UDF forensic investigation



UDF is typically used to record onto CDs and DVDs. However, it can be used on any media, and this includes Iomega Rev disks. There are several principal versions: V1.02, V1.50, V2.50 and V2.60. Full specifications are downloadable from the web, and large parts of the format are based on the Ecma 167 standard.


UDF can be used on both write-once and rewritable disks (e.g. CD-RW).


Forensically, write-once disks are interesting because it is possible, in effect, to delete or edit files. Because the media is write once, this is done by a sleight of hand: virtual directories. Each time a writing session is finished, a table is stored at the end of the current data, which sets a logical map to the directory. This is how new directory entries can be made with new pointers to existing or new files. Each new directory may be completely different from, or only a minor change to, the previous directories, and can incorporate new files or delete existing files. CnW Recovery software can reconstruct each session, showing which files were written, and when.



To view each session, the option box Scan all sessions should be selected; this option is only enabled for UDF disks. The program will then search through the disk sequentially, find each UDF VAT (Virtual Allocation Table) and produce a disk directory for each session. On a well-used disk there may therefore be the equivalent of perhaps 80 tracks. Each track can be recovered on its own so that file differences can be seen.


If all files are recovered then a significant amount of disk space may be required. At the end, though, the DeDup function can be used to remove identical instances of any file.
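The session mechanism and the DeDup step described above, as an added example that is not CnW Recovery's code. It models a UDF 1.50 style VAT (Uint32 entries, the "*UDF Virtual Alloc Tbl" regid, previous VAT ICB pointer) on a constructed 40-sector image; the scan locates VATs by their identifier string rather than via the VAT ICB File Entry, which is a simplification assumed for the example.

```python
"""Added example (not CnW Recovery's code): a simplified model of UDF 1.50 VATs on
write-once media, where a later session 'edits' or 'deletes' a file by publishing a new map."""
import hashlib
import struct

SECTOR = 2048
VAT_ID = b"*UDF Virtual Alloc Tbl"   # regid identifier defined by UDF 1.50
UNUSED = 0xFFFFFFFF                  # VAT value for an unused virtual sector

def build_vat(mapping, prev_vat_icb):
    """Serialise a UDF 1.50 style VAT: Uint32 entries, regid, previous VAT ICB."""
    entries = b"".join(struct.pack("<I", p) for p in mapping)
    regid = b"\x00" + VAT_ID.ljust(23, b"\x00") + b"\x00" * 8   # flags, id, suffix
    return (entries + regid + struct.pack("<I", prev_vat_icb)).ljust(SECTOR, b"\x00")

def find_vats(image):
    """Sequential scan ('Scan all sessions'): return (sector, mapping, prev) per VAT."""
    found = []
    for sec in range(len(image) // SECTOR):
        blk = image[sec * SECTOR:(sec + 1) * SECTOR]
        idx = blk.find(VAT_ID)               # identifier sits 1 byte into the regid
        if idx < 1 or (idx - 1) % 4:         # simplified locator (assumption, see lead-in)
            continue
        n = (idx - 1) // 4                   # entries precede the regid, 4 bytes each
        mapping = list(struct.unpack("<%dI" % n, blk[:4 * n]))
        prev = struct.unpack_from("<I", blk, idx - 1 + 32)[0]
        found.append((sec, mapping, prev))
    return found

def session_files(image, mapping):
    """Resolve each live virtual sector of one session to its physical data."""
    return {v: image[p * SECTOR:(p + 1) * SECTOR] for v, p in enumerate(mapping) if p != UNUSED}

def diff_sessions(old, new):
    """Classify each virtual sector between two consecutive sessions."""
    return {v: "added" if v not in old else "deleted" if v not in new
            else "unchanged" if old[v] == new[v] else "changed" for v in set(old) | set(new)}

def dedup(sessions):
    """DeDup step: keep one copy of each distinct content across all recovered sessions."""
    return {hashlib.sha256(d).hexdigest(): d for files in sessions for d in files.values()}

def demo_image():
    """Constructed image: A and B written, then A edited, then B deleted."""
    img = bytearray(SECTOR * 40)
    def put(sec, data): img[sec * SECTOR:sec * SECTOR + len(data)] = data
    put(10, b"file A v1"); put(11, b"file B v1"); put(12, build_vat([10, 11], UNUSED))
    put(20, b"file A v2"); put(21, build_vat([20, 11], 12))        # A edited, B kept
    put(30, build_vat([20, UNUSED], 21))                            # B deleted
    return bytes(img)
```

Running `find_vats(demo_image())` yields three sessions whose previous-VAT pointers chain 30 -> 21 -> 12, and the three recovered directories hold five sector copies that DeDup reduces to three distinct contents.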