carl_legere
asked on
CD WHEN WAS IT WRITTEN?
Working on a forensic job. Need to determine WHEN a CD was copied with a disk copier similar to Easy CD creator. The standard tools that read ATIP info which unfortunately gives the date the CD was initially mastered. We are dealing with CD's that are copied, according to a quick experiment with a manufactured disk, the Content Date reported by Nero Info Tool is the same value on a copy and original. Where to look for hidden information about when the copy was done?
knoxzoo
The whole idea behind a copier utility is to make an exact duplicate of the original. If the date info changed anywhere on the disk, there would be no need for all the various copyguard schemes. It would be a simple matter of telling the program to look for a specific date on a specific area of the disk.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Use IsoBuster Pro 1.8, load the CD/DVD, go to Sector view, jump to sector 16 and following -- there you will find all of the forensic information you can get from the burning event itself. Most is encoded, and sorry, I cannot say what it all means, that would be a little too much for a public forum, but you can figure out a lot of it yourself.
Short of that, you would have to do a surface analysis of the disc and this would not be conclusive. Remember, other than the burning event information Ive shown you how to find, above, a true clone is a true clone, there is not ONE byte difference at the sector level across the entire disc.
Short of that, you would have to do a surface analysis of the disc and this would not be conclusive. Remember, other than the burning event information Ive shown you how to find, above, a true clone is a true clone, there is not ONE byte difference at the sector level across the entire disc.
The Primary Volume Descriptor recorded starting at Sector 16 does indeed contain the recording date and time ==> but I'm not at all sure this is replaced when duplicating a CD. It won't hurt to check it, however. The Recording Date and Time is in byte positions 19 through 25, and is structured as shown in the detailed layout of the Primary Volume Descriptor shown here:
http://www.cdroller.com/htm/technol.html
Let us know if that field is indeed updated when a copy is made.
http://www.cdroller.com/htm/technol.html
Let us know if that field is indeed updated when a copy is made.
carl_legere => Just curious if you were able to determine the date from the primary volume descriptor ...
I think my answer answers this Q as best as can be done
I don't believe IsoBuster shows the Primary Volume Descriptor info, which is what is required to determine the actual date information --> it's also not clear that the PVD is modified during a "copy" operation. But if it is, it requires more detailed tools; IsoBuster is more of an "extract the data" program than a "show the raw sectors" program.
ASKER
.. was not able to solve the problem, which is logical considering the details.
I'm not surprised ... as I noted earlier, it's not clear the PVD is modified during a copy; and if not then there's no way to determine the actual date it was written (only the date the original was written).