1. Manuals
  2. Brands
  3. OPENTEXT Manuals
  4. Disc Duplicator
  5. Tableau Forensic TD4
  6. User manual

OPENTEXT Tableau Forensic TD4 User Manual

Hide thumbs Also See for Tableau Forensic TD4:
Table of Contents

Advertisement

Quick Links

Download this manual
OpenText™ Tableau™ Forensic TD4
Duplicator
User Guide
This guide presents a wide range of technical information and
procedures for using the OpenText Tableau Forensic TD4
Duplicator.
ISTD230100-UGD-EN-1

Advertisement

Table of Contents
loading

Related Manuals for OPENTEXT Tableau Forensic TD4

Summary of Contents for OPENTEXT Tableau Forensic TD4

  • Page 1 OpenText™ Tableau™ Forensic TD4 Duplicator User Guide This guide presents a wide range of technical information and procedures for using the OpenText Tableau Forensic TD4 Duplicator. ISTD230100-UGD-EN-1...
  • Page 2 Rev.: 2023-Mar-06 This documentation has been created for OpenText™ Tableau™ Forensic TD4 Duplicator 23.1. It is also valid for subsequent software releases unless OpenText has made newer documentation available with the product, on an OpenText website, or by any other means.

  • Page 3: Table Of Contents

    Table of Contents Preface ..................5 Drive capacity and transfer rate measurement conventions ....5 Overview ..................7 TD4 kit contents ................9 Navigating TD4 ................10 2.2.1 Home screen .................. 10 2.2.2 Drive details ..................12 2.2.3 System navigation menu ..............12 2.2.4 Job status ..................
  • Page 4 Troubleshooting common problems ..........82 6.2.1 Firmware recovery ................83 6.2.2 Power supply issues ................ 84 6.2.3 Thermal issues ................84 6.2.4 Problems with drive detection ............85 6.2.5 Real-time clock data retention issue ..........86 OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...

  • Page 5: Preface

    Preface This guide presents a wide range of technical information and procedures for using the OpenText Tableau Forensic TD4 Duplicator, a product of OpenText. It is divided into the following chapters: Overview: Provides general information about TD4 as well as unpacking, starting up, and navigating TD4 menus and reading the LEDs.

  • Page 7: Overview

    Chapter 2 Overview Tableau TD4 is a powerful and intuitive forensic duplicator that offers valuable, high-performance imaging capabilities in a small, portable package. The touch screen user interface is easy to use and provides a familiar user experience similar to modern tablets and smartphones.
  • Page 8 Chapter 2 Overview Always free firmware update support. Clearly labeled and color-coded source (write blocked) and destination (read/write) ports. The left source (write blocked) side of TD4. The right destination (read/write) side of TD4. OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...

  • Page 9: Td4 Kit Contents

    2.1 TD4 kit contents TD4 ships in a boxed kit with custom foam that includes the following items: Item Model # Description OpenText Tableau Forensic TD4 Duplicator Provides power to TD4. Uses a universal 3-prong style AC line cord and is compatible with 100-240V AC line voltages worldwide.

  • Page 10: Navigating Td4

    Do not discard the TD4 foam packaging, as it is designed to fit several industry- standard hard sided carrying cases (for example, the Pelican 1500). If you received the TD4 kit in the cardboard box shipped by OpenText, you can reuse the stacking foam inserts in your own hard-sided case.
  • Page 11 2.2. Navigating TD4 Each function tile may be opened to show more information, enter data, and, if applicable, start the associated job. Depending on various conditions, the job will either start immediately after hitting the Start button or an advanced settings screen will be displayed to allow configuration of specific settings before starting the job.

  • Page 12: Drive Details

    Tapping the System Navigation Menu icon in the upper-left corner of the top navigation bar displays the TD4 System Navigation Menu, as shown below. For additional information on the items in this menu, see “Configuring TD4” on page OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...

  • Page 13: Job Status

    2.2. Navigating TD4 2.2.4 Job status After a job starts, its job status screen is automatically displayed. This status screen shows the details of a given job, including a header showing the job type, its status, its start and end times, the overall data rate, time remaining, and percent complete. The lower area of the job status screen shows additional job details, including hash values (when available) sub-step progress (for example, Duplication separate from Verification in a duplication/verification job), a settings summary, and the drives...

  • Page 14: Job History

    And failed jobs will show a partially filled red progress bar. Tapping a specific job tile from the list will open the detailed job status screen for that job. An example of a Job History list is shown below. OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...
  • Page 15 2.2. Navigating TD4 As can be seen at the top of the Job History screen above, the current case (as identified by the Case ID system setting) is shown along with a count of the number of different cases included in the Job History list. In some situations, it may be convenient to view and manage (export or delete) only a subset of jobs from the list.

  • Page 16: Reading The Status Leds

    TD4. It is white when the unit is booting up, blinking white when a power issue is detected, off when the unit is on but idle, blue when an operation is in progress, blinking green when an operation completes successfully, and blinking red when an operation fails. OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...

  • Page 17: Interpreting Audio Feedback

    There are many vendors of wireless keyboards and mice, and some may not be compatible with TD4. If you prefer to use a wireless keyboard or mouse and yours is not working with TD4, contact OpenText Customer Support for keyboard recommendations.

  • Page 19: Configuring Td4

    Chapter 3 Configuring TD4 This chapter describes the steps to configure TD4 prior to using it on a regular basis. 3.1 Startup sequence When turned on, TD4 displays an initialization screen during the boot sequence. The initial boot cycle (after a factory reset) will show a setup wizard that brings out key system settings to make it easy to configure your TD4 for use.
  • Page 20 The options are: Standard and Exhaustive. Standard mode means that error recovery attempts will read blocks of data that are always 32,768 bytes. In Exhaustive mode, error recovery reads will occur down to OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...
  • Page 21 3.2. Configuring TD4 the most granular level possible, which is individual sectors. Exhaustive mode will ensure the maximum amount of recoverable data, but it will also add time to the job. The default setting is Standard. Retry Count: This tells the TD4 how many times to attempt to re-read a given block of data when an error is encountered.

  • Page 22: Administration

    Tap the Administration button in the System Navigation Menu to initiate this setup. The initial Administration setup screen is shown below. OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...
  • Page 23 3.2. Configuring TD4 Tap Enable Administration to get started. The first step is to set a six-digit Administration PIN. The PIN must be entered twice to ensure accuracy. Once Administration is enabled, the following areas can be selected to block access to anyone without the PIN: System Boot Lock: If selected, the unit will boot directly to the PIN pad, and the Administrator PIN will need to be entered to use the unit.
  • Page 24 Note: When Administration has been enabled, even if none of the individual control options has been selected, the Administrator PIN will be required to update the firmware on the unit. This prevents circumvention of the Administration settings by downgrading firmware. OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...

  • Page 25: Locking The System

    3.2. Configuring TD4 3.2.3 Locking the system It may be desirable to lock your TD4 system while unattended to ensure no settings are changed or that your active jobs are not altered in any way. To lock your system, simply tap on the Lock System item in the System Navigation Menu. A screen will appear that allows for entry of a six-digit personal identification number (PIN), as shown below.

  • Page 26: Updating Td4 Firmware

    3.2.4 Updating TD4 firmware TD4 firmware is stored on a non-volatile, non-removable memory device inside the unit. When a TD4 firmware update becomes available on the OpenText website (Tableau Download Center), you can download the firmware package file and use it to update the unit.

  • Page 27: Connecting Drives

    The following sections provide information that will allow for the safe and reliable connection of drives to TD4. Note: For drives that require adapter cables to connect to TD4, OpenText highly recommends leaving the adapter cables plugged into TD4 and attaching/removing the drives from the other end of the cables.

  • Page 28: Drive Adapters

    (left) side interfaces: SATA/SAS, PCIe, USB. The associated user interface drive tile will become active and can be tapped to view detailed information about the drive and perform drive specific actions. For source drives, the available drive actions are as follows: Browse filesystems OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...

  • Page 29: Destination Drives

    3.3. Connecting drives Blank check Remove HPA/DCO/AMA Tableau encryption unlock A job summary specific to that drive can also be viewed on the drive details screen, with a link to view the filtered job history list for that drive. The Eject button for each drive is located at the bottom-right side of the drive details screen.

  • Page 30: Drive Detection

    “Destination drives” on page 29 earlier in this chapter for more information on available actions. The image below shows the TD4 home screen with the following drives connected: USB source, USB accessory, SATA destination, PCIe destination. OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...

  • Page 31: Using Td4

    Chapter 4 Using TD4 This chapter covers detailed procedures and information for using TD4. 4.1 Home screen The home screen of TD4 displays function tiles for initiating the following forensic jobs: Duplicate Logical Image Hash Verify Restore It also includes tiles for entering/viewing essential information, as follows: Case Info Job History User Guide...
  • Page 32 System Navigation Menu icon. Such a warning will never be seen under normal operating conditions. See “Thermal issues” on page 84 for more information. OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...

  • Page 33: Drive Details

    4.2. Drive details 4.2 Drive details On the left and right sides of the home screen you will find drive tiles that align with the physical drive connection ports. These tiles will be inactive for any ports that have no drive attached. When a drive is attached to a given port, that tile will become active and can be tapped to access detailed information about the drive and perform drive-specific actions.

  • Page 34: Job Status

    Also, when a job is running, a circular spinner is shown in the top navigation bar to the right of the TD4 model name. Tapping the spinner reopens the job status screen. OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...

  • Page 35: Job History

    4.5. Job history Once a job has completed, the job status screen is displayed and shows the final status of that job. If the job status screen is left open after completion of the job, completion status indicators will continue until the job status screen is closed. Those completion status indicators include a flashing status LED and, if Idle Chirp is enabled in system settings, audible notification (once every minute).
  • Page 36 Drive serial number Note: There is an easy way to filter the Job History list to show only jobs associated with a specific drive. To do so, tap on the desired drive tile from the OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...

  • Page 37: Viewing Sources And Destinations

    4.6. Viewing sources and destinations home screen. Scroll to the Jobs summary section at the bottom of the drive details screen and then tap the View button. A list of only the jobs associated with that drive will be shown. You can expand the filter in that view to see the specific criteria that was used to filter the list.
  • Page 38 Each detectable filesystem will have a filesystem card that shows more information about the filesystem. To browse a filesystem, tap the filesystem card. If a drive has any sector limitations in place (HPA/DCO/AMA), a OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...
  • Page 39 4.6. Viewing sources and destinations warning message will be provided in the top portion of the Contents section. Such sector limitations are also identified with the icon attached to the drive tiles on the home screen. The Jobs section of the Drive Details screen provides information about jobs that have been performed with that drive.

  • Page 40: Blank Check

    Imaging jobs. Due to the drive-altering nature of the actions available in this utility, Reconfigure is only available for destination drives. To access the Reconfigure utility setup screen (shown below), tap Reconfigure from the Contents section of the drive details screen. OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...

  • Page 41: Remove Sector Limitations

    4.6. Viewing sources and destinations Reconfigure allows sequential completion of the requested tasks without need for user intervention. This makes it easy to execute common destination media preparation steps in automated fashion, without having to do each one as a separate step.

  • Page 42: Volatile Hpa Removal

    In the case of an automatic, volatile HPA removal from a connected source drive, the TD4 user interface makes it obvious what has occurred by stating how many HPA sectors have been exposed, as shown in the following screenshot. OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...
  • Page 43 4.6. Viewing sources and destinations Referring to the drive details screenshot above, the fact that the HPA has been removed is reflected in two ways. One, the drive’s Size field reflects the full capacity of the drive (with HPA removed). And two, the Contents section shows how many HPA sectors were exposed in red text.

  • Page 44: Non-Volatile Hpa/Dco/Ama Removal

    The screenshot below shows the drive details screen for a drive with a DCO- protected region. OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...
  • Page 45 4.6. Viewing sources and destinations IDE drives with a DCO require special considerations with TD4. DCO setting changes require power-cycling the drive which, for directly connected SATA drives, is done automatically by TD4. However, since IDE drive power can be provided in several ways, TD4 cannot deterministically cycle an IDE drive’s power.

  • Page 46: Wiping Destination Or Accessory Drives

    Caution Wiping drives results in sustained writing of the media, which can create abnormally high thermal operating conditions inside the drive. OpenText highly recommends using a fan or an external drive cooler when wiping media on TD4 to help prevent thermal damage to drives.
  • Page 47 4.6. Viewing sources and destinations Option Description Secure Erase The ATA Secure Erase command instructs the drive to reset all available blocks to the erase state. How the erase state is (SSD only) implemented on the drive is not mandated by the ATA specification, which means the final data state on drives is manufacturer dependent (and not necessarily all zeros).
  • Page 48 TD4's control. From OpenText empirical testing over a large sample size of drives from different manufacturers, Secure Erase will reliably wipe drives...

  • Page 49: Encrypting Destination And Accessory Drives

    OpenText is not able to recover lost passwords for TD4 encrypted media, so take appropriate steps to ensure you never lose your password. To remove encryption from a drive, connect the drive to a TD4 destination or accessory port and then, without unlocking the encryption, wipe the drive.

  • Page 50: Formatting Destination And Accessory Drives

    Format option. Select the desired filesystem type and then tap the Start button. Note: OpenText strongly recommends not using FAT as a destination or accessory drive filesystem. On TD4, FAT filesystems are limited to a maximum output file size of 2GB and reading from or writing to them is known to be slower than other filesystem types.
  • Page 51 4.6. Viewing sources and destinations the edge of its home screen drive tile. Such a drive will also include a warning message near the top of the drive details screen indicating the drive is a locked Opal drive and that it cannot be read, as shown in the screenshot below. Note that Opal drives that have not had their encryption enabled will behave as regular, non-encrypted drives.

  • Page 52: Browsing

    In the browser portion of the screen, you can scroll up and down to view the list of directories and files. Scrolling right/left is also enabled if filenames are long and go OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...

  • Page 53: Case Information

    4.8. Case information off the screen. The size of each file is shown in parentheses at the end of the filename. To open individual directories, double-tap the directory name or single-tap the directory to select, and then tap the open directory icon .

  • Page 54: Cloning

    However, if using Ex01 or E01, the source drive may fit on a smaller drive because these formats can compress the data before writing to the OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...

  • Page 55: Performing A Duplication

    4.9. Duplicating destination drive. There is no guarantee that the data will be compressed enough to fit on a smaller destination drive, especially in cases where the data is mostly incompressible such as encrypted data. Note: Be careful when attempting to copy a source drive to a same size or smaller destination drive.
  • Page 56 (DCO present on source). Note that the items that directly caused the advanced settings screen to be displayed are shown as expanded, but that other, potentially related setting items will also appear in that screen unexpanded. OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...
  • Page 57 4.9. Duplicating Once all the advanced setup screen settings have been resolved/verified, tap the Start button to begin the Duplication job. 4. After a Duplication job is started, a job status screen will appear, as shown below. User Guide ISTD230100-UGD-EN-1...
  • Page 58 To see a live version of the drive details and to be able to browse mounted filesystems (even during an active job), use the drive tiles on the home screen to access the drive details screens. OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...

  • Page 59: Files Created During Disk-To-File Duplication

    4.9. Duplicating Icons will appear on the job status screen drive cards to provide at-a-glance indication of things like no detectable filesystem present , HPA/DCO/AMA in place , or the presence of Tableau encryption (locked or unlocked) Note: An easy way to tell which destination drives are getting which type of Duplication job output (clone or image) is to look for the ‘no filesystem’...

  • Page 60: Logical Imaging

    Unlike a physical duplication job, the option of shelving a source drive DCO/AMA (removing it and then re-applying it at the end of the job) does not exist in logical OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...

  • Page 61: Performing A Logical Image

    4.10. Logical imaging imaging. The existence of a DCO or AMA will be obvious (per warnings in multiple locations), but the DCO/AMA will need to be permanently removed using the Remove HPA/DCO/AMA utility before gaining access to all portions of the source media.
  • Page 62 (SHA-256 selected). Note that the items that directly caused the advanced settings screen to be displayed are shown as expanded but that other, potentially related setting items will also appear in that screen unexpanded. OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...
  • Page 63 4.10. Logical imaging Once all the advanced settings screen settings have been resolved/verified, tap the Start button to begin the Logical Image job. Note: As indicated by the informative message in the screenshot above (“This is your system default”), whenever a setting is changed in an advanced settings screen as part of the setup for a specific job, that is equivalent to changing that setting in the main Settings menu.
  • Page 64 , or the presence of Tableau encryption (locked or unlocked) Note: The drive cards in the job status screen can be tapped to show detailed drive information. However, when drive details are viewed from OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...

  • Page 65: Files Created During A Logical Image Job

    4.10. Logical imaging this area, the information is considered historical as of the start of the job, as indicated by date and time information in the top-right corner of the drive details screen. This means that changes to drive information during the job (such as reduced free space on the destination drive) will not be reflected and browsing of any mounted filesystems is disabled.

  • Page 66: Hashing

    Start button. If none of the settings are set to Prompt and there are no other job configuration issues that need to be resolved, the job will start, and the job status screen will be displayed. OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...
  • Page 67 4.11. Hashing If the Hash system setting is set to Prompt, an advanced settings screen will appear which will allow selection of the hash types for the job. Select the desired hash types and then tap the Start button to begin the Hash job. 3.

  • Page 68: Verifying

    You may also Export the job log from this screen (even for an in-progress job, if desired) by tapping the Export button in the bottom-left corner and then selecting the desired destination or accessory drive/ filesystem. OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...

  • Page 69: Restoring

    4.13. Restoring The drive used in the Verification job will be shown near the bottom of the job status screen. This drive card provides basic drive information, such as the connected port name, the overall size of the drive, and either the Evidence ID (if entered) or the drive’s make/model/serial number.

  • Page 70: Forensic Logs

    The detailed information captured in the forensic logs will depend on the job type. A summary of the information captured for an image-based duplication job is shown below. See the sample logs at the end of this section for some specific job log examples. OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...

  • Page 71: Sample Logs

    4.14. Forensic logs Status: Overall job status (Incomplete, Ok, Error/Failed, Canceled), date/time stamps, identification of TD4 as the acquisition system, and the firmware version in use at the time of the acquisition. The following pieces of optional information will also be included in this section: Examiner name, Case ID, Case Notes, and Job Notes. Source: Source drive details, including overall drive information (Evidence ID (if set), interface type, TD4 port, make/model number, firmware version, serial number(s), protocol specific details (e.g., SCSI/USB info), HPA/DCO/AMA related...
  • Page 72 Expanding the section with an error condition will show more detailed information on the error status, including the cause of the error. OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...
  • Page 73 4.14. Forensic logs Sample Log 1 – Successful EX01 Duplication Note: All log sections are collapsed except for Acquisition Results. User Guide ISTD230100-UGD-EN-1...
  • Page 74 This additional section lists the sector address and the number of sectors of each unreadable region of the source drive. As an example, the following forensic log read error entry means that an error was encountered in at least one of the 64 OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...
  • Page 75 4.14. Forensic logs sectors starting at sector offset 234,567: Error # 1: Read error (source), address=234567, length=64 Note: The default error granularity setting is Standard, which will result in a minimum chunk of 32KB of source data (64 sectors for a 512B sector drive) that will get skipped and filled with zeros upon completion of the attempted reads (assuming no reads were successful).

  • Page 77: Adapters

    Chapter 5 Adapters This chapter describes the drive adapters available for TD4, which extend imaging capabilities in an easy to connect and use manner. 5.1 PCIe SSD adapters Tableau PCIe SSD adapters enable the acquisition of PCIe based SSDs of various types via the TD4 PCIE source port.

  • Page 78: Pcie Firewire Adapter (Tda7-9)

    / m.2 SATA SSD Adapter (TDA3-3) SATA LIF Hard Disk Adapter (TDA3-LIF) 3.5” – 1.8” IDE Hard Disk Adapter (TDA5-18) 3.5” – 2.5” IDE Hard Disk Adapter (TDA5-25) 3.5” – ZIF IDE Hard Disk Adapter (TDA5-ZIF) OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...
  • Page 79 5.4. SATA/IDE adapters Visit the Tableau product website at https://security.opentext.com/tableau/hardware to learn more about available Tableau adapters. User Guide ISTD230100-UGD-EN-1...

  • Page 81: Specifications And Troubleshooting

    Chapter 6 Specifications and troubleshooting 6.1 Specifications Connectors: Source Side SATA/SAS One SATA/SAS (6 GBPS) signal connectors Drive Power One 4-pin Molex Mini-Fit power connector for SATA/SAS drive power PCIe One PCIe (10 GBPS) adapter connector One USB 3.2 Gen 1 (5 GBPS) Type-C connector (USB 3.0 SuperSpeed equivalent) Connectors: Destination Side SATA...

  • Page 82: Troubleshooting Common Problems

    One Year Parts and Workmanship from Date of Purchase 6.2 Troubleshooting common problems This section covers the following troubleshooting issues and solutions: Firmware recovery Power supply issues Thermal issues Problems with drive detection Time/date data retention issues OpenText™ Tableau™ Forensic TD4 Duplicator ISTD230100-UGD-EN-1...

  • Page 83: Firmware Recovery

    2. Download the latest TD4 firmware package file from the Tableau Download Center at https://www.opentext.com/products/tableau-download-center store it at the root directory on that FAT32 filesystem. 3. After the firmware package file has been written to the USB stick, eject the USB stick from your computer and then plug it into the rear accessory port on your unpowered TD4.

  • Page 84: Power Supply Issues

    If after powering the unit up again, the yellow thermal warning returns and persists for more than one hour, contact OpenText My Support at https://support.opentext.com...

  • Page 85: Problems With Drive Detection

    If the red thermal warning condition returns, please immediately shut down the unit and contact OpenText My Support https://support.opentext.com for further guidance.

  • Page 86: Real-Time Clock Data Retention Issue

    TD4. If there are no firmware updates available to resolve your detection issue, contact your Tableau reseller or OpenText My Support at https://support.opentext.com report your issue. 6.2.5 Real-time clock data retention issue Under normal operating conditions, the real-time clock on your TD4 should retain the time and date settings for the life of the product.

Table of Contents