SecureArtisan

My Road to Digital Forensics Excellence

CDROM Burning

Posted by Paul Bobby on April 1, 2009

The blog, Hacking Exposed Computer Forensics Blog, has been publishing a series of articles entitled “What did they take when they left?”. Part 1 discusses CDROM burning – a common method for exfiltrating data from the corporation – and a commonly asked question of Ethics/HR.

To build on what was posted in Part 1, I performed a test using my own IBM T42 laptop.

The following three System Event log entries are created each time a particular ‘burning’ event happens:

  • 7035 – The IMAPI CDROM service has started
  • 7036 – The IMAPI CDROM service is running
  • 7036 – The IMAPI CDROM service has stopped

The entire sequence lasts 10-15 seconds or so.

I conducted the following test:

  1. Open the CD tray
  2. Insert a blank CD
  3. Close the tray
  4. This action generated the above three System Event logs
  5. Start up IBM RecordNow!
  6. This action generated the above three System Event logs
  7. Add a series of files to the burning program
  8. Click BURN
  9. This action generated the above three System Event logs
  10. The burn completed 10 minutes later
  11. No event logs were generated
  12. The CD Tray was opened by IBM RecordNow!
  13. No event logs were generated


Inserting the blank CD, firing up the CD burning tool, and clicking the burn button, all generated System Event logs. Unfortunately no other IMAPI CDROM events were recorded when the burn completed.

However, a series of repeated 7035, 7036, 7036 IMAPI System Event log entries may be enough to indicate disc burning activity. To be sure, of course, the investigator would have to test the exact system configuration and the installed disc burning software. One of the advantages of corporate investigations is that system builds are often standardized enough that these determinations can be tested ahead of time.
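As an added example (not code from the original post), the script below turns the observation above into a repeatable check: it reads an exported System event log, picks out IMAPI 7035 → 7036 (running) → 7036 (stopped) triplets that complete within a short window, and groups closely spaced triplets into candidate burning sessions, so a cluster of three sequences a minute apart stands out while a lone 7036 or a 7035 with no follow-up does not. The pipe-separated line format, the sample log lines, the "IMAPI" substring used to match the service, and the 30-second and 15-minute thresholds are all assumptions made for this example; the thresholds in particular should be re-tuned against a test burn on the actual corporate build, as the post recommends.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed sample export of an XP-era System event log (not real data).
# Format assumed for this example: "timestamp|event_id|source|message".
# It contains the three IMAPI sequences the post describes (insert blank disc,
# start the burning tool, click burn), unrelated Service Control Manager
# noise, and a lone IMAPI 7036 that must not be flagged.
SAMPLE_LOG = """\
2009-04-01 09:00:02|7036|Service Control Manager|The Print Spooler service entered the running state.
2009-04-01 09:15:10|7035|Service Control Manager|The IMAPI CD-Burning COM Service service was successfully sent a start control.
2009-04-01 09:15:11|7036|Service Control Manager|The IMAPI CD-Burning COM Service service entered the running state.
2009-04-01 09:15:22|7036|Service Control Manager|The IMAPI CD-Burning COM Service service entered the stopped state.
2009-04-01 09:15:40|7035|Service Control Manager|The IMAPI CD-Burning COM Service service was successfully sent a start control.
2009-04-01 09:15:41|7036|Service Control Manager|The IMAPI CD-Burning COM Service service entered the running state.
2009-04-01 09:15:53|7036|Service Control Manager|The IMAPI CD-Burning COM Service service entered the stopped state.
2009-04-01 09:16:30|7035|Service Control Manager|The IMAPI CD-Burning COM Service service was successfully sent a start control.
2009-04-01 09:16:31|7036|Service Control Manager|The IMAPI CD-Burning COM Service service entered the running state.
2009-04-01 09:16:44|7036|Service Control Manager|The IMAPI CD-Burning COM Service service entered the stopped state.
2009-04-01 13:02:00|7036|Service Control Manager|The IMAPI CD-Burning COM Service service entered the running state.
"""

IMAPI_MARKER = "IMAPI"          # assumed substring identifying the burning service
MAX_SEQUENCE_SECONDS = 30       # assumed; the post observed 10-15 s per 7035/7036/7036 triplet
MAX_SESSION_GAP_MINUTES = 15    # assumed; gap that still counts as the same burning session


@dataclass
class Event:
    timestamp: datetime
    event_id: int
    source: str
    message: str


@dataclass
class BurnSequence:
    start: datetime   # time of the 7035 (service sent start control)
    end: datetime     # time of the 7036 "stopped" entry


@dataclass
class BurnSession:
    start: datetime
    end: datetime
    count: int        # number of 7035/7036/7036 triplets in the session


def parse_log(text: str) -> List[Event]:
    """Parse the assumed pipe-separated export into Event records, in file order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, source, message = line.split("|", 3)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                            int(event_id), source, message))
    return sorted(events, key=lambda e: e.timestamp)


def find_imapi_sequences(events: List[Event],
                         max_seconds: int = MAX_SEQUENCE_SECONDS) -> List[BurnSequence]:
    """Return every 7035 -> 7036(running) -> 7036(stopped) IMAPI triplet that
    completes within max_seconds. Other services' 7035/7036 entries are ignored,
    and a 7035 that is not followed by the two 7036 entries is skipped."""
    imapi = [e for e in events if IMAPI_MARKER in e.message]
    sequences = []
    i = 0
    while i < len(imapi):
        start = imapi[i]
        if start.event_id == 7035 and i + 2 < len(imapi):
            running, stopped = imapi[i + 1], imapi[i + 2]
            if (running.event_id == 7036 and "running" in running.message
                    and stopped.event_id == 7036 and "stopped" in stopped.message
                    and stopped.timestamp - start.timestamp <= timedelta(seconds=max_seconds)):
                sequences.append(BurnSequence(start.timestamp, stopped.timestamp))
                i += 3
                continue
        i += 1
    return sequences


def group_sessions(sequences: List[BurnSequence],
                   max_gap_minutes: int = MAX_SESSION_GAP_MINUTES) -> List[BurnSession]:
    """Merge triplets separated by at most max_gap_minutes into one candidate session."""
    sessions: List[BurnSession] = []
    for seq in sequences:
        if sessions and seq.start - sessions[-1].end <= timedelta(minutes=max_gap_minutes):
            sessions[-1].end = seq.end
            sessions[-1].count += 1
        else:
            sessions.append(BurnSession(seq.start, seq.end, 1))
    return sessions


def analyze(text: str) -> List[BurnSession]:
    """Full pipeline: parse, detect IMAPI triplets, group into sessions."""
    return group_sessions(find_imapi_sequences(parse_log(text)))


if __name__ == "__main__":
    for s in analyze(SAMPLE_LOG):
        print(f"candidate burn session {s.start} - {s.end}: {s.count} IMAPI start/stop sequences")
```

Run against the constructed sample, the script reports one candidate session from 09:15:10 to 09:16:44 containing three sequences, which matches the post's insert / start tool / click burn pattern; the 13:02 lone 7036 produces nothing. Because the post found no event at burn completion, the session end here is only the last triplet, not the end of the burn itself, so the time range should be read as "when burning activity began", not its duration.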
