J. Grotepass
Username: jgrotepass
Registered: N/A
Posted on Wednesday, Sep 6, 2006 - 21:58:
Hi all, as a newbie to this product I might have overlooked something important, but my template that lists ISO9660 directory entries gets a wrong calculation even though the data is correct (at least as far as I can see and calculate it). First of all, I was really missing some CD templates. This seems to be a blind spot in all forensic tools. Anyhow, I built a basic template that should list all entries in a directory sector. Here is the template:

========
template "ISO9660-Directory Records"
// Template by Jochen Grotepass
// SAGA D.C. GmbH
// To be applied to sector indicated in root-record of volume info
description "ISO9660 Directories"
applies_to disk
sector-aligned
read-only
// multiple

begin
{
    // record length is unsigned (a record may be up to 255 bytes long)
    uint8 "DirRecLen"
    IfEqual "DirRecLen" 0
        exitloop
    else
        section "ISO9660 Directory Entry ~"
        // extended attribute record length
        hex 1 "Should be 00"
        // both-endian fields: read the little-endian copy, skip the big-endian one
        uint32 "First Sector of Data or Dir"
        move 4
        uint32 "No of Bytes for data or LDir"
        move 4
        // recording date/time, 7 bytes
        uint8 "Year (+1900)"
        int8 "Month"
        int8 "Day"
        int8 "Hour"
        int8 "Minute"
        int8 "Second"
        // signed, in 15-minute intervals from GMT
        int8 "Offset to UTC"
        binary "File Flags (M00PRADH) see doc"
        int8 "File unit size"
        int8 "Interleave gap size"
        uint16 "Vol-Seq-No"
        move 2
        // identifier length is unsigned as well
        uint8 "idlength"
        char[idlength] "Name"
        // skip pad byte (if idlength is even) and system use area
        move (DirRecLen-(idlength+33))
        endsection
    Endif
}[unlimited]
end
=======

The specs to build this template were (besides others) found here: http://alumnus.caltech.edu/~pje/iso9660.html

After reading several CDs with this template I ran into an issue with one CD. The data is correct, and the calculation in a pen-and-paper test is also correct. But the move (DirRecLen-(idlength+33)) moves 4 bytes too far, so the next directory section is garbage. The question now is: is there something wrong with my template, or what happened on the CD? Don't know if this makes sense, but I'm also trying to show the data that raises the error. The issue started at directory entry #13.

The data starts at entry 11 and ends after entry 15:
=======
3C00B9000200000200B9BDDA00000000DABD69040717230800040000010000010C5F423551303031382E4A50470041410E024A5045473842494D0400
3C00D7000200000200D7D09C040000049CD069040717230800000000010000010C5F423551303031382E4A50470041410E024A5045473842494D0400
3C006D0102000002016D9FDA00000000DA9F69040717230D00040000010000010C5F423551303032372E4A50470041410E024A5045473842494D0400
3C008B0102000002018B639A040000049A6369040717230D00000000010000010C5F423551303032372E4A50470041410E024A5045473842494D0400
====
Maybe somebody has an idea what happens. Thanks, Jochen
   
Stefan Fleischmann
Username: admin
Registered: 1-2001
Posted on Wednesday, Sep 6, 2006 - 22:09:
You could further track down the error if you check the value of DirRecLen and idlength in that particular loop where the result of move is wrong.
   
J. Grotepass
Username: jgrotepass
Registered: N/A
Posted on Thursday, Sep 7, 2006 - 21:35:
Hi Stefan, thanks for that hint. I have checked the values and logic multiple times before posting here. Here is an extract from the print of that template (offset, field, value):

=====
ISO9660 Directory Entry 13
66264  DirRecLen                       60
66265  Should be 00                    00
66266  First Sector of Data or Dir     131287
66274  No of Bytes for data or LDir    302288
66282  Year (+1900)                    105
66283  Month                           4
66284  Day                             7
66285  Hour                            23
66286  Minute                          35
66287  Second                          8
66288  Offset to UTC                   0
66289  File Flags (M00PRADH) see doc   00000000
66290  File unit size                  0
66291  Interleave gap size             0
66292  Vol-Seq-No                      1
66296  idlength                        12
66297  Dir or File-Name                _B5Q0018.JPG

ISO9660 Directory Entry 14
66328  DirRecLen                       2
66329  Should be 00                    00
66330  First Sector of Data or Dir     1828782592
66338  No of Bytes for data or LDir    2681864192
66346  Year (+1900)                    35
66347  Month                           13
66348  Day                             0
66349  Hour                            4
66350  Minute                          0
66351  Second                          0
66352  Offset to UTC                   1
66353  File Flags (M00PRADH) see doc   00000000
66354  File unit size                  0
66355  Interleave gap size             1
66356  Vol-Seq-No                      24332
66360  idlength                        81
66361  Dir or File-Name                0027.JPG AAııJPEG8BIMı < ‹ıı ıı‹cšı ıšciııı#ı ı ıı_B5Q0027.
==============

As you can see, in record 13 the DirRecLen is 60 and the idlength is 12. Looking at the offsets, it shows that the move goes 4 bytes too far. I also played around a bit and displayed the information at the location before moving. The interesting part is that the error then occurred one record earlier. I get the impression that there are limitations somewhere that I have overlooked, or something similar. Thanks for any hint, Jochen
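The record layout discussed in the two posts above, walked by an added example in Python (this is not code from the thread, from the template author, or from WinHex/X-Ways). It embeds the hex dump from the first post as a constant, parses each ISO 9660 directory record with the same field offsets the template uses, and reports the value the template computes for its move, DirRecLen - (idlength + 33), as the pad byte plus the system-use area. Two checks the template cannot do are built in: every both-endian field is read from both copies and they must agree, and a record whose length byte is below 34 is rejected instead of being displayed; parsing 4 bytes past a record boundary, as the second print above shows, trips that check immediately. The decoding of the "AA" system-use entry as Apple's hybrid-CD extension (file type, creator, Finder flags read big-endian) is an assumption made here and labelled as such in the code.

```python
"""ISO 9660 directory-record walker (ECMA-119 section 9.1).

Added example, not code from the thread or from WinHex/X-Ways.  It parses the
hex dump posted above and checks the arithmetic the template relies on.
"""
import struct
from dataclasses import dataclass

# The hex dump from the post, copied verbatim (four records of a hybrid-CD directory).
POSTED_HEX = (
    "3C00B9000200000200B9BDDA00000000DABD69040717230800040000010000010C"
    "5F423551303031382E4A50470041410E024A5045473842494D0400"
    "3C00D7000200000200D7D09C040000049CD069040717230800000000010000010C"
    "5F423551303031382E4A50470041410E024A5045473842494D0400"
    "3C006D0102000002016D9FDA00000000DA9F69040717230D00040000010000010C"
    "5F423551303032372E4A50470041410E024A5045473842494D0400"
    "3C008B0102000002018B639A040000049A6369040717230D00000000010000010C"
    "5F423551303032372E4A50470041410E024A5045473842494D0400"
)
BUF = bytes.fromhex(POSTED_HEX)

# File flag bits, byte 25 of the record (ISO 9660 section 9.1.6).
FLAG_NAMES = {0x01: "hidden", 0x02: "directory", 0x04: "associated",
              0x08: "record", 0x10: "protection", 0x80: "multi-extent"}


@dataclass
class DirRecord:
    offset: int          # where the record starts in the buffer
    length: int          # DirRecLen, byte 0
    extent: int          # first logical block, both-endian at bytes 2-9
    size: int            # data length in bytes, both-endian at bytes 10-17
    timestamp: str       # recording date/time, bytes 18-24
    flags: int           # file flags, byte 25
    vol_seq: int         # volume sequence number, both-endian at bytes 28-31
    ident: str           # file identifier, byte 33 onwards (length in byte 32)
    system_use: bytes    # everything after the identifier and its pad byte
    template_move: int   # DirRecLen - (idlength + 33), the template's move value

    def flag_names(self):
        return [n for bit, n in FLAG_NAMES.items() if self.flags & bit]

    def apple_extension(self):
        """Decode the system-use area as Apple's ISO 9660 extension if it looks like one.
        Layout ASSUMED here (version 2): 'AA', length 14, version 2, file type (4),
        creator (4), Finder flags (2, taken as big-endian)."""
        su = self.system_use
        if len(su) >= 14 and su[:2] == b"AA" and su[2] == 14 and su[3] == 2:
            return {"type": su[4:8].decode("ascii", "replace"),
                    "creator": su[8:12].decode("ascii", "replace"),
                    "finder_flags": struct.unpack_from(">H", su, 12)[0]}
        return None


def _both_endian(buf, off, le_fmt, be_fmt, what):
    """Read a both-endian field and insist that the two copies agree;
    a mismatch is the quickest sign that the parser is not on a record boundary."""
    le = struct.unpack_from(le_fmt, buf, off)[0]
    be = struct.unpack_from(be_fmt, buf, off + struct.calcsize(le_fmt))[0]
    if le != be:
        raise ValueError(f"{what} at {off}: LE copy {le} != BE copy {be}")
    return le


def parse_record(buf, off):
    """Parse the directory record starting at buf[off]; None on a zero length byte."""
    rec_len = buf[off]
    if rec_len == 0:
        return None                      # zero fill up to the sector boundary
    if rec_len < 34 or off + rec_len > len(buf):
        raise ValueError(f"record at {off}: implausible DirRecLen {rec_len}")
    extent = _both_endian(buf, off + 2, "<I", ">I", "extent")
    size = _both_endian(buf, off + 10, "<I", ">I", "data length")
    y, mo, d, h, mi, s, tz = struct.unpack_from("<6Bb", buf, off + 18)
    tzmin = tz * 15                      # signed offset from GMT in 15-minute steps
    timestamp = (f"{1900 + y:04d}-{mo:02d}-{d:02d}T{h:02d}:{mi:02d}:{s:02d}"
                 f"{'+' if tzmin >= 0 else '-'}{abs(tzmin) // 60:02d}:{abs(tzmin) % 60:02d}")
    flags = buf[off + 25]
    vol_seq = _both_endian(buf, off + 28, "<H", ">H", "volume sequence number")
    id_len = buf[off + 32]
    if 33 + id_len > rec_len:
        raise ValueError(f"record at {off}: idlength {id_len} overruns DirRecLen {rec_len}")
    ident = buf[off + 33: off + 33 + id_len].decode("ascii", "replace")
    pad = 1 if id_len % 2 == 0 else 0    # pad byte only when the identifier length is even
    system_use = buf[off + 33 + id_len + pad: off + rec_len]
    return DirRecord(off, rec_len, extent, size, timestamp, flags, vol_seq,
                     ident, system_use, rec_len - (id_len + 33))


def walk_records(buf, start=0):
    """Walk consecutive records from start until a zero length byte or end of buffer."""
    records, off = [], start
    while off < len(buf):
        rec = parse_record(buf, off)
        if rec is None:
            break
        records.append(rec)
        off += rec.length
    return records


def probe(buf, off):
    """Return the error text for a record at off, or None when it parses cleanly."""
    try:
        parse_record(buf, off)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for r in walk_records(BUF):
        print(f"@{r.offset:3d} len={r.length} {r.ident:<12} extent={r.extent} size={r.size} "
              f"{r.timestamp} flags={r.flag_names()} move={r.template_move} "
              f"apple={r.apple_extension()}")
    print("4 bytes past record 2:", probe(BUF, 64))
```

On the posted dump this yields four 60-byte records at offsets 0, 60, 120 and 180, each with a move value of 15 (one pad byte plus the 14-byte "AA" entry), so the template's arithmetic is right for this data and the 4-byte overshoot is not explained by the record layout itself. The pairs of identically named entries are the hybrid CD's resource fork (flag 0x04, "associated") followed by the data fork; the second record's extent 131287 and size 302288 are the values the print above shows for entry 13. A parse attempted 4 bytes too far is rejected for a length byte of 2, which is what the garbage "entry 14" in the print begins with.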
   
J. Grotepass
Username: jgrotepass
Registered: N/A
Posted on Thursday, Sep 7, 2006 - 21:47:
One more thing I just found. When I use "multiple" and step through the directory by single clicks, the logic works. So I assume something is broken in the "loop" logic here. Because I need a report on the whole directory, I thought to use a template, show everything and then print that. Maybe there is another solution that I haven't found yet to accomplish that. Jochen
   
Stefan Fleischmann
Username: admin
Registered: 1-2001
Posted on Thursday, Sep 7, 2006 - 22:22:
> Because I need a report on the whole directory

With your specialist license you can easily export a list of items selected in the directory browser. See the directory browser context menu.
   
J. Grotepass
Username: jgrotepass
Registered: N/A
Posted on Thursday, Sep 7, 2006 - 22:34:
Hi Stefan, well, that would be the easy way ;-) I like the hard way... (even with my specialist license). Unfortunately the CDs I have to analyse are hybrid CDs and I need to find out whether the data is identical on both file systems. Because one major issue on those CDs is that the data is commonly stored and a directory link is missing, I need to check the real data from the native disk instead of the logical disk. That's why I built the template and made my life a bit more difficult (as always). Also it is good training to build templates, because I have not seen many tools around with CD templates or definitions. Also I found that there were, I guess, one or two requests already for the ISO9660 stuff. Cheers, Jochen