Digital forensics for archivists
Posted on 17 August 2011
Gareth Knight, Digital Curation Specialist at CeRch, organised a training event on digital forensics for archivists in August. The event took place in the Anatomy Museum on the Strand and was aimed at staff working within the Archives & Information Management (AIM) service and IT Systems at King's College London. The aim was to provide them with an understanding of digital forensic tools and techniques and an overview of the JISC-funded Forensic Investigation of Digital Objects (FIDO) project.
Digital forensics is a branch of forensic science used in law enforcement that is concerned with the recovery and investigation of material found on digital devices. The forensic process may be used to collect and identify evidence for use by a court or employer, determine intent, and establish provenance of material. There has been considerable development in the past 30 years, resulting in the production of forensic tools and workflows that may assist an investigator.
The acquisition and analysis of large collections of diverse data is a challenge increasingly encountered by digital curators and archivists within the academic and cultural heritage sector. Rather than produce a set of papers, many researchers create digital content that cannot be rendered in analogue form without some loss of use. These research processes have implications for the approach adopted by archival institutions to acquire, analyse, and archive research material. However, by adopting tools developed by the law enforcement community for digital forensics, curators and archivists are able to manage digital material using methods that maintain its authenticity and integrity.
The event began with a talk by Lindsay Ould of AIM, who introduced digital forensics and described its value for processing digital collections within the archives. This was followed by presentations by Kate O'Brien, who outlined work in the FIDO project to map forensic concepts onto archival principles, and Gareth Knight, who described forensic techniques for disk imaging and analysing a hard disk for relevant data.
Event participants were separated into four breakout groups. In the first session, staff were asked to discuss the practical and ethical issues to be considered when handling data obtained in four different scenarios. This was followed by a hands-on session, where participants were given the opportunity to develop practical experience of forensic tools. OSForensics was used to analyse a laptop PC disk image, to identify data of potential value and determine the owner's data handling practices. These sessions were well received by archival staff, who showed an enthusiasm for using the forensic techniques and tools in their own work.
Training material on data management and analysis produced by the FIDO project will be incorporated into future teaching sessions, workshops and seminar series organised by the Centre for e-Research.