Re: [sleuthkit-users] CD Forensics
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] CD Forensics
|
From: Nico K. <nka...@gm...> - 2006-01-12 21:12:13
|
UPDATE! OK, so I was playing around a bit more. Here is what I did with an experimental CD-R: 1) Wrote two files to the CD using standard WinXP method (right-click and Send To D:) 2) Wrote one more file using same method 3) Wrote one more file using same method At this point Windows showed four files on my CD-R. I take the CD and put it into my Linux box. 1) I run readcd dev=3D/dev/cdrom -fulltoc As expected, I get output saying that there are three sessions on that CD-R= : Read speed: 5645 kB/s (CD 32x, DVD 4x). Write speed: 1411 kB/s (CD 8x, DVD 1x). TOC len: 180. First Session: 1 Last Session: 3. 01 14 00 A0 00 00 00 00 01 20 00 01 14 00 A1 00 00 00 00 01 00 00 01 14 00 A2 00 00 00 00 00 06 03 01 14 00 01 00 00 00 00 00 02 00 01 54 00 B0 02 24 03 02 4F 3B 4A 01 54 00 C0 A0 00 40 00 61 11 06 02 14 00 A0 00 00 00 00 02 20 00 02 14 00 A1 00 00 00 00 02 00 00 02 14 00 A2 00 00 00 00 02 2A 06 02 14 00 02 00 00 00 00 02 26 03 02 54 00 B0 04 0C 06 01 4F 3B 4A 03 14 00 A0 00 00 00 00 03 20 00 03 14 00 A1 00 00 00 00 03 00 00 03 14 00 A2 00 00 00 00 04 12 09 03 14 00 03 00 00 00 00 04 0E 06 03 54 00 B0 05 30 09 01 4F 3B 4A Lead out 1: 303 Lead out 2: 12006 Lead out 3: 19209 2) I do a 'hexdump -C /dev/cdrom | less' Everything goes fine for a while. I see the two files I wrote first and th= e TOC. Then I see a 'hexdump: /dev/hdc: Input/output error'. 3) OK, so I try dcfldd (later I tried unsuccessfully using readcd. It produced tons of I/O errors until it finally froze up. After rebooting I look at the image file written by dcfldd (using hexdump) and it ends right where the original hexdump od /dev/cdrom ended. So, eventually I realized that the place the hexdumps stopped and dcfldd froze up was at blocksize (2048) * 303 (Lead Out 1 from readcd output earlier). That tells me that everything is fine while looking at the first session only. But for some reason hexdump and dcfldd won't show me the other two sessions. Any ideas? For what it's worth, mounting the CD using -t iso9660 and doing an ls -l shows all four files. Again, thanks and enjoy the brain teaser! Nico On 1/12/06, Nico Kalteis <nka...@gm...> wrote: > > I would like to thank everyone very much for their input. It has opened > up some interesting additional avenues for exploration, which I will do > right away. > > To answer a couple of questions, I began to dd (dcfldd, actually) the > whole thing but started to run into heavy I/O errors after about 55MB or > so. Obtaining the image slowed to a crawl where I would get about 1MB ev= ery > minute, which ended up becoming unfeasible for this particular situation.= I > would have loved to get the whole thing, but...oh well. So, I did all of= my > analysis on the 50MB chunk. I did run it through foremost and all it fou= nd > was just the one file. I was able to verify that finding fairly easily > using hexdump since it abbreviates the data with a simple asterisk if the > preceeding line occurs more than once. That made the 50+MB fairly easy t= o > skim through manually. > > The link to http://www.agilerm.net/linux1.html is excellent! > > Thanks again for your time! > > Nico > |
