Solved

CD WHEN WAS IT WRITTEN?

Posted on 2006-07-05
10
272 Views
Last Modified: 2010-04-03
Working on a forensic job.  Need to determine WHEN a CD was copied with a disk copier similar to Easy CD creator.  The standard tools that read ATIP info which unfortunately gives the date the CD was initially mastered.  We are dealing with CD's that are copied, according to a quick experiment with a manufactured disk, the Content Date reported by Nero Info Tool is the same value on a copy and original. Where to look for hidden information about when the copy was done?
0
Comment
Question by:carl_legere
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
10 Comments
 
LVL 11

Expert Comment

by:knoxzoo
ID: 17046612
The whole idea behind a copier utility is to make an exact duplicate of the original.  If the date info changed anywhere on the disk, there would be no need for all the various copyguard schemes.  It would be a simple matter of telling the program to look for a specific date on a specific area of the disk.

0
 
LVL 70

Accepted Solution

by:
garycase earned 500 total points
ID: 17051171
Do you know the specific copy utility that was used?   As knoxzoo noted, the goal of a good copier is to make an EXACT copy -- so there may very well be no indication of the date it was made.   That's the reason Microsoft uses disk holograms to identify legitimate copies of their software -- they tried various schemes to embed info on the CD's, but the duplication industry could duplicate any of them.   So they resorted to a physical modification of the CD (holograms) that is very difficult to duplicate; and to the activation process so the copies couldn't be used.

IF by chance the original disc used a copy protection mechanism, then the copy will most likely be identifiable as to what technique was used to bypass the copy protection;  but from your description this does not appear to be the case.   So I suspect you simply won't be able to identify the date the copy was made.  Even very detailed forensic analysis software (e.g. Infinadyne's CD/DVD Inspector) is not likely to be able to help -- they are focused on recovering WHAT is on the disc, and showing everything that was ever recordered on it; but in a disc copy case (i.e. not a FILE copy case) the only thing ever recorded on the blank is most likely simpy an exact copy of the original CD.


0
 
LVL 44

Expert Comment

by:scrathcyboy
ID: 17056473
Use IsoBuster Pro 1.8, load the CD/DVD, go to Sector view, jump to sector 16 and following -- there you will find all of the forensic information you can get from the burning event itself.  Most is encoded, and sorry, I cannot say what it all means, that would be a little too much for a public forum, but you can figure out a lot of it yourself.  

Short of that, you would have to do a surface analysis of the disc and this would not be conclusive.  Remember, other than the burning event information Ive shown you how to find, above, a true clone is a true clone, there is not ONE byte difference at the sector level across the entire disc.
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 70

Expert Comment

by:garycase
ID: 17056541
The Primary Volume Descriptor recorded starting at Sector 16 does indeed contain the recording date and time ==> but I'm not at all sure this is replaced when duplicating a CD.  It won't hurt to check it, however.   The Recording Date and Time is in byte positions 19 through 25, and is structured as shown in the detailed layout of the Primary Volume Descriptor shown here:
http://www.cdroller.com/htm/technol.html

Let us know if that field is indeed updated when a copy is made.


0
 
LVL 70

Expert Comment

by:garycase
ID: 17453086
carl_legere => Just curious if you were able to determine the date from the primary volume descriptor ...

0
 
LVL 44

Expert Comment

by:scrathcyboy
ID: 17597160
I think my answer answers this Q as best as can be done
0
 
LVL 70

Expert Comment

by:garycase
ID: 17597492
I don't believe IsoBuster shows the Primary Volume Descriptor info, which is what is required to determine the actual date information --> it's also not clear that the PVD is modified during a "copy" operation.   But if it is, it requires more detailed tools;  IsoBuster is more of an "extract the data" program than a "show the raw sectors" program.
0
 
LVL 18

Author Comment

by:carl_legere
ID: 17600833
.. was not able to solve the problem, which is logical considering the details.
0
 
LVL 70

Expert Comment

by:garycase
ID: 17601211
I'm not surprised ... as I noted earlier, it's not clear the PVD is modified during a copy;  and if not then there's no way to determine the actual date it was written (only the date the original was written).

0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lets start to have a small explanation what is VAAI(vStorage API for Array Integration ) and what are the benefits using it. VAAI is an API framework in VMware that enable some Storage tasks. It first presented in ESXi 4.1, but only after 5.x sup…
This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
This video teaches viewers how to encrypt an external drive that requires a password to read and edit the drive. All tasks are done in Disk Utility. Plug in the external drive you wish to encrypt: Make sure all previous data on the drive has been …
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question