[sleuthkit-users] CD Forensics
Brought to you by:
carrier
Menu
▾
▴
[sleuthkit-users] CD Forensics
|
From: Nico K. <nka...@gm...> - 2006-01-12 15:12:40
|
Good morning! This doesn't pertain directly to TSK, but I thought some of you might be able to offer me some insight into this issue. I was recently tasked with looking at a CD-R. There was only a single file of about 55KB. However, when checking the properties under Windows it showed that the used space was somewhere in the vicinity of ~580MB, which equalled the capacity of the CD-R. We suspected that there was more data than just that one file. We proceeded to get a bit-level image using dcfldd with various (conv=3Dnoerror,sync) and got to about 50MB when we started getting errors that simply slowed the read process down dramatically. The CD was heavily scratched, which might have caused the issue. However, when looking at the CD image we did get using hexedit and hexdump, we did only see that one fil= e followed eventually by the file table. It appears that the CD format was UDF and that only that one file was on the disk. I tried to replicate the scenario by writing a single file of similar size to a new CD-R using various methods native to XP as well as using Nero. Bu= t in each case the amount of used space according to the Windows properties sheet was in the KB range, which I expected based on file size + file table. But nowhere near the full capacity of the CD. Has anybody run into this or does anybody have any insight? Do you think there might be more data? Since it's a CD-R I really doubt that anybody would write files to the CD and be able to mess with the file table. Particularly the person in question. Also, does anybody have anymore info on the location of the file table? On some CD-Rs and CD-RWs I see the file table at the very beginning of the CD before the files themselves, and on others I see the files first followed eventually by the file table. Thank you VERY much for your time and interest. Cheers! Nico |
