displayed). TX1 does not know how many bytes it needs to acquire until the scan
is complete.
• Three new status fields show the live status of the scanned files:
– Scanned shows the number of files the job has checked so far to see if it
should include them.
– Matched shows the number of files that will be acquired by this job out of the
number of files scanned.
– Imaged shows the number of files that have been fully acquired out of the
number of files matched.
• The Settings section includes the settings specific to logical imaging that have
been configured for the active job.
• The Included Files section shows a text summary of the rules used by the active
job to determine which files should be acquired.
Note: Filesystem read errors encountered during logical imaging jobs may result in
unpredictable acquisition behavior. When they occur, such errors are indicated by a
red warning message at the top of the Logical section of the status screen. You will
also see non-matching values in the Matched and Imaged fields on the Job Status
screen at the end of the job and errors noted in the job's metadata file. If you suspect
drive/filesystem read errors during a logical imaging job, we recommend that you
clone or physically image the drive (e01, ex01, dd, dmg) instead of trying to do a
logical image. In addition to a physical image (or if a physical image is not possible),
try logically imaging the source in multiple, smaller jobs instead of trying to gather
all files/folders in one job. If the errors happen to be in less forensically interesting
areas of the filesystem, this could result in a more valuable file/folder acquisition set.
4.5.3.2 Files created during logical imaging
When performing a logical image on TX1, multiple different files may be output to
each destination depending on the job configuration, as follows:
• [image_name].log contains the forensic log of the logical imaging operation.
• [image_name].Lx01, [image_name].Lx02, ... are the forensic evidence files for
the operation. They contain all the data and metadata for each file and folder
acquired.
• [image_name].csv is a comma separated value store of all the metadata for every
file and folder acquired. Optionally, this file also contains all the metadata for
files and folders that were not acquired. This type of file can easily be imported
into many common data processing applications such as Microsoft Excel. CSV
file data contents and format information can be found in “Source file metadata”
on page 140.
• [image_name].tx1_packed_log contains a TX1 readable copy of the forensic log
that can be used for later standalone verification of the lx01 file set.
Chapter 4 Using TX1
136
OpenText™ Tableau™ Forensic TX1 Imager
ISTX240300-UGD-EN-1
To Next Page
Loading...
