
Forensic Binary Images


The disc TOC also provides an indication of whether the track contains Red Book audio or data sectors, which is required to properly read the contents of the disc. Determining what types of sectors are present in a track can be accomplished by examining other control information for the sectors or by examining the file system.

DVDs only have a single type of sector; however, multi-session recording is possible. The index of border zones for a disc is similar to the TOC for a CD, and is required to properly process a multi-session DVD.

In order to construct a binary image of a CD or DVD, each track sector must be on the disc along with an index indicating the type of track (for CDs) and the original starting location of the track.

CD/DVD Inspector 3.0 allows you to make a binary image file of any disc; the program can later be run against that image file without the disc being present. While the image file format is specific to CD/DVD Inspector, coordination with other tools is expected.

Reproducing Forensic Images

In the case of hard drives, a forensic binary image of a drive is reproducible.

As long as the contents have not been altered, every image taken of a hard drive is identical. This holds as long as the scope is limited to hard drives, flash memory, and other magnetic media.

This is not always the case with CD and DVD media, where reading from a disc with different drives can produce different results. This can result from different implementations of error correction strategy in the drive firmware and the hardware controlling the laser and optics.

With some drives, it is possible to obtain non-reproducible results from successive imaging, which can be observed with some Pioneer DVD writers on packet-written Compact Disc Recordable (CD-R) discs.

Assuming that it will always be possible to create identical forensic images from reading CD or DVD media is problematic, and calls into question evidence or forensic lab procedures should the MD5 or SHA1 hash value of such images not match. It is strongly recommended that you not attempt to compare forensic images or forensic image hash values unless the examiner is fully aware that mismatches can be “normal.”

www.syngress.com

Forensic Binary Images • Chapter 3 55

A recommended procedure is to either work from the original media or to work from a single image file. When working with the original media, use proper procedures to avoid contamination by software that does not belong on a forensic computer. When working from an image file, use before and after hash values to verify that the image has not been altered. Do not attempt to re-image the media and compare images or image hash values.
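The before-and-after check on a single working image can be scripted as follows. This is an added example, not code from the book or from CD/DVD Inspector; the file names and the JSON manifest layout are assumptions, and the sample "image" is constructed dummy data.

```python
import hashlib
import json
import os
import tempfile

CHUNK = 1024 * 1024  # read in 1 MiB pieces so large disc images do not fill memory

def hash_image(path):
    """Return size, MD5 and SHA-1 of an image file, computed in one pass."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:  # read-only: the working image is never opened for writing
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
            size += len(block)
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def record_baseline(image_path, manifest_path):
    """Hash the image before examination and store the values with the case notes."""
    baseline = hash_image(image_path)
    with open(manifest_path, "w") as fh:
        json.dump(baseline, fh, indent=2)
    return baseline

def verify_image(image_path, manifest_path):
    """Re-hash the same image file after examination; return the fields that changed."""
    with open(manifest_path) as fh:
        baseline = json.load(fh)
    current = hash_image(image_path)
    return [k for k in ("size", "md5", "sha1") if baseline[k] != current[k]]

def demo():
    """Constructed sample: a 4-sector dummy image, verified, then altered by one byte."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "disc.img")             # hypothetical file name
    manifest = os.path.join(workdir, "disc.img.hashes.json")
    with open(image, "wb") as fh:
        fh.write(bytes(2048 * 4))                         # four empty 2048-byte sectors
    record_baseline(image, manifest)
    unchanged = verify_image(image, manifest)             # empty list: image not altered
    with open(image, "r+b") as fh:                        # simulate an accidental write
        fh.seek(100)
        fh.write(b"\x01")
    changed = verify_image(image, manifest)               # both hashes now differ
    return unchanged, changed
```

The comparison is always between two hashes of the same image file, never between hashes of two separate reads of the disc.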


Collecting CD and DVD Evidence

Chapter 4

The following sections address a number of specific considerations needed for handling and collecting Compact Disc (CD) and Digital Versatile Disc (DVD) evidence. These sections also describe how to recognize CD and DVD media, how to protect yourself while collecting this evidence, and what precautions need to be followed in order to preserve it.

Recognizing CD and DVD Media

A common belief is that it is not necessary to collect manufactured discs as evidence because such evidence can only be stored on recordable discs. If it was possible to correctly identify manufactured discs and recordable discs simply by looking at them, manufactured discs might be able to be excluded.

Unfortunately, this is not the case. If it is necessary to limit the number of discs being collected and time does not permit any analysis of the discs, it may be necessary to select discs based on their appearance. This should be avoided whenever possible. Discs appearing to be manufactured that in reality have been recorded are not uncommon.

As part of the InfinaDyne CD and DVD Forensics class, students are given a disc that has been created with a clear laser-printed color label and that intentionally looks like an America Online (AOL) disc. If inserted into a computer with Windows, this disc behaves like an AOL distribution disc.

Depending on the types of cases you work on, it is possible that you will encounter such a subterfuge. The question is not whether you were able to recognize the disc as recordable, but whether or not a colleague with less experience will be able to make that identification.

It is strongly recommended that you collect every disc potentially containing evidence. It is common for a case to be made on the content of a single CD or a DVD.

Collection Considerations

As mentioned previously, CDs are resistant to scratches on the data side, but the top surface can be easily damaged. If the top surface of a disc is scratched, there is no way to recover the data and the disc is rendered unreadable. Touch only the edges of the outer rim and center hole; to avoid contamination, do not touch the flat surfaces.
