'Re: Forensic disk duplication modifies the evidence hard disk'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       forensics
Subject:    Re: Forensic disk duplication modifies the evidence hard disk
From:       "Clinton E. Troutman" <troutman () mesh ! net>
Date:       2005-05-30 4:05:04
Message-ID: 200505292305.06962.troutman () mesh ! net
[Download RAW message or body]

On Sunday 29 May 2005 19:27, Mark Menz wrote:
> Heisenberg's Uncertainty Principle does not apply in a digital enviroment.
>

In a theoretical environment in which all things are either of "state1" or 
"state2", perhaps...

However, in the real world, even "state1" and "state2" are not exact.

Heisenberg's Uncertainty Principle (HUP) is certainly at work here. You can 
not measure "state1" or "state2" exactly for various reasons not the least of 
which is HUP. Therefore, "state1" must be different from "state2" by an 
amount that is readily distinguishable. A computer works only because 
"state1" is different enough from "state2" and their  measurements are readily 
distinguishable.  

Beyond that, the act of forensically duplicating a disk does not adhere to any 
2-state environment. Simply by virtue of the fact you are taking an electrical 
measurement of the state of a tiny piece of magnetic media (an analog 
function) you introduce infinite states. Any of those states that does not 
fall into either "state1" or "state2" is lumped into the all-too-familiar 
"state3" we know as "disk error" or "can not be read". HUP is at work here in 
that "state1"and "state2" must be readily distinguishable from each other and 
from "state3". Then, introduce all the connectors, wires, electrical and 
magnetic noise, and all the other factors and you certainly have infinite 
states, each of which is affected by HUP.

Having said that, you have caused me to re-read the original post and now I 
see that HUP is not fitting. The Law of Unintended Consequences is what 
really should be applied to the original post. We think we will simply 
duplicate a disk but, due to things we may not know or, possibly, can not 
control, other consequences occur that allow someone to discover the 
duplication was performed. 

I was thinking in terms of "uncertainty of our actions" when I should have 
been thinking in terms of "unintended consequences of our actions".

-- 
Clinton E. Troutman
CeTro
Independent Computer Consultant for Home,
  Home Office, and Small Business in Fort Worth, Texas
http://cetro.dnsalias.org/

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic