CD - who burnt it

I recently found an old external CD/DVD player with a CD in it, when I opened the CD I found it was full of images and video clips. Whereas they weren’t inappropriate per se, they were still personal and should not have been on corporate equipment. My question is, is there anyway with only the CD/DVD to determine who burnt/dragged/saved them onto the disc itself? The issue is this device was a section shared device, so technically up to 30 people had access to the device over a 2 year period.

If there is metadata or a way of determining who put the data there, how reliable is such metadata/audit data, and can it be tampered with on such media? If it makes any odds everyone’s PC at the time (which ideally I don’t want to get into a game of having to get a 3rd party in to image everyone’s machine and look for traces of the same image on everyone’s PC) were running Windows XP. There’s no guarantee though the cd/dvd burner wasn’t took offsite and used personally.
LVL 3
pma111Asked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
PlantwizConnect With a Mentor Commented:
If the image has no copyright info, you have a little bit of a challenge.

IRFANVIEW is a pretty interesting program:
http://www.irfanview.com/
And you could use this to id the camera and possibly the camera owner

And you may also use tineye.com to further search and see if the image is posted anywhere on the Net.  The repository of images is only around a billion, but it is growing and so if the images exist, you may find some online to help ID your owner.


If your window for ID'ing this person is from a 2 year period from several people in an area, it is possible the person no longer works there correct?

Are you looking to solve this for educational purposes?  Or press charges on someone?  Just curious.  
0
 
pma111Author Commented:
Thanks. What about images downlaoded from the net? I could really do with a windows alias/username. As opposed to those dragged on CD from a digital camera archive? Is that tool free? I am having difficulty reading the link on my phone.
0
The eGuide to Automating Firewall Change Control

Today’s IT environment is constantly changing, which affects security policies and firewall rules. Discover tips to help you embrace this change through process improvement & identify areas where automation & actionable intelligence can enhance both security and business agility.

 
pma111Author Commented:
>If your window for ID'ing this person is from a 2 year period from several people in an area, it is possible the person no longer works there correct?

Not correct

>Are you looking to solve this for educational purposes?  Or press charges on someone?  Just curious.  

Charge is the wrong word but a quiet word in the ear that such material should not be stored and viewed at work would suffice

As I say, some of these pics are not those taken on a digital camera, some of clearly just those downloaded from the internet
0
 
PlantwizCommented:
>>If your window for ID'ing this person is from a 2 year period from several people in an area, it is possible the person no longer works there correct?

>Not correct

No turnover?  Cool.  


>>Are you looking to solve this for educational purposes?  Or press charges on someone?  Just curious.  

>Charge is the wrong word but a quiet word in the ear that such material should not be stored and viewed at work would suffice

Could go for the bold move of...simply asking.  If the team has been together that long without turnover, it is possible the integrity is high and someone will just say 'hey, it's mine'.

Or tell them you'll track whose it is, but you want to give the team an opportunity to fess-up and leave it as lesson learned.  Might save you hours of work.


>As I say, some of these pics are not those taken on a digital camera, some of clearly just those downloaded from the internet

Use Tineye.com

You may find images on someone's facebook or other personal page.
0
 
pma111Author Commented:
Yeah no turnover in that team I just checked payroll records....

The asking process will take place, but I want something to fall back on incase they all say nope not me. So tinyeye.com will show where on the internet the image can be downloaded from is that correct? So if an image on the camera matches up with an image found on tinyeye.com from a facebook page - yeah I see where you are coming from.


Just to confirm - no where in the CD will there be a windows username that shows it was created by user X, or accessed by user X?

0
 
MistralolConnect With a Mentor Commented:

Mayby you could try this.

md5sum each of the file's on the cd / dvd and then search their documents on the computer for files with matching md5sum's

0
 
pma111Author Commented:
Hmm thats an idea but again would be lengthy process going across 30 PC's...

For starters - how do you MD5 each file, and then, how do you search the MD5 on other devices?,

and can you explain in laymans terms how the MD5 hash works, in the context of if picture X was found on this PC, this server, this camera, if you MD5 the file from any of these devices, then search every other device, if it is on every other device will it flag it up?
0
 
Dave HoweConnect With a Mentor Software and Hardware EngineerCommented:
While each cd burner has a unique serial number *and* that is burnt to the media when it is used, you will be lucky if that helps - as odds are good it was burnt using the external you found it in and/or using a old drive no longer used by its original owner.

unless you want to look for fingerprints on the physical media (and odds are good you have now handled it enough that any you find are going to be yours, even if the thing wasn't handled entirely from the edges OR there is a handwritten label you might be able to look at the handwriting on, you are unlikely to get far with this one.
0
 
pma111Author Commented:
Just to confirm - no where in the CD will there be a windows username that shows it was created by user X, or accessed by user X?
0
 
brewstermCommented:
Your only going to get information about the computer or burner from the disc.
0
 
pma111Author Commented:
>>While each cd burner has a unique serial number *and* that is burnt to the media when it is used,

how and where can this been seen on the CD itself?
0
 
PlantwizCommented:
No, I do not believe you can find a USER NAME or NETBIOS on a cd.
This info is generally found in the application used to burn the file, but I've not seen it on the cd itself.

I'm going to check one thing...
0
 
pma111Author Commented:
>>Your only going to get information about the computer or burner from the disc.

How? How to get information about the computer or burner from the disc?
0
 
PlantwizCommented:
@pma111

You'll be looking for what is called the  Recorder Identification Code
The software used to burn the media should also be recorded unless these items were 'hacked' to prevent them from identifing the source.


I'm sifting through this:
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=6254

It looks like it will require a 3rd party tool to extract the data
Infinadyne software


still looking...


0
 
PlantwizCommented:
Syngress has some good texts:

http://www.infinadyne.com/cddvdforensicsbook.html

And with their books are typically tools for use.
0
 
PlantwizCommented:
OPEN Source CDRTOOLS

http://cdrecord.berlios.de/private/cdrecord.html


I haven't tested this one, but I'm curious about it now and will test it soon.
0
 
pma111Author Commented:
Thanks so much for your help...
0
 
Dave HoweSoftware and Hardware EngineerCommented:
The drive serial number (aka Recorder Identification Code) is stored in the subtrack data for the leadin - you need a subtrack capable reader (aka a karaoke cd-r drive) and fairly specialist software. The exact data is in the orange book standard, which is only available from Sony under NDA *sigh*

most forensic CD-R software will show the hidden codes (there are many!) if the drive can read them.
0
 
pma111Author Commented:
And is it easy to match this RIC back to the actual burner in a PC? Does the RIC match identically to a code stored against the CD, perhaps somewhere in properties of device manager?
0
 
Dave HoweSoftware and Hardware EngineerCommented:
It is not directly possible, but unless you have a LOT of similar drives, usually doable.

The RIC contains the MANU (a three digit code) and the model of the drive doing the burning. If the manu supplied a custom driver (unusual these days) then the driver might have a code, but usually its enough to scan for a drive with those codes (the driver won't have the serial, but usually the display name is exposed in the registry and once you know one, you can scan your machines quite rapidly for more, or if the department isn't that large, just go look at the machines) and if there are a few to choose from, just find one cd-r burnt with each and check the code for comparison.
0
 
pma111Author Commented:
>>most forensic CD-R software will show the hidden codes (there are many!) if the drive can read them.

Any recommendations on forensic CD software, preferably free?
0
 
pma111Author Commented:
I assume MANU represents manufacturer?
0
 
Dave HoweSoftware and Hardware EngineerCommented:
yup. its a letter code, so PHI for Phillips and so forth.
0
 
PlantwizCommented:
@pma111

Did you look at this one?
OPEN Source CDRTOOLS

http://cdrecord.berlios.de/private/cdrecord.html


I won't be able to download to test until a litlte later, but it may be useful for your need.
0
 
PlantwizCommented:
@pma111

You may find this of interest:
http://superuser.com/questions/80056/is-it-possible-to-confirm-cd-was-burned-on-a-particular-machine

Wow. The above answer is completely wrong. CD/DVD Diagnostic and CD/DVD Inspector both capture RID when it is available, but for the most part it is not.

Yes, there is a standard for RID and it is mandatory for stand-alone CD audio recorders. It has been completely implemented in all of these devices. However, most people are using computer components, not stand-alone stereo components and RID implementation is very, very spotty.

In general you have maybe a 10% chance of finding RID on a CD disc. There is no implementation of RID on DVDs, although there are some indications that a RID-like scheme was proposed as an optional part of DVD recorders, but nobody has done it to my knowledge.

The format of the RID data is completely documented in the standards documents. You just have to dig it out. But for the most part, you aren't going to see it. Look at discs written by older NEC drives (2003-2004) for an example.

Other information, such as the real date the disc was written and the application used to write the disc are much more likely to be present. Not quite as good as a serial number, but it is there and you can get it. CD/DVD Inspector makes it very simple to collect this information

Which comes back to:
http://www.infinadyne.com/cddvd_inspector.html

If you run into this sort of thing a lot, not a bad investment, but for a one time deal, a little pricy (IMO).
0
 
Dave HoweSoftware and Hardware EngineerCommented:
in practice (not withstanding the above url) the majority of burners I have encountered have written RID data (its probable some of the cheaper brands don't, but hp, liteon, philips sony etc all do.

but as I said before - if you have found that disk *in an external burner* odds are good that is what burnt it, so the information isn't of much use.
0
 
_Commented:
Since this is  "corporate equipment", you can run a semi-bluff, and have some fun.

Have a quiet talk with the group, and tell them "in general" what was found, but due to the cost of "cracking" the cd, that upper management decided that random monitoring will be started for now, but ANY red flags will result in the guilty party being uncovered and dismissed.


Just a thought.   : )
0
 
Dave HoweSoftware and Hardware EngineerCommented:
coral47: That's probably the best path forward. I would also suggest that you make sure that your company has a clear, written policy on:

a) What constitutes unacceptable material to be on or in company owned equipment (not only this sort of stuff, but mp3s etc)

b) that you reserve the right to monitor or inspect company owned equipment (including but not limited to web use, email use etc)

c) how and when employees can make private communications (by telephone or email) and if there are any dedicated resources for this purpose.

if you don't already have this, write one, have each person SIGN a copy, and keep them on file.  Downstream, you could be looking at lawsuits for discrimination, invasion of privacy and illegal surveillance (yes, I know, its your company and your equipment, but you would be surprised what you can be sued over regardless; as a fairly trite example, you own the toilets too, but you couldn't stick a secret webcam in there without having quite a *long* chat with the police after it was found)
0
 
pma111Author Commented:
Thanks fof all the advice wil give the points out later today.

Plantwiz - going to download the open source tool you mentioned soon and try it...
0
 
PlantwizCommented:
I downloaded it, CDTools is not what you want for looking for IDs.  I should have read it more carefully. Neat program though.


This one has promise, albeit, not an inexpensive route
http://www.infinadyne.com/cddvd_inspector.html



And I have to 2nd or 3rh the acceptable use policy...confirm what you have on the record today, and if you need to propose a revised plan, than go that route.
0
 
JohnArmstrongCommented:
Please send me a copy of the CD for further study ;-)
0
All Courses

From novice to tech pro — start learning today.