Digital Forensics: Advanced

Certificate Eligibility:

DAS

Credits:

10 ARC, 1.5 CEU

Length:

2 days

Format:

In-Person

Max Attendees:

35

Tier:

Tools and Services

ACE Category:

Preservation and Protection

Description:

Are you starting to receive disks as parts of collections or have you discovered disks in boxes of paper records? Caring for the records stored on removable storage media (e.g., floppy disks, hard drives, thumb drives, memory sticks, and CDs) requires archivists to extract whatever useful information resides on the medium while avoiding the accidental alteration of data or metadata. In this course, you’ll learn how to apply existing digital forensics methods and tools in order to recover, preserve, and ultimately provide access to born-digital records. We’ll explore the layers of hardware and software that allow bitstreams on digital media to be read as files, the roles and relationships of these layers, and tools and techniques for ensuring the completeness and evidential value of data. We’ll apply digital forensics tools and methods to test data in order to illustrate how and why they are used.

Note: This course includes exercises with open-source tools in the BitCurator environment. BitCurator is distributed both as a virtual machine and as an installable ISO image.

Students must be prepared to bring a laptop to the course with the following software already installed. (All software programs are free.) iPads and other tablet devices will NOT be able to perform the hands-on tasks, as these devices do not have adequate resources or allow the level of user control required to run the associated software.

Follow the appropriate downloads for your environment at:

VirtualBox: https://www.virtualbox.org/wiki/Downloads
BitCurator: http://wiki.bitcurator.net/

On certain PC laptops, when you first run the BitCurator VM, you may encounter an error message indicating that VT-x is not enabled or that you need to update your BIOS. If this happens, you will need to reboot the machine, enter the BIOS (usuallly by holding down the "Del", "Esc", or "ThinkPad" key), and enable the Intel Virtualization extensions. If your BIOS is locked, you will need the assistance of your local admin.

For Windows 7/8 users:

Hex editing software: Cygnus Hex Editor
ISO mounting software: OSFMount
Forensic imaging software: FTK Imager (be sure to use the free program called FTK IMAGER and NOT the full commercial suite of tools called FTK (Forensic Toolkit)
Cryptographic hashing (MD5/SHA) software: FileVerifier++

For Macintosh users:

Hex editing software: HexFiend
Learn how to mount an ISO in Mac
Forensic imaging software: FTK Imager GUI (Beta) or command-line version of FTK Imager (alternatively, run the BitCurator VM and use Guymager)
Cryptographic hashing (MD5/SHA) software: FF MD5Drop (or use the Mac OSX command-line utility "md5")
You can also run all the Windows tools on your Mac by using WINE or Windows in a virtual machine.

Learning Outcomes:

Explain the roles and relationships between the main layers of technology required to read a string of bits off of a physical storage medium and treat it as a file

Identify various forms of data that may be "hidden" on the physical storage medium

Use write blockers and create disk images in order to prevent accidental manipulation of volatile data

Identify and extract the data that a file system uses to manage files

Apply digital forensics tools and methods to collections of records

Identify and compare alternative strategies for providing public access to data from disk images

Who Should Attend:

Archivists, manuscript curators, librarians, and others who are responsible for acquiring or transferring collections of digital materials, particularly those that are received on removable media

What You Should Already Know:

Participants are expected to know basic archival practice and have intermediate knowledge of computers and digital records management.

This course builds on others in the Digital Archives Specialist (DAS) curriculum, including Basics of Managing Electronic Records, Electronic Records—The Next Step, Thinking Digital, Accessioning and Ingest of Electronic Records, and Metadata Overview for Archivists.

DAS Core Competency:

1. Explain the nature of digital records and their lifecycle.

3. Formulate strategies and tactics for appraising, acquiring, describing, managing, organizing, preserving, and delivering digital archives.

4. Incorporate technologies throughout the archival lifecycle.

6. Employ standards and best practices in the management of digital archives.

7. Design a defined set of services for designated community.

Instructor(s):

Christopher (Cal) Lee

Kam Woods

Martin Gengenbach

Matthew Farrell

Reviews:

"Understanding the underlying structure of data and BitCurator's role in data triage and digital forensics was thorough and greatly informative. Seeing both the small and big picture helped a lot."

"The hands-on experience working with BitCurator was really very valuable. While learning the computer science behind the forensics is a necessary basis, I really take these courses to learn how this is applicable to MY daily job. Especially with someone like Cal Lee there to offer first-hand instruction with the software, this was easily one of the most beneficial DAS courses I've taken."

"The ethical discussions at the end of the course were excellent. It allowed us to sink our teeth into what we had learned and discuss real world application. It was very useful to be introduced to the variety of tools available for download and to learn how we might use them."

Education