OPENTEXT Tableau TX1 - Disabling drive capacity limiting configurations

To Next Page

To Previous Page

OpenText Tableau Forensic TX1 Imager

The Information Company 51

APFS

Bitlocker

Opal

Tableau

Operation

Locked

Unlocked

Locked

Unlocked

Locked

Unlocked

Locked

Unlocked

Physical

Image/

Clone

(Source)

Full drive

will be

imaged/

cloned;

encrypted

state

Full drive

will be

imaged/

cloned;

encrypted

state

Full drive

will be

imaged/

cloned;

encrypted

state

Full drive

will be

imaged/

cloned;

encrypted

state

n/a (no

reads

possible)

Full drive

will be

imaged/

cloned;

unencrypt-

ed state

Full drive

will be

imaged/

cloned;

encrypted

state

Only the

unlocked

encryption

container

contents

will be

imaged/

cloned;

unencrypt-

ed state

Wipe (Dest)

Clears

drive

starting at

sector/

block 0

Clears

drive

starting at

sector/

block 0

Clears

drive

starting at

sector/

block 0

Clears

drive

starting at

sector/

block 0

n/a (no

writes

possible)

Clears

drive

starting at

sector/

block 0

Clears

drive

starting at

sector/

block 0

Clears only

the

unlocked

encryption

container

leaving

encryption

intact

Format

(Dest)

n/a (no

APFS

support

destina-

tion)

n/a (no

APFS

support on

destination)

Will

overwrite

existing

format-

ting,

including

BitLocker

Will

overwrite

existing

formatting,

including

BitLocker

n/a (no

writes

possible)

Formats

drive

starting at

sector/

block 0

Not

allowed

Formats

unlocked

encryption

container

only leaving

encryption

intact

Blank check

(Source/

Dest)

Checks

full drive

starting at

sector/

block 0

Checks full

drive

starting at

sector/

block 0

Checks full

drive

starting at

sector/

block 0

Checks full

drive

starting at

sector/

block 0

n/a (no

reads

possible)

Checks full

drive

starting at

sector/

block 0

Not

allowed

Checks

contents of

unlocked

encryption

container

only

3.3.6 Disabling drive capacity limiting configurations

In the past, the most common method of intentionally limiting the reported capacity of a

drive was by using the ATA HPA (host protected area) or DCO (device configuration

overlay) feature sets. Starting with the ACS-3 (ATA/ATAPI Command Set 3) specification

update, the concept of Addressable Maximum Address (AMA) was introduced. Newer

drives may support this method of limiting the reported drive capacity. TX1 supports all

these methods with automated detection, identification, and notification that will make

dealing with them seamless and easy. From a forensic point of view, it is valuable to

know if HPA, DCO, or AMA are in use. With that knowledge, the forensic practitioner can

make an informed decision about whether or not to acquire data in the hidden regions of

the drive.

Note that these methods (HPA/DCO and AMA) are mutually exclusive. A drive that

supports HPA/DCO will not support AMA, and a drive that supports AMA will not support

HPA/DCO. Also, while HPA and DCO are related features for a given drive, HPA has a

unique attribute (volatile, or temporary, removal) that distinguishes it from DCO and AMA.

For that reason, this section will cover volatile HPA removal as a separate topic before

addressing non-volatile (permanent) removal of HPA/DCO or AMA.

Main Page

OPENTEXT Tableau TX1 - Disabling drive capacity limiting configurations

Table of Contents