SlideShare a Scribd company logo

fiwalk With Me: Building Emergent Pre-Ingest Workflows for Digital Archival Records using Open Source Forensic Software

Mark Matienzo, profile picture
Mark Matienzo

This document discusses using open source digital forensics software to develop pre-ingest workflows for processing born-digital archival records. It proposes applying the digital investigation process model to analyze volume and file system metadata during accessioning. Specific tools mentioned include dd, AFF, The Sleuth Kit, and related utilities for disk imaging, extracting metadata and files to mitigate risks and support long-term preservation of digital records.

News & PoliticsTechnology
Related topics:
Digital Forensics
1 of 40
Downloaded 53 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
fiwalk With Me: Building Emergent Pre-Ingest Workflows for Digital Archival Records using Open Source Forensic Software Mark A. Matienzo, Yale University Library Code4lib 2011 mark@matienzo.org http://matienzo.org/ @anarchivist
Disclaimer The following presentation expresses opinions of my own and not of my employer, my coworkers, etc.
Digital forensics? http://www.flickr.com/photos/freeparking/480863346/
http://www.flickr.com/photos/johnjack/3449280414
Locard’s exchange principle
Key Works urn:isbn:978-0201634976 urn:isbn:978-0321268174 urn:isbn:978-1932326376
http://www.flickr.com/photos/bjornmeansbear/4662232392/
Design Principles •Use digital forensics software and methodology to support accessioning of born-digital archival records •Mitigate risk of media deterioration and obsolescence •Prefer open source solutions whenever possible •Integrate into a larger, but yet-to-be-defined workflow •Use curation micro-services a guiding philosophy for implementation and further analysis
Applied Methodology •Use Carrier’s (2005) model of the digital investigation process: Preservation Searching Reconstruction •Volume and file system as main areas for analysis •Assume much of the state is already lost •Methods should approach or intend forensic soundness •Ethical issues (as raised in CLIR report) are out of scope
Mitigate Risk http://www.flickr.com/photos/moparx/4013824025/
A Larger Workflow Phys. format inventory Detailed inventory Create desc metadata Enforce restrictions Document rcrdkeeping Disk imaging Intellectual/phys. arr. Add supplemental systems File format survey Lump/split dig.objects desc./annotations Draft submission agmt Assess access reqmts Declare rights/access Use viewers as needed Gather contextual info Complete submission restrictions Log use/access agreement w/ source Develop access tools Assess preserv. needs Migrate selected recs Collection Selection Selection Arrangement & Selection Accessioning Access development description Preservation Migrate objects/files JHOVE/DROID reports Checksum verification Emulation/virt. env. Physical & network media Preservation Dissemination Working storage storage storage
Open Source Forensics •Digital forensics is a high-stakes market •Proprietary forensics software is not easily extensible •Proprietary forensics software is often platform-specific •Cultural heritage institutions are still an emerging market for digital forensics •Our needs are different and still being defined
Microservices as Philosophy http://www.flickr.com/photos/gregmote/2797330534
Principles Preferences Practices • Granularity • Small and simple over • Define, decompose, large and complex recurse • Orthogonality • Minimally sufficient over • Top down design, bottom feature-laden up implementation • Parsimony • Configurable over the • Code to interfaces prescribed • Evolution • The proven over the • Sufficiency through a merely novel series of incrementally necessary steps • Outcomes over means UC Curation Center/California Digital Library, “UC3 Curation Foundations” https://confluence.ucop.edu/download/attachments/13860983/UC3-Foundations-latest.pdf
Accessioning Workflow Start accessioning Write-protect media Verify image process Media Record identifying Extract filesystem- Disk Meta- Retrieve media characteristics of and file-level images data media as metadata metadata Transfer package Package images Assign identifiers to Ingest transfer Create image and metadata for media package ingest Media FS/File Document Disk MD MD accessioning image process End accessioning process
Implementation http://www.flickr.com/photos/generated/2084287794/
Disk Imaging •dd: creates raw images •Related implementations: dc3dd, dcfldd, dd_rescue •Fast, but no mechanism to store imaging metadata •Advanced Forensic Format (AFF)/AFFLib •Cross platform, reasonably fast •Can store arbitrary metadata •Plenty of GUI-based imaging tools
AFF File Structure Garfinkel et al. 2006 (http://nrs.harvard.edu/urn-3:HUL.InstRepos:2829932), p. 27
Accessioning Workflow Start accessioning Write-protect media Verify image F process Media AF Record identifying Extract filesystem- Disk Meta- Retrieve media characteristics of and file-level images data F media as metadata metadata Transfer package AF Package images Assign identifiers to Ingest transfer Create image and metadata for media package ingest F AF Media FS/File Document Disk MD MD accessioning image process End accessioning process
The Sleuth Kit •Open source C library, command line tools, and browser- based Perl application (Autopsy) for forensic analysis •Supports analysis of NTFS, FAT, HFS+, Ext2/3, UFS1/2 •Splits tools into layers: volume system, file system, file name, metadata, data unit (“block”) •Additional utilities to sort and post-process extracted metadata
Extracting Metadata & Files $ fls -m A: -a -f fat 2004-M-008.0018.aff 0|A:/_ublist1.wpd (deleted)|3|r/rrwxrwxrwx|0|0|202152|982818000|982881052|0|982881114 0|A:/publist.wpd|4|r/rrwxrwxrwx|0|0|202119|1285041600|982963054|0|982963226 0|A:/publistwkg.wpd|7|r/rrwxrwxrwx|0|0|205607|1285041600|982963038|0|982963237 0|A:/$MBR|45779|v/v---------|0|0|512|0|0|0|0 0|A:/$FAT1|45780|v/v---------|0|0|4608|0|0|0|0 0|A:/$FAT2|45781|v/v---------|0|0|4608|0|0|0|0 0|A:/$OrphanFiles|45782|d/d---------|0|0|0|0|0|0|0 $ fls -m A: -a -f fat 2004-M-008.0018.aff | mactime Wed Dec 31 1969 19:00:00 202152 ..c. r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) 202119 ..c. r/rrwxrwxrwx 0 0 4 A:/publist.wpd 205607 ..c. r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Thu Feb 22 2001 00:00:00 202152 .a.. r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Thu Feb 22 2001 17:30:52 202152 m... r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Thu Feb 22 2001 17:31:54 202152 ...b r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Fri Feb 23 2001 16:17:18 205607 m... r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Fri Feb 23 2001 16:17:34 202119 m... r/rrwxrwxrwx 0 0 4 A:/publist.wpd Fri Feb 23 2001 16:20:26 202119 ...b r/rrwxrwxrwx 0 0 4 A:/publist.wpd Fri Feb 23 2001 16:20:37 205607 ...b r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Tue Sep 21 2010 00:00:00 202119 .a.. r/rrwxrwxrwx 0 0 4 A:/publist.wpd 205607 .a.. r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd $ icat 2004-M-008.0018.aff 4 | fido.sh - OK,110,x-fmt/44,WordPerfect for MS-DOS/Windows Document,WordPerfect for Windows 6.x - 12,202119,"STDIN" $ icat 2004-M-008.018.aff 4 > publist.wpd
Extracting Metadata & Files $ fls -m A: -a -f fat 2004-M-008.0018.aff 0|A:/_ublist1.wpd (deleted)|3|r/rrwxrwxrwx|0|0|202152|982818000|982881052|0|982881114 0|A:/publist.wpd|4|r/rrwxrwxrwx|0|0|202119|1285041600|982963054|0|982963226 0|A:/publistwkg.wpd|7|r/rrwxrwxrwx|0|0|205607|1285041600|982963038|0|982963237 0|A:/$MBR|45779|v/v---------|0|0|512|0|0|0|0 0|A:/$FAT1|45780|v/v---------|0|0|4608|0|0|0|0 0|A:/$FAT2|45781|v/v---------|0|0|4608|0|0|0|0 0|A:/$OrphanFiles|45782|d/d---------|0|0|0|0|0|0|0 $ fls -m A: -a -f fat ~/Desktop/2004-M-008/data/2004-M-008.0018.aff | mactime Wed Dec 31 1969 19:00:00 202152 ..c. r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) 202119 ..c. r/rrwxrwxrwx 0 0 4 A:/publist.wpd 205607 ..c. r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Thu Feb 22 2001 00:00:00 202152 .a.. r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Thu Feb 22 2001 17:30:52 202152 m... r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Thu Feb 22 2001 17:31:54 202152 ...b r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Fri Feb 23 2001 16:17:18 205607 m... r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Fri Feb 23 2001 16:17:34 202119 m... r/rrwxrwxrwx 0 0 4 A:/publist.wpd Fri Feb 23 2001 16:20:26 202119 ...b r/rrwxrwxrwx 0 0 4 A:/publist.wpd Fri Feb 23 2001 16:20:37 205607 ...b r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Tue Sep 21 2010 00:00:00 202119 .a.. r/rrwxrwxrwx 0 0 4 A:/publist.wpd 205607 .a.. r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd $ icat 2004-M-008.0018.aff 4 | fido.sh - OK,110,x-fmt/44,WordPerfect for MS-DOS/Windows Document,WordPerfect for Windows 6.x - 12,202119,"STDIN" $ icat 2004-M-008.018.aff 4 > publist.wpd
Extracting Metadata & Files $ fls -m A: -a -f fat 2004-M-008.0018.aff 0|A:/_ublist1.wpd (deleted)|3|r/rrwxrwxrwx|0|0|202152|982818000|982881052|0|982881114 0|A:/publist.wpd|4|r/rrwxrwxrwx|0|0|202119|1285041600|982963054|0|982963226 0|A:/publistwkg.wpd|7|r/rrwxrwxrwx|0|0|205607|1285041600|982963038|0|982963237 0|A:/$MBR|45779|v/v---------|0|0|512|0|0|0|0 0|A:/$FAT1|45780|v/v---------|0|0|4608|0|0|0|0 0|A:/$FAT2|45781|v/v---------|0|0|4608|0|0|0|0 0|A:/$OrphanFiles|45782|d/d---------|0|0|0|0|0|0|0 $ fls -m A: -a -f fat ~/Desktop/2004-M-008/data/2004-M-008.0018.aff | mactime Wed Dec 31 1969 19:00:00 202152 ..c. r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) 202119 ..c. r/rrwxrwxrwx 0 0 4 A:/publist.wpd 205607 ..c. r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Thu Feb 22 2001 00:00:00 202152 .a.. r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Thu Feb 22 2001 17:30:52 202152 m... r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Thu Feb 22 2001 17:31:54 202152 ...b r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Fri Feb 23 2001 16:17:18 205607 m... r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Fri Feb 23 2001 16:17:34 202119 m... r/rrwxrwxrwx 0 0 4 A:/publist.wpd Fri Feb 23 2001 16:20:26 202119 ...b r/rrwxrwxrwx 0 0 4 A:/publist.wpd Fri Feb 23 2001 16:20:37 205607 ...b r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Tue Sep 21 2010 00:00:00 202119 .a.. r/rrwxrwxrwx 0 0 4 A:/publist.wpd 205607 .a.. r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd $ icat 2004-M-008.0018.aff 4 | fido.sh - OK,110,x-fmt/44,WordPerfect for MS-DOS/Windows Document,WordPerfect for Windows 6.x - 12,202119,"STDIN" $ icat 2004-M-008.018.aff 4 > publist.wpd
Extracting Metadata & Files $ fls -m A: -a -f fat 2004-M-008.0018.aff 0|A:/_ublist1.wpd (deleted)|3|r/rrwxrwxrwx|0|0|202152|982818000|982881052|0|982881114 0|A:/publist.wpd|4|r/rrwxrwxrwx|0|0|202119|1285041600|982963054|0|982963226 0|A:/publistwkg.wpd|7|r/rrwxrwxrwx|0|0|205607|1285041600|982963038|0|982963237 0|A:/$MBR|45779|v/v---------|0|0|512|0|0|0|0 0|A:/$FAT1|45780|v/v---------|0|0|4608|0|0|0|0 0|A:/$FAT2|45781|v/v---------|0|0|4608|0|0|0|0 0|A:/$OrphanFiles|45782|d/d---------|0|0|0|0|0|0|0 $ fls -m A: -a -f fat ~/Desktop/2004-M-008/data/2004-M-008.0018.aff | mactime Wed Dec 31 1969 19:00:00 202152 ..c. r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) 202119 ..c. r/rrwxrwxrwx 0 0 4 A:/publist.wpd 205607 ..c. r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Thu Feb 22 2001 00:00:00 202152 .a.. r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Thu Feb 22 2001 17:30:52 202152 m... r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Thu Feb 22 2001 17:31:54 202152 ...b r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Fri Feb 23 2001 16:17:18 205607 m... r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Fri Feb 23 2001 16:17:34 202119 m... r/rrwxrwxrwx 0 0 4 A:/publist.wpd Fri Feb 23 2001 16:20:26 202119 ...b r/rrwxrwxrwx 0 0 4 A:/publist.wpd Fri Feb 23 2001 16:20:37 205607 ...b r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Tue Sep 21 2010 00:00:00 202119 .a.. r/rrwxrwxrwx 0 0 4 A:/publist.wpd 205607 .a.. r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd $ icat 2004-M-008.0018.aff 4 | fido.sh - OK,110,x-fmt/44,WordPerfect for MS-DOS/Windows Document,WordPerfect for Windows 6.x - 12,202119,"STDIN" $ icat 2004-M-008.018.aff 4 > publist.wpd
Extracting Metadata & Files $ fls -m A: -a -f fat 2004-M-008.0018.aff 0|A:/_ublist1.wpd (deleted)|3|r/rrwxrwxrwx|0|0|202152|982818000|982881052|0|982881114 0|A:/publist.wpd|4|r/rrwxrwxrwx|0|0|202119|1285041600|982963054|0|982963226 0|A:/publistwkg.wpd|7|r/rrwxrwxrwx|0|0|205607|1285041600|982963038|0|982963237 0|A:/$MBR|45779|v/v---------|0|0|512|0|0|0|0 0|A:/$FAT1|45780|v/v---------|0|0|4608|0|0|0|0 0|A:/$FAT2|45781|v/v---------|0|0|4608|0|0|0|0 0|A:/$OrphanFiles|45782|d/d---------|0|0|0|0|0|0|0 $ fls -m A: -a -f fat ~/Desktop/2004-M-008/data/2004-M-008.0018.aff | mactime Wed Dec 31 1969 19:00:00 202152 ..c. r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) 202119 ..c. r/rrwxrwxrwx 0 0 4 A:/publist.wpd 205607 ..c. r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Thu Feb 22 2001 00:00:00 202152 .a.. r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Thu Feb 22 2001 17:30:52 202152 m... r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Thu Feb 22 2001 17:31:54 202152 ...b r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Fri Feb 23 2001 16:17:18 205607 m... r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Fri Feb 23 2001 16:17:34 202119 m... r/rrwxrwxrwx 0 0 4 A:/publist.wpd Fri Feb 23 2001 16:20:26 202119 ...b r/rrwxrwxrwx 0 0 4 A:/publist.wpd Fri Feb 23 2001 16:20:37 205607 ...b r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Tue Sep 21 2010 00:00:00 202119 .a.. r/rrwxrwxrwx 0 0 4 A:/publist.wpd 205607 .a.. r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd $ icat 2004-M-008.0018.aff 4 | fido.sh - OK,110,x-fmt/44,WordPerfect for MS-DOS/Windows Document,WordPerfect for Windows 6.x - 12,202119,"STDIN" $ icat 2004-M-008.018.aff 4 > publist.wpd
Accessioning Workflow Start accessioning Write-protect media Verify image K process Media TS Record identifying Extract filesystem- Disk Meta- Retrieve media characteristics of and file-level images data media as metadata K metadata Transfer package TS Package images Assign identifiers to Ingest transfer Create image and metadata for media package ingest Media FS/File Document Disk MD MD accessioning image process End accessioning process
fiwalk •C++ program with Python module for processing images •Outputs results in plain text key/value pairs, XML, CSV, or ARFF (for Weka data mining software) •Developed to support automated forensic processing by breaking it into three steps: extract, represent, process •Pluggable file-level metadata extraction (expects key/ value pairs) •Makes development easy and fast
Sample fiwalk Output <?xml version='1.0' encoding='UTF-8'?> <fiwalk xmloutputversion='0.3'> <metadata> <!-- metadata about the disk image --> <creator> <!-- fiwalk provenance metadata (runtime environment, etc.) --></creator> <source> <image_filename>2004-M-008.dd-0018.001</image_filename> </source> <!-- fs start: 0 --> <volume offset='0'> <!-- volume metadata --> <fileobject> <filename>_ublist1.wpd</filename> <!-- more metadata about specific files within the image --> </fileobject> <fileobject/><!-- one for each file --> </volume> <runstats> <!-- runtime statistics --> </runstats> </fiwalk>
Sample fiwalk Output <fileobject> <filename>_ublist1.wpd</filename> <partition>1</partition> <id>1</id> <name_type>r</name_type> <filesize>202152</filesize> <unalloc>1</unalloc> <used>1</used> <inode>3</inode> <meta_type>1</meta_type> <mode>511</mode> <nlink>0</nlink> <uid>0</uid> <gid>0</gid> <mtime>982881052</mtime> <atime>982818000</atime> <crtime>982881114</crtime> <libmagic>(Corel/WP)</libmagic> <byte_runs> <run file_offset='0' fs_offset='16896' img_offset='16896' len='512'/> </byte_runs> <hashdigest type='md5'>d7bc22242c0a88fd8b68712980d5ab28</hashdigest> <hashdigest type='sha1'>64bf2bdf82e33fcda50158804483ac611e753db5</hashdigest> </fileobject>
Accessioning Workflow Start accessioning Write-protect media Verify image process Media Record identifying Extract filesystem- Disk Meta- Retrieve media characteristics of and file-level images data media as metadata al k metadata Transfer package fiw Package images Assign identifiers to Ingest transfer Create image and metadata for media package ingest Media FS/File Document Disk MD MD accessioning image process End accessioning process
Why fiwalk? •Faster (and more forensically sound) to extract metadata once rather than having to keep processing an image •Develop better assessments during accessioning process (directory structure significant? timestamps accurate?) •fiwalk’s output is something like a METS structMap •Building non-invasive assessment tools takes less time
http://www.flickr.com/photos/cdrummbks/4574882817/
Gumshoe •Prototype application •Blacklight (Ruby on Rails + Solr) & Python indexing code •Indexing code works with fiwalk output or directly over a disk image (using fiwalk’s Python bindings) •Populates Solr index with all file-level metadata from fiwalk and text strings extracted from files •Code at http://github.com/anarchivist/gumshoe •Demo at http://xgumshoex.heroku.com/
Future Directions http://www.flickr.com/photos/87913776@N00/5129662279/
AFF4 •Emerging format, with tools still under development •Better for a distributed environment •Friendlier to micro-services philosophy •Clearer object and metadata model (RDF-based) •Container format is Zip64 •Cohen and Schatz 2010 (doi:10.1016/j.diin.2010.05.015) show hash based imaging as a more efficient alternative
Sample AFF4 Metadata @prefix D1: <urn:aff4:652e4027-27fab2941> @prefix G1: <urn:aff4:19857a87-a190b2f87> @prefix G2: <urn:aff4:0a1fc78a-927bfacef> @prefix S1: <urn:aff4:652e4027-ffff01199> @prefix I1: <urn:aff4:9003027a-11199ffff> @prefix aff4: <http://afflib.org/2009/aff4/#> @prefix dcterms: <http://purl.org/dc/terms/> G1: { D1: aff4:serialNumber "zx322o91" D1: aff4:hash "3897450fa18094b13"^^aff4:md5 } G2: { S1: aff4:name "aff4imager" S1: aff4:vendor <http://aff.org/> S1: aff4:asserts G1: S1: aff4:type aff4:AcquisitionTool. S1: aff4:version "0.2" I1: aff4:type aff4:Image. I1: aff4:hash "3897450fa18094b13"^^aff4:md5 I1: dcterms:creator S1: } Adapted from Schatz and Cohen 2010 (doi:10.1007/978-3-642-15506-2_16), pp. 234-236
Accessioning Workflow Start accessioning Write-protect media Verify image F 4 process Media AF Record identifying Extract filesystem- Disk Meta- Retrieve media characteristics of and file-level images data media as metadata metadata Transfer package F 4 AF Package images Assign identifiers to Ingest transfer Create image and metadata for media package ingest F 4 F 4 F 4 AF AF AF Media FS/File Document Disk MD MD accessioning image process End accessioning process
Further Toolsets http://www.flickr.com/photos/oskay/5369749968/
fiwalk With Me: Building Emergent Pre-Ingest Workflows for Digital Archival Records using Open Source Forensic Software
Thank You mark@matienzo.org http://matienzo.org/ twitter: @anarchivist This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.

More Related Content

PDF
Digital Forensics for Digital Archives
Mark Matienzo
 
PDF
Using and Developing with Open Source Digital Forensics Software in Digital A...
Mark Matienzo
 
PDF
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
Mark Matienzo
 
PDF
ArchivesSpace: Building a Next-Generation Archives Management Tool
Mark Matienzo
 
PDF
Secure multimedia
ambitlick
 
PPTX
Electronic Records
Michelle Belden
 
PDF
Oracle Distributed Document Capture
guest035a27
 
PPT
PRESERVATION Web archiving
Essam Obaid
 
Digital Forensics for Digital Archives
Mark Matienzo
 
Using and Developing with Open Source Digital Forensics Software in Digital A...
Mark Matienzo
 
Accessioning-Based Metadata Extraction and Iterative Processing: Notes From t...
Mark Matienzo
 
ArchivesSpace: Building a Next-Generation Archives Management Tool
Mark Matienzo
 
Secure multimedia
ambitlick
 
Electronic Records
Michelle Belden
 
Oracle Distributed Document Capture
guest035a27
 
PRESERVATION Web archiving
Essam Obaid
 

What's hot (15)

PDF
Scanning & document management
Gautam Ganguly
 
PDF
Hardware
prudent86
 
PDF
Data Loss Prevention de RSA
AEC Networks
 
PDF
Iw2415551560
IJERA Editor
 
PDF
Ronnie Oomen (EMC)
Evy Van Rompay
 
KEY
Advanced modelling made simple with the Gmodel metalanguage
Jorn Bettin
 
PDF
UML Profile for DDS
Angelo Corsaro
 
PDF
SANsymphony V
TTEC
 
PPTX
Linked data and the LOCAH project ILI2011
Bethan Ruddock
 
PPTX
NCompass Live: Digital Preservation, Part 2: Storage and Protection
Nebraska Library Commission
 
PDF
IBM Tivoli Storage Productivit Center overview and update
Tony Pearson
 
PPTX
Eudat user forum-london-11march2013-biovel-v3
Alex Hardisty
 
PDF
Lec7
Tin Quang
 
PDF
Dig c curr
National Library of Australia
 
PPT
Ch12
NagellaRanjithKumar
 
Scanning & document management
Gautam Ganguly
 
Hardware
prudent86
 
Data Loss Prevention de RSA
AEC Networks
 
Iw2415551560
IJERA Editor
 
Ronnie Oomen (EMC)
Evy Van Rompay
 
Advanced modelling made simple with the Gmodel metalanguage
Jorn Bettin
 
UML Profile for DDS
Angelo Corsaro
 
SANsymphony V
TTEC
 
Linked data and the LOCAH project ILI2011
Bethan Ruddock
 
NCompass Live: Digital Preservation, Part 2: Storage and Protection
Nebraska Library Commission
 
IBM Tivoli Storage Productivit Center overview and update
Tony Pearson
 
Eudat user forum-london-11march2013-biovel-v3
Alex Hardisty
 
Lec7
Tin Quang
 
Dig c curr
National Library of Australia
 
Ch12
NagellaRanjithKumar
 
Ad

Viewers also liked (20)

PPTX
DiscoveringDH_ManagingDigitalProjects
Florida State University
 
PPTX
Let's Get Small: A Microservices Approach to Library Websites
MrDys
 
PDF
[Dpf manager] berlin workshop
TECNIO Centre EASY & Smart Cities Master
 
PDF
Adding MediaConch to Archivematica for mkv/ffv1 checking
Artefactual Systems - Archivematica
 
DOCX
cv (2)
ARUN GATTU
 
PPTX
Progress with FITS for analyzing video
prwheatley
 
PPT
Digital Preservation
Michael Day
 
PPTX
SHAREmodule3
Lynne Thomas
 
PPTX
HNI leeromgeving 05
fneggers
 
PPTX
HNI leeromgeving 04
fneggers
 
PPTX
Rebecca Grant - Collection creation, management and ingest
dri_ireland
 
PPTX
The lifecycle of a short story
Lynne Thomas
 
PPTX
HNI leeromgeving 02
fneggers
 
PPTX
Cultural heritage collections in a web 2
Lynne Thomas
 
PPT
Challenges & opportunities in the preservation of (digital) information: the ...
LIBER Europe
 
PPTX
Mapping the Digital Preservation Wilderness: What you need to know
Jody DeRidder
 
PPT
ENArC- international cooperation, current and past project activities - statu...
ICARUS - International Centre for Archival Research
 
PPTX
CNZ2013 Keynote | Trust in Digital Preservation | Natalie Harrower
dri_ireland
 
PPTX
SHAREmodule2
Lynne Thomas
 
PPTX
Character profiles
EllenorHandy
 
DiscoveringDH_ManagingDigitalProjects
Florida State University
 
Let's Get Small: A Microservices Approach to Library Websites
MrDys
 
[Dpf manager] berlin workshop
TECNIO Centre EASY & Smart Cities Master
 
Adding MediaConch to Archivematica for mkv/ffv1 checking
Artefactual Systems - Archivematica
 
cv (2)
ARUN GATTU
 
Progress with FITS for analyzing video
prwheatley
 
Digital Preservation
Michael Day
 
SHAREmodule3
Lynne Thomas
 
HNI leeromgeving 05
fneggers
 
HNI leeromgeving 04
fneggers
 
Rebecca Grant - Collection creation, management and ingest
dri_ireland
 
The lifecycle of a short story
Lynne Thomas
 
HNI leeromgeving 02
fneggers
 
Cultural heritage collections in a web 2
Lynne Thomas
 
Challenges & opportunities in the preservation of (digital) information: the ...
LIBER Europe
 
Mapping the Digital Preservation Wilderness: What you need to know
Jody DeRidder
 
ENArC- international cooperation, current and past project activities - statu...
ICARUS - International Centre for Archival Research
 
CNZ2013 Keynote | Trust in Digital Preservation | Natalie Harrower
dri_ireland
 
SHAREmodule2
Lynne Thomas
 
Character profiles
EllenorHandy
 
Ad

Similar to fiwalk With Me: Building Emergent Pre-Ingest Workflows for Digital Archival Records using Open Source Forensic Software (20)

PDF
Workshop 1 revised
peterchanws
 
PPT
Bit Level Preservation
Micah Altman
 
PDF
Securing Your Endpoints Using Novell ZENworks Endpoint Security Management
Novell
 
PDF
Wewebu customer success story California Dept. of Public Health
WeWebU Software AG
 
PDF
Tackling File Characterization and Analysis in Archivematica
Courtney Mumma
 
PPTX
Building a Data Discovery Network for Sustainability Science
Robert H. McDonald
 
PDF
Preservation Planning: Choosing a suitable digital preservation strategy
GarethKnight
 
PPTX
Lessons learned from the Digital Trenches: the experiences of two archivists ...
samalanmeister
 
PPTX
CYBER INTELLIGENCE &amp; RESPONSE TECHNOLOGY
jmical
 
PDF
OSS Presentation Keynote by Hal Stern
OpenStorageSummit
 
PDF
January 2006 Document Scanning Considerations Presentation
John Wang
 
PPTX
Open Digital Education Software Kit
ischool webboard
 
PPTX
Introduction to Pig
Prashanth Babu
 
PPT
354 ch1
Amanda Winona Batayola
 
PPTX
Resource space
Hai Dinh Tuan
 
PPT
KeepIt Course 4: Putting storage, format management and preservation planning...
JISC KeepIt project
 
PPSX
Saadallah vtls
Johannes Phaladi
 
PPTX
Pain points for preservation services / workflows in repositories
prwheatley
 
PDF
C P Doc Rev Story
Cp Docrev
 
PPTX
What to curate? Preserving and Curating Software-Based Art
neilgrindley
 
Workshop 1 revised
peterchanws
 
Bit Level Preservation
Micah Altman
 
Securing Your Endpoints Using Novell ZENworks Endpoint Security Management
Novell
 
Wewebu customer success story California Dept. of Public Health
WeWebU Software AG
 
Tackling File Characterization and Analysis in Archivematica
Courtney Mumma
 
Building a Data Discovery Network for Sustainability Science
Robert H. McDonald
 
Preservation Planning: Choosing a suitable digital preservation strategy
GarethKnight
 
Lessons learned from the Digital Trenches: the experiences of two archivists ...
samalanmeister
 
CYBER INTELLIGENCE &amp; RESPONSE TECHNOLOGY
jmical
 
OSS Presentation Keynote by Hal Stern
OpenStorageSummit
 
January 2006 Document Scanning Considerations Presentation
John Wang
 
Open Digital Education Software Kit
ischool webboard
 
Introduction to Pig
Prashanth Babu
 
354 ch1
Amanda Winona Batayola
 
Resource space
Hai Dinh Tuan
 
KeepIt Course 4: Putting storage, format management and preservation planning...
JISC KeepIt project
 
Saadallah vtls
Johannes Phaladi
 
Pain points for preservation services / workflows in repositories
prwheatley
 
C P Doc Rev Story
Cp Docrev
 
What to curate? Preserving and Curating Software-Based Art
neilgrindley
 

More from Mark Matienzo (11)

PDF
To Hell With Good Intentions: Linked Data and the Power to Name
Mark Matienzo
 
PDF
Linked Data and the Semantic Web in the Archival Context
Mark Matienzo
 
PPTX
Archival Sensemaking: Personal Digital Archiving as an Iteration
Mark Matienzo
 
PDF
Findability in the Flow: Discovery through Linking
Mark Matienzo
 
PDF
Learning to Take, Learning to Give: Linking as Repurposing Metadata
Mark Matienzo
 
PDF
EAD and MARC sitting in a tree: D-R-U-P-A-L
Mark Matienzo
 
ZIP
Online Presence and Participation
Mark Matienzo
 
PDF
Linked Data and Archival Description: Confluences, Contingencies, and Conflicts
Mark Matienzo
 
PDF
Cheeseburgers With Everything: Context, Content, and Connections in Archival ...
Mark Matienzo
 
PDF
Archives & the Semantic Web
Mark Matienzo
 
PDF
How I failed to present on using DVCS to control archival metadata
Mark Matienzo
 
To Hell With Good Intentions: Linked Data and the Power to Name
Mark Matienzo
 
Linked Data and the Semantic Web in the Archival Context
Mark Matienzo
 
Archival Sensemaking: Personal Digital Archiving as an Iteration
Mark Matienzo
 
Findability in the Flow: Discovery through Linking
Mark Matienzo
 
Learning to Take, Learning to Give: Linking as Repurposing Metadata
Mark Matienzo
 
EAD and MARC sitting in a tree: D-R-U-P-A-L
Mark Matienzo
 
Online Presence and Participation
Mark Matienzo
 
Linked Data and Archival Description: Confluences, Contingencies, and Conflicts
Mark Matienzo
 
Cheeseburgers With Everything: Context, Content, and Connections in Archival ...
Mark Matienzo
 
Archives & the Semantic Web
Mark Matienzo
 
How I failed to present on using DVCS to control archival metadata
Mark Matienzo
 

Recently uploaded (20)

DOC
证书结业SU毕业证,莫道克大学毕业证假学位证
enmytc
 
PDF
Mathura Sridharan's Appointment as Ohio Solicitor General Sparks Racist Backl...
New India Abroad
 
PDF
Conflict, Narrative and Media -An Analysis of News on Israel-Palestine Confli...
Md Miraj Hossain
 
PPTX
PPT on SardarPatel and Popular Media.pptx
SatishItagi2
 
PDF
Regional Media Representation of Kuki-Meitei Conflict - An Analysis of Peace ...
Md Miraj Hossain
 
PPTX
ASEANOPOL: The Multinational Police Force
DebbieArado2
 
PDF
The Blogs_ Hamas’s Deflection Playbook _ Andy Blumenthal _ The Times of Israe...
Andy (Avraham) Blumenthal
 
PDF
The Most Dynamic Lawyer to Watch 2025.pdf
lawoutlookmagazine
 
PDF
Theories of federalism showcasing india .pdf
saurabhbed31
 
PPTX
opher bryers alert -How Opher Bryer’s Impro.ai Became the Center of Israel’s ...
nathaniel leonard
 
PDF
JUDICIAL_ACTIVISM_CRITICAL_ANALYSIS in india.pdf
SaurabhGautam970232
 
PPTX
Bridging Horizons_ Indo-Thai Cultural and Tourism Synergy in a Competitive Asia.
hepburnindia
 
PDF
Executive an important link between the legislative and people
SaurabhGautam970232
 
PDF
05082025_First India Newspaper Jaipur.pdf
FIRST INDIA
 
DOCX
Breaking Now – Latest Live News Updates from GTV News HD
aawaz institute of media & management sciences
 
PDF
62 America is Mentally Ill 20.pdf Politicians Promoting Violence
Gerald Furnkranz
 
PPTX
Sir Creek Conflict: History and its importance
syedalaibabukhari9
 
PPTX
Precised New Precis and Composition 2025.pptx
MuhammadZahid846522
 
PPTX
Indian ancient knowledge system, ancient geopolitics
KushalK27
 
PDF
Role of federalism in the indian society
SaurabhGautam970232
 
证书结业SU毕业证,莫道克大学毕业证假学位证
enmytc
 
Mathura Sridharan's Appointment as Ohio Solicitor General Sparks Racist Backl...
New India Abroad
 
Conflict, Narrative and Media -An Analysis of News on Israel-Palestine Confli...
Md Miraj Hossain
 
PPT on SardarPatel and Popular Media.pptx
SatishItagi2
 
Regional Media Representation of Kuki-Meitei Conflict - An Analysis of Peace ...
Md Miraj Hossain
 
ASEANOPOL: The Multinational Police Force
DebbieArado2
 
The Blogs_ Hamas’s Deflection Playbook _ Andy Blumenthal _ The Times of Israe...
Andy (Avraham) Blumenthal
 
The Most Dynamic Lawyer to Watch 2025.pdf
lawoutlookmagazine
 
Theories of federalism showcasing india .pdf
saurabhbed31
 
opher bryers alert -How Opher Bryer’s Impro.ai Became the Center of Israel’s ...
nathaniel leonard
 
JUDICIAL_ACTIVISM_CRITICAL_ANALYSIS in india.pdf
SaurabhGautam970232
 
Bridging Horizons_ Indo-Thai Cultural and Tourism Synergy in a Competitive Asia.
hepburnindia
 
Executive an important link between the legislative and people
SaurabhGautam970232
 
05082025_First India Newspaper Jaipur.pdf
FIRST INDIA
 
Breaking Now – Latest Live News Updates from GTV News HD
aawaz institute of media & management sciences
 
62 America is Mentally Ill 20.pdf Politicians Promoting Violence
Gerald Furnkranz
 
Sir Creek Conflict: History and its importance
syedalaibabukhari9
 
Precised New Precis and Composition 2025.pptx
MuhammadZahid846522
 
Indian ancient knowledge system, ancient geopolitics
KushalK27
 
Role of federalism in the indian society
SaurabhGautam970232
 

fiwalk With Me: Building Emergent Pre-Ingest Workflows for Digital Archival Records using Open Source Forensic Software

  • 1. fiwalk With Me: Building Emergent Pre-Ingest Workflows for Digital Archival Records using Open Source Forensic Software Mark A. Matienzo, Yale University Library Code4lib 2011 mark@matienzo.org http://matienzo.org/ @anarchivist
  • 2. Disclaimer The following presentation expresses opinions of my own and not of my employer, my coworkers, etc.
  • 3. Digital forensics? http://www.flickr.com/photos/freeparking/480863346/
  • 6. Key Works urn:isbn:978-0201634976 urn:isbn:978-0321268174 urn:isbn:978-1932326376
  • 8. Design Principles •Use digital forensics software and methodology to support accessioning of born-digital archival records •Mitigate risk of media deterioration and obsolescence •Prefer open source solutions whenever possible •Integrate into a larger, but yet-to-be-defined workflow •Use curation micro-services a guiding philosophy for implementation and further analysis
  • 9. Applied Methodology •Use Carrier’s (2005) model of the digital investigation process: Preservation Searching Reconstruction •Volume and file system as main areas for analysis •Assume much of the state is already lost •Methods should approach or intend forensic soundness •Ethical issues (as raised in CLIR report) are out of scope
  • 11. A Larger Workflow Phys. format inventory Detailed inventory Create desc metadata Enforce restrictions Document rcrdkeeping Disk imaging Intellectual/phys. arr. Add supplemental systems File format survey Lump/split dig.objects desc./annotations Draft submission agmt Assess access reqmts Declare rights/access Use viewers as needed Gather contextual info Complete submission restrictions Log use/access agreement w/ source Develop access tools Assess preserv. needs Migrate selected recs Collection Selection Selection Arrangement & Selection Accessioning Access development description Preservation Migrate objects/files JHOVE/DROID reports Checksum verification Emulation/virt. env. Physical & network media Preservation Dissemination Working storage storage storage
  • 12. Open Source Forensics •Digital forensics is a high-stakes market •Proprietary forensics software is not easily extensible •Proprietary forensics software is often platform-specific •Cultural heritage institutions are still an emerging market for digital forensics •Our needs are different and still being defined
  • 13. Microservices as Philosophy http://www.flickr.com/photos/gregmote/2797330534
  • 14. Principles Preferences Practices • Granularity • Small and simple over • Define, decompose, large and complex recurse • Orthogonality • Minimally sufficient over • Top down design, bottom feature-laden up implementation • Parsimony • Configurable over the • Code to interfaces prescribed • Evolution • The proven over the • Sufficiency through a merely novel series of incrementally necessary steps • Outcomes over means UC Curation Center/California Digital Library, “UC3 Curation Foundations” https://confluence.ucop.edu/download/attachments/13860983/UC3-Foundations-latest.pdf
  • 15. Accessioning Workflow Start accessioning Write-protect media Verify image process Media Record identifying Extract filesystem- Disk Meta- Retrieve media characteristics of and file-level images data media as metadata metadata Transfer package Package images Assign identifiers to Ingest transfer Create image and metadata for media package ingest Media FS/File Document Disk MD MD accessioning image process End accessioning process
  • 17. Disk Imaging •dd: creates raw images •Related implementations: dc3dd, dcfldd, dd_rescue •Fast, but no mechanism to store imaging metadata •Advanced Forensic Format (AFF)/AFFLib •Cross platform, reasonably fast •Can store arbitrary metadata •Plenty of GUI-based imaging tools
  • 18. AFF File Structure Garfinkel et al. 2006 (http://nrs.harvard.edu/urn-3:HUL.InstRepos:2829932), p. 27
  • 19. Accessioning Workflow Start accessioning Write-protect media Verify image F process Media AF Record identifying Extract filesystem- Disk Meta- Retrieve media characteristics of and file-level images data F media as metadata metadata Transfer package AF Package images Assign identifiers to Ingest transfer Create image and metadata for media package ingest F AF Media FS/File Document Disk MD MD accessioning image process End accessioning process
  • 20. The Sleuth Kit •Open source C library, command line tools, and browser- based Perl application (Autopsy) for forensic analysis •Supports analysis of NTFS, FAT, HFS+, Ext2/3, UFS1/2 •Splits tools into layers: volume system, file system, file name, metadata, data unit (“block”) •Additional utilities to sort and post-process extracted metadata
  • 21. Extracting Metadata & Files $ fls -m A: -a -f fat 2004-M-008.0018.aff 0|A:/_ublist1.wpd (deleted)|3|r/rrwxrwxrwx|0|0|202152|982818000|982881052|0|982881114 0|A:/publist.wpd|4|r/rrwxrwxrwx|0|0|202119|1285041600|982963054|0|982963226 0|A:/publistwkg.wpd|7|r/rrwxrwxrwx|0|0|205607|1285041600|982963038|0|982963237 0|A:/$MBR|45779|v/v---------|0|0|512|0|0|0|0 0|A:/$FAT1|45780|v/v---------|0|0|4608|0|0|0|0 0|A:/$FAT2|45781|v/v---------|0|0|4608|0|0|0|0 0|A:/$OrphanFiles|45782|d/d---------|0|0|0|0|0|0|0 $ fls -m A: -a -f fat 2004-M-008.0018.aff | mactime Wed Dec 31 1969 19:00:00 202152 ..c. r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) 202119 ..c. r/rrwxrwxrwx 0 0 4 A:/publist.wpd 205607 ..c. r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Thu Feb 22 2001 00:00:00 202152 .a.. r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Thu Feb 22 2001 17:30:52 202152 m... r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Thu Feb 22 2001 17:31:54 202152 ...b r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Fri Feb 23 2001 16:17:18 205607 m... r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Fri Feb 23 2001 16:17:34 202119 m... r/rrwxrwxrwx 0 0 4 A:/publist.wpd Fri Feb 23 2001 16:20:26 202119 ...b r/rrwxrwxrwx 0 0 4 A:/publist.wpd Fri Feb 23 2001 16:20:37 205607 ...b r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Tue Sep 21 2010 00:00:00 202119 .a.. r/rrwxrwxrwx 0 0 4 A:/publist.wpd 205607 .a.. r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd $ icat 2004-M-008.0018.aff 4 | fido.sh - OK,110,x-fmt/44,WordPerfect for MS-DOS/Windows Document,WordPerfect for Windows 6.x - 12,202119,"STDIN" $ icat 2004-M-008.018.aff 4 > publist.wpd
  • 22. Extracting Metadata & Files $ fls -m A: -a -f fat 2004-M-008.0018.aff 0|A:/_ublist1.wpd (deleted)|3|r/rrwxrwxrwx|0|0|202152|982818000|982881052|0|982881114 0|A:/publist.wpd|4|r/rrwxrwxrwx|0|0|202119|1285041600|982963054|0|982963226 0|A:/publistwkg.wpd|7|r/rrwxrwxrwx|0|0|205607|1285041600|982963038|0|982963237 0|A:/$MBR|45779|v/v---------|0|0|512|0|0|0|0 0|A:/$FAT1|45780|v/v---------|0|0|4608|0|0|0|0 0|A:/$FAT2|45781|v/v---------|0|0|4608|0|0|0|0 0|A:/$OrphanFiles|45782|d/d---------|0|0|0|0|0|0|0 $ fls -m A: -a -f fat ~/Desktop/2004-M-008/data/2004-M-008.0018.aff | mactime Wed Dec 31 1969 19:00:00 202152 ..c. r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) 202119 ..c. r/rrwxrwxrwx 0 0 4 A:/publist.wpd 205607 ..c. r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Thu Feb 22 2001 00:00:00 202152 .a.. r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Thu Feb 22 2001 17:30:52 202152 m... r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Thu Feb 22 2001 17:31:54 202152 ...b r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Fri Feb 23 2001 16:17:18 205607 m... r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Fri Feb 23 2001 16:17:34 202119 m... r/rrwxrwxrwx 0 0 4 A:/publist.wpd Fri Feb 23 2001 16:20:26 202119 ...b r/rrwxrwxrwx 0 0 4 A:/publist.wpd Fri Feb 23 2001 16:20:37 205607 ...b r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Tue Sep 21 2010 00:00:00 202119 .a.. r/rrwxrwxrwx 0 0 4 A:/publist.wpd 205607 .a.. r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd $ icat 2004-M-008.0018.aff 4 | fido.sh - OK,110,x-fmt/44,WordPerfect for MS-DOS/Windows Document,WordPerfect for Windows 6.x - 12,202119,"STDIN" $ icat 2004-M-008.018.aff 4 > publist.wpd
  • 23. Extracting Metadata & Files $ fls -m A: -a -f fat 2004-M-008.0018.aff 0|A:/_ublist1.wpd (deleted)|3|r/rrwxrwxrwx|0|0|202152|982818000|982881052|0|982881114 0|A:/publist.wpd|4|r/rrwxrwxrwx|0|0|202119|1285041600|982963054|0|982963226 0|A:/publistwkg.wpd|7|r/rrwxrwxrwx|0|0|205607|1285041600|982963038|0|982963237 0|A:/$MBR|45779|v/v---------|0|0|512|0|0|0|0 0|A:/$FAT1|45780|v/v---------|0|0|4608|0|0|0|0 0|A:/$FAT2|45781|v/v---------|0|0|4608|0|0|0|0 0|A:/$OrphanFiles|45782|d/d---------|0|0|0|0|0|0|0 $ fls -m A: -a -f fat ~/Desktop/2004-M-008/data/2004-M-008.0018.aff | mactime Wed Dec 31 1969 19:00:00 202152 ..c. r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) 202119 ..c. r/rrwxrwxrwx 0 0 4 A:/publist.wpd 205607 ..c. r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Thu Feb 22 2001 00:00:00 202152 .a.. r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Thu Feb 22 2001 17:30:52 202152 m... r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Thu Feb 22 2001 17:31:54 202152 ...b r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Fri Feb 23 2001 16:17:18 205607 m... r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Fri Feb 23 2001 16:17:34 202119 m... r/rrwxrwxrwx 0 0 4 A:/publist.wpd Fri Feb 23 2001 16:20:26 202119 ...b r/rrwxrwxrwx 0 0 4 A:/publist.wpd Fri Feb 23 2001 16:20:37 205607 ...b r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Tue Sep 21 2010 00:00:00 202119 .a.. r/rrwxrwxrwx 0 0 4 A:/publist.wpd 205607 .a.. r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd $ icat 2004-M-008.0018.aff 4 | fido.sh - OK,110,x-fmt/44,WordPerfect for MS-DOS/Windows Document,WordPerfect for Windows 6.x - 12,202119,"STDIN" $ icat 2004-M-008.018.aff 4 > publist.wpd
  • 24. Extracting Metadata & Files $ fls -m A: -a -f fat 2004-M-008.0018.aff 0|A:/_ublist1.wpd (deleted)|3|r/rrwxrwxrwx|0|0|202152|982818000|982881052|0|982881114 0|A:/publist.wpd|4|r/rrwxrwxrwx|0|0|202119|1285041600|982963054|0|982963226 0|A:/publistwkg.wpd|7|r/rrwxrwxrwx|0|0|205607|1285041600|982963038|0|982963237 0|A:/$MBR|45779|v/v---------|0|0|512|0|0|0|0 0|A:/$FAT1|45780|v/v---------|0|0|4608|0|0|0|0 0|A:/$FAT2|45781|v/v---------|0|0|4608|0|0|0|0 0|A:/$OrphanFiles|45782|d/d---------|0|0|0|0|0|0|0 $ fls -m A: -a -f fat ~/Desktop/2004-M-008/data/2004-M-008.0018.aff | mactime Wed Dec 31 1969 19:00:00 202152 ..c. r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) 202119 ..c. r/rrwxrwxrwx 0 0 4 A:/publist.wpd 205607 ..c. r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Thu Feb 22 2001 00:00:00 202152 .a.. r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Thu Feb 22 2001 17:30:52 202152 m... r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Thu Feb 22 2001 17:31:54 202152 ...b r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Fri Feb 23 2001 16:17:18 205607 m... r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Fri Feb 23 2001 16:17:34 202119 m... r/rrwxrwxrwx 0 0 4 A:/publist.wpd Fri Feb 23 2001 16:20:26 202119 ...b r/rrwxrwxrwx 0 0 4 A:/publist.wpd Fri Feb 23 2001 16:20:37 205607 ...b r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Tue Sep 21 2010 00:00:00 202119 .a.. r/rrwxrwxrwx 0 0 4 A:/publist.wpd 205607 .a.. r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd $ icat 2004-M-008.0018.aff 4 | fido.sh - OK,110,x-fmt/44,WordPerfect for MS-DOS/Windows Document,WordPerfect for Windows 6.x - 12,202119,"STDIN" $ icat 2004-M-008.018.aff 4 > publist.wpd
  • 25. Extracting Metadata & Files $ fls -m A: -a -f fat 2004-M-008.0018.aff 0|A:/_ublist1.wpd (deleted)|3|r/rrwxrwxrwx|0|0|202152|982818000|982881052|0|982881114 0|A:/publist.wpd|4|r/rrwxrwxrwx|0|0|202119|1285041600|982963054|0|982963226 0|A:/publistwkg.wpd|7|r/rrwxrwxrwx|0|0|205607|1285041600|982963038|0|982963237 0|A:/$MBR|45779|v/v---------|0|0|512|0|0|0|0 0|A:/$FAT1|45780|v/v---------|0|0|4608|0|0|0|0 0|A:/$FAT2|45781|v/v---------|0|0|4608|0|0|0|0 0|A:/$OrphanFiles|45782|d/d---------|0|0|0|0|0|0|0 $ fls -m A: -a -f fat ~/Desktop/2004-M-008/data/2004-M-008.0018.aff | mactime Wed Dec 31 1969 19:00:00 202152 ..c. r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) 202119 ..c. r/rrwxrwxrwx 0 0 4 A:/publist.wpd 205607 ..c. r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Thu Feb 22 2001 00:00:00 202152 .a.. r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Thu Feb 22 2001 17:30:52 202152 m... r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Thu Feb 22 2001 17:31:54 202152 ...b r/rrwxrwxrwx 0 0 3 A:/_ublist1.wpd (deleted) Fri Feb 23 2001 16:17:18 205607 m... r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Fri Feb 23 2001 16:17:34 202119 m... r/rrwxrwxrwx 0 0 4 A:/publist.wpd Fri Feb 23 2001 16:20:26 202119 ...b r/rrwxrwxrwx 0 0 4 A:/publist.wpd Fri Feb 23 2001 16:20:37 205607 ...b r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd Tue Sep 21 2010 00:00:00 202119 .a.. r/rrwxrwxrwx 0 0 4 A:/publist.wpd 205607 .a.. r/rrwxrwxrwx 0 0 7 A:/publistwkg.wpd $ icat 2004-M-008.0018.aff 4 | fido.sh - OK,110,x-fmt/44,WordPerfect for MS-DOS/Windows Document,WordPerfect for Windows 6.x - 12,202119,"STDIN" $ icat 2004-M-008.018.aff 4 > publist.wpd
  • 26. Accessioning Workflow Start accessioning Write-protect media Verify image K process Media TS Record identifying Extract filesystem- Disk Meta- Retrieve media characteristics of and file-level images data media as metadata K metadata Transfer package TS Package images Assign identifiers to Ingest transfer Create image and metadata for media package ingest Media FS/File Document Disk MD MD accessioning image process End accessioning process
  • 27. fiwalk •C++ program with Python module for processing images •Outputs results in plain text key/value pairs, XML, CSV, or ARFF (for Weka data mining software) •Developed to support automated forensic processing by breaking it into three steps: extract, represent, process •Pluggable file-level metadata extraction (expects key/ value pairs) •Makes development easy and fast
  • 28. Sample fiwalk Output <?xml version='1.0' encoding='UTF-8'?> <fiwalk xmloutputversion='0.3'> <metadata> <!-- metadata about the disk image --> <creator> <!-- fiwalk provenance metadata (runtime environment, etc.) --></creator> <source> <image_filename>2004-M-008.dd-0018.001</image_filename> </source> <!-- fs start: 0 --> <volume offset='0'> <!-- volume metadata --> <fileobject> <filename>_ublist1.wpd</filename> <!-- more metadata about specific files within the image --> </fileobject> <fileobject/><!-- one for each file --> </volume> <runstats> <!-- runtime statistics --> </runstats> </fiwalk>
  • 29. Sample fiwalk Output <fileobject> <filename>_ublist1.wpd</filename> <partition>1</partition> <id>1</id> <name_type>r</name_type> <filesize>202152</filesize> <unalloc>1</unalloc> <used>1</used> <inode>3</inode> <meta_type>1</meta_type> <mode>511</mode> <nlink>0</nlink> <uid>0</uid> <gid>0</gid> <mtime>982881052</mtime> <atime>982818000</atime> <crtime>982881114</crtime> <libmagic>(Corel/WP)</libmagic> <byte_runs> <run file_offset='0' fs_offset='16896' img_offset='16896' len='512'/> </byte_runs> <hashdigest type='md5'>d7bc22242c0a88fd8b68712980d5ab28</hashdigest> <hashdigest type='sha1'>64bf2bdf82e33fcda50158804483ac611e753db5</hashdigest> </fileobject>
  • 30. Accessioning Workflow Start accessioning Write-protect media Verify image process Media Record identifying Extract filesystem- Disk Meta- Retrieve media characteristics of and file-level images data media as metadata al k metadata Transfer package fiw Package images Assign identifiers to Ingest transfer Create image and metadata for media package ingest Media FS/File Document Disk MD MD accessioning image process End accessioning process
  • 31. Why fiwalk? •Faster (and more forensically sound) to extract metadata once rather than having to keep processing an image •Develop better assessments during accessioning process (directory structure significant? timestamps accurate?) •fiwalk’s output is something like a METS structMap •Building non-invasive assessment tools takes less time
  • 33. Gumshoe •Prototype application •Blacklight (Ruby on Rails + Solr) & Python indexing code •Indexing code works with fiwalk output or directly over a disk image (using fiwalk’s Python bindings) •Populates Solr index with all file-level metadata from fiwalk and text strings extracted from files •Code at http://github.com/anarchivist/gumshoe •Demo at http://xgumshoex.heroku.com/
  • 35. AFF4 •Emerging format, with tools still under development •Better for a distributed environment •Friendlier to micro-services philosophy •Clearer object and metadata model (RDF-based) •Container format is Zip64 •Cohen and Schatz 2010 (doi:10.1016/j.diin.2010.05.015) show hash based imaging as a more efficient alternative
  • 36. Sample AFF4 Metadata @prefix D1: <urn:aff4:652e4027-27fab2941> @prefix G1: <urn:aff4:19857a87-a190b2f87> @prefix G2: <urn:aff4:0a1fc78a-927bfacef> @prefix S1: <urn:aff4:652e4027-ffff01199> @prefix I1: <urn:aff4:9003027a-11199ffff> @prefix aff4: <http://afflib.org/2009/aff4/#> @prefix dcterms: <http://purl.org/dc/terms/> G1: { D1: aff4:serialNumber "zx322o91" D1: aff4:hash "3897450fa18094b13"^^aff4:md5 } G2: { S1: aff4:name "aff4imager" S1: aff4:vendor <http://aff.org/> S1: aff4:asserts G1: S1: aff4:type aff4:AcquisitionTool. S1: aff4:version "0.2" I1: aff4:type aff4:Image. I1: aff4:hash "3897450fa18094b13"^^aff4:md5 I1: dcterms:creator S1: } Adapted from Schatz and Cohen 2010 (doi:10.1007/978-3-642-15506-2_16), pp. 234-236
  • 37. Accessioning Workflow Start accessioning Write-protect media Verify image F 4 process Media AF Record identifying Extract filesystem- Disk Meta- Retrieve media characteristics of and file-level images data media as metadata metadata Transfer package F 4 AF Package images Assign identifiers to Ingest transfer Create image and metadata for media package ingest F 4 F 4 F 4 AF AF AF Media FS/File Document Disk MD MD accessioning image process End accessioning process
  • 38. Further Toolsets http://www.flickr.com/photos/oskay/5369749968/
  • 40. Thank You mark@matienzo.org http://matienzo.org/ twitter: @anarchivist This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.