Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Data Structures

10.2.CD

advertisement 
Alternate Data Storage Forensics
Tyler Cohen & Amber Schroader
2007, Syngress Publishing, Inc.
ISBN 13: 978-1-59749-163-1
Optical Media
• CD – Compact Disk
• DVD
• Digital Versatile Disk
• Digital Video Disk
• Both are organized as a single spiral track
• CD – 6 kilometers
• DVD – 12.5 kilometers
CD Areas
Manufacturer Code
Batch Number
Spindle Hole
Clamping Ring
Stacking Ring
Data Area
Sizes
• CDs
• 5.25 “ – 120 mm
• 3.15” – 80 mm
• Business Card
• DVDs
• 5.25” - 120 mm
• Could be different
• None so far
CD Construction
CD-R Dyes
CD & DVD Types
• CD
• CD-Rom
• CD-R
• CD-RW
• DVD
• DVD-Rom
• DVD-R
• DVD+R
Optical Storage
• CDs
• CD – R - 700 Mbytes
• CD –RW – 570 Mbytes
• DVDs
• Single layer – 4.3 Gbytes
• Two layer – 8.6 Gbytes
• Two sided - ?
CD Organization
• Lead in
• Container for the TOC for a CD session
• 1st has 7,500 sectors (14.65 Mbytes) for lead in
• Subsequent sessions 4,500 sectors (9 Mbytes) for
lead in
• Multi-session has pointer to next writable location
• Next pointer is either 0 or 24 binary 1s to finalize
the disc
CD Organization
• Lead out
•
•
•
•
Indicates end of session
Audio discs stop playing
1st session lead out is 6,750 sectors ( 13.5 Mbytes)
2nd and on 2,250 sectors (4 Mbytes
CD Organization
• Sector
• 2,048 bytes for data discs
• 2,352 bytes for audio discs
• Track
• A single (logical) collection of data on the disc
• Up to 99 tracks on a CD
• Error Detection - Error Correction Codes
• Uses Reed – Solomon EDC-ECC
DVD Organization
• Border Zone / RZone
•
•
•
•
•
•
Contains the real content of the disc
Similar to a CD track
Manufactured DVDs have only 1 border zone
Recordable DVDs can have multiple border zones
DVD does not have specific TOC
A border zone may have the information so that the
app can make a TOC
DVD Frame
Bytes 4
2
6
| ID | ID ECC | copyright Management info |
2048
User data
A 32 Kbyte ECC block
Consists of 12 frames together with ECC for the user data
Cannot access with consumer DVD Drives
4
| EDC |
Media at 30,000x
CD
DVD
Interfaces
•
•
•
•
ATAPI or SATA
SCSI
USB
1394
Logical Structure
• Track-at-once
• CD – data discs
• Disc-at-once
• Audio discs
• DVDs
• Packet writing
• Used with drag & Drop writing software
– Dangerous for forensic workstations
• Non-video DVDs
Logical File Systems
Platform
Red Book
HSG
ISO-9660
Joliet
Rock Ridge
HFS
HFS+
UDF
Long File
names
All
N/A
All
No
All
No
Windows Yes
Linux
Yes
Mac
No
Mac
Yes
Win/Mac Yes
Large Files
Typical Use
>4GB
N/A
No
No
No
No
Yes
Yes
Yes
Audio
Early CD-Rom
Data Files
Data Files, Unicode names
Data files
Mac
Mac, Unicode file names
s, Unicode file names
ISO 9660
• International Standards Organization - $$$
• ECMA 119
• European Computer Manufacturers Association
• Free standard
ISO - 9660
• Supported by most computers
• For example – Elevator Control Systems
• 8-bit ASCII
• File System
• Volume Descriptor
• Path Table
• Directory Entry
ISO 9660
• Files smaller than 4GB
• DVD files are less than 1 GB
Volume Descriptor
• Sector 16
•
•
•
•
01 43 44 30 30 32 01
There is an ISO 9660 file system on the disc
Then at offset 814 (0x32E0 is the create DTG
At offset 575 (0x23F) is the app ID
DTG
•
•
•
•
•
•
•
•
•
4-digit year
2-digit month
2-digit day of month
2-digit hour
2-digit minute
2-digit second
1-digit tenths
1-digit hundredths
I-byte time zone
UDF
Universal Disk Format
• Optical Storage Technology Association
• UDF 1.0 – 1995
•
•
•
•
•
Part of DVD – Video, Audio, Recorders
Uses packet writing
Supports MAC Times
264 – 1 File Sizes
Supports fragmented files
UDF Structure
• Anchor Volume Descriptor Point (AVDP)
• Location
–
–
–
–
Sector 256 and 512
Last sector written to disc
256 sectors after beginning of the track
512 sectors after beginning of the track
UDF Structure
•
•
•
•
DTG of disc creation
Supports MAC DTG of files
Application ID
Disc name
UDF Problems
• Deleted files
• Fragmented files
• Nothing is over written until disc is full
Physical
•
•
•
•
Fingerprints
Drugs
General contamination
Removal
• Solvents
• Drugs
• Body fluids
Defects
• Dirt
• Distilled water
• Soap – Ivory
• Scratches
• Buffing
• Filler
• Cracks
• Broken
CD/DVD Forensics
Hardware
• Readers – writers
• CD, DD –R +R etc.
• DL
• 2 sided
• Plextor 12x writers – good
• Out of production
• Pioneer
• MD5 not repeatable
• LOTS OF TESTING
CD/DVD Forensics
Software
• Free – Sort of
• ISO Buster
– Functional
• $549
• CD/DVD Inspector
– Excellent
– Complete
Forensic Binary Image
• Hash code of Optical Media is often not
reproducible from the media!
• Don’t try to demonstrate as with other
drives
• Make an image and never go back to the
media
Hash Codes
• ECD/ECC
•
•
•
•
Causes differing reads at different times
Scratches
Wear and tear
Different drive electronics result in different reads
Binary Image
• CD/DVD Inspector
• Makes a complete binary image of the media
• Image is specific to CD/DVD Inspector
ISO Buster
Drive Characteristics
Recognizing Media
Media Properties
Extract User Data
Create an Image
Media Image
Related documents
Logic Symbols
Logic Symbols
copyright-policy-nov-2010
copyright-policy-nov-2010
Pick Only 2
Pick Only 2
Introduction to Databases with more than one table
Introduction to Databases with more than one table
PPC Notes
PPC Notes
Computer control all around us
Computer control all around us
Inside the Personal Computer
Inside the Personal Computer
Narrated PowerPoint
Narrated PowerPoint
Ch.13 Secondary Storage Devices
Ch.13 Secondary Storage Devices
Presentation on Optical Discs
Presentation on Optical Discs
5. 建立隊工精神及團隊合作by Bonnie So
5. 建立隊工精神及團隊合作by Bonnie So
CD and DVD technology
CD and DVD technology
Download
advertisement