
When pulling files for patron requests, you may occasionally come across corrupted or incomplete disk images. These are disk images with blank file trees, file trees containing only program files (see image below), or disk images that, when analyzed in Disk Image Processor, produce an error such as "Cannot read DFXML." Be especially aware of CDs from the company RitzPic, or CDs whose extent is listed as "12 digital files, 10 MB." If you come across these CDs, scroll down to Part II - Overwritten Content.


Image: A disk image with only program files.
Image: A RitzPic CD.


Part I - Corrupted or Erroneous Disk Images
These disks can have multiple things wrong with them. The following guide is not an exhaustive list, but rather steps that have previously successfully recovered missing information.

  1. "Error Reading DFXML File"
     Some disk images appear fine, but when analyzed in Disk Image Processor come back with the message "Error Reading DFXML File." If this is the case, mount the disk image in FTK Imager and/or Autopsy to verify whether the disk image successfully captured the content. If the files are present on the disk image but analysis continues to give an error message, mount the disk image in FTK Imager (if not already). Go to Step 3 of Part II - Overwritten Content and follow the steps to extract and analyze the files.

Part II - Overwritten Content

Some disk images in the collection only pick up metadata from the company that produced the disks. So far, this has only been the case for CDs from the company RitzPic (example above). These CDs come back with extents of 12 digital files & 10 MB and a date range of 10/6/05-10/7/05. If you come across these disks, go through the following steps to extract and analyze the original content.
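The two symptoms above (an unreadable DFXML report, or a file tree whose extent and dates match the RitzPic company-files pattern) can be screened for before opening each image by hand. The script below is an added example, not part of this page or of Disk Image Processor; it assumes the standard DFXML namespace, the thresholds are taken from the extents quoted above, and the DFXML excerpt is constructed sample input.

```python
# Added example: triage a DFXML report for the two cases described on this page,
# a report that cannot be parsed ("Cannot read DFXML") and a file tree that
# looks like company-only content (about 12 files, about 10 MB, dated 10/6/05-10/7/05).
import xml.etree.ElementTree as ET
from datetime import date

# Assumption: the DFXML namespace used by fiwalk / Disk Image Processor output.
NS = {"dfxml": "http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML"}

# Constructed sample: a two-file excerpt shaped like a company-only image.
SAMPLE_DFXML = """<?xml version="1.0"?>
<dfxml xmlns="http://www.forensicswiki.org/wiki/Category:Digital_Forensics_XML" version="1.0">
  <volume>
    <fileobject><filename>AUTORUN.INF</filename><filesize>60</filesize>
      <mtime>2005-10-06T12:00:00Z</mtime></fileobject>
    <fileobject><filename>VIEWER.EXE</filename><filesize>10485700</filesize>
      <mtime>2005-10-07T09:30:00Z</mtime></fileobject>
  </volume>
</dfxml>"""

def summarize(dfxml_text):
    """Return (file_count, total_bytes, earliest_mtime, latest_mtime), or None if unreadable."""
    try:
        root = ET.fromstring(dfxml_text)
    except ET.ParseError:
        return None  # the "Cannot read DFXML" case: verify the image in FTK Imager / Autopsy
    count, total, dates = 0, 0, []
    for fo in root.iter("{%s}fileobject" % NS["dfxml"]):
        count += 1
        size = fo.find("dfxml:filesize", NS)
        total += int(size.text) if size is not None and size.text else 0
        mtime = fo.find("dfxml:mtime", NS)
        if mtime is not None and mtime.text:
            dates.append(date.fromisoformat(mtime.text[:10]))  # keep the YYYY-MM-DD part
    return count, total, (min(dates) if dates else None), (max(dates) if dates else None)

def looks_like_company_only(summary, max_files=12, max_bytes=10 * 1024 * 1024):
    """Heuristic from the page: at most ~12 files, about 10 MB, all dated 10/6/05-10/7/05."""
    if summary is None:
        return False  # unreadable report is a different problem (Part I), not this pattern
    count, total, first, last = summary
    in_window = first is not None and date(2005, 10, 6) <= first and last <= date(2005, 10, 7)
    return count <= max_files and total <= max_bytes * 1.05 and in_window  # 5% slack on size

if __name__ == "__main__":
    s = summarize(SAMPLE_DFXML)
    print(s, "-> check CD for Track 2" if looks_like_company_only(s) else "-> looks normal")
```

A flagged image is only a prompt to follow the steps below and look for Track 2 on the physical CD; a normal-looking summary does not prove the image is complete.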

1. Mount the disk image in FTK Imager to make sure the original content is not present in the file tree. Typically, the disk image will have this structure:


2. If the disk image has only company files, you will need to extract the files directly from the CD. Load the CD using the external CD drive and open it in FTK Imager.

    i. When FTK prompts you to select a Source Evidence Type, choose Logical Drive. The Source Drive will be D:\ - PHOTOS [CDFS].

3. When the disk is mounted, expand the file tree to view the files. You should see a "Track 1" and "Track 2." Track 1 will be the company files picked up in the disk image, and Track 2 will be the original content you want to extract.

4. In the Evidence Tree, navigate to the level you want to export. Right-click and choose "Export Files." Export them to the "Disk Images" folder under the title "AIPNUMBER_files" (e.g., 2017009_02_252_files).

5. Now, switch to BitCurator on the Spyder laptop. Open CCA Tools > Folder Processor.

6. Click Select Source and navigate to "Disk Images." Load the entire file. In the main window, select the folders you want to analyze by clicking the box to the left of each folder name; select only the folder(s) you are working with currently. In this example, I would only select 2017009_02_252_files. Select the Destination as the Disk Image Output folder on the external hard drive. Select Run bulk_extractor. Then, click Create SIPs.


7. The program will create analysis files for the folder, just as Disk Image Processor does for a disk image. When the output is complete, analyze it for malware, PII, and generated metadata. Once any necessary modifications have been made, copy the _files folder to the AIP destination (e.g., TOSHIBA EXT > 2017009_02 > 2017009_02_252) so the files can be bagged. Replace any documentation with the correct information.

