The tools and operating systems used to read ISO9660 file systems can interpret the same ISO9660 image differently. As a result, the analysis tools applied to an ISO9660 file system may not show the same data that the media's users were viewing, and an investigator can miss important evidence. Further research is needed into how CDs are created by CD mastering software and into the data hiding techniques that these differing interpretations make possible, so that ISO9660 file systems can be interpreted reliably during an investigation.
Computer forensics is the scientific method of analyzing digital information for use as evidence in criminal, administrative and civil cases. In the contemporary legal environment it has become a vital part of solving complex crimes. Since computer forensic experts rely on data to solve such cases, effective data storage and retrieval is a critical aspect of a forensic investigation, and storage that preserves data integrity is essential. The ISO9660 file system on CD-ROMs is one method forensic experts use to store and retrieve data (Dixon, 2005). Preserving critical data and information without altering its original state is the most important aspect of computer forensics, and storing it on write-once media with the ISO9660 file system is one of the techniques employed. An employee might inadvertently overwrite valuable data, or a cyber criminal might plant a program to erase it, and any manipulation of the data allows a trained legal professional to raise doubt about the validity of the evidence presented in a court of law (Coward, 2009). To address this problem, the ISO9660 file system is generally employed to store data on CD-ROMs. However, ISO9660 file systems can be laid out in different ways, and this allows different interpretations of the same disc.
The fundamental objective of this paper is to investigate how digital forensic tools interpret the ISO9660 file system.
The study is structured as follows:
First, the study presents an overview of ISO9660 file systems. It then describes the forensic tools examined and the evaluation methodology used to expose the different interpretations of ISO9660 file systems. Finally, the paper presents the evaluation results, which reveal those different interpretations.
Overview of ISO9660 File Systems
An ISO9660 file system, often referred to as CDFS (Compact Disc File System), stores data in blocks formed by grouping consecutive sectors. Because the standard allows several structures to describe the same volume, different tools can interpret one ISO9660 image differently. The volume descriptors begin at sector 16 of the volume (the first 16 sectors form the system area). A volume can carry several volume descriptors and therefore several directory trees, each able to store files within the ISO9660 structure, and the multi-byte fields of its data structures are recorded twice, once in little-endian and once in big-endian byte order.
An ISO9660 file system contains one primary volume descriptor and may contain supplementary volume descriptors (referred to as secondary volume descriptors in this paper); these identify the size and layout of the file system, and the logical block size is stored in the volume descriptor. Under the basic standard a file name has at most 8 characters with an extension of at most 3 characters, drawn from upper-case Latin letters, digits and the underscore. The Joliet extension adds a supplementary volume descriptor whose directory tree stores longer names in Unicode (UCS-2). The starting block of the root directory is listed in the volume descriptor, and a file is located by reading the root directory and walking the directory tree. In the big-endian copy of a field the most significant byte is stored first, while in the little-endian copy the least significant byte is stored first; a conforming writer records the same value in both copies, but a reader normally consults only one of them.
There are several strategies a hider can use against forensic tools. One of them is the endian ordering. Because ISO9660 stores its data structures in both big- and little-endian orderings, data can be hidden by giving the starting block of a directory entry different values in the big-endian and little-endian fields. A forensic tool only reads one of the two locations; if the hider's tools use the other, the hidden data is very likely to go unnoticed. For example, the starting block in the big-endian field could be 0x00000020 while the starting block in the little-endian field is 0x00000030: a tool that trusts the big-endian value reads block 32, a tool that trusts the little-endian value reads block 48, and each shows different content under the same file name (Carrier, 2010). Because ISO9660 images can be built in these different ways, forensic tools interpret the data within them differently.
Computer Forensic Tools for ISO9660 File Systems
"CFTs (Computer Forensic Tools) assist investigators to recover deleted files, reconstruct an intruder's activities, and gain intelligence about a computer's user." (Garfinkel, 2007, p. 1). CFTs help forensic experts collect valuable information from a computer system and make a true copy of it so that it can be used in legal proceedings. CFTs fall into two classes: persistent data tools, which analyze the data stored in a computer system and still present when the computer is turned off, and volatile data tools, which analyze transitory information that would otherwise be lost (Garfinkel, 2007). This paper examines the following computer forensic tools and operating systems to present their different interpretations of ISO9660 file systems:
EnCase 6.15 (Guidance Software)
FTK (Forensic Tool Kit) 1.60 (Access Data)
ISOBuster 2.7 (Smart Projects)
Linux 2.6
Apple OS X 10.4.11 (Power PC)
Apple OS X 10.6.2 (Intel)
Microsoft Windows XP
Microsoft Windows Vista
TSK (The Sleuth Kit) (Carrier)
WinHex Forensics (X-Ways)
TSK (Sleuth Kit) is the digital forensic tools that run on UNIX systems, Windows, OS X and Linux. Sleuth Kit is used to analyze disk images as well performing the in-depth analysis of the file systems which include ISO 9660 file systems, FAT, NTFS, HFS+, UFS and Ext3. Typically, TSK is arranged in layers and the data layers are stored within the disk and the metadata. (Marko, 2005).
EnCase is another forensic tool that assists with forensic investigation. It is a comprehensive computer investigation package that can acquire and analyze data in both network-based and local versions. EnCase can analyze many file systems, including NTFS, FAT, Ext2/3, Reiser, JFS, UFS and HFS+, as well as CD-ROMs and DVDs.
"EnCase also assists in supporting Microsoft Windows dynamic disks and AIX LVM. EnCase lists the files and directories, recovers deleted files, conducts keyword searches, views all graphic images, makes timelines of file activity, and uses hash databases to identify known files. It also has its own scripting language, called EnScript, which allows automating many tasks. Add-on modules support the decryption of NTFS encrypted files and assist in mounting the suspect data as though it were a local disk." (Carrier, 2005, p. 20).
EnCase uses these capabilities to discover potential evidence during a forensic investigation, and it automatically recovers deleted files within a directory. File structures can be restored with the help of EnCase's keyword search, and EnCase is generally used for file recovery, data acquisition, file parsing and indexing/search (Martin & Sujeet, 2006).
IsoBuster is also a well-known forensic tool, used by many government institutions and police departments to gather forensic data. IsoBuster is unusual in that it shows the true layout of an optical disc, which lets investigators inspect every session and track on the disc and so better understand how data is laid out on it.
WinHex is a powerful data recovery tool that forensic experts use as an advanced hex editor. It can also be used for data analysis, editing, data wiping, data recovery and evidence gathering. WinHex provides the following functions:
Read and directly edit hard drives formatted with FAT and NTFS
Read and edit CD-ROMs, DVDs, floppy disks, Compact Flash cards and other media
Directly read and edit RAM
Interpret 20 data types
Analyze and compare files
Join and split files
Recover data
Encrypt files with up to 128-bit strength
Clone and image drives
Create hashes and checksums
Wipe drives (Martin & Sujeet, 2006)
Another forensic tool is FTK (Forensic Tool Kit) 1.60, manufactured by Access Data. FTK is computer forensics software that scans and interprets forensic data; it can run a complete examination of a drive, filter thousands of files and analyze e-mail (Dixon, 2005). A further data hiding approach that such tools must cope with uses the directory tree: an image is built with two or more secondary (supplementary) volume descriptors, where the first has an empty root directory and the second contains the file to be hidden. Tools mostly read the first secondary descriptor, since it carries the Unicode file names of the Joliet extension, and rarely look for a second one because it rarely exists. Files in the root directory of the second descriptor may therefore never be presented as evidence in a court of law.
Evaluation Methodology
The study evaluates the forensic tools using three techniques: endian ordering, inconsistent directory trees, and an empty root directory in the secondary volume descriptor. The first evaluation uses inconsistent directory trees to determine which file is shown when an image carries two directory trees that disagree. The ISO9660 image was created with the Joliet extension so that the root directory of the primary tree holds "File1.txt" and the root directory of the Joliet tree holds "File2.txt"; the evaluation records which of the two files each tool reveals.
The second technique hides data through the secondary volume descriptor, because some tools rely only on the primary or only on the secondary descriptor. Here the file reachable from the primary volume descriptor is File1.txt and the file reachable from the secondary volume descriptor is File2.txt, and the study again records which of them each tool shows.
The third evaluation uses endian ordering and tests whether a tool reads the little-endian value, the big-endian value, or both of the values stored for the same field.
Results of the Evaluation
The analysis of the tools listed above shows that a modified ISO9660 image, burnt to disc, opened in the forensic tools and mounted on different operating systems, is interpreted differently. All of the tools and operating systems listed differ in design and version, which leads to different interpretations of ISO9660 file systems. One source of difference is that an ISO9660 volume can have multiple directory hierarchies, each with its own root directory: the primary hierarchy uses names of up to 8 characters with a 3-character extension, while a Joliet hierarchy uses Unicode names.
As Table 1 shows, Forensic Tool Kit, ISOBuster, Sleuth Kit and WinHex Forensics (with its Read ISO9660 option) reveal both directory hierarchies, the primary hierarchy containing the file named File1.txt and the secondary hierarchy containing the file named File2.txt. Ideally every tool would reveal both File1.txt and File2.txt. FTK, WinHex and ISOBuster list each file under its own volume descriptor, whereas Sleuth Kit interprets the image differently: it shows File2.txt as a normal file and File1.txt as an orphan file that cannot be reached from the root directory. The remaining ten tools and operating systems each reveal only one file; five of them show the contents of the primary volume descriptor and the other five the contents of the secondary volume descriptor. The study concludes that no single tool reading a CD can be relied on to reveal all of its data. At the same time, because some tools do reveal both trees, this data hiding approach is risky for the individual who uses it.
Table 1: Interpretation of ISO9660 File Systems using Inconsistent directory trees
(Where a tool shows only one of the two files, the extracted page does not preserve which column the Y fell in; the text above states that five of these ten rows showed File1.txt and five showed File2.txt.)

CFT                                     Files shown
EnCase                                  one of the two files
Forensic Tool Kit                       File1.txt, File2.txt
ISOBuster                               File1.txt, File2.txt
Linux (default options, mount image)    one of the two files
Linux (nojoliet option, mount image)    one of the two files
Linux (norock option, mount image)      one of the two files
Linux CD                                one of the two files
OS X mount image                        one of the two files
OS X CD                                 one of the two files
Sleuth Kit                              File1.txt, File2.txt
Windows XP CD                           one of the two files
Windows Vista CD                        one of the two files
WinHex Forensics (default)              one of the two files
WinHex Forensics (Read ISO9660)         File1.txt, File2.txt
Table 2 shows the interpretations of the image that hides data through the secondary volume descriptor. Some of the findings match Table 1, but there are still differences. Some tools now reveal neither file: EnCase does not reveal File1.txt or File2.txt, and Linux mounted with the norock option, Windows XP and Windows Vista also give results different from those in Table 1, showing neither File1.txt nor File2.txt. As in Table 1, the other tools reveal either both files or one of them: Sleuth Kit, ISOBuster and WinHex Forensics with the Read ISO9660 option reveal both File1.txt and File2.txt, while the remaining tools reveal only File1.txt. The evaluation thus shows how inconsistently the hidden file is displayed across tools.
Table 2: Interpretation of ISO9660 File Systems using Secondary Volume Descriptor
(Only the first two rows are present in the source text.)

Tool/OS                                 File1.txt   File2.txt
EnCase                                  -           -
Forensic Tool Kit                       Y           -