Solved

CD - who burnt it

Posted on 2011-03-01
Last Modified: 2012-05-11
I recently found an old external CD/DVD player with a CD in it, when I opened the CD I found it was full of images and video clips. Whereas they weren’t inappropriate per se, they were still personal and should not have been on corporate equipment. My question is, is there any way with only the CD/DVD to determine who burnt/dragged/saved them onto the disc itself? The issue is this device was a section shared device, so technically up to 30 people had access to the device over a 2 year period.

If there is metadata or a way of determining who put the data there, how reliable is such metadata/audit data, and can it be tampered with on such media? If it makes any odds everyone’s PC at the time (which ideally I don’t want to get into a game of having to get a 3rd party in to image everyone’s machine and look for traces of the same image on everyone’s PC) were running Windows XP. There’s no guarantee though the CD/DVD burner wasn’t taken offsite and used personally.
Question by:pma111
32 Comments
 
LVL 2

Assisted Solution

by:brewsterm
brewsterm earned 25 total points
ID: 35006489
0
 
LVL 3

Author Comment

by:pma111
ID: 35006563
Thanks. What about images downloaded from the net? I could really do with a Windows alias/username. As opposed to those dragged on CD from a digital camera archive? Is that tool free? I am having difficulty reading the link on my phone.
0
 
LVL 11

Accepted Solution

by:Plantwiz
Plantwiz earned 100 total points
ID: 35006683
If the image has no copyright info, you have a little bit of a challenge.

IRFANVIEW is a pretty interesting program:
http://www.irfanview.com/
And you could use this to id the camera and possibly the camera owner

And you may also use tineye.com to further search and see if the image is posted anywhere on the Net.  The repository of images is only around a billion, but it is growing and so if the images exist, you may find some online to help ID your owner.


If your window for ID'ing this person is from a 2 year period from several people in an area, it is possible the person no longer works there correct?

Are you looking to solve this for educational purposes?  Or press charges on someone?  Just curious.  
0
 
LVL 3

Author Comment

by:pma111
ID: 35006708
>If your window for ID'ing this person is from a 2 year period from several people in an area, it is possible the person no longer works there correct?

Not correct

>Are you looking to solve this for educational purposes?  Or press charges on someone?  Just curious.  

Charge is the wrong word but a quiet word in the ear that such material should not be stored and viewed at work would suffice

As I say, some of these pics are not those taken on a digital camera, some are clearly just those downloaded from the internet
0
 
LVL 11

Expert Comment

by:Plantwiz
ID: 35006827
>>If your window for ID'ing this person is from a 2 year period from several people in an area, it is possible the person no longer works there correct?

>Not correct

No turnover?  Cool.  


>>Are you looking to solve this for educational purposes?  Or press charges on someone?  Just curious.  

>Charge is the wrong word but a quiet word in the ear that such material should not be stored and viewed at work would suffice

Could go for the bold move of...simply asking.  If the team has been together that long without turnover, it is possible the integrity is high and someone will just say 'hey, it's mine'.

Or tell them you'll track whose it is, but you want to give the team an opportunity to fess-up and leave it as lesson learned.  Might save you hours of work.


>As I say, some of these pics are not those taken on a digital camera, some are clearly just those downloaded from the internet

Use Tineye.com

You may find images on someone's facebook or other personal page.
0
 
LVL 3

Author Comment

by:pma111
ID: 35006867
Yeah no turnover in that team I just checked payroll records....

The asking process will take place, but I want something to fall back on in case they all say nope not me. So tineye.com will show where on the internet the image can be downloaded from, is that correct? So if an image on the camera matches up with an image found on tineye.com from a facebook page - yeah I see where you are coming from.


Just to confirm - nowhere in the CD will there be a Windows username that shows it was created by user X, or accessed by user X?

0
 
LVL 6

Assisted Solution

by:Mistralol
Mistralol earned 25 total points
ID: 35006900

Maybe you could try this.

md5sum each of the files on the cd / dvd and then search their documents on the computer for files with matching md5sums

0
 
LVL 3

Author Comment

by:pma111
ID: 35006970
Hmm that's an idea but again would be a lengthy process going across 30 PCs...

For starters - how do you MD5 each file, and then, how do you search the MD5 on other devices?

And can you explain in layman's terms how the MD5 hash works, in the context of if picture X was found on this PC, this server, this camera, if you MD5 the file from any of these devices, then search every other device, if it is on every other device will it flag it up?
0
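
The hash comparison suggested above, as an added example that is not part of the original thread: it indexes every file on the disc by size and MD5, then walks a folder on a PC and reports files with identical content. The function names and the command-line paths are illustrative assumptions.

```python
import hashlib
import os
import sys

def file_digest(path, algo="md5", chunk_size=1 << 20):
    """Hash a file's contents in chunks; the name and timestamps play no part."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def walk_files(root):
    """Yield (path, size) for every regular file under root, skipping unreadable ones."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                if os.path.isfile(path):
                    yield path, os.path.getsize(path)
            except OSError:
                continue

def index_disc(disc_root, algo="md5"):
    """Map (size, digest) -> [paths on the disc]."""
    index = {}
    for path, size in walk_files(disc_root):
        index.setdefault((size, file_digest(path, algo)), []).append(path)
    return index

def find_matches(index, search_root, algo="md5"):
    """Return [(path_on_pc, [paths_on_disc])] for files identical to a disc file."""
    wanted_sizes = {size for size, _ in index}
    matches = []
    for path, size in walk_files(search_root):
        if size not in wanted_sizes:
            continue  # cheap pre-filter: a different size can never be the same file
        try:
            key = (size, file_digest(path, algo))
        except OSError:
            continue  # locked or unreadable file
        if key in index:
            matches.append((path, index[key]))
    return matches

if __name__ == "__main__":
    disc, target = sys.argv[1], sys.argv[2]  # assumed usage: <disc root> <folder to search>
    for found, originals in find_matches(index_disc(disc), target):
        print(found, "==", ", ".join(originals))
```

A match means the file on the PC is byte-for-byte identical to one on the disc, whatever it has been renamed to; a copy that was resized, cropped or re-saved has different bytes and will not match.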
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 100 total points
ID: 35006986
While each cd burner has a unique serial number *and* that is burnt to the media when it is used, you will be lucky if that helps - as odds are good it was burnt using the external you found it in and/or using an old drive no longer used by its original owner.

Unless you want to look for fingerprints on the physical media (and odds are good you have now handled it enough that any you find are going to be yours, even if the thing wasn't handled entirely from the edges) OR there is a handwritten label you might be able to look at the handwriting on, you are unlikely to get far with this one.
0
 
LVL 3

Author Comment

by:pma111
ID: 35006990
Just to confirm - nowhere in the CD will there be a Windows username that shows it was created by user X, or accessed by user X?
0
 
LVL 2

Expert Comment

by:brewsterm
ID: 35007024
You're only going to get information about the computer or burner from the disc.
0
 
LVL 3

Author Comment

by:pma111
ID: 35007055
>>While each cd burner has a unique serial number *and* that is burnt to the media when it is used,

How and where can this be seen on the CD itself?
0
 
LVL 11

Expert Comment

by:Plantwiz
ID: 35007083
No, I do not believe you can find a USER NAME or NETBIOS on a cd.
This info is generally found in the application used to burn the file, but I've not seen it on the cd itself.

I'm going to check one thing...
0
 
LVL 3

Author Comment

by:pma111
ID: 35007088
>>You're only going to get information about the computer or burner from the disc.

How? How to get information about the computer or burner from the disc?
0
 
LVL 11

Expert Comment

by:Plantwiz
ID: 35007287
@pma111

You'll be looking for what is called the  Recorder Identification Code
The software used to burn the media should also be recorded unless these items were 'hacked' to prevent them from identifying the source.


I'm sifting through this:
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=6254

It looks like it will require a 3rd party tool to extract the data
Infinadyne software


still looking...


0
 
LVL 11

Expert Comment

by:Plantwiz
ID: 35007300
Syngress has some good texts:

http://www.infinadyne.com/cddvdforensicsbook.html

And with their books are typically tools for use.
0

 
LVL 11

Expert Comment

by:Plantwiz
ID: 35007309
OPEN Source CDRTOOLS

http://cdrecord.berlios.de/private/cdrecord.html


I haven't tested this one, but I'm curious about it now and will test it soon.
0
 
LVL 3

Author Comment

by:pma111
ID: 35007328
Thanks so much for your help...
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35007730
The drive serial number (aka Recorder Identification Code) is stored in the subtrack data for the leadin - you need a subtrack capable reader (aka a karaoke cd-r drive) and fairly specialist software. The exact data is in the orange book standard, which is only available from Sony under NDA *sigh*

most forensic CD-R software will show the hidden codes (there are many!) if the drive can read them.
0
 
LVL 3

Author Comment

by:pma111
ID: 35007804
And is it easy to match this RIC back to the actual burner in a PC? Does the RIC match identically to a code stored against the CD, perhaps somewhere in properties of device manager?
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35008334
It is not directly possible, but unless you have a LOT of similar drives, usually doable.

The RIC contains the MANU (a three digit code) and the model of the drive doing the burning. If the manu supplied a custom driver (unusual these days) then the driver might have a code, but usually it's enough to scan for a drive with those codes (the driver won't have the serial, but usually the display name is exposed in the registry and once you know one, you can scan your machines quite rapidly for more, or if the department isn't that large, just go look at the machines) and if there are a few to choose from, just find one cd-r burnt with each and check the code for comparison.
0
 
LVL 3

Author Comment

by:pma111
ID: 35008360
>>most forensic CD-R software will show the hidden codes (there are many!) if the drive can read them.

Any recommendations on forensic CD software, preferably free?
0
 
LVL 3

Author Comment

by:pma111
ID: 35008377
I assume MANU represents manufacturer?
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35008710
Yup. It's a letter code, so PHI for Philips and so forth.
0
 
LVL 11

Expert Comment

by:Plantwiz
ID: 35009405
@pma111

Did you look at this one?
OPEN Source CDRTOOLS

http://cdrecord.berlios.de/private/cdrecord.html


I won't be able to download to test until a little later, but it may be useful for your need.
0
 
LVL 11

Expert Comment

by:Plantwiz
ID: 35010510
@pma111

You may find this of interest:
http://superuser.com/questions/80056/is-it-possible-to-confirm-cd-was-burned-on-a-particular-machine

Wow. The above answer is completely wrong. CD/DVD Diagnostic and CD/DVD Inspector both capture RID when it is available, but for the most part it is not.

Yes, there is a standard for RID and it is mandatory for stand-alone CD audio recorders. It has been completely implemented in all of these devices. However, most people are using computer components, not stand-alone stereo components and RID implementation is very, very spotty.

In general you have maybe a 10% chance of finding RID on a CD disc. There is no implementation of RID on DVDs, although there are some indications that a RID-like scheme was proposed as an optional part of DVD recorders, but nobody has done it to my knowledge.

The format of the RID data is completely documented in the standards documents. You just have to dig it out. But for the most part, you aren't going to see it. Look at discs written by older NEC drives (2003-2004) for an example.

Other information, such as the real date the disc was written and the application used to write the disc are much more likely to be present. Not quite as good as a serial number, but it is there and you can get it. CD/DVD Inspector makes it very simple to collect this information

Which comes back to:
http://www.infinadyne.com/cddvd_inspector.html

If you run into this sort of thing a lot, not a bad investment, but for a one time deal, a little pricy (IMO).
0
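
The write date and writing application mentioned in the answer quoted above can be read without special hardware when the disc carries an ISO 9660 file system. The following is an added example, not part of the original thread: it assumes the disc has been read into an image file, uses the standard Primary Volume Descriptor offsets, and its function names and sample values are constructed.

```python
import struct

SECTOR = 2048
# (name, offset, length) inside the Primary Volume Descriptor, per ISO 9660
TEXT_FIELDS = [
    ("system_id", 8, 32), ("volume_id", 40, 32), ("volume_set_id", 190, 128),
    ("publisher_id", 318, 128), ("data_preparer_id", 446, 128),
    ("application_id", 574, 128),
]
DATE_FIELDS = [("created", 813), ("modified", 830)]

def parse_pvd_date(raw):
    """Decode a 17-byte PVD timestamp: 16 ASCII digits plus a signed GMT offset."""
    digits = raw[:16].decode("ascii", "replace")
    if not digits.isdigit() or digits == "0" * 16:
        return None  # field not set by the burning software
    offset_min = struct.unpack("b", raw[16:17])[0] * 15  # 15-minute units
    sign = "+" if offset_min >= 0 else "-"
    hh, mm = divmod(abs(offset_min), 60)
    return "%s-%s-%s %s:%s:%s %s%02d:%02d" % (
        digits[0:4], digits[4:6], digits[6:8], digits[8:10],
        digits[10:12], digits[12:14], sign, hh, mm)

def read_pvd(image):
    """Return the PVD text and date fields from an ISO 9660 image (bytes), or None."""
    pos = 16 * SECTOR  # volume descriptors start at sector 16
    while pos + SECTOR <= len(image):
        desc = image[pos:pos + SECTOR]
        if desc[1:6] != b"CD001" or desc[0] == 255:
            break  # not ISO 9660, or descriptor set terminator reached
        if desc[0] == 1:  # primary volume descriptor
            info = {name: desc[off:off + n].decode("ascii", "replace").strip(" \x00")
                    for name, off, n in TEXT_FIELDS}
            for name, off in DATE_FIELDS:
                info[name] = parse_pvd_date(desc[off:off + 17])
            return info
        pos += SECTOR
    return None

def constructed_image():
    """Constructed sample (not from the thread): a minimal image holding only a PVD."""
    pvd = bytearray(SECTOR)
    pvd[0:7] = b"\x01CD001\x01"
    pvd[40:72] = b"HOLIDAY_PICS".ljust(32)
    pvd[574:702] = b"EXAMPLE BURNING APP 1.0".ljust(128)
    pvd[813:830] = b"2009061514300000" + struct.pack("b", 4)
    return bytes(16 * SECTOR) + bytes(pvd)
```

These values are whatever the burning software wrote, and the timestamp reflects the clock of the PC that wrote the disc; none of the fields is defined to hold a Windows user name.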
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35010641
In practice (notwithstanding the above URL) the majority of burners I have encountered have written RID data (it's probable some of the cheaper brands don't, but HP, Liteon, Philips, Sony etc. all do).

but as I said before - if you have found that disk *in an external burner* odds are good that is what burnt it, so the information isn't of much use.
0
 
LVL 32

Expert Comment

by:_
ID: 35014526
Since this is  "corporate equipment", you can run a semi-bluff, and have some fun.

Have a quiet talk with the group, and tell them "in general" what was found, but due to the cost of "cracking" the cd, that upper management decided that random monitoring will be started for now, but ANY red flags will result in the guilty party being uncovered and dismissed.


Just a thought.   : )
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35015145
coral47: That's probably the best path forward. I would also suggest that you make sure that your company has a clear, written policy on:

a) What constitutes unacceptable material to be on or in company owned equipment (not only this sort of stuff, but mp3s etc)

b) that you reserve the right to monitor or inspect company owned equipment (including but not limited to web use, email use etc)

c) how and when employees can make private communications (by telephone or email) and if there are any dedicated resources for this purpose.

If you don't already have this, write one, have each person SIGN a copy, and keep them on file.  Downstream, you could be looking at lawsuits for discrimination, invasion of privacy and illegal surveillance (yes, I know, it's your company and your equipment, but you would be surprised what you can be sued over regardless; as a fairly trite example, you own the toilets too, but you couldn't stick a secret webcam in there without having quite a *long* chat with the police after it was found)
0
 
LVL 3

Author Comment

by:pma111
ID: 35015332
Thanks for all the advice, will give the points out later today.

Plantwiz - going to download the open source tool you mentioned soon and try it...
0
 
LVL 11

Expert Comment

by:Plantwiz
ID: 35017884
I downloaded it, CDTools is not what you want for looking for IDs.  I should have read it more carefully. Neat program though.


This one has promise, albeit, not an inexpensive route
http://www.infinadyne.com/cddvd_inspector.html



And I have to 2nd or 3rd the acceptable use policy...confirm what you have on the record today, and if you need to propose a revised plan, then go that route.
0
 
LVL 1

Expert Comment

by:JohnArmstrong
ID: 35434454
Please send me a copy of the CD for further study ;-)
0
