OpenText Tableau Forensic TX1 Imager
The Information Company 49
Whether dealing with APFS, BitLocker, or Opal encryption on a given drive/volume, the
same Encryption Unlock media utility is used to unlock it. A pulldown field at the top of
the Encryption Unlock screen lists all the detected encrypted types on a given drive,
whether they be at the whole disk or volume level. Simply select the encrypted entity you
want to unlock, enter the password (or BitLocker recovery key), and then tap the Unlock
button to begin the encryption unlocking process. If successful, the progress bar will turn
green. Close the Encryption Unlock screen to access the other TX1 functions with the
now unlocked drive/volume. Once unlocked, each drive/volume can be used with any
supported operations including browsing, imaging (physical or logical), and any
applicable media utilities.
While unlocking APFS, BitLocker, and Opal encryption is simple and done using the
same Encryption Unlock media utility, there are some notable differences in how TX1
handles these types of encryption that warrant special consideration, as covered in the
sub-sections below.
3.3.5.1 Opal encryption
Opal Self Encrypting Drives (SEDs) that have had their encryption enabled in a Linux
environment can be unlocked by TX1, as described in the beginning of Encryption unlock
above. The presence of Opal encryption is noted in any area of the user interface that
shows information about the attached drive, including drive tiles (which show in
numerous locations), the Drive Details screen, and the Content Breakdown screen.
A locked Opal drive exposes no useful forensic information to TX1. The only options
available for such media are ejection and unlocking. An unlocked Opal drive will appear
as an unencrypted drive to the system and be usable for all supported forensic functions.
Note: The Opal standard does not specify an algorithm for generating a lock key from a
plain text password. TX1 uses the Linux SEDUTIL function to report information about
Opal drives and unlock them. This function uses an Opal-specific key generation
algorithm as defined by the Trusted Computing Group. Other systems exist for enabling
encryption on Opal drives (for example, BitLocker) which may employ a key derivation
algorithm other than what the SEDUTIL function uses. Attempting to use a known
password for such drives using TX1 will result in failed unlock attempts. Please contact
OpenText Customer Support if you suspect you have run into such a situation.
3.3.5.2 BitLocker encryption
Drives and partitions that are encrypted with Microsoft BitLocker can be unlocked by TX1,
as described in the beginning ofEncryption unlock above. The presence of BitLocker
encryption is noted in any area of the user interface that shows information about the
attached drive and/or partitions on the drive. This includes drive tiles (shown in the
Source and Destination drive lists, among other locations), partition tiles (which show
whenever a filesystem is being selected for an operation), the Drive Details screen, and
the Content Breakdown screen.
Note: It is possible for BitLocker drives to have been originally encrypted and secured in
a manner that TX1 will not be able to unlock/unencrypt. In particular, Smart Card and
Copyright © 2022 Open Text. All rights reserved. Trademarks owned by Open Text.
To Next Page
Loading...