Processing profiles vs. additional analysis in FTK


Creighton Barrett

Jul 16, 2018, 7:55:10 PM
to digital-...@googlegroups.com
Hi everyone,

A few questions for anyone using FTK in their digital forensics workflows. FTK provides a few "processing profiles" that can be used when disk images are added to a case. You can also create custom processing profiles and perform "additional analysis" on images after they have been added. 

Has anyone created a custom profile to suit your archival workflows? Or are you using an FTK default profile? Do you have a core set of additional analysis options you run after the images are added? Or is it case by case?

There seem to be two choices when building a case: do all the processing at once, OR do some minimal processing when images are added and then do some additional analysis.

Some of the options are very time consuming (e.g., flagging duplicates, checking files against the NSRL, expanding compound files, etc.) and may not be necessary all of the time.

I'd love to hear from FTK users in the cultural heritage communities about how they approach these decisions when building a new case in FTK.

Cheers,

Creighton Barrett
Digital Archivist
Dalhousie University Archives
Amanda May

Jul 17, 2018, 12:27:49 PM
to Digital Curation
Hi Creighton -

I use FTK at the Library of Congress, mostly on special collections. When making a new case, I set the processing profile to field mode. This allows me to get up and running and do the most basic indexing quickly. Since I'm sometimes adding hundreds of pieces of evidence, this is essential. After all of the evidence is added, I run additional analysis depending on the needs of the collection. Most commonly, I run hashes, check for duplicates and expand compound files. We also have PII and classification marker searches that I run in Live Search. When I was running these additional analyses as part of the initial evidence processing, I was getting hang-ups and crashes (granted, this was before I upped our FRED's memory and optimized in a couple other ways), so I reverted to field mode as a way of at least getting the full index before attempting the deeper looks.

I hope this helps,
Amanda May
Digital Conversion Specialist
Library of Congress

Creighton Barrett

Jul 17, 2018, 5:27:37 PM
to digital-...@googlegroups.com
Hi Amanda,

This is very helpful, thank you. Do you expand all compound files as part of your additional analyses? Or only certain types of compound files?

I am particularly interested in this process because I have a feeling that I have overly complicated one of our cases by unnecessarily expanding compound files. We know there is extensive duplication across laptops, external drives, floppy discs, etc. We compound that problem by expanding all of the duplicate Microsoft files. 

Put another way: we all know that Microsoft Office files are compound files and can have embedded objects. It's not really a consideration from an appraisal/selection perspective. If we are selecting complete DOCX files to be extracted from the case and ingested into our preservation system as files, does the FTK case really need to be cluttered with all those compound objects? 

Nice tip to run the PII and classification searches in Live Search rather than as part of the evidence processing! I will look into that too.

Thanks again,

Creighton


Amanda Koss May

Jul 17, 2018, 5:37:25 PM
to digital-...@googlegroups.com
We're generally looking at expanding only the archive files - Zip, tar, etc. I know that we were confused in some earlier cases because of the Microsoft metadata files that suddenly appeared. Depending on the project, I may or may not expand the compound files or do the Live Search for PII/Classification; it just depends on the needs and what the archivist wants.

Best,
Amanda
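The two posts above describe the same pattern: a minimal first pass, then a second "additional analysis" pass that hashes everything, groups duplicates, excludes known files against an NSRL-style hash set, and expands only archive-type compound files while leaving Office containers alone. The script below is an added illustration of that pass, not code from this thread, from FTK, or from any of the posters. It assumes an in-memory mapping of logical paths to file bytes standing in for files listed from the images, a constructed known-file hash set standing in for the NSRL, and a hypothetical split of compound types into archives and Office containers; all three are labelled as constructed in the comments.

```python
import hashlib
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample evidence: logical path -> file bytes. This stands in for
# the files a minimal (field-mode style) pass over the images would list.
SAMPLE_FILES = {
    "laptop/Documents/report.docx": b"PK\x03\x04 docx body",
    "usb/backup/report.docx": b"PK\x03\x04 docx body",      # byte-identical copy on another device
    "laptop/Downloads/photos.zip": b"PK\x03\x04 zip body",
    "floppy/readme.txt": b"plain text note",
    "laptop/Windows/notepad.exe": b"MZ notepad stand-in",
}

# Constructed stand-in for a known-file hash set such as the NSRL; a real
# workflow loads the published hash list rather than computing it from evidence.
KNOWN_FILE_HASHES = {hashlib.sha1(b"MZ notepad stand-in").hexdigest()}

# Hypothetical split of compound-file types: archives are expanded by default,
# Office containers only when the archivist asks for it.
ARCHIVE_EXTENSIONS = {".zip", ".tar", ".gz", ".7z"}
OFFICE_EXTENSIONS = {".docx", ".xlsx", ".pptx"}


def hash_files(files):
    """Return {path: sha1 hex} for every file; this is the 'run hashes' step."""
    return {path: hashlib.sha1(data).hexdigest() for path, data in files.items()}


def find_duplicates(hashes):
    """Group paths by hash and keep only the groups with more than one member."""
    groups = defaultdict(list)
    for path, digest in hashes.items():
        groups[digest].append(path)
    return {digest: sorted(paths) for digest, paths in groups.items() if len(paths) > 1}


def flag_known_files(hashes, known_hashes):
    """Paths whose hash appears in the known-file set (NSRL-style exclusion)."""
    return sorted(path for path, digest in hashes.items() if digest in known_hashes)


def expansion_candidates(files, expand_office=False):
    """Compound files selected for expansion: archives always, Office only on request."""
    wanted = set(ARCHIVE_EXTENSIONS)
    if expand_office:
        wanted |= OFFICE_EXTENSIONS
    return sorted(path for path in files if PurePosixPath(path).suffix.lower() in wanted)


def triage(files, known_hashes, expand_office=False):
    """One additional-analysis pass: duplicate groups, known files, expansion list."""
    hashes = hash_files(files)
    return {
        "duplicates": find_duplicates(hashes),
        "known": flag_known_files(hashes, known_hashes),
        "to_expand": expansion_candidates(files, expand_office),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_FILES, KNOWN_FILE_HASHES)
    for digest, paths in result["duplicates"].items():
        print(f"duplicate group {digest[:12]}: {paths}")
    print("known files to exclude:", result["known"])
    print("compound files to expand:", result["to_expand"])
```

Running it shows why the order matters for the case size: the two `report.docx` copies collapse into one duplicate group before anything is expanded, and with the default `expand_office=False` only `photos.zip` is queued for expansion, so neither copy of the Office container contributes embedded objects to the case.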

Creighton Barrett

Jul 17, 2018, 5:56:47 PM
to digital-...@googlegroups.com
Okay that makes sense, thanks, Amanda!

Not sure how many FTK users there are in GLAM institutions out there, but I'd love to hear other thoughts on this from other institutions.

Cheers,

Creighton

Matthew Burgess

Jul 17, 2018, 7:23:18 PM
to Digital Curation
It is great to hear how other cultural institutions are using FTK, and I had the same question regarding processing profiles after using FTK a few weeks ago. Does anyone have any procedures or guidelines they would be willing to share, or point to online, on the use of FTK in this space? We are beginning to use it as part of our acquisitions workflow at the State Library of NSW (Australia) and would love to see examples of how other organisations are making use of it.

Thanks,

Matthew Burgess
Digital Collections Analyst
State Library of NSW