Problematic Disk Images

When pulling files for patron requests, you may occasionally come across corrupted or incomplete disk images. These are disk images with blank file trees, file trees containing only program files (see image below), or disk images that, when analyzed in Disk Image Processor, produce an error or "Cannot read DFXML" message. Be especially aware of CDs from the company RitzPic or CDs whose extent is listed as "12 digital files, 10 MB." If you come across these CDs, scroll down to Part II - Overwritten Content.


A disk image with only program files.
A RitzPic CD.


Part I - Corrupted or Erroneous Disk Images
Several different things can be wrong with these disks. The following is not an exhaustive list, but a set of steps that have successfully recovered missing information in the past.

  1. "Error Reading DFXML File"
    1. Some disk images appear fine, but when analyzed in Disk Image Processor come back with the message "Error Reading DFXML File." If this is the case, mount the disk image in FTK Imager and/or Autopsy to verify whether the disk image successfully extracted the content. If the files are present on the disk image but analysis continues to give an error message, mount the disk image in FTK Imager (if not already). Go to Step 3 of Part II - Overwritten Content and follow the steps to extract and analyze the files.
  2. Incomplete Disk Images
    1. If a disk image shows only program files but you believe there should be collection material present, mount the disk in FTK Imager. Expanding the Evidence Tree will reveal the disk's file structure and any files present.
    2. If this attempt is unsuccessful, mount the disk in Autopsy. Analyze the disk to see if any more files appear.
    3. If this does not work, it is likely that the disk has degraded and lost some or all of its content. Feel free to come back to the disk at a later date or if you learn any new information. If it is a floppy disk, it may need to be imaged with the Kryoflux. Read the Guide to Using the Kryoflux and reach out to the Harry Ransom Center for further assistance.

Part II - Overwritten Content

Some disk images in the collection only pick up metadata from the company that produced the disks. So far, this has only been the case for CDs from the company RitzPic (example above). These CDs come back with extents of 12 digital files and 10 MB and a date range of 10/6/05-10/7/05. If you come across these disks, go through the following steps to extract and analyze the original content.

1. Mount the disk image in FTK Imager to make sure the original content is not present in the file tree. Typically, the disk image will have this structure:


2. If the disk image has only program/company files as in the example above, you will need to extract the files directly from the CD. Load the CD using the external CD drive and open it in FTK Imager.

    i. When FTK prompts you to select a Source Evidence Type, choose Logical Drive. The Source Drive will be D:\ - PHOTOS [CDFS].

3. When the disk is mounted, expand the file tree to view the files. You should see a "Session/Track 1" and "Session/Track 2." Track 1 will be the generic files picked up in the disk image, and Track 2 will be the original content you want to extract.

4. In the Evidence Tree, navigate to the level you want to export. Right-click and choose "Export Files." Export them to the "Disk Images" folder under the title "AIPNUMBER_files" (e.g., 2017009_02_252_files).

5. Now, switch to BitCurator on the Spyder laptop. Open CCA Tools>Folder Processor.

6. Click Select Source and navigate to "Disk Images." Load the entire file. In the main window, select the folders you want to analyze by clicking the box to the left of the folder name. Click only the file(s) you are working with currently. In this example, I would only select 2017009_02_252_files. Select the Destination as the Disk Image Output folder on the external hard drive. Select Run bulk_extractor. Then, click Create SIPs.


7. The program will create analysis files for the folder just like Disk Image Processor creates for a disk image. When the output is complete, analyze it for malware, PII, and generated metadata.

       i. The "date modified" field will now show the date you extracted the files. For a more accurate date range in the finding aid, you can amend this to show the most recent date in the file tree.

8. Once any necessary modifications have been made, copy the _files folder to the AIP destination (e.g., TOSHIBA EXT>2017009_02>2017009_02_252) so the files can be bagged. Replace any documentation with the correct information.
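
To spot affected disk images in a batch before a patron request surfaces them, the symptoms described above (unreadable DFXML, blank file tree, the 12-file/10 MB/October 2005 pattern) can be checked directly against each DFXML report. The following Python sketch is an added example, not part of Disk Image Processor or BitCurator. It assumes the standard DFXML elements fileobject, name_type, filesize and mtime, reads "10 MB" as 10,000,000 bytes with a 10% tolerance, and the names triage and sample are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import date, datetime

# Pattern from Part II: 12 files, about 10 MB, dated 10/6/05-10/7/05.
FILES, BYTES = 12, 10_000_000
TOLERANCE = 0.10  # assumption: the "10 MB" extent is rounded, so allow 10%
FIRST, LAST = date(2005, 10, 6), date(2005, 10, 7)

def local(tag):
    """Drop the XML namespace so namespaced and bare DFXML both match."""
    return tag.rsplit("}", 1)[-1]

def triage(dfxml_text):
    """Classify one DFXML report as unreadable, blank, overwritten or ok."""
    try:
        root = ET.fromstring(dfxml_text)
    except ET.ParseError:
        return "unreadable"        # the "Cannot read DFXML" case
    sizes, dates = [], []
    for el in root.iter():
        if local(el.tag) != "fileobject":
            continue
        f = {local(c.tag): (c.text or "").strip() for c in el}
        if f.get("name_type", "r") != "r":
            continue               # count regular files only, not directories
        sizes.append(int(f.get("filesize") or 0))
        if f.get("mtime"):
            dates.append(datetime.fromisoformat(f["mtime"].rstrip("Z")).date())
    if not sizes:
        return "blank"             # blank file tree
    size_ok = abs(sum(sizes) - BYTES) <= BYTES * TOLERANCE
    dates_ok = bool(dates) and FIRST <= min(dates) and max(dates) <= LAST
    if len(sizes) == FILES and size_ok and dates_ok:
        return "overwritten"       # go to Part II and read the CD directly
    return "ok"

def sample(n, size, day):
    """Constructed DFXML for the demo: n files of equal size and mtime."""
    obj = ("<fileobject><filename>F{0}.DAT</filename><name_type>r</name_type>"
           "<filesize>{1}</filesize><mtime>{2}T09:00:00Z</mtime></fileobject>")
    return "<dfxml>" + "".join(obj.format(i, size, day) for i in range(n)) + "</dfxml>"

if __name__ == "__main__":
    print(triage(sample(12, 850_000, "2005-10-06")))    # matches the pattern
    print(triage(sample(40, 2_000_000, "1999-03-14")))  # ordinary image
    print(triage("<dfxml><fileobject>"))                # truncated report
```

A result of "overwritten" only means the report matches the known pattern; confirm by checking the CD for a second session as in step 3.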