Almost There with BitCurator

For the last couple of weeks on the Sustaining MedArt project, I have focused on compiling what I have learned from comparing MedArt with MedArt-2014, in addition to continuing to work with BitCurator.

In my last post I excitedly announced that I had conquered BitCurator, perhaps a bit prematurely. I have found that creating a disk image of the hard drive holding MedArt and MedArt-2014 may not be possible. The 2 TB hard drive is too large to be successfully imaged on a computer with only 700 GB of storage left. To combat this problem, I tried making a copy of MedArt (which is only 1.8 GB and much easier to work with than the 7.7 GB MedArt-2014), but I have not been able to get BitCurator to read any of the copies I made.

However, I was able to simply copy and paste MedArt onto a small 16 GB flash drive and was able to use it to successfully experiment with some of the forensic tools on BitCurator. Using tools like Bulk Extractor to create reports, I was able to see everything that had ever been on the flash drive I was using, even though everything on the flash drive was deleted before the copy of MedArt was added. I did find a few things that were interesting, like email addresses attached to certain files that showed me when the files had been emailed and to whom. But the reports really seemed to focus on the actual flash drive more than on its present contents. So I think I will start moving away from BitCurator tools that require a disk image, granted there are not very many.

The BitCurator tools that might provide more useful responses are FITS and sdhash, which I learned about by talking to Matt Burton in DSS. FITS can extract metadata from MedArt and MedArt-2014, and sdhash can compare data. I’m also going to look into Mac’s FileMerge utility, which can compare folders. Hopefully, using these tools, I will be able to get results more relevant to the Sustaining MedArt project.