Computer Forensics and Cultural Heritage

Matthew Kirschenbaum University of Maryland


Post on 06-Jan-2016


DESCRIPTION

Computer Forensics and Cultural Heritage. Matthew Kirschenbaum, University of Maryland. Sponsored by the Andrew W. Mellon Foundation.

TRANSCRIPT

Page 1: Computer Forensics and  Cultural Heritage

Matthew Kirschenbaum, University of Maryland

Page 2: Computer Forensics and  Cultural Heritage

sponsored by the Andrew W. Mellon Foundation

Page 3: Computer Forensics and  Cultural Heritage

Seamus Ross, Luciana Duranti, Stephen Eniss, Cal Lee, Brad Glisson, Patricia Galloway, Susan Thomas, Peter Hornsby, Michael Olson, Jeremy Leighton John, Simson Garfinkel, Barbara Guttman, Leo Scanlon, Leslie Johnston, Amy Friedlander, Cliff Lynch

“Despite its origins in law enforcement, security and other areas seemingly far removed from the cultural heritage sector, we saw an amazing degree of convergence between the professional forensics community and attendees charged with the stewardship of born digital materials from arts, humanities, and personal archives.”

Page 4: Computer Forensics and  Cultural Heritage

sponsored by the Andrew W. Mellon Foundation

Page 5: Computer Forensics and  Cultural Heritage

o Matthew Kirschenbaum
    o Associate Professor of English and Associate Director, Maryland Institute for Technology in the Humanities, University of Maryland
o Richard Ovenden
    o Associate Director, Bodleian Library, Oxford
o Gabriela Redwine
    o Archivist and Electronic Records Specialist, Harry Ransom Center, The University of Texas at Austin
o Rachel Donahue (Research Assistance)
    o Doctoral Candidate, University of Maryland College of Information Studies

Page 6: Computer Forensics and  Cultural Heritage

o Luciana Duranti
    o Professor, School of Library, Archival and Information Studies, University of British Columbia
o Bradley Glisson
    o Director and Lecturer, Computer Forensics and e-Discovery, Humanities Advanced Technology and Information Institute, University of Glasgow
o Cal Lee
    o Assistant Professor, School of Information and Library Science, University of North Carolina, Chapel Hill
o Rob Maxwell
    o Lead Incident Handler, Office of Information Technology and Founder, Digital Forensic Lab, University of Maryland
o Doug Reside
    o Associate Director, Maryland Institute for Technology in the Humanities
o Susan Thomas
    o Digital Archivist, Bodleian Library, Oxford

Page 7: Computer Forensics and  Cultural Heritage

Proposed to Mellon early 2009

Funded July 2009

Research and Writing through April 2010

Symposium May 2010

Revisions June-August 2010

Submission to CLIR August 2010

Publication late 2010

Page 8: Computer Forensics and  Cultural Heritage

Archives and Cultural Heritage Professionals (Manuscript Repositories)

Technical Forensics Community

Textual Scholars

Funders

Donors

Page 9: Computer Forensics and  Cultural Heritage

Introduce Computer Forensics to Cultural Heritage Community

Identify Points of Convergence

Create Basis for Further Contact and Collaboration

Page 11: Computer Forensics and  Cultural Heritage

“Computer forensics involves the preservation, identification, extraction, documentation, and interpretation of computer data.”

–Kruse and Heiser, Computer Forensics: Incident Response Essentials (2002)

Page 12: Computer Forensics and  Cultural Heritage

“It’s not at all like what you see on “CSI.” Computer forensics can be tiresome, dreary, boring, and downright drudgery. Performing a competent analysis can take days, weeks, or even months depending upon the subject, the condition and state of the hard drive, or the importance of the case. For that time period, the examiner is literally trying on the subject’s life, wearing it like a costume for eight or more hours a day. Everything someone likes, hates, is interested in, fantasizes about, or fetishes goes through his or her keyboard at one point or another. Think about every email message you’ve ever written…every chat you’ve ever typed…every website you’ve ever visited…every phrase you’ve ever searched for online.

“Seriously…think about it. I’ll give you a moment.

“Now think about me reading and seeing it all. That should scare you a little bit, and if it didn’t, you’re probably lying to yourself. It’s okay. Most people do.”

http://www.forensicfocus.com/the-darker-side-of-computer-forensics

Page 13: Computer Forensics and  Cultural Heritage

Diplomatics

Questioned Document Examination

Analytical and Descriptive Bibliography

Page 14: Computer Forensics and  Cultural Heritage

“Wherever he steps, whatever he touches, whatever he leaves, even unconsciously, will serve as a silent witness against him. Not only his fingerprints or his footprints, but his hair, the fibers from his clothes, the glass he breaks, the tool mark he leaves, the paint he scratches, the blood or semen he deposits or collects. All of these and more, bear mute witness against him. This is evidence that does not forget. It is not confused by the excitement of the moment. It is not absent because human witnesses are. It is factual evidence. Physical evidence cannot be wrong, it cannot perjure itself, it cannot be wholly absent. Only human failure to find it, study and understand it, can diminish its value.”

—Paul L. Kirk. 1953. Crime investigation: physical evidence and the police laboratory. Interscience Publishers, Inc.: New York.

Page 15: Computer Forensics and  Cultural Heritage

“The first step is preservation, where we attempt to preserve the crime scene so that the evidence is not lost. In the physical world, yellow tape is wrapped around the scene. In a digital world, we make a copy of memory, power the computer off, and make a copy of the hard disk. In some cases, the computer cannot be powered off and instead suspicious processes are killed and steps are taken to ensure that known evidence is copied and preserved.”

--Brian Carrier

http://www.digital-evidence.org/di_basics.html

Page 16: Computer Forensics and  Cultural Heritage

File System Forensics

Network Forensics

Incident Response

Intrusion Detection

Web Forensics

Mobile Forensics

Page 17: Computer Forensics and  Cultural Heritage

“Data remanence is the residual physical representation of data that has been in some way erased.”

--A Guide to Understanding Data Remanence in Automated Information Systems

http://www.fas.org/irp/nsa/rainbow/tg025-2.htm

Page 20: Computer Forensics and  Cultural Heritage

“Secure file deletion on Windows platforms is a major exercise, and can only be part of a secure ‘wipe’ of one’s entire hard disk. Anything less than that is likely to leave discoverable electronic evidence behind.”

-- Michael Caloyannides, Computer Forensics and Privacy (Norwood, MA: Artech House, 2001), 28

Page 26: Computer Forensics and  Cultural Heritage

Authenticity and Integrity

Discovery

Redaction

Data recovery

Page 27: Computer Forensics and  Cultural Heritage

British Library

Bodleian

Stanford

Emory

UT Austin (and Ransom Center)

MITH at Maryland

Page 28: Computer Forensics and  Cultural Heritage

Terminology

Expense

Training

“Smoking Gun” Fallacy

Ethics

Page 29: Computer Forensics and  Cultural Heritage

[email protected]

http://mith.info/forensics