Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  1. Open VirtualBox; the Oracle VM VirtualBox Manager window will open, showing all available instances of BitCurator in the left column
  2. Create a shared directory folder for your session's work (disk image and associated files, to be available both to the host machine and the virtual machine): go to Settings, then Shared Folders; if there isn't already one to use for this purpose, create a new folder by clicking on the small green plus-folder icon and choosing a location/path for it (select "auto-mount" but NOT "read-only")
  3. Select a version (usually the most recent) of BitCurator (if there is more than one) and open it
  4. As BitCurator opens (it takes a few moments and will show a black screen until it loads), it may display messages about "mouse pointer integration" and "auto capture keyboard" that can be ignored or closed
  5. On the resulting BC desktop, go to Imaging and Recovery: open Guymager
  6. Insert disk into disk drive; an icon for it should appear on the left bar of the Ubuntu desktop (it may take a few moments to recognize the media)
  7. In the resulting Guymager list of devices, select the disk (use size as an identifying feature), right click on it to "Acquire Image"
  8. Fill out the resulting form with metadata (this detail can be edited later in the .info file):
    1. increase "split" size by choosing larger unit (to avoid splitting of image)
    2. choose Expert Witness Format
    3. "case number" convention as assigned above
    4. "evidence number" convention as assigned above
    5. examiner (staff member) name
    6. description: of the disk (should match step #2a above)
    7. notes: about the process (e.g., retake, special conditions)
    8. Destination: should be the shared directory created above
    9. Image file name and info filename: should be the same as evidence number, and info filename auto-fills as you type in image filename
    10. Hash calculation/verification: select all
  9.  Click Start: list will show state of disk as "running", then "verifying", then "finished – verified & ok" (this typically takes about 2 minutes but can take significantly longer if bad sectors are present; after 3 minutes or 20 bad sectors, right click to abort process)
  10. Close Guymager
  11. Right click on disk icon (if one appeared) to safely remove disk, then remove it from disk drive, then unplug USB disk drive

Forensic reporting [this section is under development and only addresses a portion of BitCurator's reporting ability]

  1.  Go to the Forensic and Reporting folder, select BitCurator Reporting Tool, and launch BEViewer
  2.  From the Tools menu item, select Run Bulk Extractor
  3.  Fill in form to point to created disk image
  4.  Create output feature folder named "BEoutput" within disk image directory
  5.  Click "Submit run"; when done, close
  6.  Look at files if desired, then close Bulk Extractor Viewer
  7.  Return to BitCurator reporting tools, use "run all" tab
  8.  Fill in the form: point to image file, select BEoutput folder
  9.  Make new folder in output directory called BitCuratorReports
  10. 10.  Then "Save" (NOT "create folder"), then "run"
  11. 11.  Close.

 Go to desktop and navigate to reports to view