Digital Forensics: Advanced

Are you starting to receive disks as parts of collections or have you discovered disks in boxes of paper records? Caring for the records stored on removable storage media (e.g., floppy disks, hard drives, thumb drives, memory sticks, and CDs) requires archivists to extract whatever useful information resides on the medium while avoiding the accidental alteration of data or metadata. In this course, you’ll learn how to apply existing digital forensics methods and tools in order to recover, preserve, and ultimately provide access to born-digital records. We’ll explore the layers of hardware and software that allow bitstreams on digital media to be read as files, the roles and relationships of these layers, and tools and techniques for ensuring the completeness and evidential value of data. We’ll apply digital forensics tools and methods to test data in order to illustrate how and why they are used.

Note: This course includes exercises with open-source tools in the BitCurator environment. BitCurator is distributed both as a virtual machine and as an installable ISO image.

______________________________________________________________________________

Students must be prepared to bring a laptop to the course with the following software already installed. (All software programs are free.) iPads and other tablet devices will NOT be able to perform the hands-on tasks, as these devices do not have adequate resources or allow the level of user control required to run the associated software.

Follow the appropriate downloads for your environment (Windows, macOS, or Linux) at:

• VirtualBox: https://www.virtualbox.org/wiki/Downloads
• Important - after downloading and installing VirtualBox, you must return to the link above, download the “VirtualBox Extension Pack”, and double-click on the downloaded file to install it.
• BitCurator: https://github.com/BitCurator/bitcurator-distro/wiki/Releases (scroll down to “Pre-Built VirtualBox VM” and click on the “BitCurator Virtual Machine” link to download). The page linked above contains a link to the BitCurator 2.2.x Quick Start Guide which provides detailed instructions on extracting and starting the virtual machine.

On certain PC laptops, when you first run the BitCurator VM, you may encounter an error message indicating that VT-x is not enabled or that you need to update your BIOS. If this happens, you will need to reboot the machine, enter the BIOS (usually by holding down "Del", "Esc", or a specific function key), and enable the Intel Virtualization extensions. If the BIOS is locked on your work laptop, you will need assistance from your local admin. It is important to ensure you are able to successfully boot the BitCurator VM prior to attending the course. For online courses, the time available to diagnose hardware and software issues during the session will be extremely limited.

For Windows 10 and Windows 11 users:

• Hex editing and hash generation software: HexEd.it (online, no install required)
• ISO mounting software: OSFMount
• Forensic imaging software: FTK Imager (be sure to use the free program called FTK IMAGER and NOT the full commercial suite of tools called FTK (Forensic Toolkit)
• Optional additional cryptographic hashing (MD5/SHA) software: FileVerifier++

For Macintosh users:

• Hex editing and hash generation software: HexEd.it (online, no install required)
• How to mount an ISO in macOS
• Forensic imaging software: Run the BitCurator VM and use Guymager
• Optional additional cryptographic hashing (MD5/SHA) software: Quickhash-GUI (or use the Mac OSX command-line utility "md5")
• You can also run all the Windows tools on your Mac by using WINE or Windows in a virtual machine; this is optional, and not required for successful completion of the course.

This course builds on others in the Digital Archives Specialist (DAS) curriculum, including Basics of Managing Digital Records, Digital Records—The Next Step, Thinking Digital, Accessioning and Ingest of Digital Records, and Metadata Overview for Archivists.