Alternate Data Storage Forensics Tyler Cohen & Amber Schroader 2007, Syngress Publishing, Inc. ISBN 13: 978-1-59749-163-1


Optical Media

• CD – Compact Disc
• DVD
  • Digital Versatile Disc
  • Digital Video Disc
• Both are organized as a single spiral track
  • CD – 6 kilometers
  • DVD – 12.5 kilometers

CD Areas

(Figure: labelled CD layout – Batch Number, Manufacturer Code, Spindle Hole, Clamping Ring, Stacking Ring, Data Area)

Sizes

• CDs
  • 5.25" – 120 mm
  • 3.15" – 80 mm
  • Business Card
• DVDs
  • 5.25" – 120 mm
  • Could be different
  • None so far

CD Construction

CD-R Dyes

CD & DVD Types

• CD
  • CD-ROM
  • CD-R
  • CD-RW
• DVD
  • DVD-ROM
  • DVD-R
  • DVD+R

Optical Storage

• CDs
  • CD-R – 700 Mbytes
  • CD-RW – 570 Mbytes
• DVDs
  • Single layer – 4.3 Gbytes
  • Two layer – 8.6 Gbytes
  • Two sided – ?

CD Organization

• Lead in
  • Container for the TOC for a CD session
  • 1st has 7,500 sectors (14.65 Mbytes) for lead in
  • Subsequent sessions 4,500 sectors (9 Mbytes) for lead in
  • Multi-session has pointer to next writable location
  • Next pointer is either 0 or 24 binary 1s to finalize the disc

CD Organization

• Lead out
  • Indicates end of session
  • Audio discs stop playing
  • 1st session lead out is 6,750 sectors (13.5 Mbytes)
  • 2nd and on 2,250 sectors (4 Mbytes)

CD Organization

• Sector
  • 2,048 bytes for data discs
  • 2,352 bytes for audio discs
• Track
  • A single (logical) collection of data on the disc
  • Up to 99 tracks on a CD
• Error Detection – Error Correction Codes
  • Uses Reed-Solomon EDC-ECC

DVD Organization

• Border Zone / RZone
  • Contains the real content of the disc
  • Similar to a CD track
  • Manufactured DVDs have only 1 border zone
  • Recordable DVDs can have multiple border zones
• DVD does not have specific TOC
  • A border zone may have the information so that the app can make a TOC

DVD Frame

| Field | ID | ID ECC | Copyright Management Info | User data | EDC |
| Bytes | 4 | 2 | 6 | 2048 | 4 |

• A 32 Kbyte ECC block
  • Consists of 12 frames together with ECC for the user data
  • Cannot access with consumer DVD drives

Media at 30,000x

(Figure: CD and DVD media surfaces at 30,000x magnification)

Interfaces

• ATAPI or SATA

• SCSI

• USB

• 1394

Logical Structure

• Track-at-once
  • CD – data discs
• Disc-at-once
  • Audio discs
  • DVDs
• Packet writing
  • Used with drag & drop writing software
    – Dangerous for forensic workstations
  • Non-video DVDs

Logical File Systems

| File System | Platform | Long File Names | Large Files >4GB | Typical Use |
| Red Book | All | N/A | N/A | Audio |
| HSG | All | No | No | Early CD-ROM |
| ISO-9660 | All | No | No | Data files |
| Joliet | Windows | Yes | No | Data files, Unicode names |
| Rock Ridge | Linux | Yes | No | Data files |
| HFS | Mac | No | Yes | Mac |
| HFS+ | Mac | Yes | Yes | Mac, Unicode file names |
| UDF | Win/Mac | Yes | Yes | s, Unicode file names |

ISO 9660

• International Standards Organization – $$$
• ECMA 119
  • European Computer Manufacturers Association
  • Free standard

ISO 9660

• Supported by most computers
  • For example – elevator control systems
• 8-bit ASCII
• File System
  • Volume Descriptor
  • Path Table
  • Directory Entry

ISO 9660

• Files smaller than 4GB

• DVD files are less than 1 GB

Volume Descriptor

• Sector 16
  • 01 43 44 30 30 32 01
  • There is an ISO 9660 file system on the disc
• Then at offset 814 (0x32E) is the create DTG
• At offset 575 (0x23F) is the app ID

DTG

• 4-digit year

• 2-digit month

• 2-digit day of month

• 2-digit hour

• 2-digit minute

• 2-digit second

• 1-digit tenths

• 1-digit hundredths

• 1-byte time zone
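The two slides above give enough to write a small checker for the ISO 9660 Primary Volume Descriptor: read sector 16, confirm the `01 43 44 30 30 32 01` signature, and pull out the application ID and creation DTG in the layout just listed. The following is an added example and not code from the book or from CD/DVD Inspector; it assumes the slide's offsets (814 and 575) are ECMA-119 byte positions, which count from 1, and it builds its own constructed 18-sector image rather than reading a real disc.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

SECTOR = 2048
PVD_SECTOR = 16
# Type 1 descriptor, standard identifier "CD001", version 1 (the bytes on the slide).
PVD_SIGNATURE = bytes.fromhex("01 43 44 30 30 32 01")
# Assumption: the slide's offsets are ECMA-119 byte positions (1-based), so subtract 1.
APP_ID_OFFSET = 575 - 1       # 0x23F, 128 bytes, space padded
CREATE_DTG_OFFSET = 814 - 1   # 0x32E, 17 bytes


def parse_dtg(raw: bytes) -> Optional[datetime]:
    """Decode the 17-byte date/time field laid out on the DTG slide:
    YYYY MM DD hh mm ss t h, then one signed byte of time zone in 15-minute steps from GMT."""
    if len(raw) != 17:
        raise ValueError("DTG field must be 17 bytes")
    digits = raw[:16].decode("ascii", errors="replace")
    if not digits.isdigit() or digits == "0" * 16:
        return None  # unset or damaged field
    year, month, day = int(digits[0:4]), int(digits[4:6]), int(digits[6:8])
    hour, minute, second = int(digits[8:10]), int(digits[10:12]), int(digits[12:14])
    tenths, hundredths = int(digits[14]), int(digits[15])
    tz_quarters = struct.unpack("b", raw[16:17])[0]  # e.g. -20 means GMT-5
    tz = timezone(timedelta(minutes=15 * tz_quarters))
    return datetime(year, month, day, hour, minute, second,
                    (tenths * 10 + hundredths) * 10_000, tzinfo=tz)


def parse_pvd(image: bytes) -> Optional[dict]:
    """Return application ID and creation DTG from sector 16, or None if there is no ISO 9660 signature."""
    pvd = image[PVD_SECTOR * SECTOR:(PVD_SECTOR + 1) * SECTOR]
    if len(pvd) < SECTOR or pvd[:7] != PVD_SIGNATURE:
        return None
    app_id = pvd[APP_ID_OFFSET:APP_ID_OFFSET + 128].decode("ascii", errors="replace").rstrip()
    created = parse_dtg(pvd[CREATE_DTG_OFFSET:CREATE_DTG_OFFSET + 17])
    return {"app_id": app_id, "created": created}


def build_sample_image() -> bytes:
    """Constructed 18-sector image with a PVD at sector 16 (sample data, not a real disc)."""
    pvd = bytearray(SECTOR)
    pvd[:7] = PVD_SIGNATURE
    pvd[APP_ID_OFFSET:APP_ID_OFFSET + 128] = b"EXAMPLE BURNER 1.0".ljust(128)
    # 2007-03-14 12:30:00.55; time zone byte -20 is 20 * 15 minutes west of GMT (GMT-5)
    pvd[CREATE_DTG_OFFSET:CREATE_DTG_OFFSET + 17] = b"2007031412300055" + struct.pack("b", -20)
    return bytes(PVD_SECTOR * SECTOR) + bytes(pvd) + bytes(SECTOR)


if __name__ == "__main__":
    print(parse_pvd(build_sample_image()))
    print(parse_pvd(bytes(20 * SECTOR)))  # blank image: no ISO 9660 file system
```

Run it against an image file rather than the constructed one by passing the file's bytes to `parse_pvd`; an all-zero or non-numeric DTG comes back as `None` instead of a bogus timestamp, which matters when the creation date is going into a timeline.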

UDF – Universal Disk Format

• Optical Storage Technology Association
  • UDF 1.0 – 1995
• Part of DVD – Video, Audio, Recorders
• Uses packet writing
• Supports MAC times
• 2^64 – 1 file sizes

• Supports fragmented files

UDF Structure

• Anchor Volume Descriptor Pointer (AVDP)
  • Location
    – Sector 256 and 512
    – Last sector written to disc
    – 256 sectors after beginning of the track
    – 512 sectors after beginning of the track
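To turn the AVDP locations above into a check, look at each candidate sector and verify that it starts with a UDF descriptor tag whose identifier is 2 (the AVDP), whose checksum is right, and whose recorded tag location matches the sector it was read from. This is an added example, not code from the book or from ISO Buster; the descriptor-tag layout (identifier, version, checksum over bytes 0-3 and 5-15, tag location at bytes 12-15) is from the UDF/ECMA-167 tag format, and the image is constructed inline with one deliberately damaged copy.

```python
import struct

SECTOR = 2048
AVDP_TAG_ID = 2  # UDF descriptor tag identifier for the Anchor Volume Descriptor Pointer


def tag_checksum(tag: bytes) -> int:
    """Descriptor tag checksum: bytes 0-3 and 5-15 summed modulo 256 (byte 4 holds the checksum)."""
    return (sum(tag[0:4]) + sum(tag[5:16])) & 0xFF


def is_avdp(sector: bytes, lsn: int) -> bool:
    """True if the sector starts with a valid AVDP tag recorded for this logical sector number."""
    if len(sector) < 16:
        return False
    tag_id, _version, checksum = struct.unpack_from("<HHB", sector, 0)
    location = struct.unpack_from("<I", sector, 12)[0]
    return tag_id == AVDP_TAG_ID and checksum == tag_checksum(sector[:16]) and location == lsn


def candidate_sectors(total_sectors: int, track_starts=(0,)) -> list:
    """The places the slide lists: 256, 512, the last sector, and 256/512 past each track start."""
    cands = {256, 512, total_sectors - 1}
    for start in track_starts:
        cands.update({start + 256, start + 512})
    return sorted(c for c in cands if 0 <= c < total_sectors)


def find_avdps(image: bytes, track_starts=(0,)) -> list:
    """Logical sector numbers of every candidate location that really holds an AVDP."""
    total = len(image) // SECTOR
    return [lsn for lsn in candidate_sectors(total, track_starts)
            if is_avdp(image[lsn * SECTOR:(lsn + 1) * SECTOR], lsn)]


def make_avdp(lsn: int) -> bytes:
    """One sector holding an AVDP tag; only the 16-byte tag is filled in (constructed sample)."""
    tag = bytearray(16)
    struct.pack_into("<HH", tag, 0, AVDP_TAG_ID, 2)   # tag identifier, descriptor version
    struct.pack_into("<I", tag, 12, lsn)              # tag location = the sector it lives in
    tag[4] = tag_checksum(tag)
    return bytes(tag).ljust(SECTOR, b"\x00")


def build_sample_image(total_sectors: int = 600) -> bytes:
    """Constructed image: good AVDPs at 256 and the last sector, a corrupted one at 512."""
    img = bytearray(total_sectors * SECTOR)
    for lsn in (256, total_sectors - 1):
        img[lsn * SECTOR:(lsn + 1) * SECTOR] = make_avdp(lsn)
    damaged = bytearray(make_avdp(512))
    damaged[4] ^= 0xFF  # bad checksum, as a scratched or misread sector would give
    img[512 * SECTOR:513 * SECTOR] = damaged
    return bytes(img)


if __name__ == "__main__":
    print(find_avdps(build_sample_image()))  # the damaged copy at 512 is not listed
```

Finding at least one valid AVDP is what tells you the disc carries UDF at all; finding fewer than expected, or one whose tag location disagrees with where it was read, is worth recording before imaging, since it usually means damage or an unfinalized session.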

UDF Structure

• DTG of disc creation

• Supports MAC DTG of files

• Application ID

• Disc name

UDF Problems

• Deleted files

• Fragmented files

• Nothing is overwritten until the disc is full

Physical

• Fingerprints

• Drugs

• General contamination

• Removal
  • Solvents
  • Drugs
  • Body fluids

Defects

• Dirt
  • Distilled water
  • Soap – Ivory
• Scratches
  • Buffing
  • Filler

• Cracks

• Broken

CD/DVD Forensics – Hardware

• Readers/writers
  • CD, DVD –R, +R, etc.
  • DL
  • 2 sided
• Plextor 12x writers – good
  • Out of production
• Pioneer
  • MD5 not repeatable
• LOTS OF TESTING

CD/DVD Forensics – Software

• Free – sort of
  • ISO Buster
    – Functional
• $549
  • CD/DVD Inspector
    – Excellent
    – Complete

Forensic Binary Image

• Hash code of Optical Media is often not reproducible from the media!

• Don't try to demonstrate it as with other drives

• Make an image and never go back to the media

Hash Codes

• EDC/ECC
  • Causes differing reads at different times

• Scratches

• Wear and tear

• Different drive electronics result in different reads
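Because a whole-disc hash of optical media may not repeat, the useful evidence is which sectors changed between reads, not just that the hashes differ. The example below, added here and not from the book or either tool named on these slides, hashes two acquisitions of the same disc, lists the sectors that differ, and keeps a per-sector hash list that can be stored with the image so a later read can be compared sector by sector. The two "reads" are constructed in code: the second has a single bit flip in sector 7 and an unreadable sector 33 returned as zeros.

```python
import hashlib

SECTOR = 2048


def image_hash(image: bytes) -> str:
    """Whole-image SHA-256, the value that the slides warn may not repeat for optical media."""
    return hashlib.sha256(image).hexdigest()


def sector_hashes(image: bytes, sector_size: int = SECTOR) -> list:
    """Per-sector hashes to store alongside the image for later sector-level comparison."""
    return [hashlib.sha256(image[i:i + sector_size]).hexdigest()
            for i in range(0, len(image), sector_size)]


def compare_reads(read_a: bytes, read_b: bytes, sector_size: int = SECTOR) -> dict:
    """Hash two acquisitions of the same disc and list the sectors where they differ."""
    hash_a, hash_b = image_hash(read_a), image_hash(read_b)
    n_sectors = (max(len(read_a), len(read_b)) + sector_size - 1) // sector_size
    differing = []
    for lsn in range(n_sectors):
        start, end = lsn * sector_size, (lsn + 1) * sector_size
        if read_a[start:end] != read_b[start:end]:
            differing.append(lsn)
    return {
        "hash_a": hash_a,
        "hash_b": hash_b,
        "identical": hash_a == hash_b,
        "differing_sectors": differing,
    }


def build_sample_reads() -> tuple:
    """Constructed 40-sector 'disc' read twice (sample data, not from a real disc):
    the second read has a bit flip in sector 7 and sector 33 returned as zeros."""
    first = bytes((i * 31) & 0xFF for i in range(40 * SECTOR))
    second = bytearray(first)
    second[7 * SECTOR + 100] ^= 0x01
    second[33 * SECTOR:34 * SECTOR] = b"\x00" * SECTOR
    return first, bytes(second)


if __name__ == "__main__":
    first, second = build_sample_reads()
    result = compare_reads(first, second)
    print("identical:", result["identical"])
    print("differing sectors:", result["differing_sectors"])
```

For real images, pass the bytes of the two acquisition files and use 2,352 as `sector_size` for raw audio-disc reads. A short list of differing sectors that lines up with visible scratches, or that moves between drives, is exactly the explanation the slides say you will need when the media hash cannot be reproduced.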

Binary Image

• CD/DVD Inspector
  • Makes a complete binary image of the media
  • Image is specific to CD/DVD Inspector

ISO Buster

Drive Characteristics

Recognizing Media

Media Properties

Extract User Data

Create an Image

Media Image