Digital forensics image ingest

From Archivematica
Jump to navigation Jump to search

Main Page > Development > Development documentation > Digital forensics image ingest


Related issues: #5265


Forensics image transfer type

  • Archivematica transfer type: forensic image
    • One or more images make up a transfer
    • Repository makes image using outside imaging software prior to ingest
    • Some metadata from ingest process will be included, first from FTK, but later from other tools like Guymager (see metadata requirements below)
  • Forensic image types accepted: dd (Raw), ISO, AD1, BIN

Forensics image transfer workflow

  • User images external media outside the Archivematica workflow
  • User uploads image(s) into the Archivematica transfer tab of the dashboard by browsing to the appropriate transfer source directory and selecting a directory containing their image(s)
  • User enters transfer name and accession number
  • User selects MD entry template for entering MD about the imaging process
    • User enters MD (see MD requirements below)
    • User saves MD and starts transfer processes
  • Fiwalk with Fido completes the Characterize and extract metadata micro-service
  • Archivematica runs Bulk Extractor (Examine contents micro-service) and indexes output (this is to allow for reporting and visualization in the transfer backlog search for SIP creation and/or the AIP advanced search to allow for minimal description)
  • Transfer micro-services complete
  • At Create SIP from Transfer micro-service, user selects one of two options:
    • If the user is an archivist/curator ready to process the image through to storage and/or access, choose Create single SIP and continue processing
    • If the user is uploading multiple images as part of one accession, for processing by an archivist/curator later, choose Send to backlog
      • In the second scenario, once all images from an accession are in the backlog, user alerts archivist/curator that the accession is ready for further processing
    • Archivist searches for the accession in the transfer backlog, selects the appropriate transfers, and selects Create SIP
  • In ingest tab, user approves SIP creation
  • In ingest tab, there is a decision point at Extract packages micro-service - User selects from drop-down: Extract objects from image, Do not extract objects from image, Reject
    • If user chooses not to extract objects, then skip micro-service decision about tool output to base normalization on, choose normalization for preservation only, and continue standard micro-services to store AIP.
    • If user chooses to extract objects, continue with standard workflow, except that FITS must be run at decision point about which tool to base normalization path on, but FIDO output can come from transfer MD since we ran Fido during transfer. User can then choose any of the normalization options and continue processing to storage and/or access.
    • Note that user can also choose to do manual normalization in their local system

Metadata requirements

  • Template for manual data entry
  • Import from imaging tool FTK

Forensic image transfer tools

fiwalk

  • Characterize and extract metadata micro-service
  • Use Mark Matienzo's github version which includes FIDO for format identification since fiwalk's format identification is libmagic (unsatisfactory for our purposes)

Sample fiwalk xml output: 


<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'>
  <metadata 
  xmlns='http://example.org/myapp/' 
  xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' 
  xmlns:dc='http://purl.org/dc/elements/1.1/'>
    <dc:type>Disk Image</dc:type>
  </metadata>
  <creator>
    <program>fiwalk</program>
    <version>0.5.7</version>
    <os>Darwin</os>
    <library name="tsk" version="3.0.1"></library>
    <library name="afflib" version="3.5.2"></library>
    <command_line>fiwalk -x /dev/disk2</command_line>
  </creator>
  <source>
    <imagefile>/dev/disk2</imagefile>
  </source>
<!-- fs start: 512 -->
  <volume offset='512'>
    <Partition_Offset>512</Partition_Offset>
    <block_size>512</block_size>
    <ftype>2</ftype>
    <ftype_str>fat12</ftype_str>
    <block_count>5062</block_count>
    <first_block>0</first_block>
    <last_block>5061</last_block>
    <fileobject>
      <filename>README.txt</filename>
      <id>2</id>
      <filesize>43</filesize>
      <partition>1</partition>
      <alloc>1</alloc>
      <used>1</used>
      <inode>6</inode>
      <type>1</type>
      <mode>511</mode>
      <nlink>1</nlink>
      <uid>0</uid>
      <gid>0</gid>
      <mtime>1258916904</mtime>
      <atime>1258876800</atime>
      <crtime>1258916900</crtime>
      <byte_runs>
       <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      </byte_runs>
      <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
      <hashdigest type='sha1'>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</hashdigest>
    </fileobject>
  </volume>
<!-- end of volume -->
<!-- clock: 0 -->
  <runstats>
    <user_seconds>0</user_seconds>
    <system_seconds>0</system_seconds>
    <maxrss>1814528</maxrss>
    <reclaims>546</reclaims>
    <faults>1</faults>
    <swaps>0</swaps>
    <inputs>56</inputs>
    <outputs>0</outputs>
    <stop_time>Sun Nov 22 11:08:36 2009</stop_time>
  </runstats>
</fiwalk>

Bulk Extractor

Retrieved from "https://wiki.archivematica.org/index.php?title=Digital_forensics_image_ingest&oldid=8535"