• Whole disk encryption: This field will be populated with the specific type of
third-party whole disk encryption that TX1 was able to detect. The options for
this field are: None detected, BitLocker, BitLocker To Go, Symantec PGP Disk,
LUKS, BestCrypt, McAfee Drive Encryption (SafeBoot), Sophos Safeguard,
Winmagic SecureDoc, GuardianEdge Encryption, Symantec Endpoint
Encryption, and FileVault 2. Note that FileVault 2 cannot be conclusively
detected using standard signature inspection, but the existence of Core Storage
can be detected. TX1 indicates that FileVault 2 encryption is possible when a
Core Storage partition is detected.
Note that partition information is also provided in the logs, including Partition
Encryption status (type, if present, or None detected).
If TX1 detects any bad sectors on the source drive, it adds a section at the end of the
job log. This additional section lists the sector address and the number of sectors of
each unreadable region of the source drive. As an example, the following forensic
log read error entry means that an error was encountered in at least one of the 64
sectors starting at sector offset 234,567: Error # 1: Read error (source), address=
234567, length=64
Note: The default error granularity setting is Standard, which will result in a
minimum chunk of 32kB of source data (64 sectors for a 512B sector drive) that
will get skipped and filled with zeros upon completion of the attempted reads
(assuming no reads were successful). If this condition is encountered, consider
changing the error granularity setting to be Exhaustive, which will result in
repeated read attempts of the error region with decreasing sector sizes. This
will maximize the amount of recoverable data and minimize the sectors that
get skipped and filled with zeros.
If error retries are enabled and TX1 is able to successfully read sector data after an
initial read error is encountered, the Total recoverable errors count shown in the
Duplication Results area will reflect the number of original read errors
encountered. The Total unrecoverable errors count will reflect read errors for which
no retry attempts were successful.
It is a best practice to export and delete logs from TX1 after each case. TX1 will store
100 logs before overwriting logs (starting with the oldest log). A warning will be
provided before any logs are overwritten. Once a log is deleted or overwritten, the
data is unrecoverable.
Chapter 4 Using TX1
188
OpenText™ Tableau™ Forensic TX1 Imager
ISTX240300-UGD-EN-1
To Next Page
Loading...
