Tuesday 30 August 2011

Forensic Workstation pt3

A guest posting from Nicola Herbert, Digital Project Preservation Assistant at Hull University Archives

Once we had the forensic workstation up and running (see part 1 and part 2 in this on-going series) we installed MS Office and Mozilla Thunderbird (for working with Outlook .pst files). We also installed FTK Imager, Karen’s Directory Printer, DROID and the MUSE e-mail visualisation tool (in beta, but provides a very interesting perspective on the data). We are also planning to purchase Quickview Plus, a piece of software that enables viewing a range of file formats without requiring the original software on your PC.

We had already played around with these tools on our normal PCs and had run them on files copied from digital media prior to setting up the workstation.

Having received our two Tableau write-blockers we were eager to combine the separate processes we had developed into an integrated workflow. We have two write-blockers, one for USB devices (T8-R2) and one for internal hard drives from PCs and laptops (T35es). Simon’s visit to Jeremy John at the British Library had whetted our appetite for getting our mini digital forensics lab in operation.

USB devices
After a thorough read-through of the instructions we tested out the USB write-blocker first. Setting it up is relatively simple; the vital thing is to make the connections between device and write-blocker, write-blocker and forensic PC before switching on power to the write-blocker. The forensic workstation recognises the USB device as normal, and off you go.

We then run FTK Imager to create a logical image of the device. We tested the various formats and settings available and eventually decided that creating true forensic images would raise too many trust issues with potential depositors with regard to us being able to restore deleted files. For this reason we will create ‘Folder contents only’ forensic images which recreate the device as it would appear in normal use. From here we are exploring our options for exporting the files from the disk image, but we have found that the exported files display an altered Accessed date – any comments/suggestions on this issue would be gratefully received.

We also create directory listings of the contents with MD5 and SHA-1 checksums. From the disk image and directory listing we can start to consider the arrangement for the collection, using Quickview Plus to preview file contents.

Our second write-blocker can be used with IDE and SATA hard drives...but more of this in part 4!
Posted by Hull History Centre at 15:58
Labels: , , ,

3 comments:

  1. Anonymous29 September 2011 at 10:15

    Hi Simon,

    I like the articles as they are very informative and I am interested to understand why you are using MD5 and SHA-1 checksums for directory listings of contents.

    Regards,
    Carl

    ReplyDelete
  2. Hull History Centre30 September 2011 at 06:48

    Carl

    thanks for the comments, glad you are enjoying the series, hopefully part 4 will be out in a few weeks!

    Just to clarify we generate the checksums for each file in the collection, with a view to using this information to allow us to verify the authenticity of the file and that the contents are exactly the same as we originally received it as any changes would produce a different hash value

    Simon

    ReplyDelete
  3. Anonymous9 April 2012 at 15:50

    Hello Simon,

    Thank you for sharing your experiences. Have you addressed the issue where files exported from the image in FTK Imager have an altered access date? I'm currently attempting to address this issue as well.

    Regards,
    Tracy

    ReplyDelete

Subscribe to: Post Comments (Atom)