OpenText Tableau Forensic TX1 Imager
The Information Company 161
There are three encryption related lines in a log for each drive that was part of the job, as
follows:
• Opal Encryption: This section of the log has two sub-fields: Supported (Yes/No)
and Locked (Yes/No).
• Tableau Encrypted: This field identifies if the drive has been encrypted by TX1. The
options for this field are: No, Locked, and Unlocked.
• Whole disk encryption: This field will be populated with the specific type of third-
party whole disk encryption that TX1 was able to detect. The options for this field are:
None detected, BitLocker, BitLocker To Go, Symantec PGP Disk, LUKS,
BestCrypt, McAfee Drive Encryption (SafeBoot), Sophos Safeguard, Winmagic
SecureDoc, GuardianEdge Encryption, Symantec Endpoint Encryption, and
FileVault 2. Note that FileVault 2 cannot be conclusively detected using standard
signature inspection, but the existence of Core Storage can be detected. TX1
indicates that FileVault 2 encryption is possible when a Core Storage partition is
detected.
Note that partition information is also provided in the logs, including Partition Encryption
status (type, if present, or None detected).
If TX1 detects any bad sectors on the source drive, it adds a section at the end of the job
log. This additional section lists the sector address and the number of sectors of each
unreadable region of the source drive. As an example, the following forensic log read
error entry means that an error was encountered in at least one of the 64 sectors starting
at sector offset 234,567: Error # 1: Read error (source), address=234567,
length=64
Note: The default error granularity setting is Standard, which will result in a minimum
chunk of 32kB of source data (64 sectors for a 512B sector drive) that will get skipped
and filled with zeros upon completion of the attempted reads (assuming no reads were
successful). If this condition is encountered, consider changing the error granularity
setting to be Exhaustive, which will result in repeated read attempts of the error region
with decreasing sector sizes. This will maximize the amount of recoverable data and
minimize the sectors that get skipped and filled with zeros.
If error retries are enabled and TX1 is able to successfully read sector data after an initial
read error is encountered, the Total recoverable errors count shown in the Duplication
Results area will reflect the number of original read errors encountered. The Total
unrecoverable errors count will reflect read errors for which no retry attempts were
successful.
It is a best practice to export and delete logs from TX1 after each case. TX1 will store 100
logs before overwriting logs (starting with the oldest log). A warning will be provided
before any logs are overwritten. Once a log is deleted or overwritten, the data is
unrecoverable.
Copyright © 2022 Open Text. All rights reserved. Trademarks owned by Open Text.
To Next Page
Loading...