Digital forensics is a specialized field that focuses on recovering and analyzing information from media and devices such as computer hard drives, floppy disks, flash drives, cell phones and so forth. Developed primarily for law enforcement, digital forensics tools and methodologies have been embraced by a growing number of archivists and librarians who are charged with preserving born-digital content. The Johns Hopkins University Archives recently joined the ranks of these non-traditional digital forensic practitioners with the acquisition and installation of a suite of forensic hardware and software.
The technological leap from law enforcement to libraries may seem like an odd one, but both industries have a need to create and analyze authentic, trustworthy and complete versions of digital storage devices, the former to produce evidence that will withstand legal scrutiny and be admissible in court, the latter to preserve the digital historical record. Here at Hopkins, we will be using forensic tools to preserve digital materials transferred to the archives by university offices, as well as those donated by individuals or acquired as part of modern manuscript collections.
For our primary workstation, we selected a Forensic Recovery of Evidence Device (FRED) computer that is capable of securely transferring data from all types of current and recent devices, as well as running Forensic Tool Kit (FTK) software for analyzing and processing forensic disk captures. I’m particularly excited to get to work with FTK’s capabilities for analyzing large sets of data as a single unit; for example, I could import the contents of many floppy disks and a hard drive that were all used by the same office around the same time period and analyze them as a single intellectual unit, rather than as discrete objects.
Both the FRED hardware and the FTK software are state-of-the-art equipment marketed primarily for law enforcement. However, in the archives, we also have a need to access vintage formats and file types. For this work, we’ve acquired several pieces of additional hardware including a new Zip drive (yes, you can still buy them new!) and a specialized floppy drive controller called a KryoFlux. Designed and created by the Software Preservation Society, the KryoFlux creates copies of floppy disks at the magnetic flux level, which is particularly valuable when working with older, potentially damaged disks. So far, we’ve used the KryoFlux with a 3.5” floppy disk drive, and I’m looking forward to buying a 5.25” drive to use with it as well.
Over the next year, we’ll be gaining expertise with the forensic equipment as we use it to transfer the contents of the hundreds of disks and hard drives we already have in our collections as well as those we acquire now that we know we have these capabilities. Have something in an old digital format that you can’t access anymore? We might be interested in taking a crack at it!