Comments on Hacking Exposed Computer Forensics Blog: Back to Basics, CD and DVD basic forensics
David Cowen
Updated: 2023-12-28T03:01:49.774-06:00

Anonymous (2012-08-18T22:20:44.691-05:00):
Since the time stamp in burned CDs also includes the GMT timezone offset, it should be possible to identify if a suspect modified the timezone settings before/after burning a CD. It might be possible to see time zone change patterns by comparing a few burned CDs from the suspect's collection. I have not seen other standards than ISO 9660 that include the timezone info in their time stamps. It is also interesting to note that many of the values saved in ISO 9660 are stored in little-endian and big-endian formats, most likely to be able to read it in Intel and PowerPC based hardware.

Time stamp structure:
1: Number of years since 1900
2: Month of the year from 1 to 12
3: Day of the Month from 1 to 31
4: Hour of the day from 0 to 23
5: Minute of the hour from 0 to 59
6: second of the minute from 0 to 59
7: Offset from Greenwich Mean Time in number of 15 minute intervals from -48(West) to +52(East)

i.e.: 70070F062B1900
Meaning: 2012 May, 15 at 6:43:25 a.m. GMT-00

David Cowen (2012-08-08T13:40:35.996-05:00):
Hi Anonymous, sorry for the late reply.

The CD does not have its own internal clock. The only thing you can hope for is that the event logs show the time change or that MFT records a file id out of sequence for the create time to detect that fact.

Anonymous (2012-07-10T13:49:40.924-05:00):
Hi David, is there a way to identify the actual time of burning if the system clock of the computer was tampered with or modified? Wouldn't the CD have its own internal clock in its system? I'm not sure if ISO 9660 has its own date and time internalized once a CD is manufactured...

Anonymous (2012-06-14T20:27:33.654-05:00):
I like reading articles like this since this is almost an art form that is disappearing with all the push-button "Nintendo" forensic tools around. You also have a great gift to explain complex concepts in a simple manner. Feed us more, we are hungry :-)

David Cowen (2012-02-28T18:21:45.097-06:00):
Sorry, it's only what the software/ISO format chooses to place there.

Anonymous (2012-02-21T19:56:56.340-06:00):
Hmmmm.... I would have guessed all of that, but more importantly to forensics, why would it not include the OS that was used including possibly the serial number of the OS? Or what about any other serial numbers of other hardware/software that could be tracked to a suspect, if they had registered it? Most of that info seems circumstantial at best. Wait.....maybe they burned the volume label with their name and address? :-)

Anonymous (2012-02-07T04:21:31.860-06:00):
Really, I am impressed. What a wonderful presentation. Now I am happy. Thank You
Socialkik

print (2011-12-15T04:05:25.390-06:00):
Wow, great article, I really appreciate your thought process and having it explained properly, thank you!
Uv Ink

Forensic Computer (2011-12-05T12:15:04.632-06:00):
Very interesting article! Reminds me of the stuff I used to do way back in the day!