Logical Imaging - OPENTEXT Tableau Forensic TD4 User Manual

Chapter 4 Using TD4
Note: The Max File Size system setting will determine the size of the output
segment files. The options are 2GB, 4GB, 8GB, and Unlimited. The information
above regarding segment file naming conventions applies to all but the
Unlimited setting. For Unlimited, TD4 will capture all source drive data in one
large segment file on each destination with an extension of .EX01, .E01, or, for
dd/dmg, .001. Also, due to a FAT32 filesystem limitation, if any one of the
destination drives is formatted as FAT32, all destinations will get 2GB segment
files.
TD4 generates a
log for each job. It also creates a
used to do a standalone verification of the original image or to restore an image file
to the original drive format.

4.10 Logical imaging

TD4 provides the ability to logically image source drive folders and files from
detectable filesystems. When used in conjunction with physical disk imaging, logical
imaging enables rapid acquisition of source file data, providing TD4 users the ability
to balance thoroughness with acquisition time and effort for the demands of a given
case.
TD4 logical imaging jobs will create industry standard Lx01 logical evidence files,
which are compatible with EnCase Forensic and other common digital forensics
investigation tools. Each logical imaging job will also create a forensic log file, with a
file extension of
created during a logical image job" on page
TD4logical imaging acquires all files/folders on the source filesystem with no
opportunity to down select or target specific files/folders as is possible on TX1. TD4
logical imaging is still considered a valuable option for time-sensitive situations
where acquiring a full physical image of the drive is not possible or to get a jump on
file analysis/triage while a secondary physical image is being acquired.
Due to the fact that source file data compressibility is not determined prior to
starting a logical imaging job, it is not possible to determine with certainty if the data
from a source filesystem will fit on a destination filesystem. As a result, TD4 only
warns the user that a destination may be too small when the used space of the
source filesystem is larger than the available space on the destination, and the job
can still be started. However, if the source data is highly incompressible (or if
compression is disabled), it is possible for the destination filesystem to become full,
thus causing the job to fail.
Note: Use caution when attempting to logically image from a source filesystem
to a smaller destination filesystem. If the source data is not compressible, the
job may fail due to lack of space on the destination.
Unlike a physical duplication job, the option of shelving a source drive DCO/AMA
(removing it and then re-applying it at the end of the job) does not exist in logical
OpenText™ Tableau™ Forensic TD4 Duplicator
60
[filename].log.html
[filename].TD4_packed_log
. For details on all logical imaging output files, see
.log.html
file for each image job. This is the forensic
65.
file, which can be
"Files
ISTD230100-UGD-EN-1