Setup
Digital Forensics for Archives
- Digital forensics covers a range of activities that aim to extract and preserve contextual information about digital content on external devices, like laptops, servers, drives, and even legacy devices like floppy disks and USB drives
- Digital forensics tools and techniques can help digital preservation work, particularly in maintaining information about original order, provenance, and chain of custody for digital objects
- Digital preservation workers, particularly archivists, have used digital forensics techniques and tools to record information about, process, and preserve digital content, and particularly to address content stored on legacy digital devices
Getting Started with BitCurator
- Use BitCurator as a helpful way to bundle together and run many tools useful to digital forensics that are appropriate to digital curation: tools that assist in creating trustworthy digital copies, provenance information, contextual data, and chain of custody information.
- You can use GuyMager to make disk images.
- BitCurator has things set up so you can use GuyMager as well as other tools that will document your transfer and copying processes.
Disk Imaging
- Digital forensic approaches can offer useful tools to digital curators in working with legacy removable media
- Important concepts include thinking beyond the file level and disk imaging
- The BitCurator environment offers a bundle of tools that are useful to digital curators
Reporting
- Some reports may be needed for contextualizing and using the disk images in other programs (DFXML).
- Some reports may be more for risk management and analyzing PII.
- Some may be more for preservation planning (file types).
- Some may be for general description (dates of creation, titles/names of files, users, or other topical information).
How you interpret any of these reports depends on the report and on what you want to get out of it. Some reports, like the bulk_extractor reports, are easier to read through. The DFXML, while “harder” to read, gives you all the checksums and a listing of what’s on a disk image, which can be good for checking fixity and can also help you determine whether you want to extract the files from the disk image.
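As an added example (not part of the original lesson or of BitCurator's own code), the Python sketch below reads the file listing and checksums out of a DFXML report and uses them for a fixity check on extracted files. The sample DFXML and file contents are constructed, and the function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample files standing in for content extracted from a disk image.
SAMPLE_FILES = {"letters/draft1.txt": b"Dear committee,\n", "notes.txt": b"call back\n"}

def build_sample_dfxml(files):
    """Build a small constructed DFXML document describing `files`."""
    ns = "http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML"
    parts = [f'<dfxml xmlns="{ns}">']
    for name, data in files.items():
        parts.append(
            f"<fileobject><filename>{name}</filename><filesize>{len(data)}</filesize>"
            f"<hashdigest type='sha1'>{hashlib.sha1(data).hexdigest()}</hashdigest>"
            "</fileobject>")
    return "".join(parts) + "</dfxml>"

def local(tag):
    """Drop the XML namespace prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def list_fileobjects(dfxml_text):
    """Return name, size and recorded digests for every fileobject."""
    entries = []
    for el in ET.fromstring(dfxml_text).iter():
        if local(el.tag) != "fileobject":
            continue
        entry = {"filename": None, "filesize": None, "hashes": {}}
        for child in el:
            text = (child.text or "").strip()
            if local(child.tag) == "filename":
                entry["filename"] = text
            elif local(child.tag) == "filesize":
                entry["filesize"] = int(text)
            elif local(child.tag) == "hashdigest":
                entry["hashes"][child.get("type", "").lower()] = text.lower()
        entries.append(entry)
    return entries

def check_fixity(entry, data, algo="sha1"):
    """Compare extracted bytes with the size and digest the report recorded."""
    recorded = entry["hashes"].get(algo)
    if recorded is None:
        return "no-hash"
    if entry["filesize"] is not None and entry["filesize"] != len(data):
        return "size-mismatch"
    return "ok" if hashlib.new(algo, data).hexdigest() == recorded else "hash-mismatch"

if __name__ == "__main__":
    for e in list_fileobjects(build_sample_dfxml(SAMPLE_FILES)):
        print(e["filename"], check_fixity(e, SAMPLE_FILES[e["filename"]]))
```

A "size-mismatch" or "hash-mismatch" result means the extracted copy no longer matches what the report recorded at imaging time, so the file should be re-extracted from the disk image before it is accessioned.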