
Versions on machine as of 11/29/2017:

  • BitCurator 1.8.12
  • VirtualBox 5.2.2

Preparation

  1. Take a photograph of all sides of the disk that carry information; file these photos with the files that will be created below in a folder devoted to the single disk.
  2. Make a log entry in the tracking document (Excel or other):
    1. Jot down distinguishing characteristics of the disk before beginning (e.g., color, title, dates, etc.)
    2. Check the disk for write protection (the single tab, or both tabs, should be open to prevent writing)
    3. Affix removable ID label to disk using naming convention*
    4. Be sure the computer is not plugged into a network jack
    5. Be sure the disk drive is plugged into the computer

Disk imaging

  1. Open VirtualBox; the Oracle VM VirtualBox Manager window will open, showing all available instances of BitCurator in the left column
  2. Create a shared directory folder for your session's work (disk image and associated files, to be available both to the host machine and the virtual machine): go to Settings, then Shared Folders; if there isn't already one to use for this purpose, create a new folder by clicking on the small green plus-folder icon and choosing a location/path for it (select "auto-mount" but NOT "read-only")
  3. Select a version (usually the most recent) of BitCurator (if there is more than one) and open it
  4. As BitCurator opens (it takes a few moments and will show a black screen until it loads), it may display messages about "mouse pointer integration" and "auto capture keyboard" that can be ignored or closed
  5. On the resulting BC desktop, go to Imaging and Recovery: open Guymager
  6. Insert disk into disk drive; an icon for it should appear on the left bar of the Ubuntu desktop (it may take a few moments to recognize the media)
  7. In the resulting Guymager list of devices, select the disk (use size as an identifying feature), then right-click on it and choose "Acquire Image"
  8. Fill out the resulting form with metadata (this detail can be edited later in the .info file):
    1. increase "split" size by choosing larger unit (to avoid splitting of image)
    2. choose Expert Witness Format
    3. "case number" convention as assigned above
    4. "evidence number" convention as assigned above
    5. examiner (staff member) name
    6. description: describe the disk (should match the characteristics logged in Preparation step 2.1 above)
    7. notes: about the process (e.g., retake, special conditions)
    8. Destination: should be the shared directory created above
    9. Image file name and info filename: should be the same as evidence number, and info filename auto-fills as you type in image filename
    10. Hash calculation/verification: select all
  9.  Click Start: list will show state of disk as "running", then "verifying", then "finished – verified & ok" (this typically takes about 2 minutes but can take significantly longer if bad sectors are present; after 3 minutes or 20 bad sectors, right click to abort process)
  10. Close Guymager
  11. Right click on disk icon (if one appeared) to safely remove disk, then remove it from disk drive, then unplug USB disk drive

Forensic reporting [this section is under development and only addresses a portion of BitCurator's reporting ability]

  1.  Go to the Forensic and Reporting folder, select BitCurator Reporting Tool, and launch BEViewer
  2.  From the Tools menu item, select Run Bulk Extractor
  3.  Fill in form to point to created disk image
  4.  Create output feature folder named "BEoutput" within disk image directory
  5.  Click "Submit run"; when done, close
  6.  Look at files if desired, then close Bulk Extractor Viewer
  7.  Return to BitCurator reporting tools, use "run all" tab
  8.  Fill in the form: point to image file, select BEoutput folder
  9.  Make new folder in output directory called BitCuratorReports
  10.  Click "Save" (NOT "create folder"), then "run"
  11.  Close.

Go to the desktop and navigate to the reports to view them.
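
Added example (not part of the original procedure or of BitCurator): the shared folder above is mounted read-write on both the host and the virtual machine, so a SHA-256 manifest of the per-disk folder, written once the reports exist, lets later copies be checked for missing, added or changed files. The manifest file name is an assumption, and the hashes cover the files as stored, so they complement rather than replace the acquisition hashes Guymager records in the .info file.

```python
import hashlib
import json
from pathlib import Path

MANIFEST = "fixity-manifest.json"  # assumed name, not a BitCurator convention


def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a large disk image never sits fully in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(folder):
    """Map each file's relative path to its SHA-256, skipping the manifest."""
    root = Path(folder)
    entries = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel != MANIFEST:
            entries[rel] = sha256_file(path)
    return entries


def write_manifest(folder):
    """Record the folder's state; run after the reports have been generated."""
    entries = snapshot(folder)
    text = json.dumps(entries, indent=2, sort_keys=True)
    (Path(folder) / MANIFEST).write_text(text)
    return entries


def verify_manifest(folder):
    """Report files that are missing, added or changed since the manifest."""
    recorded = json.loads((Path(folder) / MANIFEST).read_text())
    current = snapshot(folder)
    shared = recorded.keys() & current.keys()
    return {
        "missing": sorted(recorded.keys() - current.keys()),
        "added": sorted(current.keys() - recorded.keys()),
        "changed": sorted(k for k in shared if recorded[k] != current[k]),
    }
```

Call write_manifest(folder) once on the finished per-disk folder, then verify_manifest(folder) after each copy or before later use; three empty lists mean the folder is unchanged.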
