Our Approach: Before we get into the nitty-gritty, it might be helpful to give our equipment choices some context. Whenever possible, we want to use the simplest and most inexpensive solutions that still allow us to preserve material to our high standards. This has led us to use off the shelf computing equipment for the workstations and add forensic-specific peripherals as needed. We were first introduced to this approach via this 2012 blog post by Porter Olsen (and this 2013 follow up post) on building a workstation at the Maryland Institute for Technology in the Humanities. We have also had the pleasure of speaking with several colleagues from different institutions. Applying their experiences with a range of off the shelf and specialized equipment to our context was invaluable.
Another important factor driving our approach is our backlog of material on removable media. We see this as our number one digital preservation concern and developing production-level workflows for imaging that media is our primary objective. This means using the lab as a testbed for specific equipment or software, or pursuing any major research or development projects independent of those workflows, will have to wait for another day. We would also like to share our work with the community and assume it will be applicable to more institutions if it doesn't start with “Step 1: buy one $7,000 computer”. Don’t get me wrong, I like spending money on things with lights and buttons, and those FREDs do look pretty sweet, but we feel these decisions should be driven by the make up, needs, and priorities of our digital content. Right now off the shelf workstations fit the bill.
Our Equipment:
Imaging Workstation I
OS: Windows 10
Key software: FTK Imager, Brunnhilde via BitCurator VM, Virtualbox
Specifications: Intel i7-6700, 32GB RAM, SSD system disk and 1TB hard drive for VM storage
Nickname: Darth
This machine was purpose-built to run FTK Imager and virtualize obsolete operating systems and additional preservation tools using Virtualbox. We first used Darth as the main workstation for optical disks, 5.25 floppies, some USB-based media and files without physical container. This workstation provides the flexibility to run FTK Imager, Bagger, and the software included with Device Side Data’s FC5025 natively on Windows while running the awesome tool Brunnhilde in a BitCurator VM. This has emerged as our preferred OS/software configuration.
Imaging workstation #1 finds your lack of faith disturbing. Shown running a BitCurator VM.
Imaging Workstation II
OS: Windows 10
Key software: FTK Imager, Brunnhilde via BitCurator VM
Specifications: Intel Core i7-6700 CPU, 16GB RAM, SSD system & storage disk
Nickname: Ms. Pacman (formally Mr. Crummy)
Mr. Crummy (named after a document recovered from a virus-ladened hard drive) was our second-generation computer intended to run BitCurator as its native operating system and was built using the recommended configuration. While BitCurator tools were the core pieces of software in the first year of our forensic imaging program, we recently adapted our workflow and shifted away from BitCurator as the central software platform. As such, we reimaged this workstation using Darth’s Windows 10 based configuration, and Ms. Pacman was born. More on BitCurator below.
Ms. Pacman (still in need of an appropriate desktop image) set up with a FC5025 and vintage 5.25 inch floppy drive.
Additional Workstations & Equipment: We have two more workstations in the lab, one more Windows 10 rig (Little Ms. Sunshine) and an iMac (Macky). These computers are standard configurations except the dual Ethernet ports on each for external and in-lab networks. Sunshine is primarily used to test workflows but can be pressed into production if necessary. Macky is used in cases where we need OSX and manages transfers from our local NAS to more permanent preservation storage. Speaking of the NAS, we use a 15TB Drobo for the lab’s storage pool. Chromebooks to access online resources while working at the off-line imaging stations round out our modern workstation inventory.
We also have several pieces of specialized forensic peripherals. These include two hardware write blockers from Digital Intelligence for use with external USB and Firewire media, and a CRU Forensic ComboDock for accessing bare SATA and IDE hard drives. Device Side Data’s FC5025 allows us to connect vintage 5.25 inch floppy drives via USB for imaging.
ComboDock in action. And no, this photo was not staged just for this blog post. Nope. Not at all.
More on BitCurator: Although this is a post on hardware, I want to flesh out our use of BitCurator a bit. Over the past year we experienced stability issues with it as a native OS, running the gamut from annoying freezes to major issues in how it handled external storage media. This instability, together with the flexibility of the FTK/ BC VM approach, led us to transition our workflows to Windows-based machines. Since that transition, we have not experienced any of the instability we faced when running BitCurator as the native OS.
This change highlights how the approach mentioned at the top of this post drives our decisions. We will continue to adopt workflows, tools, and equipment that work best for us while prioritizing the design of stable, sharable, well-documented, and production-focused process. That is not to say we don’t want to help in the design and troubleshooting of community tools like BitCurator, but production will remain the main focus as long we we have a backlog of media to preserve.
Watch for more posts on the lab, including a super nerdy discussion on software and our growing collection of vintage machines!