started. Make sure none of your destinations have critical files on them
before starting a Restore job.
2. Expand the Restore function tile on the home screen, and then tap the Start
button. The Restore Setup screen will appear.
3. In the Restore Setup screen, tap the Select a log file button to launch a browse
modal. Browse to the appropriate source drive/filesystem, locate the
desired .td4_packed_log file (the one from which you want to restore), and select
that file by tapping it once. Then tap the Select button.
Note: When browsing for packed log files, only files with an extension
of .td4_packed_log will be shown in the browse window.
4. Review the selected filesystem and file path information, verify any other
settings in the Restore Setup screen, and, if everything is set properly, tap the
Start button to begin the Restore job. The Restore job status screen will appear.
Notes
During the Restore job, hashes are calculated as data is extracted from the
source evidence file set and written out to the destination. These hashes are
considered source hashes and are thus captured in the source section of the
Restore job’s forensic log. Even if Readback Verification is not enabled for
the Restore job, these source hashes are compared to the original physical
image acquisition hashes and, if a mismatch is detected, the Restore job will
fail.
If Readback Verification is enabled for a Restore job, the portion of the
destination drive that was written out during the Restore (which matches
the size of the original source drive) will be read back, and readback hash
values will be calculated and compared to the source hashes. If a mismatch
is detected, the verification portion of the Restore job will fail. These
readback hashes are captured in the destination section of the Restore job’s
forensic log. Note that if the readback hash values matched the source hash
values, they will be considered lower priority pieces of data in the HTML
forensic logs and thus hidden by default. These hashes can be viewed by
expanding the destination drive section(s) of the forensic log.
4.14 Forensic logs
TD4 generates a detailed log for all forensic jobs and most media utility operations.
The information captured during each job is used to create both the job status
screens seen in the user interface (available from the Job History list) and the
forensic job logs that can be exported to an external drive. This section is specific to
the exported forensic logs. For information on the Job History list and job status
screens, see “Job history” on page 35 and “Job status” on page 34.
The detailed information captured in the forensic logs will depend on the job type. A
summary of the information captured for an image-based duplication job is shown
below. See the sample logs at the end of this section for some specific job log
examples.
Chapter 4 Using TD4
70
OpenText™ Tableau™ Forensic TD4 Duplicator
ISTD230100-UGD-EN-1
To Next Page
Loading...
