Functional Access to Forensic Disk Images in a Web Service. Kam Woods, Christopher Lee, Oleg Stobbe,...
Upload: 12th-international-conference-on-digital-preservation-ipres-2015
Post on 11-Jan-2017
![Page 1: Functional Access to Forensic Disk Images in a Web Service. Kam Woods, Christopher Lee, Oleg Stobbe, Thomas Liebetraut and Klaus Rechert](https://reader031.vdocuments.net/reader031/viewer/2022030304/58762cc91a28ab8b7b8b6e17/html5/thumbnails/1.jpg)
Functional Access to Forensic Disk Images in a Web Service
Presenter: Kam Woods, UNC School of Information and Library Science
Authors: Kam Woods, Cal Lee, Oleg Stobbe, Thomas Liebetraut, Klaus Rechert
iPRES 2015, November 3, 2015, Chapel Hill, NC
The Andrew W. Mellon Foundation
![Page 2: Functional Access to Forensic Disk Images in a Web Service. Kam Woods, Christopher Lee, Oleg Stobbe, Thomas Liebetraut and Klaus Rechert](https://reader031.vdocuments.net/reader031/viewer/2022030304/58762cc91a28ab8b7b8b6e17/html5/thumbnails/2.jpg)
Capturing disk images from legacy digital media is an increasingly common practice in collecting institutions
![Page 3: Functional Access to Forensic Disk Images in a Web Service. Kam Woods, Christopher Lee, Oleg Stobbe, Thomas Liebetraut and Klaus Rechert](https://reader031.vdocuments.net/reader031/viewer/2022030304/58762cc91a28ab8b7b8b6e17/html5/thumbnails/3.jpg)
A noted criticism: “Disk imaging only addresses a slice of the problem, and may ‘mask out’ other preservation issues”.
• Physical decay and obsolescence
• Format obsolescence
• Format identification and verification
• Rendering old formats with modern tools
• Identifying and reporting on private and sensitive information
• Metadata management
• Storage
• Providing access
Source: “Digital Forensics and creation of a narrative.” Da Blog: ULCC Digital Archives Blog. http://dablog.ulcc.ac.uk/2011/07/04/forensics/
![Page 4: Functional Access to Forensic Disk Images in a Web Service. Kam Woods, Christopher Lee, Oleg Stobbe, Thomas Liebetraut and Klaus Rechert](https://reader031.vdocuments.net/reader031/viewer/2022030304/58762cc91a28ab8b7b8b6e17/html5/thumbnails/4.jpg)
Simplifying access supports high quality preservation outcomes
• Forensically packaged disk images include protections against bit-rot and package metadata that support records of provenance and fixity
– Yet many common filesystem processing tools can’t talk to these images directly
– Redacting or limiting access to specific items within disk images may also be required
![Page 5: Functional Access to Forensic Disk Images in a Web Service. Kam Woods, Christopher Lee, Oleg Stobbe, Thomas Liebetraut and Klaus Rechert](https://reader031.vdocuments.net/reader031/viewer/2022030304/58762cc91a28ab8b7b8b6e17/html5/thumbnails/5.jpg)
Forensic disk imaging and metadata extraction provides clear provenance for redacted access copies
Acquire disk image from original media
Identify items to redact
Generate redacted disk image and/or files
Report on redacted items for preservation record
Access
![Page 6: Functional Access to Forensic Disk Images in a Web Service. Kam Woods, Christopher Lee, Oleg Stobbe, Thomas Liebetraut and Klaus Rechert](https://reader031.vdocuments.net/reader031/viewer/2022030304/58762cc91a28ab8b7b8b6e17/html5/thumbnails/6.jpg)
Access copies may not always be the right (or most desirable) approach
Original file (unredacted in disk image)
File object identified in disk image and recorded in a forensic metadata format (DFXML)
Redacted access views
PII identified at byte offsets
![Page 7: Functional Access to Forensic Disk Images in a Web Service. Kam Woods, Christopher Lee, Oleg Stobbe, Thomas Liebetraut and Klaus Rechert](https://reader031.vdocuments.net/reader031/viewer/2022030304/58762cc91a28ab8b7b8b6e17/html5/thumbnails/7.jpg)
Two methods of access
Browsing the unmounted disk image (including non-filesystem elements) in a web interface
Interacting with bootable/mountable filesystems via EaaS in a web interface
![Page 8: Functional Access to Forensic Disk Images in a Web Service. Kam Woods, Christopher Lee, Oleg Stobbe, Thomas Liebetraut and Klaus Rechert](https://reader031.vdocuments.net/reader031/viewer/2022030304/58762cc91a28ab8b7b8b6e17/html5/thumbnails/8.jpg)
Two methods of access
• bwFLA – Emulation as a Service implements a QEMU block-level driver to access EWF-format images (a common forensic packaging format)
– Alterations to the booted or mounted image are written to an overlay and discarded after the session
– Read operations may be similarly intercepted by this overlay, preventing access to specific files and filesystem contents
– Deployment via Docker or bare metal
• BitCurator Access Webtools uses an open source forensic image access library to synthesize a view into filesystem and other data contained within the disk image, selectively allowing access
– Deployment via Vagrant or bare metal
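The overlay behaviour described on this slide, modelled in Python as an added example (not bwFLA or QEMU code): writes land in a per-session overlay, reads of redacted byte ranges are masked, and the base image's hash is unchanged after the session. The class name, the 512-byte block size and the sample bytes are assumptions made for the illustration.

```python
import hashlib

BLOCK = 512  # assumed block size for this model


class OverlaySession:
    """Read-only base image plus a throwaway per-session overlay."""

    def __init__(self, base: bytes, denied=()):
        self._base = base            # original image bytes, never modified
        self._overlay = {}           # block number -> bytearray changed this session
        self._denied = list(denied)  # [start, stop) byte ranges masked on read

    def write(self, offset: int, data: bytes) -> None:
        if offset < 0 or offset + len(data) > len(self._base):
            raise ValueError("write outside image")
        for i, byte in enumerate(data):
            blk, off = divmod(offset + i, BLOCK)
            if blk not in self._overlay:  # copy the block on first write
                self._overlay[blk] = bytearray(self._base[blk * BLOCK:(blk + 1) * BLOCK])
            self._overlay[blk][off] = byte

    def read(self, offset: int, length: int) -> bytes:
        end = min(offset + length, len(self._base))
        out = bytearray()
        for pos in range(offset, end):
            blk, off = divmod(pos, BLOCK)
            src = self._overlay.get(blk)
            out.append(src[off] if src is not None else self._base[pos])
        for start, stop in self._denied:  # mask redacted ranges, even if overwritten
            for pos in range(max(start, offset), min(stop, end)):
                out[pos - offset] = 0
        return bytes(out)

    def close(self) -> None:
        self._overlay.clear()        # session changes are discarded


def demo() -> dict:
    img = bytearray(b"." * (4 * BLOCK))   # constructed stand-in for a disk image
    img[0:8] = b"BOOTSECT"
    img[600:615] = b"PII:CONSTRUCTED"     # constructed sensitive span
    base = bytes(img)
    before = hashlib.sha256(base).hexdigest()
    s = OverlaySession(base, denied=[(600, 615)])
    s.write(0, b"ALTERED!")
    during, masked = s.read(0, 8), s.read(596, 24)
    s.close()
    return {"during": during, "masked": masked, "after": s.read(0, 8),
            "fixity_ok": hashlib.sha256(s._base).hexdigest() == before}
```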
![Page 9: Functional Access to Forensic Disk Images in a Web Service. Kam Woods, Christopher Lee, Oleg Stobbe, Thomas Liebetraut and Klaus Rechert](https://reader031.vdocuments.net/reader031/viewer/2022030304/58762cc91a28ab8b7b8b6e17/html5/thumbnails/9.jpg)
Emulation as a Service (bwFLA)
![Page 10: Functional Access to Forensic Disk Images in a Web Service. Kam Woods, Christopher Lee, Oleg Stobbe, Thomas Liebetraut and Klaus Rechert](https://reader031.vdocuments.net/reader031/viewer/2022030304/58762cc91a28ab8b7b8b6e17/html5/thumbnails/10.jpg)
Emulation as a Service (bwFLA)
![Page 11: Functional Access to Forensic Disk Images in a Web Service. Kam Woods, Christopher Lee, Oleg Stobbe, Thomas Liebetraut and Klaus Rechert](https://reader031.vdocuments.net/reader031/viewer/2022030304/58762cc91a28ab8b7b8b6e17/html5/thumbnails/11.jpg)
Emulation as a Service (bwFLA)
![Page 12: Functional Access to Forensic Disk Images in a Web Service. Kam Woods, Christopher Lee, Oleg Stobbe, Thomas Liebetraut and Klaus Rechert](https://reader031.vdocuments.net/reader031/viewer/2022030304/58762cc91a28ab8b7b8b6e17/html5/thumbnails/12.jpg)
Emulation as a Service (bwFLA)
• Each disk image is described in an associated XML metadata document:
```xml
<emulationEnvironment xmlns="http://bwfla.bwl.de/common/datatypes">
  <id>2010</id>
  <description><title>Microsoft DOS 6.20 (CD-ROM) E01</title></description>
  <arch>i386</arch>
  <emulator bean="Qemu">
  …
  <drive>
    <data></data>
    <iface>ide</iface>
    <bus>0</bus>
    <unit>1</unit>
    <type>cdrom</type>
    <boot>false</boot>
    <filesystem>ISO</filesystem>
  </drive>
  …
  <binding id="main_hdd">
    <url>imagearchive:qemu-i386-DOS_6.20_CDROM.E01</url>
    <access>cow</access>
  </binding>
</emulationEnvironment>
```
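A check one could run over such metadata documents before publishing an environment, as an added example (not part of the slides or of bwFLA): it lists every binding whose `<access>` is not `cow`, assuming `cow` selects the discard-after-session overlay described earlier. The `scratch` and `no_mode` bindings and the `rw` value are constructed for the sample and are not taken from the bwFLA schema.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://bwfla.bwl.de/common/datatypes"}  # namespace shown on the slide

# Constructed sample using only elements shown on the slide; the second and
# third bindings (and the "rw" value) are hypothetical, added to trigger findings.
SAMPLE = """<emulationEnvironment xmlns="http://bwfla.bwl.de/common/datatypes">
  <id>2010</id>
  <binding id="main_hdd">
    <url>imagearchive:qemu-i386-DOS_6.20_CDROM.E01</url>
    <access>cow</access>
  </binding>
  <binding id="scratch">
    <url>imagearchive:example-constructed.E01</url>
    <access>rw</access>
  </binding>
  <binding id="no_mode">
    <url>imagearchive:example-missing.E01</url>
  </binding>
</emulationEnvironment>"""


def audit_bindings(xml_text: str) -> list:
    """Return (binding id, url, access) for every binding that is not 'cow'."""
    root = ET.fromstring(xml_text)
    findings = []
    for b in root.iterfind(".//e:binding", NS):
        url = (b.findtext("e:url", default="", namespaces=NS) or "").strip()
        access = (b.findtext("e:access", default="", namespaces=NS) or "").strip()
        if access.lower() != "cow":
            # A missing <access> is reported too: the mode is then unknown.
            findings.append((b.get("id"), url, access or "<missing>"))
    return findings


if __name__ == "__main__":
    for finding in audit_bindings(SAMPLE):
        print("not copy-on-write:", finding)
```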
![Page 13: Functional Access to Forensic Disk Images in a Web Service. Kam Woods, Christopher Lee, Oleg Stobbe, Thomas Liebetraut and Klaus Rechert](https://reader031.vdocuments.net/reader031/viewer/2022030304/58762cc91a28ab8b7b8b6e17/html5/thumbnails/13.jpg)
Emulation as a Service (bwFLA)
![Page 14: Functional Access to Forensic Disk Images in a Web Service. Kam Woods, Christopher Lee, Oleg Stobbe, Thomas Liebetraut and Klaus Rechert](https://reader031.vdocuments.net/reader031/viewer/2022030304/58762cc91a28ab8b7b8b6e17/html5/thumbnails/14.jpg)
Web access to disk images: (bca-webtools)
Using lightweight web service tools along with digital forensics libraries to produce easy-to-use navigation and management interfaces for disk images via a web browser.
![Page 15: Functional Access to Forensic Disk Images in a Web Service. Kam Woods, Christopher Lee, Oleg Stobbe, Thomas Liebetraut and Klaus Rechert](https://reader031.vdocuments.net/reader031/viewer/2022030304/58762cc91a28ab8b7b8b6e17/html5/thumbnails/15.jpg)
Web access to disk images: (bca-webtools)
![Page 16: Functional Access to Forensic Disk Images in a Web Service. Kam Woods, Christopher Lee, Oleg Stobbe, Thomas Liebetraut and Klaus Rechert](https://reader031.vdocuments.net/reader031/viewer/2022030304/58762cc91a28ab8b7b8b6e17/html5/thumbnails/16.jpg)
Web access to disk images: (bca-webtools)
![Page 17: Functional Access to Forensic Disk Images in a Web Service. Kam Woods, Christopher Lee, Oleg Stobbe, Thomas Liebetraut and Klaus Rechert](https://reader031.vdocuments.net/reader031/viewer/2022030304/58762cc91a28ab8b7b8b6e17/html5/thumbnails/17.jpg)
Synthesizing filesystem views to present redacted contents without altering the original filesystem
Acquisition and forensic processing
Sensitive information linked to files within filesystem
Web page displays filesystem view; links to redacted materials download from alternate storage
![Page 18: Functional Access to Forensic Disk Images in a Web Service. Kam Woods, Christopher Lee, Oleg Stobbe, Thomas Liebetraut and Klaus Rechert](https://reader031.vdocuments.net/reader031/viewer/2022030304/58762cc91a28ab8b7b8b6e17/html5/thumbnails/18.jpg)
Find out more about bw-FLA/EaaS and BitCurator Access online
BitCurator Access software and documentation
http://access.bitcurator.net/
https://github.com/bitcurator/bca-webtools
bwFLA / EaaS software and documentation
http://bw-fla.uni-freiburg.de/
https://github.com/eaas-framework
![Page 19: Functional Access to Forensic Disk Images in a Web Service. Kam Woods, Christopher Lee, Oleg Stobbe, Thomas Liebetraut and Klaus Rechert](https://reader031.vdocuments.net/reader031/viewer/2022030304/58762cc91a28ab8b7b8b6e17/html5/thumbnails/19.jpg)
Questions?
![Page 20: Functional Access to Forensic Disk Images in a Web Service. Kam Woods, Christopher Lee, Oleg Stobbe, Thomas Liebetraut and Klaus Rechert](https://reader031.vdocuments.net/reader031/viewer/2022030304/58762cc91a28ab8b7b8b6e17/html5/thumbnails/20.jpg)
bca-webtools: a prototype to demonstrate integrating digital forensics software libraries and lightweight web services tools. Drop your disk images in a local or network-accessible location, start up the service, and start browsing.
https://github.com/bitcurator/bca-webtools
• Most analysis runs server-side (via Sleuthkit and DFXML Python bindings, among others)
• Service is database-agnostic (we use postgres)
• Automatic metadata production (DFXML, PREMIS, others)