OpenText Tableau Forensic TX1 Imager
Define what to include in the top selection box, our initial acquisition dataset is empty.
Any configured searches will potentially add to that empty acquisition dataset.
The file search options are covered in detail in the following sections. Before getting into
those details, here is some general information regarding logical image searches:
• A search defines parameters for the kinds of files that are of interest to a forensic
investigation. Adding searches will include/exclude every instance of that kind of file.
• Multiple searches can be configured for a given job (using the Add Search button at
the bottom of the search setup window), but they are logically independent from each
other. This means that if a search gets a hit on a file, it will be added to/removed from
the acquisition dataset even if a subsequent search is configured to ignore that same
kind of file.
• Within a single search box, all the criteria defined must match for a given file to be
included in (or excluded from) the acquisition dataset.
• The first entry in each search setup box provides a name field for the search. The
default name is Unnamed Search. Changing the name to something more specific
may help when reviewing the summary of all searches in the logical image job setup
screen or when viewing the forensic log associated with a logical image job.
• Each of the search parameter fields makes use of drop-down selection boxes to help
guide the setup of each parameter.
• Text fields used for matching file names, file extensions, and file paths can use any
Unicode characters TX1-supported filesystems might contain.
Note: Unicode is the standard for encoding visual text characters/symbols into digital
values to allow computer systems to understand what characters/symbols are being
referenced for proper display and processing. It was defined to allow digital encoding of
special characters/symbols (including language specific accent glyphs, for example) that
are not covered by the ASCII standard. TX1 uses UTF-8 (Unicode Transformation
Format – 8 bit) to encode all possible characters/symbols used in all filesystems that TX1
supports and to use those encoded values when matching characters during logical
image searches. For characters that are composed of multiple, distinct glyphs (for
example the German umlaut over the letter A), TX1 uses the NFC (Normalization
Function Composition) standard to normalize the various encoding methods into a
common hex value for matching purposes. For more information, search for “UTF-8” and
“Unicode equivalence” on the internet.
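The following Python sketch is an added example, not TX1 code. It shows why the Note's NFC step matters: the same visible A-umlaut can be stored as two different UTF-8 byte sequences, which only compare equal after normalization. The file names are constructed samples, and whole-name equality is an assumption made for the illustration.

```python
import unicodedata

def utf8_hex(text: str) -> str:
    """UTF-8 bytes of text as spaced hex, as stored in a file name."""
    return text.encode("utf-8").hex(" ")

def raw_match(term: str, name: str) -> bool:
    """Byte-for-byte comparison of the UTF-8 encodings, no normalization."""
    return term.encode("utf-8") == name.encode("utf-8")

def nfc_match(term: str, name: str) -> bool:
    """Compare after normalizing both sides to NFC, then encoding as UTF-8."""
    def key(s):
        return unicodedata.normalize("NFC", s).encode("utf-8")
    return key(term) == key(name)

# Constructed sample file names (not taken from any real image).
SAMPLES = {
    "precomposed": "\u00c4rzte.pdf",   # U+00C4, one code point
    "decomposed": "A\u0308rzte.pdf",   # A + U+0308 combining diaeresis
    "plain": "Arzte.pdf",              # no umlaut: a different name
    "ligature": "\ufb01le.txt",        # U+FB01 'fi' ligature
}

def compare(term: str, samples=SAMPLES) -> dict:
    """Map each sample label to (raw_match, nfc_match) against the term."""
    return {label: (raw_match(term, name), nfc_match(term, name))
            for label, name in samples.items()}

if __name__ == "__main__":
    term = "\u00c4rzte.pdf"  # search term typed with a precomposed A-umlaut
    for label, name in SAMPLES.items():
        raw, nfc = compare(term)[label]
        print(f"{label:12} {utf8_hex(name):40} raw={raw!s:5} nfc={nfc}")
    # NFC only merges canonical equivalents: the ligature is a compatibility
    # character, so a term spelled "file.txt" does not match it.
    print("file.txt vs ligature:", nfc_match("file.txt", SAMPLES["ligature"]))
```

When a search term is expected to hit but does not, comparing the hex of the stored name with the hex of the term shows whether the difference is one that NFC resolves or a genuinely different character.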
The various search parameter fields that TX1 supports are covered in the following
sections.
4.5.2.1 File type
The File type search parameter restricts the search to apply only to files that match a list
of file extensions. Each search can have any number of file type constraints. When
multiple file type constraints are included in a given search, a match of any one of them
will include/exclude a given file.
Copyright © 2022 Open Text. All rights reserved. Trademarks owned by Open Text.