Is my laptop wiped? C, and a recovery partition put in, so that I can sell the laptop

485
Marquise

I took my laptop to a computer shop to have it wiped before resale. The owner wrote in the comments that he wiped the C drive with DOD and set up a recovery partition. Does that sound right? Should my data be gone?

1
I think they zeroed your disk with `dd`. If they did that, your data should be gone. Alex 6 years ago 0
Boot an operating system from an external drive and run a thorough data recovery on the disk. I would use Ubuntu Live and `testdisk`. This is a pretty good indication, but it does not compare to the advanced recovery methods that the DoD specification was meant to protect against. Search for "disk wipe dod standard" for more information. AFH 6 years ago 0

2 answers to the question

1
moonpoint

I'd assume the DOD reference indicates he wiped the hard disk drive (HDD) by overwriting the data on the drive at least 3 times according to the U.S. Department of Defense (DoD) standard 5220.22-M for wiping hard disk drives. From DoD 5220.22-M Data Wipe Method [US DOD Wipe Standard]:

DoD 5220.22-M is a software based data sanitization method used in various file shredder and data destruction programs to overwrite existing information on a hard drive or other storage device.

Erasing a hard drive using the DoD 5220.22-M data sanitization method will prevent all software based file recovery methods from lifting information from the drive and should also prevent most if not all hardware based recovery methods.

If you overwrite all of the data on a drive one time, that's sufficient to make the data unrecoverable by software recovery methods, so recovering the data is then impossible for all but very sophisticated data recovery personnel with access to equipment that can read the strength of the magnetic signal for every bit on the drive. It's still possible for people with that level of expertise to recover data, since overwriting a bit that was 0 on the drive with a 1 will result in a different signal strength for the new 1 than if it was a 1 before it was overwritten. But, unless you are worried about the NSA, or some entity with comparable capabilities, examining your hard drive, that should be sufficient.

However, as the article mentions, the DoD 5220.22-M Data Wipe Method stipulates that the data should be overwritten at least 3 times:

  1. Pass 1: Writes a zero and verifies the write
  2. Pass 2: Writes a one and verifies the write
  3. Pass 3: Writes a random character and verifies the write

The standard calls for overwriting the data multiple times to preclude even more sophisticated methods of hardware data recovery than would be available to a likely buyer. You should always wipe a disk drive before transferring a system to someone else you don't know, since even a fairly unsophisticated user can download free tools from the Internet to recover data from a drive that has merely had the data erased and/or the drive reformatted and repartitioned.

I normally use Darik's Boot and Nuke (DBAN) to wipe hard disk drives. You can specify the number of passes to run. Note: DBAN won't work for a Solid-state Drive (SSD), since the technology is different than for a HDD, but you can buy a commercial product, Blancco Drive Erasure, from the same company that provides DBAN for free that will securely wipe HDDs and SSDs; the cost is currently $18.46 USD.
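The three verified passes listed above can be tried on a disk image file. This is an added example, not part of the answer and not DBAN's code; it assumes "writes a one" means every bit set (0xFF), and the names `write_pass`, `read_back` and `three_pass_wipe` are made up for the illustration.

```python
import hashlib
import os

CHUNK = 1 << 20  # write and verify in 1 MiB pieces

# Pass order from the answer above; "ones" is assumed to mean all bits set (0xFF).
PASSES = [("zeros", lambda n: bytes(n)),
          ("ones", lambda n: b"\xff" * n),
          ("random", os.urandom)]

def write_pass(path, size, fill):
    """Overwrite `size` bytes in place; return the SHA-256 of what was written."""
    digest = hashlib.sha256()
    with open(path, "r+b") as f:
        for off in range(0, size, CHUNK):
            data = fill(min(CHUNK, size - off))
            f.write(data)
            digest.update(data)
        f.flush()
        os.fsync(f.fileno())  # flush to storage; a read-back can still hit the page cache
    return digest.hexdigest()

def read_back(path, size):
    """Hash the first `size` bytes as they now read from the image."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for off in range(0, size, CHUNK):
            digest.update(f.read(min(CHUNK, size - off)))
    return digest.hexdigest()

def three_pass_wipe(path):
    """Run the three passes, verifying each; return the names of the verified passes."""
    size = os.path.getsize(path)  # valid for image files, not for raw block devices
    verified = []
    for name, fill in PASSES:
        written = write_pass(path, size, fill)
        if read_back(path, size) != written:
            raise OSError(f"verification failed on pass '{name}'")
        verified.append(name)
    return verified

if __name__ == "__main__":
    import tempfile
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"constructed sample record\n" * 100_000)  # constructed data
    print(three_pass_wipe(tmp.name))
    os.remove(tmp.name)
```

Hashing the written stream lets the random pass be verified without keeping a copy of it in memory.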

1
TOOGAM

Recommendation

  1. Wipe the drive
    • I actually have a fair amount of experience doing this. I have done this to many drives.
  2. See if your drive supports using “Secure Erase”. If you can do that, then do so.
    • I am mostly writing this based on things I have read. I am guessing that, with the right software, this is probably pretty easy. However, I certainly have not done this recently, and so I am not currently providing details on just how easy this actually is.
  3. Finally, choose from the following, based on your desires:
    • Install an operating system, so the hard drive can be used to usefully operate the computer again
    • or, damage the drive
      • Investigate the DiskStroyer product (mentioned elsewhere on the page). Maybe do this first, in case there is some expectation of rotating the drive platters. If you are willing to spend the time and money to take such an approach, this may be one rather feasible option.
        • I am mentioning this based on research/reading, and am not trying to provide a recommendation based on prior practical experience.
      • Both of these are recommended if you are sure you don't want this drive to be getting easily used again:
        • throw it at something that won't get hurt. I'm most used to seeing this be concrete/pavement
        • crack open, and submerge in liquid

To clarify, from what I've been told in the question that was asked, I consider that step #1 has not yet been done to my satisfaction (as I mention later), so if you're concerned, I would start with that.

Sounds sloppy

He should have wiped the drive, not the C: partition. That would involve erasing every sector, including the first sector of the disk (at least in pre-GPT systems, this was called the MBR). In all probability, destroying the data on the C: will be good enough for you. However, I wonder why he didn't just destroy data on the entire drive, instead of just the C:.

Why didn't he just use DBAN to have the computer perform a software-based "nuke"/"shred" of the entire drive? (Personally, I favor dd. There are multiple ways to accomplish this task.) I'm guessing he simply used some software that provided an easy option to select the C:, and took what he felt like was the easy route.

The fact that he mentioned DOD, as if that is sufficient, helps to make me feel rather unconvinced that he thoroughly applied even the first step of my recommendation. It suggests to me that he heard something that sounded impressive, and went with that. Sadly, I think that's pretty common. My research indicates that the various often-cited DOD standards, which basically involve repeated wiping (possibly involving various patterns and/or pseudo-randomization), provide tons of extra benefit. (As I go on to mention below, it just ain't true.)

If I knew that drive had information that might be valuable (like taxes, which may be valuable to identity thieves), and so I actually cared about protecting the data, I would take the time to start over and have it done right. After all, I estimate that first step would only take me about four minutes of my time, most of which is plugging cords into the computer or finding a blank CD to write to.

No guarantees

Well, maybe one available method offers a pretty good guarantee.

Should my data be gone?

Let's look a bit further at the answer to this question.

The most promising method I've seen to be effective at protecting data from being retrieved is DriveSlag, as shown by these pictures (which are just a few of the ones available on the site):

[Images: hot, hotter, poured]

Anything short of that may be insufficient, from some of the reading I've done on the subject.

I know, I know. Your computer store made the “impressive-sounding” claim of a DoD-wipe. Surely if it meets the standards of the U.S. Department of Defense (“DOD”), that is good enough for you, right?

Well, no... the commonly-cited DOD standard refers to a standard the DOD used in 1983, before the discovery of some methods to retrieve data after a wipe. So, if all you care about are adversaries who limit themselves to technology before the mid 1980s then maybe that's just fine.

See, if you want to prevent me from recovering your data, all you really need to do is perform a full wipe. Take all the ones, and make them zeros. Or vice versa. Or use some other variation that does a complete job, like completely making sure every bit is random. That's fine. That will prevent me from recovering your data, because I don't have use of equipment like an electron microscope.

However, such equipment does exist. For those who are really interested in seeing what used to be on a drive (e.g., perhaps forensic labs used by law enforcement), they may use tools beyond what I, a professional computer technician, have successfully used.

University of California San Diego (UCSD) Center for Magnetic Recording Research (CMRR): G.F. Hughes: Secure Erase, as archived on July 5, 2013 by the Wayback Machine @ Archive.org notes, “Many commercial software packages are available using some variation of DoD 5220, some going to as many as 35 overwrite passes. Unfortunately the multiple overwrite approach is not very much more effective than a single overwrite”...

So, how about Diskstroyer which, like DriveSlag, also takes the approach of damaging the equipment.

CMRR's website had a document that had this question: “Does physical destruction of hard disk drives make the data unrecoverable?” Here is the answer provided:

The disks from disk drives can be removed from the disk drives, broken up and even ground to very fine pieces to prevent the data from being recovered. However, even such physical destruction is not absolute if any remaining disk pieces are larger than a single record block in size, about 1/125” in today’s drives (Note that as the linear and track density of magnetic recording increases the resulting recoverable pieces of disk must become ever smaller if all chances of data recovery after physical destruction alone are to be thwarted). Pieces of this size are found in bags of destroyed disk pieces studied at CMRR2. Physical destruction nevertheless offers the highest level of data elimination (although it is more effective if the data is first overwritten since then there is almost no potential signal to recover) because recovering any actual user data requires overcoming almost a dozen independent recording technology hurdles.

Hold up a ruler. Do you see those little lines? The ones for 1/8 of an inch? How about those really-little lines, which are 1/16 of an inch? CMRR said they can recover from something more than 7.7 times smaller than that: 1/125 of an inch.

Note: This doesn't say that recovery would still be impossible. This just says there'd be a dozen hurdles. However, if the United States government knew that a damaged hard drive contained information about where Bin Laden was hiding during the Bush administration, you can bet that tons of resources would have been deployed to recover that data.

Even the process I recommended above, specifically getting liquid in the drive, might not be sufficient if the adversary is sufficiently funded. For instance, Kroll Ontrack's 2007 list of data disasters documents a British scientist drilling a hole into a drive, and then pouring oil into that hole, yet even that scenario led to data being recovered. Western Digital Data Recovery – Oil Damaged – Yes, Oil! also mentions recovery with oil in a drive. So the point of attacking your drive with liquid is just to reduce simplicity of someone attacking, which will hopefully reduce the likelihood of someone successfully getting that data, but not necessarily to offer an absolute guarantee.

The popular disk wiping software called “Darik's Boot and Nuke” (“DBAN”) has a FAQ entry, Darik's Boot and Nuke FAQ: “Are you absolutely sure that DBAN works properly?”, which starts out by simply saying, “No.” (The FAQ then goes into more details of why that's true.)

Feasible Options

To provide a reasonable amount of protection, which will deter many simplistic recovery efforts (including any that I've been able to pull off), take all the ones, and make them zeros. Or vice versa. Or use some other variation that does a complete job, like completely making sure every bit is random. So, fully wipe the drive.

There was once a time when that was considered sufficient. Then, some people started being concerned about "hidden sectors". Specifically, SSDs might have some "extra" sectors that the drive tries to use in case there is an error in the original batch of sectors. Such sector-remapping techniques had potential for a sector to “survive” (in other words: not be erased) even if the software managed to erase as many sectors as what the drive said is reported.

Perhaps the best approach against that problem is to use a standard called "Secure Erase". This uses an implementation that is built into the drive, and created by the drive manufacturer, specifically for the purpose of erasing data from the drive. If you restrict yourself to what software can perform (without relying on irreversible damage to the drive), there might be no approach that will be more thorough than this.

(Canadian) Communications Security Establishment: Clearing and Declassifying Electronic Data Storage Devices (ITSG-06): printed page 7 (PDF page 13) states: “Since about 2001, all ATA IDE and SATA hard drive manufacturer designs include support for the “Secure Erase” standard. However, SCSI and Fibre Channel hard drives do not support the Secure Erase standard”.

Still not guaranteed

Still, with Secure Erase, you're trusting the drive to do what you told it to. You'd still be vulnerable to the possibility of the drive doing what someone else told it to do before you performed your destructive actions on your old data.

Ars Technica: How “omnipotent” hackers tied to NSA hid for 14 years—and were found at last notes:

One of the Equation Group's malware platforms, for instance, rewrote the hard-drive firmware of infected computers—a never-before-seen engineering marvel that worked on 12 drive categories from manufacturers including Western Digital, Maxtor, Samsung, IBM, Micron, Toshiba, and Seagate.


The malicious firmware created a secret storage vault that survived military-grade disk wiping and reformatting, making sensitive data stolen from victims available even after reformatting the drive and reinstalling the operating system.

If an attacker has managed to get parts of your computer to lie to you, then you may be unable to use software on the compromised machine to be able to recover. (This is basically following the logic of "Reflections on Trusting Trust", a paper written in the 1970s by Ken Thompson, co-author of Unix. Basically, even extraordinary efforts can be potentially insufficient, if the attacker's attack was sufficient to compensate for those measures.)

Summary

Note that if you just have concern about a specific person accessing data, you don't need to be safe from just that person's level of technical competence, but also from the technical capabilities that this person may ask (as a favor, or perhaps paying).

Even if you don't have a 100% guarantee about not having the data be lost, what you can do is assess how important it is that this data isn't recovered, and how simple or expensive your options are, and make a reasonable choice that you're satisfied with. If you're satisfied with the claim made by the store that helped you, that may be okay enough for some people. (Presumably you aren't satisfied with that, since you wrote this question.) The process I laid out at the very start of this answer (in the "Recommendation section") is one that I believe is pretty inexpensive, and yet thorough enough to protect against most unfinanced (potential) attackers.
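The difference between wiping the C: partition and wiping the whole drive, raised in the answer above, can be checked by mapping which byte ranges of a disk image still hold structured data. This is an added example, not part of the answer; the sample image is constructed, the 7.5 bits/byte threshold is an assumption, and the entropy test is a heuristic (compressed or encrypted files also look random).

```python
import math
import os
import tempfile
from collections import Counter

BLOCK = 4096  # large enough for a stable per-block entropy estimate

def classify(block):
    """'zero', 'random' (looks overwritten) or 'data' (structured bytes remain)."""
    if not any(block):
        return "zero"
    n = len(block)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(block).values())
    return "random" if entropy > 7.5 else "data"  # threshold is an assumption

def map_image(path):
    """Return merged [kind, start, end) runs covering the whole image."""
    runs = []
    with open(path, "rb") as f:
        off = 0
        while block := f.read(BLOCK):
            kind = classify(block)
            if runs and runs[-1][0] == kind:
                runs[-1][2] = off + len(block)  # extend the current run
            else:
                runs.append([kind, off, off + len(block)])
            off += len(block)
    return runs

def build_sample(path):
    """Constructed image: boot block, a 'C:' area overwritten with random bytes,
    then an area the wipe never touched."""
    boot = bytearray(BLOCK)
    boot[510:512] = b"\x55\xaa"  # MBR boot signature at the end of sector 0
    with open(path, "wb") as f:
        f.write(boot)
        f.write(os.urandom(64 * BLOCK))
        f.write(b"constructed leftover record 001\n" * (8 * BLOCK // 32))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "sample.img")
        build_sample(img)
        for kind, start, end in map_image(img):
            print(f"{start:>8} {end:>8} {kind}")
```

On the constructed image only the middle range reads as overwritten; the first block and the tail still classify as data, which is the pattern a partition-only wipe leaves behind.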