
Advanced Tasks with CD/DVD Inspector


This icon overrides any other icon that CD/DVD Inspector would normally apply to the file. Files that carry the blue star icon can easily be selected for, or excluded from, reports. The HTML image reports can likewise be set to include or exclude hash matches.

Figure 8.1 Blue Star Icon

The report called “Files with MD5 Hash Value” shows the matches against the hash set and the file identifiers. For this report it is suggested that the option to include unmatched files be left unchecked.

Space Utilization Analysis

The Disc Map tool (in the Tools menu) displays a graphic representation of the space utilization on the media. It combines only 10 sectors into a single point in the chart, to give the best possible visibility and resolution. With larger media (dual-layer, HD, and Blu-ray) this will likely have to change, but the resolution will always be kept as high as possible.

Each point in the chart is assigned a color based on the most significant utilization found among its sectors, with “Unused” as the default when no use can be found for them. This discussion focuses on examining the areas marked either “Unused” (black) or “Not accounted for” (red). All of the other assignments indicate that there is content there which belongs to the file system in one way or another.

You may want to download the ISO image file for this disc so that you can perform the same examination. The disc is called Exercise2Image.iso and is available by following the instructions in Appendix B.

www.syngress.com

Advanced Tasks with CD/DVD Inspector • Chapter 8 171

Figure 8.2 Disc Space Utilization Display

Referring to the example in Figure 8.2, we have a disc where a significant part of it is categorized as “Not accounted for” and “Data – type unknown.”

It is common for there to be some “Not accounted for” space on a disc, but because of the relatively large area of unknown data as well, we will investigate this disc further. When an area is marked as “Data – type unknown” it is a clear indication that there is data on the disc that CD/DVD Inspector could not connect to any file system. Such data is not difficult to access, but doing so is beyond the ability of most users.

For example, with nothing more sophisticated than Linux and the standard command-line tools, the data beginning at sector 30 (the beginning of the large “Data – type unknown” section) could easily be copied from the disc. It is also relatively easy to create a disc that carries real data that is not part of the file system. This would be an excellent way to hide documents, photographs, or any other digital material, especially if the disc were to be sent through the mail or by courier to another party. If the disc were intercepted, it is highly unlikely that anyone would consider the possibility of such data existing.


The first step in determining whether there is real content in the space marked “Unused” is to identify the sectors involved. Clicking on a point in the chart displays the sectors represented by that point in the dialog. Doing so with this disc shows the following areas of interest:

0 to 9 marked as Not accounted for

30 to 489 marked as Data – type unknown

490 to 749 marked as Not accounted for

It is often the case that sectors below 512 are not used with the UDF file system. Sectors below 16 are generally not used with the ISO9660 and Joliet file systems. This disc was written using the ISO9660 file system, so while we can probably ignore the first 10 sectors, the remainder is of interest.

Additionally, while trailing “Not accounted for” space will often occur on a disc, its being adjacent to the area marked “Data – type unknown” makes this area suspicious as well.

With the sector numbers in hand, the next step is to determine whether there is any non-zero content in these sectors. While it is possible that a long string of binary zero bytes could be significant in some situations, such cases are very unusual. For our purposes with this disc, we are going to ignore any sector containing only binary zeros.

You can close the Disc Map dialog now, having obtained the relevant sector numbers. Remember that the resolution is 10 sectors – this is important.

Using the Sector Display tool, display the first potentially unused sector on this disc (sector 30). It can clearly be seen that this sector does not contain binary zeros – the first few lines of the sector display appear as shown below.

0000 1A935E1C 70EF1334 A5EE7A25 2A44352D ..^.p..4 ..z%*D5-
0010 D21455A4 DB852410 6B6AF24B E03C12B1 ..U...$. kj.K.<..
0020 6CFE18A6 17D4AFA2 C0DBC496 6CF2AAC4 l....... ....l...
0030 0776AB7B A91B6BFF D32A3CCF 303C161E .v.{..k. .*<.0<..
0040 93CE3530 1D7699C9 0917549D C5C78D60 ..50.v.. ..T....`

There does not appear to be any immediate significance to this data.

Because of the resolution of the Disc Map, it is a good idea to scan backward looking for where this data begins. In sector 22 a message is present indicating that this disc was written by AccuBurn-R and that the write operation apparently failed. This may be interesting, but for now all we can do is note that the data follows this text message and continues to sector 30. Scanning forward, it can be seen that this data continues through sector 31. We will return to this data later.

Sector 32 is all binary zero. The question is whether there is any other data present between sector 32 and sector 489. While it would be possible to move through the sectors one at a time, manually checking each one, there is a simpler approach. Back up to sector 31 first, then click the Search button, enter “!00” (without the quotes) in the search text and select Hex. This searches the following sectors for any byte that is not binary zero.

This is an extremely fast search and removes the possibility that you might miss some non-zero bytes at the end of a sector. Note that the search ignores the sector currently being displayed.
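The three operations just described (the coarse Disc Map view at 10 sectors per point, the backward scan for the true start of a run of data, and the “!00” search that skips the sector currently displayed) are easy to reproduce on a raw ISO image with 2048-byte sectors. The following Python is an added example; it is not code from this book or from CD/DVD Inspector, and the 60-sector image it works on is constructed here rather than being Exercise2Image.iso.

```python
"""Find non-zero sectors in a raw ISO image: a coarse Disc Map, the backward
scan for where data really starts, and the "!00" search for the next non-zero
sector."""
from typing import List, Optional, Tuple

SECTOR = 2048  # user-data bytes per sector in an ISO image


def sector_count(image: bytes) -> int:
    return len(image) // SECTOR


def is_zero_sector(image: bytes, n: int) -> bool:
    """True if sector n is all binary zero. any() over bytes is True on the
    first non-zero byte, so a lone byte at the very end of the sector counts."""
    return not any(image[n * SECTOR:(n + 1) * SECTOR])


def next_nonzero_sector(image: bytes, current: int) -> Optional[int]:
    """The "!00" hex search: first sector after `current` holding a non-zero
    byte, or None when nothing further is found. Like the tool, it ignores the
    sector currently displayed, which is why the text backs up one sector."""
    for n in range(current + 1, sector_count(image)):
        if not is_zero_sector(image, n):
            return n
    return None


def extend_backward(image: bytes, start: int) -> int:
    """Scan backward from `start` while the preceding sector is non-zero and
    return the true first sector of the run (the Disc Map's 10-sector points
    can hide the real start, as sector 22 versus 30 did above)."""
    while start > 0 and not is_zero_sector(image, start - 1):
        start -= 1
    return start


def nonzero_runs(image: bytes) -> List[Tuple[int, int]]:
    """Exact (first, last) ranges of consecutive non-zero sectors."""
    runs, start = [], None
    for n in range(sector_count(image)):
        if not is_zero_sector(image, n):
            if start is None:
                start = n
        elif start is not None:
            runs.append((start, n - 1))
            start = None
    if start is not None:
        runs.append((start, sector_count(image) - 1))
    return runs


def disc_map(image: bytes, per_point: int = 10) -> List[bool]:
    """Coarse view like the Disc Map: one point per `per_point` sectors, True
    when any sector in the group is non-zero. A True point only says that
    something is in those sectors, not where it starts or ends."""
    total = sector_count(image)
    return [any(not is_zero_sector(image, n) for n in range(p, min(p + per_point, total)))
            for p in range(0, total, per_point)]


def constructed_image() -> bytes:
    """Constructed 60-sector image (not the book's Exercise2Image.iso): filler
    bytes in sectors 16-18, 22-31 and 45-50, binary zeros everywhere else."""
    img = bytearray(60 * SECTOR)
    for lo, hi, fill in ((16, 18, 0x01), (22, 31, 0xA5), (45, 50, 0x5A)):
        img[lo * SECTOR:(hi + 1) * SECTOR] = bytes([fill]) * ((hi - lo + 1) * SECTOR)
    return bytes(img)


if __name__ == "__main__":
    img = constructed_image()
    print("disc map (10 sectors/point):", disc_map(img))
    print("exact runs:", nonzero_runs(img))
    print("data seen at 30 really starts at:", extend_backward(img, 30))
    print("!00 from sector 31 finds:", next_nonzero_sector(img, 31))
```

Run against a real image, `disc_map` reports the point covering sectors 20-29 as used even though the data only starts at 22, which is exactly why `extend_backward` and `next_nonzero_sector` exist: the coarse map tells you where to look, the per-sector functions give the edges.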

The sector search will stop at sector 307 in the example image file and show the following data with the first character (“T”) highlighted. The first two lines of this sector are shown below.

0000 54444901 50010202 0280FFFF FF000000 TDI.P... ........
0010 00000000 00000000 00000000 00000000 ........ ........

If you scroll down through the rest of the sector, it is clear that only the first line has any information in it – the rest is binary zero. This is a track information block that is written by the writer in the 150-sector inter-track gap area. This clearly means that this image file was constructed from a disc with multiple tracks and that not all of the information about the disc was preserved. This is a common problem when attempting to use the limited ISO image file format to represent anything but the simplest disc.

Because of the position of this block and the data contained in it, there should be exactly 145 of these track information block sectors (307 through 451) before the beginning of the data in the next track. We can check this by looking at sectors 450 and 451 – they should look identical to sector 307 in all respects. In this case they do, and sector 452 is completely different. To further verify that these are 145 track information block sectors, quickly scan through the sectors looking for any indication that something is different. This is done with the up and down arrows to the right of the sector number. You should see nothing to indicate any change from sector 307 to sector 451.

Sector 452 is interesting in that it is not referenced by any file in the file system, yet it obviously contains data.

0000 0000001C 66747970 33677034 00000300 ....ftyp 3gp4....
0010 33677034 33677035 33673261 0000003F 3gp43gp5 3g2a...?
0020 6D646174 54686973 2066696C 65207761 mdatThis  file wa
0030 73206765 6E657261 74656420 6279206F s genera ted by o
0040 6E65206F 66204E65 78656E63 6F646572 ne of Ne xencoder
0050 28544D29 2046616D 696C7900 00001A6D (TM) Fam ily....m
0060 64617401 10110602 9F0F0200 01010605 dat..... ........
0070 1F0F0200 02000000 206D6461 74C01012 ........  mdat...
0080 819302A0 57260428 22829D04 1FC00000 ....W&.( ".......
0090 1FC00000 780001F7 086D6461 743CAD31 ....x... .mdat<.1

This continues until sector 524, where we find another sector of all binary zero. We need to determine whether there is anything else on the disc from this point forward, so once again back up to sector 523 and enter the “!00” hex search term. CD/DVD Inspector responds that nothing further was found in the track.

We have found some unknown data following a text message (sectors 22-31) and a “hidden” file (sectors 452-523) on this disc, neither of which is represented in the file system. The data in sectors 22 to 31 is quite short and has no apparent header information. It could just be a fragment of a file, and without further information there isn’t much that can be done with it.

To evaluate the content in sectors 452 through 523, all that is required is to write the content to a separate file where it can be examined.

Using the Copy Sectors tool, enter 452 and 523 for the start and end sectors and a file name such as sector452; the extension is not significant. Using the FileIdentify tool (supplied with CD/DVD Inspector) the file can be evaluated, and it will be shown as a .3gp MMS video file. This is the sort of video clip that can be sent from a cell phone.

Renaming the file (using FileIdentify) and playing it will show the video clip that was taken with the cell phone.
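The dump of sector 452 is readable without FileIdentify once you know the container layout: a 28-byte ftyp box with major brand 3gp4, followed by mdat boxes whose sizes chain (0x3F, 0x1A, 0x20, then 0x0001F708), the second of which carries the encoder banner as plain text. The following Python is an added example, not code from this book or from CD/DVD Inspector. It does in code what Copy Sectors and FileIdentify do here: carve an inclusive sector range and walk the box structure of the ISO base media file format that .3gp and .mp4 share. The only bytes it embeds are the 160 bytes of sector 452 printed above; the final mdat box declares a size that runs past them, and the walker reports it as truncated instead of failing.

```python
"""Carve a sector range from an ISO image and walk the 3GP/MP4 box structure."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

SECTOR = 2048  # user-data bytes per sector in an ISO image

# Constructed sample: the first 0xA0 bytes of sector 452 exactly as printed in the
# sector display above. Nothing beyond offset 0x9F appears on the page.
SECTOR_452_PREFIX = bytes.fromhex(
    "0000001C 66747970 33677034 00000300"
    "33677034 33677035 33673261 0000003F"
    "6D646174 54686973 2066696C 65207761"
    "73206765 6E657261 74656420 6279206F"
    "6E65206F 66204E65 78656E63 6F646572"
    "28544D29 2046616D 696C7900 00001A6D"
    "64617401 10110602 9F0F0200 01010605"
    "1F0F0200 02000000 206D6461 74C01012"
    "819302A0 57260428 22829D04 1FC00000"
    "1FC00000 780001F7 086D6461 743CAD31"
)


@dataclass
class Box:
    offset: int
    size: int         # declared size including the header
    type: str
    payload: bytes    # the payload bytes actually present
    truncated: bool   # declared size runs past the data available


def carve_sectors(image: bytes, first: int, last: int) -> bytes:
    """Copy Sectors equivalent: return sectors first..last inclusive."""
    if first < 0 or last < first or (last + 1) * SECTOR > len(image):
        raise ValueError("sector range %d-%d is outside the image" % (first, last))
    return image[first * SECTOR:(last + 1) * SECTOR]


def walk_boxes(data: bytes) -> List[Box]:
    """Walk consecutive boxes (4-byte big-endian size, 4-byte type, payload).
    Stops cleanly at a truncated final box or a malformed size."""
    boxes: List[Box] = []
    pos = 0
    while pos + 8 <= len(data):
        size = struct.unpack_from(">I", data, pos)[0]
        btype = data[pos + 4:pos + 8].decode("latin-1")
        header = 8
        if size == 1 and pos + 16 <= len(data):   # 64-bit "largesize" follows the type
            size = struct.unpack_from(">Q", data, pos + 8)[0]
            header = 16
        elif size == 0:                           # size 0: box runs to the end of the data
            size = len(data) - pos
        if size < header:
            break                                 # malformed; refuse to spin forever
        end = pos + size
        truncated = end > len(data)
        boxes.append(Box(pos, size, btype, data[pos + header:min(end, len(data))], truncated))
        if truncated:
            break
        pos = end
    return boxes


def ftyp_brands(data: bytes) -> Optional[Tuple[str, List[str]]]:
    """(major brand, compatible brands) from a leading ftyp box, else None."""
    boxes = walk_boxes(data)
    if not boxes or boxes[0].type != "ftyp" or len(boxes[0].payload) < 8:
        return None
    p = boxes[0].payload                          # major(4) minor_version(4) compatible(4*n)
    return p[:4].decode("latin-1"), [p[i:i + 4].decode("latin-1") for i in range(8, len(p) - 3, 4)]


def identify(data: bytes) -> Optional[str]:
    """FileIdentify-style answer from the ftyp major brand (3gp for this disc)."""
    brands = ftyp_brands(data)
    if brands is None:
        return None
    major = brands[0]
    if major.startswith("3gp"):
        return "3gp"
    if major.startswith("3g2"):
        return "3g2"
    if major in ("isom", "iso2", "mp41", "mp42", "avc1"):
        return "mp4"
    return None


if __name__ == "__main__":
    for b in walk_boxes(SECTOR_452_PREFIX):
        print("0x%04X %s size=%d%s" % (b.offset, b.type, b.size, " (truncated)" if b.truncated else ""))
    print("FileIdentify says:", identify(SECTOR_452_PREFIX))
```

On a full image you would call `carve_sectors(image, 452, 523)` and hand the result to `walk_boxes`; because the carve is sector-granular, the last box usually overruns into the zero padding of sector 523, so judge the file by its declared box sizes rather than by the carved length.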


ISO9660 Directory Analysis

There are a number of important characteristics of an ISO9660 directory that can provide additional information about a disc. The following describes the directory structure, how to find it, and how to examine it. Usually all of the information that can be derived from examining a directory in detail can be found in the root directory, but there may be cases where it is useful to examine a different directory.

The first step is to locate the directory to be viewed. For the root directory, click on the ISO9660 session line in the left pane and then pick the Volume Information item in the Tools menu. This will display the sector number for the root directory. Close this dialog, open the sector display, and enter the sector number for the root directory. For a non-root directory, right-click the folder entry in the directory above and choose “Display sectors.” This will immediately display the correct sector.

ISO9660 directory entries are constructed of three parts: the base, the file name, and the extensions. The following describes how these are arranged.

Offset  Length  Description                         Type
(bytes) (bytes)
0       1       Length of the entire entry          Binary
1       1       Length of extended attribute data   Binary
2       4       Starting sector of data             Integer (I)
6       4       Starting sector of data             Integer (M)
10      4       Length of file                      Integer (I)
14      4       Length of file                      Integer (M)
18      7       Timestamp (YMDHMSZ)                 Binary
25      1       Flags                               Binary
26      1       Unit size                           Binary
27      1       Gap size                            Binary
28      2       Volume sequence                     Integer (I)
30      2       Volume sequence                     Integer (M)
32      1       File name length                    Binary
33      ?       File name                           Character


The offsets are byte positions, with the first byte of a directory entry being 0 (not 1). All offsets and lengths are given in decimal. Integers are stored in either Intel (little-endian) byte order, indicated by “(I)”, or Motorola (big-endian) byte order, indicated by “(M)”; each value is recorded once in each order.

The timestamp field consists of seven binary fields, each one byte in length. The first byte is the year minus 1900. The next five bytes are month, day, hour, minute, and second. The last byte is the time zone, a signed byte giving the offset from GMT in 15-minute increments.

Central Standard Time USA (GMT -6 hours) is represented as -6 * 4 = -24, which is E8 in hex.

The file name is 8-bit characters for ISO9660 or 16-bit characters for Joliet.

If the length of the entry is greater than the length of the base (33) plus the length of the file name (plus one pad byte when the file name length is even), then one or more extensions are present. There are three types of extensions: Apple, XA and SUSP (System Use Sharing Protocol). Apple and SUSP extensions allow multiple extensions to be present. Rock Ridge is a particular use of SUSP to include POSIX information in an ISO9660 file system. Linux is a POSIX-compliant operating system.

Some mastering software, notably Nero Burning ROM®, writes invalid data following a directory entry which is not a valid extension. On every disc examined with this, the supposed extension turns out to be a directory entry for a file. The file doesn’t appear in the directory listing because it is hidden as an extension.

Apple extensions are written by Macintosh computers or for discs that are specifically intended for use on Macintosh computers. The first two bytes are the letters AA and the third byte is the length of the extension. Apple extensions are 14 bytes in length and contain information for processing the disc on a Macintosh computer, such as the 4-character code of the application that created the file and some information for Finder about positioning the file icon.

XA extensions are also 14 bytes in length, with the letters XA in positions 6 and 7. The only meaningful item in an XA extension is byte 4, which has bit 4 (0x10) set if the data is recorded in Mode 2 Form 2 format (2324 bytes of user data in each 2352-byte sector). This is the case for VCD discs and some other multimedia formats.
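The table, the timestamp rules and the extension signatures above fit together in one small parser. The following Python is an added example, not code from this book or from CD/DVD Inspector: it decodes a directory record at the offsets in the table, cross-checks the Intel and Motorola copies of each integer (a disagreement is worth a closer look), converts the YMDHMSZ timestamp with its signed 15-minute zone byte, and labels the Apple, XA and SUSP extensions found after the name, stopping at anything that is not a valid extension. The record it parses is constructed here and not taken from any disc; the one-byte pad after an even-length file name comes from ECMA-119 and is not in the table above.

```python
"""Decode ISO9660 directory records using the offsets in the table above."""
import struct
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

BASE_LEN = 33  # fixed part of a record, offsets 0..32; the file name starts at 33


@dataclass
class DirRecord:
    length: int
    ext_attr_len: int
    extent: int                    # starting sector of the file data
    size: int                      # file length in bytes
    timestamp: Optional[datetime]
    flags: int
    unit_size: int
    gap_size: int
    volume_seq: int
    name: str
    system_use: bytes              # whatever follows the name: extensions live here
    extensions: List[Tuple[str, int]] = field(default_factory=list)


def decode_timestamp(b: bytes) -> Optional[datetime]:
    """7-byte YMDHMSZ stamp; Z is a signed count of 15-minute steps from GMT."""
    year, month, day, hour, minute, second = b[:6]
    if month == 0 or day == 0:
        return None                                  # unset stamps are all zero
    steps = struct.unpack("b", b[6:7])[0]            # signed: 0xE8 -> -24 -> GMT-6 (CST)
    tz = timezone(timedelta(minutes=15 * steps))
    return datetime(1900 + year, month, day, hour, minute, second, tzinfo=tz)


def classify_system_use(sys: bytes) -> List[Tuple[str, int]]:
    """(signature, length) for each Apple ('AA'), SUSP or XA extension after the
    name. Stops at the first thing that is not a valid extension (Nero-style junk)."""
    found, pos = [], 0
    while pos + 4 <= len(sys):
        chunk = sys[pos:]
        sig = chunk[:2]
        if sig.isalpha() and sig.isupper() and 4 <= chunk[2] <= len(chunk):
            found.append((sig.decode("ascii"), chunk[2]))  # Apple 'AA' or SUSP: sig, len
            pos += chunk[2]
        elif len(chunk) >= 14 and chunk[6:8] == b"XA":
            form2 = bool(chunk[4] & 0x10)                   # XA byte 4 bit 0x10: Mode 2 Form 2
            found.append(("XA form2" if form2 else "XA", 14))
            pos += 14
        else:
            break
    return found


def parse_dir_record(data: bytes, offset: int = 0, joliet: bool = False) -> DirRecord:
    """Decode one record, cross-checking the Intel (I) and Motorola (M) copies."""
    length = data[offset]
    if length < BASE_LEN or offset + length > len(data):
        raise ValueError("not a directory record (length byte %d)" % length)
    rec = data[offset:offset + length]
    intel = (struct.unpack_from("<I", rec, 2)[0], struct.unpack_from("<I", rec, 10)[0],
             struct.unpack_from("<H", rec, 28)[0])
    motorola = (struct.unpack_from(">I", rec, 6)[0], struct.unpack_from(">I", rec, 14)[0],
                struct.unpack_from(">H", rec, 30)[0])
    if intel != motorola:
        # Mastering software writes both copies from one value; a mismatch means a
        # damaged or hand-edited record and deserves a closer look.
        raise ValueError("(I) and (M) copies disagree: %r vs %r" % (intel, motorola))
    extent, size, volume_seq = intel
    name_len = rec[32]
    name = rec[33:33 + name_len].decode("utf-16-be" if joliet else "ascii", errors="replace")
    pad = 1 if name_len % 2 == 0 else 0              # ECMA-119 pad byte after an even-length name
    system_use = rec[33 + name_len + pad:]
    return DirRecord(length, rec[1], extent, size, decode_timestamp(rec[18:25]),
                     rec[25], rec[26], rec[27], volume_seq, name, system_use,
                     classify_system_use(system_use))


def build_dir_record(name: bytes, extent: int, size: int, stamp: bytes,
                     flags: int = 0, system_use: bytes = b"") -> bytes:
    """Constructed record (not from a real disc) in the table's layout, both byte orders."""
    def both32(v): return struct.pack("<I", v) + struct.pack(">I", v)
    def both16(v): return struct.pack("<H", v) + struct.pack(">H", v)
    pad = b"\x00" if len(name) % 2 == 0 else b""
    body = (both32(extent) + both32(size) + stamp + bytes([flags, 0, 0]) +
            both16(1) + bytes([len(name)]) + name + pad + system_use)
    return bytes([2 + len(body), 0]) + body          # offset 0: length, offset 1: ext-attr length


# Constructed sample: a CST stamp (year byte 105 = 2005, zone byte 0xE8 = -24 steps)
# and a 14-byte XA extension for Mode 2 Form 1 data (attribute byte 4 = 0x08).
CST_STAMP = bytes([105, 3, 15, 14, 30, 0, 0xE8])
XA_FORM1 = bytes(4) + b"\x08\x00XA" + bytes(6)
SAMPLE_RECORD = build_dir_record(b"README.TXT;1", 24, 1234, CST_STAMP, system_use=XA_FORM1)
```

To walk a real directory sector, call `parse_dir_record(sector, offset)` repeatedly, advancing by `length` each time and stopping at a zero length byte (the padding at the end of a sector). Because `classify_system_use` stops at the first malformed extension, the Nero case described above shows up as a record whose `system_use` is longer than the sum of the extension lengths it reports, which is the cue to try parsing that leftover as a directory record in its own right.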

SUSP extensions are written by programs like mkisofs and enable storing POSIX attributes in an ISO9660 file system. This is used specifically with UNIX and UNIX-like operating systems, such as Linux, to store file permis-
