taylor@hplabsc.UUCP (Dave Taylor) (07/17/86)
This article is from seismo!philabs!pwa-b!mmintl!franka (Frank Adams) and was received on Wed Jul 16 08:08:26 1986 Recent discussions, both here and in other newsgroups, have led me to ask a question. Let me first state the question, and then indulge in some speculation. In previous means of communication, methods have been developed for identifying, verifying, and dating messages. Handwriting analysis works for handwritten material, typed material can be matched to the typewriter on which it was written, etc. Likewise, ink and paper can be dated with some degree of precision. These methods don't seem to be available for computers. Thus, the question: what techniques are or might become available to perform these functions for computer messages? There seems to be almost nothing plausible in this area. It seems possible that one can get some sort of age estimate for items recorded in magnetic media (disk, tapes, etc.); I have no idea how good such estimates would be with current technology, or how good they might become. I know that it is sometimes possible to read data which has been erased from a tape, and even written over. Presumably this can be done for disks, as well. I somehow doubt, however, that it is possible to recover data formerly written on a section of memory which has been written over dozens of times since. What seems to be completely missing, however, is any way to link data to its source. I not only can't come up with any plausible approaches; I have a hard time coming up with any implausible ones. (Time travel?) If this is in fact impossible, we must consider the consequences of a communications technology which permits its users to be truly anonymous. (This came up on the net in the context of the libel laws -- how do you prove libel if you can't establish that the defendant actually originated the libelous statement?) The prospects for real-time monitoring seem somewhat better. I have heard that with current technology, one can pick up the radio transmissions from an unshielded computer, and distinguish the individual instructions being executed. I cannot vouch for the accuracy of this statement. I think I've rambled on long enough, here. Comments welcomed. Frank Adams ihnp4!philabs!pwa-b!mmintl!franka Multimate International 52 Oakland Ave North E. Hartford, CT 06108
taylor@hplabsc.UUCP (07/19/86)
This article is from pyramid!utzoo!henry and was received on Fri Jul 18 19:10:11 1986 > In previous means of communication, methods have been developed for > identifying, verifying, and dating messages. Handwriting analysis works for > handwritten material, typed material can be matched to the typewriter on > which it was written, etc. Likewise, ink and paper can be dated with some > degree of precision. These methods don't seem to be available for > computers. Thus, the question: what techniques are or might become > available to perform these functions for computer messages? The fundamental problem here is the basic digital nature of the data. The whole concept of digital information is that a bit has only two valid states, so any slight variation from the nominal voltage values (or whatever) gets suppressed when the bit is run through the circuitry. This means that the rich "sidebands" of information present in handwritten or typed material are filtered out by the digital storage and processing. They show up again only at the very lowest level (where everything is analog) and at the very highest level (where the content rather than the medium is examined). > ... It seems possible > that one can get some sort of age estimate for items recorded in magnetic > media (disk, tapes, etc.)... Alas, here we run into another problem: these media are erasable and re- usable. There is some possibility of recovering erased data, if it has not been overwritten too many times. The analog medium may retain some traces, which are filtered out by the conversion to digital when the new data is being read in the ordinary way. However, I suspect it's impossible to tell whether the *same* data has been read and rewritten recently. So a date derived by such means could always be adjusted forward, although not backward. Write-once media like some optical disks are more open to such methods. > What seems to be completely missing, however, is any way to link data > to its source... Here the digital storage medium tells us little or nothing, since there are too many middlemen between the source and the storage. HOWEVER, we can learn something by moving from the lowest level to the highest level. Things like word-choice patterns do differ, and statistical analysis of such things is already recognized as a powerful tool for historical and literary research. Disguising the more subtle patterns is said to be fairly difficult. What does seem unlikely, though, is that such methods could ever provide positive proof, as opposed to a strong hint, about the authorship of a document. Henry Spencer @ U of Toronto Zoology {allegra,ihnp4,decvax,pyramid}!utzoo!henry
taylor@hplabsc.UUCP (Dave Taylor) (07/21/86)
This article is from seismo!kitty!larry and was received on Sat Jul 19 22:41:47 1986 > In previous means of communication, methods have been developed for > identifying, verifying, and dating messages. Handwriting analysis works for > handwritten material, typed material can be matched to the typewriter on > which it was written, etc. Likewise, ink and paper can be dated with some > degree of precision. These methods don't seem to be available for > computers. Thus, the question: what techniques are or might become > available to perform these functions for computer messages? I am going offer some reasonable "speculation" in this area. While I have not had any _actual_ experience in attempting to identify computer media, I have already thought about this topic. My "qualification" to offer this speculation is that I am a biochemist/EE who also happens to have been involved with forensic science consulting (on a part-time basis) to various law enforcement agencies for the past 15 years. > There seems to be almost nothing plausible in this area. It seems possible > that one can get some sort of age estimate for items recorded in magnetic > media (disk, tapes, etc.); I have no idea how good such estimates would be > with current technology, or how good they might become. I know that it is > sometimes possible to read data which has been erased from a tape, and even > written over. Presumably this can be done for disks, as well. I somehow > doubt, however, that it is possible to recover data formerly written on a > section of memory which has been written over dozens of times since. > > What seems to be completely missing, however, is any way to link data to its > source. While it may never be possible to _conclusively_ prove that a given item of magnetic media was written on a given computer, various points of correlation can exist, which could - at the very least - be used to DISPROVE that a a given item of magnetic media was written on a given computer. Howzzat? Well, consider a 9-track magnetic tape. Magnetic track "developing solutions" have existed for many years. These developing solutions consist of ultrafine ferric oxide particles (i.e., < 0.5 micron) suspended in a volatile solvent. When the solution is _carefully_ applied to a magnetic tape, and allowed to dry, the _actual_ track and magnetization patterns can be visualized. These developing solutions are nothing exotic; they are often used by computer service personnel in checking tape drives for problems. If a magnetic tape treated with such a developing solution were _carefully_ examined under a microscope (say, a metallurgical microscope with polarizing adapter and measuring stage), certain characteristics of a _given_ tape drive would be evident, including but not limited to: 1. The _actual_ lengths of the interrecord gap 2. The _actual_ spacing between magnetic tracks and the _actual_ spacing of the tracks with respect to the edge of the tape 3. The _actual_ width of the tracks, which is also an indication of the magnetic field strength of the individual tracks 4. Marks on the tape resulting from physical wear of the tape as caused by record and/or playback heads heads, and tape drive rollers The most significant identifying characteristics would be variations in the magnetic track widths. So, let's say our "suspect" tape showed a nominal IRG of X.XXX inches, and showed tracks 1 and 5 to be less than nominal width, with tracks 3 and 7 of greater than nominal width - this would provide ten points of correlation (9 track widths plus IRG). If more than one test tape showed the _same_ magnetic recording signature on our "suspect" tape drive, then there would be some affirmative indication that the tape _could_ have been written on that drive. On the other hand, if more than one test tape showed a _consistent_ magnetic tape signature which was _different_ from the suspect tape, then there would be some correlation that the suspect tape was NOT written on the suspect drive. Of course, there are other factors which must be considered before the above could be qualified as evidence, such as: (1) was the magnetic recording head ever replaced?; (2) was the record head driver board ever replaced, or were the drive levels ever adjusted?; (3) was any portion of the tape drive servo electronics ever replaced or adjusted? (which would affect the IRG); etc. Floppy disks could also be subject to magnetic signature analysis in a manner similar to the above. Here we would have some different parameters since there is only one recording channel (two if a double-sided drive), however such things as circular track width, track step distance, absolute track positioning from center of the hub, marks caused when the hub is locked, etc. could be used as distinguishing characteristics. On the other hand, a recalibration of a floppy diskette drive would clearly create a new signature. Hard disks present a more difficult identification problem, since they would need to be disassembled before they could be subject to magnetic signature analysis. However, unique magnetic signatures could certainly be ascertained. Determining the age of magnetic media presents a tougher problem. All magnetic media "demagnetizes" by itself over time. It may be possible to establish a correlation between the track width of a suspect tape and tapes of a _known_ age. Such a correlation might be simple if tapes were merely archived and never read more than a few times. On the other hand, variations in the number of times tapes were read, and variations in the environmental storage (i.e., the hotter the tape, the faster it demagnetizes) could render useless any attempts at age correlation. Magnetic oxide coatings and their plastic substrates also undergo a chemical change as they age. While it is unlikely that a laboratory procedure could be developed to determine _absolute_ age, some indication of age could be obtained by comparsion with media of the same manufacturer and type whose age was known. A composite material signature for comparison purposes could probably be obtained by total luminance reflectance spectroscopy of both the oxide and non-oxide sides of the tape. Once again, variations in use and storage conditions of a suspect tape versus reference tapes could render useless any attempt at correlation. Determining if two samples of magnetic media resulted from the same manufacturing lot is the easiest task: samples of the media would be taken and subjected to arc emission spectroscopy, or inductive-coupled plasma emission spectroscopy [the newer method]. Presence of like impurities in like concentrations would be indicative of the same manufacturing lot. So, to sum up, some kind of identification that a _given_ item of magnetic computer media was written on a _given_ machine at a _given_ time may be possible. However, there is no magic procedure, and any requirements for such indentifcation would have to be taken on a case by case basis in order to determine if an attempt at indentification is even possible. > The prospects for real-time monitoring seem somewhat better. I have heard > that with current technology, one can pick up the radio transmissions from > an unshielded computer, and distinguish the individual instructions being > executed. I cannot vouch for the accuracy of this statement. Only the NSA knows for sure... :-) Having once been curious about this very topic, I once wrote a simple test program which ran on an Intel SBC-80/20 single board computer (using an 8080 cpu). By sensing some DIP switches connected to a parallel input port, the program would execute various loops which ran different types of instructions, and which accessed different ROM and RAM addresses. I put the computer in a screen room, and examined the RF eminations using an RFI/EMI receiver with a panoramic spectrum display unit (ACL SR-209). Using a ground-plane antenna for signal pickup, I looked at the RF spectrum from 2.0 to 20.0 MHz. In addition, I used a monitor speaker to listen to both the audio monitor output and video output signals. There was _clearly_ a correlation between RF energy-frequency distribution and the instructions being executed (based upon crudely looking at the RF spectrum, 2 MHz chunks at a time). In addition, there was a definite detected audio correlation (for whatever that is worth). I did not go beyond concluding that "yup, this instruction loop produces _this_ RF signature", but I am convinced that a SERIOUS realtime spectral analysis performed using some SERIOUS computer correlation techniques could deduce instructions and memory data transfers. At least in an 8080 under controlled conditions. The problems attendant with analyzing the RF signature from say, an IBM mainframe would be more complex by many orders of magnitude. But given enough "computer power" to perform analysis and correlation, and given enough money and manpower, almost anything is possible... ==> Larry Lippman @ Recognition Research Corp., Clarence, New York