Versions Compared

Old Version 6

changes.mady.by.user Creighton Barrett

Saved on

compared with

New Version Current

changes.mady.by.user Creighton Barrett

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

There are two primary workflows for digital forensics

Table of Contents

Introduction

...

  • This page describes basic digital forensics workflows. 

Data acquisition workflows

...

There are three basic workflows for acquiring data:

WorkflowDescription
Bulk forensic
Rationale
Workflow #1 – Forensic imaging for digital preservation backlog
Create forensic images to support acquisition and preservation of born-digital archives. Transfer forensic images into
  1. Add item to register of digital storage devices.
  2. Create image.
  3. Transfer forensic image to digital backlog until further processing is scheduled
.

Collection-based forensics for archival processing and monetary appraisal

Create forensic images to support acquisition and archival processing of born-digital archives. Select files from forensic images and transfer files to ingest storage for transfer into digital preservation system.

...

  1. .
  2. Delete image from local storage after transfer is validated.
Select this workflow in cases where processing is unscheduled. A secondary copy is not necessary if processing is unscheduled. The primary image can be transferred to digital backlog and a copy can be transferred back to the Forensics Lab when processing is scheduled.

Workflow #2 – Forensic processing (small cases)

Create two copies of forensic image and keep both copies on forensic tower while processing one version of the image

  1. Add items to register of digital storage devices.
  2. Create image.
  3. Ingest images into FTK.
  4. Select files from forensic images.
  5. Export selected files.
  6. Package files and ingest into digital preservation system.
Select this workflow in cases where forensic processing is scheduled and total storage requirements for primary forensic images does not exceed 1 TB​. A secondary copy is necessary anytime forensic processing takes place but, with cases that involve less than 500 GB of data, the secondary copy can usually be stored on local RAID storage until processing is complete. This protects the primary copy and reduces unnecessary data transfer.

Workflow #3 – Forensic processing (large cases)


Create two copies of forensic image, transfer copy to digital backlog before processing​ primary image

Select this workflow in cases where forensic processing is scheduled and the total storage requirements for primary and secondary copies of forensic images exceeds 1 TB. 

A secondary copy is necessary anytime forensic processing takes place but, with cases that involve more than 500 GB of data, the secondary copy will occupy too much space on local RAID storage.

Forensic imaging for digital preservation backlog

...

  1. Add item to register of digital storage devices.

  2. Prepare item for forensic imaging.

  3. Use FTK Imager to create forensic disk image of item.

  4. Transfer forensic disk images image to Libraries' digital backlog storage for preservation until further processing.

  5. Delete local copy of forensic disk image after transfer validation.

  6. Update entry in register of digital storage devices.

...

Forensic processing (small cases)

...

  1. Add item to register of digital storage devices.

  2. Prepare item for forensic imaging.

  3. Use FTK Imager to create forensic image of item and create a secondary (i.e., local backup) copy of the forensic image.

  4. Update entry in register of digital storage devices.

  5. Create case in FTK.
    Load forensic image(s) into FTK
  6. Select an evidence processing profile.
  7. Add forensic image to case.

  8. Run additional analysis processing. Use a combination of tools to identify confidential and personal information.

  9. Create filters as necessary.

  10. Create labels to support archival appraisal decisions. For example: 

    1. Delete 
    2. Review for deletion
    3. Review for selection
    4. Review for selection (contains PII)
    5. Select for retention
    6. Select for retention (contains PII)

  11. Create
    12. word list based on selection criteria.
    Create
  12. hierarchical set of bookmarks to support archival arrangement:

    1. Fonds title
      1. Series title
        1. Sub-series title
      2. Series title

  13. Create word list based on archival appraisal guidelines.

  14. Use a combination of filters, searching, and browsing to identify select and select organize records for retention. Use labels and bookmarks to facilitate this process.
    Use a combination of tools to identify confidential and personal information.
  15. Use labels and bookmarks to facilitate this process.Use bookmarks to export files and metadata from FTK.

    1. Export files option
    2. Report option
    Transfer package to


  16. Package files into one or more "bags" that conform to the BagIt specification.

  17. Upload bag(s) to the Libraries' ingest storage for transfer .

  18. Transfer bag(s) into digital preservation system.

  19. Process transfer and generate AIPs. 

  20. Delete local backup data and FTK case after successful generation of AIPs.

Forensic processing (large cases)

...

Coming soon.

Workflows at other institutions

...

Princeton University Library, Department of Rare Books and Special Collections, "Born-Digital University Archives Workflows." https://rbsc.princeton.edu/workflows/born-digital/university-archives.