Page 1
The Challenge of E-Records: Adopting Digital Forensics as a Solution
William Vinh-Doyle
November 5, 2015

Page 2
The beginning…
• The Provincial Archives of New Brunswick (PANB) was established in 1967.
• Under provincial legislation the Archives has the responsibility to assemble, and to make available for research, records bearing upon the history of New Brunswick.
• “Records” is defined as:
  a) Correspondence, memoranda, forms and other papers and books;
  b) Maps, plans and charts;
  c) Photographs, prints and drawings;
  d) Motion picture films, microfilms and video tapes;
  e) Sound recordings, magnetic tapes, computer cards, and other machine-readable records;
  f) All other documentary materials regardless of physical form or characteristics.

Page 3
Fast Forward…
• 1980s – Sound and Moving Images unit is established at PANB to preserve the audio and film collection.
• 1990 to 2010 – The archival community expresses concerns about digital born records being preserved, but little action is taken.
  – Records are transferred to PANB on external media and placed in the repository along with paper records for storage.
  – The Archives is unaware of the digital records in its custody and control. Little intellectual control.
• 2010 – The Archives reallocates resources to commit one FTE to establish a digital preservation program.

Page 4
Digital Preservation Unit (DPU)
• Develop policies, standards, procedures, and guidelines applicable to digital records:
  – GNB Transfer Standard
  – GNB Digitization Standard
  – Managing and Capturing Social Media for Long-Term Preservation (DRAFT)
  – Guidelines for Preserving Digital Records in Small Archival Institutions (DRAFT)
• Acquire digital born and digital made records.
• Appraise digital records (selection).
• Preserve digital records.

Page 5
Previous State
• Limited ability to capture records in a secure way.
  – Risk that software or the operating system would inadvertently change the original media, including adding, deleting, or modifying information.
• Searching was limited to Windows Explorer (minutes to hours to complete one keyword search).
• Appraisal process was convoluted. In some cases we did not have the software to open and view the records.
  – Migration to a viewable format was needed before appraisal could be completed.
  – Took extra time (minutes to hours).
  – No guarantee the record was archival.
  – Waste of resources and time.

Page 6
Why Digital Forensics?
• “Digital Forensics and Born-Digital Content in Cultural Heritage Collections,” Council on Library and Information Resources (CLIR), 2010:
  – Outlined some cultural heritage organizations that had adopted digital forensics as a solution to appraise digital records.
  – Demonstrated how digital forensics could maintain record authenticity during the accession and appraisal process.

Page 7
Research
• Different forensic software tools were available (EnCase, FTK, etc.).
• Contacted various archives to learn more about their experience.
• Based on these experiences, contacted 3 vendors – 2 proprietary vendors and one open source vendor.
• EnCase was being utilized by government.
  – PANB contacted the Security Group within the OCIO.
• Trial tests were completed with EnCase (Thanks Todd!).

Page 8
FRED system
• i7 Quad Core Processor 3.3 GHz, 32 GB memory
• 512 GB SSD OS drive
• 128 GB SSD Temp/Cache/DB drive
• 2 TB data drive
• Win. 8.1
• UltraBay 3d Write Blocker (read only) ports:
  – SATA (hard disk drive and solid state drive connector)
  – IDE (hard disk drive connector)
  – SAS (hard disk drive connector)
  – USB 3.0
  – FireWire
• Multimedia card reader (CFC, MSC, SMC, MD, XD, etc.)

Page 9
Creating a New Case
• A new case is created for each collection.
• Includes information such as the person conducting the case (examiner), a case number (unique identifier), and a description.
• Options to acquire the evidence include:
  – A bit-by-bit copy of the original, including the unallocated space.
  – Drag and drop only relevant records.
• Logical Evidence File (LEF) created.

Page 10
EnCase Interface
• Tree Pane – Standard hierarchical folder structure.
• Table Pane – Includes columns with information about the displayed entries (e.g. Name, Tags, Size, Is Duplicate, etc.).
• View Pane – Different viewing options include Report, Text, Doc, Transcript, Picture.

Page 11
Oracle: Outside In Technology
• Provides software developers with a solution to extract and view the contents of over 600 unstructured file formats.
• This includes the latest office suites, specialty formats, and legacy files.
• Identifies file types without proper file extensions.
• Viewer displays a representation of files without using the file's native application.

Page 12
Processing Records
Upon adding records, the Archives processes the records. Processing may involve:
– Recovering deleted files.
– Indexing information.
– Creating thumbnails of images.
– Expanding compound files (e.g. .zip).
– Finding email (e.g. .pst, .nsf, .mbox).
– Finding internet artifacts.
– Conducting a keyword search.
– Creating a hash file (MD5 or SHA1).
– Breaking password protected files.

Page 13
Thumbnail Images
• Thumbnails are created for each image in a collection.
• As per policy, an archivist must review the thumbnail images to tag photos of historical importance.
  – Must also review images to ensure that we do not accidentally release inappropriate images.
  – Allows us to quickly identify and select records of non-archival value (e.g. family photos).

Page 14
Indexed Search

Page 15
Tagging Records
• Tags are used in the appraisal, selection, and arrangement process.
• Can create up to 63 different tags.
• Tags are specific to each case.

Page 16
Bookmarking and Reporting
Bookmarks
• Can create as many bookmarks as required.
• Can bookmark one or multiple records.
Reports
• Reports provide a review of the findings in a case.
• Could be used to provide a detailed summary of RTI requests.
• Thumbnail images and email can be included in the report.

Page 17
Exporting Records
• Can keep data within a forensic file (e.g. LEF) or export (copy) data out of EnCase.
• Export a single record, multiple records, or entire folders.
• Export records based on tags (selection & arrangement).

Page 18
Current State
• Acquisition
  – Write blocker
  – Disk image (Logical Evidence File)
• Appraisal
  – Tag duplicates as non-records.
  – Tag records of value based on archival best practices.
  – Organize records using tags.
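The acquisition and appraisal steps above (a bit-for-bit image taken behind a write blocker, an acquisition hash recorded with the case, and duplicates tagged as non-records) as an added Python illustration; this is not code from the presentation or from EnCase. It assumes an ordinary file stands in for the source media and runs on constructed sample files.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path

CHUNK = 1 << 20  # read in 1 MiB pieces so large media never sits fully in memory

def stream_hash(path, algo):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_image(source_path, image_path, algo="sha1"):
    """Bit-for-bit copy of the source into an image file, hashing as it is read.
    Source is opened read-only; the hardware write blocker remains the real guarantee."""
    h = hashlib.new(algo)
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            dst.write(chunk)
    return h.hexdigest()  # acquisition hash, to be recorded with the case

def verify_image(image_path, acquisition_hash, algo="sha1"):
    """Re-hash the stored image; a mismatch means it was altered or damaged."""
    return stream_hash(image_path, algo) == acquisition_hash

def find_duplicates(paths, algo="md5"):
    """Group files by content hash; groups of two or more are duplicate sets."""
    by_hash = defaultdict(list)
    for p in paths:
        by_hash[stream_hash(p, algo)].append(Path(p).name)
    return {d: sorted(names) for d, names in by_hash.items() if len(names) > 1}

def demo():
    """Constructed sample collection: two identical memos and one distinct file."""
    work = Path(tempfile.mkdtemp())
    files = {"memo.txt": b"minutes of 1995 meeting\n",
             "memo (copy).txt": b"minutes of 1995 meeting\n",
             "map.txt": b"plan of the harbour\n"}
    for name, data in files.items():
        (work / name).write_bytes(data)
    paths = [work / name for name in files]
    image = work / "memo.img"
    acq = acquire_image(paths[0], image)
    verified = verify_image(image, acq)
    with open(image, "ab") as f:  # simulate the image being changed after acquisition
        f.write(b"x")
    return {"acquisition_hash": acq, "verified": verified, "duplicates": find_duplicates(paths),
            "verified_after_change": verify_image(image, acq)}
```

The duplicate sets returned by find_duplicates are the candidates an archivist would tag as non-records; the failed re-verification shows how a recorded acquisition hash exposes any later change to the image.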

Page 19
Case Study – Email
• Literature suggests that email management practices are not working, as users continue to manage (or mismanage) their email in an ad hoc fashion.
• 1996 – Whittaker and Sidner’s study “Email Overload”:
  – 28% of users frequently filed their email.
  – 33% file once their mailboxes get too large (spring cleaners).
  – 33% do not file email.
• 2006 – Fisher et al. replicate the study completed by Whittaker and Sidner:
  – 21 to 27% are frequent filers.
  – 41 to 64% are spring cleaners.
  – 8 to 32% are no filers.
• At most, organizations can expect approximately 60-70% compliance from employees to participate in some form of email management.

Page 20
• Not only is the email not managed, it is also at risk when stored in a .pst format.
• There is a risk that a .pst file will become corrupt as a result of:
  – Hardware issues
    – Data storage device failure
    – Faulty networking device
    – Power failure
  – Software issues
    – Incorrect file system recovery
    – Virus or other malicious software
    – Terminating Outlook abnormally (e.g. End Task, power failure)
    – Outlook program limits (e.g. the maximum size of a .pst file for Outlook 97 to 2002 was 2 GB; anything above this size could result in corruption)
• PANB needed a solution to open, select, appraise, search, and export email.
• PANB currently has 1,064,538 .msg files.

Page 21
Searching email
• Greater demand to provide access to our email records.
• Request for information relating to Enbridge and Tobacco Litigation.
• 15 key terms to search.
• Old system (Windows Explorer) = minutes to hours.
• EnCase index search = seconds.
• Able to search .pst safely, without risk of damaging the .pst record.
• Can export records based on tags into a .msg format.

Page 22
Unexpected Results
• Review of images revealed “misogynistic” jokes/images.
• Should have been deleted by the user as a “non-record.”
• Archives kept these as a record.
• Demonstrated misogyny in the workplace.
• Archive stakeholders are interested in this form of record, something that is not often found in the paper records.
• Would most likely have been destroyed under the old method.

Page 23
Advantages of using EnCase to appraise email
• Decrypt password protected .pst files.
• Import and unpack .pst files.
• Appraise and select records of archival and/or research value.
• Tag records.
• Search records using the index search option.
• Export the records from .pst to .msg.

Page 24
Conclusions
• Forensics improves our ability to appraise archival records.
• Provides a means for us to arrange digital records.
• Improves our ability to search and discover information.
• Allows us to acquire records in a trusted way to ensure the authenticity of the records.