CDFS
Supported formats
ISO9660, UDF
Description
This backend extracts files and metadata from popular CD, DVD, and similar images.
info
Available in Contextal Platform 1.0 and later.
Features
ISO9660 support
Canonical (typically .iso) and raw (.raw, .img, .bin, .nrg) formats with or without a custom header are supported. The header presence and the raw sector size are autodetected; Joliet extensions are supported.
UDF support
All valid block sizes are supported and automatically detected.
Symbols
Object
UDF→ the image contains an UDF file systemISO9660→ the image contains an ISO9660 (or simply ISO) file systemLIMITS_REACHED→ limits triggered while processing the image
Children
CORRUPTED→ this child object is arranged in illegals ways or it's partially out of reachTRUNCATED→ the actual length of the data is lesser than the one declared/expectedTOOBIG→ this child object was not extracted as it exceeds the limits
Example Metadata
"org": "ctx",
"object_id": "b087012cc7a352a538312351d3c22bb1098c5b64107c8dca18645320e58fd92f",
"object_type": "CDFS",
"object_subtype": null,
"recursion_level": 1,
"size": 1155072,
"hashes": {
"md5": "23693d7b4009938f30bce15b1c23c5f4",
"sha512": "bf2c141b44feb028506b4225f8fae9df3a3f48773396df60317b3b99d37c352998209d7ab3d0988c152ecfb6e633d07f74f2f40199d5c10c6daf3dae6939d275",
"sha1": "c0a12e0293a2414de94bb4b079920e8558af9f3c",
"sha256": "b087012cc7a352a538312351d3c22bb1098c5b64107c8dca18645320e58fd92f"
},
"ctime": 1726169806.977861,
"ok": {
"symbols": [
"ISO9660"
],
"object_metadata": {
"_backend_version": "1.0.0",
"iso9660": {
"bad_chains": false,
"bootable": false,
"has_loops": false,
"num_vols": 1,
"offset": 0,
"partitioned": false,
"sector_size": 2048,
"volumes": [
{
"abstract_file": "",
"application": "OSCDIMG 2.56 (01/01/2005 TM)",
"bibliographic_file": "",
"block_size": 2048,
"copyright_file": "",
"creation_dt": "<INVALID>",
"desc_type": "Primary",
"effective_dt": "",
"expiration_dt": "",
"flags": 0,
"fs_ver": 1,
"id": "CD_ROM",
"joliet": false,
"modification_dt": "",
"preparer": "MICROSOFT CORPORATION, ONE MICROSOFT WAY, REDMOND WA 98052, (425) 882-8080",
"publisher": "MICROSOFT CORPORATION",
"seq": 1,
"set": "CD_ROM",
"set_size": 1,
"space_size": 564,
"system": "",
"version": 1
}
]
}
},
"children": [
{
"org": "ctx",
"object_id": "81bed342f8aca6f1ae4ba461471f0e99604bff7a2e3a41f02cb3b564af9330ad",
"object_type": "LNK",
"object_subtype": null,
"recursion_level": 2,
"size": 991,
"hashes": {
"sha256": "81bed342f8aca6f1ae4ba461471f0e99604bff7a2e3a41f02cb3b564af9330ad",
"sha512": "21c44025737baba604bc49930a0a2bb6fcdc4511f66b95e9a279ccdbff8138e64ad9277c570a05467cb3a64bbd10c140f3d2bca244d1f5ccbe24f9f9bf7c0a51",
"sha1": "094a633a336009e8331a8e3751dc227b0cac59c0",
"md5": "d70f9c0e3035bfe0db5624568e56c44e"
},
"ctime": 1726169806.977861,
"relation_metadata": {
"interleaved": false,
"iso_vol": 0,
"name": "/Socialize.lnk",
"ord": 0,
"t": "2021-06-10 21:15:41.0 -08:00:00"
},
[...]
Example Queries
object_type == "CDFS"
&& size < 3145728
&& @match_object_meta($iso9660.volumes[0].publisher iregex("microsoft"))
- This query matches a
CDFSobject, which is smaller than3MBand contains amicrosoftsubstring (case insensitive) in the publisher field.
object_type == "CDFS"
&& @count_children() < 20
&& @has_child(object_type == "LNK")
&& @has_child(object_type == "PE" && @has_symbol("ISSUES"))
- This matches a
CDFS, from which less than 20 children objects were extracted, and one of them was aLNKobject, and one was aPEobject, in which potentially suspicious issues were detected.
Configuration Options
max_processed_size→ maximum size of the input object that will be processed (default: 262144000)max_children→ maximum number of children objects to create (default: 100)max_child_output_size→ maximum size of a single output children object (default: 41943040)