Digital Forensics for Archivists

A few weeks ago I attended the Digital Forensics for Archivists course offered by the Society of American Archivists (SAA) at the University of Michigan. It was taught by Cal Lee and Kam Woods both of the School of Information and Library Science at the University of North Carolina, Chapel Hill. Overall, I thought the class was a very informative and engaging introduction to the field of digital forensics.

The focus of this course is the application of forensic techniques to archival work. Digital forensics (or computer forensics) is “the process of identifying, preserving, analyzing, and presenting digital evidence in a manner that is legally acceptable” (Rodney McKemmish 1999). It is used to discover digital data, recover deleted, encrypted, or damaged file information, monitor live activity and detect violations of policies.

Archivists (and records managers) may be very good at dealing with paper, but may not have as much experience with processing and making available digital content that comes in the form of floppy disks, CDs, and hard drives. The field of digital forensics is concerned with the same principles archivists rely on, including provenance, original order, and chain of custody, but applies them to criminal and civil investigations. By applying its techniques, archivists are able to identify, extract, and document information from digital media about how it was created without altering the content. Digital forensics also focuses on finding sensitive or personally identifiable information that may need to be redacted or protected from public access.

Forensic Recovery of Evidence Device with a removable hard drive on the imaging bay prior to forensic capture from Stanford University Libraries and Academic Information Resources (SULAIR)

As a two-day event, this course was particularly helpful because we got to perform hands-on exercises of the tools discussed in the class. These included:

  • BitCurator (includes a number of free, open-source tools to be incorporated into workflows)
  • FTK Imager (creates disk images)
  • Bulk Extractor (scans and extracts information such as credit card numbers, email addresses, or keywords)
  • Fiwalk (creates an output of files in Digital Forensics XML)
  • MD5summer (generates and verifies checksums)
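As an added example, not code from the course or from any of the tools above, here is a small Python fixity routine in the spirit of MD5summer: it builds a checksum manifest for a directory of transferred files, opens every source read-only so nothing is altered, and re-verifies the manifest later, reporting files that changed or went missing. The directory, file names and contents in `demo()` are constructed for the illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large disk images are never loaded whole


def checksum(path, algorithm="md5"):
    """Digest one file; opened read-only ("rb"), so the source is not modified."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, algorithm="md5"):
    """Map each file under root (relative, '/'-separated) to its digest."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): checksum(p, algorithm)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_manifest(root, manifest, algorithm="md5"):
    """Re-hash every manifest entry; report ok, changed and missing files."""
    root = Path(root)
    report = {"ok": [], "changed": [], "missing": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif checksum(p, algorithm) != expected:
            report["changed"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo():
    """Constructed sample transfer: take fixity, then alter one file and delete another."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "letter.txt").write_bytes(b"Dear committee,\n")
        (Path(d) / "notes").mkdir()
        (Path(d) / "notes" / "a.txt").write_bytes(b"draft 1\n")
        manifest = build_manifest(d)
        clean = verify_manifest(d, manifest)          # right after transfer: all ok
        (Path(d) / "notes" / "a.txt").write_bytes(b"draft 2\n")  # simulate tampering
        (Path(d) / "letter.txt").unlink()                        # simulate loss
        return manifest, clean, verify_manifest(d, manifest)
```

In practice the manifest would be written to a file (MD5summer's `.md5` format is one line per file) and checked again at every later stage of custody.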

While we may not be seizing evidence from crime scenes, archivists do receive many types of media that require special care to process. I would highly recommend either taking this course if it’s available to you or exploring the materials available on this topic. I myself am looking forward to continuing to explore these exciting developments. I think some of the available tools could have applications in the records management sphere that we should examine and consider. For further reading, check out the BitCurator project, the Forensics Wiki, and the recently released OCLC research report Walk This Way: Detailed Steps for Transferring Born-Digital Content from Media You Can Read In-house. I would be very interested to hear about applications of digital forensics in the records management side of the house!

