Hi, I have been browsing through old posts, and my curiosity has been piqued!
I will probably end up playing with this out of my own curiosity, as I have been doing forensics for 4 years and never once had to image optical media.
How do you go about imaging and preserving CD Evidence?
I was asked by someone for advice, I assumed you can image it using dcfldd, or dd. Or you could simply take an iso since it is (generally speaking) not likely to have deleted files etc on it.
I then got to thinking about the file system structure on a CD vs a HD, and found myself at a loss as to whether this would actually work. Reading the old threads has made me less confident in knowing what to do.
Personally, I do not like the idea of working from the live media, as you may end up inadvertently destroying the evidence (scratches, laser burn, etc.), so I would always work from an image.
I am currently reading CD and DVD Forensics, by Paul Crowley, which is very useful but is product specific. I am looking for an open source way to do the investigation (my department wants forensics, but has no budget for it).
Anyway, any good starting points for me to experiment?
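As an added illustration of the acquisition step the question asks about (this is example code, not something from the thread or from any of the tools named in it): a sector-by-sector copy that behaves like dd with conv=noerror,sync, zero-filling any sector the drive refuses to read so that LBAs in the image still line up with the disc, logging those LBAs, and hashing the output so the image file can be re-hashed and compared later. Assumptions are mine: 2048-byte user-data sectors, and a constructed in-memory "disc" with one unreadable sector standing in for a real device such as /dev/sr0 (placeholder path).

```python
# Added example (not from the thread): sector-wise acquisition with
# read-error handling and hash verification.
# Assumption: a data CD exposes 2048-byte user-data sectors; the device path
# on a real system (e.g. /dev/sr0) is a placeholder here.
import hashlib
import os
import tempfile

SECTOR = 2048  # user-data size of an ISO-9660 / Mode 1 CD sector


def image_stream(src, dst, sector=SECTOR):
    """Copy src to dst one sector at a time.

    A sector whose read raises OSError is logged and written as zeros so the
    image keeps disc LBAs intact (same idea as dd conv=noerror,sync).
    Returns (sha256 of everything written, sector count, [(lba, error), ...]).
    """
    digest, errors, lba = hashlib.sha256(), [], 0
    while True:
        try:
            chunk = src.read(sector)
        except OSError as exc:
            errors.append((lba, str(exc)))
            chunk = b"\x00" * sector
            src.seek((lba + 1) * sector)      # skip past the bad sector
        if not chunk:
            break
        if len(chunk) < sector:
            chunk = chunk.ljust(sector, b"\x00")  # short final read: pad
        dst.write(chunk)
        digest.update(chunk)
        lba += 1
    return digest.hexdigest(), lba, errors


def image_device(src_path, dst_path):
    """Image a block device or file at src_path into dst_path."""
    with open(src_path, "rb", buffering=0) as src, open(dst_path, "wb") as dst:
        return image_stream(src, dst)


def sha256_file(path, block=1 << 16):
    """Independent re-hash of the finished image for verification."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for data in iter(lambda: f.read(block), b""):
            h.update(data)
    return h.hexdigest()


class ScratchedDisc:
    """Constructed stand-in for a drive: in-memory sectors, some unreadable."""

    def __init__(self, sectors, bad):
        self.data = b"".join(sectors)
        self.bad = set(bad)
        self.pos = 0

    def read(self, n):
        if self.pos // SECTOR in self.bad:
            raise OSError(5, "Input/output error")   # what a scratch looks like
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk

    def seek(self, offset, whence=0):
        self.pos = offset
        return self.pos


def acquire_demo():
    """Image a constructed 4-sector disc whose LBA 2 is unreadable, write it
    to a temp file, re-hash the file and compare. Returns a result dict."""
    sectors = [bytes([i]) * SECTOR for i in range(4)]   # constructed payload
    disc = ScratchedDisc(sectors, bad=[2])
    fd, img_path = tempfile.mkstemp(suffix=".dd")
    os.close(fd)
    try:
        with open(img_path, "wb") as dst:
            stream_hash, count, errors = image_stream(disc, dst)
        file_hash = sha256_file(img_path)
    finally:
        os.unlink(img_path)
    expected = hashlib.sha256(
        sectors[0] + sectors[1] + b"\x00" * SECTOR + sectors[3]).hexdigest()
    return {
        "sectors": count,
        "bad_lbas": [lba for lba, _ in errors],
        "hash_matches_file": stream_hash == file_hash,
        "hash_matches_expected": stream_hash == expected,
    }


if __name__ == "__main__":
    print(acquire_demo())
```

The list of zero-filled LBAs belongs in the acquisition notes next to the hash: without it, a later examiner cannot tell a genuinely empty sector from one the drive could not read.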
I am looking for an open source way to do the investigation…
Can you clarify what you mean by "investigation"?
Perhaps if you could break what you're trying to do into discrete goals, then how to go about achieving them might be a bit easier to get to.
For example, you mention imaging the optical media, and you mention a couple of tools. Have you tried them?
Some resources that may assist you (from Google):
http//
http//
http//
The ForensicsWiki page mentions CD/DVD Inspector, which might meet your needs. If your department is given the requirement for performing forensic analysis of the media, but has no budget, then these are competing requirements that cancel each other out.
Thanks!
I basically meant going from acquisition to examination. So what is the best way to capture evidence, validate that evidence as being forensically sound, and then finally, how to examine that evidence for artifacts?
Totally helpful reply! I am checking out all those sites now.
How do you go about imaging and preserving CD Evidence?
Much the same as in any other case – if you know what you are investigating, you can choose the appropriate system level – if you don't know, or want to play it safe, you choose the 'lowest' system level that you can manage to access.
For CDs, this usually means the 'raw' CD information. This will be a combination of 'raw' data sectors and administrative information that (I think) can only be extracted by special commands to the CD drive.
I like CloneCD from Slysoft, myself, but there are several other tools on the market, some intended for forensic practice, and some for bypassing CD copy protection.
I was asked by someone for advice, I assumed you can image it using dcfldd, or dd. Or you could simply take an iso since it is (generally speaking) not likely to have deleted files etc on it.
This depends a lot on what kind of CD you are using. A single-session ISO-9660 CD would probably be mounted as a device giving you access to the sectors of that particular volume. However, you also need to cover multi-session CDs, and even perhaps CDs where session information has been deliberately obfuscated. If the CD device driver gives you that information, fine. Burn a couple of test CDs and keep them as references. One should definitely have multiple sessions (you want to be able to identify the multiple sessions, as well as access all of them without having to remount the CD).
Kris Kaspersky's book 'CD Cracking Uncovered: Protection Against Unsanctioned CD Copying' provides much of the foundation, though I'm afraid it's a rather hard read if you don't have a good background in software development. Paul Crowley's book on CD and DVD forensics contains some good stuff, but to a great extent appears to be a user's guide to a software product, and so won't make sense unless you have that software.
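To make the single-session vs multi-session point above concrete, here is an added example (mine, not from the thread or from either book) that does two things with a raw image: it walks the volume descriptor set the way a mounting OS does, starting at LBA 16, and it scans every sector for the ISO-9660 descriptor signature, which is how a second session's descriptors (at that session's start + 16) become visible in a raw dump. Assumptions: 2048-byte logical sectors, the standard Primary Volume Descriptor field offsets, and a constructed two-session layout (session 2 placed at LBA 40, an arbitrary value) used as the sample image.

```python
# Added example (not from the thread): walk the ISO-9660 volume descriptor
# set of a raw image and scan the whole image for descriptor signatures.
# Assumptions (mine): 2048-byte logical sectors, a descriptor set at
# session_start + 16; the two-session image built below is constructed.
import struct

SECTOR = 2048
MAGIC = b"CD001"
VD_TYPES = {0: "boot record", 1: "primary", 2: "supplementary",
            3: "partition", 255: "terminator"}


def parse_pvd(sector):
    """Fields of a Primary Volume Descriptor an examiner checks first.
    Numbers are stored both little- and big-endian; a mismatch between the
    two copies is a sign of a damaged or hand-edited descriptor."""
    if sector[0] != 1 or sector[1:6] != MAGIC:
        raise ValueError("not a primary volume descriptor")
    size_le = struct.unpack_from("<I", sector, 80)[0]
    size_be = struct.unpack_from(">I", sector, 84)[0]
    block_le = struct.unpack_from("<H", sector, 128)[0]
    block_be = struct.unpack_from(">H", sector, 130)[0]
    return {
        "volume_id": sector[40:72].decode("ascii", "replace").rstrip(),
        "volume_space_size": size_le,            # in logical blocks
        "logical_block_size": block_le,
        "both_endian_consistent": size_le == size_be and block_le == block_be,
        # root directory record starts at 156; its extent LBA (LE) is at +2
        "root_dir_extent": struct.unpack_from("<I", sector, 158)[0],
        "publisher": sector[318:446].decode("ascii", "replace").rstrip(),
        "creation_date": sector[813:829].decode("ascii", "replace"),
    }


def walk_descriptor_set(image, session_start=0):
    """What a mounting OS does: read descriptors from session_start + 16
    until the set terminator (type 255)."""
    found, lba = [], session_start + 16
    while (lba + 1) * SECTOR <= len(image):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sec[1:6] != MAGIC:
            break
        found.append((lba, VD_TYPES.get(sec[0], "unknown")))
        if sec[0] == 255:
            break
        lba += 1
    return found


def scan_for_descriptors(image):
    """Every sector carrying CD001 with a known type byte. On a raw image this
    also surfaces descriptor sets of later sessions, which live at their own
    session start + 16, not at LBA 16. A chance 'CD001' inside file data
    would be reported too, so treat hits as leads to confirm."""
    hits = []
    for lba in range(len(image) // SECTOR):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sec[1:6] == MAGIC and sec[0] in VD_TYPES:
            vol = sec[40:72].decode("ascii", "replace").rstrip() if sec[0] in (1, 2) else ""
            hits.append((lba, VD_TYPES[sec[0]], vol))
    return hits


def make_pvd(volume_id, volume_blocks, root_extent=18):
    """Constructed PVD carrying the fields parse_pvd reads."""
    sec = bytearray(SECTOR)
    sec[0], sec[1:6], sec[6] = 1, MAGIC, 1
    sec[40:72] = volume_id.encode("ascii").ljust(32)
    struct.pack_into("<I", sec, 80, volume_blocks)
    struct.pack_into(">I", sec, 84, volume_blocks)
    struct.pack_into("<H", sec, 128, SECTOR)
    struct.pack_into(">H", sec, 130, SECTOR)
    sec[156] = 34                                    # root dir record length
    struct.pack_into("<I", sec, 158, root_extent)
    struct.pack_into(">I", sec, 162, root_extent)
    sec[318:446] = b"CONSTRUCTED PUBLISHER".ljust(128)
    sec[813:830] = b"2024010112000000\x00"           # 16 digits + tz offset
    return bytes(sec)


def make_terminator():
    sec = bytearray(SECTOR)
    sec[0], sec[1:6], sec[6] = 255, MAGIC, 1
    return bytes(sec)


def build_multisession_image():
    """Constructed 64-sector image: session 1 starts at LBA 0 (descriptors
    at 16/17), session 2 starts at LBA 40 (descriptors at 56/57)."""
    img = bytearray(64 * SECTOR)
    img[16 * SECTOR:17 * SECTOR] = make_pvd("SESSION1", 40)
    img[17 * SECTOR:18 * SECTOR] = make_terminator()
    img[56 * SECTOR:57 * SECTOR] = make_pvd("SESSION2", 64)
    img[57 * SECTOR:58 * SECTOR] = make_terminator()
    return bytes(img)


def examine(image):
    """Compare the LBA-16 view with a whole-image scan and parse every PVD."""
    report = {"lba16": walk_descriptor_set(image, 0),
              "scan": scan_for_descriptors(image), "pvds": {}}
    for lba, kind, _ in report["scan"]:
        if kind == "primary":
            report["pvds"][lba] = parse_pvd(image[lba * SECTOR:(lba + 1) * SECTOR])
    return report


if __name__ == "__main__":
    rep = examine(build_multisession_image())
    print("descriptor set at LBA 16:", rep["lba16"])
    print("whole-image scan:", rep["scan"])
```

Run against the test discs the post recommends burning: if the mounted view and the whole-image scan disagree on how many primary descriptors exist, the acquisition path is only showing one session, which is exactly what a reference disc is meant to reveal before it matters on real evidence.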
Recently I was discussing the top three vendors' various shortcomings on CD/DVD imaging and interpretation of the collected images.
Make sure the tool you end up with functions as expected. Two of the three would not image properly in certain instances and had problems locating "deleted" files on rewritable DVDs.
jhup,
Any chance that you could share the details? "Two of the three" is pretty vague when you don't know what the two or the three are. And how do the two not image properly?
EnCase 6.19, FTK 4.2 & X-Ways 17.
DVD is RW.
Session opened.
Multiple files written.
Single file deleted.
Additional files written to DVD.
Session is not closed.
EnCase could see the deleted file, but unable to carve directly.
FTK could not see the file.
X-Ways could see the deleted file, but unable to carve directly.
All were able to locate through raw data view, and carve manually, and completely.