sponsored by the
Seamus Ross
Luciana Duranti
Stephen Eniss
Cal Lee
Brad Glisson
Patricia Galloway
Susan Thomas
Peter Hornsby
Michael Olson
Jeremy Leighton John
Simson Garfinkel
Barbara Guttman
Leo Scanlon
Leslie Johnston
Amy Friedlander
Cliff Lynch
o Matthew Kirschenbaum
  Associate Professor of English and Associate Director, Maryland Institute for Technology in the Humanities, University of Maryland
o Richard Ovenden
  Associate Director, Bodleian Library, Oxford
o Gabriela Redwine
  Archivist and Electronic Records Specialist, Harry Ransom Center, The University of Texas at Austin
o Rachel Donahue (Research Assistance)
o Luciana Duranti
  Professor, School of Library, Archival and Information Studies, University of British Columbia
o Bradley Glisson
  Director and Lecturer, Computer Forensics and e-Discovery, Humanities Advanced Technology and Information Institute, University of Glasgow
o Cal Lee
  Assistant Professor, School of Information and Library Science, University of North Carolina, Chapel Hill
o Rob Maxwell
  Lead Incident Handler, Office of Information Technology and Founder, Digital Forensic Lab, University of Maryland
o Doug Reside
  Associate Director, Maryland Institute for Technology in the Humanities
o Susan Thomas
Proposed to Mellon early 2009
Funded July 2009
Research and Writing through April 2010
Symposium May 2010
Revisions June-August 2010
Submission to CLIR August 2010
Archives and Cultural Heritage Professionals (Manuscript Repositories)
Technical Forensics Community
Textual Scholars
Funders
Introduce Computer Forensics to Cultural Heritage Community
Identify Points of Convergence
Create Basis for Further
“Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer data.”
“It’s not at all like what you see on “CSI.” Computer forensics can be tiresome, dreary, boring, and downright drudgery. Performing a competent analysis can take days, weeks, or even months depending upon the subject, the condition and state of the hard drive, or the importance of the case. For that time period, the examiner is literally trying on the subject’s life, wearing it like a costume for eight or more hours a day. Everything someone likes, hates, is interested in, fantasizes about, or fetishes goes through his or her keyboard at one point or another. Think about every email message you’ve ever written…every chat you’ve ever typed…every website you’ve ever visited…every phrase you’ve ever searched for online.
“Seriously…think about it. I’ll give you a moment.
Diplomatics
Questioned Document Examination
Analytical and
“Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more, bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value.”
“The first step is preservation, where we attempt to preserve the crime scene so that the evidence is not lost. In the physical world, yellow tape is wrapped around the scene. In a digital world, we make a copy of memory, power the computer off, and make a copy of the hard disk. In some cases, the computer cannot be powered off and instead suspicious processes are killed and steps are taken to ensure that known evidence is copied and preserved.”
File System Forensics
Network Forensics
Incident Response
Intrusion Detection
Web Forensics
“Data remanence is the residual physical representation of data that has been in some way erased.”
-- A Guide to Understanding Data Remanence in Automated Information Systems
http://www.fas.org/irp/nsa
“Secure file deletion on Windows platforms is a major exercise, and can only be part of a secure ‘wipe’ of one’s entire hard disk. Anything less than that is likely to leave discoverable electronic evidence behind.”
-- Michael Caloyannides,
Authenticity and Integrity
Discovery
Redaction
British Library
Bodleian
Stanford
Emory
UT Austin (and Ransom Center)
Terminology
Expense
Training
“Smoking Gun” Fallacy
mgk@umd.edu
http://mith.info/forensi