Versions on machine as of 11/29/2017:
- BitCurator 1.8.12
- VirtualBox 5.2.2
Preparation
- Take a photograph of all sides of the disk that carry information; file these photos with the files that will be created below in a folder devoted to the single disk.
- Make log entry in tracking document (Excel or other):
  - Jot down distinguishing characteristics of disk before beginning (e.g., color, title, dates, etc.)
- Check disk for write protection (the single or both tabs should be open to prevent writing)
- Affix removable ID label to disk using naming convention*
- Be sure the computer is not plugged into a network jack
- Be sure the disk drive is plugged into the computer
Disk imaging
- Open VirtualBox; the Oracle VM VirtualBox Manager window will open, showing all available instances of BitCurator in the left column
- Create a shared directory folder for your session's work (disk image and associated files, to be available both to the host machine and the virtual machine): go to Settings, then Shared Folders; if there isn't already one to use for this purpose, create a new folder by clicking on the small green plus-folder icon and choosing a location/path for it (select "auto-mount" but NOT "read-only")
- Select a version (usually the most recent) of BitCurator (if there is more than one) and open it
- As BitCurator opens (it takes a few moments and will show a black screen until it loads), it may display messages about "mouse pointer integration" and "auto capture keyboard" that can be ignored or closed
- On the resulting BC desktop, go to Imaging and Recovery: open Guymager
- Insert disk into disk drive; an icon for it should appear on the left bar of the Ubuntu desktop (it may take a few moments to recognize the media)
- In the resulting Guymager list of devices, select the disk (use size as an identifying feature), right click on it to "Acquire Image"
- Fill out the resulting form with metadata (this detail can be edited later in the .info file):
  - increase "split" size by choosing larger unit (to avoid splitting of image)
  - choose Expert Witness Format
  - "case number" convention as assigned above
  - "evidence number" convention as assigned above
  - examiner (staff member) name
  - description: of the disk (should match step #2a above)
  - notes: about the process (e.g., retake, special conditions)
  - Destination: should be the shared directory created above
  - Image file name and info filename: should be the same as evidence number, and info filename auto-fills as you type in image filename
  - Hash calculation/verification: select all
- Click Start: list will show state of disk as "running", then "verifying", then "finished – verified & ok" (this typically takes about 2 minutes but can take significantly longer if bad sectors are present; after 3 minutes or 20 bad sectors, right click to abort process)
- Close Guymager
- Right click on disk icon (if one appeared) to safely remove disk, then remove it from disk drive, then unplug USB disk drive
Forensic reporting [this section is under development and only addresses a portion of BitCurator's reporting ability]
- Go to the Forensic and Reporting folder, select BitCurator Reporting Tool, and launch BEViewer
- From the Tools menu item, select Run Bulk Extractor
- Fill in form to point to created disk image
- Create output feature folder named "BEoutput" within disk image directory
- Click "Submit run"; when done, close
- Look at files if desired, then close Bulk Extractor Viewer
- Return to BitCurator reporting tools, use "run all" tab
- Fill in the form: point to image file, select BEoutput folder
- Make new folder in output directory called BitCuratorReports
- Then "Save" (NOT "create folder"), then "run"
- Close.
- Go to the desktop and navigate to the reports to view them
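
Added example (not part of the original procedure or of BitCurator): a Python check to run on a disk's folder once the steps above are done. It confirms the image and .info file exist under the evidence number, flags an image that was split into extra segments, and records SHA-256 values so later changes to the folder can be detected. The function names, the .E01 segment naming, and the assumption that BEoutput and BitCuratorReports both sit beside the image are assumptions of this example.

```python
import hashlib
from pathlib import Path

def sha256_file(path):
    """Hash a file in 1 MiB chunks so large images are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(folder):
    """Map each file's path (relative to folder) to its SHA-256."""
    folder = Path(folder)
    return {p.relative_to(folder).as_posix(): sha256_file(p)
            for p in sorted(folder.rglob("*")) if p.is_file()}

def check_session(folder, evidence_number):
    """Return (problems, manifest) for one disk's folder."""
    folder = Path(folder)
    problems = []
    for name in (f"{evidence_number}.E01", f"{evidence_number}.info"):
        if not (folder / name).is_file():
            problems.append(f"missing file: {name}")
    # A second segment (.E02 onward) means the split size was set too small.
    segments = sorted(p.name for p in folder.glob(f"{evidence_number}.E[0-9][0-9]"))
    if len(segments) > 1:
        problems.append(f"image was split: {', '.join(segments)}")
    # Assumed location: both report folders sit beside the image.
    for sub in ("BEoutput", "BitCuratorReports"):
        if not (folder / sub).is_dir():
            problems.append(f"missing folder: {sub}")
    return problems, build_manifest(folder)

def changed_files(folder, manifest):
    """List files added, removed or altered since the manifest was taken."""
    current = build_manifest(folder)
    return sorted(n for n in manifest.keys() | current.keys()
                  if manifest.get(n) != current.get(n))

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample folder
        (Path(tmp) / "DISK001.E01").write_bytes(b"constructed image bytes")
        (Path(tmp) / "DISK001.info").write_text("constructed info file")
        print(check_session(tmp, "DISK001")[0])
```

Save the returned manifest with the tracking document; running changed_files against it later shows any file that was added, removed or modified.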