UM Forensic image transfer 1.2
This page documents the workflow for processing digital forensic disk images.
Preconfigured workflow choices
- If you are processing disk images, you will want to adjust the Archivematica default configuration options in the Administration tab of the dashboard for some decision points in the workflow. The Archivematica default is to extract content from any packages, which includes forensic image formats as well as compressed content like zip files, and then to delete the package itself (though metadata and logs for the package are retained). To make these decisions in the dashboard processing workflow:
- Deselect 'Extract packages' - If you find you are selecting YES or NO most of the time, you can preconfigure this choice accordingly to YES or NO in the administration tab of the dashboard instead.
- Deselect 'Examine contents' - If you find you are selecting YES or NO most of the time, you can preconfigure this choice accordingly to YES or NO in the administration tab of the dashboard instead.
- Deselect 'Delete packages after extraction' - If you find you are selecting YES or NO most of the time, you can preconfigure this choice accordingly to YES or NO in the administration tab of the dashboard instead.
Upload image to dashboard
- Select Disk Image type from the drop-down menu on the Transfer tab of the dashboard.
- Add metadata from the imaging process if desired. You may begin entering metadata for the next image loading to the dashboard by clicking on the Add Next button to the right of Start Transfer. After an image is loaded, you can add or edit that metadata using the icon next to the loaded image below the transfer upload form. If you are loading multiple images at once, the Add Next button will apply to the next current upload. This metadata is included as another dmdsec in the transfer METS.xml.
- Once all images are loaded to the dashboard and all metadata is added, select Start Transfer.
- Continue through the regular Transfer workflow. We recommend selecting FIDO for format identification, as some images from Kryoflux and raw disk images can have generic extensions. You can preconfigure Archivematica to choose FIDO for identification in the Administration tab of the dashboard when you are signed in as an administrative user.
- At the Extract packages micro-service, you can choose YES to extract content objects from the image. You can choose NO if you would like to continue processing the image itself without extracting its content for automated analysis. Format policy rules for extraction are set using the Format Policy Registry in the Preservation Planning tab of the dashboard.
- If you choose YES, Archivematica will also ask you if you'd like to delete the package itself once extraction of its contents is complete. Here, you can choose YES or NO.
- During this workflow, some deviations from standard micro-service behaviors occur:
- The Characterize and extract metadata micro-service runs a tool called fiwalk on digital forensic images.
- The Examine contents micro-service allows you to choose whether you would like to run a tool called bulk extractor, which identifies PII contained in the set of objects and outputs text reports about it. These reports can be analyzed later using other tools such as BitCurator. In Archivematica, the reports are contained in the logs folder of the transfer, and later in the logs folder for each SIP that all or part of the transfer is contained within. [Note that this micro-service can be run effectively on ALL transfer types; the transfers do not have to be digital forensic disk images.]
- For simple image transfers, continue directly into the Ingest workflow and finish processing using the standard Archivematica processing instructions.
- For compound images, send each transfer part to the Transfer backlog at the end of the transfer workflow. Then, create your SIP from the parts using the transfer backlog search functionality combined with the SIP arrange workflow. Once you've selected your SIP and entered the Ingest workflow, finish processing using the standard Archivematica processing instructions.
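The bulk extractor reports described under Examine contents can be triaged with a short script before opening them in a tool such as BitCurator. The following is an added example, not part of Archivematica or of the original page. It assumes the reports are bulk_extractor feature files (tab-separated offset, feature and context, with '#' header lines); the file names and sample values are constructed, and the folder passed to summarize_reports is whichever logs folder holds your reports.

```python
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample reports (not real data), keyed by file name.
SAMPLE_REPORTS = {
    "email.txt": "# Feature-Recorder: email\n"
                 "1024\tdonor@example.org\tFrom: donor@example.org\n"
                 "88210\tdonor@example.org\tcc donor@example.org;\n"
                 "90112-GZIP-40\tstaff@example.org\tTo: staff@example.org\n",
    "ccn.txt": "# Feature-Recorder: ccn\n"
               "5120\t4111111111111111\tcard 4111111111111111 exp\n",
    "telephone.txt": "# Feature-Recorder: telephone\n",  # header only, no hits
    "email_histogram.txt": "n=2\tdonor@example.org\nn=1\tstaff@example.org\n",
}

def parse_feature_file(path):
    """Yield (offset, feature) pairs from one feature file.

    Data lines are tab-separated: offset, feature, context. Lines starting
    with '#' are header comments; a leading UTF-8 BOM is stripped if present.
    """
    with open(path, encoding="utf-8-sig", errors="replace") as fh:
        for line in fh:
            fields = line.rstrip("\r\n").split("\t")
            if line.startswith("#") or len(fields) < 2:
                continue
            yield fields[0], fields[1]

def summarize_reports(report_dir, top=3):
    """Return {report_name: (hit_count, most_common_features)}, skipping empty reports."""
    summary = {}
    for path in sorted(Path(report_dir).glob("*.txt")):
        if path.stem.endswith("_histogram"):
            continue  # histograms repeat what the feature files already hold
        counts = Counter(feature for _, feature in parse_feature_file(path))
        if counts:
            summary[path.stem] = (sum(counts.values()), counts.most_common(top))
    return summary

def demo():
    """Write the constructed samples to a temporary folder and summarize them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLE_REPORTS.items():
            Path(tmp, name).write_text(text, encoding="utf-8")
        return summarize_reports(tmp)

if __name__ == "__main__":
    for name, (hits, common) in demo().items():
        print(f"{name}: {hits} hit(s), most frequent: {common}")
```

Reports with no hits are left out of the summary, so the output lists only the categories of PII that were actually found in the transfer.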