Possibilities of the forensic investigation of CD, DVD and Blu-ray Disc

Frank Irmler and Reiner Creutzburg
Brandenburg University of Applied Sciences, Department of Informatics and Media
P.O.Box 2132, D-14737 Brandenburg, Germany
ABSTRACT
In this paper the possibilities of forensic investigation of CD, DVD and Blu-ray Discs are presented. It is shown
which information can be read by using freeware and commercial software for forensic examination.
In particular, it describes the visualization of hidden content and the possibility to find out information about
the burning hardware used for writing.
Keywords: computer forensics, optical media forensics, CD forensics, DVD forensics, Blu-ray Disc forensics
1. INTRODUCTION
In our highly technological environment computers are important in many ways. More than a billion computers are in use worldwide as aids, manufacturing resources, and communication and entertainment media [1]. In 1980, an optical removable medium was established for data storage: the recordable CD, followed by its further developments DVD and Blu-ray Disc. For example, about 510 million CD and DVD discs were burned in Germany alone in 2009 [2]. These removable media are not tied to any location and are easily transported and distributed. It is very important to investigate whether they hold data with an illegal background or criminal relevance. Numerous trials examined which information can be found on CDs, DVDs and Blu-ray Discs in addition to the actual, visible user data.
2. STANDARDS FOR AN IDENTIFICATION OF DISK DRIVES
The standards for CD-R(W), DVD+-R(W) and BD-R(E) define ways for the drive used in the burning process to be identified on the optical medium. This makes it possible to identify the optical drive.
2.1 Recorder Identification of CD-R(W)
In 1995, under pressure from the music industry, represented by IFPI, RIAA and RIAJ, the company Philips added to its "Orange Book" standard for recordable CDs a means of identification for tracking pirated content. This Recorder IDentification Code (RID) can be written in the Q-sectors of the individual songs and/or in the roll-in/out blocks of the disc.
The RID code consists of 3 groups containing the following information: the manufacturer's code, followed by the device type and a unique serial number.
2.2 Unique ID Field of DVD-R(W)
An identifier for the drive that was used to burn a DVD is defined in the ISO/IEC 23912 standard for recordable DVD media.
This Unique ID Field is written in a specified area preceding the lead-in. The Unique ID Field holds 32 bytes for the manufacturer, 16 bytes for the serial number and 16 bytes for the model name [3].
Further author information: (Send correspondence to F. Irmler)
Frank Irmler: E-mail: irmler@fh-brandenburg.de
Reiner Creutzburg: E-mail: creutzburg@fh-brandenburg.de
International Federation of the Phonographic Industry http://www.ifpi.org/
Recording Industry Association of America http://www.riaa.com/
Recording Industry Association of Japan http://www.riaj.or.jp/e/
2.3 Disc Definition Structure Field with BD-R(E)
The Blu-ray Disc standard also makes it possible to identify the drive that was used for burning. A fixed area on the BD holds the Disc Definition Structure Field (DDS), which identifies the burning hardware. Its size is variable, but may not exceed 2048 bytes for storing the manufacturer, the model and the serial number.
On rewritable BD-REs, the identifier is located in the Physical Access Control Field (PAC) [4].
Both fields are located outside the data area of the optical medium [4].
3. INVESTIGATIONS
The aim of this work is to find data that are available in addition to the visible user data on a CD, DVD or BD. These can be hidden data, which are deliberately placed on the disc and are not visible in the usual way when the disc is opened, or additional information in a forensic context.
For this reason, the following sections present hardware and software components that can be used for such an investigation.
3.1 Investigation of multisession CDs and DVDs
A possible scenario here is that two or more different file systems are found on the disc. In this case only one session is visible in the OS. The other sessions are invisible.
The program IsoBuster PRO, version 2.8, offers several options in its full version. In a tree structure, IsoBuster PRO lists all the different writing processes on the CD or DVD, so it is possible to see the number of sessions on the storage medium. Thanks to the broad file system support in IsoBuster PRO, all sessions could be opened like directories in a directory browser, and the content could be extracted and viewed. It is also possible to produce an image of every single session. Integrity is maintained through the available hashes.
The same case was also tested with the programs EnCase, FTK and X-Ways§. All programs show the number of sessions. Similar to directories in a directory browser, the content can be opened and viewed (see figure 1).
Figure 1. A multisession CD in EnCase
IsoBuster PRO http://www.isobuster.com/
Guidance Software http://www.guidancesoftware.com/
Forensic Toolkit 3 http://www.accessdata.com/forensictoolkit.html
§X-Ways Software Technology AG http://www.x-ways.net/index-d.html
3.2 File and MAC time analysis
The programs X-Ways Forensics, EnCase and FTK are very comprehensive tools for inspecting the file contents of the medium.
All these programs use file carving technologies, have filters for different file types and can generate hash values. Of particular interest for a forensic investigation are the MAC times of the files. X-Ways, EnCase and FTK provide this information in tabular form for the individual files.
3.3 The imaging process
The creation of forensic duplicates is a standard procedure in investigations of computer crime. This process has been studied in more detail.
It was found that, in contrast to the imaging of hard drives, where the data of the unpartitioned space is included in the duplicate, only the data contained between the border areas is copied into the duplicate.
The reason is that optical drives are mounted in the system only as logical drives, not as physical drives.
The choice of operating system was not relevant in this case. Images were generated under the operating systems Windows XP, Windows 7 and Linux (with the programs dump device (dd), Nero Burning Rom, FTK Imager, IsoBuster PRO, X-Ways and EnCase) and showed identical results.
3.4 Burning tools on different operating systems
The program and the operating system that were used to burn the optical medium can be of interest in a forensic examination. This information links the medium to the computer system that was used.
For this study, different discs were created with different burning programs on different operating systems. These discs were then opened in the program Nero Disk-Info.
Table 1 shows the identifiers of the software and operating systems that were found on the media.
Table 1. Identification of burning tool and OS
| OS | Burning Tool | System Identifier | Application Identifier |
|---|---|---|---|
| Windows XP | Nero Burning Rom | - | NERO BURNING ROM |
| Windows XP | included burn utility | CD-RTOS CD-BRIDGE | IMAPI ISO-9660 Formatter Copyright (C) 2001 Microsoft & Roxio |
| Windows 7 | included burn utility | - | IMAPI2(1.0) ISO9660 FORMATTER COPYRIGHT (C) 2004-2007 MICROSOFT |
| Linux | K3b | LINUX | K3B THE CD KREATOR (C) 1998-2010 SEBASTIAN TRUEG AND MICHAL MALEK |
| OS X | included burn utility | APPLE COMPUTER, INC., TYPE: 0002 | - |
It is therefore possible to determine the operating system and/or the burning program that was used in the burning process.
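The System Identifier and Application Identifier in Table 1 are fields of the ISO 9660 Primary Volume Descriptor, so they can be read directly from a disc image. The following is an added example, not code from the paper or from any of the tools it tests: it parses the descriptor and matches the two fields against the strings of Table 1. The function names and the in-memory sample image are constructed for illustration.

```python
SECTOR = 2048          # logical sector size of an ISO 9660 image
FIRST_DESCRIPTOR = 16  # volume descriptors follow the 16-sector system area

# Signatures from Table 1: (descriptor field, substring, burning tool / OS)
TABLE_1 = [
    ("application_id", "NERO BURNING ROM", "Nero Burning Rom"),
    ("application_id", "IMAPI2", "Windows 7 included burn utility"),
    ("application_id", "IMAPI ISO-9660", "Windows XP included burn utility"),
    ("application_id", "K3B", "K3b (Linux)"),
    ("system_id", "APPLE COMPUTER", "OS X included burn utility"),
]


def _text(raw):
    """Decode a space- or NUL-padded identifier field."""
    return raw.decode("ascii", errors="replace").strip(" \x00")


def read_pvd(image):
    """Return the identifier fields of the Primary Volume Descriptor (type 1).

    Only the descriptor set starting at sector 16 is read, i.e. the first
    session of the image.
    """
    offset = FIRST_DESCRIPTOR * SECTOR
    while offset + SECTOR <= len(image):
        d = image[offset:offset + SECTOR]
        if d[1:6] != b"CD001" or d[0] == 255:   # not ISO 9660, or set terminator
            break
        if d[0] == 1:
            return {
                "system_id": _text(d[8:40]),         # 32 bytes
                "volume_id": _text(d[40:72]),        # 32 bytes
                "application_id": _text(d[574:702]), # 128 bytes
                "created": _text(d[813:829]),        # YYYYMMDDHHMMSSss
            }
        offset += SECTOR
    raise ValueError("no ISO 9660 primary volume descriptor found")


def identify_burning_tool(pvd):
    """Map the descriptor fields to a row of Table 1, or 'unknown'."""
    for field, needle, label in TABLE_1:
        if needle in pvd[field].upper():
            return label
    return "unknown"


def build_sample_image(system_id, application_id):
    """Constructed test image: empty system area, one PVD, one terminator."""
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1
    pvd[8:40] = system_id.encode("ascii").ljust(32)[:32]
    pvd[40:72] = b"SAMPLE".ljust(32)
    pvd[574:702] = application_id.encode("ascii").ljust(128)[:128]
    pvd[813:829] = b"2010092712000000"
    term = bytearray(SECTOR)
    term[0], term[1:6], term[6] = 255, b"CD001", 1
    return bytes(FIRST_DESCRIPTOR * SECTOR) + bytes(pvd) + bytes(term)


if __name__ == "__main__":
    img = build_sample_image(
        "LINUX",
        "K3B THE CD KREATOR (C) 1998-2010 SEBASTIAN TRUEG AND MICHAL MALEK")
    pvd = read_pvd(img)
    print(pvd, "->", identify_burning_tool(pvd))
```

On a real case the bytes passed to `read_pvd` would come from the forensic duplicate, not from the seized medium itself.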
3.5 Investigation of deleted media
This section examines the possibilities to reconstruct the contents of a deleted CD-RW, DVD-RW or BD-RE.
Numerous tests were performed on this. Erased discs were checked for access under Mac OS, Linux and Windows 7. None of the operating systems allowed direct access to the blank disc. The imaging process under Windows and Linux aborted with an error message. The programs X-Ways, EnCase, FTK, IsoBuster PRO and CD/DVD Diagnostic found no data on the disc.
3.6 Investigation on the RID (CD)
The following study tested which information about the burning hardware can be determined from a CD. For this test various CDs were created on different burners (see table 2). The open-source tool PLScsi was used to determine the Recorder Identification Code.
When an LG drive was used for this determination, no results could be found. With a Plextor drive, however, PLScsi could find the RID code on some media.
PLScsi found the manufacturer's code, the device type and the serial number. Often the serial number is 012345(hex), so only the manufacturer and the type can be clearly ascertained.
Table 2 shows the test results.
Additionally, other programs such as Subcode Analyzer, RID code, Nero Disk-Info, PxScan, CD/DVD Diagnostic, QPxTool, X-Ways, FTK and EnCase were tested in this study for identifying the burning hardware of a CD, but without results.
3.7 Investigation on the Unique ID (DVD)
The following study tested which information about the burning hardware can be determined from a DVD. For this test various DVD+R(W)s and DVD-R(W)s were created on different burners (see table 3).
The program PxScan was used to determine the Unique ID.
PxScan runs under MS Windows and requires a Plextor drive.
No possibility to identify the burning hardware of a DVD+R(W) could be found.
The examination of the DVD-R test objects, however, was successful. The Unique ID of the burning hardware is shown under the heading "writer used" (figure 2).
Figure 2. PxScan determines the Unique ID on a DVD-R
Table 3 shows all Unique IDs found for the devices.
PLScsi http://home.comcast.net/~plavarre/plscsi/
PxScan http://www.alexander-noe.com/cdvd/px/index.ger.php
Table 2. Determination of the RID by PLScsi
| Manufacturer | Model | determined Recorder Identification Code |
|---|---|---|
| ASUS | DRW-20B1LT | - |
| CyberDrv | CW018D CD-R/RW | - |
| HL-DT-ST | DVDRAM GH22NS40 | - |
| HL-DT-ST | DVD+-RW GSA-H31N | - |
| HL-DT-ST | DVD+-RW GSA-U20N | - |
| HL-DT-ST | DVDRAM GSA 4040B | - |
| HL-DT-ST | CD-RW GCE-8320B Nr.1 | HLD PA11 012345(hex) |
| HL-DT-ST | CD-RW GCE-8320B Nr.2 | HLD PA11 012345(hex) |
| HL-DT-ST | CD-RW GCE-8320B Nr.3 | HLD PA11 012345(hex) |
| HL-DT-ST | DVDRAM GE20LU10 | HTC JR08 303030(hex) |
| HL-DT-ST | DVDRAM GH20NS15 | - |
| HP | IDE-CD R/RW 9340 | - |
| HP | DVD Writer 200j | - |
| Sony NEC Optiarc | DVD RW AD-7593A | SNY DK10 313031(hex) |
| Pioneer | DVD-RW DVR-103 | - |
| Slimtype | DVDA DS8A35 | MTK DW12 012345(hex) |
| Sony | CD-RW CRX100E | SNY AA00 058702(hex) |
| TSSTCorp | CD/DVDW TS-L632D | - |
| TSSTCorp | CD/DVDW TS-L632H | - |
| TSSTCorp | CD/DVDW SH-S203D | - |
| TSSTCorp | CD/DVDW SH-S223F | TSS KW10 012345(hex) |
| TSSTCorp | CD/DVDW SH-W163A | - |
| TSSTCorp | CD/DVDW SH-S183A | - |
In table 3, characters of the serial numbers that cannot be displayed are marked with "Unicode".
For the investigation of the Unique ID of DVDs, the program QPxTool was also tested on Windows XP. The test DVDs of the previous studies and a Plextor drive were used.
An identification of the drive that was used for burning was not possible for DVD+R media.
The test on DVD-R(W) shows the same results as the test with the program PxScan.
Additionally, other programs were tested in this study for identifying the burning hardware of a DVD. No way to obtain the identification could be found by disc imaging or with the programs RID code, Nero Disk-Info, PLScsi, CD/DVD Diagnostic, X-Ways, FTK and EnCase.
3.8 Investigation of DDS and PAC on BD-R
This section tests the possibilities to identify the drive that was used to create a Blu-ray Disc. First, the write-once BD-R discs are examined, then the rewritable BD-RE.
In the following study various BD-Rs (with 25 GB capacity) were created on different burners from Pioneer, Matshita and LG, and these discs were loaded into the program Nero Disk-Info.
In each case the value determined for the DDS was the type designation of the test hardware in use. This was the case in all tests, even for media that had been burned with the other drives.
Table 3. Determination of the Unique ID for DVD-R using PxScan
| Manufacturer | Model | Unique ID |
|---|---|---|
| HL-DT-ST | DVDRAM GH22NS40 | HL-DT-ST FA68D89D9574m118 DVDRAM GH22NS40 |
| HL-DT-ST | DVD+-RW GSA-H31N | HL-DT-ST DVD+-RW GSA-H31 |
| HL-DT-ST | DVD+-RW GSA-U20N | HL-DT-ST K0Z8BF14634h105 DVD+-RW GSA-U20 |
| HL-DT-ST | DVDRAM GSA 4040B | HL-DT-ST K133A6D3517L097 DVDRAM GSA-4040 |
| HL-DT-ST | DVDRAM GH20NS15 | HL-DT-ST K0487RI0235f144 DVDRAM GH20NS15 |
| Sony NEC Optiarc | DVD RW AD-7593A | Optiarc 1016134Q111 DVD RW AD-7593A |
| Pioneer | BD-RW BDR-205 | PIONEER IJDL000719WL BD-RW BDR-205 |
| Slimtype | DVDA DS8A35 | Slimtype (Unicode) DVD A DS8A3S |
| TSSTCorp | CD/DVDW TS-L632D | TSSTcorp (Unicode) TS-L632D |
| TSSTCorp | CD/DVDW TS-L632H | TSSTcorp (Unicode) TS-L632H |
| TSSTCorp | CD/DVDW SH-S203D | TSSTcorp (Unicode) SH-S203D |
| TSSTCorp | CD/DVDW SH-S223F | TSSTcorp (Unicode) SH-S223F |
| TSSTCorp | CD/DVDW SH-W163A | TSSTcorp (Unicode) SH-W163A |
| TSSTCorp | CD/DVDW SH-S183A | TSSTcorp (Unicode) SH-S183A |
3.9 Investigation of DDS and PAC on BD-RE
In the following study on identifying the burning hardware of rewritable Blu-ray Discs, brand-new BD-RE discs from different manufacturers were used. All of these discs have a capacity of 25 GB.
All media were burned on the different hardware in varying order. For this test the discs were erased in each drive and rewritten with data. After each write process the metadata of the medium was examined with Nero Disk-Info.
Listing 1 shows the final PAC Field of a disc after more than 10 burn processes. The device codes of the burning hardware used are shown here.
Listing 1. PAC Field Nero Disk-Info
---- Disc Structure: Physical Access Control (PAC) (30h) ----
Media Type: 1, Layer: 0, PAC ID: 50524D h, Format Nr: 00 h, AGID: 0; Length : 32770
--- PAC information of the addressed PAC <PRM> 50524D00 h ---
PAC ID: <PRM>, Format: 0, Update Count: 5
Unknown PAC Rules: 282A00 h, Unknown PAC Entire_Disc_Flag: 0 h
Number of Segments: 0
Known PAC Entire_Disc_Flags: 0
--- PAC specific information ---
Number of Recorder ID entries: 4
Year/Month/Date of initial recording : 0000 00 00
Re-initialization RID_Tag #: 2
------ # 1 ------
Manufacturer name: <MATSHITA >
Additional Info: <BD-MLT SW -5583 B084 08040300 >
Serial Number: <2HE26965 >
------ # 2 ------
Manufacturer name: <PIONEER >
Additional Info: <BD-RW BDR-205 >
Serial Number: <IJDL000719WL >
------ # 3 ------
Manufacturer name: <MATSHITA >
Additional Info: <BD-MLT SW -5584 1.02 09021000 >
Serial Number: <6H008550 >
------ # 4 ------
Manufacturer name: <HL-DT-ST >
Additional Info: <BD-RE BH10LS30 >
Serial Number: <K93A6982151 >
A total of 4 burners are listed, each with the manufacturer of the device, the type (some with firmware version) and the serial number.
The first burner entry was already present on the brand-new medium. The manufacturer and type of the 3 other drives are identical to the hardware used in this investigation. The order of the entries is not the same as the burning order in this study.
A drive is added to the list only if it is not yet registered in it. This behavior is confirmed by the other test objects too.
It must be noted that no indication of the last used burning hardware could be found in this field.
4. CONCLUSIONS
The investigations in this work showed that CDs, DVDs and BDs carry various data that are relevant to a forensic analysis.
4.1 Forensic data analysis
The content of the optical media is of interest for a forensic analysis.
For the inspection of the data on the medium the programs X-Ways Forensics, EnCase and FTK are very comprehensive. With their carving technologies they show the complete file contents of the disc.
They show content that is embedded in other file formats, such as pictures in text documents or in compressed archives.
These tools also make a MAC time analysis possible. All three programs determined the date and time of the files contained on the disc for producing a time-line.
The important task of proving authenticity can be done with these programs by means of hash functions.
It is also possible to identify the burning program and the operating system used for a disc.
In addition, the study showed that deleted files can be made readable (only for packet writing). The program IsoBuster PRO allows all sessions to be extracted with their previous content. The content of multisession discs can also be extracted separately, e.g. for an analysis of a disc with various file formats.
An examination showed that no data could be reconstructed on erased media, even if they were made rewritable using the quick-erase mode. There was also no possibility to read the data in the unused area of a multisession disc.
4.2 Identification of CD, DVD and BD burners
For the study on identifying the burner, several media were created on different devices and tested with different programs. The investigation showed that it is possible to determine the burning hardware used for a CD-R(W). The results depend on the type of burner. The device code of the drive is written in the roll-out blocks on the CD.
No device codes were found in the subchannels.
Only 6 of 21 tested burning drives left a code on the disc which could be determined. This device code contains abbreviations indicating the manufacturer, the model and the serial number. The serial number is of minor significance because the number field is only 3 bytes long. Three of the 6 different drives wrote the exact same sequence of numbers, 012345(hex).
Another study showed that on multisession CDs only the identifier of the first write process can be determined.
Furthermore, it is possible to identify the drive which was used to create a DVD. It was found that an identifier is left only on DVD-R(W) media. A total of 14 drives were tested which left details about the manufacturer and model name on the DVD-R(W) media. For 13 of the 14 drives the serial number could also be traced.
For DVD+R(W) media no identifiers could be determined.
Table 4 lists the programs and how reliably they determine the drive that was used for creating a CD or DVD. Some programs require special hardware for the analysis. This is indicated in the right column.
Table 4. Reliability of the burner identification of CD and DVD
| Software | Identification for CD-R(W) | Identification for DVD-R(W) | Identification for DVD+R(W) | Special hardware necessary? |
|---|---|---|---|---|
| RID code | none | none | none | none |
| Nero Disk-Info | none | none | none | none |
| PxScan | none | very high | none | yes (Plextor) |
| PLScsi | high | none | none | yes (Plextor) |
| CD/DVD Diagnostic | none | none | none | none |
| QPxTool | none | very high | none | yes (Plextor, LiteOn, ...) |
| FTK | none | none | none | none |
| X-Ways | none | none | none | none |
| EnCase | none | none | none | none |
| by other imaging processes | none | none | none | none |
Furthermore, the ability to identify the burner that was used to create Blu-ray Discs was tested. This showed that it was not possible to determine an identification for recordable BD-R.
Table 5. Reliability of the identification of BD burner
| Software | Identification for BD-R | Identification for BD-RE | Special hardware necessary? |
|---|---|---|---|
| Nero Disk-Info | none | low | not specified |
The tests with rewritable BD-RE showed that the identification of all the drives in which a BD-RE was burned was displayed on the medium. During the process only newly added drives were listed, regardless of whether they were used multiple times. The code consists of information about the manufacturer, the model, the serial number and (if appropriate) the firmware version and is written in the Physical Access Control field on the medium. In every rewrite process an update counter is incremented in this PAC field.
There was no evidence that any value in this list acts as a pointer to the last burner.
From a forensic point of view only the value 1 in this update counter is significant. That would mean that the BD-RE can be assigned to only one drive.
Furthermore, during the tests it turned out that a brand-new BD-RE medium can already contain a device code of a drive.
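The PAC observations above (Listing 1, the update counter and the unordered recorder list) can be checked mechanically on a saved report. The following is an added example, not part of the paper or of Nero Disk-Info: it parses the text layout printed in Listing 1 and applies the paper's rule that only an update count of 1 supports assignment to a single drive. The function names and result keys are hypothetical.

```python
import re

# Sample input: the PAC part of Listing 1 on this page (Nero Disk-Info output).
LISTING_1 = """\
PAC ID: <PRM>, Format: 0, Update Count: 5
--- PAC specific information ---
Number of Recorder ID entries: 4
Re-initialization RID_Tag #: 2
------ # 1 ------
Manufacturer name: <MATSHITA >
Additional Info: <BD-MLT SW -5583 B084 08040300 >
Serial Number: <2HE26965 >
------ # 2 ------
Manufacturer name: <PIONEER >
Additional Info: <BD-RW BDR-205 >
Serial Number: <IJDL000719WL >
------ # 3 ------
Manufacturer name: <MATSHITA >
Additional Info: <BD-MLT SW -5584 1.02 09021000 >
Serial Number: <6H008550 >
------ # 4 ------
Manufacturer name: <HL-DT-ST >
Additional Info: <BD-RE BH10LS30 >
Serial Number: <K93A6982151 >
"""


def parse_pac_report(text):
    """Extract the update counter and the recorder entries from a PAC report."""
    def number(label):
        m = re.search(re.escape(label) + r":\s*(\d+)", text)
        if m is None:
            raise ValueError("missing field: " + label)
        return int(m.group(1))

    # Each recorder entry starts with a separator line such as "------ # 1 ------".
    chunks = re.split(r"^-+\s*#\s*\d+\s*-+\s*$", text, flags=re.M)
    recorders = []
    for chunk in chunks[1:]:
        pairs = re.findall(r"^\s*([^:<\n]+):\s*<([^>]*)>", chunk, re.M)
        # Normalise labels so stray spaces inside a label do not lose a field.
        fields = {re.sub(r"\s+", "", k).lower(): v.strip() for k, v in pairs}
        recorders.append({
            "manufacturer": fields.get("manufacturername", ""),
            "model": fields.get("additionalinfo", ""),
            "serial": fields.get("serialnumber", ""),
        })
    return {
        "update_count": number("Update Count"),
        "declared_entries": number("Number of Recorder ID entries"),
        "recorders": recorders,
    }


def assess(report):
    """Apply the paper's findings to a parsed report.

    The list holds each drive once, is not in burning order and has no
    pointer to the last writer, so the entries are only a candidate set.
    """
    drives = {(r["manufacturer"], r["serial"]) for r in report["recorders"]}
    return {
        "entries_consistent":
            report["declared_entries"] == len(report["recorders"]),
        "update_count_is_one": report["update_count"] == 1,
        "candidate_drives": sorted(drives),
    }


if __name__ == "__main__":
    print(assess(parse_pac_report(LISTING_1)))
```

Because a brand-new BD-RE can already carry an entry, the candidate set may include a drive the examined system never contained.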
Table 5 lists the programs that were used and how reliably they determine the drive that was used to create a BD.
All of these studies to identify the drive require the use of the original seized media. To ensure the integrity of the data on the media, a write-blocker has to be used during the investigation for rewritable CDs, DVDs and BDs.
Most of the programs do not provide functionality for tracking and report generation. Therefore, the examinations are done using the four-eyes principle.
The result of this report is also a plan of procedures, which is shown in figure 3.
5. PROSPECT
In the next few years, other optical storage media will be established. The question of whether these media are
equipped with an identification option is not answered yet. It depends on the (sometimes conflicting) interests
between customers, music/video industry and the manufacturers.
REFERENCES
[1] Gartner Newsroom: The number of installed PCs worldwide has surpassed 1 billion units.
http://www.gartner.com/it/page.jsp?id=703807 - June 23, 2008
[2] Bundesverband der Musikindustrie: CD, DVD: Anzahl gebrannter Rohlinge Statistik.
http://de.statista.com/statistik/daten/studie/594/umfrage/anzahl-gebrannter-cd–dvd-rohlinge-seit-2000/.
Version: 2010. September 27, 2010
[3] Ecma International: 80 mm (1,46 Gbytes per side) and 120 mm (4,70 Gbytes per side) DVD Recordable
Disk (DVD-R). In: Standard (2004), p. 7374
[4] Blu-ray Disc Association: Rewritable Blu-ray Disc (BD-RE) Multi-Media Command Set Description.
White paper (2004), p. 37
Figure 3. Plan of procedures for investigation on CD, DVD and BD