bitcurator operating

8/10/2019 Bitcurator Operating

1/18

BitCurator Operating Instructions

Published:

Revised:


2/18

UALR Center for Arkansas History and Culture

1 Revised:

ContentsIntroduction ..................................................................................................................................... 2

Whats an Image? ....................................................................................................................... 2

Booting up BitCurator .................................................................................................................. 4

Booting for the First Time ....................................................................................................... 4

Mounting Media as Read-Only .............................................................................................. 4

Creating a Forensic Image with Guymager .......................................................................... 6

Understanding Linux Directory Structure ............................................................................ 8

Generating a Forensic Report .................................................................................................. 12

Viewing a Forensic Report ........................................................................................................ 16


3/18


Revised: 2

IntroductionBitCurator is open-source digital forensic software designed to help archival

institutions acquire images of digital files.

Whats an Image?A digital image is a snapshot of the digital file that contains the content and metadata.

With an image, you are not using the actual digital file, just the snapshot.


4/18


3 Revised:

Blankpage


5/18


Revised: 4

Booting up BitCurator

Booting for the First Time

1.

Open Oracle VM VirtualBox. Click Settings.

2. Click USB.

3.

Uncheck All USB Devices under USB Device Filters.

4. Click OK.

5. Select the BitCurator virtual machine and click Start.

6. Once BitCurator has loaded, insert the external media

into your computer.

Do NOT insert external media until BitCurator has booted.

Mounting Media as Read-OnlyMaking a drive read-only is important to ensure the digital objects will not be changed or

overwritten. To mount a drive as read-only, click the green drive icon at the top-right of the

screen and Set mount policy READ-ONLY.

Once you have booted BitCurator

for the first time, you no longer

have to go through the Settings

menu in steps 1-4.


6/18


5 Revised:

Blankpage


7/18


Revised: 6

Creating a Forensic Image with Guymager

1. Double-click the Imaging Toolsfolder

2. Double-click Guymager.

3.

Select the drive you want to image (click Rescanif you do not see the image listed).

4. Right-click on the drive and click Acquire image.

5.

Click Linux dd raw imageunder File format.

5.1 Select TiBunder Split size.

5.2. Select Image directoryto designate the location of the saved image file.

5.3: Give the image a file name.

5.4: Click Start.

Figure 1: Acquiring image in Guymager


8/18


7 Revised:

Figure 2: Dialog box in Guymager


9/18


Revised: 8

Understanding Linux Directory StructureThe BitCurator software runs on the Linux Ubuntu operating system. The Linux

directory structure is slightly different from the Windows version. Linux organizes files

in a tree-like structure. The top of the tree is the root folder. All other folders stem from

the root folder.

Many folders in the directory pertain to the booting of the system and execution of

programs. For the purposes of these instructions, the directory you need to use is

Home. Home contains the folders for Desktop, Documents, Music, and Pictures. When

you create an image, you want to put it in the Home directory.

Figure 3: Abstract graphic of Linux file system


10/18


9 Revised:

Figure 4: home

directory

Figure 5:

bcadmin folder

within home

directory


11/18


12/18


11 Revised:

Blankpage


13/18


14/18


13 Revised:

7. Click Submit Run

Once the scanning has finished, new files will be located in the Bulk Extractor Output

folder. One of those files is an XML file that shows information about the image file.

8. Click BitCurator Reporting Tool in the Forensic Tools Folder

Figure 9: Selecting what file types to

scan in Bulk Extractor Viewer


15/18


Revised: 14

9. Click the Reportstab.

10.Under Fiwalk XML file, navigate to the XML file that was created in the Bulk Extractor

Output folder.

10.1: Under Annotated Feature File Directory, navigate to the Annotated Features folder youcreated on the desktop.

10.2: Under Output Directory for Reports, navigate to the Report Output folder you createdon the desktop and type a filename for the report.

11.Click Run.

When the report is completed, you can view each report item in the folder you created on the

desktop.


16/18


15 Revised:

Blank page


17/18


Revised: 16

Viewing a Forensic Report

1.

OpenBulk Extractor Viewer in the Forensic Tools folder

2. Click Open Reportunder the File menu

3.

Under Report File, navigate to the XML file that was created in the Bulk Extractor

Output folder

4. Under image file, click Select Custom Path. Navigate to the image file you created in

Guymager

5. Click OK.

6. Click on the type of report you want to view in the Reportswindow. In the Feature

Filewindow, you will see all of the files that pertain to a specific filter.

When you click on a specific file in Feature File, you will see the relevant data in the

file image. In Figure 11, the left window shows that the telephone filter is selected. The

middle window shows all of the telephone numbers that have been found in the disk

image. The right window shows where the numbers are located in the disk image.

Figure 10: Opening a report in Bulk Extractor Viewer


18/18


Figure 11: Viewing a report in Bulk Extractor Viewer