TD3 Forensic Imager

Introduction

The Tableau TD3 is a powerful and intuitive modular forensic imaging system that uses a touchscreen graphical user interface.

The TD3 provides many of the functions traditionally found in general purpose, IT-oriented hard disk duplicators while also providing features and functions that serve specialized needs of the digital computer forensic industry, including:

  • Sustained data transfer rates of up to 7.2 GB/minute, while performing calculations of MD5 and SHA-1 hash values, also known as fingerprints.
  • Native support for SATA, USB 3.0 and FireWire hard disks from the source interface.
  • Additional support for SAS and IDE hard disks using expansion modules.
  • Native support for connecting to network storage CIFS and iSCSI shares.
  • Network-based read only (write blocked) access to attached storage media.
  • Detailed log generation for case documentation.
  • Automatic blank checking of source and destination drives.
  • HPA and DCO support for the detection and handling of hidden/protected data areas on source drives.
  • Remote web based user interface.

The TD3 was designed as a flexible modular imaging system. As shown above, the TD3 can stand alone and interface with SATA, USB 3.0, and FireWire source disks, a SATA destination disk, and network shares.

You can also easily combine the TD3 with an Expansion Module and a TDS1 or TDS2 SATA Storage Module for additional capability. The TD3 is shown below connected directly to one of the Expansion Modules and the TDS2 SATA Storage Module.

TD3 Kit Contents

The TD3 ships in a boxed kit that includes the items shown in the picture.

Navigating the TD3

Use the TD3’s touchscreen display to navigate from module to module and choose or modify options. Use the touchscreen keyboard or a USB keyboard to enter alphanumeric text when prompted.

The Main Menu screen of the TD3 displays a sliding icon list for initiating the various functions:

  • Duplicate
  • Hash
  • Verify
  • HPA/DCO Disable
  • Blank Check
  • Format
  • Wipe
  • Logs
  • Settings

Reading the LEDs

On/Off indicator LED: The top of the TD3 has one light emitting diode (LED) indicating that the unit is turned on.

DC In LED: The back of the TD3, near the power connector, has one LED indicating that the power supply is plugged in.

Network Interface LED: The right side of the TD3, on the RJ-45 Ethernet connector, has two LEDs.

Interpreting Audio Feedback

The TD3 plays one of two sounds to alert you of the end of a disk operation. There is a chime to indicate successful completion of the operation, and a buzzer to indicate a failure to complete the operation. You can turn sounds off from the System Settings submenu in the Settings menu.

USB Keyboard Support

You can connect a standard USB keyboard to the USB port on the right side of the TD3. Using an external keyboard can be more convenient than entering data using the touchscreen keyboard on the TD3.

Startup Sequence

When you turn on the TD3 for the first time, an initialization screen displays for about 20 seconds, followed by a prompt to create an administrator password. The TD3 then loads the initial profile, detects any connected devices, and displays the Main Menu. The TD3 displays icons indicating connected devices, special settings, and warning messages about any detected faults.

Settings

The Settings module provides selections for configuring TD3 options:

  • System Settings: Changes the way the TD3 hardware is configured.
  • Enable iSCSI: Enables/disables the use of the iSCSI features.
  • iSCSI: Configures the iSCSI settings for the system (Source and Destination).
  • CIFS: Configures a Windows share as a destination drive.
  • Duplication Settings: Changes the duplication settings.
  • Duplicator Info: Displays information about the TD3 hardware and firmware.
  • Profile Management: Creates, edits, and deletes profiles.
  • Language: Changes the language used for displaying text on the TD3 LCD.

Duplication Settings

Duplication Settings provides options for the following.

  • Examiner: The name of the case examiner.
  • Case ID: The case ID number.
  • Case Notes: Miscellaneous information about the case or duplication process for future reference.
  • Duplication Type: Either Disk-to-File (imaging) or Disk-to-Disk (cloning) duplication. The default is Disk-to-File.
  • Destination Dir: The path on the destination disk for a disk-to-file duplication.
  • Image Dir Naming: The directory naming convention for a collection of disk-to-file duplications.

      o Date + Time: A time stamp identifies the directory. This is the default setting.
      o Serial Number: The serial number of the source disk identifies the directory.
      o Serial + Model Number: The model and serial number of the source disk identifies the directory.

  • Image File Naming: The file naming convention for a disk-to-file duplication.

      o Date + Time: A time stamp identifies the duplication. This is the default setting.
      o Serial Number: The serial number of the source disk identifies the duplication.
      o Serial + Model Number: The model and serial number of the source disk identifies the duplication.
      o User Defined: A predefined alphanumeric string identifies the duplication.

  • File Format: Choose the file format for a disk-to-file duplication.

      o DD – raw binary data: The source disk data is coded as an uncompressed bit-for-bit replica of the raw sector content.
      o E01 – EnCase format: The source disk data is coded as a legacy EnCase evidence file. This is the default setting.
      o Ex01 – EnCase 7 format: The source disk data is coded as an EnCase Version 7-compatible evidence file.

  • File Size: The source segment size for a series of image files in a disk-to-file duplication. The default setting is 2 GB.
  • Error Granularity: The granularity of failed reads. The default setting is Exhaustive, which attempts to recover data down to a single sector; otherwise, the TD3 only retries at a 64-sector resolution.
  • Error Retry: The number of times to retry a failed read. The default setting is Retry once.
  • Verification: Enables verification of the generated image. The default setting is Off.

Profile Management

Profile Management provides options for managing duplication profile information and privileges. You can configure each profile with default settings. The TD3 administrator can set a default profile. Profile Management includes the following options:

  • Change Current Profile: Tap to activate a duplication profile from the list of available profiles.
  • The factory default profile is Profile1. The default password for Profile1 is password.
  • Lock/Unlock Current Profile: Tap to lock or unlock the active profile using its password. You must unlock a profile before making changes to it.
  • Change Profile Password: Tap to change the active profile’s password. To change the password, enter the old password and the new password. Reenter the new password for confirmation.
  • Change Profile Lock Timeout: Tap to set the profile lock timeout period to 15 minutes, 30 minutes, 1 hour, or when changing the profile. This time period determines how long a profile remains unlocked before the TD3 automatically locks it. An unlocked profile can be changed by any user with physical access to the TD3.

Languages

You can configure the TD3 for the following languages:

  • English
  • Spanish
  • French
  • German
  • Brazilian Portuguese
  • Russian
  • Simplified Chinese

You can also enter information such as case notes, names, etc. in any of these languages, with the exception of Simplified Chinese. After you select a language, the TD3 restarts in that language. In the following example, Chinese was selected, displaying the Main Menu as follows:

Connecting Hard Disks

The following procedure provides the necessary steps for safely connecting hard disks to the TD3. This procedure applies to typical 3.5″ SATA and IDE hard disks.

To connect hard disks to the TD3:

  1. To connect the Tableau SATA Storage Module Disk Enclosure (TDS1 or TDS2) to the bottom of the TD3, slide the TD3 on top of the disk enclosure from left to right until it is securely connected. If you want two copies of the data, use two TDS2 SATA Disk Enclosures to allow for twinning mode.
  2. On the back of the TD3, connect the TP4 or TP5 power supply to the TD3 power input.
  3. Using the appropriate line cord, plug your TD3 into an AC power source. The green DC In LED on the back of the TD3 indicates that power is available at the power connector.
  4. Confirm that the TD3 power switch is off (the Power LED will be off).
  5. For a SATA source disk, connect the drive directly to the TD3 using the appropriate cable:
      o TC4-8-R2: SATA drive unified cable (connected to the SATA power port on the front edge).
  6. For an IDE hard disk, attach the TDPX5 expansion module to the left side of the TD3. Connect the source disk to the TDPX5 signal input using the appropriate cables:
      o TC6-8 IDE signal cable (connected to the TDPX5 IDE Expansion Module on the left side).
      o TC2-8-R2 hard disk power cable (connected to the power connector on the left side of the TDPX5 IDE Expansion Module).
  7. Turn on the TD3 by pressing the TD3 power switch located on the front of the unit to the lower left. The green Power LED indicates that the duplicator is turned on.

Note: When connecting an IDE source disk to the TD3, always connect the blue end of the IDE cable (TC6-2 or TC6-8) to the TD3, and the black end to the hard disk. If using a cable not supplied by Tableau, ensure that the colored stripe on the cable aligns with Pin #1 on the hard disk. Failure to do so can result in unreliable communication between the hard disk and the TD3.

Connecting Notebook Hard Disks

To connect a 1.8″ or 2.5″ notebook hard disk, use the TC6-2 IDE signal cable in conjunction with one of the following notebook adapters:

  • TDA5-18 1.8″ notebook adapter
  • TDA5-25 2.5″ notebook adapter
  • TDA5-ZIF 1.8″ ZIF adapter and cables
  • TC20-3-2 ZIF cable for 0.2mm ZIF connectors
  • TC20-3-3 ZIF cable for 0.3mm ZIF connectors

Note: Use only the shorter TC6-2 (2″) IDE cable when connecting a notebook drive adapter to the TD3. Do not use the longer TC6-8 (8″) IDE cable with notebook drive adapters. ZIF drives and some notebook drives require a very short data path between the drive and the controller, so using anything except the 2″ cable can result in unreliable communication between the disk drive and the TD3.

Drive Detection

After initialization, the TD3 begins drive detection. Icons display on the left and right sides of the Main Menu, indicating the types of source and destination drives that have been recognized. Source drives are shown on the left side of the screen and destination drives on the right. Depending on the type of operation, you must select a source or destination drive before the operation can be performed. Operations that require a source drive require that a single source be selected if more than one source drive is present. Similarly, operations that require a destination require that a single destination be selected if more than one destination is available. If there is only one source or destination, it is automatically selected and used.

Tapping a drive icon on the left (source) or right (destination) of the Main Menu displays additional information about the drives connected:

If the iSCSI Enabled switch in Settings has been set to ON, eligible disks have the option to Export as an iSCSI target. One source and one destination may be exported as an iSCSI target, allowing a remote computer to connect to either drive over iSCSI.

If a disk supports SMART information, the bottom of the Disk Info screen provides a View SMART Report button:

Tapping the View SMART Report Button brings up the disk’s SMART Info for examination:

Tap the Save button to copy this information to the log.

Duplicate

The source drive will be copied to both SATA drives in the TDS2 enclosures. Both destination drives can then be used on separate machines and the resulting images (not necessarily disks) will have identical hashes. In cases where drives do not have matching storage capacities, the smaller drive will limit the amount of data that can be copied. A format must be done before a disk can be duplicated to the destination disk set.

Format

Both drives will be formatted at the same time and the maximum size will be dependent on the smaller drive. For example, if you run format on a 1000GB and 500GB drive, each drive will have one 500GB partition. The 1000GB drive would then be left with 500GB of unused space. Additionally, the format operation puts a special file on each disk to associate them as a disk set for duplication.

Wipe

The TD3 can wipe both drives. It wipes them one at a time.

Duplicating

The TD3 duplicates hard disks by either cloning or imaging them.

Disk-to-File/Imaging

Imaging, also known as disk-to-file duplication, is the process of copying a source disk to a series of files on a destination disk. The TD3 supports e01, ex01, and RAW/DD for disk-to-file imaging, with compression enabled on e01 and ex01.

If the destination disk is smaller than the source, a RAW/DD image will not fit on the destination drive. However, if using e01 or ex01, the source disk may fit on a smaller disk because these formats compress the data before writing to the destination disk. There is no guarantee that the data will be compressed enough to fit on a smaller destination drive. Use extreme caution when attempting to copy a source disk to a smaller destination disk.

Disk-To-Disk/Cloning

During disk-to-disk duplication, the contents of the subject disk are copied to the destination, sector-for-sector. If a destination disk is not blank, the TD3 prompts for confirmation to overwrite the contents of the destination disk. This reduces the risk of overwriting valuable data. The following steps describe how to perform a disk-to-disk duplication.

  1. Follow the steps listed in Connecting Hard Disks and turn on the TD3. If you want two copies of the disk, you must connect two TDS2 SATA Disk Enclosures to the TD3.
  2. From the Main Menu screen, tap Duplicate. The Duplicate screen displays.
  3. Tap the Settings button. The Duplication Settings screen displays.
  4. Specify the following:
      o Examiner
      o Case ID
      o Case Notes
      o Duplication Type = Disk-to-Disk
      o Destination Dir
      o Image Dir Naming
      o Image File Naming
      o File Format
      o File Size
      o Error Granularity
      o Error Retry
      o Verification
  5. Tap the Back button. The Duplicate screen displays.
  6. Tap the Duplicate button. The duplication Status screen displays and imaging begins. To abort the process, press the Cancel button.
  7. When disk duplication is complete, tap the View Log button to Print or Erase the log.

Disk-To-File Duplication/Imaging

During disk-to-file duplication, the contents of the source disk are copied to the destination disk. This process creates a set of files (e01, ex01, or RAW/DD) on the destination disk that you can examine on a host computer.

If you format a destination disk with a supported filesystem, the TD3 uses that filesystem. Otherwise you must format the destination disk before beginning the duplication process. To perform disk-to-file duplication:

  1. Follow the steps listed in Connecting Hard Disks and turn on the TD3. If you want two copies of the image and two TDS2 SATA Disk Enclosures are connected to the TD3, the TDS2 disk set must be formatted together on the TD3.
  2. From the Main Menu screen, tap Duplicate. The Duplicate screen displays.
  3. Tap the Settings button. The Duplication Settings screen displays.
  4. Specify the following:
      o Examiner
      o Case ID
      o Case Notes
      o Duplication Type = Disk-to-File
      o Destination
      o Destination Dir(ectory)
      o Image Dir Naming
      o Image File Naming
      o File Format
      o File Size
      o Error Granularity
      o Error Retry
      o Verification
  5. Tap the Back button. The Duplicate screen displays.
  6. Tap the Duplicate button. The Duplication Status screen displays and imaging begins. To abort the process, press the Cancel button.
  7. When disk duplication is complete, tap the View Log button to Print or Erase the log.

Files Created During Disk-to-File Duplication

When performing disk-to-file duplication or imaging, the TD3 creates files on the destination hard disk that contain the data copied from the source hard disk. Each of these files is called a segment.

Segments are written to the destination disk according to the following convention:

(root dir)/
    [directory name]/
        [filename].E01
        [filename].E02
        …
        [filename].E99
        yyyy-mm-dd hh-mm-ss_nnnnn_TTTTT.LOG

[directory name] is the name generated by the TD3 for each separate acquisition.

The [directory name] can be auto-generated by the TD3 or you can enter it yourself. Autogenerated names can be based on the date/time, the serial number of the source device, or the model and serial number of the source device. The [filename] can also be autogenerated, or you can choose to set it to a constant value.

[filename].001 is the first segment or portion of the data copied from the source disk. The segment size is a user-settable option and may also be specified in the Settings > Duplication Settings > File Size screen.

When creating a DD image, you can also specify .DMG naming for segments. A DMG file extension can be specified by selecting Main Menu > Settings > Duplication Settings > File Extension Setting. .DMG refers to a file naming convention used by Apple operating systems.

If the .DMG naming option is selected, the first segment is named [filename].DMG instead of [filename].001. All other segments have standard segment names (for example, [filename].002, [filename].003, and so on).

A .LOG file is generated by the TD3 for each disk-to-file acquisition. yyyy-mm-dd hh-mm-ss is the duplication task start date/time. The next five characters – nnnnn – are generated from the internal log ID number assigned to the log by the TD3. The TTTTT in the filename refers to the type of task as listed in the following table.

Entry/Task Label    Type of Log Entry/Task
Clone               Disk-to-Disk Duplication
Image               Disk-to-File Duplication
Verify              Verify Disk Image
Format              Disk Formatting (destination only)
Hash                Disk Hashing (source only)
Wipe                Disk Wiping (destination only)
Smart               SMART Report for Disk
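
The segment and log naming conventions described above can be checked on a host computer before a DD image is relied on. The following is an added example, not Tableau code: it parses a log file name, puts the DD segments in order (treating .DMG as the first segment), refuses a set with a missing segment, and recomputes MD5 and SHA-1 over the whole image for comparison with the values in the TD3 log. It assumes the five-character log ID is alphanumeric and that the task label may appear in any letter case; the function names are hypothetical.

```python
import hashlib
import re
from datetime import datetime
from pathlib import Path

# Task labels from the table above; case-insensitive matching is an assumption.
TASK_LABELS = {"clone", "image", "verify", "format", "hash", "wipe", "smart"}
LOG_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}-\d{2}-\d{2})_([0-9A-Za-z]{5})_([A-Za-z]+)\.log$",
    re.IGNORECASE)


def parse_log_name(name):
    """Split 'yyyy-mm-dd hh-mm-ss_nnnnn_TTTTT.LOG' into (start, log_id, task)."""
    m = LOG_RE.match(name)
    if not m or m.group(3).lower() not in TASK_LABELS:
        raise ValueError(f"not a recognised log name: {name!r}")
    start = datetime.strptime(m.group(1), "%Y-%m-%d %H-%M-%S")
    return start, m.group(2), m.group(3).lower()


def ordered_dd_segments(acq_dir, filename):
    """Return DD segments in write order (.001 or .DMG first, then .002, ...).

    Raises ValueError on a gap or a duplicated first segment, either of
    which would make the recomputed hash meaningless.
    """
    found = {}
    for path in Path(acq_dir).iterdir():
        ext = path.suffix[1:]
        if path.stem != filename:
            continue
        if ext.upper() == "DMG":
            index = 1
        elif len(ext) == 3 and ext.isdigit() and ext != "000":
            index = int(ext)
        else:
            continue  # the .LOG file and anything unrelated
        if index in found:
            raise ValueError(f"duplicate segment {index}: {path.name}")
        found[index] = path
    missing = sorted(set(range(1, max(found, default=0) + 1)) - set(found))
    if not found or missing:
        raise ValueError(f"incomplete segment set, missing: {missing or 'all'}")
    return [found[i] for i in sorted(found)]


def hash_dd_image(segments, chunk_size=1 << 20):
    """MD5 and SHA-1 over the segments concatenated in order."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for segment in segments:
        with open(segment, "rb") as handle:
            while block := handle.read(chunk_size):
                md5.update(block)
                sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()
```

This applies to DD images only, where the segments concatenate to the raw sector data; E01 and Ex01 files are containers and must be verified with a tool that understands those formats.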
