On Tue, 8 Oct 2002, William Salusky wrote:

> I have had loads of success in "dating" cd images, linux's mkisofs and at
> least a handful of windows iso image creation tools embed the iso image
> creation date time into the image. mkisofs is nice enough to even provide
> the exact command line used to create the image which can pinpoint "hidden"
> data within the image via the '-hide' and '-hide-joliet' mkisofs options.
> ...
> Just crank up hexedit on the raw cd and scroll for
> a second or so... it's very easy to find. Even easier 'strings' output
> analysis would accomplish the same.
>
> --
> William Salusky
> changeat_private

Remember, though: Just about anything can be altered. ISO images
can be edited. A hex editor, a Perl script... (I've been using this
latter technique to customize FIRE ISO images before burning them.)
That's all it takes to change those dates and command lines, and you
were one keystroke away from doing this in your second paragraph!

I think the best approach is to try to find alternate ways of dating
files using timestamps on the original system (if you can find it),
use MD5 hashes to tell if files have changed or not, and use this
secondary evidence to support your primary evidence. I would be
very reluctant to try to prove something based solely on timestamps
in an ISO CD-ROM.

And one last point: How do you know the system clock was correct
on the system that created the ISO? ;)

--
Dave Dittrich                           Computing & Communications
dittrichat_private                      University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE97 0C57 0843 F3EB 49A1 0CD0 8E0C D0BE C838 CCB5

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
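An added example, not part of the original message or of any tool named in it: a Python sketch that reads the creation time an ISO 9660 image claims in its Primary Volume Descriptor and reports it next to an MD5 comparison against a hash recorded at acquisition, so the embedded date is only ever read alongside independent evidence. The function names and the in-memory sample images are constructed for illustration.

```python
import hashlib
from datetime import datetime, timedelta, timezone

SECTOR = 2048
CREATION_DATE = slice(813, 830)  # 17-byte "Volume Creation Date and Time" in the PVD

def find_pvd(image: bytes) -> bytes:
    """Walk the volume descriptors from sector 16 and return the primary one (type 1)."""
    off = 16 * SECTOR
    while True:
        vd = image[off:off + SECTOR]
        if len(vd) < SECTOR or vd[1:6] != b"CD001" or vd[0] == 255:
            raise ValueError("no ISO 9660 Primary Volume Descriptor found")
        if vd[0] == 1:
            return vd
        off += SECTOR

def pvd_creation_time(image: bytes):
    """Creation time claimed by the image itself, or None if the field is unset."""
    raw = find_pvd(image)[CREATION_DATE]
    digits = raw[:16].decode("ascii", "replace")
    if not digits.isdigit() or int(digits) == 0:
        return None
    # Byte 17 is a signed offset from GMT in 15-minute units.
    tz = timezone(timedelta(minutes=15 * int.from_bytes(raw[16:], "big", signed=True)))
    stamp = datetime.strptime(digits[:14], "%Y%m%d%H%M%S")
    return stamp.replace(microsecond=int(digits[14:]) * 10_000, tzinfo=tz)

def check_image(image: bytes, recorded_md5: str) -> dict:
    """Pair the embedded date with whether the image still matches the hash on record."""
    md5 = hashlib.md5(image).hexdigest()
    return {"claimed_creation": pvd_creation_time(image), "md5": md5,
            "matches_record": md5 == recorded_md5}

def constructed_image(date_field: bytes) -> bytes:
    """Constructed sample: empty system area, a bare PVD, and a set terminator."""
    pvd, term = bytearray(SECTOR), bytearray(SECTOR)
    pvd[0:7], term[0:7] = b"\x01CD001\x01", b"\xffCD001\x01"
    pvd[CREATION_DATE] = date_field
    return bytes(16 * SECTOR) + bytes(pvd) + bytes(term)

if __name__ == "__main__":
    acquired = constructed_image(b"2002100612000000\xe4")    # constructed date, UTC-7
    recorded = hashlib.md5(acquired).hexdigest()              # hash noted at acquisition
    later_copy = constructed_image(b"2001010100000000\x00")  # same layout, different date bytes
    for label, img in (("acquired", acquired), ("later copy", later_copy)):
        print(label, check_image(img, recorded))
```

Both sample images parse cleanly and yield a plausible date; only the hash comparison shows that the second one is not the image that was acquired.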
This archive was generated by hypermail 2b30 : Sun Oct 13 2002 - 07:52:59 PDT