Different Interpretations Of ISO-9660 File Systems Research Paper

Computer forensics is a scientific method of analyzing digital information that is used as evidence in criminal, administrative and civil cases. In the contemporary legal environment, computer forensics has become a vital part of solving complex crimes. Since computer forensic experts use data to solve high-level cases, effective data storage and retrieval is a critical aspect of a forensic investigation, and effective data storage is essential to achieving data integrity. The ISO9660 file system has become an effective method that forensic experts employ to store and retrieve data (Dixon, 2005). Preserving and storing critical data and information without altering its original state is the most important aspect of computer forensics, and one of the techniques employed is to store the data on an ISO9660 file system. It is essential to realize that an employee might inadvertently overwrite valuable data, or that a cyber criminal might plant a program to erase it. Manipulation of valuable data might lead a trained legal professional to raise doubt about the validity of the evidence presented in a court of law in order to defend a case (Coward, 2009). To address this problem, the ISO9660 file system is generally employed to store data on CD-ROMs. However, while ISO9660 file systems store data on CD-ROMs, they differ in design in ways that allow for different interpretations.

The fundamental objective of this paper is to investigate how digital forensic tools interpret the ISO9660 file system.

The study is structured as follows:

First, the study presents an overview of ISO9660 file systems. It then discusses the different forensic tools and the evaluation methodology used to expose the different interpretations of ISO9660 file systems. Finally, the paper presents the evaluation results revealing those different interpretations.

Overview of ISO9660 File Systems

An ISO9660 file system, often referred to as CDFS (Compact Disc File System), is a file system that stores data in blocks formed by grouping consecutive sectors. However, the ISO9660 design allows for different interpretations. Within the first sector of the ISO9660 volume there can be multiple data structures and directory trees, each able to store files within the ISO9660 structure. There are also data structures that store file system data in both big-endian and little-endian byte orderings.

Generally, ISO9660 stores data in consecutive blocks, and an ISO9660 file system contains one primary and possibly secondary volume descriptors, which identify the size and layout of the file system. ISO9660 stores data in blocks, and the block size is recorded in a volume descriptor. More importantly, ISO9660 supports names of at most 8 Latin characters in the file name and 3 Latin characters in the extension. ISO9660 file systems also have the Joliet extension, which stores longer names in Unicode. The starting block of the root directory in ISO9660 is listed in the volume descriptor, and the directory tree is used to locate a file starting from the root directory. ISO9660 stores its values in both big-endian and little-endian orderings: in the big-endian copy the most significant byte is stored first, whereas in the little-endian copy it is stored last.

There are different strategies that can be used to hide data from forensic tools. One of them is endian ordering. ISO9660 stores its data structures in both big- and little-endian orderings, so data can be hidden if the starting block in a directory entry has different values in the big- and little-endian locations. Typically, a forensic tool carrying out the analysis reads only one of the two locations while the hider's tool uses the other, so there is a high likelihood that the hidden data is not identified. For example, the starting block in the big-endian field may be 0x00000020 while the starting block in the little-endian field is 0x00000030. Because of this field structure, the little- and big-endian copies of a value can be used to hide data (Carrier, 2010). With these different ways of reading ISO9660, forensic tools interpret the data within ISO9660 differently.

Computer Forensic Tools for ISO9660 File Systems

"CFTs (Computer Forensic Tools) assist investigators to recover deleted files, reconstruct an intruder's activities, and gain intelligence about a computer's user." (Garfinkel, 2007, p. 1). CFTs assist forensic experts in collecting valuable information from a computer system and in making a true copy of that information so that it can be used in legal proceedings. Typically, CFTs fall into two classes:

Persistent data tools assist in analyzing...

Volatile data tools analyze transitory information that would otherwise have been lost (Garfinkel, 2007). The paper analyzes different computer forensic tools to present the different interpretations of ISO9660 file systems within the forensic field, using the following computer forensic tools:
EnCase 6.15 provided by Guidance Software

FTK (Forensic Tool Kit) 1.60 delivered by Access Data.

ISOBuster 2.7, which is also X-Ways Inc.

Linux 2.6 named Lefebvre

Power PC and Apple Inc. OS X 10.4.11

Microsoft Windows XP

Intel and Apple Inc. OS X 10.6.2

TSK (Sleuth Kit) Carrier

Smart Projects Windows Vista

Microsoft WinHex Forensics

TSK (Sleuth Kit) is a digital forensic tool that runs on UNIX systems, Windows, OS X and Linux. Sleuth Kit is used to analyze disk images and to perform in-depth analysis of file systems, including ISO 9660, FAT, NTFS, HFS+, UFS and Ext3. TSK is organized in layers, among them the data layer, covering what is stored on the disk, and the metadata layer (Marko, 2005).

EnCase is another forensic tool that assists with forensic investigations. EnCase is one of the most comprehensive computer investigation software packages, able to acquire and analyze data in both network-based and local versions. Typically, EnCase can analyze many file systems, including NTFS, UFS, FAT, CD-ROMs, Ext2/3, Reiser, DVDs, JFS and HFS+.

"EnCase also assists in supporting Microsoft Windows dynamic disks and AIX LVM.

EnCase list the files and directories, recover deleted files, conduct keyword searches, view all graphic images, make timelines of file activity, and use hash databases to identify known files. It also has its own scripting language, called EnScript, which allows automating many tasks. Add-on modules support the decryption of NTFS encrypted files and assist in mounting the suspect data as though it were a local disk." (Carrier, 2005, p. 20).

EnCase uses powerful facilities to discover potential evidence during a forensic investigation, and it automatically recovers deleted files within a directory. The structure of a file can be restored using the EnCase keyword search, and EnCase is generally used for file recovery, data acquisition, file parsing and indexing/search (Martin & Sujeet, 2006).

IsoBuster is also a well-known forensic tool, and many government institutions and police departments use it to gather forensic data. IsoBuster is unique in that it reveals the true layout of an optical disc, which lets investigators inspect all tracks on the disc and better understand how data is managed on it.

WinHex is a powerful data recovery tool that forensic experts use as an advanced hex editor. WinHex can also be used for data analysis, data wiping, editing and data recovery, as well as for evidence gathering. Typically, WinHex provides the following functions:

Ability to read and directly edit hard drives formatted with FAT and NTFS.

Ability to read and edit CD-ROMs, floppy disks, Compact Flash cards, DVDs, and other media.

Directly read and edit RAM.

Interpret 20 data types.

Analyze & compare files.

Join & split files.

Recover data.

Encrypt files up to 128-bit strength.

Clone & image drives.

Create hashes & checksums.

Wipe drives. (Martin & Sujeet, 2006).

Another forensic tool is Access Data's FTK (Forensic Tool Kit) 1.60. FTK is computer forensics software manufactured by Access Data. FTK assists in scanning various data and in the interpretation of forensic data, and it is used to run a complete data examination, filtering thousands of files as well as performing email analysis (Dixon, 2005). More importantly, a data hiding approach relevant to FTK is a directory tree that uses two or more secondary volume descriptors. The first secondary volume descriptor contains an empty root directory, while the second secondary volume descriptor holds the file that is to be hidden. Tools mostly focus on the first descriptor because it contains the Unicode file names from the Joliet extension; they rarely examine the second descriptor because it rarely exists, so the files in the root directory of the second descriptor may never be presented as evidence in a court of law.
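As an added example, not from the paper or from any of the tools it names, the following Python checker reads an ISO9660 descriptor set and reports the two inconsistencies described above: a root directory record whose starting block differs between its little- and big-endian copies (the endian-ordering trick), and several volume descriptors whose root directories point at different extents (the extra secondary descriptor trick). The offsets used (descriptor set at sector 16, root record at descriptor offset 156, extent field at record offset 2) follow the ISO9660 layout; the sample image is constructed in memory and is not taken from any real disc.

```python
import struct

SECTOR = 2048  # ISO9660 logical sector size; the descriptor set starts at sector 16

def both_endian_u32(buf, off):
    """Return the (little, big) copies of a both-byte-order 32-bit field."""
    return struct.unpack_from("<I", buf, off)[0], struct.unpack_from(">I", buf, off + 4)[0]

def scan_descriptors(img):
    """Walk volume descriptors from sector 16 to the terminator (type 255) and
    return, for each, its type and the root directory record's extent pair."""
    descs, sec = [], 16
    while True:
        vd = img[sec * SECTOR:(sec + 1) * SECTOR]
        if len(vd) < SECTOR or vd[1:6] != b"CD001" or vd[0] == 255:
            return descs
        # root directory record sits at offset 156; its extent field at record offset 2
        descs.append((vd[0], both_endian_u32(vd, 156 + 2)))
        sec += 1

def find_inconsistencies(img):
    """Flag descriptors whose root extent differs between byte orders, and
    descriptor sets whose members point at different root directories."""
    findings = []
    descs = scan_descriptors(img)
    for i, (vtype, (le, be)) in enumerate(descs):
        if le != be:
            findings.append(f"descriptor {16 + i} (type {vtype}): root extent LE=0x{le:08x} BE=0x{be:08x}")
    roots = sorted({le for _, (le, _) in descs})
    if len(roots) > 1:
        findings.append(f"{len(descs)} descriptors name {len(roots)} distinct root extents {roots}")
    return findings

def build_sample():
    """Constructed image (not a real disc): a consistent primary descriptor plus a
    secondary one whose root record says 0x30 little-endian but 0x20 big-endian."""
    def root_rec(le, be):
        rec = bytearray(34)
        rec[0] = 34                               # directory record length
        struct.pack_into("<I", rec, 2, le)        # extent, little-endian copy
        struct.pack_into(">I", rec, 6, be)        # extent, big-endian copy
        rec[25], rec[32], rec[33] = 2, 1, 0       # directory flag, name length, root name
        return rec
    def vd(vtype, root):
        d = bytearray(SECTOR); d[0] = vtype; d[1:6] = b"CD001"; d[6] = 1
        if root is not None:
            d[156:190] = root
        return d
    img = bytearray(16 * SECTOR) + vd(1, root_rec(0x20, 0x20)) + vd(2, root_rec(0x30, 0x20)) + vd(255, None)
    return bytes(img)
```

Running `find_inconsistencies(build_sample())` yields one finding for the mismatched secondary descriptor and one for the two descriptors disagreeing on the root extent; a tool that reads only one byte order, or only the first descriptor, would report neither.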

Evaluation Methodology

The study carries out different evaluations of the forensic tools using endian ordering, inconsistent directory trees, and an empty root directory within the secondary volume descriptor. The first evaluation uses inconsistent directory trees to determine whether it is possible to view an image within…

References

Carrier, B. (2005). File System Analysis. Addison Wesley Professional, USA.

Carrier, B.D. (2010). Different interpretations of ISO9660 file systems. Digital Investigation, 7: S129-S134.

Coward, J. (2009). Computer Forensics: Breaking down the 1's and 0's of cyber activity for potential evidence. Information Security Writers.

Dixon, P.D. (2005). An overview of computer forensics. IEEE Potentials (IEEE) 24 (5): 128-136.