Henry Lowood, Curator for History of Science & Technology Collections, was interviewed by Trevor Owens at the Library of Congress about a current project on preserving software from the Stephen M. Cabrinety Collection in the History of Microcomputing. Stanford University Libraries are collaborating with NIST’s National Software Reference Library to create disk images and digitize related materials for a large portion of the collection.
In June, I gave a talk at the Rare Books and Manuscripts conference in San Diego, California. The topic was about archiving and processing email collections and I was paired with two individuals from the Brakhage Center at the University of Colorado at Boulder. This was great for me, as the center collects and preserves experimental film archives, which we also collect. At the conclusion, we had as many questions for each other as the audience did for us. [Note: The accompanying PPT slides are available online.]
Here is the gist of my email presentation:
The Enigma of Email
I recently attended a workshop of the KEEP project (Keeping Emulation Environments Portable) in Rome. KEEP is an EU funded project to develop software that virtualizes old computer hardware and software environments. This allows you to run old operating systems and the applications that were designed for them on modern computers.
I’m currently imaging 3.5 inch diskettes using AccessData FTK Imager, and the process has involved a certain amount of déjà vu. I came of age in the 1990s, when 3.5 inch diskettes were the workhorses of logical storage. With the advent of flash drives and cloud storage, however, I’d forgotten some of the special quirks of dealing with floppies and floppy drives. I offer some tips here in the hopes that readers will find them useful.
Processing Born-Digital Materials in the STOP AIDS Project Records: Introduction and Preparation for Imaging
Introduction to the STOP AIDS Project Papers
On April 22, I conducted a 2-hour workshop on “Using FTK Imager and AccessData FTK to Capture and Process Born Digital Materials.” The purpose of the workshop was to give staff a hands-on experience in using FTK Imager and AccessData FTK. Eight colleagues from the Stanford University Libraries attended the workshop – primarily from Special Collections and University Archives and the Humanities and Social Sciences Group.
The workshop covered the following:
FTK Imager – how to:
1. Download and install the software (free software - http://accessdata.com/support/adownloads).
Jeremy Leighton John, Principal Investigator and Project Manager for Digital Lives, mentioned "Site Photography, Video Walks and Interview" as part of the Enhanced Curation for Personal Digital Archives in the PDA 2011 Conference. I think we should follow in his footsteps of capturing images of the creative space of the donor as part of our practice in collecting personal archives.
Video from the 2010 presentation at the Rare Books and Manuscripts Section of the American Library Association in Philadelphia. Moderators and presenters include:
Jennifer Schaffner, OCLC RLG Programs (moderator)
Laura Carroll, Emory University [slides]
Erika Farr, Emory University
Michael Olson, Stanford University [slides]
Ben Goldman, University of Wyoming [slides]
Abstract for the panel:
CBS has posted a very interesting article by Armen Keteyian on digital copiers and the secret documents that they may contain. See http://www.cbsnews.com/stories/2010/04/19/eveningnews/main6412439.shtml.
Glynn Edwards, Peter Chan and I have finally finished our first working draft of a forensic lab workflow using floppy diskettes from the Stephen Jay Gould collection. This first workflow or use case has been very challenging to put together. Throughout this process we’ve endeavored to make our diagram easy to understand while still capturing the operational steps and software applications that are currently being utilized by our digital archivist. We’re still in the midst of evaluating software so it is expected that some of the listed applications will be replaced.
Our Digital Archivist (Peter) and I spent some time working with EnCase Forensic software and experimented with running a few search strings against a Robert Creeley computer disk. We added the words “reference” and “SSN” to the search script and were able to return ten hits across hundreds of files. All of the search hits found letters of reference Robert Creeley wrote on behalf of colleagues and students. The results were very interesting and I’m beginning to see how we might incorporate this sort of technology into the daily activities of our digital archivist.
Eric Kaltman has been working hard on cataloging and organizing Stanford's Stephen M. Cabrinety Collection. Eric has done excellent work and I highly recommend that those interested in the history of computer software subscribe to his blog at http://www.stanford.edu/group/htgg/cgi-bin/drupal/?q=node/229 . Great work Eric and keep up the great work!
The final day of training focused on the Macintosh disk format and operating system. Macs use the HFS+ disk format, which is significantly different from NTFS and presents some interesting challenges to forensic examiners. The design of HFS+ makes it very unlikely that a forensic investigation will recover deleted files. In the digital archival community this fact is not necessarily a bad thing, but I’ll need to muse on this in a future post. I’ll end with the most useful tidbit I learned in today’s training.
Today’s focus was encryption and hacking techniques. All of the tools we used today are freely available and the hardest part is figuring out when to use a particular tool. Another interesting crumb of knowledge I learned today is that the forensic community doesn’t have a solution for TrueCrypt (http://www.truecrypt.org/). This software is giving the community fits. This software allows one to create encrypted volumes that appear as other files. There are minimal clues for the forensic investigator. Techniques such as a file signature analysis won’t work.
The most recent issue of Speaking of Computers features an article on the new Digital Forensics Lab. This article is available at http://speaking.stanford.edu/highlights/New_Digital_Forensics_Lab.html.
The primary focus of today’s class was on the Windows registry and techniques for capturing and evaluating event logs. We spent a significant amount of time using different methods for pulling over a proprietary program from a target workstation and editing the registry on our forensic workstation to access the target data set. After going through this exercise I need to stress the importance of acquiring the computer. Registry editing is only one approach and the more we keep the more we will have to work with.
Congratulations Peter and welcome to our team! Please see the following URL announcing Peter's arrival.
Today I began a four-day intensive training course to learn advanced techniques for Guidance Software’s EnCase Forensics software. Most of the day was spent on the NTFS file system with particular focus on the Master File Table. In short, it was a 32 hour course on NTFS compressed into 8 hours where we learned how to interpret the MFT by parsing various attribute values. The goal was to learn the fundamental methodologies and mathematics that EnCase Forensics uses to identify physical and logical structures on a hard drive.
We've recently begun using JIRA to submit and track requests for digital forensic services at SULAIR. JIRA is software designed to facilitate project management of software development. SULAIR's Digital Library Systems and Services has successfully been using this software to manage, track and quantify requests for digitization of Special Collection materials. With the tracking of forensic service requests we are planning on using the statistics we're able to gather from JIRA to better understand digital forensic services.
Today our intern Crystal Rangel began processing the digital media in the Lynn Hershman Leeson collection. This collection documents the work of the American artist and filmmaker Lynn Hershman and contains approximately twenty 3 1/2" diskettes and a single one hundred megabyte Zip Disk. Crystal has generated tracking sheets for each of the diskettes using Metadata Toolkit XForm. The tracking sheets contain a unique identifier, a local identifier and a brief title. They are primarily used to generate unique filenames for each image and for tracking of the digital forensic imaging process.
A group of Stanford Special Collections staff just returned from a two day training course on computer forensics. The training was very intensive and focused on the DOS and Windows operating systems. I found the training excellent as we spent a large part of the course understanding how computer hardware and operating systems interact. More importantly, we were introduced to how forensic tools take advantage of operating system design. File allocation tables in DOS and Windows environments leave specific forensic trails.
Does your computer have a 3 1/2" floppy drive? If your workstation is less than 2 or 3 years old it is likely that it doesn't, as most personal computers no longer ship with floppy drives. Floppy disks are rapidly becoming obsolete and it is increasingly difficult to find workstations with the hardware and chipsets to support them.
EPROM stands for Erasable Programmable Read-Only Memory. EPROM is an early form of flash memory chip that retains its data after the power supply has been terminated. The most common use for this type of memory chip is for storing computer BIOS (Basic Input Output System) that is used to bootstrap a computer's operating system. Another common use of this type of memory chip is in the development of video game cartridges. EPROMs contain a quartz window that allows for the erasure of the stored data.
During the past few weeks I've run into a number of my library friends and colleagues that have been asking, "why is SULAIR investing in a Digital Forensics Lab?" As a reply, I begin by highlighting the increasing volume of materials we acquire that are born digital. These materials have been created, edited and exist only in digital form. These library materials are ultimately just a series of binary digits (0s and 1s) that are written on carriers such as hard drives, CDs/DVDs and floppy disks.
Stanford University Libraries has just received notice that our Forensic Recovery of Evidence Devices (FREDs) are almost ready to ship. The expected shipping date for this lab equipment is slated for August 13th. The FREDs will be the keystone in SULAIR's new Digital Forensics Lab and will give us the capability to preserve and analyze born digital collection materials. The FREDs are configured to read all types of hand held media including hard drives, CDs/DVDs, 3 1/2" and 5 1/2" floppy disks, multiple tape formats and most types of consumer grade flash memory.