Uploaded by lydia-perry
8/10/2019 Bitcurator Operating
BitCurator Operating Instructions
Published:
Revised:
UALR Center for Arkansas History and Culture
Contents
Introduction
What's an Image?
Booting up BitCurator
Booting for the First Time
Mounting Media as Read-Only
Creating a Forensic Image with Guymager
Understanding Linux Directory Structure
Generating a Forensic Report
Viewing a Forensic Report
Introduction
BitCurator is open-source digital forensic software designed to help archival
institutions acquire images of digital files.
What's an Image?
A digital image is a snapshot of the digital file that contains the content and metadata.
With an image, you are not using the actual digital file, just the snapshot.
Booting up BitCurator
Booting for the First Time
1. Open Oracle VM VirtualBox. Click Settings.
2. Click USB.
3. Uncheck All USB Devices under USB Device Filters.
4. Click OK.
5. Select the BitCurator virtual machine and click Start.
6. Once BitCurator has loaded, insert the external media into your computer.
Do NOT insert external media until BitCurator has booted.
Once you have booted BitCurator for the first time, you no longer have to go through the Settings menu in steps 1-4.
Mounting Media as Read-Only
Making a drive read-only is important to ensure the digital objects will not be changed or
overwritten. To mount a drive as read-only, click the green drive icon at the top-right of the
screen and Set mount policy READ-ONLY.
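An added example, not part of the original instructions: a shell check, run in a terminal inside the BitCurator virtual machine, that confirms a volume is mounted read-only before you image or browse it. It reads a mount table in `/proc/mounts` format; the helper names, the mount paths and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the READ-ONLY mount policy took effect for a volume.
# Mount table fields: device mountpoint fstype options dump pass

# mount_options <mountpoint> [mounts_file]
# Prints the option string of the LAST entry for that mount point
# (a later mount shadows an earlier one); prints nothing if not mounted.
mount_options() {
    awk -v mp="$1" '$2 == mp { opts = $4 } END { if (opts != "") print opts }' \
        "${2:-/proc/mounts}"
}

# is_read_only <mountpoint> [mounts_file]
# Returns 0 if read-only, 1 if writable, 2 if the mount point is not mounted.
# "ro" must be a whole comma-separated option: a plain substring search would
# wrongly accept "errors=remount-ro" on a volume that is mounted rw.
is_read_only() {
    opts=$(mount_options "$1" "${2:-/proc/mounts}")
    [ -n "$opts" ] || return 2
    case ",$opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Constructed sample mount table (not taken from a real system).
write_sample_mounts() {
    printf '%s\n' \
        '/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0' \
        '/dev/sdb1 /media/bcadmin/DONOR_DISK vfat ro,nosuid,nodev,relatime 0 0' \
        '/dev/sdc1 /media/bcadmin/SCRATCH vfat rw,nosuid,nodev 0 0' > "$1"
}

# Demonstration against the sample table; omit the second argument to
# check the live system instead.
sample=$(mktemp)
write_sample_mounts "$sample"
for mp in / /media/bcadmin/DONOR_DISK /media/bcadmin/SCRATCH /media/bcadmin/MISSING; do
    if is_read_only "$mp" "$sample"; then
        echo "$mp: read-only"
    else
        echo "$mp: writable or not mounted, do not proceed"
    fi
done
rm -f "$sample"
```

Mount points that contain spaces appear in the mount table with the space written as `\040`, so pass the path in that form when checking such a volume.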
Creating a Forensic Image with Guymager
1. Double-click the Imaging Tools folder.
2. Double-click Guymager.
3. Select the drive you want to image (click Rescan if you do not see the image listed).
4. Right-click on the drive and click Acquire image.
5. Click Linux dd raw image under File format.
5.1: Select TiB under Split size.
5.2: Select Image directory to designate the location of the saved image file.
5.3: Give the image a file name.
5.4: Click Start.
Figure 1: Acquiring image in Guymager
Figure 2: Dialog box in Guymager
Understanding Linux Directory Structure
The BitCurator software runs on the Linux Ubuntu operating system. The Linux
directory structure is slightly different from the Windows version. Linux organizes files
in a tree-like structure. The top of the tree is the root folder. All other folders stem from
the root folder.
Many folders in the directory pertain to the booting of the system and execution of
programs. For the purposes of these instructions, the directory you need to use is
Home. Home contains the folders for Desktop, Documents, Music, and Pictures. When
you create an image, you want to put it in the Home directory.
Figure 3: Abstract graphic of Linux file system
Figure 4: home directory
Figure 5: bcadmin folder within home directory
7. Click Submit Run
Once the scanning has finished, new files will be located in the Bulk Extractor Output
folder. One of those files is an XML file that shows information about the image file.
8. Click BitCurator Reporting Tool in the Forensic Tools Folder
Figure 9: Selecting what file types to scan in Bulk Extractor Viewer
9. Click the Reports tab.
10. Under Fiwalk XML file, navigate to the XML file that was created in the Bulk Extractor Output folder.
10.1: Under Annotated Feature File Directory, navigate to the Annotated Features folder you created on the desktop.
10.2: Under Output Directory for Reports, navigate to the Report Output folder you created on the desktop and type a filename for the report.
11. Click Run.
When the report is completed, you can view each report item in the folder you created on the
desktop.
Viewing a Forensic Report
1. Open Bulk Extractor Viewer in the Forensic Tools folder.
2. Click Open Report under the File menu.
3. Under Report File, navigate to the XML file that was created in the Bulk Extractor Output folder.
4. Under image file, click Select Custom Path. Navigate to the image file you created in Guymager.
5. Click OK.
6. Click on the type of report you want to view in the Reports window. In the Feature File window, you will see all of the files that pertain to a specific filter.
When you click on a specific file in Feature File, you will see the relevant data in the
file image. In Figure 11, the left window shows that the telephone filter is selected. The
middle window shows all of the telephone numbers that have been found in the disk
image. The right window shows where the numbers are located in the disk image.
Figure 10: Opening a report in Bulk Extractor Viewer
Figure 11: Viewing a report in Bulk Extractor Viewer
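An added example, not part of the original instructions: the same view the telephone filter gives in Bulk Extractor Viewer, produced from the command line by reading the feature file in the Bulk Extractor Output folder. It assumes the usual bulk_extractor feature-file layout (comment lines starting with `#`, then tab-separated offset, feature and context) and a file named `telephone.txt`; the helper names and the sample data are constructed.

```shell
#!/bin/sh
# Added example: summarize a bulk_extractor feature file (e.g. telephone.txt).

# summarize_features <feature_file>
# One line per distinct feature: count<TAB>feature<TAB>first offset seen,
# most frequent first.
summarize_features() {
    awk -F '\t' '
        /^#/ || NF < 2 { next }                 # header comments, blank lines
        { n[$2]++; if (!($2 in first)) first[$2] = $1 }
        END { for (f in n) printf "%d\t%s\t%s\n", n[f], f, first[f] }
    ' "$1" | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2,2
}

# raw_offsets <feature_file> <feature>
# Byte offsets where the feature sits in plain image data. Offsets that carry
# a decoder name (e.g. 204800-GZIP-312) point into decoded data, not to a
# byte position in the image itself, so they are left out here.
raw_offsets() {
    awk -F '\t' -v want="$2" '
        /^#/ { next }
        $2 == want && $1 ~ /^[0-9]+$/ { print $1 }
    ' "$1"
}

# Constructed sample feature file (fictional numbers, invented offsets).
write_sample_features() {
    {
        printf '# Feature-Recorder: telephone\n'
        printf '# Filename: donor_disk.dd\n'
        printf '1048\t(501) 555-0100\tcall (501) 555-0100 today\n'
        printf '90112\t(501) 555-0199\tfax: (501) 555-0199 office\n'
        printf '204800-GZIP-312\t(501) 555-0100\tphone=(501) 555-0100 home\n'
        printf '733184\t(501) 555-0100\tTel (501) 555-0100 ext\n'
    } > "$1"
}

# Demonstration on the sample; point the functions at the real
# telephone.txt in the Bulk Extractor Output folder instead.
sample=$(mktemp)
write_sample_features "$sample"
summarize_features "$sample"
raw_offsets "$sample" '(501) 555-0100'
rm -f "$sample"
```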