At 07:57 PM 4/28/01 -0700, Brown, Matthew wrote: > It might be possible to examine recently overwritten data at the > bit level. This would involve removing the platters from the hard drive > case in a level-10 clean room and remounting them on a highly expensive, > highly sensitive electromagnetic field reader. This reader would have to > have the ability to pin-point and measure each bit recorded on a platter > (not a small task) and record it's electromagnetic readings for each bit > in a separate storage area. By evaluating the readings of the bits you > could then determine which bits had been recently changed. The idea > would then to determine which bits needed to be toggled back to their > other state. In theory, or so I've been told, this would render the data > as it was before it was overwritten. I don't have any firsthand knowledge of a technique for reconstituting overwritten data by examining the electromagnetic signatures per se, but there is a technique called Scanning Tunnel Electron Microscopy that allows a skilled investigator to look at the physical traces left by old data. Basically, subsequent tracks do not perfectly overwrite one another--each new pass creates a slightly deeper 'ditch' as it interacts with the physical media of the platter. The pattern left by previous writes can often be seen on the 'side walls' of the new track using the STM. This is quite sophisticated technology, I must warn you, and both the price and the learning curve should you decide to take it on yourself would be steep. However, I'm sure there are private firms and university labs which will perform the analyses for you on a contract basis. Cheers, RGF Robert G. Ferrell, CISSP Information Systems Security Officer National Business Center-Texas Robert_G_Ferrellat_private
This archive was generated by hypermail 2b30 : Mon Apr 30 2001 - 10:13:49 PDT