0x07D2 = 2002 byte order is reversed - this is pretty standard.

Paul
===========
Paul Sanderson
T. +44 (0)1869 325667
F. +44 (0)1869 369001
M. +44 (0)7808 773856
http://www.sandersonforensics.co.uk

-----Original Message-----
From: Mark G. Spencer [mailto:dreadnought13at_private]
Sent: 04 October 2002 00:07
To: forensicsat_private
Subject: Dating the creation of a CD-R/RW?

I forwarded the message below to my coworkers in an attempt to date a variety of CD-R's and CD-RW's ..

-----Original Message-----
Are there any utilities which will date the creation of a CD-R or RW? As far as I understand it, each format (Joliet, ISO, etc.) has a specification for a creation stamp? Do burn applications also leave behind their own date and time stamps?
-----Original Message-----

And today one of them sent me the following:

UDF Time Calculations

First we need to find the Anchor Volume Descriptor Pointer (AVDP). It will be located in Sector 256 or 512 at offset 0x14. The value in this example is "E0".

Next we have to take the AVDP and convert it into a decimal number. The decimal equivalent is the sector number where the Volume Description Table is located. In this example you would take "E0", convert it to decimal and get "224". Now we have to go to that sector number to find the Volume Description Table.

Now that we know which sector the Volume Description Table is located at, we need to get the date stamp. The date stamp is located at whichever sector was found previously, at offset 0x178. In this example it would be at sector 224 + 0x178. The offset converted to decimal is "376".

Now that we have the location of the date stamp, all we have to do is the conversion. The breakdown is as follows.

Date Stamp =
    16-bit time zone & type value
    16-bit year
    8-bit month
    8-bit day
    8-bit hour
    8-bit minute
    8-bit seconds

The following is a breakdown of the values in this example.

Type                             Hex Value    Decimal Value
16-bit time zone & type value    C4 0F        196 15
16-bit year value                D2 07        210 07
8-bit month value                0A           10
8-bit day value                  01           01
8-bit hour value                 0A           10
8-bit minute value               2E           46
8-bit second value               0C           12

Taking the above decimal values we can put together the date stamp. We should get the following:

10/01/2002 10:46:12am

The only problem with this is that we do not understand how to get the year and time zone from the 16 bit values. How does Hex value D2 07 equal the year 2002?

Any comments or advice appreciated .. It could be a simple matter of my ducking out of math class as often as possible in high school.

Also, this may lead to a discussion of whether this data is even useful. I am not sure how well different CD burn applications adhere to this UDF format regarding dating. I have also noticed some applications (Nero) actually allow you to manipulate all the date information before burning!

Mark

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
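
Added example, not part of the original thread: a Python decoder for the nine date-stamp bytes quoted above, reading both 16-bit fields in little-endian order as Paul's reply describes. The split of the first field into a 4-bit type and a signed 12-bit offset in minutes (with -2047 meaning "not specified") is taken from ECMA-167 1/7.3, not from the thread; the function and type names are this example's own.

```python
import struct
from datetime import datetime
from typing import NamedTuple, Optional

# The nine bytes quoted in the thread, in on-disc order.
THREAD_BYTES = bytes.fromhex("C40F D207 0A 01 0A 2E 0C")

# Meaning of the 4-bit type value per ECMA-167 1/7.3.1; other values are reserved.
TYPE_NAMES = {0: "UTC", 1: "local time", 2: "by agreement"}

class UdfTimestamp(NamedTuple):
    ts_type: int                # upper 4 bits of the first 16-bit field
    tz_minutes: Optional[int]   # signed lower 12 bits; None if unspecified
    when: datetime              # date/time fields exactly as recorded (naive)

def parse_udf_timestamp(raw: bytes) -> UdfTimestamp:
    """Decode the first 9 bytes of a UDF date stamp (all fields little-endian)."""
    if len(raw) < 9:
        raise ValueError("need at least 9 bytes")
    # <H = unsigned 16-bit type/zone, h = signed 16-bit year, then five 8-bit fields
    type_tz, year, month, day, hour, minute, second = struct.unpack_from("<HhBBBBB", raw)
    ts_type = type_tz >> 12
    tz = type_tz & 0x0FFF
    if tz & 0x800:              # sign-extend the 12-bit two's complement value
        tz -= 0x1000
    if tz == -2047:             # "no time zone specified"
        tz = None
    elif not -1440 <= tz <= 1440:
        raise ValueError(f"time zone offset {tz} out of range")
    # datetime() raises ValueError for impossible fields (month 13, hour 25, ...),
    # which flags a wrong offset or a corrupted descriptor early.
    when = datetime(year, month, day, hour, minute, second)
    return UdfTimestamp(ts_type, tz, when)

if __name__ == "__main__":
    ts = parse_udf_timestamp(THREAD_BYTES)
    print(TYPE_NAMES.get(ts.ts_type, "reserved"), ts.tz_minutes, ts.when.isoformat())
```

The recorded time is left naive on purpose: the type and offset are reported beside it so the examiner decides how to apply them.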
This archive was generated by hypermail 2b30 : Tue Oct 08 2002 - 12:46:00 PDT