CDs and DVDs might not be as popular these days as they used to be, but their structure is very interesting from a forensic point-of-view when someone is learning about data structures. It is interesting how a value can be saved in little-endian and in big-endian formats to provide access regardless of the platform. The date and time stamps are also not in "standard format" that we seen in most forensic investigations on storage devices. The application identifier might also be of use in investigations.
| BytePosition | Field Name | Content |
| 1 | Volume Descriptor Type | 1 |
| 2 - 6 | Standard Identifier | CD001 |
| 7 | Volume Descriptor Version | 1 |
| 8 | Unused Field | (00)17 byte |
| 9 - 40 | System Identifier | a-characters allowed18 |
| 41 - 72 | Volume Identifier | d-characters allowed19 |
| 73 - 80 | Unused Field | (00) bytes |
| 81 - 88 | Volume Space Size | Number of logical blocks in the Volume |
| 89 - 120 | Unused Field | (00) bytes |
| 121 - 124 | Volume Set Size | The assigned Volume Set size of the Volume |
| 125 - 128 | Volume Sequence Number | The ordinal number of the volume in the Volume Set |
| 129 - 132 | Logical Block Size | The size in bytes of a Logical Block |
| 133 - 140 | Path Table Size | Length in bytes of the path table |
| 141 - 144 | Location of Type L Path Table | Logical Block Number of first Block allocated to the Type L |
| Path Table, Type L meaning multiple byte numerical values are | ||
| recorded with least significant byte first. This value is also | ||
| recorded with least significant byte first. | ||
| 145 - 148 | Location of Optional Type L Path Table | 0 if Optional Path Table was not recorded, otherwise, Logical |
| Block Number of first Block allocated to the Optional Type L | ||
| Path Table. | ||
| 149 - 152 | Location of Type M Path Table | Logical Block Number of first Block allocated to the Type M |
| Path Table, Type M meaning multiple byte numerical values are | ||
| recorded with most significant byte first. This value is also | ||
| recorded with most significant byte first. | ||
| 153 - 156 | Location of Optional Type M Path Table | 0 if Optional Path Table was not recorded, otherwise, Logical |
| Block Number of first Block allocated to the Type M Path Table. | ||
| 157 - 190 | Directory record for Root Directory | This is the actual directory record for the top of the directory |
| structure. See the section on directory records for the format of this data. | ||
| 191 - 318 | Volume Set Identifier | Name of the multiple volume set of which this volume is a |
| member. d-characters allowed. | ||
| 319 - 446 | Publisher Identifier | Identifies who provided the actual data contained in the files. a-characters allowed. |
| 447 - 574 | Data Preparer Identifier | Identifies who performed the actual creation of the current |
| volume. a-characters allowed. | ||
| 575 - 702 | Application Identifier | Identifies the specification of how the data in the files are |
| recorded. For example, this field might contain SGML if the | ||
| files were recorded according to the Standard Generalized Markup | ||
| Language | ||
| 703 - 739 | Copyright File Identifier | Identifies the file in the root directory that contains the |
| copyright notice for this volume. If there is no copyright file, | ||
| this field should contain all spaces (20) Level 1 interchange | ||
| restrictions apply.20 | ||
| 740 - 776 | Abstract File Identifier | Identifies the file in the root directory that contains the abstract |
| statement for this volume. If there is no copyright file, this | ||
| field should contain all spaces (20) Level 1 interchange | ||
| restrictions apply. | ||
| 777 - 813 | Bibliographic File Identifier | Identifies the file in the root directory that contains |
| bibliographic records. ISO-9660 does not specify the format of | ||
| these records. If there is no copyright file, this field should | ||
| contain all spaces (20) Level 1 interchange restrictions apply. | ||
| 814 - 830 | Volume Creation Date and Time | Date and time at which the volume was created. |
| Represented by seven bytes: | ||
| 1: Number of years since 1900 | ||
| 2: Month of the year from 1 to 12 | ||
| 3: Day of the Month from 1 to 31 | ||
| 4: Hour of the day from 0 to 23 | ||
| 5: Minute of the hour from 0 to 59 | ||
| 6: second of the minute from 0 to 59 | ||
| 7: Offset from Greenwich Mean Time in | ||
| number of 15 minute intervals from -48(West) to +52(East) | ||
| 831 - 847 | Volume Modification Date and Time | Date and time at which the volume was last modified. |
| Represented the same as the Volume Creation Date and Time | ||
| 848 - 864 | Volume Expiration Date and Time | Date and Time at which the information in the volume may be |
| considered obsolete. Represented the same as the Volume | ||
| Creation Date and Time | ||
| 865 - 881 | Volume Effective Date and Time | Date and Time at which the information in the volume may be |
| used. Represented the same as the Volume Creation Date and Time | ||
| 882 | File Structure Version | 1 |
| 883 | Reserved for future standardization | (00) |
| 884 - 1395 | Application Use | This field is reserved for application use. Its content is not |
| specified by ISO-9660. | ||
| 1396 - 2048 | Reserved for future standardization | All bytes must be set to (00). |
17 Numbers surrounded by parentheses () are hexadecimal numbers.
18 a-characters are A-Z, 0-9, _, space, !, ", %, &, ', (, ), *, +, ,, -, ., /, :, ;, <, =, >, ?
see ISO-9660:1988, Annex A, Table 15
19 d-characters are A-Z, 0-9, _
see ISO-9660:1988, Annex A, Table 14
18 a-characters are A-Z, 0-9, _, space, !, ", %, &, ', (, ), *, +, ,, -, ., /, :, ;, <, =, >, ?
see ISO-9660:1988, Annex A, Table 15
19 d-characters are A-Z, 0-9, _
see ISO-9660:1988, Annex A, Table 14
20 For a description of the level 1 interchange restrictions, see page <?>
Ref: "Introduction to ISO 9660", Disc Manufacturing, Inc., by Clayton Summers
No comments:
Post a Comment