School of Information and Library Science
University of North Carolina, Chapel Hill
INLS 690-141 - Digital Forensics for Curation of Digital Collections
[Last Updated: 2013-10-9]
Meeting Time: Wednesday, 12:30-3:15
Location: Manning 117
Instructors: Cal Lee and Kam Woods
Office: 212 Manning (Cal); 309 Manning (Kam)
Phone: 919-962-7024 (Cal); 919-966-3589 (Kam)
E-Mail: callee [at] ils [dot] unc [dot] edu (Cal); kamwoods [at] email [dot] unc [dot] edu (Kam)
Office Hours: Cal: Wednesday, 3:15-4:00, or by appointment; Kam: Thursday, 2:00-3:00, or by appointment
Course Web Site: https://sakai.unc.edu/portal/site/inls690-2013-fall-lee-woods
Students will learn about hardware, software, principles and methods for capturing and curating digital data that have been stored on removable media (i.e., hard drives, floppy disks, USB memory sticks). This course addresses common storage devices and interfaces; write-blocking equipment and its role in acquisition of data; levels of representation; basic filesystem structures; role and importance of hash values and hex views of bitstreams; software used to conduct forensics tasks; considerations for incorporating forensics into curation workflows; and legal and ethical issues. Students will have the opportunity to use a range of state-of-the-art digital forensics hardware and (commercial and open-source) software and explore ways that they can be applied by information professionals in a variety of collecting contexts.
Special Needs: If you feel that you may need an accommodation for a disability or have any other special need, please make an appointment to discuss this with one or both of the instructors. We will best be able to address special circumstances if we know about them early in the semester. Our office hours and contact information are listed at the beginning of this syllabus.
"In support of the University’s diversity goals and the mission of the School of Information and Library Science, SILS embraces diversity as an ethical and societal value. We broadly define diversity to include race, gender, national origin, ethnicity, religion, social class, age, sexual orientation and physical and learning ability. As an academic community committed to preparing our graduates to be leaders in an increasingly multicultural and global society we strive to:
The statement represents a commitment of resources to the development and maintenance of an academic environment that is open, representative, reflective and committed to the concepts of equity and fairness."
- The faculty of the School of Information and Library Science (http://sils.unc.edu/about/diversity)
It is very important that you both attribute your sources and avoid excessive use of quotes (see separate handout called "In Your Own Words"). Be aware of the University of North Carolina policy on plagiarism. Your written work must be original. Ask if you have any doubts about what this means.
All cases of plagiarism (unattributed quotation or paraphrasing) of anyone else's work, whether from someone else's answers to homework or from published materials, will be officially reported and dealt with according to UNC policies (Instrument of Student Judicial Governance, Section II.B.1. and III.D.2, http://instrument.unc.edu).
The most important measures of your performance in this and all other classes at SILS will be your ability to engage in challenging materials with your fellow students; your reputation for insights and professionalism among your peers and with your instructor; your integration of course material with the other things you are learning both inside and outside the classroom; and your ability to apply what you’ve learned in your future career. However, the conventions of academia dictate that I also assign labels (called grades) to your work on assignments and for the course as a whole.
Based on UNC Registrar Policy for graduate-level courses (http://regweb.unc.edu/resources/rpm24.php), both assignment and semester grades will be H, P, L or F. Few students will obtain an "H," which signifies an exceptionally high level of performance (higher than an "A" in an A-F system). The following is a more detailed breakdown:*
|H|Superior work: complete command of subject, unusual depth, great creativity or originality|
|P+|Above average performance: solid work somewhat beyond what was required and good command of the material|
|P|Satisfactory performance that meets course requirements (expected to be the median grade of all students in the course)|
|P-|Acceptable work in need of improvement|
|L|Unacceptable graduate performance: substandard in significant ways|
|F|Performance that is seriously deficient and unworthy of graduate credit|
*Note: The above breakdown is for individual assignments. Final grades in the course will not reflect + or - designations (i.e. there will be Ps but no P+s or P-s).
According to UNC Registrar Policy, undergraduate grades are based on the following definitions:
Mastery of course content at the highest level of attainment that can reasonably be expected of students at a given stage of development. The A grade states clearly that the student has shown such outstanding promise in the aspect of the discipline under study that he/she may be strongly encouraged to continue.
Strong performance demonstrating a high level of attainment for a student at a given stage of development. The B grade states that the student has shown solid promise in the aspect of the discipline under study.
A totally acceptable performance demonstrating an adequate level of attainment for a student at a given stage of development. The C grade states that, while not yet showing unusual promise, the student may continue to study in the discipline with reasonable hope of intellectual development.
A marginal performance in the required exercises demonstrating a minimal passing level of attainment. A student has given no evidence of prospective growth in the discipline; an accumulation of D grades should be taken to mean that the student would be well advised not to continue in the academic field.
For whatever reason, an unacceptable performance. The F grade indicates that the student's performance in the required exercises has revealed almost no understanding of the course content. A grade of F should warrant an advisor's questioning whether the student may suitably register for further study in the discipline before remedial work is undertaken.
Absent from final examination, but could have passed if exam taken. This is a temporary grade that converts to an F* after the last day of class for the next regular semester unless the student makes up the exam.
Failed and absent from exam. The FA grade is given when the undergraduate student did not attend the exam, and could not pass the course regardless of performance on the exam. This would be appropriate for a student that never attended the course or has excessive absences in the course, as well as missing the exam.
Work incomplete. This is a temporary grade that converts to F at the end of eight weeks into the next semester unless the student makes up the incomplete work.
Withdrew passing. Entered when a student drops after the six-week drop period.
SILS Reserves: Copies of the following books are available from the SILS Library on the first floor of Manning Hall (behind the SILS Library help desk):
Altheide, Cory, Harlan Carvey and Ray Davidson. Digital Forensics with Open Source Tools. Waltham, MA: Syngress, 2011.
Casey, Eoghan. Handbook of Digital Forensics and Investigation. Boston: Academic, 2010.
Doherty, Eamon P. Digital Forensics for Handheld Devices. Boca Raton, FL: CRC Press, 2013.
Jones, Andy and Craig Valli. Building a Digital Forensic Laboratory: Establishing and Managing a Successful Facility. Burlington, MA: Butterworth-Heinemann and Syngress Publishing, Inc., 2009.
Jones, Keith J., Richard Bejtlich, Curtis W. Rose, Dan Farmer, Wietse Venema, and Brian Carrier. Computer Forensics Library Boxed Set. Upper Saddle River, NJ: Addison-Wesley, 2007. Includes:
Sammons, John. The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics. Boston: Syngress, 2012.
For the weekly readings, the following labels indicate where specific course readings can be located:
R = Reserves at SILS Library in Manning Hall
S = Course site in Sakai (https://sakai.unc.edu/), where copies of some readings are available (under Resources > Readings)
O = Online through UNC license. NOTE: Accessing these materials can require you either to use a computer with a UNC IP address (generally, a SILS or UNC Library computer) or visit the associated sites through a UNC proxy server. See: http://proxy.lib.unc.edu/setupinfo.html
W = Publicly accessible Web
S - Garfinkel, Simson. "Digital Forensics." American Scientist 101 (2013): 370-377.
W - Installing BitCurator as a Virtual Machine using VirtualBox. http://www.youtube.com/watch?v=DGrDLjFz6sI
W - Kirschenbaum, Matthew G., Richard Ovenden, and Gabriela Redwine. "Digital Forensics and Born-Digital Content in Cultural Heritage Collections." Washington, DC: Council on Library and Information Resources, 2010. http://www.clir.org/pubs/reports/pub149/pub149.pdf
R - Carrier, Brian. "Digital Investigation Foundations." In File System Forensic Analysis, 3-16. Boston, MA: Addison-Wesley, 2005.
S, R - Jones, Andy and Craig Valli. "An Introduction to Digital Forensics." In Building a Digital Forensic Laboratory: Establishing and Managing a Successful Facility, 6-18. Burlington, MA: Butterworth-Heinemann and Syngress Publishing, Inc., 2009.
W - Lee, Christopher A., Matthew Kirschenbaum, Alexandra Chassanoff, Porter Olsen, and Kam Woods. "BitCurator: Tools and Techniques for Digital Forensics in Collecting Institutions." D-Lib Magazine 18, No. 5/6 (May/June 2012). http://www.dlib.org/dlib/may12/lee/05lee.html
W - Ross, Seamus and Ann Gow. "Digital Archaeology: Rescuing Neglected and Damaged Data Resources." London: British Library, 1999. http://www.ukoln.ac.uk/services/elib/papers/supporting/pdf/p2.pdf
S, R - Carrier, Brian. "File System Analysis." In File System Forensic Analysis, 173-210. Boston, MA: Addison-Wesley, 2005.
S, R - Farmer, Dan, and Wietse Venema. "The Spirit of Forensic Discovery." In Forensic Discovery, 3-15. Upper Saddle River, NJ: Addison-Wesley, 2005.
R - Carrier, Brian. "FAT Concepts and Analysis" (211-252), "NTFS Concepts" (273-299), and "Ext2 and Ext3 Concepts and Analysis" (397-?). "File System Analysis." In File System Forensic Analysis, 173-210. Boston, MA: Addison-Wesley, 2005.
R - Farmer, Dan, and Wietse Venema. "File System Basics." In Forensic Discovery, 39-58. Upper Saddle River, NJ: Addison-Wesley, 2005. [focus is on Unix filesystems]
S - "FAT File System." In EnCase Computer Forensics I, 269-286. Pasadena, CA: Guidance Software, 2009.
S, R - Petzold, Charles. Code: The Hidden Language of Computer Hardware and Software. Redmond, WA: Microsoft Press, 1999. [Bytes and Hex (180-189)]
W - Friedl, Steve. "An Illustrated Guide to Cryptographic Hashes." 2005. http://www.unixwiz.net/techtips/iguide-crypto-hashes.html
W - "Magic Number Definition." Linux Information Project (LINFO). http://www.linfo.org/magic_number.html
S, R - Carrier, Brian. "Computer Foundations." In File System Forensic Analysis, 17-45. Boston, MA: Addison-Wesley, 2005.
W - "Use Guide for the FC5025 Floppy Disk Controller." Maryland Institute for Technology in the Humanities. http://mith.umd.edu/vintage-computers/fc5025-operation-instructions
S - White, Ron and Timothy Edward Downs. How Computers Work. 9th Edition. How It Works Series. Indianapolis, IN: Que, 2007. [Data Storage (158-75, 182-3, 186-7)]
W - BitCurator Quick Start Guide, v0.3.4 Last updated: September 8, 2013. http://wiki.bitcurator.net/downloads/BitCurator-Quickstart-v0.3.4.pdf
S, R - Jones, Keith J., Richard Bejtlich, and Curtis W. Rose. "Forensic Tool Analysis: An Introduction Using Linux for Analyzing Files of Unknown Origin" (301-343) and "An Introduction to Perl" (625-636). In Real Digital Forensics: Computer Security and Incident Response. Upper Saddle River, NJ: Addison-Wesley, 2006.
S, R - Nelson, Bill, Amelia Phillips, and Christopher Steuart. "Current Computer Forensics Tools." In Guide to Computer Forensics and Investigation, 260-284. Fourth Edition. Boston, MA: Cengage Learning, 2010.
LAB - create disk image and view disk image in two ways: 1) mount using MagicDisk and 2) view forensically with FTK Imager and BitCurator (TSK)
S, R - Jones, Keith J., Richard Bejtlich, and Curtis W. Rose. "Part 3: Acquiring a Forensic Duplication" ("Before you Jump Right In..." (163-169), "Commercial-Based Forensic Duplications" (171-185), and "Noncommercial-Based Forensic Duplications" (187-204)). In Real Digital Forensics: Computer Security and Incident Response. Upper Saddle River, NJ: Addison-Wesley, 2006.
W - Creating a Disk Image using Guymager in BitCurator. http://www.youtube.com/watch?v=MshOHXIPIUY
S, R - Nelson, Bill, Amelia Phillips, and Christopher Steuart. Guide to Computer Forensics and Investigation. Fourth Edition. Boston, MA: Cengage Learning, 2010. [Excerpt on write-settings in Windows (p. 106-109)]
R - Carrier, Brian. "Hard Disk Data Acquisition" (47-66), "Volume Analysis" (69-80), and "PC-Based Partitions" (81-110). In File System Forensic Analysis. Boston, MA: Addison-Wesley, 2005.
S - "EnCase Concepts." In EnCase Computer Forensics I, 45-47. Pasadena, CA: Guidance Software, 2009.
W - Garfinkel, Simson L. "AFF: A New Format for Storing Hard Drive Images." Communications of the ACM 49, no. 2 (2006): 85-87. http://simson.net/clips/academic/2006.CACM.AFF.pdf
S, R - Jones, Andy and Craig Valli. "Management of the Collection of Evidence." In Building a Digital Forensic Laboratory: Establishing and Managing a Successful Facility, 128-137. Burlington, MA: Butterworth-Heinemann and Syngress Publishing, Inc., 2009.
LAB - fiwalk and BitCurator reporting tools; exporting metadata using FTK
W - DFXML Tag Library 2013. http://www.bitcurator.net/2013/02/06/dfxml-tag-library/
W - Garfinkel, Simson. "Digital Forensics XML and the DFXML Toolset." Digital Investigation 8 (2012): 161-174.
S - Woods, Kam, Alexandra Chassanoff, and Christopher A. Lee. "Managing and Transforming Digital Forensics Metadata for Digital Collections." In Proceedings of iPRES 2013 (Forthcoming).
W - Woods, Kam, Christopher Lee, and Sunitha Misra. “Automated Analysis and Visualization of Disk Images and File Systems for Preservation.” In Proceedings of Archiving 2013 (Springfield, VA: Society for Imaging Science and Technology, 2013), 239-244.
LAB - Bulk Extractor and identify_file_names to generate annotated feature files
S, R - Farmer, Dan, and Wietse Venema. "The Persistence of Deleted File Information." In Forensic Discovery, 145-60. Upper Saddle River, NJ: Addison-Wesley, 2005.
W - Garfinkel, Simson. "Digital media triage with bulk data analysis and bulk_extractor." Computers and Security 32 (2013): 56-72. http://simson.net/clips/academic/2013.COSE.bulk_extractor.pdf
W - Garfinkel, Simson L. and Abhi Shelat. "Remembrance of Data Passed: A Study of Disk Sanitization Practices." IEEE Security and Privacy 1 (2003): 17-27. http://www.myoops.org/twocw/harvard/distribution/lectures/8/articles8.pdf
W - Locating Personally Identifiable Information with bulk_extractor. http://www.youtube.com/watch?v=coDc9lxxMak
W - "Bulk Extractor." Forensics Wiki. http://www.forensicswiki.org/wiki/Bulk_extractor
W - Garfinkel, Simson L. "Forensic Feature Extraction and Cross-Drive Analysis." Digital Investigation 3S (2006): S71-81. http://simson.net/clips/academic/2006.DFRWS.pdf [See especially: Sections 1-3, p.S71-75]
W - Garfinkel, Simson L. "Using bulk_extractor for digital forensics triage and cross-drive analysis." Tutorial at Digital Forensics Research Workshop. August 8th, 2012. http://simson.net/ref/2012/2012-08-08%20bulk_extractor%20Tutorial.pdf [Very detailed (130 slides)]
LAB - exiftool, FITS, DROID, JHOVE, file (Unix command)
W - Garfinkel, Simson L. and James Migletz. "New XML Office Document Files: Implications for Forensics." IEEE Security and Privacy (March/April 2009): 38-44. http://simson.net/clips/academic/2009.IEEE.DOCX.pdf
W - Banerjee, Kyle and Maija Anderson. "Batch metadata assignment to archival photograph collections using facial recognition software." Code4Lib Journal 21 (2013). http://journal.code4lib.org/articles/8486
S, R - Nelson, Bill, Amelia Phillips, and Christopher Steuart. "E-Mail Investigations." In Guide to Computer Forensics and Investigation, 452-487. Fourth Edition. Boston, MA: Cengage Learning, 2010.
S, R - Nelson, Bill, Amelia Phillips, and Christopher Steuart. "Recovering Graphics Files." In Guide to Computer Forensics and Investigation, 382-415. Fourth Edition. Boston, MA: Cengage Learning, 2010.
W - Farid, Hany. "Digital Image Forensics." Dartmouth College. http://cs.darthmouth.edu/farid/downloads/tutorials/digitalimageforensics.pdf
O - Memon, Nasir D. and Husrev T. Sencar, ed. Digital Image Forensics: There Is More to a Picture Than Meets the Eye. New York, NY: Springer, 2013. http://search.lib.unc.edu/search?R=UNCb7233136.
Migletz, James J. "Automated Metadata Extraction." Master's Thesis, Naval Postgraduate School, 2008.
W - Schroader, Amber. Paraben Corporation. http://www.techsec.com/pdf/Monday/Amber%20Schroader%20-%20E-Mail%20Forensics.pdf
S, R - Pittman, Ryan D. and Dave Shaver. "Windows Forensic Analysis." In Handbook of Digital Forensics and Investigation, edited by Eoghan Casey, 209-300. Boston: Academic, 2010.
S, R - Jones, Keith J., Richard Bejtlich, and Curtis W. Rose. "Microsoft Windows Registry Reconstruction." In Real Digital Forensics: Computer Security and Incident Response, 291-299. Upper Saddle River, NJ: Addison-Wesley, 2006.
S, R - Kokocinski, Anthony. "Macintosh Forensic Analysis." In Handbook of Digital Forensics and Investigation, edited by Eoghan Casey, 353-382. Boston: Academic, 2010.
S, R - Nelson, Bill, Amelia Phillips, and Christopher Steuart. "Understanding the Windows Registry." In Guide to Computer Forensics and Investigation, 230-237. Fourth Edition. Boston, MA: Cengage Learning, 2010.
W - Garfinkel, Simson and David Cox. "Finding and Archiving the Internet Footprint." In First Digital Lives Research Conference: Personal Digital Archives for the 21st Century. London, UK, 2009. http://simson.net/clips/academic/2009.BL.InternetFootprint.pdf
O - Gessiou, E., Volanis, S., Athanasopoulos, E., Markatos, E.P., Ioannidis, S. "Digging Up Social Structures from Documents on the Web." In Proceedings of the Global Communications Conference (GLOBECOM). IEEE, 2012: 744-750. http://dx.doi.org/10.1109/GLOCOM.2012.6503202
S, R - Jones, Keith J., Richard Bejtlich, and Curtis W. Rose. "Web Browsing Activity Reconstruction" (247-271) and "E-Mail Activity Reconstruction" (273-289). In Real Digital Forensics: Computer Security and Incident Response. Upper Saddle River, NJ: Addison-Wesley, 2006.
W - "Facebook Forensics." Valkyrie-X Security Research Group, July 5, 2011. http://www.fbiic.gov/public/2011/jul/facebook_forensics-finalized.pdf
W - AIMS Work Group, “AIMS Born-Digital Collections: An Inter-Institutional Model for Stewardship,” January 2012. http://www2.lib.virginia.edu/aims/whitepaper/AIMS_final.pdf
W - Erway, Ricky. "Swatting the Long Tail of Digital Media: A Call for Collaboration." Dublin, OH: OCLC Research, 2012. http://www.oclc.org/content/dam/research/publications/library/2012/2012-08.pdf
W - Gengenbach, Martin J. “'The Way We Do it Here': Mapping Digital Forensics Workflows in Collecting Institutions.” A Master’s Paper for the M.S. in L.S. degree. August, 2012. http://digitalcurationexchange.org/system/files/gengenbach-forensic-workflows-2012.pdf
S, R - Jones, Andy and Craig Valli. "Workload Management and the Outsourcing Option." In Building a Digital Forensic Laboratory: Establishing and Managing a Successful Facility, 220-232. Burlington, MA: Butterworth-Heinemann and Syngress, 2009.
W - Kirschenbaum, Matthew G., Erika L. Farr, Kari M. Kraus, Naomi Nelson, Catherine Stollar Peters, Gabriela Redwine and Doug Reside. "Digital Materiality: Preserving Access to Computers as Complete Environments." In Proceedings of the Sixth International Conference on Digital Preservation (iPRES), San Francisco, California, October 5-6, 2009, 105-112: California Digital Library, 2009. http://escholarship.org/uc/item/7d3465vg
W - Gumshoe Jr. Created by Don Mennerich at the New York Public Library. http://electronicrecords.net:8080 (Login = guest/password) [Visit the site, navigate, search, and bring your observations to class. Would you want to use this? How would you want to improve it?]
W - Woods, Kam and Geoffrey Brown. "From Imaging to Access - Effective Preservation of Legacy Removable Media." In Archiving 2009: Preservation Strategies and Imaging Technologies for Cultural Heritage Institutions and Memory Organizations: Final Program and Proceedings, 213-218. Springfield, VA: Society for Imaging Science and Technology, 2009. http://www.digpres.com/publications/woodsbrownarch09.pdf
W - Forstrom, Michael, Nancy Kuhl, Susan Thomas, Jeremy Leighton John, Megan Barnard, Gabriela Redwine, Kate Donovan, Erika Farr, Will Hansen, Seth Shaw. Born Digital: Guidance for Donors, Dealers, and Archival Repositories. 2013. http://mediacommons.futureofthebook.org/mcpress/borndigital/
W - Hilton, Christopher, Dave Thompson, and Natalie Walters. "Trust Me, I'm an Archivist: Experiences with Digital Donors." Ariadne 65 (2010). http://www.ariadne.ac.uk/issue65/hilton-et-al/
W - Lee, Christopher A. "Computer-Supported Elicitation of Curatorial Intent." In Dagstuhl Seminar Proceedings 10291, Automation in Digital Preservation, edited by Andreas Rauber, Jean-Pierre Chanod, Seamus Ross, and Milena Dobreva. 2010. http://www.dagstuhl.de/Materials/Files/10/10291/10291.LeeCal.Paper.pdf
S - Nelson, Naomi L., et al. "Gift/Purchase Agreements." In Managing Born-Digital Special Collections and Archival Materials, 122-126. SPEC Kit 329. Washington, DC: Association of Research Libraries, 2012. [Includes three short documents: donor agreements and policies from Duke University, Bentley Historical Library, and Beinecke Rare Book and Manuscript Library]
W - Pyatt, Timothy D. "Deed of Gift Addenda for Collections with Electronic Records." Pennsylvania State University. 2012. https://scholarsphere.psu.edu/files/0k225b067
W - Bell, Graeme B. and Richard Boddington. "Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Recovery?" Journal of Digital Forensics, Security and Law 5, no. 3 (2010). http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf
S, R - Doherty, Eamon P. "The Cell Phone." In Digital Forensics for Handheld Devices, 1-40. Boca Raton, FL: CRC Press, 2013.
W - Garfinkel, Simson L. "Digital forensics research: The next 10 years." Digital Investigation 7 (2010): S64-73. http://dfrws.org/2010/proceedings/2010-308.pdf
S, R - Nelson, Bill, Amelia Phillips, and Christopher Steuart. "Cell Phone and Mobile Device Forensics." In Guide to Computer Forensics and Investigation, 496-509. Fourth Edition. Boston, MA: Cengage Learning, 2010.