12th International Conference on Digital Preservation (iPRES 2015)
Functional Access to Forensic Disk Images in a Web Service
Presenter: Kam Woods, UNC School of Information and Library Science
Authors: Kam Woods, Cal Lee, Oleg Stobbe, Thomas Liebetraut, Klaus Rechert
iPRES 2015, November 3, 2015, Chapel Hill, NC
The Andrew W. Mellon Foundation
Capturing disk images from legacy digital media is an increasingly common practice in collecting institutions
A noted criticism: “Disk imaging only addresses a slice of the problem, and may ‘mask out’ other preservation issues”.
• Physical decay and obsolescence
• Format obsolescence
• Format identification and verification
• Rendering old formats with modern tools
• Identifying and reporting on private and sensitive information
• Metadata management
• Storage
• Providing access
Source: “Digital Forensics and creation of a narrative.” Da Blog: ULCC Digital Archives Blog. http://dablog.ulcc.ac.uk/2011/07/04/forensics/
Simplifying access supports high quality preservation outcomes
• Forensically packaged disk images include protections against bit-rot and package metadata that support records of provenance and fixity
– Yet many common filesystem processing tools can’t talk to these images directly
– Redacting or limiting access to specific items within disk images may also be required
Forensic disk imaging and metadata extraction provides clear provenance for redacted access copies
Acquire disk image from original media
Identify items to redact
Generate redacted disk image and/or files
Report on redacted items for preservation record
Access
Access copies may not always be the right (or most desirable) approach
Original file (unredacted in disk image)
File object identified in disk image and recorded in a forensic metadata format (DFXML)
Redacted access views
PII identified at byte offsets
Two methods of access
Browsing the unmounted disk image (including non-filesystem elements) in a web interface
Interacting with bootable/mountable filesystems via EaaS in a web interface
Two methods of access
• bwFLA – Emulation as a Service implements a QEMU block-level driver to access EWF-format images (a common forensic packaging format)
– Alterations to the booted or mounted image are written to an overlay and discarded after the session
– Read operations may be similarly intercepted by this overlay, preventing access to specific files and filesystem contents
– Deployment via Docker or bare metal
• BitCurator Access Webtools uses an open source forensic image access library to synthesize a view into filesystem and other data contained within the disk image, selectively allowing access
– Deployment via Vagrant or bare metal
Emulation as a Service (bwFLA)
• Each disk image is described in an associated XML metadata document:
<emulationEnvironment xmlns="http://bwfla.bwl.de/common/datatypes">
  <id>2010</id>
  <description><title>Microsoft DOS 6.20 (CD-ROM) E01</title></description>
  <arch>i386</arch>
  <emulator bean="Qemu" >
  …
  <drive>
    <data></data>
    <iface>ide</iface>
    <bus>0</bus>
    <unit>1</unit>
    <type>cdrom</type>
    <boot>false</boot>
    <filesystem>ISO</filesystem>
  </drive>
  …
  <binding id="main_hdd">
    <url>imagearchive:qemu-i386-DOS_6.20_CDROM.E01</url>
    <access>cow</access>
  </binding>
</emulationEnvironment>
Web access to disk images: (bca-webtools)
Using lightweight web service tools along with digital forensics libraries to produce easy-to-use navigation and management interfaces for disk images via a web browser.
Synthesizing filesystem views to present redacted contents without altering the original filesystem
Acquisition and forensic processing
Sensitive information linked to files within filesystem
Web page displays filesystem view; links to redacted materials download from alternate storage
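Added example (not from the slides and not bca-webtools code): a Python illustration of the linkage step above, mapping PII hits at image byte offsets onto DFXML file objects to produce a redacted listing and a redaction report without touching the image. The DFXML snippet is constructed and simplified (no namespace); the hit list and all function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified DFXML: each fileobject lists the image byte runs it occupies.
SAMPLE_DFXML = """<dfxml>
  <fileobject><filename>LETTERS/TAXES.DOC</filename><filesize>1024</filesize>
    <byte_runs><byte_run file_offset="0" img_offset="32768" len="512"/>
               <byte_run file_offset="512" img_offset="65536" len="512"/></byte_runs>
  </fileobject>
  <fileobject><filename>README.TXT</filename><filesize>300</filesize>
    <byte_runs><byte_run file_offset="0" img_offset="40960" len="300"/></byte_runs>
  </fileobject>
</dfxml>"""

# Constructed PII hits as (image byte offset, feature type), e.g. from a scanner.
SAMPLE_HITS = [(65600, "ssn"), (33000, "email"), (90000, "email")]


def load_files(dfxml_text):
    """Return {filename: [(img_offset, length, file_offset), ...]}."""
    files = {}
    for fo in ET.fromstring(dfxml_text).iter("fileobject"):
        runs = [(int(r.get("img_offset")), int(r.get("len")), int(r.get("file_offset")))
                for r in fo.iter("byte_run")]
        files[fo.findtext("filename")] = runs
    return files


def link_hits(files, hits):
    """Group hits by owning file; hits outside every byte run are keyed by None."""
    linked = {}
    for img_off, kind in hits:
        owner = None
        for name, runs in files.items():
            for start, length, file_off in runs:
                if start <= img_off < start + length:
                    owner = (name, file_off + img_off - start)
        key = owner[0] if owner else None
        linked.setdefault(key, []).append(
            {"type": kind, "img_offset": img_off,
             "file_offset": owner[1] if owner else None})
    return linked


def build_view(files, linked):
    """Synthesize the listing and the redaction report; the image is never modified."""
    view = [{"name": n, "access": "redacted" if n in linked else "open"}
            for n in sorted(files)]
    report = [{"name": n, "hits": linked[n]} for n in sorted(k for k in linked if k)]
    return view, report, linked.get(None, [])
```

Hits that fall outside every file's byte runs (slack or unallocated space) are returned separately, since they matter for the first access method, where non-filesystem elements of the image are browsable.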
Find out more about bwFLA/EaaS and BitCurator Access online
BitCurator Access software and documentation
http://access.bitcurator.net/
https://github.com/bitcurator/bca-webtools
bwFLA / EaaS software and documentation
http://bw-fla.uni-freiburg.de/
https://github.com/eaas-framework
Questions?
bca-webtools: a prototype to demonstrate integrating digital forensics software libraries and lightweight web services tools. Drop your disk images in a local or network-accessible location, start up the service, and start browsing.
https://github.com/bitcurator/bca-webtools
• Most analysis runs server-side (via Sleuthkit and DFXML Python bindings, among others)
• Service is database-agnostic (we use postgres)
• Automatic metadata production (DFXML, PREMIS, others)