OpenText Tableau Forensic TX1 Imager
non-matching values in the Matched and Imaged fields on the Job Status screen at the
end of the job and errors noted in the job’s metadata file. If you suspect drive/filesystem
read errors during a logical imaging job, we recommend that you clone or physically
image the drive (e01, ex01, dd, dmg) instead of trying to do a logical image. In
addition to a physical image (or if a physical image is not possible), try logically imaging
the source in multiple, smaller jobs instead of trying to gather all files/folders in one job. If
the errors happen to be in less forensically interesting areas of the filesystem, this could
result in a more valuable file/folder acquisition set.
4.5.3.2 Files created during logical imaging
When performing a logical image on TX1, multiple different files may be output to each
destination depending on the job configuration, as follows:
• {image_name}.log contains the forensic log of the logical imaging operation.
• {image_name}.Lx01, {image_name}.Lx02, … are the forensic evidence files
for the operation. They contain all the data and metadata for each file and folder
acquired.
• {image_name}.csv is a comma-separated value (CSV) file holding the metadata for every
file and folder acquired. Optionally, this file also contains the metadata for files and
folders that were not acquired. This type of file can easily be imported into many
common data processing applications such as Microsoft Excel. The CSV file's
contents and format are described in “Source file metadata” on page 139.
• {image_name}.tx1_packed_log contains a TX1-readable copy of the forensic
log that can be used for later standalone verification of the Lx01 file set.
All of the above output files are generated when a given destination is configured with the
Lx01 + Metadata job type. No CSV metadata file is generated for the Lx01 job type. No
Lx01 file set or .tx1_packed_log file is generated for the Metadata job type.
If all destinations are configured to be the Metadata job type, and no hashes are
configured, the file data for each file will not be read at all. This allows an investigator to
quickly create a record of all source file metadata.
4.5.3.3 Logical image verification
Verification of Lx01 files differs from verification of physical imaging operations because,
in an Lx01 file, there is no overall hash. Each file’s data stored in the Lx01 has an
associated hash that was calculated during the original acquisition. The logical imaging
verification function reads back the file data from the Lx01 on the destination, calculates a
new hash value for each file, and compares that hash value to the originally stored hash
value. A failure of any one file to match the original hash value will result in a
verification/job failure.
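The per-file pass/fail logic described above, as an added Python example; it is not OpenText code and does not parse the Lx01 or TX1 CSV formats. The manifest columns `path`, `algorithm` and `hash`, the function names and the sample files are assumptions constructed for the illustration.

```python
import csv
import hashlib
import io
import tempfile
from pathlib import Path

def hash_file(path, algorithm="sha256", chunk=1 << 20):
    """Hash a file in chunks so large evidence files never sit in memory."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def verify_set(manifest_csv, root):
    """No overall hash: re-hash each entry; any non-match fails the whole set."""
    root = Path(root).resolve()
    results = {}
    for row in csv.DictReader(io.StringIO(manifest_csv)):
        target = (root / row["path"]).resolve()
        if not target.is_relative_to(root):      # entry points outside the set
            results[row["path"]] = "rejected"
            continue
        try:
            actual = hash_file(target, row["algorithm"])
        except FileNotFoundError:
            results[row["path"]] = "missing"
            continue
        except OSError:                          # read error on the destination
            results[row["path"]] = "unreadable"
            continue
        expected = row["hash"].strip().lower()
        results[row["path"]] = "match" if actual == expected else "mismatch"
    passed = bool(results) and all(v == "match" for v in results.values())
    return passed, results

def demo(tamper=True):
    """Constructed sample: record three files, then optionally damage two."""
    with tempfile.TemporaryDirectory() as root:
        files = {"docs/a.txt": b"alpha", "docs/b.txt": b"bravo", "c.bin": b"\x00\x01"}
        lines = ["path,algorithm,hash"]           # hypothetical manifest columns
        for rel, data in files.items():
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
            lines.append(f"{rel},sha256,{hash_file(path)}")
        if tamper:
            Path(root, "docs/b.txt").write_bytes(b"bravo!")  # altered after recording
            Path(root, "c.bin").unlink()                      # lost after recording
        return verify_set("\n".join(lines), root)
```

An empty manifest is treated as a failure rather than a pass, so a verification run that checked nothing cannot be mistaken for a clean result.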
4.5.3.4 Advanced logical imaging setup
The logical imaging setup of TX1 can be switched to Advanced Logical Imaging Setup
mode. By enabling this setting in the Default settings screen, two additional search setup
options are activated. If Advanced Logical Imaging Setup is enabled but none of its
Copyright © 2022 Open Text. All rights reserved. Trademarks owned by Open Text.