OPENTEXT Tableau Forensic TD4 - Sample Logs

86 pages
Status: Overall job status (Incomplete, Ok, Error/Failed, Canceled), date/time
stamps, identification of TD4 as the acquisition system, and the firmware version in
use at the time of the acquisition. The following pieces of optional information will
also be included in this section: Examiner name, Case ID, Case Notes, and Job Notes.
Source: Source drive details, including overall drive information (Evidence ID (if
set), interface type, TD4 port, make/model number, firmware version, serial
number(s), protocol specific details (e.g., SCSI/USB info), HPA/DCO/AMA related
information, RAID and encryption information, size/layout information, and the
partition table type), partition details, and, if present and supported by TD4,
filesystem specific information.
Acquisition Results: Details about the acquisition aspects of the job, including block
start and count numbers, acquisition hash values, and read error information.
Configuration: Job configuration information, such as the output file format type,
segment file size, and whether or not compression was enabled.
Image Destination: Destination drive details, including readback verification hash
values (if enabled for the job), overall drive information (interface type, TD4 port,
make/model number, firmware version, serial number(s), protocol specific details
(e.g., SCSI/USB info), HPA/DCO/AMA related information, RAID and encryption
information, size/layout information, and the partition table type), partition details,
and filesystem specific information.
Failure Summary: If a failure occurred during the job, this section will be shown and
will include a failure reason and code. Note that the failure code is not intended to
be meaningful to the end user. In cases where customer support is required to
resolve a job failure situation, the failure code should be noted and included in the
incident report. This information will help in determining the root cause of the
failure.
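
The sections listed above map onto a short review checklist for an exported job log. The following is an added example, not code from the manual or from OpenText: it checks a transcription of a log for the sections named above, the overall job status, read errors, a failure summary, and agreement between the acquisition hash and the readback verification hash. The bracketed text layout, the field names, and the sample values are assumptions constructed for illustration and are not the TD4 export format.

```python
# Added example. Field names and this text layout are assumptions, not the TD4 export format.
REQUIRED = ["Status", "Source", "Acquisition Results", "Configuration", "Image Destination"]

def parse_transcript(text):
    """Parse '[Section]' headers followed by 'field: value' lines into nested dicts."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and ":" in line:
            key, value = line.split(":", 1)
            current[key.strip()] = value.strip()
    return sections

def review_job_log(sections):
    """Return a list of findings; an empty list means nothing needs follow-up."""
    findings = [f"missing section: {name}" for name in REQUIRED if name not in sections]
    status = sections.get("Status", {}).get("Overall job status", "")
    if status.lower() != "ok":
        findings.append(f"job status is {status or 'absent'}")
    if "Failure Summary" in sections:
        code = sections["Failure Summary"].get("Failure code", "not recorded")
        findings.append(f"failure summary present; quote failure code {code} in the incident report")
    acq = sections.get("Acquisition Results", {})
    if int(acq.get("Read errors", "0")) > 0:
        findings.append(f"source read errors: {acq['Read errors']}")
    acq_hash = acq.get("Acquisition hash", "").lower()
    readback = sections.get("Image Destination", {}).get("Readback verification hash")
    if not acq_hash:
        findings.append("no acquisition hash recorded")
    elif readback is None:  # readback verification is optional per job
        findings.append("readback verification was not enabled; destination unverified")
    elif readback.lower() != acq_hash:
        findings.append("readback hash does not match acquisition hash")
    return findings

# Constructed sample; the hash values are placeholders, not real digests.
SAMPLE = """
[Status]
Overall job status: Ok
[Source]
[Acquisition Results]
Acquisition hash: AAAA1111
Read errors: 0
[Configuration]
[Image Destination]
Readback verification hash: aaaa1111
"""
print(review_job_log(parse_transcript(SAMPLE)) or "no findings")
```
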
To access the job logs stored on your TD4, expand the Job History function tile on
the home screen and then tap in the lower portion of the function tile. A list of all the
jobs stored on the unit will be displayed. Tapping on a job will display its job status
screen. Note that you cannot open and view forensic log files directly on TD4. Job
status screens show the key information about the job, but the job log will need to be
exported to a destination or accessory drive to be able to view the forensic log file on
a separate computer.
4.14.1 Sample logs
Two sample logs are shown below - one from a successful duplication and one from
a failed standalone verification. As shown in the HTML log samples, there are up/
down arrows on the right side of each section header. A down arrow indicates the
section is collapsed; an up arrow indicates it has been expanded. The sample HTML
logs below are shown with all fields collapsed for simplicity. Each piece of log
information was categorized as critical or supplementary, and only the critical
information is shown when a section is collapsed. When an exported log is viewed
on a separate computer, each section can be expanded to show the detailed,
supplementary information. In that expanded view, the critical information is
highlighted with bold field descriptions, while the supplementary information is
4.14. Forensic logs
ISTD230100-UGD-EN-1
User Guide
71