CD and DVD Forensics

Book description

CD and DVD Forensics will take the reader through all facets of handling, examining, and processing CD and DVD evidence for computer forensics. At a time when data forensics is becoming a major part of law enforcement and prosecution in the public sector, and corporate and system security in the private sector, the interest in this subject has just begun to blossom.

CD and DVD Forensics is a how-to book that will give the reader tools to be able to open CDs and DVDs in an effort to identify evidence of a crime. These tools can be applied in both the public and private sectors. Armed with this information, law enforcement, corporate security, and private investigators will be able to be more effective in their evidence-related tasks. To accomplish this, the book is divided into four basic parts: (a) CD and DVD physics, dealing with the history, construction and technology of CD and DVD media, (b) file systems present on CDs and DVDs and how these differ from those found on hard disks, floppy disks and other media, (c) considerations for handling CD and DVD evidence to both recover the maximum amount of information present on a disc and to do so without destroying or altering the disc in any way, and (d) using the InfinaDyne product CD/DVD Inspector to examine discs in detail and collect evidence.
  • This is the first book to address using the CD/DVD Inspector product in a hands-on manner, with a complete step-by-step guide for examining evidence discs
  • See how to open CDs and DVDs and extract all the crucial evidence they may contain

Table of contents

  1. Copyright
  2. Visit us at: www.syngress.com
    1. Solutions Web Site
    2. Ultimate CDs
    3. Downloadable E-Books
    4. Syngress Outlet
    5. Site Licensing
    6. Custom Publishing
  3. Acknowledgments
  4. Author
  5. Technical Editor
  6. Introduction
    1. Conventions in this Book
  7. 1. Physical Characteristics of CD and DVD Media
    1. CD Features
      1. CD Sizes and Shapes
      2. CD and DVD Types
      3. CD and DVD Colors
      4. CD-R Dyes
      5. Information Storage on CDs and DVDs
      6. CD and DVD Organization and Terminology
        1. Border Zone
        2. Lead In
        3. Lead Out
        4. Philips CD Text
        5. RZone
        6. Sector
        7. Session
        8. Sony CD Text
        9. TOC
        10. Track
      7. CD and DVD Sectors
      8. R-W Subchannels
      9. CD and DVD Differences
      10. CD-ROM Manufacturing Process
      11. Inside a CD-ROM Drive
      12. External Interfaces
      13. Drive Firmware
  8. 2. CD and DVD Logical Structure
    1. Writing to a CD or DVD
    2. Logical File Systems
    3. CD and DVD File Systems
      1. Red Book Audio
      2. HSG
      3. ISO9660
      4. Joliet
      5. Rock Ridge
      6. UDF
      7. HFS
      8. HFS+
      9. El Torito
    4. Space Allocation by CD and DVD File Systems
    5. Disc Accessibility Problems
      1. ISO9660/Joliet File Systems
      2. UDF File Systems
      3. Other File Systems
  9. 3. Forensic Binary Images
    1. Reproducing Forensic Images
  10. 4. Collecting CD and DVD Evidence
    1. Recognizing CD and DVD Media
    2. Collection Considerations
    3. Marking Discs
    4. Transporting Discs
    5. Documenting and Fingerprinting Discs
    6. Officer Safety
  11. 5. Preparing for Disc Examination
    1. Forensic Hardware
    2. Forensic Software
    3. Forensic Workstation
    4. Validation
    5. Disc Triage
  12. 6. CD/DVD Inspector - The Basics
    1. CD/DVD Inspector Installation
    2. CD/DVD Inspector Facts
    3. Getting Started with CD/DVD Inspector
      1. Data Window Usage
      2. Disc Memory
      3. Useful Tools
        1. Analysis
        2. Compute Disc MD5
        3. Compute MD5 Hash
        4. Disc Map
        5. Disc Report
        6. Hardware Information
        7. Scan Files
        8. Sector Display
        9. TOC
        10. View Image
        11. Write Image File
      4. Searching
        1. Scan Files
          1. POSIX Character Classes
        2. Producing a Forensic Image
          1. Creating an Image Zip File
          2. Creating a Binary Image File
        3. Copying Files from the Media
    4. User Preferences
      1. Options Settings
        1. Remove Version Marker from Files
        2. Show Analysis File Details
        3. Save Window Position
        4. Sort Initial Display by Name
        5. Accept All Errors without Prompting
        6. Always Prompt for Filename on Copy
        7. Force intensive UDF Examination
        8. Keep Duplicate Files from UDF Examination
        9. Automatically Examine Disc at Startup
        10. Enable Special Features
        11. Recover without Prompts
        12. Show Extents in Disc Reports
        13. Disable Disc Memory Feature
        14. Forensic Use
        15. Use 64-bit ZIP Extensions for ZIP Image Files
      2. Disc Memory Settings
        1. Keep Last nnn Discs in Disc Memory
        2. Empty Button
        3. Click to Delete a Single Item
        4. Disc Memory Catalog
    5. The Analysis Tool
      1. name File System in Track nn Recorded as Part of Session nn
      2. nnnnn Sectors are Used Out of nnnnn Available Sectors
      3. type (media) load nnnn at 0xnnnn from Sector nnnn
      4. A Properly Written Post-gap was Found For This Track
      5. All Linked Files (nnnn) in this Session Came from Session nn
      6. Application Identification
      7. ATIP Reference Power = nn, Reference Speed = nn
      8. Blank Disc with nnnnn Free Sectors
      9. Bootable Disc Information Found, Boot Catalog at Sector nnn
      10. Bootable Media from company, platform= platform
      11. CDDB Key for this CD is xxxxxxxx
      12. Data Preparer Identification: ssssssss
      13. Disc is a DVD-kind Type is type
      14. Disc Manufacturer: ssssss Type: ssssss
      15. DVD Manufacturer is ssssss
      16. Error nnn in Manufacturer Determination, Manufacturer Information Not Available
      17. Error Reading Boot Catalog, Sense=0xnn 0xnn
      18. Error Reading File System Data from Disc, No Further Information Available
      19. Error Reading Sector nnnnn in Track nn, Analysis of Track Skipped
      20. Error Returned Obtaining ISRC Code, Sense = ss ss
      21. File ssssss is Linked to Track nnn, Session nn
      22. HFS Volume Name ssssss
      23. Image File in type Format: ssssss
      24. Invalid Boot Catalog Found, Key Values = 0xnn 0xnn
      25. Lead-out Track Starts at Sector nnnnn
      26. Little-endian Block Size (nnnn) Not Equal to Big-endian Block Size (nnnn)
      27. Little-endian Volume Size (nnnnn) Not Equal to Big-endian Volume Size (nnnnn)
      28. Media Catalog Number for this Disc is ssssss
      29. Minimum Recording Speed = nnX, Maximum Recording Speed = nnX
      30. Mismatched File Counts Between this File System and the ssssss File System
      31. Next Writable Location on Disc is nnnnn
      32. No Directory Was Found for This File System
      33. No ISRC/RID Code Present for This Track
      34. No Manufacturer Information was Returned for This Disc
      35. None of the Files in This Session Are Linked to Prior Sessions
      36. Note: Directory Depth of nn May Cause Problems on Some MSCDEX Versions
      37. Note: Directory Depth of nn Violates ISO 9660 Limit of Eight
      38. One or More Files are Using Characters Which MS-DOS Cannot Access
      39. One or More Files Do Not Have a Trailing Version Identifier (“;1”)
      40. Partition Name: ssssss
      41. Publisher Identification
      42. Rock Ridge Extension Information is Present
      43. Table of Contents
      44. The “.” Directory Entry is Missing From One or More Directories
      45. The “..” Directory Entry is Missing From One or More Directories
      46. The tttttt Code for This Track is cccccc
      47. The Block Size is nnnn, Not 2048 as Would Be Expected
      48. The Directory in This File System Qualifies as Using the setname Character Set
      49. The Disc Is Not Recorded in XA Mode, But This File System is Marked for XA Mode
      50. The Disc Is Recorded in XA Mode, But This File System Is Not Marked for XA Mode
      51. The File “ssssss” Appears in the Directory But is Not Present
      52. The Files ssssss and ssssss Overlap and One or Both are Destroyed
      53. The Last Track in the Table of Contents is Not the Lead-out
      54. The Mastering Program for this Disc Did Not Place Version Numbers (“;1”) After the Filenames
      55. The Post-gap for This Disc is Either Missing or Invalid. nnn Trailing Sectors Found
      56. The System Identifier in the ISO 9660 Volume Descriptor Contains Other Than “a” Characters
      57. The Volume Identifier in the ISO 9660 Volume Descriptor Contains Other Than “d” Characters
      58. The Volume Identifier is Blank. This May Cause Problems
      59. There Appear To Be Additional Boot Definitions Present
      60. There are nnn Files in the Directory Which Are Not Recorded in This File System
      61. There are nnn Accessible Files and nnn Directories Contained in This File System
      62. There are nnn Directories in This File System
      63. There are nnn Files in This File System
      64. There are nnn Files Linked from Session nn
      65. There are nnn Files That Could Not Be Connected to a Filename
      66. There are nnnn Free Sectors in This Track
      67. There is a Total of nnn File Systems on Disc
      68. This Disc Appears to be “Open” and Can Have Data Added to It. The Pointer is nnnnn
      69. This Disc Has nn Layers
      70. This Disc Is Still “Open” and Can Have Data Added To It
      71. This File System Contains Compressed Data
      72. This File System Was Written by ssssss
      73. This File System Was Written by Packet-writing Software
      74. This Track Contains Audio with Pre-emphasis
      75. This Track Contains Audio without Pre-emphasis
      76. This Track Contains Data and Contains ssssss File System(s)
      77. This Track Contains Data from the File System in the Prior Track
      78. This Track Has Been Recorded in XA Mode
      79. This Track is Marked as Being Blank
      80. Track nn Has Been Added to Represent an Open Session
      81. Track nn is an Audio Track
      82. Track nn Occupies nnn sectors (nn Min, nn Sec, nn Frames)
      83. Track Contains MCN of nnnnnn
      84. Track Image Written with nnnn Byte Sectors
      85. Track Was Written with Fixed-length Packets nnnn Bytes in Length
      86. Track Was Written with Variable-length Packets
      87. UDF Examination Error: ssssss
      88. UDF Partition Exceeds Size of Track According To Disc Information
      89. Volume Create Date date
      90. Volume Size Appears Suspicious; Header Says nnnnn While Track is nnnnn Sectors
      91. Warning: One or More Checksum Errors were Detected in the UDF Structures
      92. Warning: Root Directory Length is Specified as Zero
      93. Warning: This Disc is Marked as Having a Sparable Partition, But No Sparing Information Table is Present
      94. Warning: Virtual Allocation Table Missing
      95. Warning: VAT Not Found in Conventional Place
      96. Whole Disc MD5 Hash Value xxxxxxxxxxxxxxxxx
      97. The Hardware Information Display
      98. Device Name
      99. Revision
      100. Date of Revision
      101. Read CDDA Command
      102. “RAW read” Command
      103. Track Information Command
      104. Using 10 Byte Commands
      105. Readability Test Reason Code
      106. Loading Mechanism
      107. Bar Code Reading Supported
      108. UPC Code is Read
      109. ISRC Code is Read
      110. C2 Error Pointers
      111. Maximum Reading Speed
      112. Multi-session Capable
      113. Mode 2 Form 1 Supported
      114. Mode 2 Form 2 Supported
      115. Digital Output on Port 1
      116. Digital Output on Port 2
      117. Audio Play Supported
      118. Reading CDDA Supported
      119. CD-Text/CD+G Supported
      120. CD-Text/CD+G Decoded
      121. Accurate CDDA Positioning
      122. Transfer Block Supported
      123. Inactivity Spin-down
      124. Device Capabilities
      125. Device Buffer Size (in K)
      126. Drive Serial Number
      127. The Volume Information Display
      128. ISO 9660 Volume Information
        1. Volume ID
        2. System ID
        3. Volume Size
        4. System Use
        5. Volume Set Size
        6. Volume in Set
        7. Block Size (Bytes)
        8. Path Table Size (Bytes)
        9. Path Table (L)
        10. Optional Path Table (L)
        11. Path Table (M)
        12. Optional Path Table (M)
        13. Root Directory Sector
        14. Root Directory Timestamp
        15. Volume Set
        16. Publisher
        17. Data Preparer
        18. Application
        19. Copyright File
        20. Abstract File
        21. Bibliography File
        22. Volume Created
        23. Volume Modified
        24. Volume Expires
        25. Volume Effective
        26. Volume Size
        27. Volume Set Size
        28. Volume in Set
        29. Block Size (Bytes)
        30. Path Table Size (Bytes)
        31. Root Directory Sector
        32. Joliet Volume Information
        33. Volume ID
        34. System ID
        35. Volume Size
        36. System Use
        37. Volume Set Size
        38. Volume in Set
        39. Block Size (Bytes)
        40. Path Table Size (Bytes)
        41. Path Table (L)
        42. Optional Path Table (L)
        43. Path Table (M)
        44. Optional Path Table (M)
        45. Root Directory Sector
        46. Root Directory Timestamp
        47. Volume Set
        48. Publisher
        49. Data Preparer
        50. Application
        51. Copyright File
        52. Abstract File
        53. Bibliography File
        54. Volume Created
        55. Volume Modified
        56. Volume Expires
        57. Volume Effective
        58. Volume Size
        59. Volume Set Size
        60. Volume in Set
        61. Block Size (Bytes)
        62. Path Table Size (Bytes)
        63. Root Directory Sector
    6. HFS and HFS+ Volume Information
      1. Volume ID
      2. Files
      3. Directories
      4. Allocation Size (Bytes)
      5. Allocation Blocks
      6. Free Blocks
      7. Volume Created
      8. Volume Modified
      9. HSG Volume Information
      10. UDF Volume Information
        1. Volume Descriptor Sequence
        2. Volume ID
        3. Interchange Level
        4. Volume Set Name
        5. Implementation Identifier
        6. Application
        7. Recording Time
    7. Disc Reports
      1. Disc Contents by Folder
      2. Disc Contents by Name
      3. Disc Contents by Extension
      4. Files with MD5 Hash Value
      5. CSV Format Export
      6. Image Reports
  13. 7. Using CD/DVD Inspector
    1. Examining a Disc—A Step-by-step Guide
      1. Starting CD/DVD Inspector
      2. Initial Observations
      3. Analysis Tool
      4. Disc Map
      5. Quick Image Examination
      6. Scan Files for Keywords
    2. Other Examination Tasks
      1. Create an ISO Image File
      2. Create an InfinaDyne Image File
      3. Determining the Writing Application
      4. Date Correspondence
      5. Missing Files
      6. Multi-Session Hiding
  14. 8. Advanced Tasks with CD/DVD Inspector
    1. Using Hash Matching and MD5 Hashes
    2. Space Utilization Analysis
    3. ISO9660 Directory Analysis
    4. Unknown Data Track Issues
  15. 9. Reporting Your Findings
    1. Full List of All Files on the Media
    2. Image Report(s)
    3. Analysis Report
    4. Scan Files Results
    5. Raw Search Results
  16. 10. Things to Keep In Mind
  17. A. Disc Swap Modifications
    1. Connecting the Modified Drive
    2. Using the Modified Drive
  18. B. Downloading Additional Materials
  19. Glossary

Product information

  • Title: CD and DVD Forensics
  • Author(s): Paul Crowley
  • Release date: December 2006
  • Publisher(s): Syngress
  • ISBN: 9780080500805