Rendering Hard Drives Unrecoverable

I’ve tried my best to write this as seriously as possible, but anything involving axes and PACS Managers legitimately using them in day-to-day work is never going to be 100% straight faced!

Recently, there has been concern in some regions about the excessive costs from 3rd parties related to the ‘proper’ destruction of hard drives (hard drives removed from PACS servers or reporting workstations following decommissioning, procurement of a new system, or simply failed drives replaced under a managed service agreement).

There is actually no need to pay 3rd parties for the ‘secure’ destruction of hard drives as it’s a fairly simple process to carry out in-house.

Hard drives are sensitive and precise devices - opening up and taking out the platters, scratching and deforming them, renders the data entirely unrecoverable except to state level reconstruction efforts. This takes around 30 minutes per drive. However, to reduce this (still safely and securely) to around 10 minutes per drive the following procedure has been used for those whose budgets for 3rd party destruction are non-existent and have limited time:

  1. remove the circuit board (usually just 4 screws) - this is sent for electronics waste recycling as per normal;
  2. lay out the drives on bricks, concrete blocks, or the floor if you aren’t in a PPI building;
  3. drive an axe* into the centre of each disk, once from each side;
  4. transfer and leave the drives in a bucket of salt water for 1 week;
  5. send the remains for recycling (or landfill).

Following the process above will remove almost any possibility of resurrecting the drives (or recovering data) and does not require spend on specialist destruction companies.

If the drives were already defective prior to this process (swapped out due to failures) then the likelihood of reconstruction attempts succeeding is nil. If the drives were also part of a RAID, meaningful recovery is zero.

For newer solid state drives (SSDs), simply using the axe on the device will render it permanently irrecoverable.

*yes, an axe is not standard equipment in PACS offices, but estates generally carry spares. If you now see an axe in the PACS Office in the future, it may or may not be that the team has been handling a batch of disks for destruction (it could be that the volume of IEP requests became too much).

2 Likes

While an axe is not standard issue, neither is the protective gear needed to mitigate the flying pieces of metal*. And for anything on optical media (anyone got CDs/DVDs going around?), there is genuinely a cleanup cost from shattering polymers (personal experience).

*Perhaps a decent drill might be a better option - and require less military-style PPE? 🙂

I think you will be better off buying a small hydraulic press for around £500, such as this one:

Sealey Premier Hydraulic Press 15tonne Bench Type (craigmoreonline.co.uk)

Place the drive in a plastic bag, press it to a 60 degree angle and call it done. Pieces that come off the drive will be retained in the bag. Then send for recycling.

2 Likes

I’m not sure I completely agree with the blanket comment that recovery chances of a disk on a RAID array are zero. This will depend on the RAID level: e.g. RAID1 mirrored drives are likely to be recoverable in full (before physical destruction). It also may be possible to repair a mechanically failed disk for data recovery, if your adversary has the resources.

Two other (software) approaches that require less hardware (axes or otherwise) and might be of interest (especially for any home equipment containing sensitive data that you would like to re-purpose):

shred

crypto-erasing for users of encrypted discs:

The National Cyber Security Centre has produced guidelines on exactly this topic:

I think the Hydraulic Press may be over-engineering it slightly but it could still be good value depending on what third parties are quoting!! It sounds like they may be taking advantage. In my opinion, doing it (properly) yourself is far better than using a trusted third party (if you are competent to perform this), as it’s the only way you can be absolutely sure of the outcome.
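Added example, not part of any post in this thread: a small model of the RAID point raised in the reply above, showing which stripe units a single retired member disk holds in clear under RAID 1, RAID 0 and RAID 5. The 16-byte stripe unit, the rotating-parity placement and the sample records are constructed assumptions; real arrays use stripe units of tens to hundreds of KiB, so each clear unit can hold many complete records.

```python
# Added example: what one retired member disk holds under RAID 0, 1 and 5.
# The model and its 16-byte stripe unit are constructed for illustration.
from functools import reduce

CHUNK = 16  # stripe unit in bytes (real arrays use tens to hundreds of KiB)

def split_units(data, size=CHUNK):
    """Split data into fixed-size stripe units, zero-padding the last one."""
    padded = data + b"\0" * (-len(data) % size)
    return [padded[i:i + size] for i in range(0, len(padded), size)]

def parity(blocks):
    """Byte-wise XOR of equal-length blocks, as used for RAID 5 parity."""
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def raid_layout(data, level, n_disks):
    """Per disk, a list of (unit_index or None for parity, unit_bytes)."""
    units = list(enumerate(split_units(data)))
    if level == 1:                          # mirror: each member is a full copy
        return [list(units) for _ in range(n_disks)]
    disks = [[] for _ in range(n_disks)]
    if level == 0:                          # stripe: round-robin, no redundancy
        for i, unit in units:
            disks[i % n_disks].append((i, unit))
        return disks
    if level == 5:                          # stripe with rotating parity
        width = n_disks - 1
        for row, start in enumerate(range(0, len(units), width)):
            stripe = units[start:start + width]
            p = parity([u for _, u in stripe])
            parity_disk = (n_disks - 1 - row) % n_disks
            data_disks = [d for d in range(n_disks) if d != parity_disk]
            for d, entry in zip(data_disks, stripe):
                disks[d].append(entry)
            disks[parity_disk].append((None, p))
        return disks
    raise ValueError("unsupported RAID level")

def clear_units(member):
    """Indices of original stripe units readable as-is on one member disk."""
    return [i for i, _ in member if i is not None]

# Constructed sample: twelve 16-byte records, one per stripe unit.
SAMPLE = b"".join(b"PATIENT-%04d-MRI" % i for i in range(12))

if __name__ == "__main__":
    for level, n in ((1, 2), (0, 4), (5, 3)):
        member = raid_layout(SAMPLE, level, n)[0]
        print(f"RAID {level}, {n} disks: member 0 holds units {clear_units(member)}")
```

In this model a RAID 1 member is a complete copy, while a RAID 0 or RAID 5 member still carries whole stripe units unencrypted, so array membership on its own does not sanitise a drive.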