Digital Forensics: Fundamentals

The field of digital forensics often evokes imagery of prime-time television crime dramas. But what is it, and how can archivists put digital forensics tools and processes to use in their home institutions? Archivists are more likely than ever to be confronted with collections containing removable storage media (e.g., floppy disks, hard drives, thumb drives, memory sticks, and CDs). Storage media analysis and disk imaging using digital forensics methods can help us transfer, accession, appraise, describe, and even provide access to digital archives, depending on the nature of the content. Digital forensics techniques allow archivists to extract whatever useful information resides on the medium while avoiding the accidental alteration of data or metadata, providing information that can be used throughout the processing workflow. They allow archivists to appraise content that is not compatible with modern operating systems and computers. They allow curators to capture an artist or donor’s working environment, and to replay this environment back to users via emulation.

A basic understanding of how computers store data, what a file system is, and when to use forensics techniques are necessary foundations for getting started. In this course, you’ll explore the layers of hardware and software that allow bitstreams on digital media to be read as files, the roles and relationships of these layers, and interactive tools and techniques for interacting with files at each layer. You’ll learn about what disk imaging is, when you might use it, and tools that you can use.

This course is specifically designed as a precursor and prerequisite to the two-day Digital Forensics for Archivists: Advanced DAS course. Creating a disk image, along with troubleshooting and other activities that build on this knowledge, occur in the Advanced course. Students will not need any special software to complete this course.