Disk Imaging


Troubleshooting the Disk Imaging Workflow

Jennifer Allora and Guillermo Calzadilla, Under Discussion, 2005, color video, sound, 6 minutes 14 seconds
Philadelphia Museum of Art

I’m winding down on the 8th month of my NDSR Art Residency at the Philadelphia Museum of Art and I still have not viewed any of the pieces in the time-based media collection. I’ve seen the DVDs in their cases and the external hard drives neatly tucked away in a storage cabinet, but I have not viewed a single work.

You might be wondering why I don’t just pop a DVD into a DVD player and watch it. Sounds simple enough. Well, think of it this way: if we are to treat the artwork stored on this DVD with the same care as we would a Picasso painting, you can’t just yank it out of storage and throw it in a gallery. Because the condition of the piece is unknown when it is first purchased or pulled from long-term storage, it must first be assessed for degradation or damage. Furthermore, not a single piece in the PMA collection has been backed up: that single copy is all we’ve got. Since I’m not a time-based media art conservator and the PMA does not have one currently on staff, watching a one-of-a-kind DVD has not really been an option.

Until now!

After months of research and meetings with many stakeholders across the Museum (conservators, curators, executives, IT, and archivists) and building a framework to preserve the time-based media art collection, I finally have the resources to create backups of the works currently stored on DVDs and external hard drives.

In order to make certain I am fully backing up the artwork, I have chosen to create forensic disk image backups. A forensic disk image captures every bit of the drive, including the software that makes that hardware work and any deleted content that has not been overwritten. Simultaneously, during the disk imaging process vital technical metadata is extracted and made human readable. The reason for using this approach is simple: forensic disk images produce an authentic and complete preservation backup of the object.

For reference, here’s my workstation setup:

Computer: Digital Intelligence Forensic Recovery of Evidence Device (FRED)

External Hard Drives: G-Technology 6TB G-Drive with Thunderbolt 3 and LaCie 6TB d2 Thunderbolt 3 Desktop Drive

Write Blocker: Tableau Ultrabay 4d

Computer OS: Windows 10

Software: Windows Defender Antivirus software; Oracle VM VirtualBox running the BitCurator Environment. In BitCurator, I’m using prepackaged software: Guymager for creating images; Bulk Extractor for pulling technical metadata; BitCurator Reports for making that metadata easier to read; and Bagger for securely transferring the content.

Over the past two weeks, I’ve slowly and carefully been imaging the master and exhibition DVDs of Jennifer Allora and Guillermo Calzadilla’s 2005 video piece Under Discussion. As expected, this undertaking has not been without its fair share of unexpected obstacles that have required troubleshooting. Although troubleshooting is very much a learn-as-you-do activity, I think it could be useful to share a few examples of the issues I encountered and how I eventually solved them. (Disclaimer: If you find any of my solutions lacking or inaccurate, please do not hesitate to contribute your thoughts to the conversation.)

Problem: BitCurator would not recognize a DVD.

Solution: This can happen for a number of reasons. In my case, BitCurator didn’t automatically recognize the DVD and, consequently, I had to do it manually. At the top of the BitCurator window in the Devices dropdown menu, I found the missing device under Optical as “Host E:”. When BitCurator finally recognized the device, a disk icon appeared in the desktop dock.

Problem: Windows 10 would not recognize an attached disk.

Solution: Devices can only be recognized by one operating system at a time. Once BitCurator is running, it will automatically recognize any devices I attach to the computer; therefore, if BitCurator is open the device will not be recognized in the computer’s native Windows 10 environment. Once I closed BitCurator, the device could be recognized by Windows.

Problem: Guymager does not accommodate some special characters (hyphens, umlauts, etc.) in the disk image file names and destination folders. This has become a larger issue for me because I want to use the TMS Object Number in the unique identifier of digital files and these Object Numbers contain hyphens. When I use a special character that Guymager won’t recognize, an error message informs me it will automatically remove that problem character (i.e. 2006-84-1e becomes 2006841e).

Solution: My solution thus far has been to manually add the hyphens into the file names after the files have been created by Guymager. To make sure the file names match the metadata in the .info file, I have to open the .info file in text software like LibreOffice (included in BitCurator), alter the file names to include the hyphens, and then resave. As this adds a number of steps to the workflow, this is not an ideal long-term solution. Next steps are to explore other imaging software options and/or reassess our unique identifier standards.

Problem: Scanning an external device for viruses without putting the computer at risk of infection.

Solution: Turn off all “Autoplay” and “Auto Mount” settings in Windows 10 and BitCurator and then manually select the drive for virus scanning.

Problem: The newest version of BitCurator VM, 1.8.16, will not fully boot up and gets stuck at an Ubuntu login terminal screen. Additionally, after installation of the new version, the older 1.7.40 version of BitCurator that was still installed in the VM also stopped fully booting.

Solution: This issue is still not fully resolved, unfortunately. After reading through the BitCurator Google Group threads and a number of Ubuntu forums, it would appear the issue derives from the version of Ubuntu in the 1.8.16 BitCurator package. (Please correct me if I am wrong about this!). As it is not recommended to update the programs packaged in BitCurator, these Ubuntu bugs will not be fixed until the next version of BitCurator is released. In the meantime, I have removed the 1.8.16 version completely from the FRED computer. The most thorough way I have found to do this is, from the VirtualBox home screen, right click on version 1.8.16 and select Remove. I was then asked if I wanted to remove BitCurator from VirtualBox or if I wanted to remove the files from the computer. I selected the remove-all-files option. I removed the older version 1.7.40 in the same way and then reinstalled it. The older version is working again.

Problem: Cannot update software on the FRED because it is not connected to the Internet. Consequently, important virus software definitions are always out-of-date.

Solution: On a computer that was connected to the Internet, I found the most recent update of, for example, the Microsoft Defender Antivirus software and downloaded it to that computer. I copied the downloaded file to an external hard drive which I then plugged into FRED. I ran through the installation steps and found that the software was automatically updated. I then deleted the downloaded file off the FRED as it was no longer needed.

NOTE 1: Keeping a log of the updates and setting updates standards/schedules will help with making the updating process consistent and accurate.

NOTE 2: Before adding any new files to the FRED computer, a quick virus check of the external hard drive should be performed in order to verify that it has not been infected by newly downloaded content.

The last example is just one of many issues I’ve stumbled upon related to working on a non-networked computer. I had not anticipated how difficult it would be to manage a computer like the FRED! I’ll never again take for granted all of the automated updating my computer does, because manually managing an non-networked computer is no small task.

If you have any digital forensics troubleshooting experiences, please share them!