How do these tools address archival concerns?

From BitCurator

These descriptions are intended to be concise explanations of why an archivist might be interested in each tool. For more information on a given tool, follow the link to that tool's tutorial page (given in the first column of the table below).

| Function | Tool name (if any) | Why use it? |
| --- | --- | --- |
| Create disk images of your media | Guymager | Create a perfect capture of your device's file structure and all contents (including hidden files and fragments) PLUS package this image with information about the disk imaging process. When anyone accesses the disk image later on, they'll have information about who imaged the device, when the device was imaged, etc., as well as be able to explore the exact state of the device as it was when you imaged it. |
| Scan disk images to find potentially sensitive information | Bulk Extractor Viewer and bulk_extractor | Look for specific types of data, such as social security numbers, GPS map coordinates, and email addresses, to protect the privacy of a donor before exposing a collection to the public, and to locate information for researchers (e.g., find email correspondence between an author and a particular editor). The Bulk Extractor Scanners page covers the different things you can scan for (and why you might want to scan for them) in detail. |
| Create a report on your disk image in Digital Forensics XML (DFXML) | fiwalk | Create an XML rendering of a file's structure. Read descriptions and examples of Digital Forensics XML tags here. |
| Link potentially sensitive information found by scanning your disk image to file names in the DFXML report | Annotated Features Report | Link potentially sensitive information found by scanning your disk image to file names in the DFXML report, bridging between the output from bulk_extractor and the DFXML report from fiwalk to create a report that not only shows whether a feature (e.g. social security numbers) appears on your disk image, but also identifies the specific file(s) in which it can be found. This is a required step before generating the BitCurator Forensic Reports because bulk_extractor locates features by scanning the bit stream, not the file system. |
| Generate human-friendly BitCurator Forensic Reports using the data produced by the tools above | BitCurator Forensic Reports | Generate human-friendly BitCurator Forensic Reports using the data produced by Guymager, the Bulk Extractor Viewer, fiwalk, and the Annotated Features Report to explore your born-digital materials completely (including hidden or partially deleted files and file fragments). |
| Run all of the reports above from a single tab (scan your disk image(s), generate DFXML, link the scan report and DFXML, and create the final human-friendly BitCurator Forensic Reports) | Run All tab | Instead of using the previous four tools individually, run all of them at once from a single tab (scan your disk image(s), generate DFXML, link the scan report and DFXML, and create the final human-friendly BitCurator Forensic Reports). Imaging your disk, running Bulk Extractor, and using the Run All tab is the quickest way to forensically explore a device. |
| Safely mount collection media | A front-end for mmls and icat, two programs provided by The Sleuth Kit, along with file system ID and FUSE mounting code | Have devices (e.g. USB drives, CD-ROMs) that you'd like to image and explore with BitCurator? Connect them so that BitCurator can see them, but safely: no worries about writing any data back to the device (e.g. last modified dates on viewed files won't be overwritten with the current date). |
| Share files to and from the BitCurator environment | - | Work with files outside the BitCurator virtual machine (e.g. save something from inside BitCurator to your computer's desktop, or copy and paste text from a tutorial you're reading in your browser on your computer into the BitCurator environment). You can share a folder between your machine and the BitCurator environment, share the contents of your cut/copy/paste clipboard, and drag and drop files between your machine and the BitCurator environment. |
| Calculate and display checksums | Nautilus script | Ensure the authenticity of your media! A checksum is an identifier for the exact state of a file (such as a disk image) that can be compared to checksums calculated at later times to ensure that the file remains in its original state (e.g. not altered due to physical damage, bit rot, malicious intent, or accidental non-write-protected usage). |
| Display file types and info | Nautilus script | Quickly view available information about files (e.g. file format) to better understand them. |
| Open a file in hexadecimal notation | Nautilus script | Useful for accessing files trapped in defunct formats (e.g. written in a very old word processing program). A hexadecimal (hex) editor lets you view and edit any file, regardless of the format it was saved in. |
| Live search for files by name and content | Nautilus script | Search all the files currently in the BitCurator virtual environment (i.e. rather than searching from a collection of files that might not be updated to contain the latest state of your system). |
| Extract compressed files | Nautilus script | Turns compressed files (e.g. a .zip) into a folder containing the package's files. |
| Display E01 or AFF forensics disk image metadata | Nautilus script | After creating an AFF- or E01-format disk image (using BitCurator's Guymager tool, or some other way), this feature provides a quick way to view data about the disk image, such as who performed the imaging and when it was performed. |
| Find and remove duplicate files | - | Use this tool to avoid archiving files that are exact duplicates of others, if you wish to save space this way (note that duplicate files may be interesting to the archivist due to their differing location and/or access metadata such as date last modified). |
| View, edit, and export metadata from graphic image files | PyExifToolGUI | Graphic image files (e.g. .exif, .jpg, other photo and visual image formats) can contain hidden information, such as the GPS coordinates of the location where a photo was taken. |
| View and export information from HFS-formatted disks | HFS Explorer | HFS is a proprietary Apple format you'll see used with Mac media (e.g. floppies written to from a Mac SE computer). This tool lets you view data in this format, as well as export it for exploration with other BitCurator tools. |
| Access files on your disk image | File Access | Want to open a document that's on your disk image, or otherwise export and access a file? This feature gives you access to files on your disk image, including hidden and partially deleted files. |