Born-digital Processing
FTK Analysis and File Export
(A) Logging into FRED and Mapping Network Drives
- Go to This PC and click Map Network Drive on the ribbon menu
- For Drive choose N: from the drop down menu
- For Folder enter the following exactly: \\research.files.med.harvard.edu\countway
- Click Finish
- You may be prompted to enter your own eCommons login again - if so, please do.
(B) Add Additional Subfolders to E_Proc
Create a folder structure for the FTK analysis and documentation. In N:\E_Proc, in the appropriate creator folder you created during the disk imaging process, create a folder under the Documentation folder entitled: _FTK_Metadata_All_Images
NOTE: No metadata from the 1st Pass will be retained.
(C) FTK: Logging in and Creating New Case
- Double-click on FTK 6.0 shortcut on desktop
NOTE: If you receive an error message, reboot the FRED. The database should then be accessible.
- A pop-up window labeled Please Authenticate will appear – enter the following information:
- User Name: DbAdmin
- Password: Obsolete2016
- Create a new case within FTK:
- Go to Case > New
- Fill out the New Case Options pop-up box:
- Case Name = creator name (e.g. Folkman, M. Judah; HMS Office of the Dean)
- If this is an accrual to a collection, append the accession number to the creator name (e.g. Folkman, M. Judah_Acc. 2017-001)
- Reference = collection number or series number
- Description
- Specify if all images from a collection are being added or if it’s a selection, or if it’s just an accrual
- Enter examiner’s name (e.g. All images from H MS c365 added to case. Examiner: Kerr, Meghan)
- Description File = skip
- Case Folder Directory = defaults to E:\Cases, which is the correct location. FTK will create a subfolder under Cases on the E: Drive (labeled Data) that is labeled the same name you gave in the Case Name field. All metadata, analyses, file exports, and case reports are saved in the case folder on the E: drive.
- Database Location = skip
- Processing Options > User Templates = defaults to CHoM: 1st Pass.
- Click Create
- Uncheck dtSearch
- Uncheck Registry Reports
- Click OK
- Now the User Templates will say Custom
- Case Name = creator name (e.g. Folkman, M. Judah; HMS Office of the Dean)
- Click OK
(D) Adding Evidence to Case
- Window will pop up labeled Manage Evidence
- Click Add > Acquired Image(s) > OK
- Navigate to where the collections’ disk images are saved and select the images, then click Open
NOTE: If you end up with a .cue file in addition to the .iso file, choose only the .cue file. FTK will know to pull the rest of the files.
- ID/Name: enter the collection or series number
- Description: skip
- Click OK
A window labeled Data Processing Status: 6.0.0.52 will appear showing status of evidence being added to the case.
The process of adding evidence will be completed when in the pop-up window it says: Process State: Finished. When processing has completed, click Close.
Note: Based on testing, it took roughly 11 minutes for 14 disk images consisting of about 12GB of data to be added to a case. If, on the Second Pass, every disk image you are adding shows (Processed) next to it but Process State does not say Finished, and the time it originally took to complete the First Pass has been surpassed, exit out of the Add Evidence window – you should still be able to proceed with the analysis.
WARNING: Once you add evidence to the case, do not change any of the folder names in the hierarchy where you are pulling the images from. If you change any folder names after you've added evidence to the case, the file path will be altered and FTK will not recognize the new file path.
(E) First Pass File Examination – Things to Check
- Explicit Images Review
- Go to Filter in the task bar and from the drop down menu, select Explicit images folder (high score).
- If FTK has flagged any files as explicit, review the contents of these files to determine whether or not they need to be acted upon.
- After reviewing the high score folder, next select from the same drop down menu Explicit images folder (medium score). Review the files as you did in the previous step.
- If after reviewing the flagged files it is deemed that they are not to be further acted upon, create a Readme file labeled Readme_Explicit_File_Review in Documentation > _FTK_Metadata_All_Images explaining that after reviewing the contents of the files FTK flagged as explicit, the files are not considered explicit and why.
- If explicit files are discovered, contact your supervisor.
- Encrypted Files
- Go to Filter in the task bar and from the drop down menu, navigate to Encrypted Files
- Scroll down to Encrypted Files and see if the FTK flagged any files as being encrypted.
- Determine whether or not these files have been deleted. If so, they will need to be decrypted using PRTK. [Need to add PRTK instructions and that a lot of executable files and programming files come up as encrypted]
- If the encrypted files have not been deleted, do not decrypt them until the 2nd Pass.
(F) Deleting a Case after Completing 1st Pass
After you have reviewed the evidence to make sure there are no encrypted files or explicit images, go back and delete the case from the database:
- From the main FTK screen, Right Click on the case > Select Delete > Click Yes
- A Warning screen will then appear – click Yes
If you receive an error message saying you need to manually delete the case:
- Go to E: drive > Cases > [case name] and delete the case manually
- Navigate to Recycle Bin on FRED desktop, and permanently delete the case here as well.
(G) Running 2nd Pass
Next, re-run the same case, but this time using the CHoM: 2nd Pass processing profile:
- Create a new case within FTK:
- Go to Case > New
- Fill out the New Case Options pop-up box:
- Case Name = creator name (e.g. Folkman, M. Judah; HMS Office of the Dean)
- Reference = collection number or series number
- Description = specify if all images from a collection are being added or if it’s a selection, or if it’s just an accrual. Also enter examiner’s name. (e.g. All images from H MS c365 added to case. Examiner: Kerr, Meghan)
- Description File = skip
- Case Folder Directory = defaults to E:\Cases, which is the correct location. FTK will create a subfolder under Cases on the E: Drive (labeled Data) that is labeled the same name you gave in the Case Name field. All metadata, analyses, file exports, and case reports are saved in the case folder on the E: drive.
- Database Location = skip
- Processing Options > User Templates
- The template defaults to CHoM: 1st Pass. In the drop-down menu, choose CHoM: 2nd Pass
- Click Create
- Uncheck dtSearch
- Uncheck Registry Reports
- Uncheck Explicit Images Detection only if NO explicit images were detected in the 1st Pass. Otherwise, keep checked.
- Click OK
- Now the User Templates will say Custom
- Click OK
NOTE: Explicit Images Detection is included in the 2nd Pass Profile even if the content found has been reviewed and not deemed inappropriate. Including it in the 2nd Pass makes it easier for the processor to bookmark or label these files as restricted.
- Adding Evidence to Case
- Window will pop up labeled Manage Evidence
- Click Add > Acquired Image(s) > OK
- Navigate to where the collections’ disk images are saved and select the images, then click Open
NOTE: If you end up with a .cue file in addition to the .iso file, choose only the .cue file. FTK will know to pull the rest of the files.
- ID/Name: enter the collection or series number
- Description: skip
- Click OK
WARNING: Once you add evidence to the case, do not change any of the folder names in the hierarchy where you are pulling the images from. If you change any folder names after you've added evidence to the case, the file path will be altered and FTK will not recognize the new file path.
(H) 2nd Pass Metadata to Save to _FTK_Metadata_All_Images
Only certain automatically generated metadata files will be saved to the _FTK_Metadata_All_Images folder you created earlier in the process.
- Go to Computer > Data (E:) > Cases > [case name]
- Copy and paste the following files into the _FTK_Metadata_All_Images folder:
- The first Excel file in the long list of Excel files at top level. File name begins with FileListing which is followed by the date and a series of numbers and letters: e.g. FileListing_2017-02-01….
- Go to Jobs > AE
- Open the first folder. Copy and paste the following file: JobInformation.log
- The first Excel file in the long list of Excel files at top level. File name begins with FileListing which is followed by the date and a series of numbers and letters: e.g. FileListing_2017-02-01….
(I) 2nd Pass: Exporting Files
- Click Explore tab so you see all of the disk images in the case
- You will need to export files from each disk image individually.
- Navigate to the first disk image and click + sign next to disk image
- Navigate to 2nd highest level in the hierarchy – e.g. highest level is 161.aff, therefore NONAME [FAT12] would be the 2nd level.
NOTE: If you end up with multiple file systems (in the case of CDs), navigate to Joliet and only export files from this file system.
- Right-click the 2nd highest level in the hierarchy and click Export
- An Export window will appear, select the following:
- Append extension to filename if bad/absent
- Export children
- Preserve Folder Hierarchy
- Exclude slack space children files
- Create manifest files
- Include original path
- Items to Include
- All Highlighted
- Destination base path: N:\E_Proc\[creator or office name]\UseCopies\[image folder]
- Click Ok
- In addition to the extracted files, FTK will also create a text file containing export errors. This text file will be located in the main N: drive electronic records folder for that collection.
- For example: N:\E_Proc\FolkmanJudah
- The file will be labeled: FTKExportSummary.[case name]_Export
- Review the contents of FTKExportSummary.[case name]_Export to determine whether or not it should be retained.
- Delete the file if it contains only the following types of common errors:
- Object type (File System) is invalid for export
- ([unallocated space]) Error getting stream
- (ObjectPool) Error getting stream
- Save the file to that image’s Documentation folder if it contains errors related to actual files.
- After exporting all of the files in the case, right click on the UseCopies folder and select Scan with ESET Endpoint Antivirus
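The retain-or-delete decision for FTKExportSummary.[case name]_Export above can be checked mechanically. This is an added helper, not part of the procedure or of FTK; it assumes each error in the summary sits on its own line containing the word error, invalid or fail, and the sample lines are constructed, not real FTK output.

```python
"""Triage an FTK export summary: delete it if it holds only routine errors, keep it otherwise."""
import re
from pathlib import Path

# The three error types the procedure treats as routine noise.
BENIGN_PATTERNS = (
    re.compile(r"Object type \(File System\) is invalid for export"),
    re.compile(r"\(\[unallocated space\]\) Error getting stream"),
    re.compile(r"\(ObjectPool\) Error getting stream"),
)
# Assumption: every error line contains one of these words; other lines are informational.
ERROR_WORDS = re.compile(r"\b(error|invalid|fail(ed|ure)?)\b", re.IGNORECASE)


def classify_export_summary(text):
    """Split the summary into routine errors and errors that touch actual files.

    Returns (retain, benign_lines, real_lines). retain is True when at least one
    error line is not one of the three routine types, meaning the file should be
    saved to the image's Documentation folder rather than deleted.
    """
    benign, real = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or not ERROR_WORDS.search(line):
            continue  # blank or informational line, not an error
        if any(p.search(line) for p in BENIGN_PATTERNS):
            benign.append(line)
        else:
            real.append(line)
    return bool(real), benign, real


def triage_export_summary(path):
    """Read an FTKExportSummary file from disk and return the classification."""
    return classify_export_summary(Path(path).read_text(encoding="utf-8", errors="replace"))


# Constructed sample lines (layout assumed; not captured from FTK).
SAMPLE_ROUTINE = """\
Export summary for case Folkman, M. Judah (constructed sample)
161.aff: Object type (File System) is invalid for export
161.aff/NONAME [FAT12]/([unallocated space]) Error getting stream
161.aff/NONAME [FAT12]/LETTER.DOC/(ObjectPool) Error getting stream
Exported 42 items
"""
# One extra line naming a real file: this summary must be retained.
SAMPLE_REAL = SAMPLE_ROUTINE + "161.aff/NONAME [FAT12]/GRANT94.DOC: Error getting stream\n"

if __name__ == "__main__":
    for name, sample in (("routine", SAMPLE_ROUTINE), ("real", SAMPLE_REAL)):
        retain, benign, real = classify_export_summary(sample)
        print(f"{name}: retain={retain}, routine errors={len(benign)}, real file errors={real}")
```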
(J) IMPORTANT
- DO NOT delete the 2nd Pass case until you have consulted with the CSA
- ONLY copy and paste the file EvidenceHistory.log into _FTK_Metadata_All_Images if you have fully processed the case and are going to delete the 2nd Pass case.
- FAT32 *
- NTFS
- exFAT
* One drawback of FAT32 is that it is more limited in terms of maximum size (Single file < 4 GB; single volume < 8 TB). For this reason, you should compare the total size of files within the FAT32 folder and the NTFS folders (just by checking Properties); if the NTFS is greater, then keep both FAT32 and NTFS in the RefCopies folder.
- Joliet
- UDF (Universal Disk Format)
- ISO
Surveying digital files:
After imaging and extracting the contents, the processor should try to open at least one file from every file format present. If the media only contains one file type, for example Microsoft Word documents, sample several. View the files in QuickView, or if they contain video, in FTK. Try to get an idea if the files are correspondence, research data, manuscripts, notes, etc., as well as a date range and any potentially restricted information. Add further guidance following restriction screening recommendations. Add guidance on using FTK tools for high-level analysis, file manifests, folder directories, etc.
How to label and arrange documentation and use copies on N drive
Insert guidance - clearing digital detritus/system files/unnecessary parent folders, when and how to add series-level folders, do we always keep the e-media labeled folder? etc. (Sedg)
E-media: now what?
For media you successfully imaged but determined to be blank (or to contain only "unallocated space" or system files), please discard and delete the corresponding images and use-copies:
- Note the type and number of pieces of blank media to be discarded in the latest version of your processing plan, and include a similar statement in the finding aid Processing Note.
- Note that the media was discarded in the E-media log.
- Discard media by using the secure data shredding bin on the 2nd floor in the Access Services area.
- Note the type and number of pieces of media you were unable to image in the latest version of your processing plan, and include a similar statement in the finding aid Processing Note.
- Also note the media that failed to image in the e-media log.
- Do not count the "digital space" on the media towards the final collection digital extent.
- Do not list the unimaged disks in the finding aid inventory.