Computer forensics is the scientific method of analyzing digital information so that it can be used as evidence in criminal, administrative and civil cases. In the contemporary legal environment, computer forensics has become a vital part of solving complex crimes. Since computer forensic experts rely on data to solve high-level cases, effective data storage and retrieval is a critical aspect of a forensic investigation, and effective storage is essential to preserving data integrity. The ISO9660 file system has become an effective method that forensic experts employ to store and retrieve data (Dixon, 2005). Preserving and storing critical data and information without altering its original state is the most important aspect of computer forensics, and one of the techniques employed is storing the data on an ISO9660 file system. It is essential to recognize that an employee might inadvertently overwrite valuable data, or that a cyber criminal might plant a program to erase it. Manipulation of valuable data may lead a trained legal professional to raise doubts about the validity of the evidence presented in a court of law in order to defend a case (Coward, 2009). To address this problem, the ISO9660 file system is generally employed to store data on CD-ROMs. However, while ISO9660 stores data on CD-ROMs, ISO9660 file systems differ in design, which allows for different interpretations.
The fundamental objective of this paper is to investigate how digital forensic tools interpret the ISO9660 file system.
The study is structured as follows:
First, the study presents an overview of ISO9660 file systems. It then discusses the forensic tools and the evaluation methodology used to examine the different interpretations of ISO9660 file systems. Finally, the paper presents the evaluation results revealing those different interpretations.
Overview of ISO9660 File Systems
An ISO9660 file system, often referred to as CDFS (Compact Disc File System), stores data in blocks made up of consecutive sectors. However, ISO9660 file systems differ in design, which allows for different interpretations. Within the first sector of the ISO9660 volume there are multiple data structures and directory trees with the ability to store files within the ISO9660 structure. There are also data structures that serve to store file system data in both big-endian and little-endian byte orderings.
Generally, ISO9660 stores data in consecutive blocks. An ISO9660 file system contains one primary volume descriptor and secondary volume descriptors, which identify the size and layout of the file system. Typically, ISO9660 stores data in blocks, and the block size is recorded in a volume descriptor. More importantly, ISO9660 supports file names of at most 8 Latin characters in the name and 3 Latin characters in the extension. ISO9660 file systems also have the Joliet extension, which stores longer names in Unicode. The starting block of the root directory within ISO9660 is listed in the volume descriptor, and the directory tree assists in locating a file once the root directory is opened. ISO9660 stores values in both big-endian and little-endian orderings; in the big-endian ordering the most significant byte of a value is stored first, whereas the little-endian ordering stores the least significant byte first.
There are different strategies that can be used to hide data from forensic tools. One strategy exploits the endian ordering. ISO9660 stores its data structures in both big- and little-endian orderings, so data can be hidden if the starting block in a directory entry has different values in the big-endian and little-endian locations. Typically, a forensic tool analyzing the volume reads only one of the two locations while the hider's tool uses the other, so there is a high likelihood that the hidden data will not be identified. For example, the starting block in the big-endian field might be 0x00000020 while the starting block in the little-endian field is 0x00000030. Because each field is stored in both little- and big-endian order, the two copies can be used to hide data (Carrier, 2010). With different methods of designing ISO9660, forensic tools interpret the data within ISO9660 differently.
Computer Forensic Tools for ISO9660 File Systems
"CFTs (Computer Forensic Tools) assist investigators to recover deleted files, reconstruct an intruder's activities, and gain intelligence about a computer's user." (Garfinkel, 2007 P. 1). CFTs assist forensic experts in collecting valuable information from a computer system as well as making a true copy of the information so that it can be used in legal proceedings. Typically, CFTs fall into two classes:
Persistent data tools analyze the data that remains stored in a computer system when the computer is turned off. Volatile data tools analyze transitory information that would otherwise be lost (Garfinkel, 2007). This paper analyzes different computer forensic tools to present the different interpretations of ISO9660 file systems within the forensic field, using the following tools:
EnCase 6.15 provided by Guidance Software
FTK (Forensic Tool Kit) 1.60 delivered by Access Data.
ISOBuster 2.7, which is also X-Ways Inc.
Linux 2.6 named Lefebvre
Power PC and Apple Inc. OS X 10.4.11
Microsoft Windows XP
Intel and Apple Inc. OS X 10.6.2
TSK (Sleuth Kit) Carrier
Smart Projects Windows Vista
Microsoft Win Hex Forensics
TSK (The Sleuth Kit) is a set of digital forensic tools that runs on UNIX systems, Windows, OS X and Linux. The Sleuth Kit is used to analyze disk images and to perform in-depth analysis of file systems including ISO 9660, FAT, NTFS, HFS+, UFS and Ext3. Typically, TSK is arranged in layers: a data layer for the blocks stored on the disk and a metadata layer (Marko, 2005).
EnCase is another tool that assists with forensic investigations. EnCase is a comprehensive computer investigation software package that can acquire and analyze data using network-based and local versions. Typically, EnCase has the ability to analyze many file systems and media, including NTFS, UFS, FAT, CD-ROMs, Ext2/3, Reiser, DVDs, JFS, and HFS+.
"EnCase also assists in supporting Microsoft Windows dynamic disks and AIX LVM. EnCase lists the files and directories, recovers deleted files, conducts keyword searches, views all graphic images, makes timelines of file activity, and uses hash databases to identify known files. It also has its own scripting language, called EnScript, which allows automating many tasks. Add-on modules support the decryption of NTFS encrypted files and assist in mounting the suspect data as though it were a local disk." (Carrier, 2005 P. 20).
EnCase uses powerful facilities to discover potential evidence during a forensic investigation, and EnCase automatically recovers deleted files within a directory. Typically, the structure of a file can be restored using the EnCase keyword search, and EnCase is generally used for file recovery, data acquisition, file parsing and indexing/search (Martin & Sujeet, 2006).
IsoBuster is also a well-known forensic tool, and many governmental institutions and police departments use IsoBuster to gather forensic data. IsoBuster is unique in that it reveals the true layout of an optical disc, which allows investigators to inspect every track on the disc and better understand how data is managed on it.
WinHex is a powerful data recovery tool that forensic experts use as an advanced hex editor. WinHex can also be used for data analysis, data wiping, editing and data recovery, as well as for gathering evidence. Typically, WinHex provides the following functions:
Read and directly edit hard drives, including FAT and NTFS volumes.
Read and edit CD-ROMs, floppy disks, Compact Flash cards, DVDs, and other media.
Directly read and edit RAM.
Interpret 20 data types.
Analyze & compare files.
Join & split files.
Encrypt files up to 128-bit strength.
Clone & image drives.
Create hashes & checksums.
Wipe drives. (Martin & Sujeet, 2006).
Another forensic tool is FTK (Forensic Tool Kit) 1.60, computer forensics software manufactured by Access Data. FTK scans various data and assists in the interpretation of forensic data. FTK is used to run a complete data examination, which includes filtering thousands of files as well as email analysis (Dixon, 2005). More importantly, a data hiding approach that affects FTK is a directory tree that uses two or more secondary volume descriptors. The first secondary volume descriptor contains an empty root directory, while the second secondary volume descriptor contains the files that are to be hidden. Tools mostly focus on the first descriptor, since it contains the Unicode file names from the Joliet extension. Because a tool rarely examines the second descriptor, as a second descriptor rarely exists, the files in the root directory of the second descriptor may never be presented as evidence in a court of law.
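As an added example (not code from this paper or from any of the tools listed above), the following Python parser walks the volume descriptor set of a constructed ISO9660 image, reads both the little- and big-endian copies of the root directory's starting block, and flags the two situations described in the endian-ordering and secondary-volume-descriptor passages: a record whose two byte-order copies disagree (the 0x20 versus 0x30 case) and a volume carrying more than one secondary volume descriptor. The field offsets follow ECMA-119; the sample image, its values and all function names are constructed for this demonstration.

```python
import struct

SECTOR = 2048  # ISO9660 logical sector size

def both_endian32(buf, off):
    # ISO9660 stores 32-bit values twice: little-endian first, then big-endian.
    return struct.unpack_from("<I", buf, off)[0], struct.unpack_from(">I", buf, off + 4)[0]

def parse_dir_record(rec):
    # ECMA-119 directory record: bytes 2-9 extent location, 10-17 data length (both orders).
    ext_le, ext_be = both_endian32(rec, 2)
    size_le, size_be = both_endian32(rec, 10)
    return {"extent": (ext_le, ext_be), "size": (size_le, size_be),
            "endian_mismatch": ext_le != ext_be or size_le != size_be}

def scan_volume_descriptors(image):
    # Walk descriptors from sector 16 to the terminator (type 255); return
    # [(type, root_record)] plus the warnings an examiner would want to see.
    descs, warnings, sector = [], [], 16
    while True:
        d = image[sector * SECTOR:(sector + 1) * SECTOR]
        if len(d) < SECTOR or d[1:6] != b"CD001":
            warnings.append("descriptor set not properly terminated")
            break
        if d[0] == 255:  # volume descriptor set terminator
            break
        root = parse_dir_record(d[156:190])  # root directory record sits at offset 156
        descs.append((d[0], root))
        if root["endian_mismatch"]:
            warnings.append(f"sector {sector}: root extent/size differ by byte order {root['extent']}")
        sector += 1
    svds = sum(1 for t, _ in descs if t == 2)
    if svds > 1:
        warnings.append(f"{svds} secondary volume descriptors: a tool that reads only the first may miss files")
    return descs, warnings

def make_descriptor(dtype, ext_le, ext_be):
    # Constructed test descriptor: type, "CD001" id, and a 34-byte root record at offset 156.
    d = bytearray(SECTOR)
    d[0], d[1:6] = dtype, b"CD001"
    rec = bytearray(34)
    rec[0], rec[32] = 34, 1  # record length; root name is a single 0x00 byte
    rec[2:10] = struct.pack("<I", ext_le) + struct.pack(">I", ext_be)
    rec[10:18] = struct.pack("<I", SECTOR) + struct.pack(">I", SECTOR)
    d[156:190] = rec
    return bytes(d)

# Constructed sample: 16 system sectors, a PVD whose root extent is 0x20 (LE) but 0x30 (BE), two SVDs, terminator.
SAMPLE_IMAGE = (bytes(16 * SECTOR) + make_descriptor(1, 0x20, 0x30) + make_descriptor(2, 0x40, 0x40)
                + make_descriptor(2, 0x50, 0x50) + make_descriptor(255, 0, 0))
```

Running scan_volume_descriptors(SAMPLE_IMAGE) returns three descriptors and two warnings, one for the mismatched root extent in the primary descriptor and one for the duplicate secondary descriptors.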