The drive used in the Verification job will be shown near the bottom of the job
status screen. This drive card provides basic drive information, such as the
connected port name, the overall size of the drive, and either the Evidence ID (if
entered) or the drive's make/model/serial number. Icons will appear on these
drive cards to provide at-a-glance indication of things like no detectable
filesystem present, HPA/DCO/AMA in place, or the presence of Tableau
encryption (locked or unlocked).

Note: The drive cards in the job status screen can be tapped to show
detailed drive information. However, when drive details are viewed from
this area, the information is considered historical as of the start of the job,
as indicated by the date and time information in the top-right corner of the
drive details screen. To see a live version of the drive details and to be able
to browse mounted filesystems, use the drive tiles on the home screen to
access the drive details screen.

4.13 Restoring

The Restore function allows for recreation of the original drive format from a
previously created TD4 forensic image file. The uses for this feature are varied but
include the ability to use a restored drive as a system boot disk and to simply create
an archival copy of the evidence in its original format for future case reference.

The Restore function works with all physical duplication image file types (E01, Ex01,
dd, dmg). It does not support restoration from a logical image file set (Lx01).

It is best practice to wipe destination media before restoring to it as this can help to
identify potentially defective media and bad sectors, and it can reduce the risk of
cross-contaminating a restored drive with stale data.

Note that, at the beginning of a Restore job, TD4 prepares the destination drive by
wiping sectors 0, 1, and end-of-drive minus 1. This ensures there is no stale partition
table data on the drive which reduces the possibility of drive detection issues at the
end of the job.

Note: Because partition table information is relative to the sector size of the
source drive, restoring to a destination drive with a different sector size is not
allowed. TD4 will detect this sector size mismatch issue and warn the user.
This condition will need to be rectified before the Restore job can be started.

To restore a drive from an image file:

1. Follow the steps listed in "Connecting drives" on page 27 to connect the desired
source and destination drives.

Note: Restore jobs use source drives as the source of the input files (packed
log file and image segment files). Also, a Restore job will effectively wipe
any destination drives that are attached/detected at the time the job is

ISTD230100-UGD-EN-1, User Guide, page 69
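The destination preparation step and the sector-size note in section 4.13 can be illustrated with a short Python sketch. This is an added example, not part of the TD4 guide and not TD4's own code: it checks sector 0, sector 1 and the last sector of a constructed in-memory disk for MBR and GPT signatures, and shows that the same bytes read with a different sector size no longer line up. The function names are hypothetical, and "end-of-drive minus 1" is assumed to mean the last addressable sector.

```python
import io

MBR_SIG = b"\x55\xaa"   # boot signature, bytes 510-511 of sector 0
GPT_SIG = b"EFI PART"   # GPT header signature, first 8 bytes of its sector


def stale_table_markers(dev, total_bytes, sector_size):
    """List partition-table markers still present in sector 0, sector 1
    and the last sector of a seekable binary stream."""
    def read_lba(lba):
        dev.seek(lba * sector_size)
        return dev.read(sector_size)

    last_lba = total_bytes // sector_size - 1  # assumption: "end-of-drive minus 1"
    found = []
    if read_lba(0)[510:512] == MBR_SIG:
        found.append("mbr")
    if read_lba(1)[:8] == GPT_SIG:
        found.append("gpt-primary")
    if read_lba(last_lba)[:8] == GPT_SIG:
        found.append("gpt-backup")
    return found


def build_disk(total_bytes, sector_size):
    """Constructed sample: MBR signature plus primary and backup GPT
    header signatures, placed for the given sector size."""
    disk = bytearray(total_bytes)
    disk[510:512] = MBR_SIG
    disk[sector_size:sector_size + 8] = GPT_SIG
    disk[total_bytes - sector_size:total_bytes - sector_size + 8] = GPT_SIG
    return disk


def wipe_prep_sectors(disk, sector_size):
    """Zero sector 0, sector 1 and the last sector (a model of the
    preparation step, not TD4's implementation)."""
    for offset in (0, sector_size, len(disk) - sector_size):
        disk[offset:offset + sector_size] = bytes(sector_size)
    return disk


if __name__ == "__main__":
    size = 1 << 20
    disk = build_disk(size, 512)
    print(stale_table_markers(io.BytesIO(disk), size, 512))
    print(stale_table_markers(io.BytesIO(disk), size, 4096))
    print(stale_table_markers(io.BytesIO(wipe_prep_sectors(disk, 512)), size, 512))
```

Reading the 512-byte layout with 4096-byte sectors finds only the MBR signature, because the GPT headers sit at byte offsets computed from the original sector size.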