OPENTEXT Tableau Forensic TX1 - Page 166

OPENTEXT Tableau Forensic TX1
210 pages
Filesize – Size of any entries of type file (in bytes)
Date/time stamps – These are the dates/times related to when the files were
written to the TX1 destination during the backup acquisition job, not the dates/
times of the original source files from the mobile device’s perspective.
MD5 Hash/SHA1 Hash – Hash values of the acquired files, calculated by TX1 by
reading back the files that were written to the destination. This is not exactly the
same as an acquisition hash (which is created for physical and logical imaging
jobs before the data is written to the destination), but it is the best that can be
done to mimic an acquisition hash for mobile backup acquisition jobs. The hash
values in this CSV file are the values used to readback verify a Native format
backup acquisition job.
Note: Mobile device backup files can be encrypted (via a setting on the
device), which typically results in more user data being included in the
backup file, which is forensically desirable. However, the files included in
an encrypted backup will typically have different encrypted data from job
to job (with the exact same source file data), which makes the encrypted
backup file hashes inconsistent between subsequent backup acquisition jobs
on the same source device. Keep this in mind as you use this feature in your
digital forensic investigations.
File Status – Status of the file as read back from the destination during a mobile
backup acquisition job. If the job completed successfully and there were no errors
reading back the files from the destination (when creating the hashes for the
metadata file), all will show as “OK”. If there was an issue while reading the files
back, the job will fail and the offending file will show an “Error” status in the
CSV file.
Matched Rules – For mobile backup acquisition jobs, this will always indicate
“Y” for yes. This field is more pertinent to logical imaging jobs, which use it to
indicate if a given file was part of a targeted/filtered collection.
[image name].log.html/txt - TX1 generates two forensic log file formats for each
job (mobile backup acquisition included): one in HTML format and one in text format.
These logs are accessible through the Logs list in the side navigation menu. They can
also be exported to a destination drive/filesystem (local or network based) for
further analysis and/or case documentation purposes.
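The CSV metadata file described above can also be used to re-check a Native format backup after it has left the TX1. The following is an added example, not code from OpenText or from this manual: it re-hashes each file on the destination and compares size, MD5 and SHA1 against the CSV. The column header names (Path, Filesize, MD5 Hash, SHA1 Hash, File Status) and the sample files are assumptions constructed for illustration; adjust them to the header row of the real CSV.

```python
import csv, hashlib, os, pathlib, tempfile
# Assumed header names: the manual describes these fields but not the exact CSV header text.
PATH, SIZE, MD5, SHA1, STATUS = "Path", "Filesize", "MD5 Hash", "SHA1 Hash", "File Status"

def hash_file(path, chunk=1 << 20):
    """Stream the file once; return (size_as_text, md5_hex, sha1_hex)."""
    md5, sha1, size = hashlib.md5(usedforsecurity=False), hashlib.sha1(usedforsecurity=False), 0
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            md5.update(block)
            sha1.update(block)
            size += len(block)
    return str(size), md5.hexdigest(), sha1.hexdigest()

def verify_backup(csv_path, root):
    """Return sorted (relative_path, problem) pairs for CSV rows that do not verify."""
    root, problems = os.path.realpath(root), []
    with open(csv_path, newline="", encoding="utf-8") as fh:
        for row in csv.DictReader(fh):
            rel = row[PATH]
            if not (row[MD5] or row[SHA1]):
                continue  # assumption: entries that are not files carry no hash values
            full = os.path.realpath(os.path.join(root, rel))
            if os.path.commonpath([root, full]) != root:
                problems.append((rel, "path escapes destination"))  # never read outside root
            elif row[STATUS] != "OK":
                problems.append((rel, "status " + row[STATUS]))
            elif not os.path.isfile(full):
                problems.append((rel, "missing"))
            elif hash_file(full) != (row[SIZE].strip(), row[MD5].lower(), row[SHA1].lower()):
                problems.append((rel, "size or hash mismatch"))
    return sorted(problems)

def demo():
    """Constructed sample: one intact file, one altered after the CSV was written, one Error row."""
    with tempfile.TemporaryDirectory() as d:
        rows = []
        for name, data in (("a.ab", b"backup-one"), ("b.ab", b"backup-two")):
            pathlib.Path(d, name).write_bytes(data)
            rows.append([name, *hash_file(os.path.join(d, name)), "OK"])
        rows.append(["c.ab", "0", "0" * 32, "0" * 40, "Error"])
        pathlib.Path(d, "b.ab").write_bytes(b"backup-TWO")  # same size, different content
        meta = os.path.join(d, "meta.csv")
        with open(meta, "w", newline="", encoding="utf-8") as fh:
            csv.writer(fh).writerows([[PATH, SIZE, MD5, SHA1, STATUS], *rows])
        return verify_backup(meta, d)

if __name__ == "__main__":
    print(demo())
```

This checks one job's files against that same job's CSV; as the note above explains, hashes of encrypted backups are not expected to match across separate acquisition jobs.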
Lx01 Android backup acquisition job output files
When Lx01 is selected as the file output type for an Android backup acquisition job,
the same native Android backup file as described in the section above is still
acquired. However, instead of the native file being kept on the destination drive, it is
read back into TX1 and then packed into Lx01 segment files that are then written to
the destination. This type of output helps protect the native backup file from
unintentional modification just as a logical image job does with files from a source
filesystem. The files created by an Android mobile device during an Lx01 file type
backup are written to the destination drive according to the following convention:
Chapter 4 Using TX1
166
OpenText™ Tableau™ Forensic TX1 Imager
ISTX240300-UGD-EN-1