Forensic CD

CnW Recovery software has several features to help forensic investigation of CDs.

For multi-session ISO9660 and Joliet disks, each session is shown as a separate track. Typically, a user will only see the last, or final track, but CnW Recovery shows every track. Each track may be restored independently which allows an investigator to see how files were added, and possibly deleted. The job log also gives the date and time that each track was created, enabling one to track the history of the CD.

The same option is also available for UDF CDs and DVDs. With this format, each session has a virtual allocation table (VAT) stored at the end of the disk session. By searching through the disk and finding these sessions, the files present on each session can be reconstructed and recovered. Forensically this will track down files that may have been deleted in later sessions, or changed.


To enable to scanning of all sessions (for UDF disks only) the ‘Scan all sessions’ option shown above must be selected. When recovery is performed, all sessions will be displayed as separate tracks and so differences can be detected. Also, the log DeDup feature can be used to remove identical copies, leaving just files which have been changed, or are unique

For a straight recovery situation, it is often the straw that breaks the camels back, in other words, it is appending a session that may make the disk unreadable. By trying to recover just the penultimate session and good recovery of all files up to that date may be achieved. Different techniques may then be applied to the remaining portion of the disk, the sector range will be calculable from data in the log.