
BitCurator Operating Instructions

Published:

Revised:

UALR Center for Arkansas History and Culture

Contents
Introduction
  What's an Image?
Booting up BitCurator
  Booting for the First Time
  Mounting Media as Read-Only
Creating a Forensic Image with Guymager
Understanding Linux Directory Structure
Generating a Forensic Report
Viewing a Forensic Report


Introduction
BitCurator is open-source digital forensic software designed to help archival
institutions acquire images of digital files.

What's an Image?
A digital image is a snapshot of the digital file that contains the content and metadata.
With an image, you are not using the actual digital file, just the snapshot.


Booting up BitCurator
Booting for the First Time
1. Open Oracle VM VirtualBox. Click Settings.
2. Click USB.
3. Uncheck All USB Devices under USB Device Filters.
4. Click OK.
5. Select the BitCurator virtual machine and click Start.

Once you have booted BitCurator for the first time, you no longer have to go through the
Settings menu in steps 1-4.

6. Once BitCurator has loaded, insert the external media into your computer.
Do NOT insert external media until BitCurator has booted.

Mounting Media as Read-Only


Mounting a drive as read-only ensures that the digital objects on it cannot be changed or
overwritten. To mount a drive as read-only, click the green drive icon at the top-right of the
screen and select Set mount policy READ-ONLY.
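
One way to confirm from a terminal that the read-only policy took effect before imaging, as an added example that is not part of the original instructions. It reads a mount table in /proc/mounts format and lists anything under a prefix that is still writable; the /media prefix and the sample table are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original instructions.
# Assumption: removable media is mounted somewhere under /media.

# writable_mounts PREFIX [FILE]
#   FILE uses the /proc/mounts layout: device mountpoint fstype options dump pass.
#   Prints each mount point at or below PREFIX whose option list lacks "ro".
#   Returns 0 if every such mount is read-only, 1 otherwise.
writable_mounts() {
    prefix=$1
    table=${2:-/proc/mounts}
    awk -v prefix="$prefix" '
        $2 == prefix || index($2, prefix "/") == 1 {
            n = split($4, opts, ",")
            ro = 0
            # Exact match only, so "errors=remount-ro" is not mistaken for "ro".
            for (i = 1; i <= n; i++)
                if (opts[i] == "ro") ro = 1
            if (!ro) { print $2; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    ' "$table"
}

# Constructed sample table (a space in a mount point appears as \040).
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /media/bcadmin/DONOR_USB vfat ro,nosuid,nodev,relatime 0 0
/dev/sdc1 /media/bcadmin/FLOPPY\040A vfat rw,nosuid,nodev,relatime 0 0
/dev/sdd1 /mediafiles ext4 rw,relatime 0 0
EOF
}

# Demo on the sample; on the workstation itself run: writable_mounts /media
sample_mounts | writable_mounts /media - || echo "still writable: do not image yet"
```
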


Creating a Forensic Image with Guymager


1. Double-click the Imaging Tools folder.
2. Double-click Guymager.
3. Select the drive you want to image (click Rescan if you do not see the image listed).
4. Right-click on the drive and click Acquire image.
5. Click Linux dd raw image under File format.

Figure 1: Acquiring image in Guymager

5.1: Select TiB under Split size.
5.2: Select Image directory to designate the location of the saved image file.
5.3: Give the image a file name.
5.4: Click Start.


Figure 2: Dialog box in Guymager


Understanding Linux Directory Structure


The BitCurator software runs on the Ubuntu Linux operating system. The Linux
directory structure is slightly different from the Windows one. Linux organizes files
in a tree-like structure. The top of the tree is the root folder. All other folders stem from
the root folder.
Many folders in the directory pertain to the booting of the system and execution of
programs. For the purposes of these instructions, the directory you need to use is
Home. Home contains the folders for Desktop, Documents, Music, and Pictures. When
you create an image, you want to put it in the Home directory.

Figure 3: Abstract graphic of Linux file system


Figure 4: home directory

Figure 5: bcadmin folder within home directory


Figure 6: Folders inside bcadmin directory


Generating a Forensic Report


1. Create three folders on the desktop and title them Bulk Extractor Output, Report
Output, and Annotated Features.
2. Double-click on Forensic Tools and open Bulk Extractor Viewer.
3. Click the Run Bulk Extractor icon.

Figure 7: Run Bulk Extractor icon

4. Under Image file, navigate to the image file you created in Guymager.
5. Under Output Feature Directory, navigate to the Bulk Extractor Output folder you
created on the desktop.
6. Under Scanners, make sure base16, Facebook, and Outlook are checked.

Figure 8: Navigating to the image file and bulk extractor output folder


Figure 9: Selecting what file types to scan in Bulk Extractor Viewer

7. Click Submit Run.

Once the scanning has finished, new files will be located in the Bulk Extractor Output
folder. One of those files is an XML file that shows information about the image file.
8. Click BitCurator Reporting Tool in the Forensic Tools folder.


9. Click the Reports tab.


10. Under Fiwalk XML file, navigate to the XML file that was created in the Bulk Extractor
Output folder.

10.1: Under Annotated Feature File Directory, navigate to the Annotated Features folder you
created on the desktop.

10.2: Under Output Directory for Reports, navigate to the Report Output folder you created
on the desktop and type a filename for the report.
11. Click Run.
When the report is completed, you can view each report item in the folder you created on the
desktop.


Viewing a Forensic Report


1. Open Bulk Extractor Viewer in the Forensic Tools folder.
2. Click Open Report under the File menu.
3. Under Report File, navigate to the XML file that was created in the Bulk Extractor
Output folder.
4. Under image file, click Select Custom Path. Navigate to the image file you created in
Guymager.

Figure 10: Opening a report in Bulk Extractor Viewer

5. Click OK.
6. Click on the type of report you want to view in the Reports window. In the Feature
File window, you will see all of the files that pertain to a specific filter.
When you click on a specific file in Feature File, you will see the relevant data in the
file image. In Figure 11, the left window shows that the telephone filter is selected. The
middle window shows all of the telephone numbers that have been found in the disk
image. The right window shows where the numbers are located in the disk image.
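
The same information can be read straight from a feature file in the Bulk Extractor Output folder. The sketch below is an added example, not part of the original instructions: it summarises a feature file (comment lines starting with "#", then tab-separated offset, feature and context) into one line per distinct feature. The sample records are constructed, and telephone.txt is assumed as the name of the telephone feature file.

```shell
#!/bin/sh
# Added example, not part of the original instructions.

# feature_summary FILE
#   FILE is a bulk_extractor feature file: "#" header comments followed by
#   records of the form  offset<TAB>feature<TAB>context.
#   Prints  count<TAB>first_offset<TAB>feature  for each distinct feature,
#   most frequent first (ties ordered by feature).
feature_summary() {
    awk -F '\t' '
        /^#/ || NF < 2 { next }                 # skip comments and blank lines
        {
            if (!($2 in first)) first[$2] = $1  # offset where it was first seen
            count[$2]++
        }
        END {
            for (f in count) printf "%d\t%s\t%s\n", count[f], first[f], f
        }
    ' "$1" | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k3,3
}

# Constructed sample records in feature-file layout (fictional numbers).
sample_telephone() {
    printf '# Feature-Recorder: telephone\n'
    printf '1024\t(501) 555-0100\tcall (501) 555-0100 today\n'
    printf '88064\t(501) 555-0199\tfax: (501) 555-0199\n'
    printf '204800\t(501) 555-0100\tTel (501) 555-0100.\n'
}

# Demo on the sample; on a real run pass the path to telephone.txt
# inside the Bulk Extractor Output folder instead of "-".
sample_telephone | feature_summary -
```
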


Figure 11: Viewing a report in Bulk Extractor Viewer
