Notifications
Clear all

recovering&reconstructing data from severely broken cd?

Page 1 / 2
williamsonn
(@williamsonn)
Member

hello everyone

I would like to ask your opinion about if it is currently possible to recover and reconstruct not simple bits but significant user´s data from a cd or dvd with many (more than 10)rough scissors cuts from edge to center, when most pieces are present. Thanks.

Quote
Topic starter Posted : 15/10/2012 2:23 am
mitch
(@mitch)
Active Member

I have the equipment if the media is not broken into bits but badly scratched and I mean scratched to repair and read

Mitch

ReplyQuote
Posted : 15/10/2012 4:52 am
Adam10541
(@adam10541)
Senior Member

I can't think of any way that would be possible as part of the disc would be completely destroyed by the compression of the scissors cutting. The missing portion may only be a millimeter or so but it's still missing data. So assuming you could somehow glue the disc back together and have it be flat enough and strong enough to withstand the centrifugal force of spinning you are still going to be missing significant portions of the disc.

This is pure opinion and speculation on my behalf but I've never heard of anyone managing to reconstruct a disc from what you are talking about.

Maybe if you had a CD reader where the laser spins instead of the disc??

ReplyQuote
Posted : 15/10/2012 6:34 am
Passmark
(@passmark)
Active Member

There was also this old post on the subject,
http//www.forensicfocus.com/Forums/viewtopic/t=8376/

ReplyQuote
Posted : 15/10/2012 10:13 am
mscotgrove
(@mscotgrove)
Senior Member

No - not possible to get anything meaningful

When cut with sissors the film will be severely damaged. Even if a sector could be read using a microscope, it would be meaningless.

The only case that something could be considered useful would be if a sector was read and it's hash value matched a known sector within a known file. This could be considered as a smoking gun.

ReplyQuote
Posted : 15/10/2012 3:46 pm
williamsonn
(@williamsonn)
Member

"The only case that something could be considered useful would be if a sector was read and it's hash value matched a known sector within a known file. This could be considered as a smoking gun."

Does this case mean you have to know previously the exact name of certain file you are looking for, or it also can be done at a random broken cd whoce contents are previously unknown? thank you

BTW,The same impossibility of recovering data above described also happens with a hammered hard drive with platters broken into several pieces?(this usually happens as you know with glass-based hdds).

ReplyQuote
Topic starter Posted : 15/10/2012 5:10 pm
mscotgrove
(@mscotgrove)
Senior Member

LE have databases of CP files by hash values. I do not know if they ever keep hashes of each sector, that is when files could be suspected.

Don't forget that CD sectors are 0x800, while a disk is 0x200, or a NTFS cluster is normally 0x1000 (plus many more sizes for FAT disks).

ReplyQuote
Posted : 15/10/2012 7:30 pm
jaclaz
(@jaclaz)
Community Legend

For the reasons stated on the "other" thread
http//www.forensicfocus.com/Forums/viewtopic/t=8376/
there is NOT one way on earth to "recognize" actual CD/DVD media in a drive (let alone read it's contents) if the pre-groove cannot be read.
A cut/broken CD has (obviously) the pre-groove damaged, and you will need to write a dedicated firmware for the disc drive and possibly additionally modify the drive mechanically/electrically in such a way that you can have it read the pre-groove of an identical (or very similar) media and be able to "swap" the media without the drive knowing it.
Possibly you can have the same using a SCSI disc drive and re-writing the drivers for it (much easier than re-writing a proprietary firmware).
Once you have achieved the above, if you can find a way (and again mechanical modifications to the drive may be needed) to re-assemble and "keep together" the various parts of the broken CD (and for this you will need a microscope to modify the edges of the piece so that they can be put togeteher) , then, maybe, a tool like ddrescue or dd_rescue or similar may be able to read some sectors.

jaclaz

ReplyQuote
Posted : 15/10/2012 8:16 pm
PaulSanderson
(@paulsanderson)
Senior Member

The only case that something could be considered useful would be if a sector was read and it's hash value matched a known sector within a known file. This could be considered as a smoking gun.

LE have databases of CP files by hash values. I do not know if they ever keep hashes of each sector, that is when files could be suspected.

I am struggling with this. I see you a data recovery specialist and not necessarily a forensic type.

If you could get a sector back, which is nigh on impossible, and you could match that sector to a known file (and LE do not keep databases of sectors from files - but ignore that for now) how could it be considered to be a smoking gun?

Other than the possibility that the data could exist in more than one file, even if the data is unique and the file from whcih it comes is contraband (i.e. illegal image of a child) what would you charge the owner of the disk with?

Possession? Making? did he/she possess the complete file, when did they get it…

I am pretty certain that in this country you would be hard pushed to get this off the ground as a basis for prosecution

ReplyQuote
Posted : 15/10/2012 8:40 pm
AngryBadger
(@angrybadger)
Active Member

The only case that something could be considered useful would be if a sector was read and it's hash value matched a known sector within a known file. This could be considered as a smoking gun.

LE have databases of CP files by hash values. I do not know if they ever keep hashes of each sector, that is when files could be suspected.

I am struggling with this. I see you a data recovery specialist and not necessarily a forensic type.

If you could get a sector back, which is nigh on impossible, and you could match that sector to a known file (and LE do not keep databases of sectors from files - but ignore that for now) how could it be considered to be a smoking gun?

Other than the possibility that the data could exist in more than one file, even if the data is unique and the file from whcih it comes is contraband (i.e. illegal image of a child) what would you charge the owner of the disk with?

Possession? Making? did he/she possess the complete file, when did they get it…

I am pretty certain that in this country you would be hard pushed to get this off the ground as a basis for prosecution

If you want to look at it simply from a IIOC point of view then you could build a making charge around it, it's not much different to any other unallocated data. The CPS are perfectly happy to make a charge of making on an image in UC that's missing its tail, this technique means you can find a file that's missing its head.

A single sector will be pretty tricky though….

But the LE hash sets have enough problems with hashing at the file level, at the block level ….

Horses/courses, there are plenty of applications for this technique, it has been talked about for years, Simon Key @ Guidance wrote a enscript to do it in 2009.
https://support.guidancesoftware.com/forum/downloads.php?do=file&id=657 (needs login)

The download also includes the slides from the talk he did at CEIC 2012.

Also have you noticed that, in your avatar, the arrow pointing to your name is pointing the wrong way since the layout of the site changed? P

ReplyQuote
Posted : 15/10/2012 9:19 pm
PaulSanderson
(@paulsanderson)
Senior Member

Yes re the avatar.

But with regard to an image missing its tail - the image is usually displayable with some corruption, an image missing both its head and its tail (which is what we are talking here - single sector) is not going to display and frankly has b****r all chance of running.

ReplyQuote
Posted : 15/10/2012 10:25 pm
AngryBadger
(@angrybadger)
Active Member

Yes re the avatar.

But with regard to an image missing its tail - the image is usually displayable with some corruption, an image missing both its head and its tail (which is what we are talking here - single sector) is not going to display and frankly has b****r all chance of running.

But, if you've got the original file/picture to hand you can present a pretty good argument that the data used to be on that disk, even just a sectors worth (which is 1Kb on a CDROM after all). The chances of it being something else are slim.

Obviously only an utter idiot would build a case just on that but as supporting evidence it has validity.

ReplyQuote
Posted : 15/10/2012 11:34 pm
PaulSanderson
(@paulsanderson)
Senior Member

No validity at all Hugh - if you have the picture on a computer then it is evidence and you dont need a tiny fragment from a CD.

No barrister I have worked with would want to run that past a jury.

Oh, and its 2K on a CD

ReplyQuote
Posted : 15/10/2012 11:49 pm
jaclaz
(@jaclaz)
Community Legend

Oh, and its 2K on a CD

Well, 0x800 does sound a lot like 2,048 and conversely 2K. 😉

jaclaz

ReplyQuote
Posted : 16/10/2012 12:25 am
AngryBadger
(@angrybadger)
Active Member

No validity at all Hugh - if you have the picture on a computer then it is evidence and you dont need a tiny fragment from a CD.

No barrister I have worked with would want to run that past a jury.

Oh, and its 2K on a CD

So how do they float partial DNA matches past the jury ?

Your're missing the point, it's not about the picture. The OP asked about data, not a picture, a picture was used merely as an example.

I made the point that its not something to safely build a case on but could have some validity as supporting evidence.

For (another) example. OP's mate is suspected of being an urban terrorist. Police think he had a copy of the 'Dummies Guide to Urban Warfare' on his CDROM in compressed PDF format, the smoking gun that they need to put him away.
So they get a copy of this file (from a third party source), block hash it and compare those hashes against the 1kB, 2kB or 2,336 byte sector that they've (miraculously) pulled from the CDROM fragment. Hashes match.
Add that to the sweaty balaclava and a dislike of soap and away you go, case stronger for the CD evidence.

Your barrister doesn't sound like any fun at all.

Oh and it's written 2kB.
(Simon is angry)

ReplyQuote
Posted : 16/10/2012 12:56 am
Page 1 / 2
Share:
Share to...