Re: Bit Level Forensics Examinations - Fact or Fiction

From: Ben Ford (bfordat_private)
Date: Mon Apr 30 2001 - 14:28:21 PDT


Brown, Matthew wrote:

> 1.  I was unable to find any commercial services that advertise or
> perform this procedure.  I did find references to several technologies
> that would lend themselves to being able to read or evaluate the
> values of a bit, but none were specifically designed to perform this
> procedure.  I was in the Air Force in the early 1980s when I first
> heard about this, but was surprised to find little information on this
> theory (at least Usenix had some papers on the subject, theory
> that is).
>
> 2.  Even if it were possible, I'd like to see counsel explaining to a
> judge how their experts changed the bits to render their evidence.
> Aside from the legal issue, I can see three states of a single bit
> that is subject to this type of procedure.  The first state would be
> that of the original data, let's say it's a zero (0).  The second
> state would be that of the changed bit, that would be a one (1).  The
> third state would be the recovered bit, which would be a zero (0) once
> again.  This might be fine as long as there was a difference between
> state 1 and state 2.  What if the bit was originally a 1 and then
> during the overwrite it was written again as a 1?  The procedure would
> overwrite a valid 1 with a false 0 and probably render the data
> useless.  The technology doesn't check the state of a bit when it
> overwrites it, it just overwrites on demand.
>
>         I hope someone else has heard of this theory/procedure and can
> shed some more light on the matter.  Other feedback is welcome.
>
> Matthew Brown, CISSP
> California


Look at it this way.  You are recording digital information on an analog
media.  There is no such thing as '1' and '0'; they are just very close
to it.  At the hardware level this is interpreted to be ones and zeros.
Your software never sees the analog values, just the circuitry of the
hard drive itself.

That means, as you write and overwrite stuff, the values add to and
cancel each other.  In other words, if you have an extremely high value
for zero, it just might have been recently overwritten.  You can scan
the bits with an electron microscope and use a supercomputer to
calculate original values.  Remember the games where you'd shoot a laser
through a blank matrix and you'd have to calculate which nodes were used
by how the laser reflected?  That is very similar to this method.


-b

--
"People love to smack Microsoft,"
	--Bruce Schneier
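The mechanism Ben sketches, as an added toy simulation that is not part of the thread and not a model of any real drive: the residue fraction and the "microscope" resolution are assumed constants. It shows why software only ever sees the latest bit, how an unusually high level for a zero betrays a recent overwrite (including a 1 written over a 1 versus over a 0), and how the trace shrinks by a constant factor per generation so only a few writes back can be distinguished.

```python
# Toy model of the mechanism described in the reply: the platter holds analog
# levels, the drive electronics slice them into 0/1, and every overwrite leaves
# a faint trace of the level that was there before.  Constructed illustration;
# the constants are assumptions, not measurements of any real drive.

RESIDUE = 0.08      # fraction of the old level surviving an overwrite (assumed)
RESOLUTION = 0.002  # smallest level step the "microscope" resolves (assumed)


def overwrite(level, bit):
    """Analog level left on the platter after writing `bit` over `level`."""
    return (1 - RESIDUE) * bit + RESIDUE * level


def drive_reads(level):
    """What the drive's circuitry, and therefore software, reports."""
    return 1 if level >= 0.5 else 0


def measure(level):
    """Microscope reading: the true level quantised to RESOLUTION."""
    return round(level / RESOLUTION) * RESOLUTION


def recoverable_generations():
    """Number of write generations whose trace is still above RESOLUTION."""
    g = 0
    while (1 - RESIDUE) * RESIDUE ** g >= RESOLUTION:
        g += 1
    return g


def recover_history(measured):
    """Peel writes off a measured level, most recent first.
    Each step divides the remaining signal (and the measurement error) by
    RESIDUE, so only recoverable_generations() bits are trustworthy."""
    bits = []
    for _ in range(recoverable_generations()):
        bit = drive_reads(measured)
        bits.append(bit)
        measured = (measured - (1 - RESIDUE) * bit) / RESIDUE  # undo one write
    return bits


def record(bits):
    """Write a bit sequence onto a blank (level 0.0) cell; return final level."""
    level = 0.0
    for b in bits:
        level = overwrite(level, b)
    return level
```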



This archive was generated by hypermail 2b30 : Tue May 01 2001 - 06:50:40 PDT