Presentation is loading. Please wait.

Presentation is loading. Please wait.

Creighton Barrett Dalhousie University Archives

Published byShawn Barton Modified over 6 years ago

Similar presentations

Presentation on theme: "Creighton Barrett Dalhousie University Archives"— Presentation transcript:

1 Accessing the inaccessible: digital forensics at the Dalhousie University Archives
Creighton Barrett Dalhousie University Archives Council of Nova Scotia Archives Conference May 11, 2017

2 Overview Introduction to digital forensics in archival repositories
Development of Dalhousie’s digital forensics lab Forensic images Digital forensics tools and workflows Free digital forensics tools Ask questions any time! Digital forensics at the Dalhousie University Archives

3 What is digital forensics?
Forensic science – recovery and investigation of data found in digital storage devices Primarily used in criminal investigations, corporate investigations Archives are adopting digital forensics techniques to support acquisition, accessioning, preservation, and access Acquisition Identification Evaluation Admission Source: Infosec Institute, Digital Forensic Models (January 25, 2016): Digital forensics at the Dalhousie University Archives

4 Why have a digital forensics lab?
Source: Baker, M. (2017, May 2). Disks back from the dead. Nature, 545 (7652), 117–118. Digital forensics at the Dalhousie University Archives

5 Why have a digital forensics lab?
Archivists are now working with a wide variety of: Digital storage devices Computer file systems, operating systems, and software File formats Digital storage devices are unstable and data is at risk Supports archival mission to preserve authenticity and integrity of records Digital forensics at the Dalhousie University Archives

6 How are archives doing digital forensics work?
Use write-blockers to create forensic images Adopt forensic software (BitCurator or FTK or EnCase) Incorporate digital forensics tools and techniques into core archival functions New policy decisions (e.g., preserve forensic image or extract files?) Archival functions become blurred (e.g., files can be arranged before they are accessioned) Digital forensics at the Dalhousie University Archives

7 Timeline at Dalhousie February 2016 – Acquire forensic workstation
May – November 2016 – Digital archives collection assessment project: January 2017 – Install BitCurator and Forensic Toolkit (FTK) software February 2017 – Advanced computer forensics training May 2017 – Launch digital forensics lab April 2017 – Dal’s first time at BitCurator Users Forum Digital forensics at the Dalhousie University Archives

8 Digital forensics at the Dalhousie University Archives

9 Components of Digital Forensics Lab
Forensic tower Dual Intel Xeon processors 64 GB RAM Tableau T35689iu write-blocker AFT EX-S3 forensic card reader FTK software BitCurator software Digital forensics at the Dalhousie University Archives

10 Forensic images

11 What is a forensic image?
Complete (i.e., bit-level) copy of a hard drive or other digital storage media Includes unallocated space and slack space Includes operating system and file system Includes computer registry files, browser history, and other contextual information about how the computer was used Includes all files on the hard drive Digital forensics at the Dalhousie University Archives

12 Preserve information about the operating system and file system
Source: Power Data Recovery: The Volume does not contain a recognized file system – how to fix : Digital forensics at the Dalhousie University Archives

13 Preserve data in slack space / unallocated space
Overwrite zero with one = more like 0.95 Overwrite one with one = more like 1.05 Normal equipment will read both values as a one Digital forensics equipment makes it possible to determine what data exists in “slack space” and “unallocated space.” Digital forensics at the Dalhousie University Archives

14 Some differences between forensic and logical images
Forensic image Logical image Recovers operating system and file system Does not recover operating system and file system Potential for password recovery, decryption, etc. Almost no potential for password recovery, decryption, etc. Recover Internet search queries and form data Cannot recover Internet search queries and form data Size of entire hard drive, regardless of how many files are stored Size of files on hard drive Digital forensics at the Dalhousie University Archives

15

16 Digital forensics tools

17 Digital forensics at the Dalhousie University Archives

18 Digital forensics at the Dalhousie University Archives

19 Digital forensics at the Dalhousie University Archives

20

21

22

23

24 Digital forensics at the Dalhousie University Archives

25 Digital forensics workflows

26 Abstract digital forensics model
Identification Preparation Approach Strategy Preservation Collection Examination Analysis Presentation Returning Evidence Source: Infosec Institute, Digital Forensic Models (January 25, 2016): Digital forensics at the Dalhousie University Archives

27 Penn State University workflow
Digital forensics at the Dalhousie University Archives

28 Dalhousie University workflow (draft)
Very premature Does not factor staffing, roles and responsibilities, etc. Relates to other workflows in development (e.g., acquisitions, accessioning) Digital forensics at the Dalhousie University Archives

29 Forensic imaging workflow (BitCurator)
Digital forensics at the Dalhousie University Archives

30 Identify privacy concerns
Digital forensics at the Dalhousie University Archives

31 Bill Freedman fonds filtered in FTK
Description # of files Size Unfiltered All files in case 26,651,084 3,568 GB Primary status Duplicate File indicator IS “Primary” 731,417 83.48 GB Secondary status Duplicate File indicator IS “Secondary” 16,569,218 271.5 GB KFF Ignore Match all files where KFF status IS “Ignore” 2,548,119 44.29 GB No KFF Ignore Match all files where KFF status IS NOT “Ignore” + KFF status IS “Not checked” 24,102,965 3524 GB Primary status + No KFF Ignore Match all files where duplicate file indicator IS “Primary” + KFF status IS NOT “Ignore” 626,351 71.95 GB Actual files + Primary status + No KFF Ignore Match all disk-bound files where duplicate file indicator IS “Primary” + KFF status IS NOT “Ignore” 103,412 61.81 GB Digital forensics at the Dalhousie University Archives

32 Free digital forensics tools and resources – FTK Imager, BitCurator, and SleuthKit

33 FTK Imager (free download)
Create forensic images of source media Intended for use with hardware write blocker Preview, triage, and image Export, hash, convert Preview data Triage Create forensic images Export Hash Convert Digital forensics at the Dalhousie University Archives

34 FTK Imager (free download)
Imaging tool – create forensic images of mounted Preview tool – preview evidence to determine if further analysis is needed Export tool – quickly select and export files prior to performing full analysis of the disk image FTK Imager can open mounted drive, contents of a folder, or a forensic image FTK Imager cannot create image of a networked drive Digital forensics at the Dalhousie University Archives

35 FTK Imager – Create Image
Digital forensics at the Dalhousie University Archives

36 SleuthKit + Autopsy Images source: https://www.sleuthkit.org/
Digital forensics at the Dalhousie University Archives

37 SleuthKit + Autopsy SleuthKit is a collection of command line tools to investigate disk images Tools support the analysis of volume and file system data Autopsy is graphical user interface to SleuthKit and other digital forensics tools Digital forensics at the Dalhousie University Archives

38 Free resources Forensics wiki: http://forensicswiki.org/wiki/Main_Page
List of digital forensics tools: ools BitCurator wiki: Digital forensics at the Dalhousie University Archives

Download ppt "Creighton Barrett Dalhousie University Archives"

Similar presentations

Watching the Detectives Forensic Information in Digital Objects (FIDO)

Watching the Detectives Forensic Information in Digital Objects (FIDO)
GETTING BITS OFF DISKS Using Open Source Tools to Prepare Born-Digital Materials for Long-Term Preservation and Access To connect to the audio portion.

GETTING BITS OFF DISKS Using Open Source Tools to Prepare Born-Digital Materials for Long-Term Preservation and Access To connect to the audio portion.
Microsoft ® Official Course First Look Clinic Overview of Windows 8 By Ragowo Riantory, S.Kom, MCP.

Microsoft ® Official Course First Look Clinic Overview of Windows 8 By Ragowo Riantory, S.Kom, MCP.
Computer Forensics.

Computer Forensics.
Effective Discovery Techniques In Computer Crime Cases.

Effective Discovery Techniques In Computer Crime Cases.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
Transformations at GPO: An Update on the Government Printing Office's Future Digital System George Barnum Coalition for Networked Information December.

Transformations at GPO: An Update on the Government Printing Office's Future Digital System George Barnum Coalition for Networked Information December.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
Computer & Network Forensics

Computer & Network Forensics
X-Ways Trace Prepared By: Leen F. Arikat Supervisor: Dr. Lo’ai Tawalbeh.

X-Ways Trace Prepared By: Leen F. Arikat Supervisor: Dr. Lo’ai Tawalbeh.
COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.

COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.
COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.

COS/PSA 413 Day 16. Agenda Lab 7 Corrected –2 A’s, 1 B and 2 F’s –Some of you need to start putting more effort into these labs –I also expect to be equal.
COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.

COS/PSA 413 Day 15. Agenda Assignment 3 corrected –5 A’s, 4 B’s and 1 C Lab 5 corrected –4 A’s and 1 B Lab 6 corrected –A, 2 B’s, 1 C and 1 D Lab 7 write-up.
 Contents 1.Introduction about operating system. 2. What is 32 bit and 64 bit operating system. 3. File systems. 4. Minimum requirement for Windows 7.

 Contents 1.Introduction about operating system. 2. What is 32 bit and 64 bit operating system. 3. File systems. 4. Minimum requirement for Windows 7.
I have lost all my vacation pictures due to memory card corruption. Can I get them back? I have accidently deleted some important Photos, Music files.

I have lost all my vacation pictures due to memory card corruption. Can I get them back? I have accidently deleted some important Photos, Music files.
Applying Digital Forensic techniques to AIM Gareth Knight, FIDO Project Manager Anatomy Theatre & Museum, King’s College London 15 th August 2011.

Applying Digital Forensic techniques to AIM Gareth Knight, FIDO Project Manager Anatomy Theatre & Museum, King’s College London 15 th August 2011.
By Drudeisha Madhub Data Protection Commissioner Date: 12.08.14.

By Drudeisha Madhub Data Protection Commissioner Date:
Data Acquisition Chao-Hsien Chu, Ph.D.

Data Acquisition Chao-Hsien Chu, Ph.D.
COEN 252 Computer Forensics

COEN 252 Computer Forensics

Similar presentations

Ads by Google