1 / 24

Embracing Digital Forensics for E-Records Management

Learn how the Provincial Archives of New Brunswick adopted digital forensics as a solution to manage and preserve digital records effectively.

zawacki
Download Presentation

Embracing Digital Forensics for E-Records Management

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. The Challenge of E-Records: Adopting Digital Forensics as a Solution William Vinh-Doyle November 5, 2015

  2. The beginning… • The Provincial Archives of New Brunswick (PANB) was established in 1967. • Under provincial legislation the Archives has the responsibility to assemble, and to make available for research, records bearing upon the history of New Brunswick. • “Records” is defined as: • Correspondence, memoranda, forms and other papers and books; • Maps, plans and charts; • Photographs, prints and drawings; • Motion picture films, microfilms and video tapes; • Sound recordings, magnetic taps, computer cards, and other machine readable records; • All other documentary materials regardless of physical form or characteristics.

  3. Fast Forward… • 1980s – Sound and Moving Images unit is established at PANB to preserve audio and film collection. • 1990 to 2010 – Archival community expresses concerns about digital born records being preserved, but little action is taken. • Records are transferred to PANB on external media and placed in repository along with paper records for storage. • Archives unaware of the digital records in its custody and control. Little intellectual control. • 2010 – Archives reallocates resources to commit one FTE to establish a digital preservation program.

  4. Digital Preservation Unit (DPU) • Develop policies, standards, procedures, and guidelines applicable to digital records. • GNB Transfer Standard • GNB Digitization Standard • Managing and Capturing Social Media for Long-Term Preservation (DRAFT) • Guidelines for Preserving Digital Records in Small Archival Institutions (DRAFT) • Acquire digital born and digital made records. • Appraise digital records (selection). • Preserve digital records.

  5. Previous State Limited in ability to capture records in a secure way. Risk that software or operating system would inadvertently change the original media, including adding, deleting, or modifying information. Searching was limited to Windows Explorer (minutes to hours to complete one key word search) Appraisal Process convoluted. In some cases we did not have the software to open and view the records. Migration to a viewable format was needed before appraisal could be completed. Took extra time (minutes to hours). No guarantee the record was archival. Waste of resources and time.

  6. Why Digital Forensics? “Digital Forensics and Born-Digital Content in Cultural Heritage Collections,” Council on Library and Information Resources (CLIR) – 2010 • Outlined some cultural heritage organizations who had adopted digital forensics as a solution to appraise digital records. • Demonstrated how digital forensics could maintain records authenticity during the accession and appraisal process.

  7. Research • Different forensic software tools were available (EnCase, FTK, etc.). • Contacted various archives to learn more about their experience. • Based on these experiences contacted 3 vendors – 2 proprietary vendors, and one open source vendor. • EnCase was being utilized by government. • PANB contacted the Security Group within the OCIO. • Trial tests were completed with EnCase (Thanks Todd!).

  8. FRED system • I7 Quad Core Processor 3.3Ghz, 32 GB memory • 512GB SSD OS Drive • 128 GB SSD Temp/Cash/DB Drive • 2TB data drive • Win. 81. • UltraBay 3d Write Blocker (Read Only) ports: • SATA (hard disk drive and solid state drive connector) • IDE (hard disk drive connector) • SAS (hard disk drive connector) • USB 3.0 • Firewire • Multimedia card reader (CFC, MSC, SMC, MD, XD etc.)

  9. Creating a New Case • A new case is created for each collection. • Includes information such as the person conducting the case (examiner), a case number (unique identifier), and a description. • Options to acquire the evidence include: • A bit by bit copy of the original, including the unallocated space. • Drag and drop only relevant records. • Logical Evidence File (LEF) file created.

  10. EnCase Interface • Tree Pane – Standard hierarchical folder structure • Table Pane – Includes columns with information about the displayed entries (e.g. Name, tags, size, Is Duplicate, etc.) • View Pane – Different viewing options include Report, Text, Doc, Transcript, Picture.

  11. Oracle: Outside In Technology • Provides software developers with a solution to extract and view the contents of over 600 unstructured file formats. • This included latest office suites to specialty formats, and legacy files. • Identifies file types without proper file extensions. • Viewer displays representation of files without using the files native application.

  12. Processing Records Upon adding records the archives processes the records. Processing may involve: • Recovering deleted files. • Indexing Information • Creating thumbnails of images. • Expanding compound files (e.g. .zip) • Finding Email (e.g..pst, .nsf, .mbox) • Finding internet artifacts. • Conducting a keyword search. • Creating a hash file (MD5 or Sha1) • Breaking password protected files.

  13. Thumbnail Images • Thumbnails are created for each image in a collection. • As per policy, an archivist must review the thumbnail images to tag photos of historical importance. • Must also review images to ensure that we do not accidently release inappropriate images. • Allows us to quickly identify and select records of non-archival value (e.g. family photos).

  14. Indexed Search

  15. Tagging Records • Tags are used in the appraisal, selection, and arrangement process. • Can create up to 63 different tags. • Tags are specific to each case.

  16. Bookmarking and Reporting Bookmarks Reports Reports provide a review of the findings in a case. Could be used to provide a detailed summary of RTI requests. Thumbnail images and email can be included in the report. • Can create as many bookmarks as required. • Can bookmark one or multiple records.

  17. Exporting Records • Can keep data within a forensic file (e.g. LEF) or export (copy) data out of EnCase. • Export single record, multiple records, or entire folders. • Export records based on tags (selection & arrangement).

  18. Current State: • Acquisition • Write Blocker • Disk Image (Logical Evidence File) • Appraisal • Tag duplicates as non records. • Tag records of value based on archival best practices. • Organize records using tags.

  19. Case Study - Email • Literature suggests that email management practices are not working as users continue to manage (or mismanage) their email in an ad hoc fashion. • 1996 - Whittaker and Sidner’s study “Email Overload” • 28% of users frequently filed their email. • 33% file once their mailboxes get too large (spring cleaners). • 33% do not file email. • 2006 – Fisher et el replicate study completed by Whittaker and Sidner. • 21 to 27% are frequent filers. • 41 to 64% are spring cleaners. • 8 to 32% are no filers. • At most, organizations can expect approximately 60-70% compliance from employees to participate in some form of email management.

  20. Not only is the email not managed, it is also at risk when stored in a .pst format. • There is a risk that a .pst file will become corrupt as a result of • Hardware Issues • Data Storage Device Failure • Faulty Networking Device • Power Failure • Software Issues • Incorrect File System Recovery • Virus or other Malicious software • Terminate Outlook Abnormally (e.g. End Task, Power Failure). • Outlook program (e.g. Max size of .pst file for outlook 97 to 2002 was 2GB, anything above this size could result in corruption) • PANB needed a solution to open, select, appraise, search, and export email. • PANB currently has 1,064,538 .msg files.

  21. Searching email • Greater demand to provide access to our email records. • Request for information relating to Enbridge and Tobacco Litigation. • 15 key terms to search. • Old system (window’s explorer) = minutes to hours. • EnCase index search = seconds. • Able to search .pst safely, without risk of damaging the .pst record. • Can export records based on tags into a .msg format.

  22. Unexpected Results • Review of Images revealed “misogynistic” jokes/images. • Should have been deleted by user as a “non-record.” • Archives kept these as a record. • Demonstrated misogyny in the workplace. • Archive stakeholders are interested in this form of record, something that is not often found in the paper records. • Would have most likely been destroyed under old method.

  23. Advantages of using EnCase to appraise email • De-crypt password protected .pst files. • Import and unpack .pst files. • Appraise and select records of archival and/or research value. • Tag records. • Search records using the index search option. • Export the records from .pst to a .msg.

  24. Conclusions • Forensics improves our ability to appraise archival records. • Provides a means for us to arrange digital records. • Improves our ability to search and discover information. • Allows to acquire records in a trusted way to ensure the authenticity of the records.

More Related