I had the pleasure of attending the very informative presentation by Eddy Colloton, Jonathan Farbowitz, Flaminia Fortunato, and Caroline Gil about how each of their corresponding institutions approaches disk imaging. This talk was based on a 2 day workshop about disk imaging (
"Peer Forum I: Disk Imaging" (December 7-8, 2017 at MoMA)):
https://www.mediaconservation.io/disk-imagingWith the
Hirshhorn Museum and Sculpture Garden, Solomon R. Guggenheim Museum, and Museum of Modern Art in New York represented, it covered a comprehensive discussion about what each institution has established as their protocols.
When disk imaging, the most common choices you have are between capturing the disk as RAW vs EWF. Both capture all of the information on the disk (even deleted files or empty space) but, like most technology, there are pros and cons to both.
vs EWF
When you image via RAW, you get a bit for bit copy of the drive, which takes up an enormous amount of space since you are also copying over the empty blocks. When you use EWF, you are able to compress the disk image and take up less space, but these disk images are more difficult to mount and may result in preservation problems if the software to decompress is no longer available. Both should give you access to the same data, you just have to make the decision about what is more valuable to your institution (drive space vs potential incompatibility). Also, you can export a Raw image from an EWF and vice versa (using the appropriate software).
I also appreciated the disk image report that the Guggenheim captures:
They also mentioned that photographs of the computer you are imaging are important, as well as using system reporting reports (Mac - system profiler, PC - MSInfo, Limus - hardinfo). Keeping serial numbers of hardware is also a good idea.
Your disk imaging toolkit:
Hardware - write blockers or forensic duplicator
Software - ddrescue, FTKimager, Guymager, Tableau Forensic Imager (all similar)
side note, Guymager doesn't use compression unless a block contains all zeros. Guymager also provides the most thorough sidecar info files.
Post-imaging steps:
QC - checking for bad sectors (can find this in the sidecar file). Older media is more likely to have bad sectors. New media shouldn't have lots of bad sectors and if it does, you can try ddrescue for data recovery.
Verifying image against the source media via checksums.
Mount image on another computer, check partitions and files. Fiwalk report and sleuth kit can help with this.
https://github.com/simsong/dfxml this can find the difference between 2 fiwalk reports (image vs source)
mounting disk images - libewf is a command line tool to access EWF format. But Caroline has been having problems with some of the images mounting as text files (ultimately needed to change the extension). Or mount using Bit Curator.
Lastly, here were some tests that showed different setups for imaging (using EWF)
All in all, it was an extremely helpful and informative talk and panel!
#Featured#47thAnnualMeeting(NewEngland)#ElectronicMediaGroup#AICmtg19