Computer Forensics and Cultural Heritage Matthew Kirschenbaum University of Maryland
sponsored by the Andrew W. Mellon Foundation
“Despite its origins in law enforcement, security and other areas seemingly far removed from the cultural heritage sector, we saw an amazing degree of convergence between the professional forensics community and attendees charged with the stewardship of born digital materials from arts, humanities, and personal archives.”
Seamus Ross, Luciana Duranti, Stephen Eniss, Cal Lee, Brad Glisson, Patricia Galloway, Susan Thomas, Peter Hornsby, Michael Olson, Jeremy Leighton John, Simson Garfinkel, Barbara Guttman, Leo Scanlon, Leslie Johnston, Amy Friedlander, Cliff Lynch
Authors
• Matthew Kirschenbaum, Associate Professor of English and Associate Director, Maryland Institute for Technology in the Humanities, University of Maryland
• Richard Ovenden, Associate Director, Bodleian Library, Oxford
• Gabriela Redwine, Archivist and Electronic Records Specialist, Harry Ransom Center, The University of Texas at Austin
• Rachel Donahue (Research Assistance), Doctoral Candidate, University of Maryland College of Information Studies
Consultants
• Luciana Duranti, Professor, School of Library, Archival and Information Studies, University of British Columbia
• Bradley Glisson, Director and Lecturer, Computer Forensics and e-Discovery, Humanities Advanced Technology and Information Institute, University of Glasgow
• Cal Lee, Assistant Professor, School of Information and Library Science, University of North Carolina, Chapel Hill
• Rob Maxwell, Lead Incident Handler, Office of Information Technology and Founder, Digital Forensic Lab, University of Maryland
• Doug Reside, Associate Director, Maryland Institute for Technology in the Humanities
• Susan Thomas, Digital Archivist, Bodleian Library, Oxford
Timeline
• Proposed to Mellon early 2009
• Funded July 2009
• Research and Writing through April 2010
• Symposium May 2010
• Revisions June-August 2010
• Submission to CLIR August 2010
• Publication late 2010
Audience
• Archives and Cultural Heritage Professionals (Manuscript Repositories)
• Technical Forensics Community
• Textual Scholars
• Funders
• Donors
Purpose(s)
• Introduce Computer Forensics to the Cultural Heritage Community
• Identify Points of Convergence
• Create a Basis for Further Contact and Collaboration
Table of Contents
• Introduction
  • Purpose and Audience
  • Terminology and Scope
  • Organization
  • Background and Assumptions
  • Prior Work
  • About this Document
  • Acknowledgements
• Challenges
  • Legacy Formats
  • Unique and Irreplaceable
  • Trustworthiness
  • Authentication
  • Data Recovery
  • Costing
• Ethics
  • Archival
  • Scholarly
  • Privacy
  • Working with Data Creators
• Conclusions and Recommendations
• Appendices
  • References
  • Forensic Software
  • Forensic Hardware
A definition “Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer data.” –Kruse and Heiser, Computer Forensics: Incident Response Essentials (2002)
Not CSI “It’s not at all like what you see on “CSI.” Computer forensics can be tiresome, dreary, boring, and downright drudgery. Performing a competent analysis can take days, weeks, or even months depending upon the subject, the condition and state of the hard drive, or the importance of the case. For that time period, the examiner is literally trying on the subject’s life, wearing it like a costume for eight or more hours a day. Everything someone likes, hates, is interested in, fantasizes about, or fetishes goes through his or her keyboard at one point or another. Think about every email message you’ve ever written…every chat you’ve ever typed…every website you’ve ever visited…every phrase you’ve ever searched for online. “Seriously…think about it. I’ll give you a moment. “Now think about me reading and seeing it all. That should scare you a little bit, and if it didn’t, you’re probably lying to yourself. It’s okay. Most people do.” http://www.forensicfocus.com/the-darker-side-of-computer-forensics
Precedents
• Diplomatics
• Questioned Document Examination
• Analytical and Descriptive Bibliography
Locard’s Exchange Principle: “Every Contact Leaves a Trace” “Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more, bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value.” —Paul L. Kirk. 1953. Crime investigation: physical evidence and the police laboratory. Interscience Publishers, Inc.: New York.
Computer as Crime Scene “The first step is preservation, where we attempt to preserve the crime scene so that the evidence is not lost. In the physical world, yellow tape is wrapped around the scene. In a digital world, we make a copy of memory, power the computer off, and make a copy of the hard disk. In some cases, the computer cannot be powered off and instead suspicious processes are killed and steps are taken to ensure that known evidence is copied and preserved.” --Brian Carrier http://www.digital-evidence.org/di_basics.html
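The preservation step Carrier describes (copy the disk before anything else touches it) is normally done with an imaging tool such as dd or a hardware imager. The following is an added example, not code from the talk or the report it describes, showing what such a tool has to get right: the source is read sector by sector, a sector that cannot be read is replaced by zeros so that every later offset stays aligned (the behaviour of dd's conv=noerror,sync), the lost sectors are recorded, and the image is hashed as it is written so its integrity can be checked later. The "device" here is a constructed in-memory stand-in with one deliberately unreadable sector; the 512-byte sector size is an assumption.

```python
"""Forensic acquisition loop with bad-sector handling and integrity hashing.
Added example; the source device is simulated in memory, not a real disk."""
import hashlib

SECTOR = 512  # assumed sector size of the simulated device


def acquire(read_sector, sector_count, sector_size=SECTOR):
    """Image sector_count sectors using read_sector(n) -> bytes.

    Returns (image, sha256_hex, unreadable). A sector whose read raises OSError
    is written as zeros (keeping offsets aligned, like dd conv=noerror,sync)
    and its number is appended to `unreadable` for the acquisition log.
    """
    image = bytearray()
    digest = hashlib.sha256()
    unreadable = []
    for n in range(sector_count):
        try:
            chunk = read_sector(n)
        except OSError:
            chunk = b"\x00" * sector_size
            unreadable.append(n)
        if len(chunk) != sector_size:
            raise ValueError(f"sector {n}: expected {sector_size} bytes, got {len(chunk)}")
        image += chunk
        digest.update(chunk)  # hash the image exactly as written
    return bytes(image), digest.hexdigest(), unreadable


def verify_image(image, expected_sha256):
    """Re-hash a stored image and compare with the hash recorded at acquisition."""
    return hashlib.sha256(image).hexdigest() == expected_sha256


def constructed_device(sectors, bad_sectors):
    """Return a read_sector callable over an in-memory sector list (constructed
    test data); sectors listed in bad_sectors raise OSError like a failing disk."""
    def read_sector(n):
        if n in bad_sectors:
            raise OSError(f"I/O error at sector {n}")
        return sectors[n]
    return read_sector


def demo():
    # Eight constructed sectors filled with 0x01..0x08; sector 3 is unreadable.
    sectors = [bytes([i]) * SECTOR for i in range(1, 9)]
    read_sector = constructed_device(sectors, bad_sectors={3})
    image, digest, unreadable = acquire(read_sector, len(sectors))
    tampered = bytearray(image)
    tampered[0] ^= 0xFF  # one flipped bit must be enough to fail verification
    return {
        "image": image,
        "digest": digest,
        "unreadable": unreadable,
        "verify_original": verify_image(image, digest),
        "verify_tampered": verify_image(bytes(tampered), digest),
    }


if __name__ == "__main__":
    result = demo()
    print("sha256:", result["digest"])
    print("unreadable sectors:", result["unreadable"])
    print("verified:", result["verify_original"], "tampered verifies:", result["verify_tampered"])
```

The point of recording the unreadable sectors alongside the hash is that the image is still reproducible and verifiable even though it is not a perfect copy: a second acquisition of the same failing disk can be compared against the first, and the zero-filled regions are documented rather than silently mistaken for genuinely empty space.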
Types
• File System Forensics
• Network Forensics
• Incident Response
• Intrusion Detection
• Web Forensics
• Mobile Forensics
Remanence “Data remanence is the residual physical representation of data that has been in some way erased.” --A Guide to Understanding Data Remanence in Automated Information Systems http://www.fas.org/irp/nsa/rainbow/tg025-2.htm
Little wonder then . . . “Secure file deletion on Windows platforms is a major exercise, and can only be part of a secure ‘wipe’ of one’s entire hard disk. Anything less than that is likely to leave discoverable electronic evidence behind.” -- Michael Caloyannides, Computer Forensics and Privacy (Norwood, MA: Artech House, 2001), 28
What computer forensics can do for archives . . .
• Authenticity and Integrity
• Discovery
• Redaction
• Data recovery
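Remanence and data recovery, as an added example that is not part of the original talk: a file is written into a constructed toy disk image, then "deleted" the way an ordinary file system does it, by clearing its directory entry and leaving the data blocks alone. The directory no longer lists the file, but a signature carver that scans the raw image for JPEG start and end markers recovers it, which is exactly why Caloyannides says anything short of a full wipe leaves discoverable evidence behind. The same block also makes the integrity point from the list above: the image is hashed before and after the carving pass to confirm that analysis only reads the image. The on-disk layout (64-byte blocks, a one-block directory of 16-byte entries) and the sample JPEG bytes are constructed for the example and do not correspond to any real file system.

```python
"""Remanence demo: a deleted file survives on disk and is recovered by carving.
Added example over a constructed toy image, not a real file system."""
import hashlib
import struct

BLOCK = 64        # toy block size (assumption)
ENTRY = 16        # directory entry: 8-byte name, u32 start block, u32 length
DIR_BLOCKS = 1    # block 0 holds the directory
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"

# Constructed stand-in for a small JPEG: real start/end markers, filler between.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x41" * 150 + JPEG_EOI


def fresh_image(n_blocks):
    return bytearray(BLOCK * n_blocks)


def list_files(image):
    """What a normal directory listing shows: only entries that are not zeroed."""
    files = []
    for off in range(0, BLOCK * DIR_BLOCKS, ENTRY):
        raw = bytes(image[off:off + ENTRY])
        if raw == bytes(ENTRY):
            continue
        name = raw[:8].rstrip(b"\0").decode()
        start, length = struct.unpack("<II", raw[8:])
        files.append((name, start, length))
    return files


def write_file(image, name, start_block, data):
    """Store data at start_block and record it in the first free directory slot."""
    if start_block * BLOCK + len(data) > len(image):
        raise ValueError("data does not fit in the image")
    for off in range(0, BLOCK * DIR_BLOCKS, ENTRY):
        if bytes(image[off:off + ENTRY]) == bytes(ENTRY):
            entry = name.encode().ljust(8, b"\0")[:8] + struct.pack("<II", start_block, len(data))
            image[off:off + ENTRY] = entry
            break
    else:
        raise RuntimeError("directory full")
    pos = start_block * BLOCK
    image[pos:pos + len(data)] = data


def delete_file(image, name):
    """Ordinary delete: clear the directory entry, leave the data blocks untouched."""
    for off in range(0, BLOCK * DIR_BLOCKS, ENTRY):
        raw = bytes(image[off:off + ENTRY])
        if raw[:8].rstrip(b"\0") == name.encode():
            image[off:off + ENTRY] = bytes(ENTRY)
            return True
    return False


def carve_jpegs(image, max_size=10 * 1024 * 1024):
    """Signature carving: return (offset, bytes) for each SOI..EOI region in the raw image,
    ignoring the directory entirely."""
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0 or end - start > max_size:
            pos = start + 1  # no plausible end marker; keep scanning past this header
            continue
        found.append((start, image[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)
    return found


def demo():
    img = fresh_image(16)
    write_file(img, "photo", 2, SAMPLE_JPEG)
    listed_before = list_files(img)
    delete_file(img, "photo")
    listed_after = list_files(img)
    frozen = bytes(img)  # the acquired image: analysis must not modify it
    hash_before = hashlib.sha256(frozen).hexdigest()
    carved = carve_jpegs(frozen)
    hash_after = hashlib.sha256(frozen).hexdigest()
    return {
        "listed_before": listed_before,
        "listed_after": listed_after,
        "carved": carved,
        "hash_unchanged": hash_before == hash_after,
    }


if __name__ == "__main__":
    r = demo()
    print("directory before delete:", r["listed_before"])
    print("directory after delete:", r["listed_after"])
    print("carved:", [(off, len(data)) for off, data in r["carved"]])
    print("image hash unchanged by analysis:", r["hash_unchanged"])
```

Carving by signature is also why the deck lists discovery and redaction next to data recovery: the same scan that finds a donor's deleted draft will find deleted material the donor assumed was gone, so the decision about what to surface belongs with the archivist's ethics review, not with the tool.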
Some Current Venues
• British Library
• Bodleian
• Stanford
• Emory
• UT Austin (and Ransom Center)
• MITH at Maryland
Cautions
• Terminology
• Expense
• Training
• “Smoking Gun” Fallacy
• Ethics
Thank You mgk@umd.edu http://mith.info/forensics