Editing Workflow:Archival Forensics workflow (storage media deposit)


The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.

Latest revision Your text
Line 1: Line 1:
 
{{Infobox COW
 
{{Infobox COW
 
|status=Experimental
 
|status=Experimental
|tools=Archivists' Toolkit, Audacity, BitCurator, Duke Data Accessioner, FTK (Forensic Toolkit), Karen's Directory Printer, TeraCopy, TreeSize, VLC Media Player, VirtualBox, WinMerge
+
|tools=BitCurator, FTK (Forensic Toolkit)
 
|input=Request to forensically process a digital deposit (storage media) to the University of Glasgow Archives & Special Collections, as part of of the Digital Archiving workflow (see Further Information).
 
|input=Request to forensically process a digital deposit (storage media) to the University of Glasgow Archives & Special Collections, as part of of the Digital Archiving workflow (see Further Information).
 
|output=A verified, authentic copy of storage media content exported as a logical or physical image file, with or without forensic processing.
 
|output=A verified, authentic copy of storage media content exported as a logical or physical image file, with or without forensic processing.
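Review bot: the `|tools=` line on the "+" side narrows the infobox to "BitCurator, FTK (Forensic Toolkit)" and drops nine entries from the latest revision's list, so check that every tool the body steps rely on (write-blocking, disk imaging, hash verification, virus and malware checks) is still covered by what the infobox names. The unchanged `|input=` line also carries a doubled word, "as part of of the", which is worth fixing in the same save.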
Line 18: Line 18:
 
: A request to forensically process a digital deposit (storage media) to the University of Glasgow Archives & Special Collections, as part of of the [https://coptr.digipres.org/index.php/Workflow:Digital_archiving_workflow_(high-level) Digital Archiving workflow.] <br/>
 
: A request to forensically process a digital deposit (storage media) to the University of Glasgow Archives & Special Collections, as part of of the [https://coptr.digipres.org/index.php/Workflow:Digital_archiving_workflow_(high-level) Digital Archiving workflow.] <br/>
  
; PREPARATION
+
; PRE-ACQUISITION APPRAISAL
: Obtain supporting resources and materials to forensically process digital storage media.
+
: Processes for evaluating whether a deposit request will be accepted by the University Archives.
# Consult the physical conservation and preservation report, documenting all actions on the acquired media and produced during Acquisition in the [https://coptr.digipres.org/index.php/Workflow:Digital_archiving_workflow_(high-level) Digital Archiving workflow].
+
# Check the deposit request against the [https://www.gla.ac.uk/myglasgow/archivespecialcollections/collectionsdevelopmentpolicy/ Archives & Special Collections collection development policy] - does the request align with the core collecting areas?
# Retrieve the unique accession number generated for the media to be processed from the Collections Management System. Use the accession number as reference in all forensic processing actions.
+
# Prepare a records survey and/or pre-accession assessment of the proposed deposit.
# Update the conservation and preservation logs on the Collections Management System relating to the storage media, including:
+
# Evaluate the results of the records survey against the Appraisal & Retention policy, which:
#* photographic records of the storage media before processing, clearly showing state, serial number(s) and any other relevant information recorded on the media (e.g. labels).
+
#* addresses issues pertaining to selection and long-term retention of digital objects
#* Documentation of media characteristics, such as technology, type, brand, model, serial number.
+
#* extends the collections development policy
#* Documentation of any hardware setup or configuration necessary to process the storage medium.
+
#* ensures that retention decisions are balanced between value and capacity to preserve for the long-term; and
# Proceed to Imaging.
+
#* provides clarity to avoid assumptions over digital storage costs and availability.
 +
# Decide whether the requested deposit aligns with policies:
 +
#* If not, re-evaluate acquisition and/or reject deposit.
 +
#* If yes, proceed to Acquisition.
  
; IMAGING
+
; ACQUISITION
: Create an exact copy of storage media, encapsulating contents and structures in a single file (a disk image).  
+
: Processes for acquiring digital materials by transfer, donation, or purchase.
# Use write-blocking tools (software or hardware) to only permit read-only access to storage media, so as to avoid compromising the integrity of the data; and protect the data chain of custody.
+
# Follow the methodology in the Space data and information transfer systems — Producer-archive interface — Methodology abstract standard (PAIMAS) ISO 20652:2006 standard. The standard "identifies, defines and provides structure to the relationships and interactions between an information producer and an archive. It defines the methodology for the structure of actions that are required from the initial time of contact between the producer and the archive until the objects of information are received and validated by the archive." ([https://www.iso.org/standard/39577.html ISO]). For more information, see [https://www.dpconline.org/handbook/organisational-activities/acquisition-and-appraisal Acquisition and appraisal, Digital Preservation Handbook (DPC)].
# Use disk imaging software to generate a forensic image file, which can either be:  
+
# Follow the Accepted file formats/media procedure, which:
#* a physical image, which is a bit-by-bit (exact) copy of the storage medium and includes active (used) and free space. Any deleted data or file fragments will be copied into the image file.
+
#* Specifies decisions on file formats and/or storage media that the University Archives will accept.  
#* A logical image, which captures active data on the device but not any deleted space, deleted files or fragments.
+
#* Aligns with preservation planning decisions for format normalisation; and capability to access storage media (esp. legacy media, e.g. floppy or zip disks).
#* A selection of specific files and directories, also known as a targeted collection.
+
#* For a summary table of options, see the Acquisition workflow section in [https://www.dpconline.org/handbook/organisational-activities/acquisition-and-appraisal Acquisition and appraisal, Digital Preservation Handbook (DPC)].
# Instruct the disk imaging software to create a complete file and directory listing; and verify the integrity of the generated image file by comparing hashes:
+
# For acquisitions deposited in physical storage media:
#* If verification fails and attempts at re-imaging are unsuccessful, create a "failed imaging" report in the Collections Management System logs.
+
#* Place all incoming items in quarantine area on arrival, inspect for pest infestation and mould; and follow handling and moving procedures.
#* If verification is successful, store the image in process store.
+
#* Create physical conservation and preservation report, documenting all actions on the acquired media.
# Is further forensic processing and analysis required?
+
#* Proceed to Accessioning.
#* If no, submit the verified disk image to the [https://coptr.digipres.org/index.php/Workflow:Digital_archiving_workflow_(high-level) Digital Archiving workflow]. OR
+
# For acquisitions deposited digitally (e.g. file transfer):
#* If yes, proceed to Processing.
+
#* Proceed to Accessioning.
  
; PROCESSING
+
; ACCESSIONING
: Extract and manage information from the data in storage media, and make it available for analysis.
+
:Process of formally registering deposit into the University Archives, which enables intellectual control over the digital materials.  
# Collate sources for processing, by selecting specific folders/files to review and - where appropriate - aggregating data from multiple storage media.
+
# Generate a unique accession number, based on the University Archives' archival processing guidelines.
# Perform virus and malware detection checks on the collated sources.
+
# Compare the file manifests generated during Acquisition to make sure that the transfer includes everything that was deposited by the source.
# Use forensic software to identify and, if possible, remove irrelevant or redundant files from processing. Examples may include operating systems, system files, or user-defined files that have been deemed as irrelevant.
+
# List the accession number into the University's Collections Management System for cataloguing. Cataloguing processes include decisions over the system of arrangement and level of description that will be used for the deposited materials; definition of access and reproduction conditions; and documentation via descriptive metadata.
# Use forensic software to process the data, including hash generation for files; expanding compound files (e.g. zip archives); format identification and validation; creating search text indices; and preparing audiovisual, web and email data for analysis.
+
# Decide whether archival forensic processing is required:
# Proceed to Analysis.
+
#* If Yes, follow the Archival Forensics workflow.
 +
# Proceed to Transfer.
 
 
; ANALYSIS
+
; TRANSFER
: Use digital forensics methods to search, categorise, review, interpret and curate data in storage media, so as to aid selection and appraisal processes.
+
: Processes for transferring digital materials to the University Archives.
# Review the agreement(s) under which the records were donated, in order to identify permissible actions (e.g. whether restoring deleted files is allowed).
+
# Choose a method for transferring files:
# Depending on the nature of the data and on archival needs, use forensic software to identify records of interest, and make them available for appraisal. Analysis methods may include:
+
#* Copy files from source media. OR
#* Data carving, for restoring data that was deleted or lost from the file system.
+
#* Create a disk image from source storage media. OR
#* Decrypting encrypted files and recovering passwords for password-protected files.
+
#* Request that digital materials are submitted as a BagIt container.
#* Viewing and exporting geolocation data from files that have geolocation information associated with them.
+
# Check digital materials for viruses. See [https://www.nationalarchives.gov.uk/archives-sector/projects-and-programmes/plugged-in-powered-up/digital-preservation-workflows/1-select-and-transfer/ Select and transfer workflow in the TNA guide] (section 1.3) for a reasonable process. Depending on the results of virus checks:
#* Analysing document content to explore terms/words of interest; and automate the identification of personal information, such as names, phone numbers, credit card and social security numbers.
+
#* if virus is found, quarantine and attempt removal; and/or request clean versions from source. If all these fail, prepare a report documenting actions and re-evaluate acquisition.
#* Identifying the language in which documents are written.
+
#* if virus-free, proceed with transfer.
#* Generating thumbnails from images and videos; and extracting metadata from multimedia files.
+
# Generate checksums to verify data integrity during transmission and/or storage:
#* Flagging duplicate files.
+
#* For digital acquisitions <i>in situ</i>, it might be appropriate to first store files in a temporary location for virus and/or integrity checks, before transferring to process store. Not applicable to all scenarios.
#* Discovering information (including documents and email communications) relating to pre-defined lists of persons of interest.
+
#* Transfer digital materials to Process store (e.g. network drive).
# Once all analyses have been completed, consolidate the resulting data into an appropriate file/folder structure.  
+
# Use tools to identify file types and validate file formats (e.g. DROID, JHOVE), then proceed to Appraisal.
# Proceed to Exporting.
 
 
 
; EXPORTING
 
: Export the forensically analysed contents of storage media as logical disk images, alongside relevant processing reports, filters and labels.
 
# Export any custom filters and labels created to manage the data, which can be useful for other digital archiving processes. Filters help locate items of interest quickly; and labels allow for grouping files in customised ways (e.g. flagging content that requires archivist attention; or records associated with a specific individual).
 
# Export any reports generated during processing and analysis, such as file hashes, virus and malware detection reports, search index terms and geolocation data.
 
# Export the forensically curated contents of processed storage media into a logical disk image.
 
# Submit the logical disk image to the [https://coptr.digipres.org/index.php/Workflow:Digital_archiving_workflow_(high-level) Digital Archiving workflow].
 
  
  
 
==Purpose, Context and Content==
 
==Purpose, Context and Content==
 
<!-- Describe what your workflow is for - i.e. what it is designed to achieve, what the organisational context of the workflow is, and what content it is designed to work with -->
 
<!-- Describe what your workflow is for - i.e. what it is designed to achieve, what the organisational context of the workflow is, and what content it is designed to work with -->
The workflow is meant to describe the steps and processes involved in an archival forensics examination of digital records submitted in storage media to University Archives at the University of Glasgow. Although the workflow can operate as stand-alone, it has been designed to align with and extend the [https://coptr.digipres.org/index.php/Workflow:Digital_archiving_workflow_(high-level) Digital Archiving workflow].
+
 
 +
==Evaluation/Review==
 +
<!-- How effective was the workflow? Was it replaced with a better workflow? Did it work well with some content but not others? What is the current status of the workflow? Does it relate to another workflow already described on the wiki? Link, explain and elaborate -->
  
 
==Further Information==
 
==Further Information==
 
<!-- Provide any further information or links to additional documentation here -->
 
<!-- Provide any further information or links to additional documentation here -->
* [https://www.gla.ac.uk/myglasgow/it/policy/digitalpreservation/ Digital Preservation policy, University of Glasgow]
 
* [https://coptr.digipres.org/index.php/Workflow:Digital_archiving_workflow_(high-level) Digital Archiving workflow, University of Glasgow]
 
* [https://www.nationalarchives.gov.uk/archives-sector/projects-and-programmes/plugged-in-powered-up/digital-preservation-workflows/ Digital preservation workflows, The National Archives]
 
  
 
<!-- Add four tildes below ("~~~~") to create an automatic signature, including your wiki username. Ensure your user page (click on your username to create it) includes an up to date contact email address so that people can contact you if they want to discuss your workflow -->
 
<!-- Add four tildes below ("~~~~") to create an automatic signature, including your wiki username. Ensure your user page (click on your username to create it) includes an up to date contact email address so that people can contact you if they want to discuss your workflow -->
[[User:Lkon115|Leo Konstantelos]] ([[User talk:Lkon115|talk]]) 12:13, 26 May 2023 (UTC)
 
  
 
<!-- Note that your workflow will be marked with a CC3.0 licence -->
 
<!-- Note that your workflow will be marked with a CC3.0 licence -->
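Review bot: step 4 of ACCESSIONING on the "+" side reads "If Yes, follow the Archival Forensics workflow", which is this page, so saving the undo leaves the workflow referring to itself. The "+" side also removes the IMAGING steps that require write-blocking and verifying the image "by comparing hashes", along with the "failed imaging" report, while the infobox `|output=` still promises "A verified, authentic copy of storage media content"; the replacement text only says "Generate checksums" during transfer and does not say what they are compared against. Suggest keeping the latest revision's PREPARATION to EXPORTING body here and leaving the appraisal, acquisition, accessioning and transfer steps on the Digital Archiving workflow page that the text already links to. If the undo is saved anyway, the added ==Evaluation/Review== heading has only a template comment under it and should be filled in or left out.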
