered.

While Techradar did not reveal the types of data that it recovered from these drives, it likely included personal data such as documents and photos as well.

Is it a coincidence that the recovery rate has not gone down between 2008 and 2018?

Avast analyzed used smartphones in 2014 and found all kinds of personal data on them. The data included more than 40,000 photos including nude photos and photos of children, email and text messages, loan applications, contact names, and more.

What is the reason?

If you take the findings of the University's memory card research, you will notice that only a quarter of users used wiping tools to erase the data on the cards properly. While the number may change if you increase the sample size, it is clear that many users don't seem to be aware of the dangers.

One reason for that is that devices come without instructions to properly erase data. While you find articles on my site and others on the topic, it is necessary that users are aware of the issue and implications to even search for it.

Over a third of devices were formatted by their previous owners. While these owners knew that they had to do something about the data on the drive before selling the memory card, they did not know that formatting, especially quick formatting, does not delete data sufficiently.

What can you do about it?

It is important that users get educated about the dangers of selling used storage devices online. There are a couple of things that users can do to make sure data cannot be recovered.

Probably the best is to keep the storage devices and not sell them in first place. It is clear that this may not always be possible, for example when you need the money from the sale.

The second best option in my opinion is to encrypt the entire storage device and format it afterward.

Assuming that you can connect the memory card or storage device to your PC:

Option 1: using command line tool cipher

Cipher is a command line tool that is part of any version of Windows.  Here is how you use it:

  1. Open the Start menu.
  2. Type cmd.exe.
  3. Right-click on the cmd.exe item in the results list, and select run as administrator from the context menu.
  4. Open Windows Explorer, and check the drive letter of the memory card / hard drive you want to erase data on properly.
  5. Make sure you replace D on the next line with the actual drive letter.
  6. Type cipher /w:D:
  7. Wait for the process to complete.

Cipher's /w option commands the tool to wipe the location. The tool has three passes: 1) replace all data with 1's, 2) replace all data with 0's, 3) replace all data with random numbers.

Option 2: using encryption software VeraCrypt

  1. Download and install the free encryption software VeraCrypt.
  2. Select "create volume" when you start VeraCrypt.
  3. Select "Encrypt a non-system partition/drive" in the VeraCrypt Volume Creation Wizard window and click next.
  4. Confirm the UAC prompt.
  5. Select next when asked to select a volume type.
  6. Click on select device and pick the memory card that you want to erase data on completely so that it cannot be recovered.
  7. Double-check to make sure you have selected the right drive.
  8. Select "create encrypted volume and format it", and select next.
  9. On the encryption options page, select next.
  10. On the volume size page, select next.
  11. Type a password. Make sure it is secure but note that you don't need it after the creation. Select next.
  12. Select no when asked whether you want to store large files on the drive.
  13. Move your mouse around and hit format on the volume format page. Confirm the erase prompt if it is displayed.
  14. Follow the prompts to complete the process.

After the encryption / erasing

recuva data recovery

What you may want to do after you have run one of the operations explained above is to check whether recovery software can recover data on the drives.

You may use free programs for Windows such as Recuva, Undelete 360, or Undelete my Files for that.

Closing Words

The process of erasing data on memory cards, hard drives or other storage devices is quite technical. Some manufacturers offer custom programs to erase data on storage devices but those tools need to be downloaded and installed manually usually.

Now You: Do you sell old memory cards, hard drives, or other storage devices?

Summary
Lesson learned? Most used memory cards contain data when sold
Article Name
Lesson learned? Most used memory cards contain data when sold
Description
A recent study conducted by researchers of the University of Hertfordshire about the implications of selling used memory cards revealed that about two-thirds still contain data from previous owners.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. Hamaiton said on January 18, 2020 at 12:25 pm
    Reply

    an interesting article that allows you to deal with many problems https://www.ghacks.net/2018/07/09/lesson-learned-most-used-memory-cards-contain-data-when-sold/

  2. Anonymous said on July 9, 2018 at 8:59 pm
    Reply

    Frankly surprised that so many sold storage devices were properly wiped. I doubt, even 5% of the population understand that they need to special-wipe these devices.

    I guess, there’s obviously something to be said about mainly more tech-savvy people buying (and therefore also re-selling) storage devices. Maybe there’s also some bigger companies that bother with wiping and re-selling all of their storage devices.

  3. Find Data said on July 9, 2018 at 7:17 pm
    Reply

    What about the data service people, manufacturers can recover when cards, hdd etc.die and you send them for warranty?

    1. Kevin said on July 11, 2018 at 3:28 am
      Reply

      This is why it is a good idea to encrypt drives, even if you just write the passphrase on masking tape and stick it on the top. Drive dies while in warranty? No problem, rip off the passphrase and send it in; they can’t read the data since it is encrypted and they don’t have the passphrase.

      Of course writing the passphrase in a special place is better than sticking it on the drive, since that will protect you from data disclosure in the event of theft.

  4. John Fenderson said on July 9, 2018 at 5:36 pm
    Reply

    People sell used memory cards?? And other people buy them???

    I’m honestly surprised. Neither of those things make any sense to me at all.

  5. Kevin said on July 9, 2018 at 5:25 pm
    Reply

    I found a nice I7 laptop with support for up to 16GB (came with 8), hybrid graphics, and even two hard drives installed at a thrift store for $100. A nice deal… It did come with Windows installed and in a corrupted state. I’m sure I could have found lots of personal data in there if I went looking for it. But instead, I wiped the drives (while doing a bad sector test on them) and installed Linux.

    Another laptop I got at the thrift store, the previous user was smarter. It came with no hard drive installed. But I’m glad the first one came with 2 500GB drives, and I’m sure the previous user would be glad to know that I had better things to do than go sifting through data on the thing.

  6. John in Mtl said on July 9, 2018 at 4:57 pm
    Reply

    I can’t count on the fingers of my 2 hands, the number of times I’ve picked up a used computer by the curb or near a recycle bin; took the thing home and found the users’ hard disk left in the box and full of personal information!! Non-tech people have no clue of the potential damage that can be inflicted upon them by carelessly disposing of their old machine. Education is sorely needed in this area.

    Thankfully for them, I’m not a hacker or harbout malevolent intentions so I just wipe the disk and if its any good, reuse it otherwise just toss it in the recycle bin. On the plus side, I did acquire a lot of nice music from those disks !

    1. George P. Burdell said on July 10, 2018 at 1:29 pm
      Reply

      > I can’t count on the fingers of my 2 hands

      OK, @John, here is how to use your fingers to count to higher numbers…

      Assuming you are equipped with two ordinary human hands, note that each hand has a thumb and four fingers, and that each finger consists of three bones (phalanges). Using *one* hand only, rest your thumb in turn on each of your twelve finger bones. You see, already you can count to twelve using only one hand.

      For the next stage of this process, on the opposite hand you can similarly count the number of dozens you counted on your first hand. When you run out of finger bones you will have counted a dozen dozens, or 144 units. The historical word for this is “a gross”. So, you can count to 144 on two hands.

      Boxes of pencils and similar bulk items used to be sold by the gross, and maybe still are.

      https://en.wikipedia.org/wiki/Gross_%28unit%29

      https://www.amazon.com/iScholar-Gross-Pencils-Yellow-33144/dp/B003JFL1WY

      There are many advantages to base-12 counting. For one thing, the number 12 can be evenly divided without fractions by 2,3,4 and 6, an advantage base-10 counting cannot claim.

      http://www.dozenalsociety.org.uk/index.html

      Sometimes when I see somebody counting to ten on their fingers, using both hands to do so, I ask them if they are counting 1 to 10 or zero to 9. The zero to nine people are likely to be computer programmers.

      The singular of phalanges is phalanx, a word used by the ancient Greeks.

      https://en.wikipedia.org/wiki/Phalanx

      Hope this helps.

      1. Clairvaux said on July 10, 2018 at 7:20 pm
        Reply

        I don’t know if it helps, but it’s certainly fun reading when mathematics buffs try and share their passion.

  7. Clairvaux said on July 9, 2018 at 3:55 pm
    Reply

    If Cipher is enough to erase disks, why do people use, and recommend, third-party software such as DBAN ?

    Is Cipher suited to flash memory, as well as spinning disks ?

    1. Martin Brinkmann said on July 9, 2018 at 5:00 pm
      Reply

      SSDs are tricky when it comes to wiping them securely. I suggest you encrypt and then overwrite or run a full format, and then use file recovery software to test. You should not see any traces left thanks to the encryption. Some suggest to encrypt a second time after encrypt and full format to remove any chance of recovering the encryption key.

      Cipher is a command line tool and many may dislike using cipher because of that. I think it is great because it is integrated in Windows and does not require extra downloads. Still, it is best in my opinion to encrypt and then run a software like Cipher or whatever other program overwrites or erases data securely on the drive.

      1. Clairvaux said on July 9, 2018 at 5:43 pm
        Reply

        Thank you. Is it correct to assume that the extra challenge represented by erasing non-spinning storage memory applies similarly to SSDs, memory cards, USB flash drives and any such beasts ?

        Also, my understanding is there are specific problems related to erasing a system disk (mechanical or otherwise), as opposed to a data storage unit.

      2. Martin Brinkmann said on July 9, 2018 at 6:29 pm
        Reply

        SSDs are special as they do come with special firmware and functionality that USB Flash drives and memory cards don’t come with.

  8. Ben said on July 9, 2018 at 3:42 pm
    Reply

    I don’t get why anyone would sell, let alone buy, some used SD card. It’s not like this is some high-priced stuff.

  9. Anonymous said on July 9, 2018 at 3:41 pm
    Reply

    “Normal” people don’t care about data from others, only so-called “researchers” with their “studies” are interested in data nowadays. We all know for who in a large proportion they are doing that job.

    1. John Fenderson said on July 9, 2018 at 6:17 pm
      Reply

      @Anonymous: “Normal” people don’t care about data from others

      Perhaps not (although I think that “normal” people are pretty nosy), but “normal” people (and researchers, for that matter) aren’t the ones that you have to be concerned about. Criminals are, and they certainly do care.

    2. Yuliya said on July 9, 2018 at 5:24 pm
      Reply

      Idk, if I were to buy a second hand drive, the first thing I’d do is run something like Recuva on it (: Curious what kind of nastiness was in there, and maybe have a good laugh.

  10. Weilan said on July 9, 2018 at 12:00 pm
    Reply

    I once bought an HDD that when I install Windows on it, a minute later on the desktop the icons of VLC, WinRAR and a few more would show up on their own. Very weird experience.

    Took some formatting to get rid of this crap.

  11. Paul(us) said on July 9, 2018 at 11:42 am
    Reply

    Other ways to go are:
    A ferry powerful magnet will not work https://www.kjmagnetics.com/blog.asp?p=hard-drive-destruction
    So then this method (also for memory card a possibility to use) is a possibility:
    https://hackaday.com/2008/09/16/how-to-thermite-based-hard-drive-anti-forensic-destruction/
    Or go with Martin his method! :-)

    1. John Fenderson said on July 9, 2018 at 9:41 pm
      Reply

      The last major security software firm I worked for followed a fun method of HDD destruction — they would stack them all* up and use a logsplitter on them.

      *not all, since the logsplitter method is not considered sufficient by the US government, so hard drives used for government work were disposed of by a company specializing in such things.

  12. George P. Burdell said on July 9, 2018 at 11:08 am
    Reply

    Without warning, my basic flip phone became non-functional. Now it cannot be powered on or reset in any way, but it still has its non-removable memory chip in it.

    I think a large hammer and a blow torch will be my only tools for rendering its memory inaccessible. Such violence is kind of sad to contemplate, since the phone was a faithful friend at need.

    Maybe I should just encapsulate the carcass in epoxy and send it to a household trash landfill, to be buried until the next civilization sends around its archaeologists.

    I am stuck in the paralysis of analysis.

    1. Martin Brinkmann said on July 9, 2018 at 5:04 pm
      Reply

      I don’t sell or give away any old devices: I still have my original Google Phone, other smartphones, hard drives, external storage devices, memory cards, and even entire laptops and PCs (all encrypted or securely erased of course).

      1. John Fenderson said on July 9, 2018 at 5:38 pm
        Reply

        I happy that I’m not the only oddball like that!

        I do sometimes give away older computers, but even then, I remove and keep the hard drive.

    2. Yuliya said on July 9, 2018 at 11:22 am
      Reply

      Disassemble it and take the memory chip off the motherboard. Maybe use some pliers to crush it. It will be more than enough. You might find someone who needs the casing of that phone, the display, battery, keyboard, you name it. You’ll make someone happy and end up with a couple of beers worth of money :)

  13. Yuliya said on July 9, 2018 at 11:07 am
    Reply

    I have in my phone a Toshiba Exceria 64GB SDXC USH-I U3. Rated to support 4k recording (it does), quite happy with this thing. I paid about (the equivalent of) 25 EUR a year ago for it. Brand new. I don’t think anyone would pay 10 EUR for it now. Till March 2018 it’s also been heavily used in a camera which records non-stop footage. I wouldn’t sell it for this kind of money, I can’t think of anything I can buy and need of 10 EUR value, so I’d rather keep it and repurpose it at some time in future.

    I wouldn’t sell a HDD either, though I kind of understand why people would do it – they are better value, more expensive and also kind of keep their value. I wouldn’t buy a second hand HDD, but that’s probably just me.

    On the encryption part: most modern phones encrypt their internal storage. They actually enforce it and make it impossible for the average user to disable it. So there a simple format and you should be safe to sell the phone (I’d probably still try to fill it’s memory once with inimportant data, just to be sure). SHould be more than enough to stop most users from recovering anything.

    The SD card encryption is optional though, and I personally would not encrypt them on Android phones. It is a hassle if you want to format the phone and then be able to read it again. The way I do it is, anything personal goes to internat storage. Music, videos, wallpapers, downloaded pictures, etc. go to the SD card.

    Be aware if you did not encrypt the drive from the very beginning: If it mapped some sectors (aka marked some sectors as “bad”) while unencrypted, after you encrypt it, software can be used to recover the unencrypted data which is contained in those bad sectors. You might be so unlucky to have some sensitive data there.

  14. Harro Glööckler said on July 9, 2018 at 11:06 am
    Reply

    Why buy an used card if you can get a new 32gb microsd for 6€ and 128gb for 29€? I think the only buyers are people who want to use data recovery software on them.

    With such low prices they’re also not worth selling…why bother with writing classified ads, packaging and wasting time at post office to get paid an equivalent of a cheap sandwich?

  15. Cinikal said on July 9, 2018 at 10:02 am
    Reply

    Would be interesting to know how many of these devices were stolen before being sold.

    1. Tom Hawack said on July 9, 2018 at 11:09 am
      Reply

      Side-note and 100% off-topic guaranteed…

      In my younger years I’d often buy second-handed books and several of them included written notes appended by former readers. Some people dislike this practice, considering a book is to remain intact, but personally not only do I not dislike it but I moreover love it: it’s like reading and the book and the previous readers’ comments, an added source of thoughts.

      Back to the modern age and its digital devices and life and to your comment, Cinikal:

      “Would be interesting to know how many of these devices were stolen before being sold.”

      My surreal suggestion, to incite device thieves to add to a text file that would never be deleted something like “josh78abc-bronx” used this device from [date] to [date]” — In other words a transparent following of a hand-to-hand device’s odyssey. Now ain’t that a splendid idea?

      1. Cinikal said on July 10, 2018 at 12:02 pm
        Reply

        Creepy

  16. Cinikal said on July 9, 2018 at 9:44 am
    Reply

    Never have sold any but did buy a used replacement for an old laptop. The info on Amazon claimed all hard drives are formated and tested yet I found close to 3 gb of home video, pics and my kind of music. And was able to patch up that windows 7 enough to install windows 10 during the free “upgrade”.

  17. BalaC said on July 9, 2018 at 9:24 am
    Reply

    The article covers the impact of personal data recovery from the used PC/laptop perspective alone and doesn’t contain the steps required for smartphones. If that was also included then it would benefit a lot of people as smartphones are more common now-a-days with lot of personal stuff in them.

  18. Tom Hawack said on July 9, 2018 at 8:47 am
    Reply

    To encrypt the entire storage device and format it afterward seems to be the very best solution to render all data unrecoverable. Why did I have to wait July 9th, 2018 to be aware of this?!

    Speaking of awareness the fact so many owners of computing devices still don’t consider the availability of their data on devices they remove is striking, as those (same users?) who manage passwords apparently unconscious of their relation to their privacy.

    I’m wondering if there is not a widely spread mental process which considers privacy and security only within physical situations, as one’s bicycle or car but less/not at all in digital environments. Yet they wouldn’t share the credit card passwords would they? Odd.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.