Creating Disk Image Reports using the BitCurator Reporting Tool

Overview

BitCurator users have the option to run a number of different reporting tools against their disk images. Although each of these tools can be run individually, users may alternatively use the "Run All" tab of the BitCurator Reporting Tool in order to simultaneously execute fiwalk, the annotated features report, and the BitCurator forensic reports.

Step 1

Open the BitCurator Reporting Tool by double clicking on the "Forensics Tools" folder on the BitCurator desktop and then double clicking on the "BitCurator Reporting Tool" icon.

Step 2

Select the "Run All" tab from the options along the top ("Run All" is the default selection, see Figure 1).

Step 3

Type or navigate to the location of the following files or directories (see Figure 1):

  • Image File: The location of the forensic disk image to be analyzed.
  • Bulk Extractor Feature Directory: The directory containing the bulk_extractor results associated with the disk image above.
  • Output Directory (fiwalk output, annotated features, and reports will appear in here): A new directory that will be created by the BitCurator Reporting Tool to contain the listed reports.
  • Config File (optional): For additional configuration files; generally left empty.

If you use the navigation button to select the Output Directory, type the name of the new directory in the "Name:" field at the top left of the window and then click "Save". Do not use the "Create Folder" button on the right to create this new directory.


Figure 1

Step 4

Once each of the file and directory fields above is properly filled out, click the "Run" button. The activity bar on the bottom left will indicate that the report generation process is still ongoing. Once complete, a success or error message will appear in the "Command Line Output" window (see Figure 2).


Figure 2

Step 5

Completion of the steps above generates the following files in the directory you specified under Output Directory in Step 3:

  • features (directory): The annotated features generated by bulk_extractor;
  • bc_format_bargraph.pdf (file): Histogram showing file formats;
  • bulk_extractor_report.pdf (file): High-level overview of bulk_extractor feature locations on disk;
  • fiwalk_deleted_files.pdf (file): File documenting paths to any deleted materials found in a given partition;
  • fiwalk-output.xml.xlsx (file): DFXML output (file system metadata) converted to an Excel spreadsheet;
  • fiwalk_report.pdf (file): High-level overview of file system characteristics;
  • format_table.pdf (file): Long-form file format names for formats shown in bc_format_bargraph.pdf;
  • premis.xml (file): PREMIS preservation metadata.

Open the BitCurator reports directory to examine the files. You’ll find visualizations, XLSX transcriptions of file system metadata, high-level reports on file types, and overviews of features identified by bulk_extractor.
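As an added example (not part of BitCurator or of this guide), the Python script below checks an Output Directory against the Step 5 list: each item must exist and be non-empty, PDFs and the XLSX must begin with the expected file signature, and premis.xml must parse as XML. The function names and the signature checks are assumptions introduced here; only the file names come from the list above.

```python
import os
import sys
import tempfile
import xml.etree.ElementTree as ET

# File names are those listed in Step 5; the signature checks are assumptions added here.
MAGIC = {"pdf": b"%PDF-", "xlsx": b"PK\x03\x04"}  # an XLSX file is a ZIP container
PDFS = ("bc_format_bargraph.pdf", "bulk_extractor_report.pdf",
        "fiwalk_deleted_files.pdf", "fiwalk_report.pdf", "format_table.pdf")
EXPECTED = {**{n: "pdf" for n in PDFS}, "fiwalk-output.xml.xlsx": "xlsx", "premis.xml": "xml"}

def check_report_dir(out_dir):
    """Return a list of problems; an empty list means every listed output looks sane."""
    problems = []
    if not os.path.isdir(os.path.join(out_dir, "features")):
        problems.append("features: directory missing")
    for name, kind in EXPECTED.items():
        path = os.path.join(out_dir, name)
        if not os.path.isfile(path):
            problems.append(f"{name}: missing")
        elif os.path.getsize(path) == 0:
            problems.append(f"{name}: empty")
        elif kind == "xml":
            try:  # premis.xml is written by the tool itself, so the stdlib parser is used
                ET.parse(path)
            except ET.ParseError as exc:
                problems.append(f"{name}: not well-formed XML ({exc})")
        else:
            with open(path, "rb") as fh:
                if fh.read(len(MAGIC[kind])) != MAGIC[kind]:
                    problems.append(f"{name}: unexpected file signature")
    return problems

def build_constructed_sample(out_dir):
    """Write constructed stand-in files (not real BitCurator output) for a dry run."""
    os.makedirs(os.path.join(out_dir, "features"))
    for name, kind in EXPECTED.items():
        data = b"<premis/>" if kind == "xml" else MAGIC[kind] + b" constructed"
        with open(os.path.join(out_dir, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        found = check_report_dir(sys.argv[1])
    else:  # no argument: dry run against constructed stand-in files
        with tempfile.TemporaryDirectory() as tmp:
            build_constructed_sample(tmp)
            found = check_report_dir(tmp)
    print("\n".join(found) or "all listed outputs present with expected signatures")
```

Pass the Output Directory chosen in Step 3 as the only argument; with no argument the script runs against constructed stand-in files.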
