Difference between revisions of "ISO9660"

From SleuthKitWiki
Jump to: navigation, search
(Reworded some of the text a little. The directories section still needs to be cleaned up.)
(Updated and corrected this page.)
Line 21: Line 21:
 
Supplementary volume descriptors are very similar to primary volume
 
Supplementary volume descriptors are very similar to primary volume
 
descriptors.  The main difference is that supplementary volume
 
descriptors.  The main difference is that supplementary volume
descriptors store filenames as UCS-2 characters and are used
+
descriptors can store filenames in other encodings, such as Unicode and mixed case.  
in Microsoft Joliet extensions to allow mixed case filenames up to
+
103 characters.
+
  
 +
== Metadata ==
 +
File and directory metadata are stored in directory entries in the blocks allocated by the parent directory.  Each entry has a dynamic length that is dependent on the length of the file name.  Files are not assigned a numerical identifier.  Instead, the file name is supposed to be the identifier in the directory.  File content is located in contiguous blocks.  The metadata points to the starting block and provides the number of bytes in the file.
  
== Files ==
+
== File Names and Directories ==
ISO9660 file are stored in contiguous blocksTheir location is stored by recording the starting block and the size of the file (in bytes).  
+
The root directory is pointed to in the volume descriptor. From there, you can traverse the directory tree, like other file systemsISO9660 also has a path table, which contains an entry for each directory.  It will point you to the starting block for the directory.  This allows you to jump to the directory faster (if the path table has been loaded).  
  
A file is considered unique if its extent address is unique.
 
  
File (and directory) metadata are stored in two locations.  One is in the data allocated to the parent directory and the other is in the path table.  The path table has an entry for every file and includes the file's name and parent directory.
 
 
 
== Directories==
 
Directory names are only stored in the path table of the volume
 
descriptor.  As a directory is encountered as a directory descriptor
 
inside another directory's extent, the address of its data extent
 
is examined by the ISO9660 implementation to see if we've seen this
 
directory before and figure out what its name is.
 
 
Directories are unusual in the way they are identified as a unique
 
inode.  If we examine the root directory using a primary volume
 
descriptor then its extent address is where on the volume the extent
 
containing the list of directory descriptors with 8.3 encoded names
 
exists.  If we examine the root directory of that same volume using
 
a supplementary volume descriptor we will find that the extent
 
address is different because these directory descriptors are UCS-2
 
encoded, even though each directory descriptor will point at the same
 
data extent for each file.
 
 
This last paragraph is quite complicated.  Lets simplify:
 
 
Imagine a CD with 3 files on it: file-1.txt, file-2.txt, file3.txt.
 
 
The path table in a primary volume descriptor has one directory in it
 
and its extent contains 3 directory descriptor structures with 8.3
 
uppercase encoding.  The path table in a supplementary volume
 
descriptor describing this same volume has one directory but its extent
 
is different because those 3 directory descriptor structures are
 
different than the previous 3.  The files are not considered unique
 
because their extent addresses (where their data lies) is not unique.
 
  
  

Revision as of 20:30, 18 February 2010

ISO9660 is a file system format that is used on many CDs. It is supported by TSK. See the ISO9660 Implementation Notes for ways that the file system was converted to the TSK layers.

ISO9660 Overview

This provides a quick introduction to the ISO9660 file system. The terms used are different then with other file systems. For a full overview of the file system, refer to the document "Volume and File Structure of CDROM for Information Interchange"

http://www.ecma-international.org/publications/standards/Ecma-119.htm

http://en.wikipedia.org/wiki/ISO_9660


Volume Descriptors

ISO9660 uses one or more Volume Descriptors to store information about the files on an ISO9660 volume. There will be a primary descriptor and other descriptors may exist that describe the files on the image differently (different file name restrictions, etc.). The volume descriptors define the block sizes, block counts, and point to other important file system structures.

Primary volume descriptors only allow uppercase filenames in the 8.3 format (8 chars dot 3 chars).

Supplementary volume descriptors are very similar to primary volume descriptors. The main difference is that supplementary volume descriptors can store filenames in other encodings, such as Unicode and mixed case.

Metadata

File and directory metadata are stored in directory entries in the blocks allocated by the parent directory. Each entry has a dynamic length that is dependent on the length of the file name. Files are not assigned a numerical identifier. Instead, the file name is supposed to be the identifier in the directory. File content is located in contiguous blocks. The metadata points to the starting block and provides the number of bytes in the file.

File Names and Directories

The root directory is pointed to in the volume descriptor. From there, you can traverse the directory tree, like other file systems. ISO9660 also has a path table, which contains an entry for each directory. It will point you to the starting block for the directory. This allows you to jump to the directory faster (if the path table has been loaded).



Reference Documents

  • ECMA-119, The ECMA version of the ISO9660 standard. This is a formal spec that is not the easiest to read as an "Intro to ISO9660".
  • IEEE P1281: System Use Sharing Protocol, this defines how to use the System Use area of the ISO9660 spec. The System Use area is used by the Rock Ridge Extensions.
  • IEEE P1282: Rock Ridge Interchange Protocol, this defines how to use the System Use area to store long file names, POSIX info, sym links etc.
  • Joliet Specification, this defines the Joliet methods for storing longer file names and using Unicode in a "Secondary Volume Descriptor".
Retrieved from "http://wiki.sleuthkit.org/index.php?title=ISO9660&oldid=450"