Introduction

This test has three images in it. Each tests how a tool decides to interpret an ISO9660 file system. By design, there can be multiple interpretations of an ISO9660 file system. For example, there can be multiple directory hierarchies and each will have its own root directory. One will have names that are limited to 8 characters in the name and 3 characters in the extension and the other directory hierarchy will have long Unicode names. There is no requirement that these two directory hierarchies be equivalent. If a forensics tool shows only one of the hierarchies, then you may miss important files.

My Different Interpretations of ISO9660 File Systems DFRWS 2010 paper outlines the tests in detail. But, here is a quick summary:

• iso-dirtree1.iso: This image contains two directory hierarchies. The primary hierarchy has a file named "File1.txt" and the secondary hierarchy has a file name "File2.txt". Ideally, your tool should show you both files.
• iso-dirtree2.iso: This image contains three directory hierarchies. The primary hierarchy has a file named "File1.txt", the first secondary hierarchy has no files in it, and the second secondary hierarchy has a file named "File2.txt". Ideally, your tool should show you both files.
• iso-endian.iso: This image has a single file in it, but the starting block of the file content has a different value in the big- and little-endian storage locations (ISO9660 stores numbers in both little-endian and big-endian). Open the file and read the text to see which value your tool uses (or maybe it will show you both).

Download

This test case has three ISO9660 images. Each is less than 1MB and they have the following MD5 values:

• iso-dirtree1.iso = 481c16151a64ef7cb86bee07aab6115b
• iso-dirtree2.iso = a8653cf9568cab9826a7b812776d744a
• iso-endian.iso = 76aa526d12ea82f7c317d268f291e1f5

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

• zip file

Results

The Different Interpretations of ISO9660 File Systems DFRWS 2010 paper outlines what you should see from running each image and what my initial test results were. One update is that ISOBuster was able to show both Endian values if you select the correct configuration setting. The paper says that it showed only the big endian value, which is the default settings.

For those who do not want to read the full paper, the summary is that when you load iso-dirtree1.iso and iso-dirtree2.iso, then you will want to see two files (File1.txt and File2.txt). When you load iso-endian.iso, then you will want to open the text file and see what its contents say. This will show you if your system is reading the little endian value or the big endian value (or both).

Author

Brian Carrier (carrier <at> digital-evidence <dot> org) created the test cases and the test image. This test was released on August 4, 2010 at the DFRWS 2010 conference.

Disclaimers

These tests are not a complete test suite. These were some of the first ones that I thought of and little formal theory of completeness was put into their design.

Passing these tests provides no guarantees about a tool. Always use additional test cases (and email them to me so we can all benefit!).

Copyright © 2010 by Brian Carrier Email: carrier <at> digital-evidence <dot> org

Last Updated: August 11, 2010