
Computer Forensics and Cultural Heritage

Computer Forensics and Cultural Heritage. Matthew Kirschenbaum University of Maryland. sponsored by the Andrew W. Mellon Foundation.


Presentation Transcript


  1. Computer Forensics and Cultural Heritage Matthew Kirschenbaum University of Maryland

  2. sponsored by the Andrew W. Mellon Foundation

  3. “Despite its origins in law enforcement, security and other areas seemingly far removed from the cultural heritage sector, we saw an amazing degree of convergence between the professional forensics community and attendees charged with the stewardship of born digital materials from arts, humanities, and personal archives.”
     Seamus Ross, Luciana Duranti, Stephen Enniss, Cal Lee, Brad Glisson, Patricia Galloway, Susan Thomas, Peter Hornsby, Michael Olson, Jeremy Leighton John, Simson Garfinkel, Barbara Guttman, Leo Scanlon, Leslie Johnston, Amy Friedlander, Cliff Lynch

  4. sponsored by the Andrew W. Mellon Foundation

  5. Authors
     • Matthew Kirschenbaum: Associate Professor of English and Associate Director, Maryland Institute for Technology in the Humanities, University of Maryland
     • Richard Ovenden: Associate Director, Bodleian Library, Oxford
     • Gabriela Redwine: Archivist and Electronic Records Specialist, Harry Ransom Center, The University of Texas at Austin
     • Rachel Donahue (Research Assistance): Doctoral Candidate, University of Maryland College of Information Studies

  6. Consultants
     • Luciana Duranti: Professor, School of Library, Archival and Information Studies, University of British Columbia
     • Bradley Glisson: Director and Lecturer, Computer Forensics and e-Discovery, Humanities Advanced Technology and Information Institute, University of Glasgow
     • Cal Lee: Assistant Professor, School of Information and Library Science, University of North Carolina, Chapel Hill
     • Rob Maxwell: Lead Incident Handler, Office of Information Technology and Founder, Digital Forensic Lab, University of Maryland
     • Doug Reside: Associate Director, Maryland Institute for Technology in the Humanities
     • Susan Thomas: Digital Archivist, Bodleian Library, Oxford

  7. Timeline
     • Proposed to Mellon early 2009
     • Funded July 2009
     • Research and Writing through April 2010
     • Symposium May 2010
     • Revisions June-August 2010
     • Submission to CLIR August 2010
     • Publication late 2010

  8. Audience
     • Archives and Cultural Heritage Professionals (Manuscript Repositories)
     • Technical Forensics Community
     • Textual Scholars
     • Funders
     • Donors

  9. Purpose(s)
     • Introduce Computer Forensics to Cultural Heritage Community
     • Identify Points of Convergence
     • Create Basis for Further Contact and Collaboration

  10. Table of Contents
     • Introduction
     • Purpose and Audience
     • Terminology and Scope
     • Organization
     • Background and Assumptions
     • Prior Work
     • About this Document
     • Acknowledgements
     • Challenges
     • Legacy Formats
     • Unique and Irreplaceable
     • Trustworthiness
     • Authentication
     • Data Recovery
     • Costing
     • Ethics
     • Archival
     • Scholarly
     • Privacy
     • Working with Data Creators
     • Conclusions and Recommendations
     Appendices
     • References
     • Forensic Software
     • Forensic Hardware

  11. A definition “Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer data.” –Kruse and Heiser, Computer Forensics: Incident Response Essentials (2002)

  12. Not CSI “It’s not at all like what you see on “CSI.” Computer forensics can be tiresome, dreary, boring, and downright drudgery. Performing a competent analysis can take days, weeks, or even months depending upon the subject, the condition and state of the hard drive, or the importance of the case. For that time period, the examiner is literally trying on the subject’s life, wearing it like a costume for eight or more hours a day. Everything someone likes, hates, is interested in, fantasizes about, or fetishes goes through his or her keyboard at one point or another. Think about every email message you’ve ever written…every chat you’ve ever typed…every website you’ve ever visited…every phrase you’ve ever searched for online. “Seriously…think about it. I’ll give you a moment. “Now think about me reading and seeing it all. That should scare you a little bit, and if it didn’t, you’re probably lying to yourself. It’s okay. Most people do.” http://www.forensicfocus.com/the-darker-side-of-computer-forensics

  13. Precedents
     • Diplomatics
     • Questioned Document Examination
     • Analytical and Descriptive Bibliography

  14. Locard’s Exchange Principle: “Every Contact Leaves a Trace” “Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more, bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value.” —Paul L. Kirk. 1953. Crime investigation: physical evidence and the police laboratory. Interscience Publishers, Inc.: New York.

  15. Computer as Crime Scene “The first step is preservation, where we attempt to preserve the crime scene so that the evidence is not lost. In the physical world, yellow tape is wrapped around the scene. In a digital world, we make a copy of memory, power the computer off, and make a copy of the hard disk. In some cases, the computer cannot be powered off and instead suspicious processes are killed and steps are taken to ensure that known evidence is copied and preserved.” --Brian Carrier http://www.digital-evidence.org/di_basics.html

  16. Types
     • File System Forensics
     • Network Forensics
     • Incident Response
     • Intrusion Detection
     • Web Forensics
     • Mobile Forensics

  17. Remanence “Data remanence is the residual physical representation of data that has been in some way erased.” --A Guide to Understanding Data Remanence in Automated Information Systems http://www.fas.org/irp/nsa/rainbow/tg025-2.htm

  18. File System

  19. Forensic and Formal Materiality

  20. Little wonder then . . . “Secure file deletion on Windows platforms is a major exercise, and can only be part of a secure ‘wipe’ of one’s entire hard disk. Anything less than that is likely to leave discoverable electronic evidence behind.” -- Michael Caloyannides, Computer Forensics and Privacy (Norwood, MA: Artech House, 2001), 28

  21. From Garfinkel and Shelat, “Remembrance of Data Past”

  22. Mystery_House.dsk

  23. Mystery_House.dsk

  24. Slack Space and Data Carving

  25. Registry

  26. What computer forensics can do for archives . . .
     • Authenticity and Integrity
     • Discovery
     • Redaction
     • Data recovery

  27. Some Current Venues
     • British Library
     • Bodleian
     • Stanford
     • Emory
     • UT Austin (and Ransom Center)
     • MITH at Maryland

  28. Cautions
     • Terminology
     • Expense
     • Training
     • “Smoking Gun” Fallacy
     • Ethics

  29. Thank You mgk@umd.edu http://mith.info/forensics
