File names. They are important. I would prefer they do not contain symbols, diacritics or weird characters in them but that is one of the many challenges with digital collecting. Ignoring the fact that I work with digital collections professionally, for some reason it has taken me a while to come to the realisation that giving a file name some meaning is not only useful in general, but gives it context and a voice when it ends up somewhere else. It should not come as a surprise that completing an information management degree and working in a library has that affect.

As a photographer, I have been taking digital photographs since the early 2000s (although I would not have called myself a photographer back then). Somewhere along the line I decided that the file name assigned by the camera was important so I never renamed files once downloaded onto my computer. At least I had the common sense to begin organising my files in folders based on year, month and day at some point while studying photography but the earlier images are just in one folder for the entire year. What happens when IMG_0458.jpg finds itself on my desktop, in an email to someone else or orphaned out there in the digital world? My earlier digital cameras did not embed technical metadata into the file so the various dates (such as date created, or date modified) are not reliable indicators of its creation date. It also does not let me know what the photograph is unless I open the file to view it.

I have just over 2TB of digital photographs from 2002-2017 so it is definitely possible for files to lose their context given the amount of computers I have had during that time. Migrating data always involves risk, from data loss to files ending up in the wrong place. A couple of years ago I created my own file and folder naming schema for my digital photographs and I have progressively gone back through my archive to rename files and folders to give them more meaning (still more work to do there).

Example of my folder and file naming structure
The above example shows how the file name includes a date as well as a short description (in this case, my cat's name!). The folder structure keeps the files in an organised structure where I can easily find something if I know the rough date it was taken, and the descriptive name in both the folder and file name enable me to understand what it contains without opening the file first.

In the context of collecting institutions, file and folder naming conventions will be based on given systems and repositories. For example, folder names for born-digital acquisitions at SLNSW are based on the reference code assigned by the catalogue system (for either published or unpublished material) and we encourage our clients and donors to use descriptive file names where possible.

Using descriptive file names that includes both a date and short description ensure that digital files can speak for themselves without any in-depth analysis. It is also important to follow general file naming guidelines which include:

  • Follow basic computer system rules for file names. This includes only using alphanumeric characters, using hyphens or underscores instead of spaces, ensure file names end with a file extension
  • Use a unique name for each file
  • Append file names to distinguish originals from derivatives
  • Be consistent with file names
  • Do not use multiple names for the same file
Adapted from dpBestflow.org



This post is my contribution to the GLAM Blog Club August theme: 'Silence'.

Cover image: Any excuse to use a cat photo. This is 170302_Jade002, as seen in the naming example above.

I had the time to do some testing on a new Windows-based digital acquisitions computer last week. With word that there is a "MacBook" in the collection that needed to have a disk image created, I thought I would take the opportunity to do some testing on our own early 2011 MacBook Pro before the other device was taken out of storage for me to have a look at.

I was fortunate enough to complete advanced digital forensics training back in June this year and set out to work out the logistics of the task at hand - how can I create a forensic disk image of an Apple Mac computer using a PC running Windows?

My research led me to the discovery of Target Disk Mode (TDM) on Mac computers, which provides the ability to connect two computers using FireWire, Thunderbolt 2, USB-C, or Thunderbolt 3. While this is designed to connect two Mac computers, it also provides the ability to mount the drive on any other computer that has the ability to both connect to and read it. The challenge with a Windows-based machine is the ability to read Mac HFS file systems.

Hardware and Software


In my case, the digital acquisitions PC is running Windows 7, utilising FTK Imager to create the disk image. FTK Imager can detect and image Mac file systems without installing any additional software. If you want to mount and read the disk image, this requires the installation of drivers or other software. 

It is possible to download the HFS+ drivers for Windows, which will provide read-only access to the disk image or any HFS formatted storage media on a Windows machine. It is important to note that if you do this, you need to remove any other programs you might have installed to read HFS formatted drives.

Hardware based write-blockers are always recommended for any digital preservation/digital forensic work where possible. This is because hardware is more reliable than software when it comes to ensuring no data is being written to the target drive. I used a Tableau Forensic FireWire Bridge T9 to connect the Macbook to the PC.

You need a Mac computer with the ability to boot in TDM. It is also critical that FileVault is not turned on, otherwise the filesystem will be encrypted. If the disk is encrypted and you have the login details you can turn FileVault off, otherwise you will need to look into decryption. It is important to have these things in mind when laptops are acquired as part of a collection.

Disk Imaging

Once I had everything connected, and the MacBook booted in TDM, I used FTK Imager to create a physical disk image. With a 500GB hard drive on the Mac, I left the default image fragment size of 1.5GB which divides the image into a series of sequentially numbered files all 1.5 GB in size. You can set it to create one single file, but with restrictions on file sizes on various file systems it is best to break it down into smaller chunks.

The disk imaging process was roughly four hours, and due to the fact that I only had a couple of 256 solid state drives on the PC, I needed to split the output of files across the drives by adding an overflow image destination.

Results

I tried mounting the disk image through FTK Imager before I had installed the HFS+ drivers. This meant that Windows could not read it, and asked if I wanted to format the disk when trying to access it through the Windows file browser. After installing the drivers and re-mounting the disk image I had no problem browsing through the files and folders.

Once you have created the forensic disk image, you now have the ability to analyse it using software such as Forensic Toolkit (FTK) or BitCurator. Unfortunately I did not select a good target machine for analysis as the MacBook Pro had been reformatted and not used in a while so it did not contain enough content to warrant analysis.

Future Challenge

After successfully testing this method for remotely disk imaging a Mac computer, the aforementioned "MacBook" in the collection was located in storage and found its way to me. It turns out that it is actually an Apple iBook G3/366 SE (Original/Clamshell) that does not have a FireWire port or the ability to use TDM. On top of that, it also has no power supply and the battery has previously been removed because it was expanding and had damaged the laptop body.


The first step will be sourcing a power supply and determining whether the machine will turn on as well as what operating system it is running. Then it will be a matter of determining the best way to create a disk image. The last resort will be removing the hard drive if it is determined that the laptop is just a physical carrier and the content is considered the collection item. If anyone has experience with this, I would love to hear from you!






Further reading and resources:



Image credits: MacBook icon designed by D3Images / Freepik, Tableau forensic bridge icon designed by Matthew Burgess, PC computer icon from yED Graph Editor