
Re: Forensic disk duplication modifies the evidence hard disk

Subject: Re: Forensic disk duplication modifies the evidence hard disk
Date: Sun, 29 May 2005 23:05:04 -0500
On Sunday 29 May 2005 19:27, Mark Menz wrote:
> Heisenberg's Uncertainty Principle does not apply in a digital environment.


In a theoretical environment in which all things are either of "state1" or 
"state2", perhaps...

However, in the real world, even "state1" and "state2" are not exact.

Heisenberg's Uncertainty Principle (HUP) is certainly at work here. You can 
not measure "state1" or "state2" exactly for various reasons not the least of 
which is HUP. Therefore, "state1" must be different from "state2" by an 
amount that is readily distinguishable. A computer works only because 
"state1" is different enough from "state2" and their measurements are readily 
distinguishable.  

Beyond that, the act of forensically duplicating a disk does not adhere to any 
2-state environment. Simply by virtue of the fact you are taking an electrical 
measurement of the state of a tiny piece of magnetic media (an analog 
function) you introduce infinite states. Any of those states that does not 
fall into either "state1" or "state2" is lumped into the all-too-familiar 
"state3" we know as "disk error" or "can not be read". HUP is at work here in 
that "state1" and "state2" must be readily distinguishable from each other and 
from "state3". Then, introduce all the connectors, wires, electrical and 
magnetic noise, and all the other factors and you certainly have infinite 
states, each of which is affected by HUP.

Having said that, you have caused me to re-read the original post and now I 
see that HUP is not fitting. The Law of Unintended Consequences is what 
really should be applied to the original post. We think we will simply 
duplicate a disk but, due to things we may not know or, possibly, can not 
control, other consequences occur that allow someone to discover the 
duplication was performed. 

I was thinking in terms of "uncertainty of our actions" when I should have 
been thinking in terms of "unintended consequences of our actions".

-- 
Clinton E. Troutman
CeTro
Independent Computer Consultant for Home,
  Home Office, and Small Business in Fort Worth, Texas
http://cetro.dnsalias.org/
