sponsored by the



Seamus Ross



Luciana Duranti



Stephen Eniss



Cal Lee



Brad Glisson



Patricia Galloway



Susan Thomas



Peter Hornsby



Michael Olson



Jeremy Leighton John



Simson Garfinkel



Barbara Guttman



Leo Scanlon



Leslie Johnston



Amy Friedlander



Cliff Lynch

sponsored by the

o

Matthew Kirschenbaum

o Associate Professor of English and Associate Director, Maryland Institute for Technology in the Humanities, University of Maryland

o

Richard Ovenden

o Associate Director, Bodleian Library, Oxford

o

Gabriela Redwine

o _{Archivist and Electronic Records Specialist,}

Harry Ransom Center, The University of Texas at Austin

o

Rachel Donahue (Research Assistance)

o Luciana Duranti

o Professor, School of Library, Archival and Information Studies, University of British Columbia

o Bradley Glisson

o Director and Lecturer, Computer Forensics and e-Discovery, Humanities Advanced Technology and Information Institute, University of Glasgow

o Cal Lee

o Assistant Professor, School of Information and Library Science, University of North Carolina, Chapel Hill

o Rob Maxwell

o Lead Incident Handler, Office of Information Technology and Founder, Digital Forensic Lab, University of Maryland

o Doug Reside

o Associate Director, Maryland Institute for Technology in the Humanities

o Susan Thomas



Proposed to Mellon

early 2009



Funded July 2009



Research and Writing

through April 2010



Symposium May 2010



Revisions June-August

2010



Submission to CLIR

August 2010



Archives and Cultural

Heritage Professionals

(Manuscript Repositories)



Technical Forensics

Community



Textual Scholars



Funders



Introduce Computer

Forensics to Cultural

Heritage Community



Identify Points of

Convergence



Create Basis for Further

“Computer forensics

involves the

preservation,

identification, extraction,

documentation, and

interpretation of

computer data.”

“It’s not at all like what you see on “CSI.” Computer forensics can be tiresome, dreary, boring, and downright drudgery. Performing a competent analysis can take days, weeks, or even months depending upon the subject, the condition and state of the hard drive, or the importance of the case. For that time period, the examiner is literally trying on the subject’s life, wearing it like a costume for eight or more hours a day. Everything someone likes, hates, is interested in, fantasizes about, or fetishes goes through his or her keyboard at one point or another. Think about every email message you’ve ever written…every chat you’ve ever typed…every website you’ve ever visited…every phrase you’ve ever searched for online.

“Seriously…think about it. I’ll give you a moment.



Diplomatics



Questioned

Document

Examination



Analytical and

“Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more, bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value.”

“The first step is preservation, where we attempt to preserve the crime scene so that the evidence is not lost. In the physical world, yellow tape is wrapped around the scene. In a digital world, we make a copy of memory, power the computer off, and make a copy of the hard disk. In some cases, the computer cannot be powered off and instead suspicious processes are killed and steps are taken to ensure that known evidence is copied and preserved.”



File System

Forensics



Network Forensics



Incident Response



Intrusion

Detection



Web Forensics

“Data remanence is the

residual physical

representation of data

that has been in some

way erased.”

--

A Guide to

Understanding Data

Remanence in Automated

Information Systems



http://www.fas.org/irp/nsa

“Secure file deletion on

Windows platforms is a

major exercise, and can

only be part of a secure

‘wipe’ of one’s entire

hard disk. Anything less

than that is likely to leave

discoverable electronic

evidence behind.”

-- Michael Caloyannides,



Authenticity

and Integrity



Discovery



Redaction



British Library



Bodleian



Stanford



Emory



UT Austin (and

Ransom Center)



Terminology



Expense



Training



“Smoking Gun”

Fallacy



mgk@umd.edu



http://mith.info/forensi