Folks, I have a large client that insists that there is yet another deeper level of examination that I am not performing. The individual at the client is impressively technical, but I believe has fallen for an urban myth that I've seen show its face for more than a decade. After discovery of evidence at the logical file level and then again with a sector editor with search features, I also peek into slack space and several other pockets where data may still be found.

Here is what I've heard in the past and what I have also heard reiterated by my client: It might be possible to examine recently overwritten data at the bit level. This would involve removing the platters from the hard drive case in a level-10 clean room and remounting them on a highly expensive, highly sensitive electromagnetic field reader. This reader would have to have the ability to pin-point and measure each bit recorded on a platter (not a small task) and record its electromagnetic readings for each bit in a separate storage area. By evaluating the readings of the bits you could then determine which bits had been recently changed. The idea would then be to determine which bits needed to be toggled back to their other state. In theory, or so I've been told, this would render the data as it was before it was overwritten.

Two things:

1. I was unable to find any commercial services that advertise or perform this procedure. I did find references to several technologies that would lend themselves to being able to read or evaluate the values of a bit, but none were specifically designed to perform this procedure. I was in the Air Force in the early 1980s when I first heard about this, but was surprised to find little information on this theory (at least USENIX had some papers on the subject, theory that is).

2. Even if it were possible, I'd like to see counsel explaining to a judge how their experts changed the bits to render their evidence.
Aside from the legal issue, I can see three states of a single bit that is subject to this type of procedure. The first state would be that of the original data, let's say it's a zero (0). The second state would be that of the changed bit, that would be a one (1). The third state would be the recovered bit, which would be a zero (0) once again. This might be fine as long as there was a difference between state 1 and state 2. What if the bit was originally a 1 and then during the overwrite it was written again as a 1? The procedure would overwrite a valid 1 with a false 0 and probably render the data useless. The technology doesn't check the state of a bit when it overwrites it, it just overwrites on demand.

I hope someone else has heard of this theory/procedure and can shed some more light on the matter. Other feedback is welcome.

Matthew Brown, CISSP
California
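The three-state argument in the post can be checked with a small simulation. The following is an added example, not part of the original message or any tool it mentions; it models a platter as a list of bits plus a constructed "freshly written" flag per bit (the stand-in for the field reading that the proposed reader would take), assumes the write head refreshes a cell whether or not its value changed, and applies the naive "toggle every recently written bit" recovery. The functions, the Platter type and the sample bit patterns are all constructed here for illustration.

```python
"""Toy model of the 'toggle the recently changed bits' recovery idea.

Assumptions (constructed for this example, not from the original post):
  - Every cell inside an overwritten region reads as 'freshly written',
    because the head re-magnetizes it regardless of the value it carried.
  - The naive recovery flips every cell that reads as freshly written.
"""
import random
from dataclasses import dataclass


@dataclass
class Platter:
    bits: list            # current stored value of each cell, 0 or 1
    fresh: list           # constructed stand-in for 'field reading says recently written'


def make_platter(bits):
    """Build a platter whose cells were all written long ago (nothing is fresh)."""
    return Platter(list(bits), [False] * len(bits))


def overwrite(platter, start, new_bits):
    """Write new_bits over the region starting at `start`.

    The fresh flag is set even when the new value equals the old one: the
    write does not check the cell's state, it just overwrites on demand.
    """
    for i, b in enumerate(new_bits):
        platter.bits[start + i] = b
        platter.fresh[start + i] = True
    return platter


def naive_recover(platter):
    """The proposed procedure: toggle every bit that reads as recently changed."""
    return [b ^ 1 if f else b for b, f in zip(platter.bits, platter.fresh)]


def wrong_positions(original, recovered):
    """Indices where the 'recovered' image disagrees with the real original."""
    return [i for i, (o, r) in enumerate(zip(original, recovered)) if o != r]


def same_value_positions(original, start, new_bits):
    """Indices in the overwritten region where the new value equals the old one
    (the post's 'a 1 written again as a 1' case)."""
    return [start + i for i, b in enumerate(new_bits) if original[start + i] == b]


def worked_example():
    """Small fixed case: original 00001111, region [2:6] overwritten with 1010.

    Returns (recovered image, indices the recovery got wrong).
    """
    original = [0, 0, 0, 0, 1, 1, 1, 1]        # constructed sample data
    overwrite_bits = [1, 0, 1, 0]             # constructed overwrite pattern
    platter = overwrite(make_platter(original), 2, overwrite_bits)
    recovered = naive_recover(platter)
    return recovered, wrong_positions(original, recovered)


def error_rate(n_bits=10000, seed=1):
    """Fraction of cells the naive recovery gets wrong when a region is
    overwritten with random bits: every cell whose value did not change
    is flipped to the wrong state."""
    rng = random.Random(seed)
    original = [rng.randint(0, 1) for _ in range(n_bits)]
    new_bits = [rng.randint(0, 1) for _ in range(n_bits)]
    platter = overwrite(make_platter(original), 0, new_bits)
    recovered = naive_recover(platter)
    return len(wrong_positions(original, recovered)) / n_bits


if __name__ == "__main__":
    recovered, wrong = worked_example()
    print("recovered image:", recovered)
    print("cells recovered incorrectly:", wrong)
    print("error rate with random overwrite: %.3f" % error_rate())
```

In the fixed case the cells the procedure gets wrong are exactly the ones where the overwrite wrote the same value that was already there, which is the third-state problem the post raises; with a random overwrite pattern roughly half of every region comes back wrong, because the reader cannot distinguish "changed to 1" from "rewritten as 1" when both leave a freshly written cell.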
This archive was generated by hypermail 2b30 : Sun Apr 29 2001 - 07:30:31 PDT