Digital forensics image ingest
Revision as of 15:47, 20 June 2013 by Courtney (talk | contribs) (→Forensics image transfer workflow)
Related issues: #5265
Forensics image transfer type
- Archivematica transfer type: forensic image
- One or more images make up a transfer
- Repository makes image using outside imaging software prior to ingest
- Some metadata from ingest process will be included, first from FTK, but later from other tools like Guymager
- Forensic image types accepted: dd (Raw), ISO, AD1, BIN
Forensics image transfer workflow
- User images the external media outside the Archivematica workflow
- User uploads image(s) into the Archivematica transfer tab of the dashboard by browsing to the appropriate transfer source directory and selecting their image(s)
- User enters transfer name and accession number
- User selects a metadata entry template for recording metadata about the imaging process
- User enters the metadata
- User saves the metadata and starts transfer processing
- Fiwalk with Fido completes the Characterize and extract metadata micro-service
- Transfer micro-services complete
- At Create SIP from Transfer micro-service, user selects one of two options:
- If the user is an archivist/curator ready to process the image through to storage and/or access, choose Create single SIP and continue processing
- If the user is uploading multiple images as part of one accession, for processing by an archivist/curator later, choose Send to backlog
- In the second scenario, once all images from an accession are in the backlog, user alerts archivist/curator that the accession is ready for further processing
- Archivist searches for the accession in the transfer backlog, selects the appropriate transfers, and selects Create SIP
- In ingest tab, user approves SIP creation
- At the Extract packages micro-service, user selects one option from the drop-down: Extract objects from image, Do not extract objects from image, or Reject
Forensic image transfer tools
fiwalk
- Characterize and extract metadata micro-service
- Use Mark Matienzo's GitHub version, which includes FIDO for format identification, since fiwalk's own format identification relies on libmagic (unsatisfactory for our purposes)
Sample fiwalk xml output:
<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'>
  <metadata xmlns='http://example.org/myapp/' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xmlns:dc='http://purl.org/dc/elements/1.1/'>
    <dc:type>Disk Image</dc:type>
  </metadata>
  <creator>
    <program>fiwalk</program>
    <version>0.5.7</version>
    <os>Darwin</os>
    <library name="tsk" version="3.0.1"></library>
    <library name="afflib" version="3.5.2"></library>
    <command_line>fiwalk -x /dev/disk2</command_line>
  </creator>
  <source>
    <imagefile>/dev/disk2</imagefile>
  </source>
  <!-- fs start: 512 -->
  <volume offset='512'>
    <Partition_Offset>512</Partition_Offset>
    <block_size>512</block_size>
    <ftype>2</ftype>
    <ftype_str>fat12</ftype_str>
    <block_count>5062</block_count>
    <first_block>0</first_block>
    <last_block>5061</last_block>
    <fileobject>
      <filename>README.txt</filename>
      <id>2</id>
      <filesize>43</filesize>
      <partition>1</partition>
      <alloc>1</alloc>
      <used>1</used>
      <inode>6</inode>
      <type>1</type>
      <mode>511</mode>
      <nlink>1</nlink>
      <uid>0</uid>
      <gid>0</gid>
      <mtime>1258916904</mtime>
      <atime>1258876800</atime>
      <crtime>1258916900</crtime>
      <byte_runs>
        <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      </byte_runs>
      <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
      <hashdigest type='sha1'>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</hashdigest>
    </fileobject>
  </volume>
  <!-- end of volume -->
  <!-- clock: 0 -->
  <runstats>
    <user_seconds>0</user_seconds>
    <system_seconds>0</system_seconds>
    <maxrss>1814528</maxrss>
    <reclaims>546</reclaims>
    <faults>1</faults>
    <swaps>0</swaps>
    <inputs>56</inputs>
    <outputs>0</outputs>
    <stop_time>Sun Nov 22 11:08:36 2009</stop_time>
  </runstats>
</fiwalk>
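As an added example (not Archivematica's or fiwalk's own code), the following Python reads the fileobject records out of fiwalk output with the layout shown above and then re-verifies each file's recorded digests by reading its byte runs back out of the image, which is the check an ingest pipeline should make before trusting the characterization. The disk image, the file body and the DFXML document are constructed inline; the file content and the 64 KiB image size are assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed 64 KiB "disk image": zeros except one file body at the img_offset
# reported by the page's sample fileobject (37888, 43 bytes); the body is assumed.
FILE_BODY = b"Archivematica forensic image ingest test.\r\n"  # 43 bytes
IMG_OFFSET = 37888
_buf = bytearray(65536)
_buf[IMG_OFFSET:IMG_OFFSET + len(FILE_BODY)] = FILE_BODY
IMAGE = bytes(_buf)

# Constructed fiwalk output in the layout of the sample above; digests come from FILE_BODY.
SAMPLE_DFXML = f"""<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'>
  <volume offset='512'>
    <fileobject>
      <filename>README.txt</filename>
      <filesize>{len(FILE_BODY)}</filesize>
      <alloc>1</alloc>
      <byte_runs>
        <run file_offset='0' fs_offset='37376' img_offset='{IMG_OFFSET}' len='{len(FILE_BODY)}'/>
      </byte_runs>
      <hashdigest type='md5'>{hashlib.md5(FILE_BODY).hexdigest()}</hashdigest>
      <hashdigest type='sha1'>{hashlib.sha1(FILE_BODY).hexdigest()}</hashdigest>
    </fileobject>
  </volume>
</fiwalk>""".encode("iso-8859-1")

def parse_fileobjects(dfxml: bytes) -> list:
    """Return one dict per <fileobject>: name, size, allocation flag, byte runs, digests."""
    root = ET.fromstring(dfxml)
    objects = []
    for fo in root.iter("fileobject"):  # fiwalk's fileobject elements carry no namespace
        runs = [(int(r.get("img_offset")), int(r.get("len")))
                for r in fo.iter("run") if r.get("img_offset") is not None]
        objects.append({"filename": fo.findtext("filename"),
                        "filesize": int(fo.findtext("filesize")),
                        "alloc": fo.findtext("alloc") == "1",
                        "runs": runs,
                        "digests": {h.get("type"): h.text for h in fo.iter("hashdigest")}})
    return objects

def verify_fileobject(fo: dict, image: bytes) -> bool:
    """Re-read the file from its byte runs in the image and check every recorded digest."""
    data = b"".join(image[off:off + n] for off, n in fo["runs"])
    if len(data) != fo["filesize"]:  # truncated image or run without img_offset: cannot vouch
        return False
    return all(hashlib.new(alg, data).hexdigest() == value
               for alg, value in fo["digests"].items())
```

A mismatch here means either the image changed after fiwalk ran or the XML was altered in transit, so the transfer should fail characterization rather than proceed.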