See “Encryption unlock” on page 56 for information related to unlocking Opal SEDs.
Note that Opal drives that have not had their encryption enabled will behave as
regular, non-encrypted drives.
An additional consideration for Opal drives is a unique configuration that exposes a
Shadow MBR. This Shadow MBR can be enabled by drive/system manufacturers to
initially identify the drive as a small, non-encrypted volume, which overrides the
actual MBR information. A typical use case for this configuration is to enable system
manufacturers to request credentials from a user before revealing the actual MBR
information on the drive. Regardless of the use case, it is important to be able to
identify situations where only the Shadow MBR is revealed, to make it clear that the
entire drive contents are not being seen. TX1 will detect when an Opal Shadow MBR
is enabled and clearly inform of its presence. The lock icon will show in the affected
drive tile in the Sources list, and the presence of an Opal MBR will be explicitly
called out in the drive details screen. Note that the Shadow MBR configuration is
essentially a unique form of a locked Opal drive, therefore unlocking the Opal
encryption on TX1 will disable the Shadow MBR (regardless of the underlying
encryption state) and make the full, unencrypted drive contents available for triage/
acquisition. Also, Opal encryption unlock (including Shadow MBR disablement) is a
volatile change, meaning that the drive will revert to its original configuration after
it is power cycled.
Chapter 4 Using TX1
176
OpenText™ Tableau™ Forensic TX1 Imager
ISTX240300-UGD-EN-1
To Next Page
Loading...
