[sleuthkit-users] CD Forensics
From: Nico K. <nka...@gm...> - 2006-01-12 15:12:40
Good morning!

This doesn't pertain directly to TSK, but I thought some of you might be able to offer me some insight into this issue.

I was recently tasked with looking at a CD-R. There was only a single file of about 55KB. However, when checking the properties under Windows it showed that the used space was somewhere in the vicinity of ~580MB, which equalled the capacity of the CD-R. We suspected that there was more data than just that one file.

We proceeded to get a bit-level image using dcfldd with various (conv=noerror,sync) and got to about 50MB when we started getting errors that simply slowed the read process down dramatically. The CD was heavily scratched, which might have caused the issue. However, when looking at the CD image we did get using hexedit and hexdump, we did only see that one file followed eventually by the file table. It appears that the CD format was UDF and that only that one file was on the disk.

I tried to replicate the scenario by writing a single file of similar size to a new CD-R using various methods native to XP as well as using Nero. But in each case the amount of used space according to the Windows properties sheet was in the KB range, which I expected based on file size + file table. But nowhere near the full capacity of the CD.

Has anybody run into this or does anybody have any insight? Do you think there might be more data? Since it's a CD-R I really doubt that anybody would write files to the CD and be able to mess with the file table. Particularly the person in question.

Also, does anybody have any more info on the location of the file table? On some CD-Rs and CD-RWs I see the file table at the very beginning of the CD before the files themselves, and on others I see the files first followed eventually by the file table.

Thank you VERY much for your time and interest.

Cheers!

Nico