CD/DVDs may contain information that is not accessible to a normal user; however, this data can be recovered using highly specialized forensic software, potentially creating E-Discovery issues, especially where this “hidden” data has not been intentionally produced. Moreover, the duplication process of a CD/DVD may yield two unique copies, i.e. two copies with two different MD5 hashes. CD-ROM stands for Compact Disc Read-Only Memory, a mass storage medium that uses an optical laser to read microscopic pits on the aluminized layer of a polycarbonate disc; DVD is short for Digital Versatile Disc or Digital Video Disc and holds a minimum of 4.7GB (gigabytes) of data.
A forensic image of a CD/DVD can be made using HELIX, available at http://www.e-fense.com/helix/. An MD5 hash of the original media and an MD5 hash of the forensic copy should be computed to verify that an exact duplicate has been made. A chain of custody form should be generated, recorded and signed by the party completing the duplication process. This method of duplication is preferred for two reasons: (1) it preserves file system metadata (essential to establishing authenticity); and (2) it prevents access to the original CD/DVD (which may contain un-reviewed content).
One product, CD/DVD Inspector (http://www.infinadyne.com/cddvd_inspector.html), used by the DOJ and FBI, can retrieve information not otherwise available to the average user. This tool in particular seems to be marketed to law enforcement. Another product with fewer features is ISOBuster, available at http://www.isobuster.com/isobuster.php. This product has been included in FTK Toolkit for imaging disks of common formats; apparently, similar support is not found in EnCase. To know precisely what is being provided to the government, one must either use CD/DVD Inspector to perform an analysis of the disk prior to turning the item over to the government (third party), or follow the duplication process outlined above.
| Type | Platform | Typical Use | Linux Drivers |
|---|---|---|---|
| Red Book | All | Format Followed by | Included in Linux |
| HSG | Windows 95; MS DOS | Early Format | Format Can Be Read |
| ISO9660 | All | Most Common Data File | Included in Linux This is an ASCII text |
| Joliet | Windows | Unicode Data Format; | Included in Linux (-hide-joliet [filename] |
| Rock Ridge | Linux | Data Format | Included in Linux |
| HFS | Mac | Data Format | Can be compiled into |
| HFS+ | Mac | Unicode Data Format | Can be compiled into |
| UDF | All | DVD Format | Included in Linux |
Linux can use mkisofs and cdrkit (http://www.cdrkit.org/) to write multi-format CD/DVDs. For example, to make an HFS, Rock Ridge, and Joliet image, use “mkisofs -o output.iso -V "volume label" -r -J -hfs -map MAP_FILE -magic MAGIC_FILE ./”.
File System Metadata
File system metadata can establish when a file was last changed, modified, and/or viewed (Modified, Accessed, Created, abbreviated as “MAC” times). MAC times are pieces of file system metadata that record when a file was last modified, accessed, or changed. UNIX (and Linux) file systems follow this standard and store these three pieces of file time metadata. Windows file systems, such as FAT32 and NTFS, use “ctime” to refer to “creation time”.
Modification time (mtime)
A file’s modification time describes when the content of the file most recently changed. Because most file systems do not compare data written to a file with what is already there, if a program overwrites part of a file with the same data that previously existed in that location, the modification time will be updated even though the contents did not technically change.
Access time
A file’s access time identifies when the file was most recently opened for reading. A running program can maintain a file as “open” for some time, so the time at which a file was opened may differ from the time data was most recently read from the file.
Change time (ctime) and creation time
Unix and Windows file systems interpret ‘ctime’ differently:
- Unix systems maintain the historical interpretation of ctime as the time when certain file metadata, not its contents, were last changed, such as the file’s permissions or owner (e.g. ‘This file’s metadata was changed on 05/05/02 12:15pm’); and
- Windows systems are the only systems that use ctime to mean ‘creation time’ (also called ‘birth time’) (e.g. ‘This file was created on 05/05/02 12:15pm’).
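The two behaviours described above (an in-place rewrite of identical bytes still bumping mtime, and Unix ctime moving on a permissions change while Windows ctime does not) can be observed on a live file system. This is an added example, not from the original post; the scratch file and its content are constructed by the code, and the pause length is an assumption about the file system's timestamp granularity.

```python
import functools
import os
import tempfile
import time

def mac_times(path):
    """Return the three timestamps (in ns) that forensic tools call the MAC times."""
    st = os.stat(path)
    return {"mtime": st.st_mtime_ns, "atime": st.st_atime_ns, "ctime": st.st_ctime_ns}

@functools.lru_cache(maxsize=None)
def observe_mac_behaviour(pause=1.1):
    """Apply two operations to a scratch file and report how each MAC time reacted.

    The pause exceeds one-second timestamp granularity so that a real update shows
    up as a strictly larger value (2 s granularity, e.g. FAT, would need a longer pause).
    """
    with tempfile.TemporaryDirectory() as scratch:
        path = os.path.join(scratch, "evidence.txt")  # constructed sample file
        with open(path, "wb") as f:
            f.write(b"unchanged content")
        before = mac_times(path)
        time.sleep(pause)
        os.chmod(path, 0o600)  # metadata-only change: permissions
        after_chmod = mac_times(path)
        time.sleep(pause)
        with open(path, "r+b") as f:
            f.write(b"unchanged content")  # rewrite byte-for-byte identical content
        after_rewrite = mac_times(path)
    return {
        "posix": os.name == "posix",
        # chmod leaves the content timestamp alone ...
        "chmod_kept_mtime": after_chmod["mtime"] == before["mtime"],
        # ... but on Unix it bumps ctime, because ctime there is metadata-change time
        # (on Windows st_ctime is creation time and does not move)
        "chmod_bumped_ctime": after_chmod["ctime"] > before["ctime"],
        # writing identical bytes still counts as a modification
        "rewrite_bumped_mtime": after_rewrite["mtime"] > after_chmod["mtime"],
    }

if __name__ == "__main__":
    for name, value in observe_mac_behaviour().items():
        print(f"{name}: {value}")
```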
Identifying Tampering
Inconsistencies can be identified by comparing the root directory timestamps with the file metadata contained within the CD/DVD disk. Note that the Access, Modification and Change times in the root directory are the same. All other files within the CD/DVD should predate the Access, Modification and Change times of the root directory. The root directory is created when the CD/DVD is written.
Figure 2 - Root
If the root directory post-dates files from a given CD/DVD, this provides evidence of tampering.
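The comparison described above can be automated against an ISO9660 image: read the primary volume descriptor at sector 16, take the recording date of the embedded root directory record, and flag any root-directory entry recorded later than the root itself. This is an added example, not code from the original post or from the tools it names; ISO9660 stores a single recording date per entry, which stands in for the MAC times here, and the 20-sector sample image is constructed in code rather than read from a real disc.

```python
import struct
from datetime import datetime, timedelta, timezone
SECTOR = 2048  # ISO9660 logical block size

def decode_dir_datetime(b):
    """Decode the 7-byte directory-record date (ECMA-119 9.1.5); None if unspecified."""
    y, mo, d, h, mi, s, tz = struct.unpack("6Bb", b)  # tz = 15-minute steps from GMT
    if mo == 0 or d == 0: return None
    return datetime(1900 + y, mo, d, h, mi, s, tzinfo=timezone(timedelta(minutes=15 * tz)))
def iter_directory_records(img, extent, size):
    """Yield (identifier, recording date) for every record in one directory extent."""
    data, pos = img[extent * SECTOR:extent * SECTOR + size], 0
    while pos < len(data):
        rec_len = data[pos]
        if rec_len == 0:  # a zero length byte means the rest of this sector is padding
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        rec = data[pos:pos + rec_len]
        yield rec[33:33 + rec[32]], decode_dir_datetime(rec[18:25])
        pos += rec_len
def find_post_dated_files(img):
    """Return root-directory identifiers whose recording date is later than the root's."""
    pvd = img[16 * SECTOR:17 * SECTOR]  # primary volume descriptor is always sector 16
    if pvd[0] != 1 or pvd[1:6] != b"CD001": raise ValueError("no ISO9660 PVD at sector 16")
    root = pvd[156:190]  # the 34-byte root directory record embedded in the PVD
    root_time = decode_dir_datetime(root[18:25])
    extent, size = struct.unpack("<I", root[2:6])[0], struct.unpack("<I", root[10:14])[0]
    return [ident.decode("ascii") for ident, when in iter_directory_records(img, extent, size)
            if ident not in (b"\x00", b"\x01") and when is not None and when > root_time]

def _dir_record(extent, size, when, ident, flags=0):
    """Build one directory record for the constructed sample image (not a real disc)."""
    both = lambda fmt, v: struct.pack("<" + fmt, v) + struct.pack(">" + fmt, v)  # both-endian
    date = bytes([when.year - 1900, when.month, when.day, when.hour, when.minute, when.second, 0])
    body = (b"\x00" + both("I", extent) + both("I", size) + date + bytes([flags, 0, 0])
            + both("H", 1) + bytes([len(ident)]) + ident)
    body += b"\x00" * ((len(body) + 1) % 2)  # total record length must be even
    return bytes([1 + len(body)]) + body
def build_sample_image():
    """Constructed 20-sector image: root recorded 2002-05-05, one file recorded a day later."""
    root_time = datetime(2002, 5, 5, 12, 15, tzinfo=timezone.utc)
    img = bytearray(20 * SECTOR)
    img[16 * SECTOR:16 * SECTOR + 7] = b"\x01CD001\x01"  # type 1, magic, version 1
    img[16 * SECTOR + 156:16 * SECTOR + 190] = _dir_record(18, SECTOR, root_time, b"\x00", 2)
    records = (_dir_record(18, SECTOR, root_time, b"\x00", 2) + _dir_record(18, SECTOR, root_time, b"\x01", 2)
               + _dir_record(19, 5, root_time - timedelta(days=30), b"README.TXT;1")
               + _dir_record(19, 5, root_time + timedelta(days=1), b"LATE.TXT;1"))
    img[18 * SECTOR:18 * SECTOR + len(records)] = records
    return bytes(img)
```

On the constructed image `find_post_dated_files(build_sample_image())` returns only `LATE.TXT;1`; run it on a real image (`open("disc.iso", "rb").read()`) to list entries that post-date the root directory.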