Re: Recovering data from a wiped HD

From: Matthew.Brownat_private
Date: Tue Oct 02 2001 - 13:30:21 PDT


    Javi
    
            This issue comes back from time to time.  The Usenix needs to 
    provide a proof of concept, I'm not sure they realized how often this 
    theory would be revisited.  This was a concern of ours during the Cold 
    War, while I was in the DoD that is.
    
    Costs:  The equipment cost no longer appears to be an issue.  You would 
    need a raw disk platter controller and mount, a clean room, a 
    semi-powerful microscope. This is just the basic equipment list, but could cost 
    under $10,000.00 before you could start your own microscopic examination 
    of the bit areas, which are referred to as "domains".
    
    Probability/Candidates:  There are two types of candidates for this 
    theoretical procedure.
            1.  If the drive has been zeroized (old Crypto variable term) to 
    overwrite all data (hex 00 written to each byte = all binary zeros written 
    to each domain).  It might be like trying to interpret a  poster on a wall 
    that has been white-washed.  The problem is that both the ones and the 
    zeros have had zeros written on top of them.  The only hope you have is 
    that the most recent constant zeroizing process would be slightly 
    (microscopically) off-set, thereby revealing the previously recorded 
    binary digit pattern.  This may even work even if the different patterns 
    are swept across the drive several times.
            2.  If the drive has been re-partitioned, reformatted, and a new 
    instance of an operating system has been installed.  Good luck.  That 
    would be like trying to interpret a poster with another poster plastered 
    on top.  I do not consider this a candidate, at all.
    
    Time:    Do the math!  How many domains are there on a 20GB laptop hard 
    drive?  Multiply the number of domains by how long it would take to 
    visually determine a single domain and then toggle the domain on another 
    drive.  I didn't promise there wouldn't be a math test today.  Hint:  A 
    lifetime.  I'd hate to QC this person's work, what an error rate.  I do 
    concede that this process could possibly be automated.
    
    Legal:  Opposing counsel's expert witness would have a field day.  "So, 
    basically you changed the bits as you saw fit"?
    
    Conclusion:  Possible Urban Myth.  I've seen what these domains look like 
    under a microscopic examination; only after seeing the actual work in 
    front of you do you truly realize what we are talking about.
    
    Thanks,
    Matthew Brown, CISSP
    
    
    
    
    
    Javi Polo <javipoloat_private>
    10/02/2001 06:06 AM
    
     
            To:     forensicsat_private
            cc: 
            Subject:        Recovering data from a wiped HD
    
    
    What techniques could be used for recovery of an HD, floppy or whatever
    magnetic device from a ... let's say, completely overwritten by zeroes, or
    random stuff ... :?
    
    I've heard that this can be done, so it's just curiosity on how I could
    wipe data more securely ... I suppose that by refilling the same sectors
    several times, it does harden the recovering process .. :?
    
    Does anybody know of this?
    
    --
    Javi Polo - DrSlump - Registered Linux User #97502
    Proud member of the Panda Gey Community (powered by linux)
    http://javipolo.ivworlds.org/ - Fidonet 2:347/1.1
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Oct 03 2001 - 04:14:45 PDT