Protection Mechanisms Based on the Read Timing Characteristics

CD-R and CD-RW discs represent ideal backup media for saving moderate amounts of information (and any serious programmer carries out periodic backups of the information entrusted to him or her). Unfortunately, no one is perfect, and no job can be completed without some danger of errors (Errare humanum est, "To err is human," as the ancients said). Therefore, the accidental deletion of files from CD-R/CD-RW discs, as well as the clearing of these discs, sometimes happens. Experience, in fact, suggests that this happens far too often.

To our knowledge, special utilities for restoring lost information from CDs have yet to be developed (or, at least, to become widely available on the market). Therefore, recovering information from corrupted CDs is something you will have to tackle on your own. In this chapter, we'll try to explain what can be done in this case and how to accomplish this task.

Restoring Deleted Files from CD-R/CD-RW

Having announced their support for multisession CDs, Microsoft's operating systems, including Windows 9x and all versions of Windows NT (up to W2K), have maintained their silence about the fact that this support is only partial. Each session is a standalone volume (a logical disk, according to Windows terminology), which has its own file system and its own files. Thanks to the pass-through numbering of CD sectors, the file system of one session can reference files physically located in any other session. In order to make it possible to work with the disc as with a unified volume, the file system of the last session must include the contents of the file systems of all previous sessions. If this condition isn't met, then the TOCs of all other sessions will be lost when viewing the disc using standard equipment. This is the case because Windows mounts only the last session of the disc and ignores all the others. Programs for burning CD-R/CD-RW discs, by default, add the contents of the file systems from the previous sessions to the current one. However, this doesn't necessarily mean that the last session always contains everything that was present in the previous sessions.

For example, let's look at how files are deleted from CD-R/CD-RW discs. No, this isn't a misprint (or an error, or a joke)! The contents of CD-R discs can, in principle, be deleted, despite the impossibility of re-writing them. To imitate file deletion, CD burners simply do not include a reference to the file that has to be deleted in the file system of the last session [i]. Consequently, although the deleted file is still present on the disc (it is physically present, since it takes up some disc space [ii]), this file won't be displayed in the directory when viewing the disc contents using Windows built-in tools. So what is the meaning of deleting files from the CD-R if the available disc space isn't increased, but, on the contrary, is reduced?! In fact, the actual sense of this operation (if, of course, we can use the term "sense") lies in hiding the deleted files from normal users. Since deleted files aren't visible when viewing the disc contents using standard tools, they are formally unavailable to the normal user. As a result, they are not available to the standard built-in Windows tools. On the other hand, Macintosh allows the user to mount any disc session as a separate volume, thanks to which all deleted files immediately reveal themselves when viewing multisession discs under Mac OS.

The situation is similar when deleting information from CD-RW discs. Despite the theoretical possibility of physically destroying their contents, most programs for writing disks support only a function for clearing the entire disk, and are unable to delete individual files. Thus, all that was said above about CD-R discs is equally applicable to CD-RWs.

Therefore, if you write information to a disc in order to pass it to a third party, never use discs that have contained confidential data. The deletion of data previously written to a disc doesn't mean complete removal!

When viewing the contents of a CD that you have received from a friend or colleague, or even just recovered from the garbage, it makes sense to try viewing the previous sessions. Sometimes, it is possible to find a lot of hidden information. As experience has shown, there is often much of interest to be found. On the other hand, you might need to restore accidentally deleted files from your own disc, or even recover an entire session that has been destroyed by accident. (Some programs for writing CDs allow users to choose: they can either add a file system from the previous session when creating a new session, or include only new files in the new session. Choosing incorrect settings when preparing to write a CD will result in the loss of the contents of all of the previous sessions. Fortunately, however, this loss is reversible.)

The lack of standard tools for the selective mounting of sessions seriously complicates the life of all Windows users, leaving them to search for ways to bypass this problem. Ideally, it is best to implement a custom CDFS driver providing the required minimum of functional capabilities. However, this task is not simple and involves serious labor. This undertaking only makes sense in cases where you need to recover accidentally deleted files several times a day. Writing a set of utilities for working directly with the disc at the physical level is much simpler. In this case, all that you need is a display of the contents of the file system in a readable form. We are particularly interested in the following information: the file name and its starting address and length. Knowing these three important attributes, you can grab the file to the hard disk with ease and then do whatever you need with it. This technique is ideal for recovering small amounts of deleted (overwritten) files from any sessions. However, it is not practical in those situations where it is necessary to recover the entire session. In such cases, it makes more sense to copy the sessions being recovered to a separate CD-R/CD-RW disc.

Getting Access to Deleted Files

Before we start recovering deleted files, let's recall the main principles of ISO 9660 (Joliet) file system organization. The 16th sector of the first track of each session is strictly bound to the primary volume descriptor. This is easily recognized by the CD001 signature, which is stored in the sector at offset 1. If this is really the case (if it is not, we may be dealing with a disc without a file system, such as an Audio CD), then at offset 156 of this sector you'll find the Directory Record of the root directory. The following fields of this record are of the highest importance: the length of the Directory Record itself (the byte at offset 0), the starting LBA address of a file/subdirectory (double word in little-endian format, at offset 2), the length of the file/subdirectory (double word in little-endian format, at offset 10), the file attributes (byte at offset 25), the length of the name of the file/subdirectory (byte at offset 32) and, finally, the filename itself (the chain of bytes starting at offset 33). The Joliet file system is organized in a similar manner. Its corresponding volume descriptor, however, is located in sector 17, instead of sector 16.

If the first bit of the file attributes byte, counting from zero, is set to 1, then we are dealing with a subdirectory. Otherwise, the object in question represents a file. Nested directories (subdirectories) represent sets of Directory Records, each of which points either to a file or to another subdirectory.

Therefore, in order to view the contents of an arbitrary session, we need only know the starting address of its first track. This information can be obtained easily by reading the TOC at the raw level (command: 43h, format: 02h). Besides this, it is possible to use any CD-burning utility that is able to display information about the disc geometry (for instance, utilities such as Roxio Easy CD Creator, Stomp Record Now!, Ahead Nero Burning Rom, and many other tools are capable of doing this). Having increased the starting address of the first track by 16 (when working with ISO 9660) or 17 sectors (when working with Joliet), we will find the volume descriptor, and through it the root directory. After that, recursive traversal of the directory tree will function as a well-lubricated mechanism. While running Windows, there is not even the need to worry about stack overflow, provided, of course, that the file system doesn't contain severe errors that will result in a fall into infinite loops (by the way, these types of tricks are frequently used in protection mechanisms).

Now, all that is left is to view the directories of all of the disc sessions in order to find the files that are missing from the directory of the last session. When doing so, it is necessary to pay attention not only to file names, but also to their starting addresses. Files having identical names, but different starting addresses, are different files! For example, if you periodically save your entire current project to CD, always writing it with the same name, then all previous versions of this file will be lost for the built-in Windows tools. However, a manual investigation of the contents of all of the sessions will allow you to recover any of the file versions that were earlier saved on the CD! By the way, in practice, this need arises frequently, so this skill is always useful.

For further experiments, we will need the ISO9660.dir utility, which can be found on the companion CD. Using any CD burning program, let's write three sessions on a CD-RW/CD-R so that the first or the second session will contain some deleted files that we actually need to find.

Let's assume that the starting addresses of the disc sessions are located as shown below.

Listing 10.1: The starting addresses of the first tracks of each of the three disk sessions (track number AA is the Lead-out area and doesn't present any interest to us)

 > ISO9660.dir.exe 1.1
 track  Start LBA
 ------+----------
   1            0
   2        13335
   3        22162
  AA        24039

Now, let's call the ISO9660.dir.exe utility consecutively, specifying for it the following starting addresses: 0, 13335 and 22162. Having done so, we'll see the contents of the first, second, and third sessions, respectively. For convenience of comparison, the result is presented in the form of a horizontal table:

Listing 10.2: A comparison of the contents of the directories of three sessions shows that the second session contains the deleted file, See You.mp3 (in this listing, in bold), which is missing from the third session

 >ISO9660.dir 1.1 0 -Joliet
 start    size    name
 -----+-------+-----------------
    22     2048   .
    22     2048   ..
    25  3591523   PersonalJesus.mp3

 >ISO9660.dir 1.1 13335 -Joliet
 start    size    name
 -----+-------+-----------------
 13357     2048   .
 13357     2048   ..
    25  3591523   PersonalJesus.mp3
 13360  3574805   See You.mp3

 >ISO9660.dir 1.1 22162 -Joliet
 start    size    name
 -----+-------+-----------------
 22184     2048   .
 22184     2048   ..
    25  3591523   PersonalJesus.mp3
 22187  3472405   Strangerlove.mp3

As you can see, the second session contains the See You.mp3 file, which is missing from the TOC of the third session. This means that this file is practically unavailable to built-in OS tools! In fact, the dir command shows only two files:

Listing 10.3: The operating system views the disc contents as shown in this listing. However, we aren't so easily deceived! We know that there is one deleted file

 The volume in drive G has the NEW label.
 Volume serial number: 417170DC
 Contents of the G:\ directory
 30.06.2003  00:10        3 591 523 01Personal Jesus.mp3
 30.06.2003  00:12        3 472 405 03Strangerlove.mp3
               2 files    7 063 928 bytes
               0 folders          0 bytes free

In order to restore this file, it is enough to run our utility with the following command-line options: ISO9660.dir.exe 1.1 See You.mp3 13360 3574805, or to use any program capable of grabbing disc sectors (in this case, however, we'll have to cut off the tail of the last sector by the required value manually). Briefly speaking, we must read 3,574,805 bytes, starting from sector 13,360, up to the last sector of the file (because of the lack of sector fragmentation, sectors belonging to the file are always located sequentially).

If everything has been done correctly, a new See You.mp3 file will appear on the hard disk, which you can play using any mp3-player. It is also possible to use any CD-burning program to write the restored file to the same CD by adding another session to it. Of course, this is not the optimal solution, since the recovered file will now be written twice. Unfortunately, however, none of the burner utilities with which I am familiar allows for interfering with the process of file system generation or for the manual creation of links to files from previous sessions.

Now let's prepare the disc so that we can test the recovery procedures. Write a file to CD. Then, after modifying its contents slightly, write the file to the same disc under the same name one or more times. Make sure that when you are viewing the disc contents using built-in standard Windows tools you can see only one file, namely, the one that was written last. Now imagine that it is of critical importance to gain access to one of the earlier versions. No problem! Start ISO9660.dir, and you'll see that the disc contains the sessions shown in Listing 10.4.

Listing 10.4: The disk being recovered has two sessions with starting addresses equal to 0 and 12,000, respectively

 > ISO9660.dir.exe 1.1
 track  Start LBA
 ------+----------
   1            0
   2        12000
  AA        12600

By consecutively starting the ISO9660.dir utility with the 0 and 12000 command-line options, you'll find that... Well, don't rush forward. Now you'll see everything for yourself.

Listing 10.5: Both sessions contain the same file, asm.drf.zip; however, the starting addresses of the file don't match, and their lengths are also different

 > ISO9660.dir.exe 1.1 0 -Joliet         > ISO9660.dir.exe 1.1 12000 -Joliet
 start    size     name                  start     size       name
 --------+--------+-------------         ---------+-----------+--------
 22      2048    .                       12022    2048       .
 22      2048    ..                      12022    2048       ..
 25      38189   asm.drf.zip             12025    354533     asm.drf.zip

At first glance, everything appears to be OK. The asm.drf.zip file is present in both sessions, and if you aren't careful enough, it could seem to you that you are dealing with the same file in both cases. However, a closer investigation shows that the starting addresses of the files do not match. Therefore, we are dealing with two different files! The file lengths are also different and, to all appearances, the last file represents a newer version. To retrieve the previous version of the file, issue the following command: ISO9660.dir.exe 1.1 asm.drf.zip 25 38189. It really works!

The ISO9660.dir.exe utility is, unfortunately, terribly inconvenient for practical use. But don't judge it too severely. After all, it is only a demo example. In an attempt to stimulate the reader's creativity, I suggest that you implement all of the missing functionality on your own. Task number one would be the development of a convenient GUI for the program, or, even better, the rewriting of it as a console application. For example, you can write a plug-in for FAR Manager displaying the contents of the chosen session in a pane. This is considerably simpler to do than to program a fully-functional disk driver. From the end-user point of view, however, the effect will be the same. The task of comparing file names and starting addresses should be automated, since manual searches for deleted or overwritten files are extremely inefficient. In fact, a typical CD-ROM contains thousands or even tens of thousands of files distributed over a large tree-like hierarchy. Naturally, testing and analyzing them all is a tedious proposition!
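The comparison of file names and starting addresses across sessions, automated as an added example (this is not the ISO9660.dir utility from the companion CD). It reads only the primary ISO 9660 descriptor at session start + 16, not Joliet; the two-session image, its file names and the session addresses 0 and 40 are constructed for the demonstration.

```python
import struct
SECTOR = 2048  # user-data bytes per sector

def read_dir(img, lba, size):
    """Yield (name, start LBA, length, is_dir) for each Directory Record."""
    data, pos = img[lba * SECTOR: lba * SECTOR + size], 0
    while pos < len(data):
        rec_len = data[pos]                       # offset 0: record length
        if rec_len == 0:                          # zero padding up to the next sector
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        rec = data[pos:pos + rec_len]
        start, length = struct.unpack_from("<I4xI", rec, 2)  # offsets 2 and 10
        name = rec[33:33 + rec[32]]               # offset 32: name length
        if name not in (b"\x00", b"\x01"):        # skip "." and ".."
            yield name.decode("ascii").split(";")[0], start, length, bool(rec[25] & 2)
        pos += rec_len

def list_session(img, session_lba):
    """Map (path, start LBA) -> length for the directory tree of one session."""
    pvd = img[(session_lba + 16) * SECTOR:(session_lba + 17) * SECTOR]
    if pvd[1:6] != b"CD001":
        raise ValueError("no ISO 9660 volume descriptor at this address")
    files, todo, seen = {}, [("",) + struct.unpack_from("<I4xI", pvd, 156 + 2)], set()
    while todo:
        prefix, lba, size = todo.pop()
        if lba in seen:                           # looping directory: never walk it twice
            continue
        seen.add(lba)
        for name, start, length, is_dir in read_dir(img, lba, size):
            if is_dir:
                todo.append((prefix + name + "/", start, length))
            else:
                files[(prefix + name, start)] = length
    return files

def hidden_files(img, session_lbas):
    """Files an earlier session lists that the last one lacks (by name AND address)."""
    last = list_session(img, session_lbas[-1])
    return {key: length for lba in session_lbas[:-1]
            for key, length in list_session(img, lba).items() if key not in last}

def extract(img, start, length):  # files are contiguous: one read recovers them
    return img[start * SECTOR: start * SECTOR + length]

def _rec(name, lba, size, flags=0):  # constructed test data: one Directory Record
    rec = bytearray(33) + name
    rec += b"\0" * (len(rec) % 2)                 # records have even length
    rec[0], rec[25], rec[32] = len(rec), flags, len(name)
    struct.pack_into("<I4xI", rec, 2, lba, size)  # little-endian halves only
    return bytes(rec)

def build_image():
    """Constructed two-session image; sessions start at LBA 0 and LBA 40."""
    img = bytearray(70 * SECTOR)
    def put(lba, data):
        img[lba * SECTOR: lba * SECTOR + len(data)] = data
    for start, entries in ((0, [(b"NOTES.TXT;1", 25, 8), (b"SECRET.TXT;1", 26, 10)]),
                           (40, [(b"NOTES.TXT;1", 65, 14)])):
        tree = [(b"\0", start + 22, SECTOR, 2), (b"\1", start + 22, SECTOR, 2)] + entries
        put(start + 16, b"\x01CD001\x01".ljust(156, b"\0") + _rec(*tree[0]))
        put(start + 22, b"".join(_rec(*e) for e in tree))
    put(25, b"draft v1"); put(26, b"old secret"); put(65, b"draft v2 final")
    return bytes(img)
```

Run against an image of a disc you are about to hand over, a non-empty result from hidden_files means earlier sessions still hold data that the last session's directory no longer shows.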

Recovering Entire Sessions

An alternative method for the recovery of deleted files consists of the removal of one or more of the last sessions from the disc (we will refer to this method as "peeling the onion"). When proceeding in this manner, you expose each previous layer, which now becomes the most recent and, consequently, the one accessible by the operating system's standard tools. Naturally, physically removing sessions from CD-R discs is virtually impossible (the removal of sessions from CD-RW discs is theoretically possible; the problem here, however, lies in the lack of the required software). However, nothing prevents us from saving a disc image as a file, processing the created file appropriately, and then burning it again. (In the case of a CD-RW, the same disc can be used. In the case of CD-Rs, we need a new disc.) No one would argue that this method isn't long and tedious, but it is no more so than writing a custom burning program.

So let's start to prepare an experimental disc. Write one or two sessions on the test CD, instructing the burning program to join the file system of the new session with that of all previous ones (this usually takes place by default). Then, let's add another session, this time separate from all of the others. To do this, in Ahead Nero, you have to choose the Start Multisession disk menu item, instead of Continue Multisession. In Stomp Record Now!, it is necessary to select the New Volume option, instead of Load Last Track. When you start the recorder to burn a CD, you will notice that the contents of all previous sessions have been lost. For the sake of accuracy, we should point out that, for instance, Stomp Record Now! allows you to recover the ruined disc easily. To do this, simply choose the Load Track 1 item from the Multisession drop-down list and write any file to the disc. This is necessary in order to initiate the recording process. After this, the contents of session 1 will appear, while those of session 2 will disappear into thin air. Is this a problem? Let's change the option from Load Track 1 to Load Track 2 and initiate recording once again. This time the contents of the first two sessions will reappear, plus some files that we were forced to record in order to get Stomp Record Now! to agree and start burning.

Ahead Nero, when the Continue Multisession option has been selected, automatically requests that the user specify the session which holds the contents that it should use. Unfortunately, current versions of this program do not allow for the merging of the TOCs of two or more sessions. If there is, however, such a need, it is possible to use the sequential cascading method described above.

If you do not have Stomp Record Now! (or a similar program) at your disposal, it will be necessary to recover the overwritten sessions manually, i.e., using programs such as Clone CD or Alcohol 120%. Let's create one more test disc, the last session of which overwrites all of those before it. Then use Clone CD to create a disc image, after which the only thing left to do is to discard all references to the last session from the IMAGE.CCD file. The contents of the Sessions field must first be decreased by one. Then, it is necessary to discard all [Entry] sections for which the Session value was the latest. Then subtract the number of the deleted [Entry] sections from the value of the TocEntries field, and, finally, remove the last [TRACK] section. Now, the edited image can be written to a new CD and there will be no last session, just as if it had never been present!
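The edits to IMAGE.CCD listed above, carried out on the file's text as an added example (not code from the book or from Clone CD). The sample text is constructed and abbreviated to the fields the procedure touches; dropping the matching [Session N] section as well is an assumption about the file layout that the text does not state, and the code assumes the last session holds a single track.

```python
def strip_last_session(ccd_text):
    """Return the CCD text with every reference to the last session removed."""
    sections = []                                # [header, [body lines]] in file order
    for line in filter(None, map(str.strip, ccd_text.splitlines())):
        if line.startswith("["):
            sections.append([line, []])
        elif sections:
            sections[-1][1].append(line)

    def get(body, key):
        # Values may be decimal or 0x-prefixed hex, hence base 0.
        return next(int(l.split("=", 1)[1], 0) for l in body if l.split("=", 1)[0] == key)

    disc = next(body for header, body in sections if header == "[Disc]")
    last = get(disc, "Sessions")
    if last < 2:
        raise ValueError("only one session: nothing to peel off")

    # Step 2: every [Entry] section whose Session value is the latest one.
    drop = [s for s in sections if s[0].startswith("[Entry ") and get(s[1], "Session") == last]
    # Steps 1 and 3: decrease Sessions by one, TocEntries by the number of dropped entries.
    new_toc = get(disc, "TocEntries") - len(drop)
    disc[:] = [f"Sessions={last - 1}" if l.startswith("Sessions=") else
               f"TocEntries={new_toc}" if l.startswith("TocEntries=") else l for l in disc]
    # Step 4: the last [TRACK] section (assumes one track in the last session).
    drop.append([s for s in sections if s[0].upper().startswith("[TRACK ")][-1])
    # Assumption, not stated in the text: the [Session N] header section goes too.
    drop += [s for s in sections if s[0] == f"[Session {last}]"]

    dropped = {id(s) for s in drop}
    kept = [s for s in sections if id(s) not in dropped]
    return "\n".join("\n".join([header] + body) for header, body in kept) + "\n"

# Constructed, abbreviated sample: two sessions, four TOC entries each.
POINTS = [(1, 0xA0), (1, 0xA1), (1, 0xA2), (1, 0x01),
          (2, 0xA0), (2, 0xA1), (2, 0xA2), (2, 0x02)]
SAMPLE_CCD = (
    "[CloneCD]\nVersion=3\n[Disc]\nTocEntries=8\nSessions=2\n"
    "[Session 1]\nPreGapMode=1\n[Session 2]\nPreGapMode=1\n"
    + "".join(f"[Entry {i}]\nSession={s}\nPoint=0x{p:02x}\n"
              for i, (s, p) in enumerate(POINTS))
    + "[TRACK 1]\nMODE=1\nINDEX 1=0\n[TRACK 2]\nMODE=1\nINDEX 1=0\n"
)
```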

Beginners' Errors, or What You Should Never Do

You will sometimes hear the suggestion that grabbing one of the sessions of the disc being recovered, turning it into an ISO image and, then, mounting it to a virtual CD-ROM drive (or burning it to a physical disc) will make it possible to access its contents. In this way, we'll be able to quickly view the contents of all required sessions.

You'll be able to access the deleted files and do whatever you want with them. Be careful! When viewing the contents of the grabbed session, always bear in mind the following. First, files belonging physically to other sessions will still not be available from the current session, despite abundant references to these files. When referencing a file that doesn't really exist, you'll be confronted with either some senseless garbage or an error message. Your system may also end up freezing. If this happens, simply press the <EJECT> button. Windows will immediately wake up and joyfully display a "Device not ready" message. Second, because of the pass-through sector addressing, each grabbed session must be written to the same disc location where it was located earlier, or all references to starting file addresses within that session will become invalid. Usually, the desired result can be achieved by means of changing the starting address of the first track. The method for doing this will be described in the next section, which is dedicated to restoring information from cleared CD-RW discs.

[i] However, not all programs are capable of doing so. For example, Roxio Easy CD Creator provides this possibility, while Stomp Record Now! doesn t.

[ii] The reduction of available free space is explained by the fact that each newly opened session requires some space. However, if the deletion of some files is accompanied by writing other files, it is necessary to open a new session anyway, and in this case the deletion overhead is not present.



CD Cracking Uncovered. Protection against Unsanctioned CD Copying
CD Cracking Uncovered: Protection Against Unsanctioned CD Copying (Uncovered series)
ISBN: 1931769338
EAN: 2147483647
Year: 2003
Pages: 60
