OpenText TD4 Forensic Duplicator User Guide

June 1, 2024
OpenText TD4 Forensic Duplicator

Specifications

  • Product: OpenText Tableau Forensic TD4 Duplicator
  • Model: ISTD230400-UGD-EN-1
  • Manufacturer: Open Text Corporation
  • Address: 275 Frank Tompa Drive, Waterloo, Ontario, Canada, N2L 0A1
  • Contact: Tel: +1-519-888-7111, Toll Free Canada/USA: 1-800-499-6544, International: +800-4996-5440, Fax: +1-519-888-0677

Product Information

The OpenText Tableau Forensic TD4 Duplicator is a powerful and intuitive forensic duplicator designed for digital forensics practitioners. It offers high-performance imaging capabilities in a small, portable package. The touch screen user interface provides a familiar experience similar to modern tablets and smartphones.

Features:

  • Custom-built for forensics
  • Standard and advanced imaging features
  • Portable and compact design
  • User-friendly touch screen interface

Usage Instructions

Chapter 1: Preface

This chapter provides technical information and procedures for
using the OpenText Tableau Forensic TD4 Duplicator.

Drive Capacity and Transfer Rate Measurement Conventions:

Tableau products report drive capacities and transfer rates
according to the industry standard powers of ten convention. For
example, a 4 GB hard drive stores up to 4,000,000,000 bytes.

Chapter 2: Overview

The Tableau TD4 is a powerful forensic duplicator with a
user-friendly touch screen interface. It offers high-performance
imaging capabilities in a portable package.

Features:

  • Intuitive user interface
  • Standard and advanced imaging capabilities
  • Compact design for portability

FAQs

  • Q: Can the Tableau TD4 Duplicator be used for imaging multiple drives simultaneously?
    • A: Yes, the Tableau TD4 Duplicator supports imaging multiple drives simultaneously for efficient forensic operations.
  • Q: Is there a warranty for the Tableau TD4 Duplicator?
    • A: Open Text Corporation does not offer warranties for the accuracy of the features presented in the publication. Please refer to the disclaimer section in the user guide for more information.

OpenText™ Tableau™ Forensic TD4 Duplicator
User Guide
This guide presents a wide range of technical information and procedures for using the OpenText Tableau Forensic TD4 Duplicator.
ISTD230400-UGD-EN-1

OpenText™ Tableau™ Forensic TD4 Duplicator User Guide ISTD230400-UGD-EN-1 Rev.: 2023-Oct-19
This documentation has been created for OpenText™ Tableau™ Forensic TD4 Duplicator 23.4. It is also valid for subsequent software releases unless OpenText has made newer documentation available with the product, on an OpenText website, or by any other means.
Open Text Corporation
275 Frank Tompa Drive, Waterloo, Ontario, Canada, N2L 0A1
Tel: +1-519-888-7111 Toll Free Canada/USA: 1-800-499-6544 International: +800-4996-5440 Fax: +1-519-888-0677
Support: https://support.opentext.com
For more information, visit https://www.opentext.com
Copyright © 2023 Open Text.
One or more patents may cover this product(s). For more information, please visit https://www.opentext.com/patents.
Disclaimer
No Warranties and Limitation of Liability
Every effort has been made to ensure the accuracy of the features and techniques presented in this publication. However, Open Text Corporation and its affiliates accept no responsibility and offer no warranty whether expressed or implied, for the accuracy of this publication.

Chapter 1

Preface

This guide presents a wide range of technical information and procedures for using the OpenText Tableau Forensic TD4 Duplicator, a product of OpenText. It is divided into the following chapters:
· Overview: Provides general information about TD4 as well as unpacking, starting up, and navigating TD4 menus and reading the LEDs.
· Configuring TD4: Provides system overview information about TD4 as well as procedures for configuring and connecting it.
· Using TD4: Provides detailed information and procedures for TD4 operation.
· Adapters: Describes the adapters that extend the drive acquisition options and destination drive capabilities of TD4.
· Specifications and troubleshooting: Provides TD4 specifications and a brief list of potential problems and solutions. For more complete and current troubleshooting information as well as answers to frequently asked questions (FAQ), visit OpenText My Support (https://support.opentext.com).
1.1 Drive capacity and transfer rate measurement conventions
The computer industry generally adheres to two different conventions for definitions of the terms megabyte (MB) and gigabyte (GB). For computer RAM, 1 MB is defined as 2^20 = 1,048,576 bytes and 1 GB is defined as 2^30 = 1,073,741,824 bytes. For drive storage, 1 MB is defined as 10^6 = 1,000,000 bytes and 1 GB is defined as 10^9 = 1,000,000,000 bytes. These two conventions are known as powers of two and powers of ten respectively. Microsoft deviates from the hard drive capacity measurement convention and uses the powers of two convention for its operating systems.
Tableau products report drive capacities and transfer rates according to the industry standard powers of ten convention. In TD4 screens, reports, and documentation, a 4 GB hard drive stores up to 4,000,000,000 bytes; a hard drive with a 150 MB/sec transfer rate transfers 150,000,000 bytes per second.

Chapter 2

Overview

Tableau TD4 is a powerful and intuitive forensic duplicator that offers valuable, high-performance imaging capabilities in a small, portable package. The touch screen user interface is easy to use and provides a familiar user experience similar to modern tablets and smartphones. TD4 is custom built for forensics and provides many standard and advanced features that serve the specialized needs of digital forensics practitioners, including:
· Acquisition of PCIe, USB, SATA, SAS, FireWire, and IDE drives.
Note: PCIe, IDE, and FireWire adapters (sold separately) are required to image these drive types.
· Output to PCIe, USB, and SATA drives.
· The ability to target file-based evidence with logical imaging functionality and industry standard file outputs (lx01 and metadata csv files).
· The ability to duplicate a source drive to up to five destination drives.
· The ability to prevent damage to disk drives by spinning them down when they are ejected from TD4 prior to physical removal.
· The ability to power down TD4 after the last active job is complete.
· The ability to pause and resume Duplication jobs, including surprise power loss situations.
· The ability to lock specific functions and settings with an administrator PIN to enforce standard settings and procedures for your forensic acquisition jobs.
· Superior data transfer rates, even while performing calculations of MD5, SHA-1, and SHA-256 hash values.
· The ability to view extensive drive detail, including partition and filesystem information.
· Browsing drive filesystems.
· Extensive filesystem support – APFS, ExFAT, NTFS, EXT4, FAT(12/16/32), and HFS+.
· Whole disk, open standard, destination drive encryption using XTS-AES.
· The ability to detect and inform of the presence of enabled Opal encryption, BitLocker, and APFS encryption.
· The ability to mount digital media in Apple devices that support Target Disk Mode.
· Comprehensive destination and accessory drive wiping capabilities, including NIST 800-88 compliant wipes.

· HPA, DCO, and AMA support for the detection and handling of hidden/protected data areas on source drives. This includes standalone HPA/DCO/AMA disablement, DCO/AMA “shelving,” and trim support for the creation of a destination DCO or AMA.
· Localized user interface and virtual keyboard support for the following languages: German, English, Spanish (International), French, Korean, Portuguese (Brazilian), Turkish, and Chinese (Simplified).
· Detailed forensic logs in HTML format for case documentation.
· The ability to filter the forensic log list to only show logs of interest based on specific case and/or drive information. The filtered logs can also be exported or deleted.
· Always free firmware update support.
· Clearly labeled and color-coded source (write blocked) and destination (read/write) ports.

The left source (write blocked) side of TD4.

The right destination (read/write) side of TD4.
2.1 TD4 kit contents
TD4 ships in a boxed kit with custom foam that includes the following items:

Model #        Description
TD4            OpenText Tableau Forensic TD4 Duplicator
TP6            Provides power to TD4. Uses a universal 3-prong style AC line cord and is compatible with 100-240V AC line voltages worldwide.
TC4-8-R4       Unified SATA/SAS signal and power to 8in. SATA/SAS signal and 8in. power cable (qty 3)
TC-PCIE-8      8in. PCIe adapter cable. Must be used with a Tableau PCIe adapter (qty 1)
TCA-USB3-AC    USB Type A female to Type C male adapter cable (qty 2)
TPKG-VCT-5     5-piece Velcro cable tie kit
TPKG-CLOTH     Microfiber screen cleaning cloth
-              Quick Reference Guide

Do not discard the TD4 foam packaging, as it is designed to fit several industry-standard hard-sided carrying cases (for example, the Pelican 1500). If you received the TD4 kit in the cardboard box shipped by OpenText, you can reuse the stacking foam inserts in your own hard-sided case.
2.2 Navigating TD4
Use the TD4 touchscreen display to navigate the available TD4 functions. Use the onscreen virtual keyboard or a USB keyboard to enter alphanumeric text when prompted. See “USB keyboard and mouse support” on page 17.
2.2.1 Home screen
The home screen of TD4 displays function tiles for initiating the following forensic jobs:
· Duplicate
· Logical Image
· Hash
· Verify
· Restore
It also includes tiles for entering/viewing essential information, as follows:
· Case Info
· Job History

Each function tile may be opened to show more information, enter data, and, if applicable, start the associated job. Depending on various conditions, the job will either start immediately after hitting the Start button or an advanced settings screen will be displayed to allow configuration of specific settings before starting the job. More details for each home screen function can be found later in this user guide.
Across the top navigation bar there are buttons to quickly access the System Navigation Menu and the home screen and to view the current time. Tapping the TD4 model name in the top navigation bar takes you to the home screen.
Note: In the event of abnormal cooling conditions, a thermal event warning icon will be shown in the top navigation bar to the right of the System Navigation Menu icon. Such a warning will never be seen under normal operating conditions. Please refer to “Thermal issues” on page 94 for more information.

2.2.2 Drive details
On the left and right sides of the home screen you will find drive tiles that align with the physical drive connection ports. These tiles will be inactive (grayed-out) for any ports that have no drive attached. When a drive is attached to a given port, that tile will become active and can be tapped to access detailed information about that drive and perform drive-specific actions.
Note: The drive tile for the rear USB accessory port will only appear when a drive is connected to that port. It will appear beneath the system Navigation Menu icon in the top-left corner of the home screen.
See “Using TD4” on page 33 for more information on drive details.
2.2.3 System navigation menu
Tapping the System Navigation Menu icon in the upper-left corner of the top navigation bar displays the TD4 System Navigation Menu, as shown below. For additional information on the items in this menu, see “Configuring TD4” on page 19.

2.2.4 Job status
After a job starts, its job status screen is automatically displayed. This status screen shows the details of a given job, including a header showing the job type, its status, its start and end times, the overall data rate, time remaining, and percent complete. The lower area of the job status screen shows additional job details, including hash values (when available), sub-step progress (for example, Duplication separate from Verification in a duplication/verification job), a settings summary, and the drives involved in the job. Tapping a drive tile opens a drive details screen which provides a quick view of all the information available for the drive. The fixed bottom area of the job status screen includes buttons for exporting the forensic log and canceling the job. An example of an active Duplication job status screen is shown below.

Note: If the detailed job status screen is closed, a brief summary of the job status is still available in the expanded function tile on the home screen. Tapping the lower portion of that function tile will reopen the detailed job status screen. Also, when a job is running a circular spinner is shown in the top navigation bar to the right of the TD4 model name. Tapping the spinner will reopen the detailed job status screen.

Once a job has completed, the job status screen is displayed and shows the final status of that job. An example of a completed Duplication job status screen is shown below.

2.2.5 Job history
Historical job status screens can be viewed from the Job History list. To access the Job History list, expand the Job History function tile on the home screen. A summary of the total jobs and cases (based on Case ID setting) will be shown in the expanded function tile. Tap the lower portion of the expanded Job History function tile to open the Job History list. The jobs in this list persist across power cycles. Any active jobs will show in the list with an active blue progress bar. Successfully completed jobs will show with a full green progress bar. Canceled jobs will show a partially filled yellow progress bar. And failed jobs will show a partially filled red progress bar. Tapping a specific job tile from the list will open the detailed job status screen for that job. An example of a Job History list is shown below.

As can be seen at the top of the Job History screen above, the current case (as identified by the Case ID system setting) is shown along with a count of the number of different cases included in the Job History list.
In some situations, it may be convenient to view and manage (export or delete) only a subset of jobs from the list. To filter the job list, tap on the filter icon near the top-right side of the Job History screen. Filter criteria can be added to show only the desired jobs. The jobs list can be filtered based on the following criteria:
· Examiner name
· Case ID
· Job notes
· Drive vendor
· Drive model
· Drive serial number
Simply tap the desired filter field(s) and enter the filter value(s). A count of how many jobs matched the filter criteria will be shown near the top of the screen next to the filter icon. Note that when multiple criteria are used, all must match for a job to show in the filtered list. The filter criteria section of the screen can be expanded and collapsed by tapping on the filter icon.
Note: There is an easy way to filter the Job History list to show only jobs associated with a specific drive. To do so, tap on the desired drive tile from the home screen. Scroll to the Jobs summary section at the bottom of the drive details screen, and then tap on the View button. A list of only the jobs associated with that drive will be shown.
To export the logs associated with jobs in the Job History list, tap on the Export button at the bottom-left of the Job History screen. Select the desired filesystem and then tap the Export button at the bottom-right corner of the browse window.
To delete the jobs (and their associated logs) that are shown in the Job History list, tap the Delete button at the bottom-right of the Job History screen and follow the prompt.
Note: For both exportation and deletion of jobs/logs, whatever jobs are shown in the Job History list are the ones that will be acted upon. If there are no filters in place, then all jobs/logs will be exported or deleted. If a filter is used to show only a subset of the overall jobs list, then only those filtered jobs/logs will be exported or deleted.
Up to 100 jobs can be stored on TD4. When that limit is hit, the start of any subsequent jobs will require acknowledgement that the oldest job will be automatically deleted. In order to avoid that inefficient job startup step, it is recommended that job logs be exported and jobs be deleted at the end of each case.
2.3 Reading the status LEDs
On/Off indicator LED: The illuminated power switch is located in the top-left corner of TD4, and it displays a white LED when the unit is on.
DC In LED: The TP6 power supply cable has a blue LED ring near the end of the barrel connector that indicates the TD4 power supply is receiving adequate DC input power.
Activity LED: The multi-color activity LED is located in the lower-right corner of TD4. It is white when the unit is booting up, blinking white when a power issue is detected, off when the unit is on but idle, blue when an operation is in progress, blinking green when an operation completes successfully, and blinking red when an operation fails.

2.4 Interpreting audio feedback
TD4 plays one of two sounds that indicate status at the end of a job. A pleasant chime sound with increasing pitch notes plays for a successful job. For a failed job, the sound has decreasing pitch notes. You can change the volume of the sounds or disable them on the Settings screen.
2.5 On-screen warnings
When appropriate, TD4 will provide on-screen warnings within various settings and operations screens. Yellow warnings call the user’s attention to a potential risk but do not impede operations. Red warnings mean that a selected setting cannot be accommodated, an operation has failed, or the potential exists for forensic evidence to be missed, such as when a DCO or AMA is detected and not removed. Users are encouraged to pay attention to and read any displayed warnings when they appear and proceed accordingly.
2.6 USB keyboard and mouse support
You can plug a standard, English language USB keyboard and/or mouse into any TD4 USB port. (While the Accessory port on the rear of TD4 is intended for this purpose, any USB port will work.) You may find it more convenient to use an external keyboard and/or mouse to navigate the UI and enter data instead of using the touchscreen and virtual keyboard. Wireless keyboard/mouse adapters are supported as well, including unified adapters.
Notes
· TD4 supports wireless keyboards and mice. To use a wireless keyboard or mouse, simply plug the USB wireless adapter into the TD4’s rear USB accessory port, and it should automatically pair with the keyboard and start working. There are many vendors of wireless keyboards and mice, and some may not be compatible with TD4. If you prefer to use a wireless keyboard or mouse and yours is not working with TD4, contact OpenText Customer Support for keyboard recommendations.
· If you are using a wireless unified keyboard/mouse adapter with only a mouse, the virtual keyboard may not appear on the TD4 screen for data entry situations. TD4 will see the wireless adapter as the keyboard which makes it want to hide the virtual keyboard in data entry situations. To accommodate this use case, a Virtual Keyboard system setting has been added to allow the virtual keyboard to always be shown when entering data. This setting will be off by default, which means that the virtual keyboard will not appear if a USB keyboard is detected.

Chapter 3

Configuring TD4

This chapter describes the steps to configure TD4 prior to using it on a regular basis.
3.1 Startup sequence
When turned on, TD4 displays an initialization screen during the boot sequence. The initial boot cycle (after a factory reset) will show a setup wizard that brings out key system settings to make it easy to configure your TD4 for use. Interacting with that setup wizard screen (by closing it or tapping the Full Settings button) will prevent it from appearing in future boot cycles. Once booted past the setup wizard screen, TD4 displays the home screen and then sequentially powers on and detects connected drives and mounts any supported filesystems.
3.2 Configuring TD4
TD4 default settings are defined using sensible, best-practice values. There are many options and settings you can configure and customize to your specific needs. Tap the System Navigation Menu icon in the upper left corner of the user interface to access the System Navigation Menu, which includes the following items:
· Home: Return to the home screen.
· Settings: Access the System Settings screen.
· Administration: Access the Administration setup screen.
· Lock System: Lock the screen with a PIN to prevent access while unattended.
· About: Access the About screen to view additional information such as the unit serial number, firmware version/hash, copyright, and licensing information. Firmware update and factory reset are also initiated from this screen.
3.2.1 Settings
Tap Settings to display the Settings screen.

The screenshot above shows the TD4 Settings screen. Each setting and its options and default values are described below.
· Hashes: Allows selection of the desired hash calculations for your Duplicate, Logical Imaging, and Hash jobs. The options are MD5, SHA-1, SHA-256, and Prompt. Selecting Prompt will allow the hashes to be chosen at job startup time. The default hash selections are MD5 and SHA-1.
· 'Duplicate' File Type: Allows selection of the output file type for Duplicate (physical image) jobs. The options are: Ex01, E01, DD, DMG and Prompt. Selecting Prompt will allow the file type to be chosen at job startup time. The default setting is Ex01.
· Max File Size: Allows selection of the desired maximum output file segment size. The options are: 2 GB, 4 GB, 8 GB, and Unlimited. The default setting is Unlimited.
· Error Recovery: Allows selection of the Recovery Mode and Retry Count for when source drive read errors are encountered during Duplicate and Hash jobs.
  - Recovery Mode: This determines the size of reads that will be used to find readable data within regions that have errors. The options are: Standard and Exhaustive. Standard mode means that error recovery attempts will read blocks of data that are always 32,768 bytes. In Exhaustive mode, error recovery reads will occur down to the most granular level possible, which is individual sectors. Exhaustive mode will ensure the maximum amount of recoverable data, but it will also add time to the job. The default setting is Standard.
  - Retry Count: This tells the TD4 how many times to attempt to re-read a given block of data when an error is encountered. The options are: 0, 1, 10, and 100. The default setting is 1.

Caution
A retry count setting of 100 is not recommended. If a read continually errors over 10 attempts, it is likely it will never succeed, and continuing to attempt many failed reads could potentially damage an already failing drive and waste valuable investigation time.
· Compression: Allows selection of data compression for E01, Ex01, and LX01 outputs. Selecting the box will ensure that data compression is used whenever possible. The default setting is to compress when possible.
· Evidence File Path: Allows definition of the specific filename and directory for output files. Note that wildcards can be used to automatically enter key information into the filenames and/or output directory, as follows:

Wildcard    Directory/filename data
%d          Date (current system date at time of acquisition)
%t          Time (current system time at time of acquisition)
%e          Evidence ID for the source drive in use
%s          Serial number of the source drive in use
%m          Model number of the source drive in use
%c          Case ID at time of acquisition

The default filename is image. The default directory name is td4 images/%d_%t/.
· Readback Verification: Allows selection of readback verification to be done at the end of the duplication/logical image portion of jobs, to ensure the stored data matches what was acquired. Selecting the Verify box will enable readback verification for all jobs. Selecting Prompt will allow readback verification to be enabled at job startup time. The default setting is Verify.
· Trim Clones: Allows selection of the desired destination “trimming” configuration for all jobs. Trimming a destination drive means that a DCO or AMA will be applied to the destination drive (if it supports them) so that the destination drive size will appear to match that of the original clone source drive. The options are: Never, When possible, and Prompt. Selecting Prompt will allow the Trim Clones setting to be selected at job startup time. The default setting is Never.

Note: For clone trimming to work, the chosen destination drive must support DCO or AMA.
· Audio: Allows selection of the system volume level to be used for all audible alerts. Selecting the Idle Chirp box will cause the job completion sound to be repeatedly played every one minute until the job status screen has been closed. Note that, even if Idle Chirp is disabled, the job completion sound will be played one time at the end of the job and the indicator LED will flash completion status until the job status screen has been closed. The default setting is to enable Idle Chirp.
· Time Display: Allows selection of the displayed system time zone and time display mode (12-hour or 24-hour). Time Display setting changes must be explicitly saved to take effect. Note that changing time-related settings is not allowed while a job is running. The default display mode setting is 12-hour mode.
· System Time: Allows entry of the system time. System Time setting changes must be explicitly saved to take effect. Note that changing time-related settings is not allowed while a job is running.
· System Date: Allows entry of the system date. System Date setting changes must be explicitly saved to take effect. Note that changing time-related settings is not allowed while a job is running.
· Brightness: Allows selection of the brightness of the LCD screen.
· Virtual Keyboard: Provides the option to always show the on-screen, virtual keyboard, even when an external keyboard is detected. This is useful for a specific scenario, where a unified (dual-purpose) wireless keyboard/mouse is plugged into TD4, but only the mouse part is being used. Select the 'Always show' option to ensure that the virtual keyboard appears in this situation. By default the virtual keyboard is hidden when a USB keyboard is detected.
· Language: Allows selection of the system language. The options are: German, English, Spanish, French, Korean, Portuguese, Turkish, and Chinese. The default language is English.
Note: When the system language is changed, the virtual keyboard will automatically be switched to that language. If desired, the virtual keyboard can be manually changed to a language that is different than the system language setting. To manually select the virtual keyboard language, tap an input field and then tap the localization button on the keyboard to select the desired language.
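
The trade-off between the Recovery Mode options and the Retry Count values described under Error Recovery above can be seen in a small simulation. This is an added example, not TD4 firmware logic or OpenText code: the 512-byte sector size, the halving strategy used for Exhaustive mode, the rule that a failed read stops at the first bad sector, and the fault map are all assumptions or constructed values.

```python
"""Toy model of the Error Recovery settings (added example, not TD4 firmware)."""

SECTOR = 512                      # assumed sector size in bytes
BLOCK_SECTORS = 32_768 // SECTOR  # 32,768-byte recovery block from the guide = 64 sectors
REGION_SECTORS = 1024             # constructed: a 512 KiB region that hit read errors

# Constructed fault map: sector -> failed reads before it succeeds (None = never reads).
FAULTS = {100: None, 700: 3}


class SimDrive:
    """Source drive stand-in that counts every read command issued to it."""

    def __init__(self, faults):
        self.faults = dict(faults)
        self.read_attempts = 0

    def read(self, first, count):
        """Return True if sectors [first, first+count) read cleanly.

        Assumption: the read aborts at the first sector that errors.
        """
        self.read_attempts += 1
        for sector in range(first, first + count):
            left = self.faults.get(sector, 0)
            if left is None:          # permanently unreadable
                return False
            if left > 0:              # transient error: one fewer failure remaining
                self.faults[sector] = left - 1
                return False
        return True


def recover(drive, first, count, min_sectors, retry_count):
    """Return the number of bytes that stay unreadable in [first, first+count).

    A failed chunk larger than min_sectors is halved and each half is tried
    again (assumed strategy). A failed chunk at min_sectors is re-read up to
    retry_count times and then recorded as lost.
    """
    if drive.read(first, count):
        return 0
    if count > min_sectors:
        half = count // 2
        return (recover(drive, first, half, min_sectors, retry_count)
                + recover(drive, first + half, count - half, min_sectors, retry_count))
    for _ in range(retry_count):
        if drive.read(first, count):
            return 0
    return count * SECTOR


def simulate(mode, retry_count):
    """Run recovery over the constructed region; return (bytes_lost, read_attempts)."""
    min_sectors = {"standard": BLOCK_SECTORS, "exhaustive": 1}[mode]
    drive = SimDrive(FAULTS)
    lost = 0
    for first in range(0, REGION_SECTORS, BLOCK_SECTORS):
        lost += recover(drive, first, BLOCK_SECTORS, min_sectors, retry_count)
    return lost, drive.read_attempts


if __name__ == "__main__":
    for mode in ("standard", "exhaustive"):
        for retries in (0, 1, 10, 100):   # the Retry Count options in the guide
            lost, reads = simulate(mode, retries)
            print(f"{mode:10s} retry={retries:3d}  lost={lost:6d} bytes  reads={reads}")
```

In this model, raising Retry Count from 10 to 100 recovers no additional bytes but multiplies the reads issued against the permanently bad sector, which is the concern the Caution raises.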

3.2.2 Administration
In some forensic work environments, it may be desirable to prohibit unauthorized users from accessing the unit or changing specific settings. TD4 allows an administrative level user to lock specific areas of the user interface to allow such control. Tap the Administration button in the System Navigation Menu to initiate this setup. The initial Administration setup screen is shown below.

Tap Enable Administration to get started. The first step is to set a six-digit Administration PIN. The PIN must be entered twice to ensure accuracy.
Once Administration is enabled, the following areas can be selected to block access to anyone without the PIN:
· System Boot Lock: If selected, the unit will boot directly to the PIN pad, and the Administrator PIN will need to be entered to use the unit.
· Duplication Configuration: If enabled, the following Duplication settings will require the Administrator PIN to make any changes:
  - Hashes
  - 'Duplicate' File Type
  - Max File Size
  - Error Recovery
  - Compression
  - Evidence File Path
  - Readback Verification
  - Trim Clones
The screenshot below shows the Settings menu after Administration control has been enabled for Duplication Configuration. Note the shield with checkmark icon next to the setting items enumerated above. This indicates which settings will require the Administrator PIN to make changes. All users will be able to view the current settings, but any attempts to change any of the locked settings will prompt the user for the Administrator PIN.

To disable TD4 Administration, tap Administration from the System Navigation Menu and then tap Disable Administration. The Administration PIN will need to be entered to complete disablement.

Note: When Administration has been enabled, even if none of the individual control options has been selected, the Administrator PIN will be required to update the firmware on the unit. This prevents circumvention of the Administration settings by downgrading firmware.
3.2.3 Locking the system
It may be desirable to lock your TD4 system while unattended to ensure no settings are changed or that your active jobs are not altered in any way. To lock your system, simply tap on the Lock System item in the System Navigation Menu. A screen will appear that allows for entry of a six-digit personal identification number (PIN), as shown below.

You will need to enter the six-digit code a second time to verify the PIN. Once the PIN has been verified, the unit will be locked, showing only the PIN pad on the screen.
To unlock the system, simply enter the PIN.
Note: The button at the bottom-left of the keypad allows for randomizing the layout of the digits on the keypad. This can be used to ensure that commonly used PINs do not create a distinct pattern on the screen.

This PIN locking mechanism is temporary in the sense that each unlock event will keep the unit unlocked until it is re-locked. Note that power cycling TD4 will clear the screen PIN lock.
3.2.4 Updating TD4 firmware
TD4 firmware is stored on a non-volatile, non-removable memory device inside the unit. When a TD4 firmware update becomes available on the OpenText website (Tableau Download Center), you can download the firmware package file and use it to update the unit.
Note: A firmware update cannot be started while a job is running.
To update your TD4 firmware, go to the Tableau Download Center at https://www.opentext.com/products/tableau-download-center, then follow these steps:
1. Locate the TD4 section on the Tableau Download Center page, and then tap the latest firmware file link to initiate a download to your computer.
Note: TD4 firmware package files have a .td4_pkg file extension.
2. Copy the downloaded firmware package file to a USB stick and then eject and remove that drive from your computer.
3. Insert the USB stick into any TD4 USB port.
4. Go to the System Navigation Menu by tapping on the icon at the left side of the top navigation bar. Then tap the About menu item.
5. In the About screen, tap the Update Firmware button.
6. Select the appropriate drive/filesystem by tapping on the filesystem tile.
7. Browse to the location of the desired .td4_pkg file and tap on that file.
8. Once you are sure you want to initiate the update with the selected file, tap the Select button at the bottom-right of the screen.
TD4 will begin the firmware update process using the selected firmware file.
Caution
Once the firmware update process begins, do not remove or add any drives, turn off the unit, or remove power from the unit. Doing so could cause issues with the firmware update process possibly resulting in a nonfunctional TD4. If something should occur during the firmware update process that results in a failure to update, it is possible that the firmware recovery procedure may be required. See “Troubleshooting common problems” on page 92 for information on the firmware recovery process.
TD4 will automatically reboot into the new firmware once the update process is complete.

Note that the SHA-256 hash value of the currently loaded firmware package is calculated and displayed in the top portion of the About screen along with the full firmware version. This allows for verification that the proper firmware version is running and that it has not been altered. For hash verification purposes, the hash value for a given firmware version is available in the release notes document for each TD4 update, which is available on the Tableau Download Center at https://www.opentext.com/products/tableau-download-center.
3.3 Connecting drives
The following sections provide information that will allow for the safe and reliable connection of drives to TD4.
Note: For drives that require adapter cables to connect to TD4, OpenText highly recommends leaving the adapter cables plugged into TD4 and attaching/removing the drives from the other end of the cables. While the drive connectors on TD4 are robust and designed for many mating cycles, attaching/removing drives from the other end of the cables will help maximize the life of your TD4.
3.3.1 USB versions and connector types
USB specifications have changed over time, and, along with them, the naming convention for various USB interface ports/speeds has also changed. For example, when USB 3.0 (SuperSpeed USB) first came out, interface speeds jumped to 5 Gbps over the previous USB 2.0 speed of 480 Mbps. With the advent of USB 3.1, the concept of generations was introduced to cover the various interface speeds. For example, USB 3.0 SuperSpeed is equivalent to USB 3.1 Gen 1 at 5 Gbps, and USB 3.1 Gen 2 doubled that speed to 10 Gbps. More recently, the USB 3.2 standard has been released. However, the generational reference for speeds remains the same as USB 3.1, with USB 3.2 Gen 1 being 5 Gbps and USB 3.2 Gen 2 being 10 Gbps. Using the most recent USB specification language, TD4’s source USB port is USB 3.2 Gen 1 running at 5 Gbps. Its destination USB ports are USB 3.2 Gen 2 running at 10 Gbps. For simplicity, these ports are labeled as “USB” on the TD4 itself and they will commonly be referred to as USB ports in this user guide.
TD4 USB ports all use USB Type C connectors. Type C drives and drive cables can be inserted into TD4 without regard for orientation. To connect a USB Type A drive to TD4, a Tableau TCA-USB3-AC Type A-to-Type C adapter cable (or equivalent commercially available adapter) is required.


3.3.2 Drive adapters
For some of the TD4 ports, external adapters are required to connect certain types of drives. Chapter 5 of this user guide contains a comprehensive list of available Tableau drive adapters. Here is a summary of commonly used adapters:

Drive Type: Tableau Adapter Part Number
PCIe add-in card SSD: TDA7-1
m.2 PCIe SSD: TDA7-2
Apple PCIe SSD 2013+: TDA7-3
u.2 SSD (PCIe): TDA7-4
IDE: TDA7-5
Apple PCIe SSD 2016+: TDA7-7
FireWire: TDA7-9
mSATA/m.2 SATA SSD: TDA3-3

3.3.3 Drive tiles
On the left and right sides of the home screen you will find drive tiles that align with the physical drive connection ports. These tiles will be grayed-out for any ports that have no drive attached. When a drive is attached to a given port, that tile will become active and can be tapped to access detailed information about that drive and perform drive-specific actions.

Note: The drive tile for the rear USB accessory port will only appear when a drive is connected to that port. It will appear beneath the System Navigation Menu icon in the top-left corner of the home screen.
3.3.4 Source drives
TD4 runs one forensic job at a time, and, as a result, it was designed to only allow connecting one source drive at a time. Multiple source drives can physically be connected to TD4 and doing so will not cause any damage to the device. However, when more than one source drive is connected, the source drive tiles will turn red and all operations that require a source drive (Duplication, Logical Image, Hash, and Restore) will be prohibited. Verify is the one operation that can still be done with multiple source drives attached, as it uses only destination drives.
Connect a drive (or a drive adapter with drive in place) to one of the TD4 source (left) side interfaces: SATA/SAS, PCIe, USB. The associated user interface drive tile will become active and can be tapped to view detailed information about the drive and perform drive specific actions. For source drives, the available drive actions are as follows:
· Browse filesystems
· Blank check
· Remove HPA/DCO/AMA
· Tableau encryption unlock
A job summary specific to that drive can also be viewed on the drive details screen, with a link to view the filtered job history list for that drive. The Eject button for each drive is located at the bottom-right side of the drive details screen.
3.3.5 Destination drives
Connect one or more drives to the TD4 destination (right) side: SATA (x2), PCIe, and/or USB (x2). The associated user interface drive tile(s) will become active and can be tapped to view detailed information about the drive and perform drive specific actions. For destination drives, the available drive actions are as follows:
· Browse filesystems
· Blank check
· Reconfigure (see the “Reconfigure” section on page 42 for detailed information about the destination drive Reconfigure function)
· Tableau encryption unlock
A job summary specific to the drive can also be viewed on this screen, with a link to view the filtered Job History list for that drive. The Eject button for each drive is located at the bottom-right side of the drive details screen.
See “Duplicating” on page 58 and “Performing a logical image” on page 69 for details on running Duplicate and Logical Image jobs.
3.3.6 Accessory drives
An Accessory USB port is available on the rear of TD4. This port can be used to attach a USB drive to allow for exporting job logs or updating TD4 firmware. It can also be used to attach a keyboard and/or mouse (wired or wireless).
Caution
The USB Accessory port on the rear of TD4 is not write-protected! Evidence media should never be connected to this port.
When an Accessory USB drive is attached to TD4 and detected, a small drive tile will appear just below the System Navigation Menu icon in the top left of the user interface.

3.3.7 Drive detection
After booting, TD4 begins detecting connected drives sequentially. Inactive drive tiles shown on the left and right sides of the screen will become fully visible and active when a drive is detected. Tap any drive tile to view detailed information about the connected drive and to perform drive-specific actions. See “Source drives” on page 28 and “Destination drives” on page 29 earlier in this chapter for more information on available actions.
The image below shows the TD4 home screen with the following drives connected: USB source, USB accessory, SATA destination, PCIe destination.

3.4 Turning TD4 off
To turn off your TD4, simply push the power button in the top left corner of the unit. Confirm the request by tapping the Shutdown button or tap the Cancel button to keep the unit powered up.
In some cases, it may be desirable to have the TD4 power itself off after the current job is completed. In the case of running a job overnight or over a weekend with the unit unattended, this can help reduce power consumption and unnecessary runtime on any attached drives. To turn off TD4 when the current job is complete, simply push the power button in the top left corner of the unit as you normally would, and then tap the Shutdown button. The current job will complete and then the unit will power itself off. This will work for any job type.
Note: If the power button shutdown method described above is used, there is no need to eject any attached drives before shutting down TD4. Using this proper shutdown method allows the software time to quiesce any active tasks and eject drives prior to turning the unit off. Forcing TD4 to power off by pulling the power cord or holding down the power button is not recommended as it may corrupt any existing partition/filesystem information.


Chapter 4: Using TD4

This chapter covers detailed procedures and information for using TD4.
4.1 Home screen
The home screen of TD4 displays function tiles for initiating the following forensic jobs:
· Duplicate
· Logical Image
· Hash
· Verify
· Restore
It also includes tiles for entering/viewing essential information, as follows:
· Case Info
· Job History


Each function tile may be opened to show more information, enter data, and, if applicable, start the associated job. Depending on various conditions, the job will either start immediately after hitting the Start button or an advanced settings screen will be displayed to allow configuration of specific settings before starting the job. More details for each home screen function can be found later in this chapter.
Across the top navigation bar there are buttons to quickly access the System Navigation Menu and the home screen and to view the current time. Tapping the TD4 model name in the top navigation bar takes you to the home screen.
Note: In the event of abnormal cooling conditions, a thermal warning icon will be shown in the top navigation bar to the right of the System Navigation Menu icon. Such a warning will never be seen under normal operating conditions. See “Thermal issues” on page 94 for more information.

4.2 Drive details
On the left and right sides of the home screen you will find drive tiles that align with the physical drive connection ports. These tiles will be inactive for any ports that have no drive attached. When a drive is attached to a given port, that tile will become active and can be tapped to access detailed information about the drive and perform drive-specific actions.
Note: The drive tile for the rear USB accessory port will only appear when a drive is connected to that port. It will appear beneath the System Navigation Menu icon in the top-left corner of the home screen.
See “Viewing sources and destinations” on page 39 for more information on the drive details screen and associated functionality.
4.3 System navigation menu
Tapping the System Navigation Menu icon in the upper-left corner of the top navigation bar displays the TD4 System Navigation Menu, as shown below. For additional information on the items in this menu, see “Configuring TD4” on page 19.

4.4 Job status
After a job starts, its job status screen is automatically displayed. This status screen shows the details of a given job, including a header showing the job type, its status, its start and end times, the overall data rate, remaining time, and percent complete. The lower area of the job status screen shows additional job details, including hash values (when available), sub-step progress (for example, Duplication separate from Verification in a duplication/verification job), a settings summary, and a listing of the drives involved in the job. Tapping a drive tile opens its drive details screen, which provides a view of all the information available for the drive. The fixed bottom area of the job status screen includes buttons for exporting the forensic log for that job and canceling the job. An example of an active Duplication job status screen is shown below.

Note: If the job status screen is closed, a brief summary of the job status is still available in the expanded function tile on the home screen. Tapping the lower portion of that function tile will reopen the job status screen. Also, when a job is running, a circular spinner is shown in the top navigation bar to the right of the TD4 model name. Tapping the spinner reopens the job status screen.

Once a job has completed, the job status screen is displayed and shows the final status of that job.

If the job status screen is left open after completion of the job, completion status indicators will continue until the job status screen is closed. Those completion status indicators include a flashing status LED and, if Idle Chirp is enabled in system settings, audible notification (once every minute). If Idle Chirp is disabled, the job completion audible notification will only be provided one time.
4.5 Job history
Job status screens can be viewed from the jobs list which is accessible from the Job History tile on the home screen. Tapping the lower portion of the expanded Job History tile opens the jobs list for that unit. The jobs in this list are stored on the unit and persist across power cycles. Any active jobs will show in the list with an active blue progress bar. Successfully completed jobs will show with a full green progress bar. Canceled jobs will show a partially filled yellow progress bar. And failed jobs will show with a partially filled red progress bar. Tapping a specific job tile from the list will open the job status screen for that job. An example of a Job History list is shown below.


As can be seen at the top of the Job History screen above, the current case (as identified by the Case ID setting) is shown along with a count of the number of different cases included in the Job History list.
In some situations, it may be convenient to view and manage (export or delete) only a subset of jobs from the list. To filter the job list, tap on the filter icon near the top-right side of the Job History screen. Filter criteria can be added to show only the desired jobs. Note that when multiple criteria are used, all must match for a job to show in the filtered list. The jobs list can be filtered based on the following criteria:
· Examiner name
· Case ID
· Job notes
· Drive vendor
· Drive model
· Drive serial number
Note: There is an easy way to filter the Job History list to show only jobs associated with a specific drive. To do so, tap on the desired drive tile from the home screen. Scroll to the Jobs summary section at the bottom of the drive details screen and then tap the View button. A list of only the jobs associated with that drive will be shown. You can expand the filter in that view to see the specific criteria that were used to filter the list.
To export the logs associated with jobs in the Job History list, tap on the Export button at the bottom-left of the Job History screen. Select the desired filesystem and folder and then tap the Export button at the bottom-right corner of the browse window.
To delete the jobs that are shown in the Job History list, tap the Delete button at the bottom-right of the Job History screen and follow the prompt.
Note: For both log exportation and job deletion, whatever jobs are shown in the Job History list are the ones that will be acted upon. If there are no filters in place, then all logs/jobs will be exported or deleted. If a filter is used to show only a subset of the overall jobs list, then only those logs/jobs will be exported or deleted.
Up to 100 jobs can be stored on TD4. When that limit is hit, the start of any subsequent jobs will require acknowledgement that the oldest job will be automatically deleted. To avoid that inefficient job startup step, it is recommended that logs be exported and then jobs deleted at the end of each case.
See “Forensic logs” on page 79 for more information regarding TD4 forensic logs.
4.6 Viewing sources and destinations
To access the drive details screen for a source or destination, tap the desired drive tile on the TD4 home screen. Drive tiles are shown on the left (source) and right (destination) sides of the TD4 user interface. The drive details screen for a source SATA drive is shown below.


The Evidence ID field at the top of the drive details screen allows a brief description of the drive to be entered. This Evidence ID value is an informal way to identify drives which allows them to be more easily recognized throughout the TD4 user interface. This Evidence ID will appear in the drive details screens and drive cards, which are seen in various places such as in the Source and Destination(s) sections of the job status screen. Evidence ID will also appear in the forensic logs. If no Evidence ID is entered for a given drive, the drive will be identified by the vendor name, model, and serial number.
After the Evidence ID field, the top section of the drive details screen shows key information about the selected drive, such as size, vendor, model, firmware revision, serial number(s), sector size, and available (reported) sectors. USB drives will have additional information shown, including a USB specific serial number.
The Contents section of the drive details screen provides information about what is on the drive, and it also allows for drive specific actions such as Blank Check, Reconfigure (destinations only), Remove HPA/DCO/AMA (sources only), and Tableau Encryption Unlock. For drives with detectable filesystems, the top portion of the Contents section indicates the partition table type, number of partitions, and number of filesystems. Each detectable filesystem will have a filesystem card that shows more information about the filesystem. To browse a filesystem, tap the filesystem card. If a drive has any sector limitations in place (HPA/DCO/AMA), a warning message will be provided in the top portion of the Contents section. Such sector limitations are also identified with the icon attached to the drive tiles on the home screen.
The Jobs section of the Drive Details screen provides information about jobs that have been performed with that drive. The Jobs count indicates the number of all forensic jobs done using that drive, and it includes the following operations: Duplications, Logical Images, Hashes, Verifications, Reconfigures, Blank Checks, Restores, and Remove Sector Limitations. The Completed Acquisitions count indicates the number of fully completed, successful acquisition type jobs, namely Duplications and Logical Images. If all the jobs for a given drive have the same Case ID, that Case ID is shown in this section as well. If there are multiple Case IDs associated with a given drive, “Multiple” will be shown in the Case ID field. The View button in the bottom right of the Jobs section will display a filtered Job History list showing only the jobs associated with that specific drive.
At the bottom right of any Drive Details screen is the Eject button. Simply tap the Eject button and respond to the prompt to eject a drive from the system. Ejecting a drive removes it from the system software in a safe manner and is recommended before unplugging any attached media from a powered TD4 and before powering down TD4 with drives attached. For destination and accessory drives in particular (since they are read/write), failure to eject a drive prior to removal from the system could corrupt the drive filesystem, which could result in loss of previously captured evidence/data. Note that ejection of media being used in a job will not be allowed until the job is complete.
In addition to quiescing the drive for system removal, pressing the Eject button will issue an ATA spin down command to drives that may support it. Spinning down rotating hard disk drives is recommended to minimize the chance of platter damage upon physical removal of the drive from the system. Note that not all drives support this command, and some may take longer to eject from the system due to lack of spin down command support. But this is considered a minor inconvenience compared to the benefit of minimizing the chance of drive damage.
Caution
It is highly recommended to eject all drives from the system prior to physically removing them from TD4. This puts the drives in a quiescent state, which will ensure system stability and the integrity of the data on the drives.
For media attached to TD4 PCIe ports, ejection prior to removal is required. Hot-swapping PCIe drives without ejecting them may cause system instability and unpredictable TD4 behavior/performance.
Forced power removal (by pulling the power cord or holding down the power button) can cause issues with attached drives, including corruption of formatting information. If possible, it is highly recommended to power down through the user interface (via a quick power button press), which will automatically eject all attached drives prior to shutting down the unit.


4.6.1 Blank check
The Blank Check utility checks a drive for the presence of meaningful data. To access the Blank Check Setup screen, tap Blank Check in the Contents section of any drive details screen.
The following table provides Blank Check option details:

Option: Description
Fast: Quickly checks to determine if the drive appears to be blank by reading in and checking the sectors in the Master Boot Record, the Primary GPT, and the Secondary GPT.
Random: Performs the Fast check, then reads in up to 75% of the available sectors randomly to determine if they are blank. The blank check will stop as soon as a non-blank data pattern is detected.
Linear: Linearly reads in up to 100% of the available sectors to check if the drive is blank. The blank check will stop as soon as a non-blank data pattern is detected.

A sector is considered blank if it contains only the same repeated 2-byte pattern. Any non-repeating pattern is considered to be non-blank. However, each individual sector may contain different repeating patterns. If any sector is found to not be blank, the drive is not considered blank, and the blank check will stop.

Note: The Fast and Random blank check options do not perform exhaustive checks of the entire drive. It is possible for a drive to appear to be blank according to a Fast or Random check while still storing forensically relevant information.
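The three Blank Check modes and the 2-byte blank rule described above, as an added Python sketch run against a constructed image file (this is not TD4 firmware code). The 512-byte sector size, the 33-sector GPT areas, and the sampling method are assumptions; the demo shows a Fast check reporting blank while a Linear check finds data mid-drive.

```python
import os
import random
import tempfile

SECTOR = 512        # assumed logical sector size
GPT_SECTORS = 33    # assumed: GPT header plus 32 sectors of partition entries


def sector_is_blank(sector: bytes) -> bool:
    """True if the sector is a single 2-byte pattern repeated end to end."""
    if len(sector) < 2 or len(sector) % 2:
        return False
    return sector == sector[:2] * (len(sector) // 2)


def _fast_lbas(total: int) -> list:
    """LBAs of the MBR, primary GPT and secondary GPT (assumed standard layout)."""
    head = range(0, min(total, 1 + GPT_SECTORS))        # LBA 0 = MBR, 1..33 = primary GPT
    tail = range(max(0, total - GPT_SECTORS), total)    # last 33 sectors = secondary GPT
    return sorted(set(head) | set(tail))


def blank_check(path: str, mode: str = "fast", seed=None):
    """Return (is_blank, sectors_read, first_non_blank_lba_or_None).

    Stops at the first non-blank sector, as the guide describes.
    """
    total = os.path.getsize(path) // SECTOR
    if mode == "fast":
        lbas = _fast_lbas(total)
    elif mode == "random":
        # Fast check first, then a random sample of 75% of all sectors.
        rng = random.Random(seed)
        lbas = _fast_lbas(total) + rng.sample(range(total), (total * 3) // 4)
    elif mode == "linear":
        lbas = range(total)
    else:
        raise ValueError("mode must be 'fast', 'random' or 'linear'")

    read = 0
    with open(path, "rb") as img:
        for lba in lbas:
            img.seek(lba * SECTOR)
            read += 1
            if not sector_is_blank(img.read(SECTOR)):
                return False, read, lba
    return True, read, None


def make_demo_image(sectors: int = 2048, planted_lba: int = 1000) -> str:
    """Build a constructed test image and return its path.

    Every sector holds its own repeating 2-byte pattern (still blank by the
    rule above) except one mid-drive sector carrying leftover text.
    """
    with tempfile.NamedTemporaryFile(delete=False, suffix=".img") as img:
        for lba in range(sectors):
            if lba == planted_lba:
                img.write(b"case-notes.txt".ljust(SECTOR, b"\x00"))
            else:
                img.write(bytes((lba & 0xFF, 0xA5)) * (SECTOR // 2))
        return img.name


if __name__ == "__main__":
    path = make_demo_image()
    for mode in ("fast", "random", "linear"):
        blank, read, lba = blank_check(path, mode, seed=1)
        print(f"{mode:7s} blank={blank} sectors_read={read} first_non_blank={lba}")
    os.remove(path)
```
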
4.6.2 Reconfigure
The Reconfigure utility allows for execution of drive specific actions, mostly related to preparing a destination drive to be used for future Duplication and Logical Imaging jobs. Due to the drive-altering nature of the actions available in this utility, Reconfigure is only available for destination drives. To access the Reconfigure utility setup screen (shown below), tap Reconfigure from the Contents section of the drive details screen.


Reconfigure allows sequential completion of the requested tasks without need for user intervention. This makes it easy to execute common destination media preparation steps in automated fashion, without having to do each one as a separate step. For example, a destination drive could be wiped and then formatted in one job by selecting Wipe and Format, setting the options for each sub-step, and then tapping Start. Note that the listed order of the optional sub-functions of Reconfigure is intentional and matches the order in which they will be applied to the drive. Details on each Reconfigure sub-function are provided in the sub-sections below.
4.6.2.1 Remove sector limitations
In the past, the most common method of intentionally limiting the reported capacity of a drive was by using the ATA HPA (host protected area) and/or DCO (device configuration overlay) feature sets. Starting with the ACS-3 (ATA/ATAPI Command Set 3) specification update, the concept of Addressable Maximum Address (AMA) was introduced. Newer drives may support this method of limiting the reported drive capacity. TD4 supports all these methods with automated detection, identification, and notification that will make dealing with them seamless and easy. From a forensic point of view, it is valuable to know if HPA, DCO, or AMA are in use. With that knowledge, the forensic practitioner can make an informed decision about whether to acquire data in the hidden regions of the drive.

Note that these methods (HPA/DCO and AMA) are mutually exclusive. A drive that supports HPA/DCO will not support AMA, and a drive that supports AMA will not support HPA/DCO. Also, while HPA and DCO are related features for a given drive, HPA has a unique attribute (volatile, or temporary, removal) that distinguishes it from DCO and AMA. For that reason, this section will cover volatile HPA removal as a separate topic before addressing non-volatile (permanent) removal of HPA/DCO or AMA.
TD4 also provides the ability to “shelve” a DCO or AMA, which means disabling a source drive DCO or AMA for the purposes of evidence duplication and then putting the same DCO/AMA back after the job is complete. See “Duplicating” on page 58 for more details on shelving a DCO.
4.6.2.2 Volatile HPA removal
HPA can be disabled without making a permanent modification to the drive. This is known as volatile, or temporary, removal of the HPA configuration. When a drive that has had its HPA removed in this manner is removed from TD4 (or is otherwise powered down) and then reconnected, it will always come back in its original state (with the original HPA configured and enabled). Since this is a temporary drive configuration change only (not a change to the data stored on the drive), TD4 automatically disables HPA on any drive connected to one of its source ports. Since DCO and AMA settings can only be disabled on a permanent basis, TD4 does not automatically disable them on connected source drives.
In the case of an automatic, volatile HPA removal from a connected source drive, the TD4 user interface makes it obvious what has occurred by stating how many HPA sectors have been exposed, as shown in the following screenshot.


Referring to the drive details screenshot above, the fact that the HPA has been removed is reflected in two ways. One, the drive’s Size field reflects the full capacity of the drive (with HPA removed). And two, the Contents section shows how many HPA sectors were exposed in red text. Note that this HPA related information is also captured in the forensic logs.
TD4 never makes automatic changes to any drive capacity limiting configurations on destination drives. TD4 was designed to give the forensic practitioner complete control over the destination drive. If you choose to restrict the destination drive capacity using HPA, DCO, or AMA, TD4 will not override that decision.

4.6.2.3 Non-volatile HPA/DCO/AMA removal
The Remove Sector Limitations utility permanently disables the HPA, DCO, or AMA configurations on the selected drive. These changes are permanent, cannot be undone, and will persist over drive power cycles.
For destination drives, the Remove Sector Limitations utility is included in the Reconfigure function, which is available in the Contents section of the drive details screen. Tap the desired destination drive tile from the home screen, and then tap the Reconfigure button on the drive details screen. In the Reconfigure Setup screen, select Remove Sector Limitations, and then press the Start button. Any identified sector limitations (HPA/DCO or AMA) will be removed from the destination drive.
For source drives, the Remove Sector Limitations utility is available directly in the Contents section of the drive details screen. This is because there is no Reconfigure utility for source drives, since most of the Reconfigure options are specifically intended for destination drives.
Note that for HPA/DCO, you cannot remove a DCO-protected region on a drive without also removing any HPA-protected region, as defined by the ATA specification.
If a drive has an HPA/DCO or AMA configured, a red warning message is displayed in the Contents section of the drive details screen indicating the number of sectors that are hidden by the HPA/DCO/AMA. The icon is also shown on the edge of the drive tile on the home screen and near the top of the drive details screen to provide at-a-glance identification of the presence of a sector limiting configuration. The screenshot below shows the drive details screen for a drive with a DCO-protected region.


IDE drives with a DCO require special considerations with TD4. DCO setting changes require power-cycling the drive which, for directly connected SATA drives, is done automatically by TD4. However, since IDE drive power can be provided in several ways, TD4 cannot deterministically cycle an IDE drive’s power.
To disable a DCO on an IDE drive, ensure that the IDE drive (via TDA7-5) is the only connected source drive and then complete the following steps:
1. Tap Remove Sector Limitations from the source drive details screen and confirm that DCO removal is desired to start the task.
2. Tap Eject at the bottom-right of the drive details screen.
3. Remove power from the IDE drive.
4. Remove TDA7-5 from TD4.
5. Re-connect TDA7-5 (with IDE drive connected) to TD4.
6. Re-connect power to the IDE drive.
Note: Specifically for IDE drives connected via TDA7-5, the forensic log for a DCO/AMA removal job will report successful completion of the DCO removal operation immediately after the command has been issued to the drive. TD4 has no way of knowing if the command actually completed at the drive level. The DCO state should be manually verified after the reboot is complete and before subsequent jobs are started.
4.6.2.4 Wiping destination or accessory drives
The Wipe media utility provides six wipe types for destination and accessory drives. The table below provides detailed information on each type of supported wipe.
Note: If an HPA/DCO/AMA configuration is present on a drive that you intend to wipe and you want to wipe the entire drive (not just the exposed portion), select the Remove Sector Limitations function in the Reconfigure setup screen along with the Wipe function prior to starting the Reconfigure job.
Caution
Wiping drives results in sustained writing of the media, which can create abnormally high thermal operating conditions inside the drive. OpenText highly recommends using a fan or an external drive cooler when wiping media on TD4 to help prevent thermal damage to drives.

Option: Overwrite
Description:
Single Pass: TD4 will write a constant pattern (all zeros) to the drive in a single pass. Verification is optional.
Multiple Pass: TD4 performs three full write passes to the destination or accessory drive. The first pass writes zeros (0x0000), the second pass writes ones (0xFFFF), and the third pass writes a randomly selected constant value between 0x0001 and 0xFFFE. Verification is optional. If enabled, it can be configured to verify after each wipe pass or after only the last pass.


Option: Secure Erase (SSD only)
Description:
The ATA Secure Erase command instructs the drive to reset all available blocks to the erase state. How the erase state is implemented on the drive is not mandated by the ATA specification, which means the final data state on drives is manufacturer dependent (and not necessarily all zeros). For drives that do not support Secure Erase, TD4 will indicate this limitation during wipe type selection.
Due to the indeterminate nature of the post-wipe data state, TD4 does not offer verification for Secure Erase wipes.
Due to known issues with inconsistent and unreliable Secure Erase support on rotating drives (HDDs), TD4 only supports this feature on SSDs.
Note that Secure Erase will erase all accessible drive space, but it will not necessarily erase over-provisioned space or other space reserved by the drive’s internal controller.
TD4 will force removal of any detected HPA/DCO/AMA configurations prior to starting a Secure Erase wipe.

Option: Sanitize – Block Erase (SSD only)
Description:
The ATA and SCSI Sanitize Block Erase commands instruct the drive to erase all flash memory blocks. This is typically done electrically, not through writing of data to the drive. While the state of post-wipe data is not mandated by the ATA/SCSI specifications, Sanitize Block Erase typically leaves a drive in a cleared (all zeros) state, which allows for post-wipe verification. For drives that do not support Sanitize – Block Erase, TD4 will indicate this limitation during wipe type selection.
Note that Sanitize Block Erase will erase all user accessible drive space as well as over-provisioned space and any other space reserved by the drive’s internal controller.
TD4 will force removal of any detected HPA/DCO/AMA configurations prior to starting a Sanitize Block Erase wipe.

Option: Sanitize Overwrite
Description:
The ATA and SCSI Sanitize Overwrite command instructs the drive to overwrite all drive data in both storage and on-drive cache with zeros. This feature is typically implemented on HDDs but is available on some SSDs. For drives that do not support Sanitize – Overwrite, TD4 will indicate this limitation during wipe type selection.
Note that, for SSDs that support Sanitize Overwrite, in addition to all user-accessible drive space, over-provisioned space and other space reserved by the drive’s internal controller will also be erased.
TD4 will force removal of any detected HPA/DCO/AMA configurations prior to starting a Sanitize Overwrite wipe.


Option: NIST 800-88 R1 Clear
Description:
A NIST Clear wipe will perform an overwrite wipe with post-wipe verification. For USB drives it will perform three passes, and for all other drives it will perform one pass.
TD4 will force removal of any detected HPA/DCO/AMA configurations prior to starting a NIST 800-88 R1 Clear wipe.
For more details regarding NIST 800-88 R1 Clear, refer to SP 800-88 r1: Guidelines for Media Sanitization which is available on NIST’s web site.

Option: NIST 800-88 R1 Purge
Description:
A NIST Purge wipe is only possible if the drive supports certain wipe commands. For SSDs that support Sanitize Block Erase, that method will be used with post-wipe verification. Otherwise, if a drive supports Sanitize – Overwrite (HDD or SSD), then that method will be used with post-wipe verification. Drives that do not support either of these commands cannot be NIST 800-88 R1 Purged, and the TD4 will indicate this limitation during wipe type selection.
TD4 will force removal of any detected HPA/DCO/AMA configurations prior to starting a NIST 800-88 R1 Purge wipe.
For more details regarding NIST 800-88 R1 Purge, refer to SP 800-88 r1: Guidelines for Media Sanitization which is available on NIST’s web site.

Note: Secure Erase and Sanitize wipes have notable nuances, as follows:
· The exact differences between Secure Erase and Sanitize can be subtle, depending on the drive manufacturer’s implementation. But, in general terms, Secure Erase is adequate for environments that are not concerned with removing any evidence of previous data in the physical memory chips. Secure Erase will guarantee that a typical host system read will return only wiped data, but someone with advanced capabilities to do chip-off memory structure analysis could theoretically discern previous data bit states. Sanitize is meant to cover situations that demand more secure data removal where advanced data retrieval techniques are of concern, with the downside of it taking much longer to complete.
· Secure Erase and Sanitize command requirements do not guarantee the final state of the data on wiped drives, which can result in wipe job failures that are out of TD4’s control. From OpenText empirical testing over a large sample size of drives from different manufacturers, Secure Erase will reliably wipe drives in a very short period of time, but with a higher likelihood of a non-deterministic data state when complete, which makes reliable verification impossible. Sanitize has proven to be more reliable in clearing all data to zeros, which allows for post-wipe verification. If you experience Sanitize wipe verification failures, contact OpenText My Support at https://support.opentext.com to report the specific make and model of the drive, and the Tableau team will investigate.
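An independent check of the overwrite results described in the wipe table above, as an added example that is not OpenText code: it reads a raw image or device and reports whether every 16-bit word repeats the first one, and at which byte offset stale data first appears. The function names are this example's own, and because the guide does not state the byte order of the third-pass value, the pattern is reported as raw bytes.

```python
import io


def classify(pattern):
    """Map the repeating 16-bit word to the wipe pass it is consistent with."""
    if pattern == b"\x00\x00":
        return "zeros"     # Single Pass, first Multiple Pass write, or a cleared Sanitize
    if pattern == b"\xff\xff":
        return "ones"      # second Multiple Pass write
    return "constant"      # consistent with the third pass (0x0001 to 0xFFFE)


def _result(uniform, kind, pattern, checked, mismatch):
    return {
        "uniform": uniform,
        "kind": kind,
        "pattern": pattern,
        "bytes_checked": checked,
        "first_mismatch": mismatch,
    }


def verify_constant_wipe(stream, chunk_size=1 << 20):
    """Check that a binary stream consists of one repeating 16-bit word.

    The first two bytes define the expected word. Each later chunk is
    compared against that word, taking the current offset's parity into
    account so that odd-sized or short reads stay aligned.
    """
    pattern = stream.read(2)
    if len(pattern) < 2:
        return _result(False, "too short", pattern, len(pattern), None)
    offset = 2
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return _result(True, classify(pattern), pattern, offset, None)
        phase = offset % 2
        expected = (pattern * (len(chunk) // 2 + 2))[phase:phase + len(chunk)]
        if chunk != expected:
            # Locate the first byte that deviates from the wipe pattern.
            bad = next(i for i, (a, b) in enumerate(zip(chunk, expected)) if a != b)
            return _result(False, "not uniform", pattern, offset + bad, offset + bad)
        offset += len(chunk)


def verify_path(path, chunk_size=1 << 20):
    """Run the check on an image file or a block device node (read-only)."""
    with open(path, "rb") as handle:
        return verify_constant_wipe(handle, chunk_size)


if __name__ == "__main__":
    # Constructed sample data standing in for wiped media.
    wiped = io.BytesIO(b"\x3c\xa5" * 4096)
    print(verify_constant_wipe(wiped, chunk_size=1024))

    stale = bytearray(8192)
    stale[5000:5004] = b"DATA"          # constructed remnant of earlier content
    print(verify_constant_wipe(io.BytesIO(bytes(stale)), chunk_size=1024))
```

A "not uniform" result after a Secure Erase is not by itself a failure, since the guide notes that the post-wipe state for that method is manufacturer dependent.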

4.6.2.5 Encrypting destination and accessory drives
TD4 can encrypt destination and accessory drives using password-based XTS-AES whole disk encryption. This Tableau-based encryption is compatible with the Tableau TD2u Forensic Duplicator, TX1 Tableau Forensic Imager, and the open source VeraCrypt utility. Encryption can only be set up on destination and accessory drives as it requires a write modification to the drive.
Caution
The encryption process overwrites the destination/accessory drive, so remember to encrypt the destination drive before using it in a TD4 acquisition job.
To encrypt a drive attached to a TD4 destination or accessory port, select Encrypt from the Reconfigure option list. Enter the desired encryption password and then tap the Start button.
Note: TD4 supports auto-capitalization for text entry fields. This means that the first character in an entry will be capitalized, and subsequent character entries will be automatically switched to lower case. The exception is password entry fields. Auto-capitalization is disabled for password entry fields to avoid confusion and prevent incorrect password entries. It is recommended to double-check password entries by viewing them in plain text (using the eye icon at the end of the entry field) before submission.
A Tableau-encrypted destination or accessory drive can be unlocked with the password to allow browsing or imaging/restoring to the encrypted container.
A Tableau-encrypted source drive can be unlocked with the password to allow browsing or imaging/restoring of the drive’s unencrypted contents to a destination drive.
OpenText is not able to recover lost passwords for TD4 encrypted media, so take appropriate steps to ensure you never lose your password.
To remove encryption from a drive, connect the drive to a TD4 destination or accessory port and then, without unlocking the encryption, wipe the drive.
Note: If a Tableau encrypted drive is unlocked prior to wiping, the encryption will remain intact and only the contents of the unlocked encryption container will be wiped. If clearing the encrypted state is desired, the drive’s encryption must remain locked prior to initiating a wipe.


4.6.2.6 Formatting destination and accessory drives
To perform an image duplication to or save logs to a drive, you must format the destination or accessory drive with a filesystem that is recognizable by TD4. TD4 supports formatting destination and accessory drives in the following filesystem formats: exFAT, NTFS, FAT, HFS+, or EXT4.
Note: TD4 cannot format a drive with an APFS nor write to a drive with a preexisting APFS. It will mount APFS formatted volumes as read-only on all TD4 ports (source, destination, and accessory). Such filesystems are not usable for any activities that require writing, even on destination and accessory ports.
exFAT is recommended for best compatibility when accessing drives with all modern operating systems. EXT4 is recommended for use with Linux forensic tools. HFS+ is recommended for use with MacOS forensic tools.
Note: When FAT is selected as the filesystem type for a destination drive format, TD4 will format the drive as FAT32. However, job logs (including the format log) and all user interface elements will simply show this as FAT. That is because TD4 supports reading from all FAT formats (12, 16, and 32) and simply identifying them all as FAT is considered acceptable and accurate for filesystem identification purposes.
To format a destination or accessory drive, attach the drive to the desired TD4 port and then tap on the associated drive tile on the TD4 home screen. Tap the Reconfigure button in the Contents section of the drive details screen and then select the Format option. Select the desired filesystem type and then tap the Start button.
Note: OpenText strongly recommends not using FAT as a destination or accessory drive filesystem. On TD4, FAT filesystems are limited to a maximum output file size of 2GB and reading from or writing to them is known to be slower than other filesystem types. Also, FAT does not support drives over 2TB.
4.6.3 Opal encryption
Opal encryption is a hardware-based encryption method that is managed by the controller on the drive with only minimal host system interaction. Opal is an industry standard created by the Trusted Computing Group (TCG) consortium that defines, among other things, the interface protocol to these types of hardware encrypted drives. These are commonly referred to as self-encrypting drives (SEDs) as the host system does little more than provide a front-end interface to manage the encryption. The control system on the drive is responsible for encrypting/unencrypting all stored data on the drive and controlling access to it.
TD4 can detect Opal SEDs that have had their encryption enabled and will warn of the presence of Opal encryption in various places in the user interface and forensic logs. A detected locked Opal drive will have a red lock icon (with the lock closed) on the edge of its home screen drive tile. Such a drive will also include a warning message near the top of the drive details screen indicating the drive is a locked Opal drive and that it cannot be read, as shown in the screenshot below.

Note that Opal drives that have not had their encryption enabled will behave as regular, non-encrypted drives.
An additional consideration for Opal drives is a unique configuration that exposes a shadow MBR. This shadow MBR can be enabled by drive/system developers to expose a small portion of the drive as a non-encrypted container, which overrides the main drive information presented to the host. A typical use case for this configuration is to enable computer manufacturers to request credentials from a user before revealing the main portion of the drive. Regardless of the use case, it is important to be able to identify situations where only the shadow MBR is revealed, to make it clear that the entire drive contents are not being seen. TD4 will detect when an Opal shadow MBR is enabled, and clearly inform of its presence. The lock icon will show in the affected drive tile on the home screen, and the presence of an Opal MBR will be explicitly called out in the drive details screen. Currently, management of Opal encryption is not supported by TD4 (including Opal encryption unlock and Opal shadow MBR disablement). Please contact OpenText Customer Support for acquisition options for such drives.

Caution
Docking station type devices that have Opal drives in them must support ATA command pass-through for TD4 to properly detect the presence of Opal encryption. Docking stations that do not support ATA command pass-through may present locked Opal media as all zeros with no indication of Opal encryption being present in the TD4 user interface. Use caution when acquiring any media via a docking station. If you suspect a drive in a docking station is Opal encrypted but is not being presented that way in the TD4 user interface, removing the drive from the enclosure and connecting it directly to TD4 may yield the desired outcome.
4.6.4 APFS and BitLocker encryption
TD4 can detect the presence of filesystems encrypted with Apple’s APFS and Microsoft’s BitLocker encryption. These encryption methods only apply to filesystems, which is distinct from full (or whole) disk encryption methods that are applied at the drive level, regardless of formatting. As a result, indicating the presence of APFS and BitLocker encryption on TD4 is done differently than the other detectable full disk encryption types (Tableau and Opal).
TD4 will show the presence of APFS and BitLocker encryption in the filesystem tiles shown on the drive details screen, as shown in the screenshots below.
Note: Unlike the other full disk encryption methods (Tableau and Opal), drives with APFS and BitLocker encrypted filesystems can be physically acquired (Duplication job) in their locked state, and then unlocked during subsequent investigative workflow steps using tools such as OpenText EnCase Forensic.

4.7 Browsing
The browse function provides an easy way to view the contents of a mounted filesystem. To browse a filesystem, tap the desired drive tile from the home screen. The drive details screen for the selected drive will be displayed. For drives with at least one mounted filesystem, the Contents section of the drive details screen will show general information about the partition(s)/filesystem(s), and a filesystem card will be displayed showing key information for each filesystem. To browse a given filesystem, simply tap the filesystem card from the Contents section of the drive details screen, which will display a browse modal. A sample browse modal is shown below.


The top part of the browse window will show the filesystem information, followed by the current file path. The starting path location is always the root of the filesystem, as indicated by the forward slash (/) just above the filesystem contents section. That path information will be updated as folders are navigated to always indicate the current path.
In the browser portion of the screen, you can scroll up and down to view the list of directories and files. Scrolling right/left is also enabled if filenames are long and go off the screen. The size of each file is shown in parentheses at the end of the filename.
To open individual directories, double-tap the directory name or single-tap the directory to select, and then tap the open directory icon. Tap the up directory icon to back out of a directory.
For destination and accessory drives, new directories can be created and directories/files can be deleted. To create a new directory, simply tap the create directory icon and enter the new directory name. To delete a directory or file, single-tap the directory or file to select, and then tap the delete icon.

4.8 Case information
Case information is a key part of any digital investigation. When entered on TD4, case information will be displayed in key places throughout the user interface during job execution and captured in forensic logs. This allows easy correlation of key acquisition artifacts with specific cases throughout an investigation.
To enter case information, expand the Case Info function tile from the home screen. Tap each of the fields to enter the desired text. Note that text entry fields on TD4 are live. That means what you type will automatically be saved when you navigate away from the text entry field, with no need to explicitly save the new entry.
The following case information can be entered on TD4: Examiner Name, Case ID, and Case Notes.
At the bottom of the Case Info function tile is a selection box that will drive a prompt to enter Job Notes at the start of each job. When this box is checked, an advanced settings screen will appear before the start of each job that allows Job Notes to be entered. This allows for specific information about a particular piece of digital evidence to be entered and captured in the forensic log for each job.
4.9 Duplicating
TD4 will duplicate one source drive to up to five destination drives. Only one source may be connected at a time and thus only one forensic job can be run at a time. For a given job, the destinations can be a mix of cloned and imaged copies.
Note: This section is focused on whole-disk duplication operations, also known as physical imaging. See “Logical imaging” on page 68 for details on that alternative acquisition method.
Before starting any forensic job, TD4 automatically checks for preconditions. These preconditions are related to specific job setup parameters that could impact the ability of TD4 to execute the desired job. Some preconditions produce warnings that appear in the expanded function tile on the home screen. Some of those warnings require changes before being able to start the job, while others are informational and do not prevent the job from starting. For any precondition checks that may require changes, an advanced settings screen will appear after pressing the Start button to allow the appropriate settings to be adjusted before starting the job.


4.9.1 Cloning
A clone, also known as a disk-to-disk duplication, makes an exact copy of the source drive to the destination drive(s).
TD4 will automatically select clone for any destinations that have no detectable filesystems. If any such destinations are connected, an informational message will appear in the expanded Duplicate function tile on the home screen to indicate that those drives will be clones.
Note: The icon indicates no detectable filesystems and will be shown next to the clone informational message in the expanded Duplicate function tile and on the left side of any applicable destination drive tiles. Those types of destination drives will always become a clone of the source drive.
It is best practice to wipe destination media before duplicating to it as this can help to identify potentially defective media and bad sectors, and it can reduce the risk of cross-contaminating a clone duplication with stale data.
Note that, at the beginning of clone and restore jobs, TD4 prepares the destination drive by wiping sectors 0, 1, and end-of-drive minus 1. This ensures there is no stale partition table data on the drive, which reduces the possibility of drive detection issues at the end of the job.
Note: Because partition table information is relative to the sector size of the source drive, cloning to a destination drive with a different sector size is not allowed. TD4 will detect this sector size mismatch issue and warn the user. This condition will need to be rectified before the clone job can be started.
4.9.2 Imaging
An image, also known as disk-to-file duplication, copies the source drive to a series of files (sometimes called segments) on the destination drive. TD4 supports EnCase file formats Ex01 and E01 and raw file formats dd and dmg. For Ex01 and E01 output types, compression is supported and enabled by default.
For image file outputs, the maximum segment size can be set in system settings to any of the following: 2 GB, 4 GB, 8 GB, or Unlimited. Smaller segments create more segment files and Unlimited creates one large file segment.
Note: Not all image file size options are available in all situations. Due to filesystem addressing limitations, FAT32 formatted destinations have a maximum file size of 2 GB.
If the destination drive is smaller than the source, a dd or dmg image will not fit on the destination drive. However, if using Ex01 or E01, the source drive may fit on a smaller drive because these formats can compress the data before writing to the destination drive. There is no guarantee that the data will be compressed enough to fit on a smaller destination drive, especially in cases where the data is mostly incompressible such as encrypted data.

Note: Be careful when attempting to image a source drive to a same size or smaller destination drive, even if compression is enabled. Image file formatting adds overhead and, when coupled with incompressible data (such as encrypted data), a larger destination drive may be needed.
If the available filesystem space on a destination drive is the same size as or smaller than the source drive for an imaging job (Ex01 or E01 format), and compression is disabled, TD4 will prevent the job from being started. Enable compression and/or use a destination with more available filesystem space to be able to start such a job.
4.9.3 Performing a duplication
To perform a duplication:
1. Follow the steps listed in “Connecting drives” on page 27 to connect the source drive and destination drive(s).
2. Ensure that all destination drives are formatted according to the type of duplication job output desired for each drive. Destinations that have filesystems will automatically receive an image file type output according to the ‘Duplicate’ File Type system setting (Ex01, E01, DD, or DMG). Destinations that have no detectable filesystems will automatically receive a clone of the source drive.
Note: When no filesystems are detected on a destination drive, that drive will automatically receive a clone of the source drive. In this case, a message will appear in the Duplicate function tile before job start and a small icon will appear there and on the home screen drive tile to indicate that the drive will be a clone. That icon will also be present on the destination drive tile within the job status screen.
3. Expand the Duplicate function tile on the home screen. A summary of the main job settings will be shown along with any pertinent warning messages, as can be seen in the screenshot below. Verify the settings, resolve any blocking warnings, and then tap the Start button. If none of the settings are set to prompt and there are no other job configuration issues that need to be resolved, the job will start, and the job status screen will be displayed.


If any of the job settings are set to Prompt, the advanced settings screen will appear which will allow selection of the specific settings desired for the impending job. The Prompt option is available for the following system settings: Hashes, ‘Duplicate’ File Type, Readback Verification, and Trim Clones.
If there are any issues with the job setup/configuration that TD4 considers to be blocking or of forensic significance, the advanced settings screen will appear and provide information about the issue and the ability to rectify it, if possible. An example of a blocking configuration issue is if a SHA-256 hash is selected with E01 file type output. E01 does not support SHA-256 hashes.
The screenshot below is an example of the advanced settings screen for a Duplicate job with a Prompt setting (Readback Verification) and an issue of forensic significance (DCO present on source).


Once all the advanced setup screen settings have been resolved/verified, tap the Start button to begin the Duplication job.
4. After a Duplication job is started, a job status screen will appear, as shown below.


You may cancel an active job by tapping Cancel in the bottom-right corner of the job status screen. You may also export the job log from this screen (even for in-progress jobs, if desired) by tapping the Export button in the bottom-left corner and then selecting the desired destination or accessory drive/filesystem.
The source and destination drives used in a job are shown near the bottom of the job status screen. These drive cards provide basic drive information, such as the connected port name, the overall size of the drive, and either the Evidence ID (if entered) or the drive’s make/model/serial number.
Note: The drive cards in the job status screen can be tapped to show detailed drive information. However, when drive details are viewed from this area, the information is considered historical as of the start of the job, as indicated by date and time information in the top-right corner of the drive details screen. This means that changes to drive information during the job (such as reduced free space on the destination drive) will not be reflected and browsing of any mounted filesystems is disabled. To see a live version of the drive details and to be able to browse mounted filesystems (even during an active job), use the drive tiles on the home screen to access the drive details screens.


Icons will appear on the job status screen drive cards to provide at-a-glance indication of things like no detectable filesystem present, HPA/DCO/AMA in place, or the presence of Tableau encryption (locked or unlocked).
Note: An easy way to tell which destination drives are getting which type of Duplication job output (clone or image) is to look for the ‘no filesystem’ icon in the top-right area of the destination drive cards on the job status screen. Seeing that icon means that drive will be made a clone of the source drive.
4.9.4 Files created during disk-to-file duplication
When performing an image-based duplication job, TD4 creates files (sometimes called segments) on the destination drive that contain the data copied from the drive.
Segments are written to the destination drive according to the following convention (Ex01 output shown as an example):
[directory_name]/
[filename].Ex01
[filename].Ex02
.
.
.
[filename].Ex99
[filename].log.html
[filename].td4_packed_log
[directory_name] is defined in the Evidence File Path Directory setting. The default value is /td4images/%d%t/, where %d is the current date and %t is the current time at the start of the Duplication job.
[filename] is defined in the Evidence File Path Filename setting. The default value is image.
[filename].Ex01 (or .E01 or, for dd/dmg outputs, .001) is the first segment or portion of the data copied from the source drive. All other segments have sequential standard segment names (for example, [filename].Ex02, [filename].Ex03, and so on). Note that, for cancelled or failed jobs, there may also be a [filename].Ex01.partial file in the output directory.
Note: The Max File Size system setting will determine the size of the output segment files. The options are 2GB, 4GB, 8GB, and Unlimited. The information above regarding segment file naming conventions applies to all but the Unlimited setting. For Unlimited, TD4 will capture all source drive data in one large segment file on each destination with an extension of .EX01, .E01, or, for dd/dmg, .001. Also, due to a FAT32 filesystem limitation, if any one of the destination drives is formatted as FAT32, all destinations will get 2GB segment files.
TD4 generates a [filename].log.html file for each image job. This is the forensic log for each job. It also creates a [filename].TD4_packed_log file, which can be used to do a standalone verification of the original image or to restore an image file to the original drive format.
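A completeness check for an output directory that follows the naming convention above, as an added example that is not part of the guide or of any OpenText tool: it orders the segments, reports gaps in the numbering, flags .partial files left by cancelled or failed jobs, and confirms that both log files are present. The function names are hypothetical, only the numeric suffixes shown in the guide are recognised, and the hash helper assumes raw (dd/dmg) segments are consecutive slices of the source data.

```python
import hashlib
import re

# Matches .Ex01/.E01 style and raw .001 style suffixes, optionally followed
# by .partial. Extensions are compared case-insensitively because the guide
# prints both .Ex01 and .EX01.
SEGMENT_RE = re.compile(r"\.(?:(Ex|E)(\d{2})|(\d{3}))(\.partial)?$", re.IGNORECASE)


def audit_segments(filenames, base="image"):
    """Summarise the segment set for one image in a directory listing."""
    segments = {}      # segment number -> filename
    partial = []
    formats = set()
    for name in filenames:
        match = SEGMENT_RE.search(name)
        if not match or name[:match.start()] != base:
            continue
        number = int(match.group(2) or match.group(3))
        if match.group(4):
            partial.append(name)
            continue
        segments[number] = name
        formats.add((match.group(1) or "raw").lower())
    lowered = {name.lower() for name in filenames}
    highest = max(segments, default=0)
    return {
        "formats": sorted(formats),                 # more than one entry means mixed output
        "ordered": [segments[n] for n in sorted(segments)],
        "missing_numbers": [n for n in range(1, highest + 1) if n not in segments],
        "partial_files": sorted(partial),
        "has_log": f"{base}.log.html".lower() in lowered,
        "has_packed_log": f"{base}.td4_packed_log".lower() in lowered,
    }


def hash_raw_segments(paths, algorithm="sha256", chunk_size=1 << 20):
    """Hash raw segments in the given order as one continuous stream."""
    digest = hashlib.new(algorithm)
    for path in paths:
        with open(path, "rb") as handle:
            for chunk in iter(lambda: handle.read(chunk_size), b""):
                digest.update(chunk)
    return digest.hexdigest()


if __name__ == "__main__":
    # Constructed directory listing: segment 3 is absent and a .partial remains.
    listing = [
        "image.Ex01", "image.Ex02", "image.Ex04", "image.Ex05.partial",
        "image.log.html", "image.TD4_packed_log",
    ]
    for key, value in audit_segments(listing).items():
        print(f"{key}: {value}")
```

Pass the "ordered" list (joined with the directory path) to hash_raw_segments for dd or dmg output and compare the digest with the value recorded in the forensic log.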
4.9.5 Pausing and resuming a duplication job
In certain situations, significant amounts of imaging time can be saved by being able to pause and later resume a duplication job. And losing hours of imaging time due to an unexpected power loss can be frustrating and inefficient. TD4 has you covered, providing the means to pause and resume imaging jobs with the following output file formats: e01, ex01, dd, and dmg.
To pause a running duplication imaging job, simply tap the Pause button near the top of the active job status screen and confirm your desire to pause the job. The job will be paused, as shown in the screenshot below.


To resume a paused job, tap the Play button near the top of the job status screen. If the job status screen of a paused job is not currently displayed, it can be redisplayed by tapping on the paused job in the Job History list.
Note: If an imaging job has been paused and a new Duplicate job is started, that new job will start from the beginning. To resume a previously paused job, you must locate the paused job in the Job History list and tap on it to display its job status screen before tapping the Play button.
If the Play button is grayed out on the job status screen of a previously paused job, it likely means that the job conditions are not the same as before the pause. This can include obvious conditions like the original source and destination drives not being present. Another possible reason for an inactive Play button is if the destination is full-disk encrypted and the unit was power cycled after the initial pause, and the encryption was not unlocked after the subsequent power up. In general, check to make sure that the job conditions are exactly the same prior to attempting to resume a previously paused job.
TX1 also supports resuming a job after a power loss. For the supported job types (e01, ex01, dd, dmg), if power is unexpectedly lost during an imaging job (including manual shut down from power button long press), it can be resumed after power is restored. To resume a job after a power loss event, make sure the original drives are connected to TD4 before turning it back on. Then locate the paused job in the Job History screen. Note that paused jobs will show with a partially completed blue status bar. Tap on the paused job to view its job status screen, and then tap on the Play button to resume the job.
The forensic logs for paused and resumed jobs will provide some specific and unique information. The information differs slightly depending on the source of the pause event (manually initiated or power loss). In the case of a manual pause event, a line will be added to the log to indicate the date and time of the event. Each subsequent pause (if manually initiated) and resume event is logged, providing an accurate capture of how many pause/resume cycles occurred during the job. When unexpected power loss is the cause of the pause, there is no time for the system to log the pause time before shutting down, so that information is unavailable and thus not included in the log. In that case, a message is added to the log after the job is resumed to indicate that the missing pause information is likely due to a power loss event, and the job’s elapsed time is not calculated, since it cannot be accurately determined. The following log sample shows a completed power loss paused/ resumed job. Note that, had this been a manually paused/resumed job, the line with the possible power loss warning would be replaced by a Paused field, with the date and time of the pause event.

4.10 Logical imaging
TD4 provides the ability to logically image source drive folders and files from detectable filesystems. When used in conjunction with physical disk imaging, logical imaging enables rapid acquisition of source file data, providing TD4 users the ability to balance thoroughness with acquisition time and effort for the demands of a given case.
TD4 logical imaging jobs will create industry standard Lx01 logical evidence files, which are compatible with EnCase Forensic and other common digital forensics investigation tools. Each logical imaging job will also create a forensic log file, with a file extension of .log.html. For details on all logical imaging output files, see “Files created during a logical image job” on page 73.
TD4 logical imaging acquires all files/folders on the source filesystem with no opportunity to down select or target specific files/folders as is possible on TX1. TD4 logical imaging is still considered a valuable option for time-sensitive situations where acquiring a full physical image of the drive is not possible or to get a jump on file analysis/triage while a secondary physical image is being acquired.
Due to the fact that source file data compressibility is not determined prior to starting a logical imaging job, it is not possible to determine with certainty if the data from a source filesystem will fit on a destination filesystem. As a result, TD4 only warns the user that a destination may be too small when the used space of the source filesystem is larger than the available space on the destination, and the job can still be started. However, if the source data is highly incompressible (or if compression is disabled), it is possible for the destination filesystem to become full, thus causing the job to fail.
Note: Use caution when attempting to logically image from a source filesystem to a smaller destination filesystem. If the source data is not compressible, the job may fail due to lack of space on the destination.
Unlike a physical duplication job, the option of shelving a source drive DCO/AMA (removing it and then re-applying it at the end of the job) does not exist in logical imaging. The existence of a DCO or AMA will be obvious (per warnings in multiple locations), but the DCO/AMA will need to be permanently removed using the Remove HPA/DCO/AMA utility before gaining access to all portions of the source media.
Filesystem read errors encountered during logical imaging jobs may result in unpredictable acquisition behavior. When they occur, such errors are indicated by a red warning message at the top of the Logical Image progress section of the job status screen. TD4 will skip any file that results in a read error and will attempt to read any remaining files. The CSV output will show an error status for any files that were not acquired. If you encounter filesystem read errors during a logical imaging job, we recommend that you clone or physically image the drive (e01, ex01, dd, dmg) instead of trying to do a logical image.

4.10.1 Performing a logical image
To perform a logical image:
1. Follow the steps listed in “Connecting drives” on page 27 to connect the source and destination drives.
2. Ensure that all destination drives have at least one mountable filesystem. Destinations that have mounted filesystems will receive an Lx01 image file output. Destinations that have no detectable filesystems will not receive any outputs from a Logical Image job.
Note: Each destination drive used in a Logical Image job must have a filesystem to store the resulting acquisition output files. If any of the attached destination drives do not have a detectable filesystem, a warning message will appear above the Start button indicating that destinations must have filesystems. If there is at least one destination drive with a filesystem, the Logical Image job may still be started, but only the destinations that have mounted filesystems will receive the output evidence files.
3. Expand the Logical Image function tile on the home screen. A summary of the main job settings will be shown along with any pertinent warning messages as can be seen in the screenshot below. Verify the settings, resolve any blocking warnings, and then tap the Start button. If none of the settings are set to prompt and there are no other job configuration issues that need to be resolved, the job will start, and the job status screen will be displayed.


If any of the job settings are set to Prompt, an advanced settings screen will appear which will allow selection of the specific settings desired for the impending job. The Prompt option is available for the following system settings related to Logical Imaging: Hashes and Readback Verification.
If there are any issues with the Logical Image job setup/configuration that TD4 considers to be blocking or of forensic significance, an advanced settings screen will appear and provide information about the issue and the ability to rectify it, if possible. An example of a blocking configuration issue is if SHA-256 is selected in system settings. LX01 does not support SHA-256 hashing.
The screenshot below is an example of the advanced settings screen for a Logical Image job with a Prompt setting (Readback Verification) and an issue of forensic significance (SHA-256 selected). Note that the items that directly caused the advanced settings screen to be displayed are shown as expanded but that other, potentially related setting items will also appear in that screen unexpanded.


Once all the advanced settings screen settings have been resolved/verified, tap the Start button to begin the Logical Image job.
Note: As indicated by the informative message in the screenshot above (“This is your system default”), whenever a setting is changed in an advanced settings screen as part of the setup for a specific job, that is equivalent to changing that setting in the main Settings menu.
4. After a Logical Image job is started, its job status screen will appear, as shown below.


The number of files found on the source filesystem along with the total size of those files is shown just under the header section of the job status screen, above the Logical Image progress bar. Note that TD4 logical imaging acquires all files/folders on the source filesystem with no opportunity to down select or target specific files/folders as is possible on TX1.
You may cancel an active Logical Image job by tapping Cancel in the bottom-right corner of the job status screen. You may also Export the job log from this screen (even for an in-progress job, if desired) by tapping the Export button in the bottom-left corner and then selecting the desired destination or accessory drive/filesystem.
The source and destination drives used in a Logical Image job are shown near the bottom of the job status screen. These drive cards provide basic drive information, such as the connected port name, the overall size of the drive, and either the Evidence ID (if entered) or the drive’s make/model/serial number. Icons will appear on these drive cards to provide at-a-glance indication of things like no detectable filesystem present, HPA/DCO/AMA in place, or the presence of Tableau encryption (locked or unlocked).
Note: The drive cards in the job status screen can be tapped to show detailed drive information. However, when drive details are viewed from this area, the information is considered historical as of the start of the job, as indicated by date and time information in the top-right corner of the drive details screen. This means that changes to drive information during the job (such as reduced free space on the destination drive) will not be reflected and browsing of any mounted filesystems is disabled. To see a live version of the drive details and to be able to browse mounted filesystems (even during an active job), use the drive tiles on the home screen to access the drive details screens.
4.10.2 Files created during a logical image job
When performing a logical image on TD4, multiple different files may be output to each destination depending on the job configuration, as follows:
· {image_name}.Lx01, {image_name}.Lx02, etc. are the forensic evidence files for the operation. They contain all the data and metadata for each file and folder acquired.
· {image_name}.csv is a comma-separated values file that contains certain metadata for every file and folder acquired. This type of file can easily be imported into many common data processing applications such as Microsoft Excel. CSV file data contents and format information can be found in “Source file metadata” on page 73.
· {image_name}.log.html contains the forensic log of the logical imaging job.
· {image_name}.TD4_packed_log contains a TD4 readable copy of the forensic log that can later be used for standalone verification of the Lx01 file set.
4.10.3 Logical image verification
Verification of Lx01 files differs from verification of physical imaging operations because, in an Lx01 file, there is no overall hash. Each file’s data stored in the Lx01 has an associated hash that was calculated during the original acquisition. The logical imaging verification function reads back the file data from the Lx01 on the destination, calculates a new hash value for each file, and compares that hash value to the originally stored acquisition hash value. A failure of any one file to match the original acquisition hash value will result in a verification failure.
4.10.4 Source file metadata
Logical imaging with TD4 includes source file metadata in the CSV output file, as shown in the table below.

| Column | Content |
| --- | --- |
| Path | Contains the full, filesystem-relative path for this entry. Example: /users/charles/pictures. |
| Type | Either contains “Directory,” “Symlink,” or “File,” depending on what kind of entry this row represents. |
| Filesize | The file size, in bytes, of the entry. This field is empty for directories. |
| Creation Date | The ISO 8601 UTC date/time string for the creation date of this entry. This field is empty if the creation date is unavailable. |
| Accessed Date | The ISO 8601 UTC date/time string for the accessed date of this entry. This field is empty if the accessed date is unavailable. |
| Modified Date | The ISO 8601 UTC date/time string for the modified date of this entry. This field is empty if the modified date is unavailable. |
| Written Date | The ISO 8601 UTC date/time string for the written date of this entry. This field is empty if the written date is unavailable. |
| MD5 Hash | The MD5 Hash of the entry. This field is empty for directories. It is also empty if no MD5 hash was calculated, no MD5 hash was configured, or the entry did not match the rules for acquisition. |
| SHA1 Hash | The SHA1 Hash of the entry. This field is empty for directories. It is also empty if no SHA1 hash was calculated, no SHA1 hash was configured, or the entry did not match the rules for acquisition. |
| File Status | OK if there were no problems reading file data/metadata. ERRORS if there were errors reading file data and/or metadata. |
| Matched Rules | This field is empty for directories. “Y” if the file matched the acquisition’s rules for inclusion. For TD4, this will always show a match as file/folder down selection/filtering is not supported. |
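The CSV columns above and the all-or-nothing rule from “Logical image verification” can be exercised on a separate computer. The following Python script is an added example, not OpenText code: it assumes the CSV header row uses the column names from the table, and `open_file` is a hypothetical callable that returns a copy of each acquired file (for example, one exported from the Lx01 set by a forensic tool). The sample rows are constructed.

```python
import csv
import hashlib
import io
from datetime import datetime

# Assumption: header names in {image_name}.csv match the guide's column names.
DATE_COLUMNS = ("Creation Date", "Accessed Date", "Modified Date", "Written Date")
HASH_COLUMNS = {"MD5 Hash": "md5", "SHA1 Hash": "sha1"}  # CSV column -> hashlib name


def load_entries(csv_text):
    """Parse the CSV text into one dict per acquired file/folder entry."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def parses_as_iso8601(value):
    """True if the value is an ISO 8601 date/time string Python can parse."""
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def triage(entries):
    """Collect entries an examiner should review before relying on the image."""
    report = {"read_errors": [], "unhashed_files": [], "bad_dates": []}
    for e in entries:
        if e["File Status"] == "ERRORS":
            report["read_errors"].append(e["Path"])  # file was skipped by TD4
        elif e["Type"] == "File" and not any(e[c] for c in HASH_COLUMNS):
            report["unhashed_files"].append(e["Path"])
        for col in DATE_COLUMNS:
            if e[col] and not parses_as_iso8601(e[col]):
                report["bad_dates"].append((e["Path"], col))
    return report


def hash_stream(stream, algorithms, chunk_size=1 << 20):
    """Hash a binary stream with several algorithms in a single pass."""
    hashers = {alg: hashlib.new(alg) for alg in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def verify_files(entries, open_file):
    """Re-hash each acquired file and compare with the hashes stored in the CSV.

    open_file(path) is a hypothetical callable returning a binary stream.
    As with TD4's logical verification, one mismatch fails the whole run.
    """
    failures = []
    for e in entries:
        stored = {alg: e[col].lower() for col, alg in HASH_COLUMNS.items() if e[col]}
        if e["Type"] != "File" or e["File Status"] != "OK" or not stored:
            continue
        with open_file(e["Path"]) as stream:
            computed = hash_stream(stream, stored)
        failures += [(e["Path"], alg) for alg in stored if computed[alg] != stored[alg]]
    return (not failures), failures


# --- Constructed sample data (not real case data) ---
SAMPLE_FILES = {
    "/users/charles/notes.txt": b"meeting at 10\n",
    "/users/charles/pictures/cat.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
}


def build_sample_csv():
    """Build a small CSV in the documented layout, with one unreadable file."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["Path", "Type", "Filesize", *DATE_COLUMNS,
                "MD5 Hash", "SHA1 Hash", "File Status", "Matched Rules"])
    ts = "2024-03-01T12:30:00Z"
    w.writerow(["/users/charles", "Directory", "", ts, ts, ts, ts, "", "", "", ""])
    for path, data in SAMPLE_FILES.items():
        w.writerow([path, "File", len(data), ts, ts, ts, ts,
                    hashlib.md5(data).hexdigest(),
                    hashlib.sha1(data).hexdigest(), "OK", "Y"])
    w.writerow(["/users/charles/locked.db", "File", 4096, ts, "", "not-a-date",
                ts, "", "", "ERRORS", "Y"])
    return out.getvalue()


if __name__ == "__main__":
    rows = load_entries(build_sample_csv())
    print(triage(rows))
    print(verify_files(rows, lambda p: io.BytesIO(SAMPLE_FILES[p])))
```

Entries listed under `read_errors` were not acquired, so they cannot be re-hashed and are skipped by `verify_files`.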

4.11 Hashing
Forensic practitioners may need to calculate the hash values, or fingerprints, for a source drive without making a copy of the drive. The Hash function can generate MD5, SHA-1, and SHA-256 hash values for a source drive, as determined by the Hashes system setting.
1. Follow the steps listed in “Connecting drives” on page 27 to connect the desired source drive.

Note: Since TD4 only allows one source drive to be used for any job, connect only the desired hash source drive and ensure no other source drives are attached. If any other source drives are attached, a warning will be provided in the Hash function tile and the Start button will be inactive (grayed out).
2. Expand the Hash function tile on the home screen. A summary of the pertinent job settings will be shown along with any applicable warning messages. Verify the settings, resolve any blocking warnings, and then tap the Start button. If none of the settings are set to Prompt and there are no other job configuration issues that need to be resolved, the job will start, and the job status screen will be displayed.

If the Hash system setting is set to Prompt, an advanced settings screen will appear which will allow selection of the hash types for the job. Select the desired hash types and then tap the Start button to begin the Hash job.
3. After the Hash job is started, the job status screen will appear, as shown below.

You may cancel an active Hash job by tapping Cancel in the bottom-right corner of the job status screen. You may also export the job log from this screen (even for an in-progress job, if desired) by tapping the Export button in the bottom-left corner and then selecting the desired destination or accessory drive/filesystem.
The source drive used in the Hash job will be shown near the bottom of the job status screen. This drive card provides basic drive information, such as the connected port name, the overall size of the drive, and either the Evidence ID (if entered) or the drive’s make/model/serial number. Icons will appear on these drive cards to provide at-a-glance indication of things like no detectable filesystem present, HPA/DCO/AMA in place, or the presence of Tableau encryption (locked or unlocked).
Note: The drive cards in the job status screen can be tapped to show detailed drive information. However, when drive details are viewed from this area, the information is considered historical as of the start of the job, as indicated by date/time information in the top-right corner of the drive details screen. To see a live version of the drive details and to be able to browse mounted filesystems, use the drive tiles on the home screen to access the drive details screen.
4.12 Verifying
The standalone Verify function verifies the integrity of an existing image file by reading back the data from the image file, calculating a hash value of that data, and then comparing that calculated hash value with the value of the original acquisition hash.
Note that, while the same Verify function can be used for standalone verification of physical and logical images, the underlying mechanism is different. This is because physical images contain whole disk acquisition hash values and logical images contain file-based acquisition hash values. No difference will be noticed during the verification job itself, but the source image type will make a difference in how the results are reported. For a physical image verification job, the drive-level readback hash values will be reported in the forensic log. For a logical image verification job, a simple pass/fail indication will be reported in the forensic log. A pass indicates that all the file-based verification hashes match the original acquisition file hashes. If any individual file in a logical image file fails to verify, the entire verification job will show as failed.
1. Follow the steps listed in “Connecting drives” on page 27 to connect the desired destination drive.
Note: Verification jobs use only destination or accessory drives as the source of the verification inputs.
2. Expand the Verify function tile on the home screen, and then tap the Start button.
3. In the advanced settings screen, tap the Select a log file button to launch a browse modal. Browse to the appropriate destination/accessory drive and filesystem, locate the desired .td4_packed_log file, and select that file by tapping it once. Then tap the Select button.
Note: When browsing for packed log files, only files with an extension of .td4_packed_log will be shown in the browse window.
4. Review the selected filesystem and file path information, and, if accurate, tap the Start button to begin the verification job. The Verify job status screen will appear.
You may cancel an active Verify job by tapping Cancel in the bottom-right corner of the job status screen. You may also Export the job log from this screen (even for an in-progress job, if desired) by tapping the Export button in the bottom-left corner and then selecting the desired destination or accessory drive/filesystem.


The drive used in the Verification job will be shown near the bottom of the job status screen. This drive card provides basic drive information, such as the connected port name, the overall size of the drive, and either the Evidence ID (if entered) or the drive’s make/model/serial number. Icons will appear on these drive cards to provide at-a-glance indication of things like no detectable filesystem present, HPA/DCO/AMA in place, or the presence of Tableau encryption (locked or unlocked).
Note: The drive cards in the job status screen can be tapped to show detailed drive information. However, when drive details are viewed from this area, the information is considered historical as of the start of the job, as indicated by the date and time information in the top-right corner of the drive details screen. To see a live version of the drive details and to be able to browse mounted filesystems, use the drive tiles on the home screen to access the drive details screen.
4.13 Restoring
The Restore function allows for recreation of the original drive format from a previously created TD4 forensic image file. The uses for this feature are varied but include the ability to use a restored drive as a system boot disk and to simply create an archival copy of the evidence in its original format for future case reference.
The Restore function works with all physical duplication image file types (E01, Ex01, dd, dmg). It does not support restoration from a logical image file set (Lx01).
It is best practice to wipe destination media before restoring to it as this can help to identify potentially defective media and bad sectors, and it can reduce the risk of cross-contaminating a restored drive with stale data.
Note that, at the beginning of a Restore job, TD4 prepares the destination drive by wiping sectors 0, 1, and end-of-drive minus 1. This ensures there is no stale partition table data on the drive which reduces the possibility of drive detection issues at the end of the job.
Note: Because partition table information is relative to the sector size of the source drive, restoring to a destination drive with a different sector size is not allowed. TD4 will detect this sector size mismatch issue and warn the user. This condition will need to be rectified before the Restore job can be started.
To restore a drive from an image file:
1. Follow the steps listed in “Connecting drives” on page 27 to connect the desired source and destination drives.
Note: Restore jobs use source drives as the source of the input files (packed log file and image segment files). Also, a Restore job will effectively wipe any destination drives that are attached/detected at the time the job is started. Make sure none of your destinations have critical files on them before starting a Restore job.
2. Expand the Restore function tile on the home screen, and then tap the Start button. The Restore Setup screen will appear.
3. In the Restore Setup screen, tap the Select a log file button to launch a browse modal. Browse to the appropriate source drive/filesystem, locate the desired .td4_packed_log file (the one from which you want to restore), and select that file by tapping it once. Then tap the Select button.
Note: When browsing for packed log files, only files with an extension of .td4_packed_log will be shown in the browse window.
4. Review the selected filesystem and file path information, verify any other settings in the Restore Setup screen, and, if everything is set properly, tap the Start button to begin the Restore job. The Restore job status screen will appear.
Notes
· During the Restore job, hashes are calculated as data is extracted from the source evidence file set and written out to the destination. These hashes are considered source hashes and are thus captured in the source section of the Restore job’s forensic log. Even if Readback Verification is not enabled for the Restore job, these source hashes are compared to the original physical image acquisition hashes and, if a mismatch is detected, the Restore job will fail.
· If Readback Verification is enabled for a Restore job, the portion of the destination drive that was written out during the Restore (which matches the size of the original source drive) will be read back, and readback hash values will be calculated and compared to the source hashes. If a mismatch is detected, the verification portion of the Restore job will fail. These readback hashes are captured in the destination section of the Restore job’s forensic log. Note that if the readback hash values matched the source hash values, they will be considered lower priority pieces of data in the HTML forensic logs and thus hidden by default. These hashes can be viewed by expanding the destination drive section(s) of the forensic log.


4.14 Forensic logs
TD4 generates a detailed log for all forensic jobs and most media utility operations. The information captured during each job is used to create both the job status screens seen in the user interface (available from the Job History list) and the forensic job logs that can be exported to an external drive. This section is specific to the exported forensic logs. For information on the Job History list and job status screens, see “Job history” on page 37 and “Job status” on page 36.
The detailed information captured in the forensic logs will depend on the job type. A summary of the information captured for an image-based duplication job is shown below. See the sample logs at the end of this section for some specific job log examples.
· Status: Overall job status (Incomplete, Ok, Error/Failed, Canceled), date/time stamps, identification of TD4 as the acquisition system, and the firmware version in use at the time of the acquisition. The following pieces of optional information will also be included in this section: Examiner name, Case ID, Case Notes, and Job Notes.
· Source: Source drive details, including overall drive information (Evidence ID (if set), interface type, TD4 port, make/model number, firmware version, serial number(s), protocol specific details (e.g., SCSI/USB info), HPA/DCO/AMA related information, RAID and encryption information, size/layout information, and the partition table type), partition details, and, if present and supported by TD4, filesystem specific information.
· Acquisition Results: Details about the acquisition aspects of the job, including block start and count numbers, acquisition hash values, and read error information.
· Configuration: Job configuration information, such as the output file format type, segment file size, and whether or not compression was enabled.
· Image Destination: Destination drive details, including readback verification hash values (if enabled for the job), overall drive information (interface type, TD4 port, make/model number, firmware version, serial number(s), protocol specific details (e.g., SCSI/USB info), HPA/DCO/AMA related information, RAID and encryption information, size/layout information, and the partition table type), partition details, and filesystem specific information.
· Failure Summary: If a failure occurred during the job, this section will be shown and will include a failure reason and code. Note that the failure code is not intended to be meaningful to the end user. In cases where customer support is required to resolve a job failure situation, the failure code should be noted and included in the incident report. This information will help in determining the root cause of the failure.
To access the job logs stored on your TD4, expand the Job History function tile on the home screen and then tap in the lower portion of the function tile. A list of all the jobs stored on the unit will be displayed. Tapping on a job will display its job status screen. Note that you cannot open and view forensic log files directly on TD4. Job status screens show the key information about the job, but the job log will need to be exported to a destination or accessory drive to be able to view the forensic log file on a separate computer.
4.14.1 Sample logs
Two sample logs are shown below – one from a successful duplication and one from a failed standalone verification. As shown in the HTML log samples, there are up/down arrows on the right side of each section header. A down arrow indicates the section is collapsed; an up arrow indicates it has been expanded. The sample HTML logs below are shown with all fields collapsed for simplicity. Each piece of log information was categorized as critical or supplementary, and only the critical information is shown when a section is collapsed. When an exported log is viewed on a separate computer, each section can be expanded to show the detailed, supplementary information. In that expanded view, the critical information is highlighted with bold field descriptions, while the supplementary information is shown in light gray. Note that specific pieces of log information may be considered supplementary in one situation but critical in another. For example, the encryption information for a given source drive will be considered supplementary if the drive has no encryption but will become critical if encryption is detected.
The initial state for any HTML log will be to show all fields collapsed with only the critical information displayed. While individual sections can be toggled between showing all the information or just a summary, there is a button at the top right side of the HTML log screen that will allow all sections to be expanded or collapsed.
Error messaging in the HTML logs has some unique functionality as well. Any error conditions will show in red text as critical information in the summarized view. Expanding the section with an error condition will show more detailed information on the error status, including the cause of the error.

Sample Log 1 - Successful EX01 Duplication

Note: All log sections are collapsed except for Acquisition Results.

Sample Log 2 - Failed Standalone Verification (source unreadable)

Note: All log sections are collapsed except for the Driv
