OPENTEXT Tableau Forensic TX1 User Manual


OpenText™ Tableau™ Forensic TX1
Imager
User Guide
This guide presents a wide range of technical information and
procedures for using the OpenText Tableau Forensic TX1
Imager.
ISTX240300-UGD-EN-1


Summary of Contents for OPENTEXT Tableau Forensic TX1

  • Page 2 Rev.: 2024-Aug-21 This documentation has been created for OpenText™ Tableau™ Forensic TX1 Imager 24.3. It is also valid for subsequent software releases unless OpenText has made newer documentation available with the product, on an OpenText website, or by any other means.
  • Page 3 Table of Contents: Preface (7); Drive capacity and transfer rate measurement conventions (7); Overview (9); TX1 kit contents (12); Navigating TX1 (14); 2.2.1 Home screen (14); 2.2.2 Side navigation menu (15); 2.2.3 Jobs tab (16); 2.2.4 Job status ...
  • Page 4 About the logical imaging process (135); 4.5.3.1 Logical image job status (135); 4.5.3.2 Files created during logical imaging (136); 4.5.3.3 Logical image verification (137); 4.5.3.4 Advanced logical imaging setup (137)
  • Page 5 4.5.4 File extensions (138); 4.5.5 Folders (140); 4.5.6 Source file metadata (140); Verifying (141); Browsing (145); 4.7.1 Viewing text and image files (146); Restoring (148); Mobile backup acquisition (152); 4.9.1 Connecting and detecting mobile devices ...
  • Page 6 Problems with drive detection (206); 6.2.4 Problems detecting Apple devices in target disk mode (207); 6.2.5 Long time to complete locally initiated firmware update (208); 6.2.6 Real-time clock data retention issue (209)
  • Page 7 Preface This guide presents a wide range of technical information and procedures for using the OpenText Tableau Forensic TX1 Imager. It is divided into the following chapters: • Overview: Provides general information about TX1 as well as unpacking, starting up, and navigating TX1 menus and reading the LEDs.
  • Page 9 Chapter 2 Overview TX1 is a powerful, yet intuitive, forensic imager that offers superior local and networked imaging performance with no compromises. The touch screen user interface is easy to use and provides a familiar user experience similar to modern tablets and smartphones.
  • Page 10 • Detailed forensic logs for case documentation in text and HTML formats. • The ability to filter the forensic log list to only show logs of interest based on specific case and/or drive information. The filtered logs can also be exported or deleted.
  • Page 11 • Always free firmware update support via Tableau Firmware Update (TFU) on a host system, via TX1 file browsing of any mounted filesystem (local drive or network share), or via the remote user interface. • Clearly labeled and color-coded source (write blocked) and destination (read/write) ports.
  • Page 12 TX1 ships in a boxed kit with custom foam that includes the following items: Item Model # Description TX1 Forensic Imager TX1-S1 Optional destination drive bay for up to two 2.5" or 3.5" SATA or SAS drives
  • Page 13 Do not discard the TX1 foam packaging, as it is designed to fit several industry-standard hard sided carrying cases (for example, the Pelican 1500). If you received the TX1 kit in the cardboard box shipped by OpenText, you can reuse the stacking foam inserts in your own hard sided case.
  • Page 14 • Restore • Mobile Tap one of these icons to begin a job and enter the job setup screen. A job setup screen provides a stepper-based flow from which you can view default settings, ...
  • Page 15 enter job notes for your case, change settings, and start the job. Tap the left arrow in the job setup tab to navigate back to the previous screen or to the Home screen. Across the top navigation bar there are buttons to quickly access the side navigation menu, the Home screen, and view the current time.
  • Page 16 Likewise, as jobs are completed, they are moved to the Recent area, so that a user can see what has already completed.
  • Page 17 Jobs are queued in the order they were entered. You can reorder queued jobs by dragging individual jobs to place them in the order you prefer. On the TX1 screen, press and hold the drag icon of the job you want to select, then drag the job to the desired position in the queue and release.
  • Page 18 Tapping a drive tile opens a drive details screen, which provides a quick view of all the information available for the drive. An example of an active Job Status screen is shown below.
  • Page 19 Note: The solid orange triangle in the corner of the drive tiles indicates that the drive is currently being used as part of an active job. This is shown regardless of the location of the drive tile and makes it easy to spot drives that are in use. Similarly, drives that are part of a queued but not yet active job will show as an orange border triangle with white in the middle.
  • Page 20 Recent area of the Jobs tab. Simply tap on the job row from the Recent jobs area and the final Job Status screen for that completed job is shown, including a link to the job log.
  • Page 21 2.2.5 Quick Reference Guide TX1 ships with a Quick Reference Guide that illustrates the drive connections, Status LED, power button, cable recommendations, and tips for getting started. Keep this card with TX1 as you familiarize yourself with its operation. 2.3 Reading the status LEDs On/Off indicator LED: The illuminated power switch is located in the top-left corner of TX1 and it displays a white LED when the unit is on.
  • Page 22 TX1, please contact Customer Support for keyboard recommendations. 2.7 Startup sequence When turned on, TX1 displays an initialization screen during the boot sequence. Once booted, TX1 displays the Home screen and then sequentially powers on connected drives.
  • Page 23 Chapter 3 Configuring TX1 This chapter describes the steps to configure TX1 prior to using it on a regular basis. 3.1 Startup sequence When turned on, TX1 displays an initialization screen during the boot sequence. Once booted, TX1 displays the Home screen and then sequentially powers on connected drives.
  • Page 24 Tap the setting row to reveal additional settings such as Date & Time (as shown in the screenshot below). Once the area expands, tap a setting value to reveal and select from a drop-down menu.
  • Page 25 To enable setting the TX1 system time via an NTP server, a valid network connection and at least one NTP server source is required. The default NTP server is a public internet option (pool.ntp.org (http://pool.ntp.org/)). This can be changed to one of the other public internet options or a local network NTP server.
  • Page 26 3.2.2 Network settings Tap Network Settings to display the Network Settings page. Note: TX1 does not support direct connectivity to any specific, commercially available cloud share service, such as AWS, Azure, or Google Cloud.
  • Page 27 The Network Settings screen displays network related information and the current connection status in the top area, followed by a Configuration area for setting the IP address, MTU (maximum transmission unit) value, and custom hostname. Following the network configuration area are areas for 802.1X configuration, and an HTTPS certificate area.
  • Page 28 Note that one or more certificates (depending on the EAP type and other settings) may need to be loaded onto your TX1 before attempting to authenticate on the ...
  • Page 29 network. The certificate loading process is straightforward. First, store the required certificates on a USB memory device, and then insert that device into a TX1 USB Accessory port. In the CA and/or Client certificate areas in the Network Settings screen, tap the appropriate certificate installation button (Install CA Cert or Install Client Cert).
  • Page 30 MSCHAPv2). A CA certificate must be installed on TX1 to enable server authentication. This method uses an identity and password for client authentication. A client certificate is not required. Tap Save to show the selected EAP type and status in the settings summary.
  • Page 31 After saving the selected EAP type and Phase two internal protocol settings, a yellow icon appears in the right side of the top navigation bar, and an Add Password button becomes active in the settings summary area. Tap the navigation bar icon or Add Password to enter an 802.1X passphrase/password.
  • Page 32 Network Settings screen shows the current SSL certificate information and provides options for manually generating a new TX1 certificate or installing a custom certificate. See “Remote web interface” on page 190 for more details regarding SSL certificate options.
  • Page 33 3.2.3 Default settings Tap Defaults to display the Operations Defaults page. Several different entry methods are used for the settings on this page, including direct data entry, sliders, radio buttons, and an Image Directory name builder area. As shown above, the Date + Time and Model directory path element boxes have been selected (in that order), so therefore the image directory path is tx1_images/...
  • Page 34 Default settings can easily be restored to their factory set values. Simply select the Defaults item from the side navigation menu and then scroll to the bottom of the screen. Select the Restore defaults item and all settings will be immediately returned to their factory set values.
  • Page 35 3.2.4 User management In some forensic work environments, it may be desirable to set up distinct users with unique passwords to limit access to the available TX1 units. Also, with the addition of remote access capability, the ability to set user credentials has become a security requirement.
  • Page 36 When the administrator is logged in and viewing their own User Management screen (as shown above for default User1), a Logout button is also visible. This button logs out only that instance (local or remote) of that user.
  • Page 37 To create a new user, simply tap the Create New User button at the bottom right of the Users list screen and enter the username and initial password for the new user and tap submit. A User Management screen will appear for the new user allowing complete user configuration (as shown in the screenshot above for User1).
  • Page 38 This can be used to ensure that commonly used PINs do not create a distinct pattern on the screen. This PIN locking mechanism is temporary in the sense that a power cycle of TX1 will remove the lock.
  • Page 39 Note: If this is your first time downloading the TFU installer from OpenText My Support, you will need to perform steps 7-9, after which the installer will be downloaded to your machine. 7. The OpenText End User License Agreement page is displayed.
  • Page 40 On the TX1 that is being updated, make sure that the memory device (USB drive or network share) that contains the .tx1_pkg file is mounted and accessible to TX1. Then open the side navigation menu and tap Firmware Version (or About). The screen below will appear.
  • Page 41 Tap Browse for Firmware, which will display a screen that lists all mounted drives/shares. Tap on the desired drive/share and then use the Browse window to navigate to the folder that contains the TX1 firmware package file. Select the desired .tx1_pkg file, and then tap the Select button in the bottom ...
  • Page 42 About option. The remote About screen is shown below. Note that the Upload device firmware section is shown only in the remote user interface version of this About screen.
  • Page 43 Tap Select File in the Upload Device Firmware section of the About screen. Use the Windows File Navigator browse window to navigate to the appropriate folder and select the desired TX1 firmware package file (saved from Tableau Firmware Update as described earlier in this section).
  • Page 44 TX1’s About screen. This allows for at-a-glance verification that the proper firmware version is running and that it has not been altered.
  • Page 45 3.3 Media utilities (traditional media) Accessible from the Sources, USB Accessories, or Destinations buttons at the bottom of the Home screen (and all locations that provide drive lists), TX1 provides the following media utilities for all traditional media types (mobile devices excluded): •...
  • Page 46 Note that a specific sector number can also be entered in the box at the bottom of the screen. Simply tap the box, enter the desired sector number, and tap outside the entry field to go directly to that sector.
  • Page 47 Filesystem elements show basic filesystem information (label, type, free/used/total space) and a Browse button that opens TX1's standard browse modal, as shown in the screenshot below.
  • Page 48 Verification is optional. Note that an active Sanitize wipe may make a drive unresponsive for an extended period of time.
  • Page 49 If you experience Sanitize wipe verification failures, please contact OpenText Customer Support to report the specific make and model of the drive, and the Tableau team will investigate.
  • Page 50 Note: Wiping drives results in sustained writing of the media, which can create abnormally high thermal operating conditions inside the drive. OpenText highly recommends using the TX1-S1 drive bay (which has active cooling) or an external drive cooler or fan when wiping media on TX1 to help prevent thermal damage to drives.
  • Page 51 Option: Overwrite - Multiple Pass. Description: TX1 performs three full write passes to the destination or accessory drive. The first pass writes zeros (0x0000) and the second pass writes ones (0xFFFF). When a custom data pattern is specified, it will be written only on the third pass.
  • Page 52 TX1 can purge drives that support conformant Sanitize commands. The Purge option is disabled if the Sanitize command is not supported by the drive. The screenshots below show examples of NIST Clear and NIST Purge compliant drive wipe setups.
  • Page 53 The following flowchart depicts how TX1 determines wipe setting conformity to NIST 800-88 r1. Note that this flowchart reflects handling of drives with no HPA/DCO/AMA settings.
  • Page 54 FAT is considered acceptable and accurate for filesystem identification purposes. Note: TX1 cannot format a destination drive with an APFS filesystem, though it can mount a previously formatted APFS volume on any connected drive (source, destination, or accessory port).
  • Page 55 The encryption password can be changed only on destination and accessory drives, as it requires a write modification to the encrypted header. OpenText is not able to recover lost passwords for TX1 encrypted media, so take appropriate steps to ensure you never lose your password.
  • Page 56 SEDUTIL function uses. Attempting to use a known password for such drives using TX1 will result in failed unlock attempts. Please contact OpenText Customer Support if you suspect you have run into such a situation.
  • Page 57 An additional consideration for Opal drives is a unique configuration that exposes a Shadow MBR. This Shadow MBR can be enabled by drive/system manufacturers to initially identify the drive as a small, non-encrypted volume, which overrides the actual MBR information. A typical use case for this configuration is to enable system manufacturers to request credentials from a user before revealing the actual MBR information on the drive.
  • Page 58 (Source) systems to folders systems to folders possible) folders systems to folders image will be image will be will be image will be from) imaged from) imaged imaged from) imaged
  • Page 59 APFS Bitlocker Opal Tableau Operation Locked Unlocked Locked Unlocked Locked Unlocked Locked Unlocked Physical Full drive Full drive Full drive Full drive n/a (no Full drive Full drive Only the Image/ will be will be will be will be reads...
  • Page 60 In the case of an automatic, volatile HPA removal from a connected source drive, the TX1 user interface makes it obvious what has occurred, as shown in the following screenshots.
  • Page 61 Referring to the drive details screenshot above, the fact that the HPA has been removed is reflected in the following areas on this screen: The Size field in the header reflects the full capacity of the drive (with HPA removed), along with a warning to draw attention to the HPA removal event.
  • Page 62 Adapter (TDA7-5). DCO setting changes require power-cycling the drive which, for directly connected SATA drives, is done automatically by TX1. PCIe, as implemented on TX1, does not allow for hot drive removal (including power-cycling). To disable a DCO on an IDE drive:
  • Page 63 Confirm that TX1 is powered off. Connect the IDE drive to a Tableau IDE Adapter (TDA7-5) and connect the adapter to the TX1 PCIe port. Note that IDE drive power does not come directly from the TDA7-5 adapter.
  • Page 64 Note: The Fast and Smart blank check options do not perform exhaustive checks of the entire drive. It is possible for a drive to appear to be blank ...
  • Page 65 according to the Fast or Smart check while still storing forensically relevant information. 3.3.8 Browse filesystem The Browse function provides an easy way to view the contents of a recognized filesystem on any mounted drive, whether it is connected locally or via the network interface (iSCSI or CIFS).
  • Page 66 This media utility is available for ATA drives that support SMART data reporting. Selecting this feature will display available SMART data as reported by the drive. This information can be annotated with case info and saved as a log.
  • Page 67 3.3.10 Export This media utility allows the user to export any source, accessory, or destination drive as an iSCSI target in read-only mode. This makes the drive available to be read by a remote user on any IP-based network via the Ethernet connection on the rear of TX1, which can be useful for evidence file transfer purposes.
  • Page 68 Any exported drives can be un-exported by navigating to the iSCSI Export media utility for the drive and tapping on the Remove Export button in the lower right portion of the iSCSI Export screen.
  • Page 69 3.3.11 Eject This media utility is provided to allow for safe ejection of attached drives. Ejecting a drive removes it from the system software in a safe manner and is recommended before unplugging any attached media from a powered TX1 and before powering down TX1 with drives attached.
  • Page 70 (HDDs, SSDs). The information above is specific to traditional media devices. See “Mobile backup acquisition” on page 152 for information specific to that type of job.
  • Page 71 3.4.2 Destination drives Connect one or more drives to the TX1 destination (right) side: SATA/SAS (x2) or USB 3.0. If using the Drive Bay, insert one or more 2.5" or 3.5" SATA/SAS drives. Note: The SATA/SAS destination DC OUT ports directly on TX1 are enabled even when a TX1-S1 Drive Bay is connected, allowing for easy connection of up to four SATA/SAS destination drives.
  • Page 72 Note: Mobile devices connected to TX1 have unique detection interactions compared to traditional media devices (HDDs, SSDs). The information above is specific to traditional media devices. See “Mobile backup acquisition” on page 152 for information specific to that type of job.
  • Page 73 3.5 Turning TX1 off To turn off your TX1, simply push the power button in the top left corner of the unit. The shutdown options will be different for an idle unit versus one that has active/queued jobs.
  • Page 75 Chapter 4 Using TX1 This chapter covers detailed procedures and information for using TX1. 4.1 Navigating TX1 features and options The outline below maps TX1 navigation and feature structure. 4.1.1 Home screen • Duplicate • Logical • Verify • Hash •...
  • Page 76 TX1 will detect this sector size mismatch issue and warn the user. This condition will need to be rectified before the clone job can be started.
  • Page 77 4.3.2 Imaging An image, also known as disk-to-file duplication, copies the source drive to a series of files (sometimes called segments or chunks) on the destination drive. TX1 supports EnCase file formats ex01 and e01 and raw file formats dd and dmg. Compression is supported, and enabled by default, with ex01 and e01 file formats.
  • Page 78 If desired, you can also attach a USB keyboard to one of the front Accessory USB ports to make data entry easier.
  • Page 79 4. To change or add a source drive, tap the 2 or Source heading. From the source list modal that is displayed, select a drive from the list. A green check confirms your selection. Close the modal by tapping the X in the upper right corner or by tapping outside of the modal.
  • Page 80 5. To change or add the destination drive(s) tap the 3 or Destination(s) heading. From the destination list modal that is displayed, select one or more drives from the list.
  • Page 81 For each selected destination drive, a Job type panel expands below the Drive tile. Select the Clone radio button to clone to the destination or select the Image radio button to image to the destination. For clones, the option is displayed to trim the destination drive to be the same size as the source using a DCO or AMA.
  • Page 82 Duplication/Image Type: DD/DMG/Clone. Hash Type Options: MD5, SHA-1, SHA-256. Notes: Can pick any two hash types. Limited to two to minimize chances of inadvertent performance degradation.
  • Page 83 Hash Type Options: MD5 and SHA-1. Notes: E01 format does not currently support SHA-256. MD5 and SHA-1 forced on together since E01 format cannot support SHA-1 alone, and it was decided to not allow MD5 alone to simplify setting configurations.
  • Page 84 DMG is selected as the file format. 8. Once you are satisfied with your settings and drive selection, tap the Start Duplication button. A Job Status screen is automatically displayed, as shown below.
  • Page 85 4.3.3.1 Files created during disk-to-file duplication When performing an image, TX1 creates files (sometimes called segments or chunks) on the destination drive that contain the data copied from the drive. Segments are written to the destination drive according to the following convention: (image base directory)/ [directory name]/ [filename].E01...
  • Page 86 To set up Automated Acquisition mode: 1. From the Home screen, tap the Duplicate icon. The Duplicate job setup screen is displayed.
  • Page 87 2. To modify or enter job notes, tap the 1 or Job Notes heading to expand the section. Tap a text box to modify or enter Name, Case ID, or Notes values and the virtual keyboard is displayed on the bottom half of the screen. If desired, you can also attach a USB keyboard to one of the front Accessory USB ports to make data entry easier.
  • Page 88 AMA or DCO settings will have those settings disabled prior to the start of the job and then replaced after the job is complete. See “Disabling drive capacity limiting configurations” on page 60 for more information regarding the Shelve AMA/DCO feature.
  • Page 89 4. Your selection of Automated Acquisition mode will be confirmed by the automated acquisition icon in the left side of the drive tile turning green with a gray checkmark inside. Close the modal by tapping the X in the upper right corner or by tapping outside of the modal.
  • Page 90 If an image destination is desired, format the destination drive by selecting the details option from the additional options menu (three vertical dots at the right side of the drive tile) or from the Destinations button on the Home screen.
  • Page 91 To make a network share visible in the Source or Destination selection lists in a job setup screen, first add and mount the share from the Sources or Destinations buttons on the Main screen. 6. To change the common settings, tap the 4 or Common Settings heading. Select up to two hash types of MD5, SHA-1, and SHA-256.
  • Page 92 Jobs tab header area next to the active/queued job count. This allows for at-a-glance awareness that automated acquisition mode is active, even when not looking at the Jobs tab.
  • Page 93 If any source drives were previously connected to the system and the Acquire Currently Connected option was set in step 3 above, then a job will be started or queued for each of the connected drives. If no source drives were previously connected to the system or the Acquire Currently Connected option was disabled in step 3 above, then no automated jobs will be started until a new source drive is detected by the system.
  • Page 94 1. Tap the Sources or Destinations button at the bottom of the Home screen. Then tap the orange plus button in the upper right corner of the drive list and tap Mount iSCSI Target to display the iSCSI Discovery screen.
  • Page 95 2. Enter the IP address of the iSCSI server by tapping on the Address field. If needed, change the default iSCSI Port from 3260 to the port used by the iSCSI server. If needed, enter a Discovery Username and Discovery Password. Note: Throughout the TX1 user interface, passwords can be shown as either plain text or hidden.
  • Page 96 4. Tap an iSCSI target and the iSCSI Login screen is displayed. If needed, enter a login username, password, and a nickname (optional). Tap the Login button to login and mount the iSCSI target.
  • Page 97 5. If the login is successful, you can optionally save the target as a Bookmark for convenient future access. To save a target as a bookmark tap the Save As Bookmark button under the iSCSI drive tile and enable or disable the desired Username and Password values to be saved.
  • Page 98 Duplication as a source (if mounted as a source), Duplication as a destination (if mounted as a destination), Hash (as a source), Verify (as a destination), and some media utilities.
  • Page 99 4.3.5.2 Adding a CIFS share To add a CIFS share as a source or destination: 1. Tap the Sources or Destinations button at the bottom of the Home screen. Then tap the orange plus button in the upper right corner of the drive list and tap Mount CIFS Share to display the mounting screen.
  • Page 100 Note: In Static IP setting cases or on networks with no domain name server (DNS), it is still possible to use a server's computer name to specify the share to mount.
  • Page 101 3. Enter a share name for the server listed in the status summary and select Next or tap List Shares to select from a list of available shares.
  • Page 102 Tap the Show Hidden Shares slider to view default admin/hidden shares in the share list.
  • Page 103 5. Enter a nickname for this CIFS share (optional) and enter a login username and password (if required). Choose the SMB Version and enable SMB 3.0 encryption (if desired), then tap the Mount button to login and mount the CIFS share.
  • Page 104 To save a share as a bookmark tap the Save As Bookmark button under the CIFS drive tile, enable or disable the desired Username and Password values to be saved, and then tap the Save as Bookmark button.
  • Page 105 7. The bookmark is now saved (if selected). The share can now be accessed like any mounted filesystem for logical acquisition as a source (if mounted as a source), as a destination for physical and logical image files (if mounted as a destination), Verify (as a destination), Restore (as a source or destination), and some media utilities.
  • Page 106 Jobs tab, simply tap its Pause button, and confirm the desire to pause the job. The job will be moved to the Recent area with a status of Paused, as shown below.
  • Page 107 There are three distinct ways to resume a paused job: • By tapping the Play button on the paused job in the Recent area of the Jobs tab. • By tapping the Resume Job button in the header of the Job Status screen. (The Job Status screen can be viewed by tapping on the job in the Jobs tab.) •...
  • Page 108 1. From the Home screen, navigate to the side navigation menu (available by tapping the menu icon at the top left of the Home screen).
  • Page 109 2. Tap the Logs menu item to see a list of all the stored job logs.
  • Page 110 3. Find the desired paused job log (Paused status on the right, with the appropriate job start date and time shown) and tap on that log list entry to display the Log Details screen for that job log.
  • Page 111 4. Review the log details to confirm this is the job that was running when power was lost that you intend to resume. Note that logs for completed jobs that experienced a power loss event will have a message at the top of the log indicating *** POSSIBLE POWER LOSS EVENT DETECTED ***.
  • Page 112 The following log sample shows a completed power loss paused/resumed job. Note that, had this been a manually paused/resumed job, the line with the possible power
  • Page 113 loss warning would be replaced by a Paused field, with the date and time of the pause event. TX1 also allows the resumption of imaging jobs that failed for the following reasons: • Source drive missing or disconnected •...
  • Page 114 MD5, SHA-1, and SHA-256 hash values for a source drive. You can use up to two different hash algorithms in one operation. To create a hash of a source drive: 1. From the Home screen, tap the Hash button. 2. Enter Job Notes and select a Source drive.
  • Page 115 3. Select a Sector Range for the hash. The default settings will always provide a full drive hash, but certain situations (such as a failing source drive with bad sectors) could benefit from a partial drive hash. Partial drive hashes are defined by start and end sector values.
  • Page 116 4. To cancel the hash operation, close the Job Status screen by tapping the X in the upper right corner, and then tap the Cancel button from the Active Jobs area at the top of the Jobs summary screen.
  • Page 117 When the hash operation is finished, the results display on the screen. To access the forensic log of the hash job, simply tap the View Log button in the header of the completed Job Status screen. You can also view the log information by selecting Logs from the side navigation menu.
  • Page 118 “Connecting drives” on page 70 to connect the source drive and all relevant destination drives. 2. From the Home screen, tap the Logical icon. The Logical Image job setup screen will be displayed, as shown below.
  • Page 119 The job setup screen is organized in a natural workflow from top to bottom, but the steps and settings can be accessed in any order. The default values display for each step and setting. Tap the step number or heading to expand the section and view or change the settings.
  • Page 120 Note: Within any screen displaying a list of drives, you can tap the options icon (three vertical dots) located on the right side of the drive tile to see more drive detail and access any available media utilities.
  • Page 121 Note: Unlike a physical duplication job, the option of shelving a source drive DCO/AMA (removing it and then re-applying it at the end of the job) does not exist in logical imaging. The existence of a DCO or AMA will be obvious (per warnings in multiple locations), but the DCO/AMA will need to be permanently removed using the manual HPA/DCO/AMA Disable media utility before gaining access to all portions of the source media.
  • Page 122 Regardless of whether you are including items in an empty dataset or excluding items from a full dataset, the same setup style is used to limit what is acquired, as covered in detail below. 6. Select files and folders to include/exclude.
  • Page 123 In the example shown above, Define what to include is selected, which means the initial acquisition dataset is empty. To manually select which files and folders to include, tap the blue circle/plus sign icon labeled Add files/folders in the Select files and folders to include section.
  • Page 124 7. To select the destination drive(s), tap the 4 or Destination(s) heading. All available destination drives will be shown in a modal window, with a tile shown below each drive to show its recognized filesystem(s). Tap the desired
  • Page 125 destination filesystem(s) (up to four) and the selected filesystem tile will show in green, with a checkbox added to its parent drive tile. Selecting a filesystem will also open a drawer under the filesystem tile, which shows the options for logical imaging destinations, as follows: •...
  • Page 126 Destination network shares can be mounted from the Destinations button on the main screen as well. 8. To change the job settings, tap the 5 or Settings heading.
  • Page 127 Select the desired Hash type for the logical image job - MD5 and/or SHA-1. Note that hash values for source files will be calculated based on the chosen hash settings, even if no lx01 outputs are requested. In that case, the file data is still read to allow for hash calculation, and the file-based hash values are stored in the metadata output file.
  • Page 128 The latter setting may be useful in cases where time or other constraints only allowed partial source file gathering. 9. Once you are satisfied with all the logical image job settings, tap the Start Logical Image button.
  • Page 129 4.5.2 Include/exclude criteria From the main Files to Acquire window, searches can be added that will allow for targeted acquisition of specific file/directory criteria. Select either Add New Search or Add Saved Search in the Include files that match the searches below box to specify a search or series of searches to apply to the logical imaging job.
  • Page 130 • The first entry in each search setup box provides a name field for the search. The default name is Unnamed Search. Changing the name to something more specific may help when reviewing the summary of all searches in the logical
  • Page 131 image job setup screen or when viewing the forensic log associated with a logical image job. • Each of the search parameter fields makes use of drop-down selection boxes to help guide the setup of each parameter. •...
  • Page 132 Wildcard Character: *. Matching Rule: Matches any number of any characters (including none). Examples: Law* Matches: Law, Laws, Lawyer. Does not match: NoLaw, La, aw. *Law* Matches: Law, NoLaw, Lawyer. Does not match: La, aw.
  • Page 133 Matching Rule: Matches any single character. Examples: Matches: Bit, bit, Sit, sit. Does not match: it, slit, bits. Wildcard Character: [abc]. Matching Rule: Matches one instance of any of the characters between the brackets. Examples: [SB]it Matches: Sit, Bit. Does not match: sit, bit, it. Note: The literal bracket characters (“[“...
  • Page 134 File Dates >= lets you specify a date and only match files with one or more timestamps on or after the given date. File Dates <= lets you specify a date and will only match files with one or more timestamps on or before the given date.
  • Page 135 File Dates in Range lets you specify two dates and will only match files with one or more timestamps on or between the two given dates. Dates are entered by typing them into the text boxes in YYYY-MM-DD format. Dates will match the rule if any of the TX1 supported timestamps for that filesystem match the File Date setting.
  • Page 136 “Source file metadata” on page 140. • [image_name].tx1_packed_log contains a TX1 readable copy of the forensic log that can be used for later standalone verification of the lx01 file set.
  • Page 137 All the above output files are generated when a given destination is configured to be the Lx01 + Metadata job type. No CSV metadata file is generated for the Lx01 job type. No lx01 file set or .tx1_packed_log file is generated for the Metadata job type. If all destinations are configured to be the Metadata job type, and no hashes are...
  • Page 138 $db, db$, fp, pjx, mda, mdt, mdn, mdb, mde, ldb, mar, mdw, mny, wdb, mlb, odb, sqlite, sdb, db, sqlite3, sqlite, kexi, shm, db-wal, sqlite-wal, cix, dba
  • Page 139 File Type: Documents. File Extension: cch, cfl, cht, ch3, aft, abc, xlc, gra, opx, adt, smf, pfc, att, bfx, brk, ezf, can, cci, ccitt, cpf, cfp, ef3, fcx, ftf, f96, dxn, gam, cg3, fax, tbf, jet, bk, kfx, awd, oaz, prd, tef, sci, tri, wpf, q, cvp, mif, zvd, key, sld, cpp, ch4, crp, cpr, pps, ppt, pot, pptx, odp, otp, sxi, sti, numbers, slk, lss, wks, 123, gph, wk4, xlk, xls, xlsx, xlt, xlb, xlw, ods, ots, sxc, stc, wkq, wrk, rpc, rpn, ltr, fdf, pdf,...
  • Page 140 The SHA1 Hash of the entry. This field is empty for directories. It is also empty if no SHA1 hash was calculated, no SHA1 hash was configured, or the entry did not match the rules for acquisition.
  • Page 141 Column: File Status. Content: OK if there were no problems reading file data/metadata. ERRORS if there were errors reading file data and/or metadata. This field is empty for directories. Column: Matched Rules. Content: “Y” if the file matched the acquisition's rules for inclusion. 4.6 Verifying The standalone Verify function verifies the integrity of an existing image file by reading back the data from the image file, calculating a hash value of that data, and...
  • Page 142 3. Select a Packed log file. Browse the destination and locate an existing TX1 packed log file.
  • Page 143 Note: The packed log files will always appear at the top of the file list in a given source folder when browsing. This provides easy access to these types of files in situations where there are many segment files. 4.
  • Page 144 The verification process begins. A Job Status modal displays the verification status.
  • Page 145 5. To cancel the Verify operation, tap the Cancel button from the Jobs summary screen. When the Verify operation is complete, the results are displayed on a final Job Status screen. The log for the completed job can be easily viewed by tapping on the View Log link on the right side of the top status bar or from the side navigation menu.
  • Page 146 View button at the bottom of the Browse screen. Simply tap the View button to see the text or image file directly on TX1. The screenshot below shows a sample image file displayed on TX1.
  • Page 147 TX1-generated packed log files (extension “tx1_packed_log”) can also be viewed directly on TX1. These files are used as input for Restore and Verify jobs. Being able to view these files before starting one of those jobs can help ensure the desired file is selected.
  • Page 148 2. From the Home screen, tap the Restore button. 3. Enter Job notes, select a Source drive, and then select a Packed log file by browsing the source and selecting the appropriate TX1 packed log file.
  • Page 149 Note: The packed log files will always appear at the top of the file list in a given source folder when browsing. This provides easy access to these types of files in situations where there are many segment files.
  • Page 150 5. If desired, enable read-back verification. This will read the entire destination drive back after the Restore job is complete, calculate a read-back hash value, and compare that value with the original image file acquisition hash.
  • Page 151 6. Tap the Start Restore button at the bottom of the screen. A Job Status modal is displayed.
  • Page 152 (HDDs and SSDs). That includes the way they are detected, the commands sent, and the information received. This section is focused exclusively on mobile device backup acquisition, including acquisition workflow steps and
  • Page 153 Regardless of the mobile device’s connector type, commercial adapter cables are readily available at a reasonable price, and they will be needed to connect different mobile devices to TX1. Contact OpenText Customer Support if you need assistance finding a suitable mobile device USB adapter cable for use with TX1.
  • Page 154 Android devices, TX1 is not able to discern the state of encryption on the device. Care must be taken to ensure that backup encryption is set to the desired state directly on the Android device prior to beginning a mobile backup acquisition job on TX1.
  • Page 155 Whether backup encryption was previously enabled on the mobile device or enabled as part of the acquisition workflow, the password will need to be noted, as it will be required to access the backup file contents in the upstream forensic investigation software tool.
  • Page 156 If desired, you can also attach a USB keyboard to one of the front Accessory USB ports to make data entry easier.
  • Page 157 4. To change or add a source mobile device, tap the 2 or Source heading. From the displayed source list modal, select a mobile device from the list. A green check confirms your selection. If a connected mobile device is not showing in the TX1’s source list, it is possible that phone interaction/configuration is required.
  • Page 158 Destinations drive list accessible on the Home screen. See “Duplication over a network” on page 94 for more information on mounting iSCSI drives and CIFS/SMB network shares.
  • Page 159 6. To change the job settings, tap the 4 or Settings heading. The setting options and default setting values are as follows: • File output: Native will capture the mobile device’s backup file structure directly to the chosen destination drive/filesystem. Lx01 will create a logical image file set that encapsulates the native files.
  • Page 160 Readback verification in the Defaults setting area 7. Once you are satisfied with your settings and device/drive selections, tap the Start Mobile Backup Acquisition button. A Job Status screen is automatically displayed, as shown below.
  • Page 161 Note: It may be required to interact with the mobile device after the job has been started on TX1. It is not always possible for TX1 to provide informative messaging in the job status screen to indicate that input is required on the mobile device before the actual backup file creation process begins.
  • Page 162 [image name].csv: TX1 generated mobile backup acquisition job metadata file. It contains the following information for each file acquired during the backup job: • Path – The overall path name of the folder/file as written to the destination drive/filesystem.
  • Page 163 • Type – Identification of the path type (Directory or File) • Filesize – Size of any entries of type file (in bytes) • Date/time stamps – These are the dates/times related to when the files were written to the TX1 destination during the backup acquisition job, not the dates/ times of the original source files from the mobile device’s perspective.
  • Page 164 Keep this in mind as you use this feature in your digital forensic investigations. • File Status – Status of the file as read back from the destination during a mobile backup acquisition job. If the job completed successfully and there were no errors
  • Page 165 reading back the files from the destination (to pack them into the Lx01 segment files), all will show as “OK”. If there was an issue while reading the files back, the job will fail and the offending file will show an “Error” status in the CSV file. •...
  • Page 166 The files created by an Android mobile device during a Lx01 file type backup are written to the destination drive according to the following convention:
  • Page 167 [image base directory]/ [directory name]/ [image name].csv [image name].log.html [image name].log.txt [image name].Lx01 [image name].Lx02 [image name].Lx99, etc. [image base directory] is defined in Setting Defaults or when selecting a destination drive. The default is /tx1_images/. [directory name] is the image sub-directory name auto-generated for each acquisition and is defined in Setting Defaults or when selecting a destination drive...
  • Page 168 They contain all the data and metadata for each acquired mobile backup file and folder. 4.10 Viewing sources and destinations Tap the Sources or Destinations button on the Home screen to display the list of connected drives.
  • Page 169 Tap a drive row to view the drive details, to access Media Utilities, or tap the options icon located on the right side of the drive row to view more options. The top blue section of the drive details screen displays the physical drive interface as well as the drive model, serial number, and size.
  • Page 170 In the Drive Utilization area, if the drive has one or more filesystems, tap the Entire drive menu to display a list of filesystems.
  • Page 171 Select a filesystem to display In use and Free utilization information. Note that changing this selection from Entire drive to one of the detected filesystems only changes the utilization information displayed in this specific sub-area of this screen. All other information on this screen reflects the entire drive, and the media utilities below will act on the entire drive.
  • Page 172 TX1 can also detect the hardware-based Opal encryption method. TX1 can detect the following types of encryption: • APFS • Apple FileVault 2 • BestCrypt • BitLocker • BitLocker To Go • Check Point Full Disk Encryption
  • Page 173 • GuardianEdge Encryption (Plus, Anywhere, Hard Disk Encryption) • LUKS • McAfee Drive Encryption (SafeBoot) • Opal • Sophos Safeguard (Enterprise and Easy/Utimaco) • Symantec Endpoint Encryption • Symantec PGP Disk • WinMagic SecureDoc Full Disk Encryption Encryption detection information is always shown in the drive tile for a given drive, regardless of the viewing location within the user interface and what type of encryption is present (whole disk or partition based).
  • Page 175 4.10.1.1 Opal encryption Opal encryption is a unique, hardware-based encryption method that is managed by the controller on the drive with only minimal host system interaction. Opal is an industry standard created by the Trusted Computing Group (TCG) consortium that defines, among other things, the interface protocol to these types of hardware encrypted drives.
  • Page 176 Also, Opal encryption unlock (including Shadow MBR disablement) is a volatile change, meaning that the drive will revert to its original configuration after it is power cycled.
  • Page 177 Caution Docking station type devices that have Opal drives in them must support ATA command pass-through for TX1 to properly detect the presence of Opal encryption and allow it to be unlocked. Docking stations that do not support ATA command pass-through may present locked Opal media as all zeros with no indication of Opal encryption being present in the TX1 user interface.
  • Page 178 RAID system drives can be reliably detected, and knowing about them can be of forensic value. TX1 will detect drives from the following RAID system types: • Intel RST (BIOS) • SNIA DDF • Linux MD • Adaptec HostRAID ASR • Highpoint (HPT37X HPT45X)
  • Page 179 • Intel Software RAID • JMicron JMB36x • LSI Logic MegaRAID • NVidia NForce • Promise FastTrack • Silicon Image Medley • VIA Software RAID RAID detection information is always shown in the drive tile for a given drive, regardless of the viewing location within the user interface and what type of RAID is detected.
  • Page 181 4.11 Logs module TX1 generates a detailed log for all forensic jobs and most media utility operations. The detailed information captured in the logs will depend on the job type. A summary of the information captured for an image-based duplication job is shown below.
  • Page 182 Recent jobs list and the log for that job is deleted while it is paused, the job will not be resumable and will need to be started over. Tap on a job row to view the detailed forensic log for that job.
  • Page 183 Before showing some specific sample logs later in this section, let us cover the basic log management options available from the bottom of the log details screen. • Resume Job ‒ If highlighted (orange), then the job is resumable. See “Pausing and resuming a duplication job”...
  • Page 184 TX1 user interface, the sample logs below are shown in legacy text format as it provides a better view for showing all the log information at once.
  • Page 185 4.11.2.1 Log 1
  • Page 186 4.11.2.2 Log 2
  • Page 187 There are three encryption related lines in a log for each drive that was part of the job, as follows: • Opal Encryption: This section of the log has two sub-fields: Supported (Yes/No) and Locked (Yes/No). • Tableau Encrypted: This field identifies if the drive has been encrypted by TX1. The options for this field are: No, Locked, and Unlocked.
  • Page 188 It is a best practice to export and delete logs from TX1 after each case. TX1 will store 100 logs before overwriting logs (starting with the oldest log). A warning will be provided before any logs are overwritten. Once a log is deleted or overwritten, the data is unrecoverable.
  • Page 189 4.11.3 Filtering logs TX1 can store up to 100 forensic logs. To make it easier to view, export, and delete specific logs of interest, a Filter Logs feature has been provided. To filter the log list, simply tap the log filter icon at the bottom left side of the log list screen.
  • Page 190 TX1. However, the logs for any remotely initiated jobs will reflect the time zone as set on TX1. • The Factory Reset feature is not available to remote users.
  • Page 191 • Network Configuration settings are viewable remotely but can only be changed directly on TX1. • Locking the system (PIN lock) from any location (local or any remote user instance) will lock all the active screens. 4.12.1 SSL certificate setup and installation TX1 uses SSL certificates to ensure secure communication during remote sessions.
  • Page 192 Once you install your own certificate, TX1 will retain it in the event of reboot or power disruption. Manually generating a TX1 self-signed certificate will overwrite your own certificate and return TX1 to the default state of generating a new self-signed certificate upon annual expiration.
  • Page 193 Note: TX1 remote user interface has been validated for use with the following web browsers: Chrome (v86.0.4240.75), Firefox (v81.0.2), and Safari (v13.2.1). Older and newer versions of these browsers and even other browsers may work fine but have not been validated at this time. 4.12.2 Accessing TX1 remotely To access TX1 remotely, a valid username and password are required.
  • Page 194 TX1, type TX1's IP address (or hostname) into the address field in the web browser (same field where you would enter a web page URL), and press Enter. The remote UI login screen should be shown in your browser.
  • Page 195 Note: The SSL certificate will show as invalid for TX1 at this time. An exception will need to be made to view the remote user interface. 5. Enter the username and password, and the TX1 user interface should appear in your browser, as shown below.
  • Page 196 This allows for easy identification of the specific TX1 associated with each browser window, which is helpful in a lab environment with multiple TX1 units being accessed remotely from the same browser.
  • Page 197 Chapter 5 Adapters This chapter describes the add-on drive adapters available for TX1, which extend imaging capabilities in an easy to connect and use manner. Important The PCIe interface on TX1 does not support hot-swapping. PCIe adapters with drives installed must be attached to TX1's PCIe port before powering up the unit.
  • Page 198 TDA7-5) and TC2-8-R2 power cable. 3. Power on TX1. 4. The Sources drive counter will increment by one to let you know your IDE drive is connected. Tap the Sources tab to view IDE drive details.
  • Page 199 5.3 PCIe FireWire adapter (TDA7-9) The PCIe FireWire adapter (TDA7-9) enables the acquisition of FireWire drives via the TX1's PCIe source port. The PCIe FireWire adapter kit (sold as an add-on to the TX1 kit) includes 9-pin and 6-pin FireWire adapter cables which are used to connect the FireWire media to the adapter.
  • Page 200 Different Macintosh computers have different FireWire connectors, so check the connector type before you begin. FireWire 800 connectors are common on many legacy Mac systems. A FireWire 800 9-pin to 9-pin cable is shown below.
  • Page 201 5.4.3 Thunderbolt 2 adapter cable Adapting from a Thunderbolt 2 connector on a Mac to TX1 requires two separate adapters/cables. A Thunderbolt 2 to FireWire 800 (9-pin) adapter is used along with the same FireWire 800 (9-pin to 9-pin) cable shown above to connect between the Thunderbolt 2 port on the Macintosh and the TX1 FireWire 800 port.
  • Page 203 Chapter 6 Specifications and troubleshooting 6.1 Specifications Connectors: Source Side. SATA/SAS: Two SATA/SAS (6 GBPS) signal connectors. USB: One USB 3.1 Gen 1 (5 GBPS) Standard-A connector. FireWire: One 1394b “FireWire 800” signal connector. PCIe: One PCIe (10 GBPS) adapter connector. Drive Power: Two 3M-style 4-pin power connectors for SATA/SAS drive power...
  • Page 204 • Thermal issues • Problems with drive detection • Problems detecting Apple devices in the Target Disk Mode • Long time to complete locally initiated firmware update • Replacing the backup battery for the real-time clock
  • Page 205 This includes the inlet vents on both sides of the unit and the fan outlet vent in the rear. If there are no obstructions to these airflow vents, then please contact OpenText Customer Support at your earliest convenience for further guidance.
  • Page 206 Tableau issues firmware updates to address most compatibility issues. If your drive is not recognized by TX1, check the Tableau download webpages (https://security.opentext.com/tableau/download-center) to see if any firmware updates are available for TX1.
  • Page 207 If there are no firmware updates available to resolve your detection issue, please contact your Tableau reseller or OpenText Customer Support to report your issue or ask for further assistance. 6.2.4 Problems detecting Apple devices in target disk mode...
  • Page 208 If you are still having trouble detecting your Apple computer in TDM, please contact OpenText Customer Support to report your issue or ask for further assistance. 6.2.5 Long time to complete locally initiated firmware update The ability to update TX1's firmware from the unit via any mounted media (local or network based) has made firmware updates more flexible and convenient.
  • Page 209 6.2.6 Real-time clock data retention issue Under normal operating conditions, the real-time clock on your TX1 should retain the time and date settings for the life of the product. If the time and/or date setting is not being retained after power cycles, there could be an issue with the battery inside the unit.