Digital Project Guidelines and Information : Digital Forensics

Introduction - What is “Digital Forensics”?

Digital devices have become ubiquitous in our lives, and since the 1980s computers have increasingly become the document of record in many professional fields, including education. This means that increasingly the materials that come into archives of all kinds will be in digital rather than paper form. Considering that a professional who was 25 years old in 1980, when Seagate released the first 5.25-inch hard disk, will reach the age of 65 in the year 2020, it is easy to see that a deluge of obsolete media may be in the near future for many archives. An assumption that most people have managed their digital files responsibly by migrating over time to current data formats would be at best naive.
 
Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices...[1] Most literature on digital forensics comes from the perspective of criminal investigations, where the priorities, such as admissibility of evidence in a court of law, may differ from those of digital forensics for archival recovery and preservation. The underlying techniques are the same, however: an unaltered copy of the medium, a record that proves it is unaltered, and tools that can see everything on it, including deleted material, rather than only the files the original owner could see.

Digital Forensics Workstations (DFWs)

A digital forensics workstation is part private eye, part technology museum, and part time machine! It is a computer workstation that has been retrofitted with obsolescent drives, readers, and software in order to retrieve data from old media. One of the challenges of building a DFW is determining which outdated media and software will be most common in the collections coming into our institutions, and one of the goals of this document is to be a place to gather those opinions, so please feel free to add to the lists (at the end of this document) of media and software that should be included in a WRLC-defined Digital Forensics Workstation Specification.

General Requirements

The first step in retrieving information from a digital device is creating a forensically sound duplicate, or “image”, of the device: a bit-for-bit copy of the entire medium, including unallocated space, rather than a copy of the files it contains. This is more complicated than it sounds. The simple act of inserting a disk into a drive on a running computer can change data on that disk, because most operating systems will mount the volume, update access times, create hidden index or journal files, or otherwise alter metadata such as the date a file was modified, which may prove critical. Although some operating systems are better than others about not modifying attached media, it is essential to have a write-blocking mechanism as the first line of protection for digital files. Write blockers come in hardware and software forms. A hardware write blocker sits between the drive and the workstation and discards write commands regardless of what the host operating system or its drivers attempt, so there is less risk that the data on a device will be modified or corrupted; its main disadvantage is that it requires physical access to the media (as opposed to remote access over a network). A software write blocker depends on the host operating system honouring it, so its configuration should be tested against a scratch disk before it is trusted with collection material. Whichever is used, the image should be hashed (MD5 for compatibility with older tools, SHA-256 preferably alongside it) as it is acquired, and the hash recorded so that the image can later be shown to be unchanged.
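As an added illustration of the imaging and integrity step just described (example code written for this page, not FTK Imager or any other tool named below): it copies a “device” byte for byte, hashes the stream during acquisition, records the SHA-256 in a sidecar file, and shows that a single altered byte in the copy is caught on re-verification. The device is a temporary file with constructed contents so the script runs without real media; on a workstation the source would be the raw block device behind a write blocker, and the sidecar format is the one `sha256sum -c` accepts.

```python
"""Bit-for-bit imaging with acquisition and verification hashes.

Added example for this page, not code from any tool it lists. The "device"
is a temporary file with constructed contents so the script runs anywhere.
"""
import hashlib
import os
import shutil
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads; a real source would be e.g. a raw /dev/ node


def image_device(source_path, image_path, chunk_size=CHUNK):
    """Copy every byte of source_path to image_path, hashing the stream as it passes.

    Returns (bytes_copied, md5_hex, sha256_hex) for the source as read.
    Opening read-only is a courtesy to the OS, not a substitute for a write
    blocker: a blocker stops writes the kernel or an auto-mounter might issue
    before this code ever runs.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
            dst.write(block)
            copied += len(block)
    return copied, md5.hexdigest(), sha256.hexdigest()


def hash_file(path, chunk_size=CHUNK):
    """SHA-256 of a file on disk, read in chunks so multi-GB images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def write_sidecar(image_path, sha256_hex):
    """Record the acquisition hash beside the image in sha256sum-compatible form."""
    with open(image_path + ".sha256", "w") as f:
        f.write(f"{sha256_hex}  {os.path.basename(image_path)}\n")


def verify_image(image_path):
    """Re-hash the image and compare with its sidecar; True only if unchanged."""
    with open(image_path + ".sha256") as f:
        recorded = f.read().split()[0]
    return hash_file(image_path) == recorded


def demo():
    """Image a constructed 3 MiB 'device', verify, flip one byte, verify again."""
    workdir = tempfile.mkdtemp()
    try:
        device = os.path.join(workdir, "device.bin")
        image = os.path.join(workdir, "device.img")
        # Constructed contents: 3 MiB of a repeating pattern plus a short tail,
        # so the final read is a partial block and must still be copied.
        payload = bytes(range(256)) * 12288 + b"trailing partial block"
        with open(device, "wb") as f:
            f.write(payload)

        copied, md5_hex, sha256_hex = image_device(device, image)
        write_sidecar(image, sha256_hex)
        verified_before = verify_image(image)

        # Simulate a single flipped byte in the copy (a stray edit, a bad sector).
        with open(image, "r+b") as f:
            f.seek(4096)
            original = f.read(1)
            f.seek(4096)
            f.write(bytes([original[0] ^ 0x01]))
        verified_after = verify_image(image)

        return {
            "bytes": copied,
            "matches_source": (copied == len(payload)
                               and sha256_hex == hashlib.sha256(payload).hexdigest()
                               and md5_hex == hashlib.md5(payload).hexdigest()),
            "verified_before": verified_before,
            "verified_after_tamper": verified_after,
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

Hashing the stream while it is being read, rather than re-reading the source afterwards, matters for fragile media: the second pass might not succeed, and it is the hash of what was actually copied that the sidecar must record.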
 
While decisions must be made about what peripheral drives and software are necessary for a WRLC DFW, there are some core requirements that can be specified:

  1. Support for IDE
  2. Support for SCSI
  3. Ability to connect to a network
  4. Hardware based write-blocker
  5. Software based write-blocker
  6. The system must support duplication and analysis of these common file system types:
    1. NTFS
    2. FAT16/32
    3. HFS & HFS+ (Macintosh)
  7. If the decision is made to also equip a DFW with Unix/Linux capabilities, then it must also support duplication and analysis of these file system types:
    1. Solaris UFS
    2. BSD UFS
    3. EXT2 (Linux)
    4. EXT3 (Linux)
    5. Swap for Solaris, BSD (“Berkeley Unix”), and Linux
  8. Ability to validate image and file integrity
  9. Ability to identify dates and times that files have been modified, accessed and created
  10. Ability to identify deleted files
  11. Ability to analyze allocated drive space
  12. Ability to isolate and analyze unallocated drive space
  13. The system must support removable media for storage and transportation of disk images, etc.
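Requirements 9 and 10 above (file timestamps and deleted files) are satisfied by reading the file system structures in the image directly rather than through the host operating system. The following is an added example written for this page, not part of BitCurator, FTK Imager or any other tool listed below: it decodes FAT16/32 short-name directory entries, whose 32-byte layout is fixed by the specification, and the sample directory it parses is constructed by hand. A deleted file keeps its entry, size and timestamps; only the first byte of the name is overwritten with 0xE5, which is why deleted material can still be identified in an image.

```python
"""Decode FAT directory entries: created/accessed/modified times and deleted files.

Added illustration for this page; not code from any tool it lists. The
directory bytes at the bottom are constructed by hand, not taken from a disk.
"""
import struct
from datetime import date, datetime

ENTRY_SIZE = 32
DELETED_MARKER = 0xE5      # first name byte of an entry whose file was deleted
END_OF_DIRECTORY = 0x00    # first name byte of the first never-used entry
ATTR_LONG_NAME = 0x0F      # VFAT long-filename pseudo-entry; carries no timestamps
ATTR_ARCHIVE = 0x20


def decode_fat_datetime(date_word, time_word, tenths=0):
    """Unpack the little-endian 16-bit FAT date and time words into a datetime.

    date: bits 15-9 = years since 1980, 8-5 = month, 4-0 = day
    time: bits 15-11 = hour, 10-5 = minute, 4-0 = seconds / 2
    tenths: 0-199 count of 10 ms units, present for the creation time only
    A zero date means the field was never written (pre-Windows 95 systems
    recorded only the modification time), so None is returned.
    """
    if date_word == 0:
        return None
    year, month, day = 1980 + (date_word >> 9), (date_word >> 5) & 0xF, date_word & 0x1F
    hour, minute = time_word >> 11, (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2 + tenths // 100
    return datetime(year, month, day, hour, minute, second, (tenths % 100) * 10000)


def parse_directory(raw):
    """Return one dict per short-name entry, deleted entries included."""
    entries = []
    for off in range(0, len(raw) - ENTRY_SIZE + 1, ENTRY_SIZE):
        e = raw[off:off + ENTRY_SIZE]
        if e[0] == END_OF_DIRECTORY:
            break
        if (e[11] & ATTR_LONG_NAME) == ATTR_LONG_NAME:
            continue
        deleted = e[0] == DELETED_MARKER
        base = e[0:8].decode("latin-1").rstrip()
        ext = e[8:11].decode("latin-1").rstrip()
        if deleted:
            base = "?" + base[1:]   # first character is overwritten; not recoverable here
        # Offsets 13..31: tenths, ctime, cdate, adate, (cluster hi), wtime, wdate, (cluster lo), size
        ctenths, ctime, cdate, adate, wtime, wdate, size = struct.unpack_from("<BHHHxxHHxxI", e, 13)
        entries.append({
            "name": f"{base}.{ext}" if ext else base,
            "deleted": deleted,
            "size": size,
            "created": decode_fat_datetime(cdate, ctime, ctenths),
            "accessed": decode_fat_datetime(adate, 0),   # access is recorded to the day only
            "modified": decode_fat_datetime(wdate, wtime),
        })
    return entries


def encode_fat_date(d):
    return ((d.year - 1980) << 9) | (d.month << 5) | d.day


def encode_fat_time(t):
    return (t.hour << 11) | (t.minute << 5) | (t.second // 2)


def make_entry(name, ext, created=None, accessed=None, modified=None, size=0, deleted=False):
    """Build a constructed 32-byte entry for the demonstration below."""
    short = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    if deleted:
        short = bytes([DELETED_MARKER]) + short[1:]
    ctenths, ctime, cdate = 0, 0, 0
    if created:
        ctenths = created.microsecond // 10000 + (created.second % 2) * 100
        ctime, cdate = encode_fat_time(created), encode_fat_date(created)
    adate = encode_fat_date(accessed) if accessed else 0
    wtime = encode_fat_time(modified) if modified else 0
    wdate = encode_fat_date(modified) if modified else 0
    return short + struct.pack("<BxBHHHxxHHxxI", ATTR_ARCHIVE, ctenths, ctime, cdate,
                               adate, wtime, wdate, size)


# Constructed sample directory: one live file, one deleted file, then the end marker.
SAMPLE_DIRECTORY = (
    make_entry("REPORT", "DOC",
               created=datetime(1994, 3, 15, 9, 30, 1, 500000),
               accessed=date(1995, 1, 2),
               modified=datetime(1994, 6, 1, 17, 45, 10), size=24576)
    + make_entry("THESIS", "WP5", modified=datetime(1992, 11, 20, 8, 0, 0),
                 size=10240, deleted=True)
    + bytes(ENTRY_SIZE)
)

if __name__ == "__main__":
    for entry in parse_directory(SAMPLE_DIRECTORY):
        print(entry)
```

Two details are worth noting for archival work: FAT stores the modification time to two-second precision and the access time to the day, so apparent discrepancies of a second between tools are not evidence of tampering; and a deleted entry's size and first-cluster fields are what a carving tool uses to recover the contents from the unallocated clusters (requirement 12).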

Specific Requirements

Hardware 

  1. 5.25” floppy drive
  2. 3.5” floppy drive
  3. Jaz drive
  4. Zip drive
  5. CD drive
  6. DVD drive
  7. Blu-ray drive?
  8. Laser disc drive?
  9. Flash memory multi reader for:
    1. SD cards (Secure Digital)
    2. CompactFlash
    3. Memory Stick
    4. etc.
  10. USB drive

Software 

  1. BitCurator? (http://www.bitcurator.net/)
  2. FTK Imager or similar (http://accessdata.com/support/adownloads)
  3. HView 2000 or similar (freeware available from multiple download sites)
  4. Duke Data Accessioner or similar (http://library.duke.edu/uarchives/about/tools/data-accessioner.html)
  5. Conversions Plus or other software capable of converting documents created in obsolete word processing formats
  6. Adobe Acrobat Pro for creating pdf and pdf/a documents
  7. Adobe Photoshop or other image manipulation software
  8. File renaming program such as Better File Rename
  9. Beyond Compare (or similar) comparison program
  10. Oxygen or other XML editor?
