(Quite long back) I recall a case of a stolen document (I don't have a ref or URL/news). The culprit who stole the document made a copy of it on CD and sold it. It was discovered after the CD with the stolen document was recovered, and the CD had the serial number of the CD burner from which it was created. Later, the investigation pointed to the culprit…
I tried studying something similar by burning a simple test file with a Samsung CD-RW using Nero 7, but I found no forensic information except the date on which the CD was created.
So is this product dependent? Can you point me to any other products/stories/anything… that might be useful info?
Based on my (limited) knowledge, both the CD and drive have their own serial numbers but I wouldn't normally expect the CD to contain information about the drive serial number. That said, the serial number/signature would be generated by a simple algorithm which may be derived from the drive ID. Although the odds are against it, it is perfectly feasible for randomly authored disks to have the same signature but this is fairly rare. As may be obvious, the chances of this happening are fairly small so this serial number may well have given the investigation team a drive ID, a burning application ID or a date/time-stamp, all of which could be matched to the suspect PC in their possession - I doubt that they could have proved this without them having access to the PC itself (once they'd obtained a search warrant) though I could be wrong…
It's also worth noting that there are some differences between what different drives (as well as the interrogation apps) can read from a CD. As an example, here's a Toast report that I found from a Mac support site I was looking at recently
DVD-RAM Read Yes
DVD-R Read Yes
DVD-ROM Read Yes
Method 2 Yes
CD-RW Read Yes
CD-R Read Yes
DVD-RAM Write No
DVD-R Write Yes
Test Write Yes
CD-R/RW Write Yes
CD-R Write Yes
BUF Yes
Multi Session Yes
Mode 2 Form 2 Yes
Mode 2 Form 1 Yes
Digital Port (2) No
Digital Port (1) No
Composite Yes
Audio Play Yes
Read Bar Code Yes
UPC Yes
ISRC Yes
C2 Pointers supported Yes
R-W De-interleaved & corrected No
R-W Supported No
CD-DA Stream is Accurate Yes
CD-DA Cmds Supported Yes
Eject (Individual or Magazine) Yes
Prevent Jumper No
Lock State No
Lock Yes
R-W in Lead-in Yes
Side Change Capable No
S/W Slot Selection (SSS) No
Changer Supports Disc Present No
Separate Channel Mute Yes
Separate volume levels Yes
LSBF No
RCK No
BCK No
Length 32
Loading Mechanism Type Tray
Number of Volume Levels Supported 256
Buffer Size Supported 2 MB
Needless to say, I have no idea what C2 Pointers are but this list gives you an idea as to what status flags or disk areas can or cannot be interrogated.
Hope that helps,
Neil
I am very interested in this title.
BTW, who can tell me some info about the software of Nero's logfile?
Guys, I'm writing a book that will try to cover in-depth analysis of almost all aspects of digital forensics (psychology, physical security, monitoring, technology etc.) FROM an anti-forensic standpoint.
Here are my quick conclusions that I'll be talking about in the book so far… Detailed conclusions maybe later, in free time.
———[uncomplete conclusions]———————–
Nero's logfile: Nero keeps a logfile of file size, file attributes, timestamp, and path of the original physical storage (and maybe other unknown privacy-leaking info!). Don't trust Nero to burn and distribute important files, as it has undocumented features that might store and leak personal info (further analysis later).
I am using a Samsung CD-RW, but after a firmware upgrade some time back my firmware version and serial seem to have vanished, which I concluded from Nero's InfoTool. So I can't confirm right now if such hardware info is stored on the CD.
I used ISOburner, CD/DVD Inspector and EnCase 4 but didn't find any forensically useful info.
Verifying with FTK left.
Use "isoinfo" in Linux to get any forensic info left on a CD.
ref ftp//
I have successfully compiled it under CYGWIN without any problem
From an anti-forensic standpoint:
To evade any possible logs on the CD-R during burning, create an ISO file system in Linux and copy files to it. Burn the ISO image. This will leave the least forensic fingerprint. Change the system date before burning to evade the date.
Nero keeps a log of burned CDs at \Program Files\Ahead\Nero\NeroHistory.log
It contains info about the physical memory, CD burned, CD size, hardware device used to burn the CD etc.
To get any forensic info from the CD:
bash-3.00$ isoinfo /dev/scd0
——————————————————————–
Example output ( the ISO was created using MKISOFS )
SYSI=LINUX
VOLI=knoppix-std
VOLS=
PUBL=
PREP=
APPI=MKISOFS ISO 9660/HFS FILESYSTEM BUILDER & CDRECORD CD-R/DVD CREATOR (C) 1993 E.YOUNGDALE (C) 1997 J.PEARSON/J.SCHILLING
ABST=
BIBL=
# creation date 2004-01-12 211210
# modification date 2004-01-12 211210
# expiration date 0000-00-00 000000
# effective date 2004-01-12 211210
# volume space size 254236 blocks (of 2048 bytes), 562961 msf
# volume space size 520675328 Bytes
# volume space size 496 MBytes
# boot catalog block 66
# boot image block 67
# boot image size 1 sectors (of 512 Bytes)
# boot arch x86
# extended info
——————————————————————–
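An added example, not part of the original posts and not the code of the isoinfo tool used above: the identifiers and dates in that output are fields of the ISO 9660 Primary Volume Descriptor, which a short parser can read straight from a disc image. The sample image is constructed in memory, reusing the values shown in the output above; `parse_pvd`, `parse_date` and `build_sample` are names chosen for this sketch.

```python
import struct
SECTOR, FIRST_VD = 2048, 16  # sector size; volume descriptors start at sector 16
# (label, offset, length) of text fields in the Primary Volume Descriptor
TEXT = [("SYSI", 8, 32), ("VOLI", 40, 32), ("VOLS", 190, 128), ("PUBL", 318, 128),
        ("PREP", 446, 128), ("APPI", 574, 128), ("ABST", 739, 37), ("BIBL", 776, 37)]
DATES = [("creation", 813), ("modification", 830), ("expiration", 847), ("effective", 864)]

def parse_date(raw):
    """17 bytes: 16 ASCII digits YYYYMMDDhhmmsscc, then signed GMT offset in 15-min units."""
    d = raw[:16].decode("ascii", "replace")
    if not d.isdigit() or int(d) == 0:
        return None  # field left unset by the authoring tool
    tz = struct.unpack("b", raw[16:17])[0] * 15
    return f"{d[0:4]}-{d[4:6]}-{d[6:8]} {d[8:10]}:{d[10:12]}:{d[12:14]} GMT{tz:+d}min"

def parse_pvd(image):
    """Walk the descriptor set and return the Primary Volume Descriptor's metadata."""
    lba = FIRST_VD
    while (lba + 1) * SECTOR <= len(image):
        vd = image[lba * SECTOR:(lba + 1) * SECTOR]
        if vd[1:6] != b"CD001":
            raise ValueError("not an ISO 9660 volume descriptor")
        if vd[0] == 255:          # descriptor set terminator
            break
        if vd[0] == 1:            # primary volume descriptor
            info = {k: vd[o:o + n].decode("ascii", "replace").strip(" \x00") for k, o, n in TEXT}
            info["blocks"] = struct.unpack_from("<I", vd, 80)[0]
            info["block_size"] = struct.unpack_from("<H", vd, 128)[0]
            info.update({k: parse_date(vd[o:o + 17]) for k, o in DATES})
            return info
        lba += 1
    raise ValueError("no primary volume descriptor found")

def build_sample():
    """Constructed image: 16 empty sectors, one PVD, one terminator."""
    vd = bytearray(SECTOR)
    vd[0:7] = b"\x01CD001\x01"
    for off, n, text in [(8, 32, "LINUX"), (40, 32, "knoppix-std"),
                         (574, 128, "MKISOFS ISO 9660/HFS FILESYSTEM BUILDER")]:
        vd[off:off + n] = text.encode().ljust(n)
    struct.pack_into("<I", vd, 80, 254236)     # volume space size in blocks
    struct.pack_into("<H", vd, 128, 2048)      # logical block size
    vd[813:830] = b"2004011221121000\x00"      # creation date
    vd[847:864] = b"0" * 16 + b"\x00"          # expiration date, unset
    term = b"\xffCD001\x01".ljust(SECTOR, b"\x00")
    return bytes(FIRST_VD * SECTOR) + bytes(vd) + term

if __name__ == "__main__":
    print(parse_pvd(build_sample()))
```

For a real disc, pass the bytes of an image file (or at least its first 18 sectors) to `parse_pvd`.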