Presentation is loading. Please wait.

Presentation is loading. Please wait.

Alternate Data Storage Forensics Tyler Cohen & Amber Schroader 2007, Syngress Publishing, Inc. ISBN 13: 978-1-59749-163-1.

Published byPeter Elliott Modified over 9 years ago

Similar presentations

Presentation on theme: "Alternate Data Storage Forensics Tyler Cohen & Amber Schroader 2007, Syngress Publishing, Inc. ISBN 13: 978-1-59749-163-1."— Presentation transcript:

1 Alternate Data Storage Forensics Tyler Cohen & Amber Schroader 2007, Syngress Publishing, Inc. ISBN 13: 978-1-59749-163-1

2 Optical Media CD – Compact Disk DVD Digital Versatile Disk Digital Video Disk Both are organized as a single spiral track CD – 6 kilometers DVD – 12.5 kilometers

3 Batch Number Manufacturer Code Spindle Hole Clamping Ring Stacking Ring Data Area CD Areas

4 Sizes CDs 5.25 “ – 120 mm 3.15” – 80 mm Business Card DVDs 5.25” - 120 mm Could be different None so far

5 CD Construction

6 CD-R Dyes

7 CD & DVD Types CD CD-Rom CD-R CD-RW DVD DVD-Rom DVD-R DVD+R

8 Optical Storage CDs CD – R - 700 Mbytes CD –RW – 570 Mbytes DVDs Single layer – 4.3 Gbytes Two layer – 8.6 Gbytes Two sided - ?

9 CD Organization Lead in Container for the TOC for a CD session 1 st has 7,500 sectors (14.65 Mbytes) for lead in Subsequent sessions 4,500 sectors (9 Mbytes) for lead in Multi-session has pointer to next writable location Next pointer is either 0 or 24 binary 1s to finalize the disc

10 CD Organization Lead out Indicates end of session Audio discs stop playing 1 st session lead out is 6,750 sectors ( 13.5 Mbytes) 2 nd and on 2,250 sectors (4 Mbytes

11 CD Organization Sector 2,048 bytes for data discs 2,352 bytes for audio discs Track A single (logical) collection of data on the disc Up to 99 tracks on a CD Error Detection - Error Correction Codes Uses Reed – Solomon EDC-ECC

12 DVD Organization Border Zone / RZone Contains the real content of the disc Similar to a CD track Manufactured DVDs have only 1 border zone Recordable DVDs can have multiple border zones DVD does not have specific TOC A border zone may have the information so that the app can make a TOC

13 DVD Frame | ID | ID ECC | copyright Management info | User data | EDC | Bytes 4 2 6 2048 4 A 32 Kbyte ECC block Consists of 12 frames together with ECC for the user data Cannot access with consumer DVD Drives

14 Media at 30,000x CDDVD

15 Interfaces ATAPI or SATA SCSI USB 1394

16 Logical Structure Track-at-once CD – data discs Disc-at-once Audio discs DVDs Packet writing Used with drag & Drop writing software –Dangerous for forensic workstations Non-video DVDs

17 Logical File Systems

18 ISO 9660 International Standards Organization - $$$ ECMA 119 European Computer Manufacturers Association Free standard

19 ISO - 9660 Supported by most computers For example – Elevator Control Systems 8-bit ASCII File System Volume Descriptor Path Table Directory Entry

20 ISO 9660 Files smaller than 4GB DVD files are less than 1 GB

21 Volume Descriptor Sector 16 01 43 44 30 30 32 01 There is an ISO 9660 file system on the disc Then at offset 814 (0x32E0 is the create DTG At offset 575 (0x23F) is the app ID

22 DTG 4-digit year 2-digit month 2-digit day of month 2-digit hour 2-digit minute 2-digit second 1-digit tenths 1-digit hundredths I-byte time zone

23 UDF Universal Disk Format Optical Storage Technology Association UDF 1.0 – 1995 Part of DVD – Video, Audio, Recorders Uses packet writing Supports MAC Times 2 64 – 1 File Sizes Supports fragmented files

24 UDF Structure Anchor Volume Descriptor Point (AVDP) Location –Sector 256 and 512 –Last sector written to disc –256 sectors after beginning of the track –512 sectors after beginning of the track

25 UDF Structure DTG of disc creation Supports MAC DTG of files Application ID Disc name

26 UDF Problems Deleted files Fragmented files Nothing is over written until disc is full

27 Physical Fingerprints Drugs General contamination Removal Solvents Drugs Body fluids

28 Defects Dirt Distilled water Soap – Ivory Scratches Buffing Filler Cracks Broken

29 CD/DVD Forensics Hardware Readers – writers CD, DD –R +R etc. DL 2 sided Plextor 12x writers – good Out of production Pioneer MD5 not repeatable LOTS OF TESTING

30 CD/DVD Forensics Software Free – Sort of ISO Buster –Functional $549 CD/DVD Inspector –Excellent –Complete

31 Forensic Binary Image Hash code of Optical Media is often not reproducible from the media! Don’t try to demonstrate as with other drives Make an image and never go back to the media

32 Hash Codes ECD/ECC Causes differing reads at different times Scratches Wear and tear Different drive electronics result in different reads

33 Binary Image CD/DVD Inspector Makes a complete binary image of the media Image is specific to CD/DVD Inspector

34 ISO Buster

35 Drive Characteristics

36 Recognizing Media

37 Media Properties

38 Extract User Data

39 Create an Image

40 Media Image

Download ppt "Alternate Data Storage Forensics Tyler Cohen & Amber Schroader 2007, Syngress Publishing, Inc. ISBN 13: 978-1-59749-163-1."

Similar presentations

Lesson 9 Types of Storage Devices.

Lesson 9 Types of Storage Devices.
Types Of Storage Device

Types Of Storage Device
CP1610: Introduction to Computer Components Archival Storage Devices.

CP1610: Introduction to Computer Components Archival Storage Devices.
Professor Michael J. Losacco CIS 1110 – Using Computers Storage Chapter 6.

Professor Michael J. Losacco CIS 1110 – Using Computers Storage Chapter 6.
Win OS & Hardware. Optical Drives Non-Volatile Storage.

Win OS & Hardware. Optical Drives Non-Volatile Storage.
Section 5a Types of Storage Devices.

Section 5a Types of Storage Devices.
Understanding Storage Discovering Computers 2012: Chapter 2-7 1.

Understanding Storage Discovering Computers 2012: Chapter
Optical Storage CD-ROM Originally for audio 650Mbytes giving over 70 minutes audio Polycarbonate coated with highly reflective coat, usually aluminium.

Optical Storage CD-ROM Originally for audio 650Mbytes giving over 70 minutes audio Polycarbonate coated with highly reflective coat, usually aluminium.
1 Storing Digital Audio. 2 Storage  There are many different types of storage medium and encoding methods for the storage of digital audio  CD  DVD.

1 Storing Digital Audio. 2 Storage  There are many different types of storage medium and encoding methods for the storage of digital audio  CD  DVD.
CS 333 Introduction to Operating Systems Class 16 – Secondary Storage Management Jonathan Walpole Computer Science Portland State University.

CS 333 Introduction to Operating Systems Class 16 – Secondary Storage Management Jonathan Walpole Computer Science Portland State University.
Introduction to Computers Section 5A. home Storage Involves Two Processes Writing data Reading data.

Introduction to Computers Section 5A. home Storage Involves Two Processes Writing data Reading data.
XP Practical PC, 3e Chapter 12 1 Accessing Databases.

XP Practical PC, 3e Chapter 12 1 Accessing Databases.
CD, DVD and Sound cards. CD drives Overview optical drive: laser shines on disc and transition from land to pit.laser shines on disc pits and bumps: less.

CD, DVD and Sound cards. CD drives Overview optical drive: laser shines on disc and transition from land to pit.laser shines on disc pits and bumps: less.
Storage Devices Momina.

Storage Devices Momina.
Chapter 1.1. FDD ( Floppy Disk Drive) Needs a data cable for connection Has two 34-pin drive connectors and one 34-pin connector for the drive controller.

Chapter 1.1. FDD ( Floppy Disk Drive) Needs a data cable for connection Has two 34-pin drive connectors and one 34-pin connector for the drive controller.
Storage device.

Storage device.
Files & Partitions BACS 371 Computer Forensics. Data Hierarchy Computer Hard Disk Drive Partition File Physical File Logical File Cluster Sector Word.

Files & Partitions BACS 371 Computer Forensics. Data Hierarchy Computer Hard Disk Drive Partition File Physical File Logical File Cluster Sector Word.
Computer SCIENCE Data Representation and Machine Concepts Section 1.3

Computer SCIENCE Data Representation and Machine Concepts Section 1.3
Using and Configuring Storage Devices Guide to Operating Systems Third Edition.

Using and Configuring Storage Devices Guide to Operating Systems Third Edition.
Storage Media Asad M. Nafees. Outline DVD/DVD-R/DVD+R/DVD-RW/DVD+RW CD/CD-R/CDRW Flash Disk Portable Hard Drive.

Storage Media Asad M. Nafees. Outline DVD/DVD-R/DVD+R/DVD-RW/DVD+RW CD/CD-R/CDRW Flash Disk Portable Hard Drive.

Similar presentations

Ads by Google