Forensic workstation

how it might assist your digital preservation activities…

In March 2020 I decided to create a forensic workstation to give me the capacity to support clients looking to extract or process files from a range of media. I documented the process (and the costs) through a series of four blogs:

  1. the base unit – including starting point and specification 
  2. additional hardware – including hard drives, zip drives and floppy disk drives
  3. software – supporting software you might need including anti-virus and digital preservation tools 
  4. write blockers – what are they and how do I use one

I was conscious that the approach taken in the blogs meant that some more general aspects and considerations were not covered. I have deliberately avoided making explicit recommendations as this is dependent on a number of variable factors including ICT support and policies, digital preservation skills, knowledge and experience at the institution. What is right for one service may not be appropriate for another.

What is a forensic workstation?

A forensic workstation is a device that you use specifically for processing born-digital archives and should be a key component to every digital preservation workflow.

The scale and extent of born-digital archives is on a different scale than many archivists are used to. Instead of talking about boxes or linear metres, accessions might be measured in terms of number of files (10,000+ is not untypical) with extent in GB or TB.  We have new tools and new opportunities to help us undertake routine processing tasks but also to gain new insights and perspectives into the material in our care.

You can purchase a system designed for this specific task, but the FRED (Forensic Recovery Evidence Device) machines start at £5000. Assuming you don’t have this sum to invest you can build your own forensic workstation to provide similar functionality for a fraction of the cost as my blogs have highlighted.

Considerations – networked or not?

Being freelance and not based within an organisation the question of whether to network the workstation or not was not one I need to make. Many recommend keeping the workstation off the network to eliminate the risk of a virus from the media spreading onto the network. However this also has the impact of needing a workable solution for installing and updating the anti-virus software on the workstation. Some tools like DROID also rely on updates but these can be downloaded and transferred across manually.

If at all possible secure the appropriate administrator permissions to allow you to download and install other software to support your digital preservation activities. 

Considerations – media formats?

I started with an expectation of needing to handle a range of media including 3.5″ floppy disks, CD and DVDs and hard drives from computers and laptops (see additional hardware – part 2). I recognised that I may need to identify solutions for other media formats (zip drives, Amstrad disks etc) as and when the need arises. In an institutional setting this might be determined by undertaking a review of media already held within existing collections.

I have produced a 2 page summary (300kb, PDF) of the hardware options my forensic workstation (including the additional hardware and write blockers) supports as things currently stand.

Consideration – at what point do I need a forensic workstation? 

From experience it can be beneficial to consider your digital preservation journey as one of several stages that may occur in parallel or staggered as resources allow:

  1. Intellectual control: gaining an understanding of what born-digital items are currently held in the archive
    – this typically results in the creation of an information audit identifying media formats held and possibly consideration of the framework in which a digital preservation strategy needs to exist.

  2. Physical control: informed by an understanding of media formats held
    – this typically results in setting aside (or purchasing) drives to read prioritised media formats and initial efforts to document steps and processes to read and extract files. Creating or re-purposing a forensic workstation often occurs at this point.

  3. Talking to depositors: helped by the confidence gained through gaining intellectual and physical control
    – this typically results in updating physical forms and process and a preliminary digital preservation policy (be inspired by other institutions policies) but emphasis is on collecting and not on providing access (at this point).

  4. Joining the dots: how does digital preservation link to any existing cataloguing and/or discovery systems
    – this typically results in a roadmap showing how the parts might work together. Consideration given to how and where appraisal, cataloguing, rights management and metadata are managed.

  5. Access: considering what access looks like (eg via a locked-down laptop or online)
    – this typically begins with small collections with low risks to test the processes and then scaled-up. All processes and documentation can now be reviewed and updated.  

If you have an idea or a proposal you would like to discuss with me please use the contact form to get in touch.