Instead I'd use a decent hex editor, like HxD on Windows, and use the information in the ISO 9660 or Ecma-119 standards to identify the relevant bytes, and interpret them by hand. Personally, however, I would not use any tool I hadn't validated to do this job correctly. I'm also sure that the Sleuthkit can be used, though for just getting just this information, it's probably overkill. I'm fairly certain ISObuster or the products from Infinadyne do it, though I haven't validated either to do a complete job (that is, cover the full range and resolution of the time stamps). I'm out of office right now, so I can't verify this. I haven't found anything in the Internet. You may claim that it is probable that it is, and refer to the ISO 9660 standard, but that has to be taken in relation to reality.Ĭould you tell me about any tool which is capable of doing that? So, you can't, just by looking at an ISO 9660 Volume Creation Date and Time assert that it identifies the actual time of creation. (The parenthesis notation is that used by ISO 9660.) Some tools even set illegal time stamps (typically use a binary (00) where a numeral (30) is expected), which may or may not upset the forensic tools you're using to extract the information. However … in reality, that time stamp may be left blank or may be set to some other date, decided by the tool used or the person who does the burning. If you burn files to a CD-R or DVD-R, that is a) first create the ISO file system, b) then record that on the CD, the ISO image should contain a Volume Creation Date and Time, which according to ISO-9660 should be that date. There may be records left on the computer on which that happened. there is nothing in general to tell you when that happened, not on the optical disc itself. So what do you mean by that, exactly? If you burn an. I just need to know about the date in which a CD/DVD was recorded, nothing else. If you use some particular tool that modifies the volume or optimizes or updates it in any way as part of the copy, it very well may change dates. If you extract an ISO image, and then write that to a new medium, no changes take place. You may be able to use the ECMA-119 standard as well, although it is dated, and partially modified by an amendment to ISO 9660, issued in 2013.ĭoes this information change when you duplicate the CD-R or the information persist unalterable in the copy?ĭepends on how the copy is made. However, it depends on what tool you are using while most use 'now' as the creation date, there are tools that allow you to specify some other date.īut the ISO standard will tell you all this. The Creation Date of an ISO-9660 file system should be present. That is a mastered file system, so it is created before it is recorded on the underlying medium (CD or DVD or …) 'DVD' is a bit vage, as there are DVD-ROM, DVD-R, DVD-RW and even DVD-RAM … you need to more specific. Have you tried any tool which is able to extract forensic information from a CD-R or DVD? I need to know the date in which the CD-R was recorded.Īs far as I know, no such information is stored on a CD-R.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |