Possibilities of the forensic investigation of CD, DVD and
Frank Irmler and Reiner Creutzburg
Brandenburg University of Applied Sciences, Department of Informatics and Media
P.O.Box 2132, D-14737 Brandenburg, Germany
In this paper the possibilities of forensic investigation of CD, DVD and Blu-ray Discs is presented. It is shown
which information can be read by using freeware and commercial software for forensic examination.
It particulary it describes the visualization of hidden content and the possibility to ﬁnd out information about
the burning hardware used for writing.
Keywords: computer forensics, optical media forensics, CD forensics, DVD forensics, Blu-ray Disc forensics
In our highly technological environment computers are important in many ways. As an aid, manufacturing
resources, communications and entertainment media are worldwide over a billion computers in use . In 1980,
as a data storage, an optical removable media has been established, the recordable CD followed by its further
developments DVD and Blu-ray Disc. For example about 510 million CD and DVD discs were burned alone in
Germany in 2009 . These removable media can stand irrespective of their location and are easily transported
and distributed. It is very important to investigate if there are data with an illegal background or criminal
relevance. It has been studied in numerous trials which information in addition to the actual, visible, useful data
on the CDs, DVDs and Blu-ray discs can be found.
2. STANDARDS FOR AN IDENTIFICATION OF DISK DRIVES
There are some standards established on CD-R(W), DVD+-R(W) and BD-R(E) for identiﬁcation of the used
drive by the burning process on the optical media. That gives the possibility to identify the optical drive.
2.1 Recorder Identiﬁcation of CD-R(W)
In 1995, the company Philips gave under the pressure of the music industry, represented by IFPI∗, RIAA†and
the RIAJ‡, in their ”Orange Book” standard for recordable CDs a possible identiﬁcation for the tracking of
pirated content. This Recorder IDentiﬁcation Code (RID) can be written in the Q-sectors of the individual
songs or/and in the roll-in/out-blocks of the disc.
The RID code consists in 3 groups, including the following information: the manufacturer’s code, followed
by the device type and unique serial number.
2.2 Unique ID Field of DVD-R(W)
An identiﬁcation for the drive which was used for burning a DVD is deﬁned in ISO/IEC 23912 standard for
recordable DVD media.
This Unique ID Field is written in a speciﬁed area previous to the lead-in. The size of the Unique ID Field
is 32 bytes for the manufacturer, 16 bytes for the serial number and 16 bytes for the model name .
Further author information: (Send correspondence to F. Irmler)
Frank Irmler: E-mail: firstname.lastname@example.org
Reiner Creutzburg: E-mail: email@example.com
∗International Federation of the Phonographic Industry http://www.ifpi.org/
†Recording Industry Association of America http://www.riaa.com/
‡Recording Industry Association of Japan http://www.riaj.or.jp/e/
2.3 Disc Deﬁnition Structure Field with BD-R(E)
Moreover it is possible to identify the drive that was used for burning in the Blu-ray Disc standard. In a ﬁxed
area on the BD is the Disc Deﬁnition Structure Field (DDS) for identifying the burning hardware. The size is
variable, but may not exceed 2048 bytes for storing manufacturer, model and the serial number.
At rewritable BD-REs, the identiﬁer is located in the Physical Access Control Field (PAC) .
Both ﬁelds are located outside the data area of the optical medium .
The aim of this work is to ﬁnd data that are available in addition to the visible user data on CD, DVD or BD.
These can be hidden data, which are deliberately placed on the disk and not visible by the usual way, when you
open the disc or additional information in a forensics content.
For this reason, the following hardware and software components are presented, which can be used for such
3.1 Investigation of multisession CDs and DVDs
A possible scenario would be here to ﬁnd two or more diﬀerent ﬁle systems on the disk. In this case only one
session is visible in the OS. The other sessions are invisible.
The program IsoBuster PRO∗in version 2.8 presented in the full version several options. In a tree structure,
IsoBuster PRO will list all the diﬀerent writing processes on the CD or DVD. So it is possible to see the number
of sessions on the storage medium. Due to the strong support of ﬁle systems in IsoBuster PRO, all sessions were
open like directories in a directory browser, and the content could be extracted and viewed. It is also possible
to produce an image of every single session. Integrity is maintained through available hashes.
The same case was also tested with the programs EnCase†,FTK
‡and X-Ways§. All programs show the
number of sessions. Similar to directories in the directory browser, the content can be opened and viewed (see
Figure 1. A multisession CD in EnCase
∗IsoBuster PRO http://www.isobuster.com/
†Guidance Software http://www.guidancesoftware.com/
‡Forensic Toolkit 3 http://www.accessdata.com/forensictoolkit.html
§X-Ways Software Technology AG http://www.x-ways.net/index-d.html
3.2 File and MAC time analysis
The programs X-Ways Forensics, EnCase and FTK are very comprehensive tools for inspecting the ﬁle contents
of the medium.
All these programs use ﬁle carving technologies, have ﬁlters for diﬀerent ﬁle types and have possibilities for
generating hash values. Interesting for a forensic investigation are the MAC times of the ﬁles. X-Ways, EnCase
and FTK provide this information in tabular form to the individual ﬁles.
3.3 The imaging process
The creation of forensic duplicates is a standard procedure in investigations of computer crime. This process has
been studied in more detail.
It was found that in opposite to the imaging process on hard drives, where the data of the unpartitioned space
is taken up in the duplicate, only the data that containing between the border areas is copied in the duplicate.
The reason can be found in the fact that optical drives will be mounted just as logical drives in the system,
however, as physical drives.
The choice of the operating system was not relevant in this case. The image generation under the operating
systems Windows XP, Windows 7 and Linux (with the programs dump device (dd), Nero Burning Rom, FTK
Imager, IsoBuster PRO, X-Ways and EnCase) took place and showed identical results.
3.4 Burning tools on diﬀerent operating systems
The program and the operating system that was used by burning the optical media can be interesting in the
forensic examination. This information is an association from the media to the used computer system.
For this study diﬀerent records are created by diﬀerent burning programs on diﬀerent operating systems.
These discs are opened into the program Nero Disk-Info.
The following table 1 shows the determined identiﬁers of the software and operating systems that was found
on the media.
Table 1. Identiﬁcation of burning tool and OS
OS Burning Tool System Identiﬁer Application Identiﬁer
Windows XP Nero Burning Rom - NERO BURNING ROM
Windows XP included burn utility CD-RTOS
IMAPI ISO-9660 Format-
ter Copyright (C) 2001
Microsoft & Roxio
Windows 7 included burn utility - IMAPI2(1.0) ISO9660
RIGHT (C) 2004-2007
Linux K3b LINUX K3B THE CD
KREATOR (C) 1998-2010
AND MICHAL MALEK
OS X included burn utility APPLE COMPUTER,
INC., TYPE: 0002
Therefore it is possibly to determine the used operating system and/or the burning program by the burning
3.5 Investigation of deleted media
This section examines the possibilities to reconstruct the contents of a deleted CD-RW, DVD-RW or BD-RE.
Numerous test were performed on this. Erased discs were checked for access under Mac OS, Linux and
Windows 7. None of the operating systems allowed direct access to the blank disc. The imaging process by using
Windows and Linux broke with an error message. The programs X-Ways, EnCase, FTK, IsoBuster PRO and
CD/DVD Diagnostic found no data on the disk.
3.6 Investigation on the RID (CD)
In the following study it was tested which information can be examined about the used burning hardware on
aCD. For this test various CDs were created on diﬀerent burners (see table 2). To determine the Recorder
Identiﬁcation Code the open-source tool PLScsi¶was used.
By using an LG drive by this determining process no results could be found. Otherwise by using a Plextor
drive the RID code in some media could be found with PLScsi.
PLScsi found the manufacturer’s code, the device type and the serial number. Often the serial number is
012345(hex). So only manufacturer and type are clearly ascertainable.
The table 2 shows the test results.
Additionally, in this study other programs like Subcode Analyzer, RID code, Nero Disk-Info, PxScan,
CD/DVD Diagnostic, QPxTool, X-Ways, FTK and Encase were tested for the identiﬁcation of the used burning
hardware of a CD, but without results.
3.7 Investigation on the Unique ID (DVD)
In the following study it was tested which information can be examined about the used burning hardware on a
DVD. For this test various DVD+R(W)s and DVD-R(W)s were created on diﬀerent burners (see table 3).
To determine the Unique ID the program PxScanwas used.
PxScan runs under MS Windows and requires a Plextor drive.
A possibility to identify the burning hardware of a DVD+R(W) could not be found.
But the examination of the DVD-R test objects were successful. Under the heading ”writer used” there is
shown the Unique ID of the burning hardware (ﬁgure 2).
Figure 2. PxScan determine Unique ID on DVD-R
In the table 3, all found Unique IDs are shown to the devices.
Table 2. Determination of the RID by PLScsi
Manufacturer Model determined Recorder Identiﬁcation Code
ASUS DRW-20B1LT -
CyberDrv CW018D CD-R/RW -
HL-DT-ST DVDRAM GH22NS40 -
HL-DT-ST DVD+-RW GSA-H31N -
HL-DT-ST DVD+-RW GSA-U20N -
HL-DT-ST DVDRAM GSA 4040B -
HL-DT-ST CD-RW GCE-8320B Nr.1 HLD PA11 012345(hex)
HL-DT-ST CD-RW GCE-8320B Nr.2 HLD PA11 012345(hex)
HL-DT-ST CD-RW GCE-8320B Nr.3 HLD PA11 012345(hex)
HL-DT-ST DVDRAM GE20LU10 HTC JR08 303030(hex)
HL-DT-ST DVDRAM GH20NS15 -
HP IDE-CD R/RW 9340 -
HP DVD Writer 200j -
Sony NEC Optiarc DVD RW AD-7593A SNY DK10 313031(hex)
Pioneer DVD-RW DVR-103 -
Slimtype DVDA DS8A35 MTK DW12 012345(hex)
Sony CD-RW CRX100E SNY AA00 058702(hex)
TSSTCorp CD/DVDW TS-L632D -
TSSTCorp CD/DVDW TS-L632H -
TSSTCorp CD/DVDW SH-S203D -
TSSTCorp CD/DVDW SH-S223F TSS KW10 012345(hex)
TSSTCorp CD/DVDW SH-W163A -
TSSTCorp CD/DVDW SH-S183A -
In this table are not displayable characters of the serial numbers. They are marked with ”Unicode”.
For the investigation on their Unique ID of DVDs the program QPxTool on Windows XP was tested. The
test DVDs of the past studies and a Plextor drive were used.
An identiﬁcation of the burning drive that was used for was not possible for DVD+R media.
The test on DVD-R(W) shows the same results like the test with the program PxScan.
Additionally, in this study other program were tested for the identiﬁcation of the used burning hardware of a
DVD. There could not ﬁnd a possibility to get the identiﬁcation by using disc imaging or by using the programs
RID code, Nero Disk-Info, PLScsi, CD/DVD Diagnostic, X-Ways, FTK and Encase.
3.8 Investigation of DDS and PAC on BD-R
The possibilities to identify the drive which was used to create a Blu-ray Disc will be tested in this section. First,
the write-once BD-R discs are examined. Subsequently, the rewritable BD-RE.
In the following study various BD-R (with 25 GB capacity) were created on diﬀerent burners from Pioneer,
Matshita and LG and these discs are loaded into the program Nero Disk-Info.
In each case the determined values of the DDS was the type designation of the used test hardware. This was
the case in all tests, even with the media, which have been burned with the other drives.
Table 3. Determination of the Unique ID for DVD-R using PxScan
Manufacturer Model Unique ID
HL-DT-ST DVDRAM GH22NS40 HL-DT-ST FA68D89D9574m118 DV-
HL-DT-ST DVD+-RW GSA-H31N HL-DT-ST DVD+-RW GSA-H31
HL-DT-ST DVD+-RW GSA-U20N HL-DT-ST K0Z8BF14634h105 DVD+-
HL-DT-ST DVDRAM GSA 4040B HL-DT-ST K133A6D3517L097 DV-
HL-DT-ST DVDRAM GH20NS15 HL-DT-ST K0487RI0235f144 DV-
Sony NEC Optiarc DVD RW AD-7593A Optiarc 1016134Q111 DVD RW AD-
Pioneer BD-RW BDR-205 PIONEER IJDL000719WL BD-RW
Slimtype DVDA DS8A35 Slimtype (Unicode) DVD A DS8A3S
TSSTCorp CD/DVDW TS-L632D TSSTcorp (Unicode) TS-L632D
TSSTCorp CD/DVDW TS-L632H TSSTcorp (Unicode) TS-L632H
TSSTCorp CD/DVDW SH-S203D TSSTcorp (Unicode) SH-S203D
TSSTCorp CD/DVDW SH-S223F TSSTcorp (Unicode) SH-S223F
TSSTCorp CD/DVDW SH-W163A TSSTcorp (Unicode) SH-W163A
TSSTCorp CD/DVDW SH-S183A TSSTcorp (Unicode) SH-S183A
3.9 Investigation of DDS and PAC on BD-RE
In the following study of identifying the used burning hardware by rewritable Blu-ray Discs brand-new BD-RE
discs of diﬀerent manufacturers were used. All of these discs have a capacity of 25 GB.
All media have been burned in diﬀerent order with the diﬀerent hardware. For this test the discs have been
deleted in any drive and rewritten with data. After each write process the media was tested by Nero Disk-Info
for the metadata.
Listing 1 shows the ﬁnal PAC Field of a disc after more then 10 burn processes. The device codes of the used
burning hardware are shown here.
Listing 1. PAC Field Nero Disk-Info
---- Disc Structure: Physical Access Control (PAC) (30h) ----
Media Type: 1, Layer: 0, PAC ID: 50524D h, Format Nr: 00 h, AGID: 0; Length : 32770
--- PAC information of the addressed PAC <PRM> 50524D00 h ---
PAC ID: <PRM>, Format: 0, Update Count: 5
Unknown PAC Rules: 282A00 h, Unknown PAC Entire_Disc_Flag: 0 h
Number of Segments: 0
Known PAC Entire_Disc_Flags: 0
--- PAC specific information ---
Number of Recorder ID entries: 4
Year/Month/Date of initial recording : 0000 00 00
Re-initialization RID_Tag #: 2
------ # 1 ------
Manufacturer name: <MATSHITA >
Additional Info: <BD-MLT SW -5583 B084 08040300 >
Serial Number: <2HE26965 >
------ # 2 ------
Manufacturer name: <PIONEER >
Addition al Info: <BD- RW BDR-205 >
Serial Number: <IJDL000719WL >
------ # 3 ------
Manufacturer name: <MATSHITA >
Additional Info: <BD-MLT SW -5584 1.02 09021000 >
Serial Number: <6H008550 >
------ # 4 ------
Manufacturer name: <HL-DT-ST >
Additional Info: <BD-RE BH10LS30 >
Serial Number: <K93A6982151 >
There are a total of 4 burners, provided by the manufacturer of the device, the type (some with ﬁrmware
version) and the serial number.
The ﬁrst entry of the burner was present at the brand-new medium already. The identiﬁcation of the
manufacturer and type of the 3 other drives are identical to the hardware in this investigation. The order of the
entries is not the same as the burning order in this study.
It will only add new drives in the list when the drive is not registered in it, yet. This behavior is supported
by the other test objects too.
It is necessary to note that there could not be found an indication for the last used burning hardware in this
The investigations in this work showed, that there are various data that are relevant to a forensic analysis on
CD, DVD and BD.
4.1 Forensic data analysis
Interesting for a forensics analysis is the content on the optical media.
For the inspection of the data on the medium the programs X-Ways Forensics, EnCase and FTK are very
comprehensive. With their carving technologies they show the complete ﬁle contents of the disc.
They show content that is placed in other ﬁle formats like pictures in text documents or in compressed
These tools are an opportunity to get the MAC time analysis, too. All three programs determined the Date
and Time of the containing ﬁles on disc for a time-line production.
The important task for proof of authenticity can be done with these programs by hash functions.
It is also possible to identify the used burning program and the operating system of a disc.
In addition, the study showed that deleted ﬁles can be made readable (only for packet writing). The program
IsoBuster PRO allows to extract all sessions with the previous content. Also the content on multisession discs
can be separately extracted, e.g. for an analysis of a disc with various ﬁle formats.
An examination showed that no data could be reconstructed on erased media, even if they made rewritable
by using the quick-erase mode. And there was no possibility to read the data in the unused area of a multisession
4.2 Identiﬁcation of CD, DVD and BD burners
For the study to identify the used burner several media on diﬀerent devices were created and tested with diﬀerent
programs. The investigation showed that it is possible to determine the used burning hardware with CD-R(W).
The results depend on the type of burner. The device code of the drive is written in the roll-out blocks on the
No device codes were found in the subchannels.
Only 6 of 21 tested burning drives left a code on the disk which could be determined. This device code
contains the abbreviations to indicate the manufacturer, the model and the serial number. The signiﬁcance of
the serial number plays a minor role, because of the 3 byte long number ﬁeld. Three of the 6 diﬀerent drives
wrote the exact same sequence of numbers 012345(hex).
Another study showed that only the identiﬁer of the ﬁrst write process can be determined by multisession
Furthermore, it is possible to identify the drive which was used to create the DVD. It was found that only
DVD-R(W) media leave an identiﬁer. A total of 14 drives were tested which left details about the manufacturer
and model name on the DVD-R(W) media. In 13 of the 14 drives also the serial number could be traced.
For DVD+R(W) media no identiﬁers could be determined.
The following table 4 lists the programs and their reliability in determination of how to show the drive that
was used for creating CD and DVD. Some programs require special hardware for the analysis. This is indicated
in the right column.
Table 4. Reliability of the burner identiﬁcation of CD and DVD
RID code none none none none
Nero Disk-Info none none none none
PxScan none very high none yes (Plextor)
PLScsi high none none yes (Plextor)
none none none none
QPxTool none very high none yes (Plextor,
FTK none none none none
X-Ways none none none none
EnCase none none none none
by other imag-
none none none none
Furthermore, the ability to identify the burner that was used to create Blu-ray discs was tested. This showed
that it was not possible to determine an identiﬁcation of recordable BD-R.
Table 5. Reliability of the identiﬁcation of BD burner
Nero Disk-Info none low not speciﬁed
The rewritable BD-RE showed that the identiﬁcation of all the drives, in which a BD-RE was burned, was
displayed on the medium. During the process only newly added drives where listed regardless whether they
where used multiple times. The code consists of information about manufacturer, model, the serial number and
(if appropriate) the ﬁrmware version and is written in the Physical Access Control ﬁeld on the medium. In every
rewrite process an update counter is incremented in this PAC ﬁeld.
There was no evidence that a value was established as a pointer in this list that showed the last burner.
From a forensic point of view only the value 1 in this update counter is signiﬁcant. That would mean, that
the BD-RE is assignable by only one drive.
Furthermore, during the tests it turned out that a brand new BD-RE media can already contain a device
code of a drive.
The table 5 lists the programs which were used and their reliability in determination of the drive which were
used to create at BD.
All of these studies to identify the used drive require the use of the original seized media. To ensure the
integrity of the data on the media, during the investigation a write-blocker has to be used for rewritable CDs,
DVDs and BDs.
Most of the programs do not provide functionalities for tracking and report generation. Therefore, the
examinations are done using the four-eye principle.
The result of this report is also a plan of procedures that is shown in ﬁgure 3.
In the next few years, other optical storage media will be established. The question of whether these media are
equipped with an identiﬁcation option is not answered yet. It depends on the (sometimes conﬂicting) interests
between customers, music/video industry and the manufacturers.
 Gartner Newsroom: The number of installed PCs worldwide has surpassed 1 billion units.
http://www.gartner.com/it/page.jsp?id=703807 - June 23, 2008
 Bundesverband der Musikindustrie: CD, DVD: Anzahl gebrannter Rohlinge Statistik.
Version: 2010. September 27, 2010
 Ecma International: 80 mm (1,46 Gbytes per side) and 120 mm (4,70 Gbytes per side) DVD Recordable
Disk (DVD-R). In: Standard (2004), S. 7374
 Blu-ray Disc Association: Rewritable Blu-ray Disc (BD-RE) Multi-Media Command Set Description.
White paper (2004), S. 37
Figure 3. Plan of procedures for investigation on CD, DVD and BD