this area, the information is considered historical as of the start of the job,
as indicated by date and time information in the top-right corner of the
drive details screen. This means that changes to drive information during
the job (such as reduced free space on the destination drive) will not be
reflected and browsing of any mounted filesystems is disabled. To see a
live version of the drive details and to be able to browse mounted
filesystems (even during an active job), use the drive tiles on the home
screen to access the drive details screens.
4.10.2 Files created during a logical image job
When performing a logical image on TD4, multiple different files may be output to
each destination depending on the job configuration, as follows:
{image_name}.Lx01, {image_name}.Lx02, etc. are the forensic evidence files for the
operation. They contain all the data and metadata for each file and folder acquired.
{image_name}.csv is a comma-separated values file that contains certain metadata
for every file and folder acquired. This type of file can easily be imported into many
common data processing applications such as Microsoft Excel. CSV file data contents
and format information can be found in “Source file metadata” on page 65.
{image_name}.log.html contains the forensic log of the logical imaging job.
{image_name}.TD4_packed_log contains a TD4 readable copy of the forensic log
that can later be used for standalone verification of the Lx01 file set.
4.10.3 Logical image verification
Verification of Lx01 files differs from verification of physical imaging operations
because, in an Lx01 file, there is no overall hash. Each file's data stored in the Lx01
has an associated hash that was calculated during the original acquisition. The
logical imaging verification function reads back the file data from the Lx01 on the
destination, calculates a new hash value for each file, and compares that hash value
to the originally stored acquisition hash value. A failure of any one file to match the
original acquisition hash value will result in a verification failure.
4.10.4 Source file metadata
Logical imaging with TD4 includes source file metadata in the CSV output file, as
shown in the table below.
Column Content
Path Contains the full, filesystem-relative path for this entry. Example: /
users/charles/pictures.
Type Either contains “Directory,”“Symlink,” or “File,” depending on what
kind of entry this row represents.
Filesize The file size, in bytes, of the entry. This field is empty for directories.
4.10. Logical imaging
ISTD230100-UGD-EN-1
User Guide
65
To Next Page
Loading...