Matthew:

You left out a few key elements.

Matthew.Brownat_private wrote:
>
> Javi
>
> This issue comes back from time to time. The Usenix needs to
> provide a proof of concept, I'm not sure they realized how often this
> theory would be revisited. This was a concern of ours during the Cold
> War, while I was in the DoD that is.

Usenix is just a non-refereed forum for discussion where folks like Peter Gutmann and others can share interesting ideas about technology. They really don't need to provide a proof of concept. Besides, in his paper Peter references issues of IEEE Spectrum and other sources where experimental work is cited.

> Costs: The equipment costs, no longer appears to be an issue. You would
> need a raw disk platter controller and mount, a clean room, a semi
> powerful microscope. This is just the basic equipment list, but could cost
> under $10,000.00 before you could start your own microscopic examination
> of the bit areas, which are referred to as "domains".

The trick is to take your list and add a device to "reference" the platter as well as an oscilloscope and multimeter with sensitivity in the microvolt range below. You also need detailed information about disk geometry (Cylinder, Head, Sector as well as LBF info) from the manufacturer. Even if you do find "data" in what you call domains it eventually has to be mapped to the file system structure you suspect was present at some time. Sometimes it helps to know the low level formatting information as well (such as the fact that sectors are really 579 bytes rather than 512).

> Probability/Candidates: There are two types of candidates for this
> theoretical procedure.
> 1. If the drive has been zeroized (old Crypto variable term) to
> overwrite all data (hex 00 written to each byte = all binary zeros written
> to each domain). It might be like trying to interpret a poster on a wall
> that has been white-washed. The problem is that both the ones and the
> zeros have had zeros written on top of them. The only hope you have is
> that the most recent constant zeroizing process would be slightly
> (microscopically) off-set, thereby revealing the previously recorded
> binary digit pattern. This may even work even if the different patterns
> are swept across the drive several times.
> 2. If the drive has been re-partitioned, reformatted, and a new
> instance of an operating system has been installed. Good luck. That
> would be like trying to interpret a poster with another poster plastered
> on top. I do not consider this a candidate, at all.

What you say is true but the technique described by the Gutmann paper and most other work in the field I know about was meant to bypass the restrictions you have defined. In a nutshell, all magnetic media operates in the same way using the same principle. This is an oversimplification but true nonetheless. Magnetic fields will induce a current and a current will generate a magnetic field. So disks are made of a magnetic substrate and heads are used to transfer current to or from the magnetic platter. Media substrate is several molecules (Fe compounds) thick and heads are not designed to position themselves over the same exact spot on the platter each time. They "wobble" within known tolerances, again by manufacturer. This plus the fact that magnetic fields have varying levels of retentivity (known as hysteresis) and you get what is known as residual magnetic effect. This occurs all over the magnetic surface of every drive that was ever put to use. The goal of Remanence Microscopy is to determine the contents that have been overwritten either by viewing the orientation of molecules beside or below the location that the head would normally park at in any given sector assignment. This is difficult to say the least but nowhere near impossible. It is also ripe for automation.

> Time: Do the math! How many domains are there on a 20GB laptop hard
> drive? Multiply the number of domains by how long it would take to
> visually determine a single domain and then toggle the domain on another
> drive. I didn't promise there wouldn't be a math test today. Hint: A
> lifetime. I'd hate to QC this person's work, what an error rate. I do
> concede that this process could possibly be automated.

Here you raise an interesting point. This is a very precise operation and any mechanism that was built to allow measurement at the molecular level would need to be extraordinarily sensitive. Therefore, although I am convinced that the technology exists to allow us to recover data that has been overwritten, I'm just as sure that a vast majority of the time no one would use it and that machine would sit doing nothing. The cost benefit ratio is too high.

> Legal: Opposing counsel's expert witness would have a field day. "So,
> basically you changed the bits as you saw fit"?

There is no changing of bits involved. The device observes what is physically there and in some cases will interpolate the result according to established standard transform rules.

> Conclusion: Possible Urban Myth. I've seen what these domains look like
> under a microscopic examination, only after seeing the actual work in
> front of you, do you truly realize what we are talking about.

I have seen them as well and it is awesome to think that just finding a single cluster of ferrous molecules oriented in a certain direction takes so much time (initially). That one oriented molecule represented a single bit of data (I was viewing a 2 GB HD platter); there are 8 bits/byte, 2 bytes/character, etc. An Urban Myth? Maybe for John Q crimefighter, but behind some vault door somewhere you'll no doubt find a device that does just this very thing.
Gary

> Thanks,
> Matthew Brown, CISSP

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Oct 03 2001 - 06:36:34 PDT