Since scanning and eliminating viruses has turned out to be a trickier proposition than we had initially anticipated, this post will cover our experience creating disk images of 3.5 inch floppy disks, zip disks, and CD-ROMs from the STOP AIDS Project records. Here is a link to the first blog post in the series, with background on the STOP AIDS Project and the pre-imaging process. The next post will discuss imaging hard drives.
Before beginning the imaging process, we had to answer two questions: what kind of image do we want, and how will we get it?
There are two general types of disk images, each with its own purpose. A forensic image is a bit-by-bit copy of a storage medium or device, such as a hard drive, SSD (solid state drive), floppy disk, CD/DVD/BD, or flash memory device. The image can be stored in one or more files. Deleted files, if any, may be copied in this process. This is generally the type of image taken if emulation of the full computing environment is a future goal, or if you want to recover deleted files and/or passwords.
A logical disk image is a copy of the files in the directory or folder specified during the imaging process. The full path of each file is recorded and the files are embedded in one or more files in AD1 format (a file format for logical disk images). Since deleted files and un-partitioned space are not represented in a directory, they are not copied in the process.
To create the images, we used AccessData FTK Imager. After a review of the available solutions, Stanford chose the AccessData suite (Imager and Forensic Toolkit) as our imaging and processing software, since Imager provides automatic image verification with two checksums and is compatible with the powerful processing provided by FTK (which we will discuss in a future post about processing). Another reason we are currently using Imager is that the PC version has a Graphical User Interface that is easy to use and doesn’t require processing archivists to run the process at the command line. This software was originally developed for forensic analysis of digital storage media by law enforcement, but Digital Archivist Peter Chan has developed procedures to make it viable for use by archivists as well.
The hardware we used to create images of the STOP AIDS Project computer media consisted of 3 PCs running Windows 7 (with built-in DVD drive), a Macintosh laptop (with built-in DVD drive), a Write Blocker portable USB 3.5 inch floppy disk drive, and an Iomega portable zip drive.
The Imaging Process
3.5 inch floppies and zip disks are imaged the same way, so they will be discussed together here. It is important to note that one cannot make a logical copy of an Apple-formatted 3.5 inch floppy or zip disk using FTK Imager on a Windows platform. Therefore, there are two imaging processes for these types of disks: one for PC and one for Apple.
For PC-formatted disks, we use FTK Imager’s Graphical User Interface, which allows you to select the type of image you wish to make (logical or forensic) and the format, and to add notes to the text file that is generated with each image. We make images in the Raw (dd) format, a commonly used disk image format created by the UNIX command dd.
On Apple computers, FTK Imager is a command line terminal program. In order to use it, you must know the name of the disk storage device that contains the disk you want to image so that you can unmount the disk and include the device name in the image command. The image command includes assigning a name to the image file according to your convention. You can also include a verify command in the imaging command, which runs two checksums to ensure that the original and the disk image are identical. The calculated time elapsed while imaging appears in the terminal, as does the checksum verification. Two new icons with the name of the image will appear on the desktop when imaging is complete.
It takes about 1 minute to image 3.5 inch floppies, and about 6 minutes to image zip disks. Imaging time is dependent on how much material is on the disk; the more material, the longer the imaging time.
Common issues with 3.5 inch floppy disks and zip disks
Disks are not always labeled as Apple or PC formatted. You may need to experiment with different drives to see which can read the disk -- sometimes one PC machine may not be able to read what another PC machine can. It is helpful to have a number of computers available.
There are times when the disk does not read. There will be no error message on Apple computers. The disk icon simply will not appear on the desktop. On PCs, there will be a dialog box informing you that the disk is either not formatted or is formatted incorrectly, and it will ask if you want to reformat the disk.
There are times when the disk does not image. There is no error message when the disk does not image properly. Keep the location to which you are saving the image open while imaging. If there are multiple imaging attempts (the disk image appears in that location, then disappears, many times in rapid succession), the program is very likely hung up. You should terminate imaging, close FTK Imager, and try again.
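Because a failed imaging run produces no error message, a check that does not depend on the imaging tool's own report is a useful complement to the verify step described earlier. The following is an added example, not part of the original post or of FTK Imager: it writes a raw (dd-style) image, re-reads it, and compares size and two digests against the source. MD5 and SHA-1 are an assumption here, since the post does not name the two checksums, and the "floppy" is a constructed file.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # read size; a multiple of the 512-byte sector

def hash_stream(path, writer=None):
    """Read path in chunks, optionally copying each chunk to writer.
    Returns (byte_count, md5_hex, sha1_hex)."""
    md5, sha1, total = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as src:
        while chunk := src.read(CHUNK):
            md5.update(chunk)
            sha1.update(chunk)
            if writer:
                writer.write(chunk)
            total += len(chunk)
    return total, md5.hexdigest(), sha1.hexdigest()

def image_and_verify(source, image_path):
    """Copy source to a raw image, then re-read the image from disk and
    compare byte count and both digests with the pass over the source."""
    with open(image_path, "wb") as out:
        src_result = hash_stream(source, out)
        out.flush()
        os.fsync(out.fileno())  # make sure the image is really on disk
    img_result = hash_stream(image_path)
    return {"bytes": src_result[0], "source": src_result[1:],
            "image": img_result[1:], "verified": src_result == img_result}

def demo():
    # Constructed stand-in for a 1.44 MB floppy: 2880 sectors of 512 bytes.
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "floppy.bin")
    with open(source, "wb") as f:
        f.write(os.urandom(512) * 2880)
    good = image_and_verify(source, os.path.join(workdir, "disk001.dd"))
    # Simulate a hung or interrupted run that left a truncated image behind.
    partial_path = os.path.join(workdir, "disk001_partial.dd")
    with open(source, "rb") as s, open(partial_path, "wb") as p:
        p.write(s.read(512 * 100))
    partial = hash_stream(partial_path)
    partial_ok = partial == (good["bytes"],) + good["source"]
    return good, partial_ok

if __name__ == "__main__":
    result, partial_ok = demo()
    print(result, "partial image verified:", partial_ok)
```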
Since all CDs use the same file formatting system (Compact Disc File System, in accordance with ISO 9660), we used PCs to image all CDs in the STOP AIDS Project records. We followed the same procedure as for PC 3.5 inch disks, except that the options to verify images and add evidence item information do not appear. We saved these images in CUE format. It took about 5 minutes to image each CD. The main problem with CDs is that there are times when the disk will not read; the error message is the same as for 3.5 inch disks and zip disks on PCs.