[image base directory]/
[directory name]/
[image name].csv
[image name].log.html
[image name].log.txt
[image name].Lx01
[image name].Lx02
.
.
.
[image name].Lx99, etc.
[image base directory] is defined in Setting Defaults or when selecting a
destination drive. The default is /tx1_¬images/.
[directory name] is the image sub-directory name auto-generated for each
acquisition and is defined in Setting Defaults or when selecting a destination drive
during duplication job setup. The default setting is Date and Time.
[image name].csv is the TX1 generated mobile backup acquisition job metadata file.
It contains the following information for each native iOS file acquired during the
backup job:
• Path – The overall path name of the folder/file as written to the destination drive/
filesystem during the backup acquisition job. Note that those folders/files will not
be seen directly on the destination after completion of the Lx01 output job, but
they represent the file structure that is encapsulated in the Lx01 file set.
• Type – Identification of the path type (Directory or File)
• Filesize – Size of any entries of type file (in bytes)
• Date/time stamps – These are the dates/times related to when the files were
written to the TX1 destination during the backup acquisition job, not the dates/
times of the original source files from the mobile device’s perspective.
• MD5 Hash/SHA1 Hash – Acquired file hash values as calculated by TX1 by
reading back the files that were written to the destination (as encapsulated in the
Lx01 segment files). This is not exactly the same as an acquisition hash (which is
created for physical and logical imaging jobs before the data is written to the
destination), but it is the best that can be done to mimic an acquisition hash for
mobile backup acquisition jobs. The hash values in this CSV file are what is used
to readback verify an Lx01 format backup acquisition job.
Note: Mobile device backup files can be encrypted (via a setting on the
device), which typically results in more user data being included in the
backup file, which is forensically desirable. However, the files included in
an encrypted backup will typically have different encrypted data from job
to job (with the exact same source file data), which makes the encrypted
backup file hashes inconsistent between subsequent backup acquisition jobs
on the same source device. Keep this in mind as you use this feature in your
digital forensic investigations.
• File Status – Status of the file as read back from the destination during a mobile
backup acquisition job. If the job completed successfully and there were no errors
4.9. Mobile backup acquisition
ISTX240300-UGD-EN-1
User Guide
167
To Next Page
Loading...
