Presentation is loading. Please wait.

Presentation is loading. Please wait.

Watching the Detectives Forensic Information in Digital Objects (FIDO)

Published bySamuel Munoz Modified over 10 years ago

Similar presentations

Presentation on theme: "Watching the Detectives Forensic Information in Digital Objects (FIDO)"— Presentation transcript:

1

2 Watching the Detectives Forensic Information in Digital Objects (FIDO)

3 KCL Facts 5 million archives (including artefacts, images, sound recordings and databases) 295,000 rare/special books Spans 6 centuries (most from 18 th Century onwards) Wide range of subjects, formats and languages Internationally and nationally recognised Whole collection valued at £81,000,000 Liddell Hart Centre for Military Archives and Foyle Special Collections library

4 Information Management Team Responsible for advice and support for: Content creation Active management during business use Retention for legal or business purposes Digital archiving and preservation

5 JISC FIDO Project 6 month project in 2011 Investigation of tools to aid data acquisition, file identification & process documentation Case study to report findings & lessons learnt Mapping of forensic terms to archival terms Address ethical issues of the approach Establish suitable computer hardware and tools to assist in newly defined digital acquisition process

6 Why digital forensics? Forensic investigation is an emerging profession developing tools that map user activity to legal admissibility standards Digital collections can be large and difficult to appraise – forensic tools can provide analysis of file characteristics and document what is done & when Forensic tools can provide contextual information such as a timeline or file types for initial appraisal Authenticity – Archivists need to capture authentic digital collections - forensic tools can support this process

7 Digital forensics vs Digital appraisal Different language – terms mean different things to each practitioner Confidence & skills – Digital archive skills are much closer to forensics or IT than traditional skills Forensics are dealing with potential crime scene – archivists work with the co-operation of the depositor Forensics want all available information including deleted documents & browser history whereas archivists may only have consent to take files defined by the donor

8 Ethical Issues Does the depositor know the collection? A forensic image will capture everything! Is e-mail included in the deposit? Do all family members agree to the deposit? Does the depositor own the copyright? Is there unpublished work that might be published after deposit? Are computers included or just their contents?

9 Technical Issues Data transfer or recovery Level of rights required for tasks Additional hardware/software familiarisation New skills for archives staff Redaction Finding new software for particular tasks

10 Data handling workflow Obtain data from depositor / donor Examine the acquired data to locate user generated content Appraise data to select data of potential value to the institution Transfer selected data into digital repository for curation & preservation

11 Data Acquisition Methods 1.File copy: Files are copied/moved from the donors media to AIM-owned storage, e.g. FTP, DVD-R, hard disk 2.Disk clone: Bit copy of files on source disk copied to mirror disk 3.Disk image: Bit copy of disk is created and stored as a file on other media. Different Hardware Different Media

12 12

13 13 Data held on digital media Types: –Operating system files, e.g. Windows has 30,000+ after fresh install –Software: Applications, utilities, games, etc. –Log data: Windows Registry, browser cache, cookies, temp files –User-generated content: Documents, images, sound, emails, etc. Data layers: 1.Active data: Information normally seen by Operating System 2.Inactive/residual data: deleted or modified data Deleted files located in unallocated space that have yet to be overwritten (retrieved using undelete application) Data fragments that contains information from a partially deleted file (retrieved through carving) Usefulness of Inactive data still to be seen

14 Active Data Analysis Common techniques: Navigate directory structure to get a feel for data files held on disk Search by: File name, e.g. *report* File type, e.g. *.doc, *.pdf, etc. Creation/modification date Content type, e.g. word usage File size Windows search does not identify everything investigation process leaves artefacts, e.g. thumbs.db behind

15 OS Forensic search interface for active files Sort by: Name, Folder, Size Type, Creation date, Modification date,

16 Recovering deleted files Recovering partial/complete files Undelete\File recovery software searches unallocated space and makes found files available. Recovering Data Fragments Data carving technique - raw bits of disk analysed to identify recognisable patterns that may indicate a data file, e.g. header/footer, semantic information. –Carving software designed to take a linear approach to locating data files – ineffective on fragmented disks –Creates Franken-Files! – incomplete files, large files containing info from multiple sources, extracts embedded images from PowerPoint's, etc

17

18 Keyword Search Scan the content of a disk, including all emails, documents and other text content, to locate a particular search term Commonly used by police to identify illegal content, e.g. bank numbers, telephone numbers Archival use: Does the disk contain reference to topic X? What trends may be identified in use of concept – when did term appear and disappear ?

19 Analysis of research behaviour Hard disk may contain other information: –Web sites visited/bookmarked for research –Chat logs indicating discussion with colleagues –Other digital media that may have been used to store data This may be useful for understanding researcher work process, but consider the ethical issues

20

21 Forensic Hardware 1) Desktop PC Intel Pentium Dual Core E5800 CPU (3.20Ghz) 2GB DDR 500GB HD Super multi DVD-RW (2) USB Write Blocker Prevents OS writing to connected devices (4) Kryoflux USB Floppy disk controller to enable attachment of disparate disk devices & forensic imaging (3) Drive enclosure Enables connection of internal ATA/SATA disks via USB

22 Access to digital collections Publication of summary guide Folder hierarchy to give overview of collection Ability of researchers to search across file lists/index to identify information Access to whole digital collection? Policy regarding number of files, what access, copies still to be determined

23 Next steps Working with desktop support to capture images Drafting new advice for depositors Encouraging depositors to deposit their digital records Working with College Senior staff to capture their personal papers and research data throughout their career Improving skills within the AIM team – especially Mac skills Preserving digital records in our collections

24 Thank you Lindsay Ould Information Manager and Digital Archivist E-mail: digital-archive@kcl.ac.uk

Download ppt "Watching the Detectives Forensic Information in Digital Objects (FIDO)"

Similar presentations

28 March 2003e-MapScholar: content management system The e-MapScholar Content Management System (CMS) David Medyckyj-Scott Project Director.

28 March 2003e-MapScholar: content management system The e-MapScholar Content Management System (CMS) David Medyckyj-Scott Project Director.
2 Forensic Information in Digital Objects (FIDO)

2 Forensic Information in Digital Objects (FIDO)
GETTING BITS OFF DISKS Using Open Source Tools to Prepare Born-Digital Materials for Long-Term Preservation and Access To connect to the audio portion.

GETTING BITS OFF DISKS Using Open Source Tools to Prepare Born-Digital Materials for Long-Term Preservation and Access To connect to the audio portion.
Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall

Copyright © 2014 Pearson Education, Inc. Publishing as Prentice Hall
File Management Chapter 3

File Management Chapter 3
Effective Discovery Techniques In Computer Crime Cases.

Effective Discovery Techniques In Computer Crime Cases.
E-Discovery for System Administrators Russell M. Shumway.

E-Discovery for System Administrators Russell M. Shumway.
An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.

An Introduction to Computer Forensics James L. Antonakos Professor Computer Science Department.
The art of effective persuasion - drafting a deposit agreement that covers born-digital material Simon Wilson, Acting University Archivist.

The art of effective persuasion - drafting a deposit agreement that covers born-digital material Simon Wilson, Acting University Archivist.
Guide to Computer Forensics and Investigations Fourth Edition

Guide to Computer Forensics and Investigations Fourth Edition
File Management Systems

File Management Systems
Computer & Network Forensics

Computer & Network Forensics
COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.

COS/PSA 413 Day 3. Agenda Questions? Blackboard access? Assignment 1 due September 3:35PM –Hands-On Project 1-2 and 2-2 on page 26 of the text Finish.
Application Software: Essentials for knowledge workers

Application Software: Essentials for knowledge workers
1 From Filing Cabinet to Desktop and Network: Records Management in N.C. State Government Ed Southern Government Records Branch N.C. Office of Archives.

1 From Filing Cabinet to Desktop and Network: Records Management in N.C. State Government Ed Southern Government Records Branch N.C. Office of Archives.
Advance evidence collection and analysis of web browser activity by Junhoon Oh David Rivera 11/7/2013 Digital Forensics.

Advance evidence collection and analysis of web browser activity by Junhoon Oh David Rivera 11/7/2013 Digital Forensics.
1 The Vietnam Center and Archive Stephen Maxner, Ph.D.

1 The Vietnam Center and Archive Stephen Maxner, Ph.D.
Applying Digital Forensic techniques to AIM Gareth Knight, FIDO Project Manager Anatomy Theatre & Museum, King’s College London 15 th August 2011.

Applying Digital Forensic techniques to AIM Gareth Knight, FIDO Project Manager Anatomy Theatre & Museum, King’s College London 15 th August 2011.
By Drudeisha Madhub Data Protection Commissioner Date: 12.08.14.

By Drudeisha Madhub Data Protection Commissioner Date:
August 14, 2015 Research data management – an introduction Slides provided by the DaMaRO Project, University of Oxford Research Services.

August 14, 2015 Research data management – an introduction Slides provided by the DaMaRO Project, University of Oxford Research Services.

Similar presentations

Ads by Google