how to acquire CD /...
 
Notifications
Clear all

how to acquire CD / DVD ??

19 Posts
9 Users
0 Likes
2,277 Views
(@gremodic)
Posts: 24
Eminent Member
Topic starter
 

hi hello to all
excuse if i don't write english very well….

in this period i must acquire many cd & dvd i do this with encase but often there are many errors and so encase is not a good idea…..

can you give me an idea of what can i do and how….

i have used other programs like isobuster or badcopypro for recovery data from cd but how i can give a forensic specification at all??

P.S. I'm really sorry for my english 😉

 
Posted : 09/03/2010 4:37 pm
 p4c0
(@p4c0)
Posts: 9
Active Member
 

I've used Isobuster and I think it's a good tool also because let's you acquire even the different sessions on a multisession cd, so you don't risk to miss a file that was "deleted" between two sessions.

Paco

 
Posted : 09/03/2010 5:12 pm
(@gremodic)
Posts: 24
Eminent Member
Topic starter
 

yes now i'm trying isobuster in the same minute you answer me, but what i must hash? only the iso generated?

now for example isobuster found a damage sector and ask me if i want replace with null information or jump the sector….i choose the first but now i know that is different from orginal….

 
Posted : 09/03/2010 5:15 pm
azrael
(@azrael)
Posts: 656
Honorable Member
 

For various assorted reasons, that I can't honestly remember without looking it up in the course notes, you can _never_ truly image a CD or DVD - you can get a logical copy of content, and it is this, once you have it completely, that you should hash.

Personally, I'd go for NULLs over skipping - as this at least gives the impression of where something _might_ have been.

 
Posted : 09/03/2010 5:50 pm
(@gremodic)
Posts: 24
Eminent Member
Topic starter
 

so your counsel is to do an Iso image with one program as isobuster nero kr3b or similar and after hash this? also if this Iso is affect by many errors?

 
Posted : 09/03/2010 5:55 pm
(@dietro)
Posts: 51
Trusted Member
 

FTK Imager which uses, the ISObuster engine, will create an ISO image of a CD/DVD and it will generate a hash for you.

 
Posted : 09/03/2010 6:03 pm
azrael
(@azrael)
Posts: 656
Honorable Member
 

Personally I don't use any of those tools - however that's not to say that they aren't perfectly acceptable. I'd be careful if any of the media is rewritable, so as to be sure not to cause any modification to it.

As said above the FTK imager does all the hard work for you …

Being a UNIX nut, I'd use dd and hash the image ( or dcfldd, which will hash it for you ).

-)

 
Posted : 09/03/2010 6:15 pm
 p4c0
(@p4c0)
Posts: 9
Active Member
 

For various assorted reasons, that I can't honestly remember without looking it up in the course notes, you can _never_ truly image a CD or DVD - you can get a logical copy of content, and it is this, once you have it completely, that you should hash.

What do you mean with "the logical copy of the content"? Do you mean just what you see in Window Explorer once you put the cd into the pc?

The problem you may have with cd/dvd is that you risk to miss some file on multisessions cd. Once you write on a cd, you cannot delete (not talking about cd-rw) but in a multisession you can decide to "remove" something from what you've burned in the previous session. This means that in the TOC of the new session that file will not appear, but it stil lexist on the cd of course.
That's why you need to be aware of that and to use tools that will show every session.

Personally, I'd go for NULLs over skipping - as this at least gives the impression of where something _might_ have been.

Totally agree.

 
Posted : 09/03/2010 6:17 pm
(@gremodic)
Posts: 24
Eminent Member
Topic starter
 

yes i use dd o dfcldd or also dc3dd but all of this CD / DVD are damage and so….if i hash the device and the image you can be sure the 2 hash is different….i try to understand what is the best effort way to acquire this kind of device…..the device without errors i'm acquiring with encase….

 
Posted : 09/03/2010 6:20 pm
(@jot49)
Posts: 16
Active Member
 

Don´t forget read errors of your CD/DVD-drive. That´s the reason why it is most likely to get different hashes when hashing the same cd/dvd twice.
It doesn´t matter which tool you use (dd, ftk imager, ….)
You have to hash the files/folders.

 
Posted : 09/03/2010 6:32 pm
Page 1 / 2
Share: