Difference between revisions of "Digital forensics image ingest"

From Archivematica
Jump to navigation Jump to search
Line 15: Line 15:
  
 
== Forensics image transfer workflow ==
 
== Forensics image transfer workflow ==
 +
 +
* Users images external media outside the Archivematica workflow
 +
* User uploads image(s) into the Archivematica transfer tab of the dashboard by browsing to the appropriate transfer source directory and selecting their image(s)
 +
* User enters transfer name and accession number
 +
* User selects MD entry template for entering MD about the imaging process
 +
** User enters MD
 +
** User saves MD and starts transfer processes
 +
* Fiwalk with Fido completes the Characterize and extract metadata micro-service
 +
* Transfer micro-services complete
 +
* At Create SIP from Transfer micro-service, user selects one of two options:
 +
** If the user is an archivist/curator ready to process the image through to storage and/or access, choose Create single SIP and continue processing
 +
** If the user is uploading multiple images as part of one accession, for processing by an archivist/curator later, choose Send to backlog
 +
*** In the second scenario, once all images from an accession are in the backlog, user alerts archivist/curator that the accession is ready for further processing
 +
** Archivist searches for the accession in the transfer backlog, selects the appropriate transfers, and selects Create SIP
 +
* In ingest tab, user approves SIP creation
 +
* '''Extract packages''' micro-service - User selects from drop-down: Extract objects from image, Do not extract objects from image, Reject
  
 
==Forensic image transfer tools ==
 
==Forensic image transfer tools ==

Revision as of 15:47, 20 June 2013

Main Page > Development > Development documentation > Digital forensics image ingest


Related issues: #5265


Forensics image transfer type

  • Archivematica transfer type: forensic image
    • One or more images make up a transfer
    • Repository makes image using outside imaging software prior to ingest
    • Some metadata from ingest process will be included, first from FTK, but later from other tools like Guymager
  • Forensic image types accepted: dd (Raw), ISO, AD1, BIN

Forensics image transfer workflow

  • Users images external media outside the Archivematica workflow
  • User uploads image(s) into the Archivematica transfer tab of the dashboard by browsing to the appropriate transfer source directory and selecting their image(s)
  • User enters transfer name and accession number
  • User selects MD entry template for entering MD about the imaging process
    • User enters MD
    • User saves MD and starts transfer processes
  • Fiwalk with Fido completes the Characterize and extract metadata micro-service
  • Transfer micro-services complete
  • At Create SIP from Transfer micro-service, user selects one of two options:
    • If the user is an archivist/curator ready to process the image through to storage and/or access, choose Create single SIP and continue processing
    • If the user is uploading multiple images as part of one accession, for processing by an archivist/curator later, choose Send to backlog
      • In the second scenario, once all images from an accession are in the backlog, user alerts archivist/curator that the accession is ready for further processing
    • Archivist searches for the accession in the transfer backlog, selects the appropriate transfers, and selects Create SIP
  • In ingest tab, user approves SIP creation
  • Extract packages micro-service - User selects from drop-down: Extract objects from image, Do not extract objects from image, Reject

Forensic image transfer tools

fiwalk

  • Characterize and extract metadata micro-service
  • Use Mark Matienzo's github version which includes FIDO for format identification since fiwalk's format identification is libmagic (unsatisfactory for our purposes)

Sample fiwalk xml output:


<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'>
  <metadata 
  xmlns='http://example.org/myapp/' 
  xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' 
  xmlns:dc='http://purl.org/dc/elements/1.1/'>
    <dc:type>Disk Image</dc:type>
  </metadata>
  <creator>
    <program>fiwalk</program>
    <version>0.5.7</version>
    <os>Darwin</os>
    <library name="tsk" version="3.0.1"></library>
    <library name="afflib" version="3.5.2"></library>
    <command_line>fiwalk -x /dev/disk2</command_line>
  </creator>
  <source>
    <imagefile>/dev/disk2</imagefile>
  </source>
<!-- fs start: 512 -->
  <volume offset='512'>
    <Partition_Offset>512</Partition_Offset>
    <block_size>512</block_size>
    <ftype>2</ftype>
    <ftype_str>fat12</ftype_str>
    <block_count>5062</block_count>
    <first_block>0</first_block>
    <last_block>5061</last_block>
    <fileobject>
      <filename>README.txt</filename>
      <id>2</id>
      <filesize>43</filesize>
      <partition>1</partition>
      <alloc>1</alloc>
      <used>1</used>
      <inode>6</inode>
      <type>1</type>
      <mode>511</mode>
      <nlink>1</nlink>
      <uid>0</uid>
      <gid>0</gid>
      <mtime>1258916904</mtime>
      <atime>1258876800</atime>
      <crtime>1258916900</crtime>
      <byte_runs>
       <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      </byte_runs>
      <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
      <hashdigest type='sha1'>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</hashdigest>
    </fileobject>
  </volume>
<!-- end of volume -->
<!-- clock: 0 -->
  <runstats>
    <user_seconds>0</user_seconds>
    <system_seconds>0</system_seconds>
    <maxrss>1814528</maxrss>
    <reclaims>546</reclaims>
    <faults>1</faults>
    <swaps>0</swaps>
    <inputs>56</inputs>
    <outputs>0</outputs>
    <stop_time>Sun Nov 22 11:08:36 2009</stop_time>
  </runstats>
</fiwalk>