If I only wiped 10% of a hard drive before selling it, am I 90% screwed?
December 15, 2010 8:51 AM   Subscribe

What damage control measures can I do for selling my PC on eBay which was only partially wiped? Yes, I know how stupid this was.

I recently sold a win7 xpc shuttle pc which I was using as an HTPC for about a year, but it got increasingly unstable so I sold it on eBay. There were no saved passwords, but I did run dropbox to sync my (mac) 1password keychain, and it contained about 500 gigs of tv shows and movies. I used the program eraser to delete the local dropbox copies of all files, and then booted into Darik's Nuke and Destory to do a 'Quick' single-pass erase, but I majorly underestimated how long it would take, and only got 10% through before the buyer came to pick it up, and in a stroke of shockingly bad judgement, I just handed it over before it could complete. I should probably mention some of the movies were of the adult variety, and most everything else came from torrents. Location is Australia if relevant.

I've already gone and changed all my major passwords, but I still feel pretty vulnerable. I don't have any particular reason to suspect the buyer themselves has malicious intent, but looking over their feedback in retrospect, I would be surprised if they didn't just buy electronic stuff in bulk and sell it elsewhere for profit, and I can't guarantee they will be installing a new O/S, or if that would even matter in the situation.

I suppose my question is, how concerned should I be, and what (if any) other damage control measures can I take, apart from going back in time and not being such a moron.

posted by anonymous to Computers & Internet (8 answers total) 1 user marked this as a favorite
Your mind is leaping to the worst possible conclusion.

If you think of the patience, technical expertise AND motivation that would be required of anything particularly embarrassing or serious coming of this you can see it is very unlikely indeed. Even if the buyer had the expertise to recover the remaining data, he'd have to have a pretty big grudge against you (a stranger) to make anything of this.

Weighing up the scenarios, the best for you - he reinstalls an OS on the drive when he gets home - seems highly likely to me.
posted by fire&wings at 9:08 AM on December 15, 2010

Wiping the first 10% (or even 1%) of a drive is extremely damaging. The machine won't boot and the drive won't appear to have any data on it unless someone uses special data recovery tools. They'll have to reinstall the OS before the machine is at all usable. I don't think you have much to worry about, as the machine will probably be sold to someone who just wants to use it and who will start with a fresh install.
posted by pocams at 9:09 AM on December 15, 2010

I might follow up with the buyer and ask how the computer is doing, and if they are 100% satisfied with it or not. This opens the door for a return if they have any buyers remorse, which helps return some control back to you. Otherwise it makes them think "really awesome seller", so if they find some personal data on the computer they might be more inclined to do the right thing. If they're reselling the computer B2B or to another client, then yeah, it's out of their hands, but someone along the chain is more more likely to wipe the drive and put a sparkling new OS on it.
posted by crapmatic at 9:19 AM on December 15, 2010

Agree with all those who say that it sure seems like the most likely outcome is that someone will just reinstall an OS and not bother with your PC.

If someone *does* decide to snoop on the HD, it's not so clear what you are worried about:

- Are you worried they will steal your passwords? But, apart from possibly already being unreadable do to being erased (not clear to me how you erased it) and being on a partially-nuked drive,the 1password keychain is encrypted.

- You seem to have some set of worries about the porn and torrents. It's not clear what those concerns are.
posted by ManInSuit at 10:01 AM on December 15, 2010

It is very unlikely they will be able to get anything off of that drive. The filesystem is in complete shambles. All they will be able to do is run a scanner program that looks at every block of the drive and see if that block contains a recognizable file header. If it does, part of that file might be accessible. But (as I learned the hard way) probably only the files that aren't fragmented will be anything near intact. Movie files are right out. Images and text files, potentially.

But that's only if they ever tried or had the expertise to do this. It is a pretty rare skill/hobby.
posted by gjc at 5:28 PM on December 15, 2010

I don't doubt that this person has probably simply reinstalled the OS and wiped the drive.

I don't want to worry you, but it is possible to recover from wiping the first 10%. They would locate a copy of the NTFS boot sector just after at the end of the NTFS partition, and from that boot sector copy, they could find the start of the Master File Table (MFT), which often starts farther in than the first 10% of the drive. Using the MFT, which is a table of contents, they could have perfect access to what is left of your drive (specifically, what's left and not encrypted).

In fact, even without the MFT, if you did overwrite it, they could carve out the files that remain, especially images and movies. For example, scalpel is a program that does that well, and it's free.

So, if you have some illegal content on there (beyond copyrighted material), then yeah, I'd be worried. But if you are just embarrassed by something legal but prurient, then don't worry about it. File carving is pretty specialized knowledge. They'd need to know how to boot the computer into linux and mount your drive as a secondary file system, and then compile and run scalpel.

[on preview, gjc and I agree.]
posted by Tristram Shandy, Gentleman at 5:43 PM on December 15, 2010 [1 favorite]

While the geek in me would be tempted to run some sort of recovery software on an HD I bought on the internet. I ultimately would just re-wipe the drive and load my files/OS on to it. Yes, you could be a little screwed, but the likely scenario is that they will use it and write over whatever you didn't erase.
posted by darkgroove at 6:38 AM on December 16, 2010

10% of a 500 gig disk is quite a bit of data. Most likely you destroyed the OS and user profile stuff as thats going to be written on the first part of the disk (lets ignore fragmentation for now, which actually works in your favor). These are the areas that are going to have all the juicy info.

Arguably, a malicious buyer with a lot of time on his hands could retrieve data from the other 90% part of the disk but as others have said, the MFT is probably gone (perhaps not its backup closer to the middle of the disk) and fragmentation is difficult to overcome without this information. I've done enough amateur data recovery to know that this stuff isn't trivial and that a casual techie could start pulling valuable information (passwords, etc) from this is far fetched.

In other words, you're over-worrying.
posted by damn dirty ape at 8:10 AM on December 16, 2010

« Older Need your creative juice for filling a toy vending...   |   She's leaving but not gone. Newer »
This thread is closed to new comments.