Tag Archives: archives technology

Awkward Adventures in Digital Forensics

So, this happened at work yesterday:

Awkward Seal meets Digital Forensics

Awkward Seal meets Digital Forensics

Yep, that happened.

I should probably back up:

Libraries and archives have been long familiar with all manner of ways to handle, preserve, provide access to, and generally “deal with” paper- (and film-) based materials (letters, diaries, newspapers, photographs, microfilm, etc.)—-you know, the stuff you can hold IN YOUR HANDS and see what it is—-and even, to a reasonable extent stuff you can’t see what it is just by looking at it (audio/video tapes?).

And then there’s all this “new” digital stuff. I say “new” in quotation marks because, hey, it’s really not THAT new. But it’s a lot newer than, say, paper. But it’s new enough. New enough that for many years, archivists have been sort of…shall we just say, not dealing with it quite to the extent that one might have hoped?

Digital stuff — floppy disks, CDs, DVDs, USB flash drives, hard drives, etc. (not to mention your online life, like webmail and social media) — actually takes a lot more coddling than the paper stuff. Did you ever go up to your grandmother’s attic or your father’s garage and stumble onto a box of neat paper stuff from like 50+ years ago? And you rummaged through it, awed by all the neat things you either never saw before or had completely forgotten about?  Who hasn’t done that, right?

Well, if in 50 years, you stumble onto a box of today’s records, you might be out of luck because there’s a good chance those records will be stored on some type of digital media. Yep, imagine you just found a box of CDs, or better yet floppy disks. Imagine a box of floppy disks in 50 years. You have enough trouble finding the drive you need to read those NOW, am I right?

USB floppy disk drive

USB floppy disk drives are about $15 on Amazon – if you have floppies, get one and start your migration now, while you still can!

OK, so digital media present a variety of challenges to archivists. It’s actually pretty fragile (keep away from light, heat, and in some cases magnets); it’s dependent on technology/hardware to read it (not just your eyes or a magnifying glass); and it can’t survive by accident like a box of papers could. And those are just some of the problems of keeping the data “alive.” Not to mention figuring out how to arrange and describe the files or to provide access to them.

(Here’s a tip: Writing the equivalent of “oh there’s also 1 floppy disk” somewhere in your finding aid probably isn’t going to be super helpful. What’s on it? Do you even know? Can you trust the label—if there even is one? And if it’s on floppy disk, how are you going to let patrons use it? Do you have a floppy disk drive available? And how are you going to make sure that nobody accidentally overwrites the data? Oh and what if the floppy disk spontaneously stops working at some point — or already has — and who hasn’t experienced that?—no comments from those of you too young to even remember floppy disks!— Man those transparent neon ones were the worst for failing at inopportune times—probably due to light damage, I know now!)

OK so there are all these…problems. And a lot of archives have been sort of sweeping this problem under the rug for a while now. Well, the research about how to deal with these problems seems to have been growing rather exponentially over the past several years, and so a lot of us are finally getting our digital act together and attempting to figure out what to do…including the archives where I work.

My co-worker Toni (as the preservation archivist) and I (as the digital initiatives archivist) have been charged with learning how to handle our collections’ digital preservation needs. We’ve been attending “digital preservation” and “electronic records” workshops (SAA’s Digital Forensics for Archivists 2-day workshop was fantastic); reading up on all sorts of things (highly recommend OCLC’s Demystifying Born Digital Reports as a starting point for anyone interested in this topic- they’re simple & to the point, but great); and downloading & experimenting (on test data sets/disks only) with free & trial software (such as FTK Imager). We have learned about using write-blockers and creating disk images to capture the entire contents of a piece of media without inadvertently changing it or missing anything.

Which brings us to what happened yesterday—and another lesson in digital stuff (and this lesson is for everyone, not just archivists).

So we were experimenting with FTK Imager yesterday afternoon, and we popped in a floppy disk I had brought from home. It had a blank adhesive label on it (on which I later wrote my name once I discovered the contents), and we had used Windows Explorer to drag/drop two boring Microsoft Office documents onto it so we were sure there would be something to image.

Here’s what the contents of that floppy disk looked like to Microsoft Windows (2 files):

Floppy disk contents viewed in Windows Explorer

Floppy disk contents viewed in Windows Explorer

Then, we used FTK Imager to create a disk image, capturing ALLLLLLLL of the contents of that disk——including remnants of any deleted files that were never overwritten. That’s right, I said deleted files.

So when we looked at the disk contents in FTK Imager, here’s what we saw (and that’s about the time my jaw dropped and I started with the nervous “omigod-blast-from-the-past-in-a-bad-way” laughter as Toni looked over my shoulder probably wondering if I had gone mad):

Floppy disk contents viewed in FTK Imager

Floppy disk contents viewed in FTK Imager

Um yeah, that’s more than the 2 files I was expecting. Apparently, this was a disk that I DID use…in 2002…and still had lying around. I recognized (and was immediately mortified by the presence of) a diary entry from an ex-boyfriend, nor was I thrilled about what those chat logs from AOL Instant Messenger (hey remember that?) might contain. I also recognized other innocuous MS Office documents: Excel files containing lists of all my classes & grades, Word documents with translations for Latin class (such as the copy of Tacitus’s Annales you can see selected in the image—notice that you can see the hex as well as the text in the window underneath), and other things that looked like school stuff. (We actually exported and opened some of these files I deemed definitely-not-embarrassing. — Oh, and I have since, in the privacy of my own home, looked at that diary entry and the chat logs—-all totally harmless, but who doesn’t have things from sophomore year of college that they’d rather not revisit in front of co-workers?)

We actually were able to learn some things during this experiment, some of which actually pertained to what we were trying to do, but the most salient of these lessons (for me at least) was this:

The IT folks are not just making things up when they tell you that your files are not really gone simply because you hit delete and you cannot “see” them in your operating system anymore. The data is still there unless it is overwritten.

All you did was delete the pointer to that data, cluing your drive in that it can reuse that space if it wants to. If you tore the index pages out of the back of a book, does the content of the book cease to exist? Nope. Sort of like that. If you are interested in a technical explanation of what’s going on when you delete files and why they’re not really gone, I highly recommend this blog post: How-To Geek Explains: Why Deleted Files Can Be Recovered and How You Can Prevent It.

But the bottom line is that when you delete a file, it’s not really gone. I knew this. I KNEW this. But knowing it on the level of “I read it in a book and I’ve heard knowledgeable people say it also,” and knowing it on the level of “omigod I just saw the proof” are not the same. (This must be why they make you do lab experiments in chem class…)

And omigod I just saw the proof. And that was WAY. TOO. EASY.

So. HTG (How-To Geek) suggests some ways to actually truly erase data if/when you need to. But personally, if I had something I wanted to never see the light of…well, a screen…again EVER, then I would only be satisfied with the physical destruction of the media (better copy anything you actually DO want onto a new drive first though). So, to conclude, for your viewing enjoyment, here are some YouTube videos of people physically destroying data on:

…hard drives (you’re going to need a hammer to bust up the platters inside)…

…floppy disks (some of the videos just crinkled them but I wouldn’t trust anything that doesn’t involve cutting up that magnetic disk)…

…and CDs (oh there are tons for this one—who hasn’t tried the microwave one? the melting one is fun—and of course there’s always just breaking it—but one guy even claims to have 101 ways)…

OK, that’s enough fun for now. Hopefully I was able to turn this slightly embarrassing work story into a teachable moment! And yes, I have taken that disk home with me and it will be getting destroyed…

Carry on, folks, and listen to your IT guys!

FIITA: Kables and Cox, redux

Hey, remember just yesterday when I wrote about the Kables and Cox mill records from old Osborn? Well, I have an update — yes, already!

Near the end, I wrote the following lines about the donor named on a placard in the front of each book: “They were donated by one Mrs. F. G. Szonnell – I’m now a little curious how she fits into the picture. Sometimes it’s obvious how or why donors have the things that they donate; not in this case. Perhaps I will do a little digging…”

As it turns out, I don’t have to do any digging. As a matter of fact, earlier today a patron visited me at the library and saved me a lot of time and effort I might have spent on said digging! Having gotten his permission, I’m going to tell you what he told me:

I happened to be working the local history reference desk when a man walked in and asked for Lisa Rickey. Hey, that’s me!  So I asked, “What can I do for you?” Then he mentioned WordPress. My first thought was, Uh-oh, what did I write? I’ve only had this thing for 4 months – have I upset someone already?! 

Then he identified himself as Mr. Dan Szonnell, and I recognized the name immediately. He said he found my blog when he was searching for his name online, and his mother was Mrs. F. G. Szonnell who donated the items mentioned in yesterday’s blog entry. What a fantastic coincidence!

He said he remembered that she bought the books at an auction in the 1950s or 1960s and later donated them to the library. As far as he knew, that was the only connection between his mother and the books.

I’m so glad Mr. Szonnell stopped by to tell me this. I would have assumed — as seems to be the case most of the time — that the person donating the materials was somehow related to the creators. You know the drill: a relative dies and their things are passed on down the line; sometimes those things make their way to a library or archives. But such was not the case here, and I’m glad I didn’t spend any time trying to figure out the connection. I never would have found the link by searching Ancestry.com!

So I give my thanks to Mr. Dan Szonnell for taking the time to tell me the story and for giving me permission to share the story here.

I must say, I’ve had a lot more response to this blog than I expected when I started it up. I’ve had good luck with WordPress and Flickr actually coming up on Google search results. It’s very encouraging; makes me feel that my attempts at sharing history in this way are actually worthwhile. Since people can actually find it, it makes me want to keep doing it! 🙂