Appearance
To transfer born-digital records safely, move them under controlled conditions that prove nothing changed: connect the donor's media through a write-blocker, capture the bits (a disk image where integrity matters, a metadata-preserving copy where it does not), generate a fixity checksum at the source and re-verify it after the copy, then quarantine and virus-scan before anything reaches your trusted store. The goal is a faithful, evidenced copy with original timestamps and paths intact — because those are the first things a careless transfer destroys.
What "safe transfer" actually means
Safe transfer is not just "getting the files off the stick". It means moving content into custody while (a) preserving the original bits exactly, (b) preserving the contextual metadata — filenames, paths, timestamps — and (c) producing evidence that the copy is faithful. A drag-and-drop in Explorer fails all three: it can change last-access dates, drop paths, and leaves no proof of integrity.
Why a write-blocker comes first
The moment you connect a donor's drive, the operating system may write to it — updating timestamps, creating index files, even mounting it read-write. A hardware or software write-blocker prevents that, so the act of reading the media cannot alter it. Use one whenever the original carrier has evidential value, which for born-digital archives is almost always.
bash
# Software write-block on Linux before imaging (BitCurator does this for you)
blockdev --setro /dev/sdbImage the carrier or copy the files?
Both are valid; the choice depends on what you need to preserve.
| Situation | Approach | Why |
|---|---|---|
| Forensic integrity, possible deleted files | Disk image (E01/raw) | Captures slack space and the full filesystem |
| Simple folder of live files | Logical copy with timestamp flags | Lighter, sufficient |
| Unknown / fragile media | Image first, extract later | One safe read of failing media |
| Optical disc | Image to ISO | Preserves structure |
A common pattern is to image first — one clean read of possibly failing media — then extract the logical files from the image at leisure.
How do you capture the image and prove fidelity?
Use a forensic imager (Guymager in BitCurator, or ewfacquire) that hashes as it reads, so integrity is proven in the same pass.
bash
# Forensic capture with embedded MD5/SHA-256 (EWF/E01 format)
ewfacquire -t /work/sip-204/disk -f encase6 -c best /dev/sdb
# Or a metadata-preserving logical copy when imaging is overkill
rsync -a --times /mnt/donor/ /work/sip-204/payload/
sha256deep -r /work/sip-204/payload > /work/sip-204/baseline.sha256ewfacquire records the source hash inside the image; for a logical copy, hash the source, copy, then hash the destination and compare.
Then what — quarantine, scan, identify
Freshly arrived files are untrusted. Hold them in quarantine, virus-scan, then identify formats before anything enters your store.
bash
clamscan -r --infected /work/sip-204/payload # virus scan
sf -json /work/sip-204/payload > formats.json # format identification (PUIDs)Only clean, identified content with verified fixity earns its way into the trusted archive. Anything that fails goes back to triage, not into the collection.
A practical end-to-end checklist
- Note the carrier (type, label, donor) and photograph it.
- Connect through a write-blocker.
- Image the media (or do a timestamp-preserving copy) with hashing on.
- Verify source and destination hashes match.
- Move the copy to quarantine; virus-scan.
- Identify formats (Siegfried) and generate filesystem metadata (DFXML).
- Record the transfer event: tool, version, date, operator, hashes.
- Release to ingest only after every check passes.
Following this in order means you never have to wonder later whether a record is authentic — the evidence is built in.
Key Takeaways
- Safe transfer preserves the bits, the contextual metadata, and proof of fidelity — not just the files.
- Always read donor media through a write-blocker so connecting it cannot alter it.
- Image when forensic integrity or deleted files matter; copy with timestamp flags when they do not.
- Hash at the source and re-verify after copying; matching hashes are your evidence.
- Preserve original filenames, paths and timestamps — a naive copy destroys them.
- Quarantine and virus-scan before anything reaches the trusted store, and log the transfer event in full.
Frequently Asked Questions
What does 'transfer' mean for born-digital records?
Transfer is the controlled movement of files from a donor's carrier (a USB stick, hard drive, or floppy) into your custody, capturing the bits and their original metadata intact and proving nothing changed in the process.
Why use a write-blocker?
A write-blocker physically prevents your workstation from writing to the donor's media, so the act of connecting and reading does not alter timestamps or content. Without one, simply plugging in a drive can change the very metadata you need to preserve.
Should I copy files or make a disk image?
Make a disk image when forensic integrity, deleted-file recovery, or the full filesystem context matters; do a logical file copy when you only need the live files and the carrier is simple. Many workflows image first, then extract.
How do I prove the transfer was faithful?
Generate a fixity checksum at the source and verify it after the copy. If the before and after hashes match, you have evidence the bits are identical; record both, the tool used, and the date.
What metadata must survive the transfer?
Original filenames, full paths, and the created/modified/accessed timestamps, plus the carrier's identity. These are easily destroyed by a careless copy, so use tools and flags that preserve them.
What is a quarantine step in transfer?
Quarantine holds the freshly transferred files in isolation for virus scanning and checks before they reach your trusted store, so malware or malformed packages never touch the archive.