
Form 2 Supported


The “Mode 2 Form 2 Supported” item is reported as true or false, based on the ability of the drive to read XA Mode 2 Form 2 sectors. These sectors are used for multimedia discs such as VCD or SVCD. This is a standard capability of nearly all drives.

Digital output on port 1

The “Digital Output on Port 1” item is reported as true or false, based on the existence of a digital output connector on the rear of the drive. This is fairly common with modern drives, but is seldom used.

Digital output on port 2

The “Digital Output on Port 2” item is reported as true or false, based on the existence of a second digital output connector on the drive. This is not a common feature on recent drives.

www.syngress.com

CD/DVD Inspector - The Basics • Chapter 6 129

Audio play supported

The “Audio Play Supported” item is reported as true when the drive supports commands that begin playing an audio track through the analog and/or digital audio ports. It has been a requirement for compatibility with Microsoft Windows since Microsoft Windows 95.

Reading CDDA supported

The “Reading CDDA Supported” item is reported as true when the drive supports reading audio track data, and is common for all drives manufactured since 1998. If it is not supported, you cannot collect audio track information in a disc image file. For forensic purposes, it is recommended that you check to ensure that this is reported as true.

CD-Text/CD+G supported

The “CD-Text/CD+G CDDA Supported” item is reported as true when the drive can access R-W subchannel data where Philips-style CD text information and CD+G graphics information are stored. For forensic purposes, it is recommended that you check to ensure that this is reported as true.

CD-Text/CD+G Decoded

The “CD-Text/CD+G Decoded” item is reported as true when the drive decodes and de-interleaves R-W subchannel data. Both higher accuracy and better error correction are provided when CD/DVD Inspector does the de-interleaving for displaying CD+G graphics. This is not required for forensic purposes; however, many high-quality drives support this.

Accurate CDDA positioning

This is reported as true when the drive supports accurate positioning within an audio track. Such accurate positioning requires additional work by the drive because audio sectors are only required to have position information every 15 sectors. Some software is affected but CD/DVD Inspector is not.


Transfer Block supported

The “Transfer Block Supported” item is reported true when the drive supports transferring sector data with errors. It is not common with lower cost drives. For forensic purposes, this item should be checked and only those drives that support Transfer Block should be used for collecting evidence.

Inactivity spin-down

The “Inactivity Spin-down” item reports the amount of time a drive waits before turning the spindle motor off.

Device capabilities

The “Device Capabilities” item reports the types of discs that the drive supports for reading and writing.

Device buffer size (in K)

The “Device Buffer Size (in K)” item reports the size of the drive buffer, which is used for buffering during read and write operations.

Drive serial number

The “Drive Serial Number” item reports the drive serial number when it is available.

The Volume Information Display

The volume information display is accessed by clicking the Volume Information item in the Tools menu (see Figure 6.17). The file system information display is chosen by selecting one of the file systems and/or sessions in the left-hand side of the Volume Information window. Each file system type (e.g., ISO 9660, Joliet, HFS, HFS+, HSG, and UDF) has a different display. Other file system types (e.g., Red Book Audio) do not have volume information available.


Figure 6.17 Volume Information Display Dialog

The following describes the information that is displayed for each of the file system types.

ISO 9660 Volume Information

For ISO 9660 file systems, all of the fields from the Primary Volume Descriptor are formatted and displayed.

Volume ID

The name of the file system can be up to 32 characters. Correctly constructed ISO 9660 file system names use only uppercase letters, numbers, and the underscore (_) character.

System ID

The “System ID” field contains information that is designed to be used by the operating system reading the disc. Common values for this field are “APPLE COMPUTER INC,” which indicates that the disc has Apple Macintosh extensions, and “CD-RTOS CD-BRIDGE,” which indicates that the disc is written in XA mode.

Other information can also appear in this field (e.g., the software and/or operating system that created the disc). Windows ignores this field completely; therefore, many writing programs use this for their own purposes.


Volume size

The “Volume Size” field indicates the size of the volume declared by the file system. It can differ from the actual space taken by the track. Some writing software terminates writing without writing the entire file system. In this case, the value reflects the intended size of the volume, whereas the actual track size will be considerably smaller.

It is not necessarily a bad situation when the volume size is smaller than the space occupied by the track. However, when the volume size is larger than the track, it indicates a serious problem; files that are represented in the directory are probably missing from the disc.

This value is shown from the little-endian (or Intel format) value. The big-endian (or Motorola format) value is displayed later in the list of values.

System use

The “System Use” field contains information for operating system use. It does not have any defined use for ISO 9660 file systems.

Volume set size

The original use of the “Volume Set Size” field was to indicate how many discs made up the entire volume of data. There were very few multi-disc volumes created. Today, this field always contains the value 1. This value is shown from the little-endian (or Intel format) value. The big-endian (or Motorola format) value is displayed later in the list of values.

Volume in set

When the volume set size is larger than 1, it indicates the volume that is within the set. No current operating system examines this field; however, it should be set to a value between 1 and the number of discs in the volume set.

This value is shown from the little-endian (or Intel format) value. The big-endian (or Motorola format) value is displayed later in the list of values.

Block size (bytes)

This field indicates the number of bytes for each “block” of data used in this volume. It is possible to see values of either 512 or 2,048 in this field; however, discs with the value of 512 may be difficult to read under existing operating systems. A value of 512 bytes was common in discs created for Sun workstations in the early 1990s.

The value is shown from the little-endian (or Intel format) value. The big-endian (or Motorola format) value is displayed later in the list of values.

Path table size (bytes)

The “Path Table Size (Bytes)” field contains the number of bytes used in the path table for the file system. The path table contains the names of subdirectories and the starting sector of the subdirectory, which is used to quickly navigate through directories.

This value is shown from the little-endian (or Intel format) value. The big-endian (or Motorola format) value is displayed later in the list of values.

Path table (L)

The “Path Table (L)” field contains the sector number on the disc of the L-format path table. If the path table size is greater than 2,048, there are multiple sequential sectors beginning with the sector number in this field. This version of the path table has little-endian or Intel format integers.

Path tables contain one entry for each subdirectory in the file system.

Each entry consists of the following data items:

Length Type Description

1 Binary The length of the path table entry

1 Binary The length of the extended attributes

4 Integer The starting sector number for a subdirectory

2 Integer The path entry of a parent directory

??? Character The name of a subdirectory

In the L path table, the fields identified as integers are in little-endian or Intel form. In the M path table, these fields are in big-endian or Motorola form. Clicking on the path table line will result in a new window showing the contents of the path table.


Optional path table (L)

The “Optional Path Table (L)” field specifies the starting sector number of the optional second L format path table. This is not commonly used.

Path table (M)

The “Path Table (M)” field contains the sector number of the M format path table on the disc. If the path table size is greater than 2048, there are multiple sequential sectors beginning with the sector number in this field. This version of the path table has big-endian or Motorola format integers.

Optional path table (M)

The “Optional Path Table (M)” field specifies the starting sector number of the optional second M format path table. This is not commonly used.

Root directory sector

The “Root Directory Sector” field contains the sector number of the beginning of the root directory. The first entry in the root directory contains the information about the directory itself. This value is shown from the little-endian (or Intel format) value. The big-endian (or Motorola format) value is displayed later in the list of values.

Root directory timestamp

This field contains the timestamp from the root directory “.” entry. This usually matches the volume create date and time (described below). If it does not match, it is a clear indication that the person creating the disc is attempting to mislead people about the creation date and time of the disc; thus, there is no way to be certain which date and time is actually correct.

Volume set

The “Volume Set” field describes the volume set. This can be used to describe the disc; however, it is not commonly used.


Publisher

The “Publisher” field contains a message that describes the publisher of the disc. It can be set by most mastering software; however, it is not done often.

If the first character of this field is a vertical bar (“|,” [hex 5F]), the remainder of the field is a filename in the root directory containing the publisher information.

Data preparer

The “Data Preparer” field contains a message describing the data preparer of the disc. It can be set by most mastering software; however, it is not done often. The Microsoft Windows XP disc writing tool inserts a message in this field about the IMAPI interface licensed from Roxio by Microsoft. This makes identifying discs written by the Windows XP disc writing tool simple.

If the first character of this field is a vertical bar (“|,” [hex 5F]), the remainder of the field is a filename in the root directory containing data preparer information.

Application

The “Application” field contains a message describing the application that created the disc. It can be set by some mastering software; others insert their own text in this field (e.g., Roxio Easy CD Creator inserts information describing the application into this field).

If the first character of this field is a vertical bar (“|,” [hex 5F]), the remainder of the field is a filename in the root directory containing application information.

Copyright file

The “Copyright File” field contains the name of a file in the root directory containing the copyright information for the disc. It is usually blank or binary 0.

Some writing software provides an easy way to set this information, while others make it extremely difficult. It is unusual to find this set on commercial discs where copyright information is important. No current operating system uses this information or makes it available in any manner.


Abstract file

The “Abstract File” field contains the name of a file in the root directory containing information about the contents of the disc. It is usually blank or binary 0.

Some writing software provides an easy way to set this information, while others make it extremely difficult. No current operating system uses this information or makes it available in any manner.

Bibliography file

The “Bibliography” field contains the name of a file in the root directory containing bibliographic information about the disc. Because this field is rarely used, it is usually blank or binary 0.

Volume created

The “Volume Created” field is the date and time the volume was created. The date is a string of numeric digits with the following meanings:

4-digit year

2-digit month

2-digit day

2-digit hour

2-digit minute

2-digit second

1-digit tenths of seconds

1-digit hundredths of seconds

1-byte binary time zone

The binary time zone is a signed 8-bit value with positive values representing time zones that are east of GMT, and negative values representing time zones that are west of GMT. The value is in 15-minute increments; therefore, a value of 4 bits is 1 hour east of GMT, and a value of –24 (hex E8) is 6 hours west of GMT.


Volume modified

The “Volume Modified” field is the date and time that the contents of the volume were last updated. While this field might have originally had some meaning, today it is either equal to the volume-created timestamp, blank, or all 0s. If a time is present, it has the same format as the volume created time.

Volume expires

The “Volume Expires” field is the date and time that the contents of the volume are considered obsolete or expired. There is no other meaning for this field other than descriptive and, because it is never displayed, it has no real use. It is sometimes set to 10 or 100 years after the volume created date by the writing software, but it also commonly contains 0s or is left blank. If a time is present, it has the same format as the volume created time.

Volume effective

The “Volume Effective” field is the date and time the contents of the volume are considered effective. There is no other meaning for this field other than descriptive and, because it is never displayed, it has no real use. The usual values for this field are the same date and time as the volume created date, all 0s, or blank. If a time is present, it has the same format as the volume create time.

Volume size

The “Volume Size” field is the big-endian or Motorola-format volume size.

Volume set size

The “Volume Set Size” field is the big-endian or Motorola-format volume size. It should be equal to the previous volume set size.

Volume in set

The “Volume in Set” field is the big-endian or Motorola-format volume size. It should be equal to the previous volume in set.


Block size (bytes)

The “Block Size (Bytes)” field is the big-endian or Motorola-format volume size. It should be equal to the previous block size.

Path table size (bytes)

The “Path Table Size (Bytes)” field is the big-endian or Motorola format volume size. It should be equal to the previous path table size.

Root directory sector

The “Root Directory Sector” field is the big-endian or Motorola format volume size. It should be equal to the previous root directory sector.
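The consistency checks described in this section (each numeric field stored twice, once little-endian and once big-endian, and the root directory timestamp compared with the volume created time) can be scripted against a raw descriptor sector. The following is an added example, not code from CD/DVD Inspector or from the book; the byte offsets are the standard ISO 9660 (ECMA-119) Primary Volume Descriptor layout, which this page does not list, and the sample descriptor is constructed for illustration.

```python
import struct
from datetime import datetime

# (name, offset, bytes per half) of the both-endian PVD fields, ECMA-119 layout
BOTH_ENDIAN = [("volume_size", 80, 4), ("volume_set_size", 120, 2),
               ("volume_in_set", 124, 2), ("block_size", 128, 2),
               ("path_table_size", 132, 4), ("root_dir_sector", 158, 4)]

def tz_minutes(b):
    """Signed 8-bit zone byte in 15-minute steps; positive is east of GMT."""
    return 15 * (b - 256 if b > 127 else b)

def volume_time(raw):
    """17-byte descriptor time: 16 ASCII digits plus zone byte (hundredths ignored)."""
    digits = raw[:16].decode("ascii", "replace")
    if not digits.isdigit() or int(digits) == 0:
        return None                       # blank or all zeros: not recorded
    return datetime.strptime(digits[:14], "%Y%m%d%H%M%S"), tz_minutes(raw[16])

def directory_time(raw):
    """7-byte directory time: years since 1900, month, day, h, m, s, zone."""
    y, mo, d, h, mi, s, tz = raw
    return datetime(1900 + y, mo, d, h, mi, s), tz_minutes(tz)

def audit_pvd(sector):
    """Decode one 2,048-byte Primary Volume Descriptor; return (fields, findings)."""
    if sector[0] != 1 or sector[1:6] != b"CD001":
        raise ValueError("not a Primary Volume Descriptor")
    fields, findings = {}, []
    for name, off, n in BOTH_ENDIAN:
        fmt = "I" if n == 4 else "H"
        le, = struct.unpack_from("<" + fmt, sector, off)
        be, = struct.unpack_from(">" + fmt, sector, off + n)
        fields[name] = le                 # the first-listed (little-endian) copy
        if le != be:
            findings.append(f"{name}: little-endian {le} != big-endian {be}")
    fields["created"] = volume_time(sector[813:830])
    fields["root_time"] = directory_time(sector[174:181])
    if fields["created"] and fields["created"] != fields["root_time"]:
        findings.append("root directory timestamp differs from volume created")
    return fields, findings

def sample_pvd():
    """Constructed descriptor, not from a real disc; two fields deliberately altered."""
    s = bytearray(2048)
    s[0:7] = b"\x01CD001\x01"
    for (name, off, n), v in zip(BOTH_ENDIAN, (1000, 1, 1, 2048, 10, 20)):
        fmt = "I" if n == 4 else "H"
        struct.pack_into("<" + fmt, s, off, v)
        struct.pack_into(">" + fmt, s, off + n, 512 if name == "block_size" else v)
    s[813:830] = b"2006030112000000" + bytes([0xE8])   # zone -24: 6 h west of GMT
    s[174:181] = bytes([106, 2, 27, 9, 30, 0, 0xE8])    # 2006-02-27 09:30:00
    return bytes(s)
```

On a disc image, the Primary Volume Descriptor is normally the 2,048-byte sector 16 of the data track, so `audit_pvd(image[16 * 2048:17 * 2048])` applies the same checks to real data.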

Joliet volume information

For Joliet file systems, all of the fields in the Supplementary Volume Descriptor are formatted and displayed. In most cases, the fields for a Joliet file system are identical to those for an ISO 9660 file system. However, all character strings are Unicode rather than ASCII, and some of the fields have special meaning. All Unicode characters are stored in big-endian or Motorola format.

Volume ID

The name of the file system can be up to 16 UCS-2 16-bit Unicode characters. Unlike ISO 9660, there are no character restrictions.

System ID

The System ID contains information that is designed to be used by the operating system reading the disc. Most commonly, this contains the string “CD-RTOS CD-BRIDGE,” indicating the disc is written in XA mode. This string should be in UCS-2 16-bit Unicode characters, but is often ASCII. The System ID should be considered an identifying characteristic of writing software.


Volume size

The “Volume Size” field indicates the size of the volume that is declared by the file system. It can differ from the actual space taken by the track. Some writing software terminates writing early without finishing the entire file system. In this case, the value reflects the intended size of the volume, whereas the actual track size will be considerably smaller.

When the volume size is smaller than the space occupied by the track, it indicates an unusual, but not necessarily bad, situation. However, when the volume size is larger than the track, it indicates a serious problem and there are probably files missing from the disc that may be represented in the directory.

For Joliet file systems, this is almost always the same as the value for the corresponding ISO 9660 file system.

This value is shown from the little-endian (or Intel format) value. The big-endian (or Motorola format) value is displayed later in the list of values.

System use

The “System Use” field contains information about operating system use. The field is used to indicate the type of character set that is present in a Joliet file system. The following coding is used for this:

ASCII Characters Hex Coding Description

%/@ 25 2F 40 UCS-2 level 1

%/C 25 2F 43 UCS-2 level 2

%/E 25 2F 45 UCS-2 level 3

The definitions of various UCS levels are found in ISO-10646 and the Unicode standard. For forensic purposes, the specific meanings are not important.

Volume set size

The original use of the Volume Set Size was to indicate how many discs made up the entire volume of data. There were very few such multi-disc volumes created. Today this field always contains 1.

This value is shown from the little-endian (or Intel format) value. The big-endian (or Motorola format) value is displayed later in the list of values.

Volume in set

When the Volume in Set size is larger than 1, it indicates the volume within
