Caveat Venditor, Used USB Drive Owner

Abstract: USB drives are a great way of transferring and backing up files. The problem is that they are easily lost, and users do not understand how to secure or properly erase them. When used to store private and sensitive information, this constitutes a risk that users may be unaware of. Consider that people sell used USB drives online -- presumably either their own or drives others have lost. This raises some interesting questions, such as whether sellers know how to ensure that private data is erased before they relinquish the drive to an unknown buyer, and whether sellers use these drives in an attempt to compromise an unwary buyer's device. Governments do indeed issue advice about the risks of used mobile media, but we do not yet know whether this advice is reaching, and being heeded by, the general public. To assess the situation, a sample of used USB drives were purchased from eBay sellers to determine, first hand, what was on the drives. This acts as an indicator of actual security-related behaviours to answer the questions posed above. Using forensic analysis, it was found that a great deal of private and sensitive information remained on many of the drives, but there was no trace of malicious software. More effective ways of enlightening the public are needed, so that private data is not unwittingly leaked via sold used media.