Bit Level Forensics Examinations - Fact or Fiction

From: Brown, Matthew (Matthew.Brownat_private)
Date: Sat Apr 28 2001 - 19:57:36 PDT

    Folks
    
            I have a large client that insists that there is yet another
    deeper level of examination that I am not performing.  The individual at
    the client is impressively technical, but I believe has fallen for an
    urban myth that I've seen show its face for more than a decade.  After
    discovery of evidence at the logical file level and then again with a
    sector editor with search features I also peek into slack space and
    several other pockets where data may still be found.  Here is what I've
    heard in the past and what I have also heard reiterated by my client:
    
            It might be possible to examine recently overwritten data at the
    bit level.  This would involve removing the platters from the hard drive
    case in a level-10 clean room and remounting them on a highly expensive,
    highly sensitive electromagnetic field reader.  This reader would have to
    have the ability to pin-point and measure each bit recorded on a platter
    (not a small task) and record its electromagnetic readings for each bit
    in a separate storage area.  By evaluating the readings of the bits you
    could then determine which bits had been recently changed.  The idea would
    then be to determine which bits needed to be toggled back to their other
    state.  In theory, or so I've been told, this would render the data as it
    was before it was overwritten.
    
            Two things:
    
    1.  I was unable to find any commercial services that advertise or perform
    this procedure.  I did find references to several technologies that would
    lend themselves to being able to read or evaluate the values of a bit, but
    none were specifically designed to perform this procedure.  I was in the
    Air Force in the early 1980s when I first heard about this, but was
    surprised to find little information on this theory (at least Usenix had
    some papers on the subject, theory that is).
    
    2.  Even if it were possible, I'd like to see counsel explaining to a
    judge how their experts changed the bits to render their evidence.  Aside
    from the legal issue, I can see three states of a single bit that is
    subject to this type of procedure.  The first state would be that of the
    original data, let's say it's a zero (0).  The second state would be that
    of the changed bit, that would be a one (1).  The third state would be the
    recovered bit, which would be a zero (0) once again.  This might be fine
    as long as there was a difference between state 1 and state 2.  What if
    the bit was originally a 1 and then during the overwrite it was written
    again as a 1.  The procedure would overwrite a valid 1 with a false 0 and
    probably render the data useless.  The technology doesn't check the
    state of a bit when it overwrites it, it just overwrites on demand.
    
            I hope someone else has heard of this theory/procedure and can
    shed some more light on the matter.  Other feedback is welcome.
    
    Matthew Brown, CISSP
    California
    
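The three-state argument in the message above can be checked with a small model. The following is an added example, not part of the original post and not any tool the author used: it treats each bit on the platter as a value plus a hypothetical "freshly written" signature, applies the toggle-back procedure exactly as the message describes it, and reports how far the result is from the original data. The names (`Bit`, `overwrite_sector`, `toggle_fresh_bits`, `recover`) and the sample bytes are constructed for the illustration.

```python
# Constructed model of the "toggle the recently written bits" theory.
# Added example for illustration; not part of the original post.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Bit:
    """One magnetic domain on the platter (hypothetical model)."""
    value: int    # current polarity, 0 or 1
    fresh: bool   # residual signature of a recent write, as the theory assumes


def overwrite_sector(original: bytes, overwrite: bytes) -> List[Bit]:
    """Simulate the drive rewriting a sector holding `original` with `overwrite`.

    The drive never reads the old polarity before writing; it writes every
    bit on demand.  So every bit ends up carrying the fresh-write signature
    whether or not its value changed.  `original` is accepted only to make
    the point that the final magnetic state does not depend on it.
    """
    if len(original) != len(overwrite):
        raise ValueError("sector lengths differ")
    platter: List[Bit] = []
    for new_byte in overwrite:
        for i in range(7, -1, -1):
            platter.append(Bit(value=(new_byte >> i) & 1, fresh=True))
    return platter


def bits_to_bytes(values: List[int]) -> bytes:
    """Pack a list of 0/1 values, MSB first, back into bytes."""
    out = bytearray()
    for i in range(0, len(values), 8):
        byte = 0
        for v in values[i:i + 8]:
            byte = (byte << 1) | v
        out.append(byte)
    return bytes(out)


def toggle_fresh_bits(platter: List[Bit]) -> bytes:
    """The described procedure: flip every bit whose reading says 'recently written'."""
    return bits_to_bytes([b.value ^ 1 if b.fresh else b.value for b in platter])


def bit_error_rate(a: bytes, b: bytes) -> float:
    """Fraction of bit positions where a and b disagree."""
    diff = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return diff / (8 * len(a))


def same_bit_fraction(a: bytes, b: bytes) -> float:
    """Fraction of positions where a and b already agree (the 1 -> 1 / 0 -> 0 case)."""
    return 1.0 - bit_error_rate(a, b)


def recover(original: bytes, overwrite: bytes) -> Tuple[bytes, float]:
    """Run the procedure and return (recovered bytes, error rate against original)."""
    recovered = toggle_fresh_bits(overwrite_sector(original, overwrite))
    return recovered, bit_error_rate(recovered, original)


if __name__ == "__main__":
    original = b"EVIDENCE"   # constructed sample data
    for wipe in (bytes(8), bytes([0xFF]) * 8, b"FORENSIC"):
        recovered, err = recover(original, wipe)
        print(f"overwrite={wipe!r:14} recovered={recovered!r:34} "
              f"error={err:.3f} (same-bit fraction {same_bit_fraction(original, wipe):.3f})")
```

Because the drive writes every bit, the toggled result is simply the bitwise complement of the overwrite pattern and carries no information about the original. The error rate equals the fraction of positions where the old and new bits already agreed, which is about half for unrelated data and the whole zero-bit population of the original for a zero-fill wipe.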



    This archive was generated by hypermail 2b30 : Sun Apr 29 2001 - 07:30:31 PDT