Introduction

...

  • This page describes basic digital forensics workflows.

Data acquisition workflows

...

There are three basic workflows for acquiring data:

Workflow #1 – Forensic imaging for digital preservation backlog

Description:

  1. Add item to register of digital storage devices.
  2. Create forensic image.
  3. Transfer forensic image to digital backlog until further processing is scheduled.
  4. Delete image from local storage after transfer is validated.

Rationale: Select this workflow in cases where forensic processing is unscheduled. A secondary copy is not necessary if forensic processing is unscheduled. The primary image can be transferred to digital backlog and a copy can be transferred back to the Forensics Lab when processing is scheduled.

Workflow #2 – Forensic processing (small cases)

Description: Create two copies of forensic image and keep both copies on forensic tower while processing one version of the image.

  1. Add items to register of digital storage devices.
  2. Create forensic images.
  3. Ingest images into FTK.
  4. Select files from forensic images.
  5. Export selected files.
  6. Package files and ingest into digital preservation system.

Rationale: Select this workflow in cases where forensic processing is scheduled and the total storage requirements for primary and secondary copies of forensic images do not exceed 1 TB. A secondary copy is necessary anytime forensic processing takes place but, with cases that involve less than 500 GB of data, the secondary copy can usually be stored on local RAID storage until processing is complete. This protects the primary copy and reduces unnecessary data transfer.

Workflow #3 – Forensic processing (large cases)

Description:

  • Add items to Register of Digital Storage Devices.
  • Create forensic images.
  • Ingest images into FTK.
  • Select files from forensic images.
  • Export selected files.
  • Package files and ingest into digital preservation system.

Create two copies of forensic image, transfer copy to digital backlog before processing primary image.

Rationale: Select this workflow in cases where forensic processing is scheduled and the total storage requirements for primary and secondary copies of forensic images exceed 1 TB. A secondary copy is necessary anytime forensic processing takes place but, with cases that involve more than 500 GB of data, the secondary copy will occupy too much space on local RAID storage.
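
Workflow #1 deletes the local image only after the transfer is validated. One way to implement that gate, as an added example that is not part of the original page: it assumes validation means comparing file size and SHA-256 digest between the local image and the backlog copy, and the file names are hypothetical.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path, chunk_size=1024 * 1024):
    """Stream a file through SHA-256 so large images never load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def delete_local_if_validated(local_image, backlog_copy):
    """Delete local_image only when backlog_copy is byte-identical.

    Returns (deleted, detail). The local image is kept on any failure.
    """
    if not os.path.isfile(backlog_copy):
        return False, "backlog copy missing"
    if os.path.getsize(local_image) != os.path.getsize(backlog_copy):
        return False, "size mismatch"
    local_hash = sha256_of(local_image)
    if local_hash != sha256_of(backlog_copy):
        return False, "hash mismatch"
    os.remove(local_image)
    return True, local_hash  # record the digest alongside the register entry


def demo():
    """Constructed sample: a stand-in image copied to a stand-in backlog."""
    with tempfile.TemporaryDirectory() as work:
        local = os.path.join(work, "item001.img")  # hypothetical name
        backlog = os.path.join(work, "backlog_item001.img")
        with open(local, "wb") as handle:
            handle.write(b"constructed sample image bytes" * 1000)
        shutil.copyfile(local, backlog)
        good = delete_local_if_validated(local, backlog)
        # Restore the local copy, then corrupt one byte of the backlog copy
        # to simulate a damaged transfer of identical length.
        shutil.copyfile(backlog, local)
        with open(backlog, "r+b") as handle:
            handle.write(b"X")
        bad = delete_local_if_validated(local, backlog)
        return good[0], bad, os.path.exists(local)


if __name__ == "__main__":
    print(demo())
```

The size comparison is only a cheap early exit; the digest comparison is what catches same-length corruption, as the second case in `demo()` shows.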

    Forensic imaging for digital preservation backlog

    ...