ISO9660 is a file system format that is used on many CDs. It is supported by TSK. See the ISO9660 Implementation Notes for ways that the file system was converted to the TSK layers.

ISO9660 Overview

This provides a quick introduction to the ISO9660 file system. The terms used are different then with other file systems. For a full overview of the file system, refer to the document "Volume and File Structure of CDROM for Information Interchange"

http://www.ecma-international.org/publications/standards/Ecma-119.htm

Volume Descriptors

ISO9660 uses structures called Volume Descriptors to store information about the directory hierarchy of an ISO9660 volume. At 32768 bytes into the image there is a contiguous list of volume descriptors. A primary volume descriptor contains an address of a Path Table which is a list of every directory on the volume. In this path table each directory record has a single run of contiguous bytes known as an Extent. Each directory's single data extent contains a group of contiguous directory descriptors which represent files, directories or other standard file types.

Primary volume descriptors only allow uppercase filenames in the 8.3 format (8 chars dot 3 chars).

Supplementary volume descriptors are very similar to primary volume descriptors. The main difference is that supplementary volume descriptors store filenames as UCS-2 characters and are used in Microsoft Joliet extensions to allow mixed case filenames up to 103 characters.

All volume descriptors are stored at least once, with there being a requirement to have only a single primary volume descriptor for an image to be valid. Supplementary volume descriptors usually contain the same data as primary volume descriptors.

Files

ISO9660 file are stored in an extent whose size is measured in bytes.

A file is considered unique if its extent address is unique.

Directories

Directory names are only stored in the path table of the volume descriptor. As a directory is encountered as a directory descriptor inside another directory's extent, the address of its data extent is examined by the ISO9660 implementation to see if we've seen this directory before and figure out what its name is.

Directories are unusual in the way they are identified as a unique inode. If we examine the root directory using a primary volume descriptor then its extent address is where on the volume the extent containing the list of directory descriptors with 8.3 encoded names exists. If we examine the root directory of that same volume using a supplementary volume descriptor we will find that the extent address is different because these directory descriptors are UCS-2 encoded, even though each directory descriptor will point at the same data extent for each file.

This last paragraph is quite complicated. Lets simplify:

Imagine a CD with 3 files on it: file-1.txt, file-2.txt, file3.txt.

The path table in a primary volume descriptor has one directory in it and its extent contains 3 directory descriptor structures with 8.3 uppercase encoding. The path table in a supplementary volume descriptor describing this same volume has one directory but its extent is different because those 3 directory descriptor structures are different than the previous 3. The files are not considered unique because their extent addresses (where their data lies) is not unique.

Reference Documents

• ECMA-119, The ECMA version of the ISO9660 standard. This is a formal spec that is not the easiest to read as an "Intro to ISO9660".
• IEEE P1281: System Use Sharing Protocol, this defines how to use the System Use area of the ISO9660 spec. The System Use area is used by the Rock Ridge Extensions.
• IEEE P1282: Rock Ridge Interchange Protocol, this defines how to use the System Use area to store long file names, POSIX info, sym links etc.
• Joliet Specification, this defines the Joliet methods for storing longer file names and using Unicode in a "Secondary Volume Descriptor".