Discarded Devices – A Danger to your Data

Wednesday, January 31, 2018

Every rainy and windy day I walk through many parts of London and there are endless displays of rubbish strewn across the sidewalks (some neighbourhoods more than others). Perhaps the collection is Thursday and people have left their refuse on display on a Tuesday – naughty tenants.

Among the discarded artefacts are wilted attempts to ‘eat green’, packaging for fitness trackers and crumpled New Year’s slogans plastered to dated copies of Time Out. The most alarming of these casual observances are ditched electronic storage devices. Did someone get a new tablet or ‘thin computer’ during the holidays and decide to dispose of the old model? If my wife isn’t with me, I will often inspect the desktops and laptops left on the roadside to see if hard drives are still resting comfortably, though never actually touching them –other people’s data, gross!

Likely unbeknownst to the persons discarding these items, tools like X-Ways, Bulk_Extractor and others can be used to run pattern queries (Regular Expression ‘RegEX’ or GREP) to pull out strings of commonly structured data, for instance a National Insurance Number (UK), Social Security number (US), e-mail address, phone number, American Express card details and the list goes on.

I am always reminded of a peer-reviewed journal article from ten years past titled, Who is Reading the Data on Your Old Computer, which was published in the Journal of Digital Forensics Security and Law (JDFSL), in which I have also reviewed pieces and authored content ( The premise of the article is raising awareness of potentially sensitive data that is likely to remain on storage devices that are carelessly discarded, citing older photocopiers for instance, which may contain unencrypted copies of passports, medical records and other high-risk information.

This study has not been replicated with the same structure and focus since 2008 or hasn’t been published to my knowledge. The difference between this study and my cheeky sidewalk example is that older computers were bought on auctioning sites (think: eBay), versus being grabbed off the street. Poorly mitigated, or improperly destroyed devices, could present serious risk to companies of all types. Theft of intellectual property and corporate espionage are just a few of the examples that come to mind.

This is a stark reminder that data needs to be properly encrypted, or barring that, truly destroyed. These methods are no longer reserved for specialised police units or government task forces. Our society is far more technically savvy and those who wish to exploit data, itself an emerging currency of sorts, can access tools to accomplish these feats with relative ease.

There are several reasons companies will want to look inward at their information security, not the least of which are:

  1. It gives peace of mind to shareholders and employees.
  2. It may not only be a requirement, but a benefit to appease insurers who underwrite the business, particularly if it can be adequately demonstrated that such mitigating efforts have been implemented.
  3. What’s happening with out-of-date devices inside a company? Are they being stored until they can be securely destroyed or are they ‘recycled’ among the other bits? As controllers of data, companies will have 72-hours to report data breaches (upon becoming aware) under forthcoming GDPR legislation, so knowing where data resides and its life status are becoming more important than ever.

Similar to a departing employee protocol, companies should consider data destruction fundamental to their process and strategy. Companies can reduce risk and save on cost by forensically acquiring devices so their contents are soundly preserved, but where the originals can be securely wiped for recirculation or reuse. If the devices have hit their end of life, then I think I’ve made a fairly strong case for sound destruction regardless. Think long and hard before you just toss your devices in the trash bin – and not just because it’s the wrong collection day in London – or anywhere else around the globe!  Data knows no boundaries.

Author: Timothy LaTulippe


With a Masters in Data Forensics Management, Timothy holds a variety of certifications including EnCE, CCE the DFCP. He has assisted in complex investigations in both the public and private sectors, working with government agencies, Fortune 100 corporations and AM Law 100 firms to provide complete, correct analysis of incidents and issues from theft of data, to breach and egress issues.

More Posts

View all Posts


    Subscribe to receive our
    Experts’ Insights Blog feed.

  • Get in Touch