ISO9660 Implementation Notes
The ISO9660 file system is used on many platforms and has many variations and extensions. At the most basic level of ISO9660 there are several differences than traditional file systems due to the type of media available.
This document describes how it was implemented. It assumes that you know the basics of the ISO9660 format.
Due to many reports of mastering software errata, there are some issues that The Sleuth Kit handles that the specifications for ISO9660 say will never happen. The specs say that there is only one unique primary volume descriptor per volume. The Sleuth Kit handles the possibility of finding more and alerts the user to this.
When TSK loads the file system, it runs through the path tables and processes each directory listed in the path table. It starts with the secondary volume descriptors and moves the primary ones. If an entry already exists for this file, then it is not added. This is under the assumption that we are now processing a primary descriptor with a more basic name and we should instead use the secondary / unicode name.
NOTE: The above design does not seem to work well because it is hard to detect duplicate files. We have some images that have duplicate files that are different names, but that have the same starting block address (the current method for detecting duplicate files).
ISO9660 does not assign numeric addresses to each file. TSK must therefore determine them. It does this by assigning an address to each file as it is loaded during the startup. If it gets added to the list, it gets the next address.
The file name code in TSK processes each directory, but needs to figure out the metadata address. Therefore, it searches the previously loaded data. It needs to match the loaded files with the current file. It does this based on starting block, but we have found problems with this because multiple files can have the same starting block.
What TSK Cannot Currently Do
There are a few things that The Sleuth Kit is not yet able to do with ISO9660:
- Multisessions CDs are not handled.
- High Sierra is not handled.
- Files that are stored with an interleave gap
Original Version By: Wyatt Banks, Crucial Security