Skip to content

Home

Jump to bottom
e2d2 edited this page Aug 31, 2016 · 1 revision

Welcome to the rmc-workflow-scripts wiki!

The following is RMC's documentation on how to use the data triage scripts and what they are doing behind the scenes. RMC technicians perform this activity in our BitCurator environment.

  1. Open a terminal window and navigate to where disk image triage scripts live.

    ```````````cd Desktop/rmc-workflow-scripts/disk-image-triage ```````````
  2. Copy each disk image and log file into folder based on the media number.

    1. In terminal window, run the following script. Replace RMA04133 with the collection number you've been working with.

      ```````````python3 organize-dirs.py ~/Desktop/RMA04133```````````

    2. If they are large files (CDs, DVDs), this will take some time. When it is finished, spot check to make sure all files look like they've been successfully copied.

  3. Aggregate Guymager log files into a single csv file. CSV file is saved under directory "organized"

    1. In terminal window, run the following script. Again, replace RMA04133 with the collection number you've been working with.

      ```````````python3 guymager-log-md.py ~/Desktop/RMA04133```````````
    2. CSV file is saved under directory "organized"

    3. CSV output columns and where it’s pulling data from and meaning:

      1. rmc_accession: guymager Case Number (technician inputted)

      2. rmc_item_number: guymager Evidence number (technician inputted)
      3. technician: guymager Examiner (technician inputted)
      4. file_path: guymager Image path (technician inputted)
      5. disk_image_format: guymager Format (technician selected)
      6. acquire_date: Ended (guymager calculates from time stamp of process end time)
      7. acquisition_time: how long it took to image and verify (guymager calculates and script translates)
      8. raw_md5_hash: MD5 hash (hash value of raw disk image, not of e0x file)
      9. number_sector_errors: if bad sector errors are listed
  4. Extract raw disk image from .e0x files, identify what file system(s) are represented on media, and dumps values into csv file

    1. In terminal window, run the following script. Again, replace RMA04133 with the collection number you've been working with.

      ```````````python3 filesystem-id.py ~/Desktop/RMA04133```````````
    2. CSV file is saved under directory "organized"
  5. Run Bulk Extractor over raw disk images to identify potential level 1 data.

    1. In terminal window, run the following script. Again, replace RMA04133 with the collection number you've been working with.

      ```````````python3 level1-data.py ~/Desktop/RMA04133```````````
    2. A folder gets created under each media folder for the bulk extractor output .txt files. These can be used to review potential level1 data.
    3. CSV file is saved under directory "organized"
    4. CSV output columns and where it’s pulling data from and meaning:
      1. alerts.txt: 0 if file is 0 bytes; 1 if file is greater than 0 bytes
      2. ccn_track2.txt: 0 if file is 0 bytes; 1 if file is greater than 0 bytes
      3. ccn.txt: 0 if file is 0 bytes; 1 if file is greater than 0 bytes
      4. pii.txt: 0 if file is 0 bytes; 1 if file is greater than 0 bytes
      5. telephone.txt: 0 if file is 0 bytes; 1 if file is greater than 0 bytes
      6. level_1: 0 if alerts.txt, ccn_track2.txt, cnn.txt, or pii.txt are 0; otherwise 1 (means there may be Level 1 data and technician should review)
      7. level_2: 0 if telephone.txt is 0; otherwise 1 (means there may be telephone numbers and technician may wish to review)

  6. Combine CSV output files into single file for inclusion into digital accession spreadsheet

    1. In terminal window, run the following script. Again, replace RMA04133 with the collection number you've been working with.

      ```````````python3 merge-outputs.py ~/Desktop/RMA04133/```````````

    2. CSV output columns and where it’s pulling data from and meaning:

      1. rmc_accession: guymager Case Number (technician inputted)

      2. rmc_item_number: guymager Evidence number (technician inputted)
      3. technician: guymager Examiner (technician inputted)
      4. file_path: guymager Image path (technician inputted)
      5. disk_image_format: guymager Format (technician selected)
      6. acquire_date: Ended (guymager calculates from time stamp of process end time)
      7. acquisition_time: how long it took to image and verify (guymager calculates and script translates)
      8. raw_md5_hash: MD5 hash (hash value of raw disk image, not of e0x file)
      9. number_sector_errors: if bad sector errors are listed
      10. alerts.txt: 0 if file is 0 bytes; 1 if file is greater than 0 bytes
      11. ccn_track2.txt: 0 if file is 0 bytes; 1 if file is greater than 0 bytes
      12. ccn.txt: 0 if file is 0 bytes; 1 if file is greater than 0 bytes
      13. pii.txt: 0 if file is 0 bytes; 1 if file is greater than 0 bytes
      14. telephone.txt: 0 if file is 0 bytes; 1 if file is greater than 0 bytes
      15. level_1: 0 if alerts.txt, ccn_track2.txt, cnn.txt, or pii.txt are 0; otherwise 1 (means there may be Level 1 data and technician should review)
      16. level_2: 0 if telephone.txt is 0; otherwise 1 (means there may be telephone numbers and technician may wish to review)
      17. exx_total_size: size of .e0x file
Clone this wiki locally