
ISO 9660 metadata forensic?

(@skywalker)
Posts: 152
Reputable Member
Topic starter
 

Hello everybody,

Have you tried any tool which is able to extract forensic information from a CD-R or DVD? I need to know the date on which the CD-R was recorded.

Does this information change when you duplicate the CD-R, or does the information persist unaltered in the copy?

Thanks everybody!

 
Posted : 09/02/2016 4:36 am
(@athulin)
Posts: 1156
Noble Member
 

Have you tried any tool which is able to extract forensic information from a CD-R or DVD? I need to know the date on which the CD-R was recorded.

As far as I know, no such information is stored on a CD-R. 'DVD' is a bit vague, as there are DVD-ROM, DVD-R, DVD-RW and even DVD-RAM … you need to be more specific.

Then you mention ISO9660 in the subject. That is a mastered file system, so it is created before it is recorded on the underlying medium (CD or DVD or …)

The Creation Date of an ISO-9660 file system should be present. However, it depends on what tool you are using: while most use 'now' as the creation date, there are tools that allow you to specify some other date.

But the ISO standard will tell you all this. Go read it. You may be able to use the ECMA-119 standard as well, although it is dated, and partially modified by an amendment to ISO 9660, issued in 2013.

Does this information change when you duplicate the CD-R, or does the information persist unaltered in the copy?

Depends on how the copy is made. If you extract an ISO image, and then write that to a new medium, no changes take place. If you use some particular tool that modifies the volume or optimizes or updates it in any way as part of the copy, it very well may change dates.

Thanks everybody!

 
Posted : 09/02/2016 1:19 pm
(@skywalker)
Posts: 152
Reputable Member
Topic starter
 

Hello athulin,

I just need to know about the date on which a CD/DVD was recorded, nothing else. Obviously I know there must be recording tools in which you can select another date apart from "now" but it is like everything…

Could you tell me about any tool which is capable of doing that?

I haven't found anything on the Internet.

Thanks!

 
Posted : 09/02/2016 4:02 pm
(@cotem)
Posts: 14
Active Member
 

http://superuser.com/questions/559031/how-to-find-out-when-a-disc-dvd-has-been-written-burned

Read that a while ago and it helped me on a case.
You can also use this program

http://www.cdroller.com/htm/tester.html

 
Posted : 09/02/2016 10:33 pm
(@athulin)
Posts: 1156
Noble Member
 

I just need to know about the date on which a CD/DVD was recorded, nothing else.

So what do you mean by that, exactly? If you burn an .ISO to a CD-R, there is nothing in general to tell you when that happened, not on the optical disc itself. There may be records left on the computer on which that happened. If you burn files to a CD-R or DVD-R, that is a) first create the ISO file system, b) then record that on the CD, the ISO image should contain a Volume Creation Date and Time, which according to ISO-9660 should be that date. However … in reality, that time stamp may be left blank or may be set to some other date, decided by the tool used or the person who does the burning. Some tools even set illegal time stamps (typically use a binary (00) where a numeral (30) is expected), which may or may not upset the forensic tools you're using to extract the information. (The parenthesis notation is that used by ISO 9660.)

So, you can't, just by looking at an ISO 9660 Volume Creation Date and Time assert that it identifies the actual time of creation. You may claim that it is probable that it is, and refer to the ISO 9660 standard, but that has to be taken in relation to reality.

Could you tell me about any tool which is capable of doing that?

I haven't found anything on the Internet.

I'm out of office right now, so I can't verify this. I'm fairly certain ISObuster or the products from Infinadyne do it, though I haven't validated either to do a complete job (that is, cover the full range and resolution of the time stamps). I'm also sure that the Sleuthkit can be used, though for getting just this information, it's probably overkill.

Personally, however, I would not use any tool I hadn't validated to do this job correctly. Instead I'd use a decent hex editor, like HxD on Windows, and use the information in the ISO 9660 or Ecma-119 standards to identify the relevant bytes, and interpret them by hand. It's almost always found in sector 16 (or more precisely, in the sector where the Primary Volume Descriptor is found), at byte offset 814–830 (decimal notation). (And that is as ISO 9660 defines it, but it counts bytes from 1, not from 0, so you have to adjust it if your hex editor starts at 0.)

For actual details, find Ecma-119 on the net – it's free to download from ECMA –, and look at 8.4.26, where much of this is covered.

 
Posted : 10/02/2016 1:10 pm
(@skywalker)
Posts: 152
Reputable Member
Topic starter
 

http://superuser.com/questions/559031/how-to-find-out-when-a-disc-dvd-has-been-written-burned

Read that a while ago and it helped me on a case.
You can also use this program

http://www.cdroller.com/htm/tester.html

I had read that before posting, but "dd" didn't work properly. It tells me it's a directory and it cannot do anything.

I will try the tool.

Thanks!

 
Posted : 10/02/2016 2:20 pm
(@skywalker)
Posts: 152
Reputable Member
Topic starter
 

I just need to know about the date on which a CD/DVD was recorded, nothing else.

So what do you mean by that, exactly? If you burn an .ISO to a CD-R, there is nothing in general to tell you when that happened, not on the optical disc itself. There may be records left on the computer on which that happened. If you burn files to a CD-R or DVD-R, that is a) first create the ISO file system, b) then record that on the CD, the ISO image should contain a Volume Creation Date and Time, which according to ISO-9660 should be that date. However … in reality, that time stamp may be left blank or may be set to some other date, decided by the tool used or the person who does the burning. Some tools even set illegal time stamps (typically use a binary (00) where a numeral (30) is expected), which may or may not upset the forensic tools you're using to extract the information. (The parenthesis notation is that used by ISO 9660.)

So, you can't, just by looking at an ISO 9660 Volume Creation Date and Time assert that it identifies the actual time of creation. You may claim that it is probable that it is, and refer to the ISO 9660 standard, but that has to be taken in relation to reality.

Could you tell me about any tool which is capable of doing that?

I haven't found anything on the Internet.

I'm out of office right now, so I can't verify this. I'm fairly certain ISObuster or the products from Infinadyne do it, though I haven't validated either to do a complete job (that is, cover the full range and resolution of the time stamps). I'm also sure that the Sleuthkit can be used, though for getting just this information, it's probably overkill.

Personally, however, I would not use any tool I hadn't validated to do this job correctly. Instead I'd use a decent hex editor, like HxD on Windows, and use the information in the ISO 9660 or Ecma-119 standards to identify the relevant bytes, and interpret them by hand. It's almost always found in sector 16 (or more precisely, in the sector where the Primary Volume Descriptor is found), at byte offset 814–830 (decimal notation). (And that is as ISO 9660 defines it, but it counts bytes from 1, not from 0, so you have to adjust it if your hex editor starts at 0.)

For actual details, find Ecma-119 on the net – it's free to download from ECMA –, and look at 8.4.26, where much of this is covered.

Thank you. It's very useful information. Finally, the CD-R is not a CD-R, it's a DVD, but I have checked it was burned with a Joliet ISO 9660 format.

Then, do you recommend to use a HEX editor instead of any tool? Does the metadata have a size of 16 bytes (830-814=16)?

Do you recommend to create an ISO image of the DVD in order to inspect it with the HEX editor rather than inspecting the DVD directly?

Thanks!

 
Posted : 10/02/2016 2:39 pm
(@mscotgrove)
Posts: 938
Prominent Member
 

[quote="Skywalker"]Then, do you recommend to use a HEX editor instead of any tool?[/quote]

First port of call should always be a Hex editor.

 
Posted : 10/02/2016 9:37 pm
(@athulin)
Posts: 1156
Noble Member
 

Then, do you recommend to use a HEX editor instead of any tool?

To answer the single question 'What's in the Volume Creation Date and Time field' … yes.

Does the metadata have a size of 16 bytes (830-814=16)?

No.

Do you recommend to create an ISO image of the DVD in order to inspect it with the HEX editor rather than inspecting the DVD directly?

In general, yes. In general you don't want to subject any evidence or such to more wear and tear than necessary.

I recently had an old DVD scratched by a poor DVD reader – now there's a circular band about half way through it where the head seems to have touched the surface, and it doesn't read well anymore. (No, it wasn't evidence.)

(As for the 'metadata size must be 16' you really have to figure that out for yourself. You probably already have :-)

 
Posted : 11/02/2016 12:22 am
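
As an added example (not posted by anyone in this thread): a Python sketch of the by-hand reading described above, applied to an extracted image rather than the disc. It assumes 2048-byte sectors and the ECMA-119 8.4.26.1 layout (16 ASCII digits plus one signed byte giving the GMT offset in 15-minute units); the function names and the sample image are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 2048            # assumed logical sector size of the extracted image
FIELD = slice(813, 830)  # BP 814-830 (1-based in the standard) as a 0-based slice

def find_pvd(image: bytes):
    """Walk the volume descriptor set from sector 16 to the Primary Volume Descriptor."""
    for n in range(16, len(image) // SECTOR):
        sec = image[n * SECTOR:(n + 1) * SECTOR]
        if sec[1:6] != b"CD001" or sec[0] == 255:  # not a descriptor, or set terminator
            return None
        if sec[0] == 1:                            # descriptor type 1 = Primary
            return sec
    return None

def creation_time(image: bytes):
    """Return (status, value) for the Volume Creation Date and Time field."""
    pvd = find_pvd(image)
    if pvd is None:
        return ("no-pvd", None)
    raw = pvd[FIELD]                     # 16 digit bytes + 1 signed offset byte
    digits, off = raw[:16], struct.unpack("b", raw[16:])[0]
    if digits == b"0" * 16 and off == 0:
        return ("unspecified", raw)      # the standard's "not specified" value
    if not digits.isdigit() or not -48 <= off <= 52:
        return ("illegal", raw)          # e.g. binary (00) where digit (30) belongs
    try:
        ts = datetime.strptime(digits[:14].decode(), "%Y%m%d%H%M%S")
    except ValueError:                   # digits, but not a real calendar date
        return ("illegal", raw)
    return ("ok", ts.replace(microsecond=int(digits[14:]) * 10_000,
                             tzinfo=timezone(timedelta(minutes=15 * off))))

def sample_image(field: bytes) -> bytes:
    """Constructed image: empty system area, one PVD, one set terminator."""
    pvd = bytearray(SECTOR)
    pvd[0:7] = b"\x01CD001\x01"
    pvd[FIELD] = field
    return bytes(16 * SECTOR) + bytes(pvd) + b"\xffCD001\x01".ljust(SECTOR, b"\0")

if __name__ == "__main__":
    for f in (b"2016021012345600\x04", b"0" * 16 + b"\0", bytes(17)):
        print(creation_time(sample_image(f)))
```

A status of `ok` only reports what the field contains; as noted in the thread, the mastering tool or its operator may have set it to any value.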
(@skywalker)
Posts: 152
Reputable Member
Topic starter
 

Then, do you recommend to use a HEX editor instead of any tool?

To answer the single question 'What's in the Volume Creation Date and Time field' … yes.

Does the metadata have a size of 16 bytes (830-814=16)?

No.

Do you recommend to create an ISO image of the DVD in order to inspect it with the HEX editor rather than inspecting the DVD directly?

In general, yes. In general you don't want to subject any evidence or such to more wear and tear than necessary.

I recently had an old DVD scratched by a poor DVD reader – now there's a circular band about half way through it where the head seems to have touched the surface, and it doesn't read well anymore. (No, it wasn't evidence.)

(As for the 'metadata size must be 16' you really have to figure that out for yourself. You probably already have :-)

I have created an ISO file of the DVD, because it's not possible to open the disk as a "file" with HxD. I haven't found the burning date in the offset you said nor anywhere… 😯

Another question please… The ISO tells me the burning program was NERO. Another person has another copy of that DVD and it has obtained more metadata from the files burned (video files, using MediaInfo). Could a copy burned using NERO lose metadata of some files?

Thanks!

 
Posted : 11/02/2016 2:42 am