
Reliability of Timestamps on Optical Media

October 26, 2011

Recently, I was teaching a class and we were looking at a disc that was produced for the students on a disc publishing system. There was a difference between two timestamps that should really be the same on the disc. One of the students suggested that this discrepancy called into question all of the times on the disc and pretty much invalidated the entire disc as a source of evidence.

Well, I don’t think I would go so far as invalidating the disc, but it is important to understand the relationship between all the different times on a disc and what it means or does not mean when there are unexplained differences.

Today, in the PC world there are two types of discs that are common to encounter: ISO 9660/Joliet and UDF. ISO 9660 combined with Joliet provides for up-to-64 character Unicode file names and file sizes up to 2GB-1 bytes and these discs can generally be read by both PC-type and Mac-type computers today. UDF discs are usually made with drag-and-drop writing programs but can also be made using the native disc writing capabilities in Windows 7.

On the Mac front most discs are going to be either ISO 9660 or HFS/HFS+. ISO 9660 has the advantage of being readable on a PC whereas HFS/HFS+ discs cannot be.

For the purposes of this discussion I am going to focus on the ISO 9660 file system structure with the understanding that Joliet is identical in structure as far as dates and times are concerned. If both file systems are present on a disc, then everything that is described here is applicable to Joliet as well as ISO 9660.

The first thing to understand is how many timestamps are present on a disc. Let’s consider a disc with 100 files on it organized as follows:

[50 .jpg picture files]
[49 .mp3 music files]

So, how many timestamps do you believe are present on this disc? Most people aren’t going to get this one right. The answer is 110. Unlike hard-disk file systems there is only a single time for each file, so that takes care of 100 of those. There are three directories on the disc: root, PICS and MUSIC. The directories PICS and MUSIC each have a directory entry for the directory itself plus a . (self) and .. (parent) directory entry in the directory itself. The root directory also has a directory entry and a . and .. directory entry. All this adds up to 109. The last one comes from the file system structure itself with a Volume Create timestamp.

Most of these timestamps are visible from Windows or anything that will display a directory. However, the important timestamps are those that are not visible without more specialized tools. Obviously, I’d like to think you are going to use CD/DVD Inspector for this sort of thing, but there are others out there that will do the job as well.

The first thing that I want to stress here is that for ISO 9660 and Joliet file systems there is only a single time stamp per file. If you would like to check this out, you might try reading the information in the ISO 9660 standard or the copy that the ECMA provides for free. Check out the ECMA 119 standard document. You want to look at page 27, section 9 where a directory entry is described. Now, if you have access to EnCase or FTK I suggest examining a disc with an ISO 9660 file system on it. Note that there is the clear implication of there being more than a single time stamp present. This is a danger that you must contend with if you are going to use tools not specifically designed for examining CDs and DVDs.

Note: this item in EnCase has tripped up at least one forensic consultant that I know of.

One of the more common questions when looking at a CD or DVD is when this disc was written. Unfortunately, there is no impartial standard time that is present on a disc. We are completely at the mercy of the computer’s clock and whatever it was set to at the time the disc was written. These days it is pretty common for all computers to actually have the correct, current time so this is not the issue it was before Internet connections were common.

So, where can we look on the disc to see when it was written? Amazingly, there is no field on the disc that Windows displays that shows this. For ISO 9660 there is a standard timestamp called Volume Create which is almost always set and your CD examination tool should be displaying it. The negative side of this timestamp is that many disc mastering programs allow the user to specify this date and time as anything the user wishes.

However, there are three more timestamps that can be interesting. The root directory has a file directory entry and there are the . and .. entries. Each of these has a timestamp, and no mastering software that I have encountered allows the user to set these values. So the root directory timestamps are going to be more accurate than the Volume Create timestamp or at least equal to it.

One note aside here is that, as a result of the class at the FBI, I contacted the disc publisher manufacturer and advised them of the discrepancy between timestamps. They suggested that, if it was a problem, the UDF file system be used instead. The exact discrepancy is that the Volume Create time is one hour in advance of the correct time, which is in the root directory timestamp. So, again, the root directory timestamp proves to be the more accurate, and we have a handy way of identifying discs produced on a Rimage system with nearly 100% certainty.
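The comparison described above, as an added example (not code from the original post or from any tool it mentions): Python that reads the Volume Create field from the ISO 9660 primary volume descriptor and the three root directory timestamps, then reports the difference between them. It assumes a single-session image with 2048-byte sectors and the descriptor at sector 16; the function names are illustrative, and the sample image is constructed to reproduce the one-hour discrepancy.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 2048  # logical sector size assumed for the image

def _tz(q):
    return timezone(timedelta(minutes=15 * q))  # offset from GMT in 15-minute units

def pvd_time(b):
    """17-byte volume descriptor date: 16 ASCII digits plus a signed offset byte."""
    s = b[:16].decode("ascii")
    if not s.strip("0"):
        return None  # all zeros means the field was not recorded
    t = datetime.strptime(s[:14], "%Y%m%d%H%M%S")
    return t.replace(microsecond=int(s[14:]) * 10000, tzinfo=_tz(struct.unpack("b", b[16:17])[0]))

def dir_time(b):
    """7-byte directory record date: years since 1900, M, D, h, m, s, signed offset."""
    y, mo, d, h, mi, s, q = struct.unpack("<6Bb", b[:7])
    return datetime(1900 + y, mo, d, h, mi, s, tzinfo=_tz(q))

def disc_times(img):
    """Return Volume Create plus the three root directory timestamps."""
    pvd = img[16 * SECTOR:17 * SECTOR]
    if pvd[:6] != b"\x01CD001":
        raise ValueError("no ISO 9660 primary volume descriptor at sector 16")
    root = pvd[156:190]                      # root directory record inside the PVD
    lba = struct.unpack_from("<I", root, 2)[0]
    ext = img[lba * SECTOR:(lba + 1) * SECTOR]
    dot, dotdot = ext[:ext[0]], ext[ext[0]:ext[0] + ext[ext[0]]]
    return {"volume_create": pvd_time(pvd[813:830]), "root_record": dir_time(root[18:25]),
            "root_dot": dir_time(dot[18:25]), "root_dotdot": dir_time(dotdot[18:25])}

def volume_create_skew(img):
    """Volume Create minus the root directory record time (zero when they agree)."""
    t = disc_times(img)
    return t["volume_create"] - t["root_record"]

def make_sample():
    """Constructed image: Volume Create stamped one hour ahead of the root directory."""
    stamp = bytes([111, 10, 26, 14, 30, 0]) + struct.pack("b", -16)  # 2011-10-26 14:30 -04:00
    def rec(name):  # minimal 34-byte directory record pointing at sector 18
        return (struct.pack("<BBI", 34, 0, 18) + struct.pack(">I", 18) + struct.pack("<I", SECTOR)
                + struct.pack(">I", SECTOR) + stamp + b"\x02\x00\x00\x01\x00\x00\x01\x01" + name)
    pvd = bytearray(SECTOR)
    pvd[0:7], pvd[156:190] = b"\x01CD001\x01", rec(b"\x00")
    pvd[813:830] = b"2011102615300000" + struct.pack("b", -16)
    root = (rec(b"\x00") + rec(b"\x01")).ljust(SECTOR, b"\x00")
    return bytes(16 * SECTOR) + bytes(pvd) + bytes(SECTOR) + root
```

To examine a real disc image, pass its bytes (for example from `open(path, "rb").read()`) to `disc_times`; a nonzero result from `volume_create_skew` is the kind of difference discussed above.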
