Tableau Forensic Duplicator User Guide Version 4.01 TD2 Copyright© 2016 Guidance Software, Inc. All rights reserved. EnCase®, EnScript®, Tableau®, FastBloc®, Guidance Software® and EnCE® are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners. Products and corporate names appearing in this work may or may not be registered trademarks or copyrights of their respective companies, and are used only for identification or explanation into the owners' benefit, without intent to infringe. Any use and duplication of this work is subject to the terms of the license agreement between you and Guidance Software, Inc. Except as stated in the license agreement or as otherwise permitted under Sections 107 or 108 of the 1976 United States Copyright Act, no part of this work may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise. Product manuals and documentation are specific to the software versions for which they are written. For previous or outdated versions of this work, please contact Guidance Software, Inc. at http://www.guidancesoftware.com. Information contained in this work is furnished for informational use only, and is subject to change at any time without notice. CONTENTS Preface 3 About this Guide ....................................................................................................... 3 Conventions Used in this Guide .............................................................................. 3 Disk Capacity and Transfer Rate Measurement Conventions .......................... 3 Overview 1 Tableau TD2 ............................................................................................................... 2 TD2 Kit Contents ........................................................................................................ 2 Navigating the TD2 ................................................................................................... 4 Reading the LEDs ...................................................................................................... 6 USB Keyboard Support ............................................................................................. 6 LCD Contrast ............................................................................................................. 7 Setting up the TD2 9 Startup Sequence ...................................................................................................10 Initialization ..............................................................................................................10 Configuring the TD2 ................................................................................................10 User-Selected Startup Mode .................................................................................11 Setup (Menu 9) .......................................................................................................11 System Options (Menu 9.1) .......................................................................................... 11 Imaging Options (Menu 9.2) ........................................................................................ 12 TD2 Info (Menu 9.3) .......................................................................................................15 Factory Reset (Menu 9.4) ............................................................................................. 15 Connecting Hard Disks ..........................................................................................16 Connecting Notebook Hard Disks ..............................................................................17 Drive Detection .......................................................................................................17 Using the TD2 19 Overview ..................................................................................................................20 TD2 Menus and Options ............................................................................................... 20 Duplicate Disk (Menu 1) ........................................................................................22 Disk-to-Disk/Cloning (Menu 1.1) ..................................................................................22 Disk-to-File/Imaging (Menu 1.2) ..................................................................................24 Preconditions Checking ........................................................................................28 Format Disk (Menu 2) .............................................................................................31 Format Dest (Menu 2.1) ................................................................................................ 31 Format USB (Menu 2.2) .................................................................................................33 Wipe Disk (Menu 3) .................................................................................................33 One Pass Write (Menu 3.1) ........................................................................................... 33 Multi Pass Write (Menu 3.2) .......................................................................................... 33 Hash Utilities (Menu 4) ............................................................................................34 Blank Check (Menu 5) ...........................................................................................34 Disk Information (Menu 6) .....................................................................................35 Disk Utilities (Menu 7) ..............................................................................................36 Removal of DCO and HPA Regions ...........................................................................36 Dest Free Space (Menu 7.3) ........................................................................................ 36 Status Information ...................................................................................................37 Logs (Menu 8) ..........................................................................................................37 View Logs (Menu 8.1) ...................................................................................................38 Sample TD2 Log .............................................................................................................39 Save All Logs (Menu 8.2) .............................................................................................. 41 Print All Logs (Menu 8.3) ............................................................................................... 42 Erase Logs (Menu 8.4) ...................................................................................................42 Resetting and Clearing Internally Stored Information ......................................42 Troubleshooting and Support 45 Troubleshooting Common Problems ...................................................................46 Power Supply Issues ......................................................................................................46 Problems with Disk Detection ...................................................................................... 46 Replacing the Backup Battery for the Real-time Clock ..........................................47 Support .....................................................................................................................51 Overview ........................................................................................................................ 51 Find Support Online ......................................................................................................51 Contact Guidance Software ...................................................................................... 54 Index 57 PREFACE About this Guide This guide presents a wide range of technical information and procedures for using the TD2. It is divided into the following chapters. Overview: Provides general information about the TD2 as well as unpacking, starting up, and navigating the TD2's menus and LEDs. Setting up the TD2: Provides system overview information about the TD2 as well as procedures for configuring and connecting the TD2. Using the TD2: Provides detailed information and procedures for using the TD2. Troubleshooting and Support: Provides a brief list of potential problems and solutions. For more complete and current troubleshooting information as well as answers to frequently asked questions (FAQ), visit the Tableau web site at www.tableau.com. Conventions Used in this Guide The TD2 has two soft keys placed immediately under the LCD display. The bottom line of the LCD displays text indicating the current function for each of the two soft keys. In this guide, soft key labels are indicated with square brackets. For example, [Select] indicates that Select is displayed above a soft key on the LCD. Disk Capacity and Transfer Rate Measurement Conventions The computer industry generally adheres to two different conventions for the definitions of the terms megabyte (MB) and gigabyte (GB). For computer RAM, 1 MB is defined as 220 = 1,048,576 bytes and 1 GB is defined as 230 = 1,073,741,824 bytes. For disk storage, 1 MB is defined as 106 = 1,000,000 bytes and 1 GB is defined as 109 = 1,000,000,000 bytes. These two conventions are known as powers of two and powers of ten respectively. Microsoft deviates from the hard disk capacity measurement convention and uses the powers of two convention for its operating systems. Tableau reports disk capacities and transfer rates according to the industry standard powers of ten convention. In TD3 screens, reports, and documentation, a 4 GB hard disk stores up to 4,000,000,000 bytes; a hard disk with a 150 MB/sec transfer rate transfers 150,000,000 bytes per second. Chapter 1 OVERVIEW In This Chapter Tableau TD2 TD2 Kit Contents Navigating the TD2 Reading the LEDs USB Keyboard Support LCD Contrast 2 Tableau TD 2 Versio n 4 .0 1 User's Guide Tableau TD2 The Tableau TD2 is a forensic 1:2 duplicator. It has many of the functions traditionally found in general-purpose, IT-oriented hard disk duplicators and provides features and functions that serve the specialized needs of forensic practice, including: Sustained data transfer rates of up to 9 GB/minute, while performing calculations of MD5 and SHA-1 hash values, also known as fingerprints. Native support for SATA and IDE hard disks from the source interface. Parallel duplication, or twinning, to two destination interfaces for SATA hard disks. Detailed log generation for case documentation. Automatic blank checking of source and destination drives. HPA and DCO support for the detection and handling of hidden/protected data areas on source and destination drives. TD2 Kit Contents The TD2 ships in a boxed kit that includes the following. Item Model # TD2 Description TD2 Forensic 1:2 Duplicator TP4-NC High-output power supply. The TP4 provides enough power to supply the TD2 and most common combinations of source and destination hard disks. The TP4 uses a universal 2-pin AC line cord and is compatible with 110240VAC line voltages worldwide. TP4-LC-US North America shipments include the TP4-LC-US AC line cord for use with the TP4-NC power supply. When shipped to other geographic markets, the local reseller typically adds an AC line cord which is appropriate for the local market. Ov erv iew Item Model # TC2-8-R2 Description Hard disk power cable to connect IDE and some legacy-style SATA hard disks to the TD2 (3M to Molex). TC3-8 SATA signal cable to connect SATA hard disks to the TD2. TC4-8-R2 SATA/SAS power/signal cable to SAS signal and 3M power (2 pieces). This unified cable connects power and signal connectors current hard disks. TC5-8-R2 Hard disk power cable to connect 15-pin SATA power connectors to the TD2 (SATA to 3M). TC6-8 IDE signal cable to connect IDE hard disks to the TD2. Do not use the TC6-8 IDE cable to connect notebook drive adapters to the TD2. Use the shorter TC6-2 IDE cable shown with the TKA5-AD adapter pack below. TC7-6-6 6-pin FireWire/1394 signal cable. Used to connect the TD2 to a host computer for firmware updates. 3 4 Tableau TD 2 Versio n 4 .0 1 User's Guide Item Model # TKA5-AD Description Adapter pack for notebook hard disks. Includes TC6-2, TDA3-1, TDA5-18, TDA5-25, and TDA5-ZIF w/TC20-BN TQS-TD2 Quick Start card for TD2 kit. Do not discard the foam packaging. It is designed to fit several industry-standard hard-sided carrying cases. If you received the TD2 kit in the cardboard box shipped by Tableau, you can buy a hard-sided case and reuse the foam insert directly in that case. Navigating the TD2 When using the TD2, you may be prompted to enter certain information into the display. Use the up/down/left/right arrow keys and the center button to select values. Ov erv iew 5 While you are entering information, the TD2 displays two soft key functions at the bottom of the LCD display. The soft keys perform major actions such as selecting a task, canceling a function, or moving between different display screens. Use the arrow keypad to navigate within a given screen/menu. The function of the soft keys depends on the current context. The soft keys might have functions such as [Back] and [Next], as they do during the Configuration Wizard. The soft keys might also serve to select items like [Cancel] and [Ok]. The center button on the arrow keypad also serves as a [Select] button when navigating among TD2 menus. However, it cannot be used to start major tasks, such as duplication or disk wiping. Only soft keys labeled [Select] or [Start] initiate major tasks. Vertical Arrow Keys scroll up or down and highlight menu items for selection. Horizontal Arrow Keys scroll left or right and toggle between character lists. In the upper left corner of the Main menu, the TD2 displays the date and time. As you navigate the TD2’s menu structure, date/time is replaced by the menu item number. For example, the Duplicate Disk menu is Menu 1, the Disk-to-Disk menu is Menu 1.1, and the Disk-to-File menu is Menu 1.2. These menu numbers help you navigate the menu hierarchy. The TD2 is shipped with a Quick Start card that illustrates the layout of the display, buttons, connectors, and switches on the TD2. Keep the Quick Start card with the TD2 as you familiarize yourself with its operation. 6 Tableau TD 2 Versio n 4 .0 1 User's Guide Reading the LEDs The front of the TD2 has seven light emitting diodes (LEDs). An eighth is located on the rear edge of the TD2, near the power connector. The SATA Source and IDE Source LEDs indicate that the source drive is connected to the left side of the TD2. The Destination 1 and Destination 2 LEDs indicate that the destination drives are connected to the right side. A yellow Alert LED on the right flashes to indicate the need for user intervention. USB Keyboard Support You can connect a standard USB keyboard to either of the USB ports on the front of the TD2. Using a keyboard is often more convenient than entering data using the arrow keypad on the TD2. When using a USB keyboard the Enter key on the keyboard generally corresponds to the right soft key on the TD2. The Esc (escape) key on the keyboard generally corresponds to the left soft key. If your keyboard has arrow keys or a mouse-like input device, the up and down arrows (or mouse actions) generally correspond to the up and down (vertical) arrows on the TD2. Ov erv iew LCD Contrast The following picture illustrates the front edge of the TD2. Adjust the contrast of the TD2 LCD display by using a small Phillips screwdriver to rotate the contrast control located on the front of your TD2. 7 CHAPTER 2 SETTING UP THE TD2 In This Chapter Startup Sequence Initialization Configuring the TD2 User-Selected Startup Mode Setup (Menu 9) Connecting Hard Disks Drive Detection 10 Tableau TD 2 Versio n 4 .0 1 User's Guide Startup Sequence The TD2 is optimized for the needs of forensic practitioners and computer forensic processes. The following flowchart illustrates what happens when you turn ON the TD2. Initialization After you turn ON the TD2, it runs a six-second initialization and self-test procedure while it displays the copyright notice. An LED check is then conducted so you can verify that all of the LEDs are functioning. When initialization is complete, the TD2 displays warning messages about any detected faults. Configuring the TD2 The TD2 comes ready to be connected to the TP4 power supply and turned ON. After running a six-second initialization and self-test procedure, the TD2 runs the Configuration Wizard. The Configuration Wizard prompts you for the default username, current date/time, and preferred startup mode. The TD2 stores these settings in non-volatile flash memory for use at each startup. Setting up the TD 2 11 The startup mode feature lets you customize the TD2 for a specific workflow. The Startup Mode setting provides the following options. Disk-to-Disk (cloning) for disk cloning Disk-to-File (imaging) for disk imaging Main menu You can configure the startup mode and other settings any time from the Setup menu (Menu 9.4). Once you have configured your TD2, the startup sequence bypasses the Configuration Wizard unless you have used Factory Reset (Menu 9.7) in the Setup menu. User-Selected Startup Mode If you use the TD2 for duplication only, you can customize the startup mode for disk duplication. In the Startup menu, you can change the default startup target of the TD2 from the Main menu to either Disk-to-Disk or Disk-to-File duplication. Setup (Menu 9) The Setup menu provides options for setting TD2 options, defaults, and the current date/time. The Setup menu also provides options for viewing TD2 information and current status. System Options (Menu 9.1) The following table lists additional options and values you can set in System Options. Option Choices Default Description Specifies the TD2 startup mode as: Disk Disk = Disk-to-Disk duplication Startup File Disk File = Disk-to-File duplication Main Menu Main Menu = Main Menu 12 Tableau TD 2 Versio n 4 .0 1 User's Guide Option Examiner Name Choices [Alphanumeric] Default NA Description The Examiner Name option lets you set or change the name of the examiner or user of the TD2. This information appears in each log recorded by the TD2. Alphabetic names can be entered using upper and lowercase letters and spaces. The square brackets in the screen indicate the selected data entry mode: enter an upper case character, enter a lower case character, enter a space (spc), or delete a character (del). The up and down arrows select the desired alphabetic character. The center button on the arrow keypad enters a letter or selects the delete function. Once you have set the desired name, press the [Save] soft key to record your changes. The Date and Time option lets you set or change the time stored by the real time clock in the TD2. Date and Time [Numeric] NA Language NA NA Finished Alert The square brackets in the screen indicate the currently selected field. Use the left and right arrow keys to select the desired field. Use the up and down arrow keys to change the value in each field. Once you have set the desired date and time, press the [Save] soft key to record your changes. Currently, TD2 only supports English. When On, the TD2 flashes the yellow Alert LED at the end of a normal/successful acquisition/task. On On Off When Off, the TD2 flashes the yellow Alert LED only if there is an unusual condition or error. Imaging Options (Menu 9.2) Imaging Options lets you specify the duplicator startup mode and other options related to disk duplication. The following table lists the options and values you can set for each option. Setting up the TD 2 Option ImgType Choices EnCase .e01 Default Raw/DD Description Specifies whether the Disk-to-File operation creates an EnCase e01 file, a Raw/DD file, or if the user should be prompted at execution time. Off Specifies if the image type should be displayed. 4 GB Segment size affects the size of file segments written when performing Disk-to-File (imaging) operations. No Specifies whether you will be prompted to enter/override the default directory name in a Disk-toFile acquisition. Date+Time Specifies the default format for the name of the directory assigned for each acquisition. Raw/DD Prompt Show ImgType On Off File Size 4 GB 2 GB 1 GB 700 MB Dir Prompt Yes No Dir Name Date+Time Serial Number Model+Serial Num File Prompt Yes Date+time generates a directory name of the form yyyy-mm-dd hhmm-ss corresponding to the date/time at which the duplication started. No Specifies whether you will be prompted to enter/override the default filename for each segment file in a Disk-to-File acquisition. Default Specifies the file naming convention used firing Disk-to-File duplication. In default mode, the first segment is named IMAGE001. In DMG mode, the first chunk is named IMGE.DMG. Prompt When set to Prompt, the TD2 prompts you to enter a Case ID. No File Ext Default DMG Case ID Prompt Skip When set to Skip, the Case ID is suppressed in subsequent TD2 logs. 13 14 Tableau TD 2 Versio n 4 .0 1 User's Guide Option Case Note Choices Prompt Default Prompt Description When set to Prompt, the TD2 prompts you to enter Case Notes. Skip When set to skip, the Case Notes are suppressed in subsequent TD2 logs. Err Recov Fast Complete The TD2 supports two different error recovery modes: fast and complete. 100 Specifies the maximum number of errors allowed on the source drive. On Specifies whether the TD2 verifies the data written to the destination disk by calculating the MD5 and SHA-1 hash values. If set to On, the TD2 calculates the hash on the destination drive after the cloning/imaging process completes, and then compare the hash values to the values calculated at the time of imaging. Complete Err Limit No Limit 1000 100 One Zero Verify Hash On Off Note: Verification can take as long as the cloning/imaging process because all of the data on the destination disk must be re-read to calculate the hash. When duplicating to a twinned pair of disks, this process requires more time; destination disks are verified one at a time. Restore Defaults Yes No NA Selecting this option automatically restores all Options to the settings shown in the Default column in this table. There is also a Restore Options selection under Imaging Options. Selecting this option automatically restores all Options to the settings shown in the Default column in the preceding table. Setting up the TD 2 15 Error Recovery Modes The TD2 supports two different error recovery modes, Complete and Fast. Both modes refer to the way in which the TD2 recovers from read errors on the source hard disk. The Complete error recovery mode is the default and more exhaustive of the two. When the TD2 detects a read fault in Complete mode, it begins a retry strategy that attempts to read each sector in the 64-sector block that contains the error. Complete mode therefore produces the most complete destination image. However, the exhaustive strategy used by the TD2 can also be timeconsuming, if the source drive has many read faults. The Fast error recovery mode is intended for use with drives that have a high number of read faults. When in Fast mode, the TD2 treats the source drive as a series of 64-sector blocks (32,768byte blocks). An error in any 64-sector block causes the entire block to be treated as an error. This allows the TD2 to move quickly through a drive with many read faults, but at the loss of some potentially readable sectors near each fault. In both error recovery modes, the TD2 handles unreadable sectors in the same way. When the TD2 has determined that a sector cannot be read from the source drive, it fills in the missing data with zeros on the destination drive. Zero data inserted in this way is also included by the TD2 when calculating the MD5 and SHA1 hashes for the duplication. The TD2 treats all media errors on a destination disk as fatal or unrecoverable errors because each destination disk is receiving a copy of evidence critical to a forensic examination. It is not recommended to store data to a destination disk with known defects. TD2 Info (Menu 9.3) Selecting the TD2 Info option displays selected information for the TD2 itself, as shown in the following table. Legend S/N Example Value 01d1000c Description The TD2 serial number. FWVersion 1.20 The TD2 firmware release. FWDate Oct 10 2008 The build date for the TD2 firmware release. FWTime 09:05:46 The build time for the TD2 firmware release. Factory Reset (Menu 9.4) The Factory Reset option resets all TD2 configuration settings and defaults to the factory state. Factory Reset also does a physical erase of all logs stored in TD2 flash. After performing a Factory Reset the TD2 retains no user-specific or case-specific information. The only setting not cleared by a Factory Reset is the current date and time. Internally Stored Information provides additional information regarding data stored in non-volatile memory by the TD2. 16 Tableau TD 2 Versio n 4 .0 1 User's Guide Connecting Hard Disks Looking from the front view, make sure to attach the source drive to the left side of the duplicator and the destination drive(s) to the right side. The following procedure provides the steps for connecting hard disks to the TD2. This procedure applies to typical 3.5" SATA and IDE hard disks. To connect hard disks to the TD2: 1. Confirm that the TD2 power switch is Off (the Power LED will be Off). 2. Connect the source disk with its signal cable to the TD2 signal input using the appropriate cable. o TC6-8 IDE signal cable o TC3-8 SATA signal cable 3. Connect the source disk with its power cable to the TD2 power input. o TC2-8-R2: IDE/SATA drive power cable o TC5-8-R2: SATA drive power cable 4. Connect the destination disk or disks with the TC4-8-R2: SATA drive unified cable(s) to the TD2 signal/power output(s). 5. Note: The TD2 is equipped with the ability to connect two destination disks to the unit at the same time. Currently, the TD2 can write to two destination drives simultaneously (twinning). To create a single copy, connect a drive only to the Dest-1 port. 6. On the back of the TD2, connect the TP4 power supply to the TD2 power input. 7. Using the appropriate line cord, plug your TD2 into an AC power source. The green DC Power In LED indicates that power is available at the power connector. Setting up the TD 2 17 8. Turn On the TD2 by pressing the TD2 power switch located on the front of of the unit to the lower left. The green Power LED indicates that the duplicator is turned On. Note: When connecting an IDE source disk to the TD1, always connect the blue end of the IDE cable (TC6-2 or TC6-8) to the TD2 and the black end to the hard disk. If using other than a Tableausupplied cable, ensure that the colored stripe on the cable aligns with Pin #1 on the hard disk. Failure to do so can result in unreliable communication between the hard disk and the TD2. Connecting Notebook Hard Disks If you are connecting a 1.8" or 2.5" notebook hard disk, use the TC6-2 IDE signal cable in conjunction with one of the following notebook adapters: TDA5-18 1.8" notebook adapter TDA5-25 2.5" notebook adapter TDA5-ZIF 1.8" ZIF adapter and cables o TC20-3-2 ZIF cable for 0.2mm ZIF connectors o TC20-3-3 ZIF cable for 0.3mm ZIF connectors Note: Only use the shorter TC6-2 (2") IDE cable when connecting a notebook drive adapter to the TD2. Do not use the longer TC6-8 (8") IDE cable with notebook drive adapters. ZIF drives and some notebook drives require a very short data path between the drive and the controller, so using anything except the 2" cable can result in unreliable communication between the disk drive and the TD2. Drive Detection After initialization, the TD2 begins drive detection. The LCD indicates whether source and destination drives have been recognized. Steady illumination of the SATA Source, Destination 1, and Destination 2 LEDs indicates drive detection. If you have selected a Disk-to-Disk or Disk-to-File startup mode during configuration, the LCD continually indicates disk detection. If drives are detected on both the source and destination ports, the LCD displays the Main menu. You can then view details of the detected drives by selecting Disk Information (Menu 6). CHAPTER 3 USING THE TD2 In This Chapter Overview Duplicate Disk (Menu 1) Preconditions Checking Format Disk (Menu 2) Wipe Disk (Menu 3) Hash Utilities (Menu 4) Blank Check (Menu 5) Disk Information (Menu 6) Disk Utilities (Menu 7) Status Information Logs (Menu 8) Resetting and Clearing Internally Stored Information 20 Tableau TD 2 Versio n 4 .0 1 User's Guide Overview This chapter covers detailed procedures and information for using the TD2. It is organized according to the TD2's menu tree to facilitate navigation of the TD2. TD2 Menus and Options The menus and screens in the TD2 are arranged in a tree structure. Under the Main menu, each branch of the tree is numbered to guide you as you navigate the menu tree. These numbers also make it easy to refer back to this guide for detailed information. The following outline provides the menu structure. Main Menu 1. 2. Duplicate Disk 1.1 Disk-to-Disk 1.2 Disk-to-File Format 2.1 Format Dest 2.1.1 Quick FAT32 2.1.2 2.2 Quick exFAT Format USB 2.2.1 Quick FAT32 2.2.2 3. 4. Wipe Disk 3.1 One Pass Write 3.2 Multi Pass Write Hash Utilities 4.1 5. Quick exFAT Hash Source Blank Check 5.1 Source Disk 5.2 Dest-1 Disk Using the TD 2 5.3 6. 7. 8. Dest-2 Disk Disk Information 6.1 Source Disk 6.2 Dest-1 Disk 6.3 Dest-2 Disk Disk Utilities 7.1 Src: Rmv DCO, HPA 7.2 Src: Rmv HPA 7.3 Dest Free Space Logs 8.1 View Logs 8.2 Save All Logs 8.3 Print All Logs 8.3.1 Newest to Oldest 8.3.2 Oldest to Newest 8.4 9. Erase Logs Setup 9.1 System Options 9.1.1 Startup 9.1.2 Examiner Name 9.1.3 Date and Time 9.1.4 Language 9.1.5 9.2 Finished Alert Imaging Options 9.2.1 ImgType 9.2.2 Show ImgType 9.2.3 File Size 9.2.4 Dir Prompt 21 22 Tableau TD 2 Versio n 4 .0 1 User's Guide 9.2.5 Dir Name 9.2.6 File Prompt 9.2.7 File Ext 9.2.8 Case ID 9.2.9 Case Note 9.3 9.2.10 Err Recov 9.2.11 Err Limit 9.2.12 Verify Hash 9.2.13 Restore Defaults TD2 Info 9.3.1 S/N 9.3.2 FWVersion 9.3.3 FWDate 9.3.4 FWTime 9.4 Factory Reset Duplicate Disk (Menu 1) The TD2 duplicates hard disks by either cloning or imaging them. Cloning, also known as disk-todisk duplication, is the process of copying a source disk, sector by sector, to a destination disk. Source disk sector one is copied to destination disk sector one, then sector two is copied to sector two, sector three to sector three, and so on. Imaging, also known as disk-to-file duplication, is the process of copying a source disk to a series of files on destination disks. Disk-to-Disk/Cloning (Menu 1.1) Follow these steps to perform disk-to-disk duplication. 1. Follow the steps listed in Connecting Hard Disks on page 16 and turn ON the TD2. 2. From the Main menu, use the arrow keys to navigate to Duplicate Disk > Disk-to-Disk (Menu 1.1). Using the TD 2 23 3. Press the [Start] soft key. 4. Enter a Case ID. To abort the process, press the [Cancel] soft key. 5. Enter a Case Note. To abort the process, press the [Cancel] soft key. Duplication begins and progress reports appear on the LCD. To see detailed information, press the [Details] soft key. To terminate duplication, press the [Cancel] soft key. 6. When the process is complete, Print or Save the log. Before duplication, the TD2 performs a series of condition checks to determine whether to proceed. If the TD2 encounters a problem, the TD2 indicates the problem, and if necessary, halts the process. The following table lists details available during disk-to-disk duplication or at the end of duplication. To see these details during duplication, press the [Details] soft key. Legend Task Example Value Disk to Disk Ok Stat Description Indicates disk-to-disk duplication has been selected. Current status of the duplication. Error Incomplete Date 2008-10-14 Date on which the duplication started. Time 14:54 Time at which the duplication started. User Tableau The name of the user. See Examiner Name (Menu 9.1.2). ID: 12345678 Case number or other identifying characters. Notes: Twin, 500GB Key information about the duplication. ST380215A The model of the source disk. --Source Disk-Model 24 Tableau TD 2 Versio n 4 .0 1 User's Guide Legend Example Value 9RX7Y3DP Description Serial number of the source disk. Model WDC WD4000A The model of destination disk 1. S/N WD-WCAS838529 Serial number of destination disk 1. Model WDC WD4000A The model of destination disk 2. S/N WD-WCAS838530 Serial number of destination disk 2. 0 Number of read errors on source disk. 0 Number of read errors recorded in the logs. This may be less than the number of errors counted if the log entry is full. Log entries can typically record up to several hundred errors for each logged operation. S/N --Dest-1-- --Dest-2-- --Errors-Counted Recorded --Hashes-SHA-1 <<no info>> MD5 <<no info>> <<no info>> displays until the operation is finished. Once the operation is finished, the hash value displays. Disk-to-File/Imaging (Menu 1.2) During disk-to-file duplication, the TD2 performs any necessary destination disk formatting automatically. If a destination disk already has an acceptable format and sufficient free space to store at least one image file, the TD2 uses that format. If a destination disk is not either formatted or blank, or if it lacks sufficient free space, the TD2 prompts you for confirmation to format the disk. This reduces the risk of overwriting valuable data. In most cases, the Tableau TD2 should be turned Off when you connect and disconnect hard disks; however, when you perform a disk-to-file duplication, the destination disk might become full. When this happens, the TD2 prompts you to connect the next destination disk. Do not turn Off the TD2 during this process. 1. Follow the steps listed in Connecting Hard Disks on page 16. 2. From the Main menu, use the arrow keys to navigate to Duplicate Disk > Disk-to-File (Menu 1.2). Using the TD 2 25 3. Press the [Start] soft key. Note: If you have enabled additional prompts (through Setup > Imaging Options or Setup > Case Info Options) you will be prompted for additional information after pressing the [Start] soft key. By default, directory and filename prompts are turned off. Through the Setup menus you can choose to enable prompts for those items as well as for case ID and case notes fields. 4. Enter a Case ID. To abort the process, press the [Cancel] soft key. 5. Enter a Case Note. To abort the process, press the [Cancel] soft key. Imaging begins and progress reports appear on the LCD. To see detailed information, press the [Details] soft key. 6. When the process is complete, Print or Save the log. The TD2 offers a high degree of flexibility in selecting defaults for each kind of field so that you can configure the TD2 to match your desired workflow. The TD2 supports disk spanning. The TD2 can span a single source disk across a series of files on multiple destination disks. The on-screen TD2 display shows information only for the first destination disk. The log recorded in flash memory by the TD2 records information for each destination disk, and a copy of the log is written to the last destination disk. The following table lists details available during disk-to-file duplication or at the end of duplication. To see these details during duplication, press the [Details] soft key. Legend Task Example Value Disk to File Ok Stat Description Indicates Disk-to-File duplication has been selected. Current status of the duplication. Error Incomplete Date 2008-10-14 Date on which the duplication started. Time 14:54 Time at which the duplication started. User Tableau The name of the user. See Examiner Name (Menu 9.1.2). ID: 12345678 Case number or other identifying 26 Tableau TD 2 Versio n 4 .0 1 User's Guide Legend Example Value Description characters. Notes: Twin, 500 GB Key information about the duplication. Model ST380215A The model of the source disk. S/N 9RX7Y3DP Serial number of the source disk. Model WDC WD4000A The model of the first of the dest-1 disks (see note following this table). S/N WD-WCAS838531 Serial number of the first of the dest-1 disks. Model WDC WD4000A The model of the first of the dest-2 disks (see note following this table). S/N WD-WCAS838532 Serial number of the first of the dest-2 disks. File Size 4.0 GB Indicates the file size being used for files on the destination disk(s). # of Files 10 Number of files written (so far) to the destination disk(s). Disk Count 1 Number of destination disk(s) used so far. 0 Number of read errors on source disk. 0 Number of read errors recorded in the logs. This may be less than the number of errors counted if the log entry is full. Log entries can typically record up to several hundred errors for each logged operation. --Source Disk-- --Dest-1-- --Dest-2-- --Errors-Counted Recorded --Hashes-SHA-1 <<no info>> MD5 <<no info>> <<no info>> displays until the operation is finished. Once the operation is finished, the hash value displays. Using the TD 2 27 Files Created During Disk-to-File Duplication When performing disk-to-file duplication or imaging, the TD2 creates files on the destination hard disk that contain the data copied from the source hard disk. Files are written to the destination disk according to the following convention: (root dir)/ TD2_IMG/ [directory name]/ [filename].E01 [filename].E02 … [filename].E99 yyyy-mm-dd hh-mm-ss nnnnn TTT.LOG [directory name] is the name generated by the TD2 for each separate acquisition. If an acquisition spans multiple destination disks, the same [directory name] is used on each destination disk. This makes it easy to group image files related to a particular acquisition. The [directory name] can be auto-generated by the TD2 or you can enter it yourself. Autogenerated names can be based on the date/time, the serial number of the source device, or the model and serial number of the source device. The auto-generated [filename] is IMAGE, although you may choose to override this value. For a complete list of the options you may use to control the auto-generation and user prompting for directory and filenames, see Imaging Options (Menu 9.2) on page 12. [filename].001 is the first file, or portion of the data copied from the source disk. The file size is a user-settable option and may also be specified under the Setup > Imaging Options menu. There may be a maximum of 999 files for a single disk copy. If you have specified a file size that requires more than 999 files, the TD2 reports an error and aborts the duplication process. When creating a DD image, you can also specify .DMG naming for files. .DMG refers to a file naming convention used by Apple operating systems. If the .DMG naming option is selected, the first file is named IMAGE.DMG instead of IMAGE.001. All other files have standard filenames (for example, IMAGE.002, IMAGE.003, and so on). A .LOG file is generated by the TD2 for each disk-to-file acquisition. yyyy-mm-dd hh-mm-ss is the duplication task start date/time. The next five characters – nnnnn – are generated from the internal log ID number assigned to the log by the TD2. The TTT in the filename refers to the type of task as listed in the following table. 28 Tableau TD 2 Versio n 4 .0 1 User's Guide Prefix BCK Type of Log Entry/Task Blank Check D2D Disk-to-Disk Duplication D2F Disk-to-File Duplication FMT Disk Formatting (destination only) HPA HPA / DCO Operation HSH Disk Hashing (source only) WIP Disk Wiping (destination only) The three-character codes in the above table match those displayed in the Logs > View Logs menu. If the disk-to-file duplication spans more than one destination disk, the directory structure shown in the above table is reproduced on each destination disk. However, the .LOG file is written only to the last disk in the set. Swapping Destination Hard Disks during Disk-to-File Duplication In most cases, the Tableau TD2 should be turned Off when you connect and disconnect hard disks; however, when you perform a Disk-to-File duplication, the destination disk might become full. When this happens, the TD2 prompts you to connect the next destination disk. Do not turn Off the TD2 during this process. After connecting the new disk, press the [Continue] soft key. The TD2 checks the status of the new destination disk and prompts you to format it, if necessary. The duplication process then continues. Preconditions Checking Before starting a Disk-to-Disk or Disk-to-File duplication, the TD2 automatically checks for a number of preconditions. Some preconditions are warnings, and you can choose to continue or cancel after viewing each one. Some preconditions are fatal and require that the duplication process be aborted. One condition pauses the process and prompts you to intervene. The following table summarizes the preconditions checked by the TD2 prior to duplication. Using the TD 2 Name Source Disk HPA Disk-to-Disk or Disk-to-File Both Type Warning Explanation Reports that HPA is in use on the source disk. The TD2 automatically removes HPA on the source disk. This warning indicates that an HPA was present on the source disk. Reports that DCO is in use on the source disk. Source Disk DCO Both Warning The TD2 does not automatically remove DCO on the source disk, as doing so requires a permanent modification of the source disk. You can cancel the duplication and manually remove the DCO using the Disk Utilities option under the Main menu. Reports that either HPA or DCO is in use on the destination disk. The TD2 does not automatically remove HPA or DCO on the destination disk. This warning notifies you that the duplicator is not using the total size of the destination disk. You can cancel the duplication and manually remove the HPA / DCO using the Disk Utilities option under the Main menu. Destination Disk HPA or DCO Both Warning Destination Disk Too Small Disk-to-Disk Fatal For Disk-to-Disk duplication, the destination disk must be at least as large as the source disk. Fatal For Disk-to-File duplication, the segment size must be large enough so that the entire copy can fit in 999 segments. You need to specify a larger segment size using the Setup > Imaging Options menu. Warning The TD2 checks selected sectors on the source disk looking for non-blank data patterns. If all of the checked sectors appear to be blank, the TD2 warns that the source might be blank. This does not mean that the source is necessarily blank, but it could mean that the source has been partially wiped or that an ATA password has been set for the source drive. Warning The TD2 checks selected sectors on the destination disk looking for non-blank data patterns. If the destination disk is not blank, an unintentional overwrite is possible. This warning provides the opportunity to abort the duplication. Segment Size Too Small Source Disk May Be Blank Destination Disk May Not Be Blank Disk-to-File Both Disk-to-Disk 29 30 Tableau TD 2 Versio n 4 .0 1 User's Guide Name Destination Disk May Not Be Blank Disk-to-Disk or Disk-to-File Disk-to-File Type Warning Explanation When performing Disk-to-File duplication the TD2 needs each destination disk to be formatted with the FAT32 file system. If the destination disk is already formatted for FAT32, the TD2 uses this formatting without overwriting any existing files. If the destination disk does not have a FAT32 file system, the TD2 can format one during duplication. If the destination disk appears to be blank, the TD2 formats it without any warnings. Duplication Will Span Multiple Destination Disks Disk-to-File Warning When performing Disk-to-File duplication, the TD2 checks the available space on the destination disk. If the destination disk appears to be too small to receive the entire contents of the source drive, the TD2 issues a warning, providing an opportunity either to change disks or to proceed. When performing Disk-to-File duplication to a twinned pair of destination disks, to ensure a valid mirroring process, the TD2 first verifies that the twinned pair have identical content. If the TD2 determines, using blank check, that the twinned pair are blank, it automatically formats the pair. If either disk appears to be non-blank, the TD2 issues a warning providing an opportunity to abort the duplication before formatting the twinned pair. Twin disks must be (re)formatted Both User Interventi on When the TD2 formats a twinned pair, it stores a special marker file on each disk. When this twinned pair is later connected as a destination, the TD2 then verifies it as a twinned pair by detecting the identical markers and free space. This process enables you to accumulate multiple source images on large twinned pairs of destination disks. When formatting two destination disks, the TD2 sets the usable capacity to be the lesser capacity of the two drives. Note: If either disk is connected to a Windows system without a write blocker, Windows will probably alter the disk contents. The TD2 will then reject the altered twinned pair as invalid and prompt you to Using the TD 2 Name New destination disk is full Disk-to-Disk or Disk-to-File Disk-to-File Type User Interventi on 31 Explanation reformat them. Reformatting an invalidated twinned pair destroys any previously collected images. When performing Disk-to-File duplication, the TD2 checks the available space on the destination disk. If the destination disk does not have enough room for a complete file, then the TD2 pauses and requires you to change destination disks. Format Disk (Menu 2) When using disk-to-file imaging, the destination drive must be formatted with a file system that is recognizable by the TD2. Currently, the TD2 supports destination disks that are formatted as FAT32 or exFAT. The FAT32 file size limit is 4 GB. The exFAT file size limit is 16 EB (16,000,000 TB). When file sizes are larger than 4 GB, exFAT should be used. From the formatting menu you can manually format either the destination disk or a USB mass storage device attached to one of the TD2's USB ports. 1. From the Main menu, use the arrow keys to navigate to Format (Menu 2). 2. Select Format Dest (Menu 2.1) or Format USB (Menu 2.2). 3. Select the file system (Quick FAT32 or Quick exFAT). 4. To confirm your selection, press the [Yes] soft key. The formatting task begins. Format Dest (Menu 2.1) The Format Dest option allows you to format the destination disk with a file system used by the TD2. The TD2 does what is generally referred to as a Quick Format. In other words, the TD2 writes the necessary Master Boot Record, Partition Boot Record, and data structures to the destination disk. The TD2 does not do a full surface scan of the destination disk. If you want to verify the integrity of the destination disk you should format it using a traditional computer and operating system. You do not need to pre-format destination drives when using the Disk-to-File duplication mode of the TD2. If a destination disk is unformatted, or formatted, and not blank, the TD2 prompts you to format it before beginning the duplication.. 32 Tableau TD 2 Versio n 4 .0 1 User's Guide Large Disk Support The TD2 supports two methods of formatting disks: Master Boot Record (MBR) GUID Partition Table (GPT) In general, disks of less than 2 TB are formatted with the MBR option. Disks greater than 2 TB are formatted with GPT. Large disks can be formatted with MBR, but only the first two terabytes of space are used. The GPT format involves creating multiple partitions of up to 2 TB each. When a GPT disk is attached to a Windows system, Windows assigns each partition a drive letter. In the formatting step, when the TD2 recognizes a large disk greater than 2 TB, a menu displays: Large disk found. Select disk format. Two soft keys allow you to select GPT or MBR. If two destination disks are connected, twinning is selected. The formatting operation formats to the capacity of the lower capacity drive. If this capacity is less than 2 TB, the MBR format is used regardless of the size of the larger drive. Advanced Format Support Traditionally, hard drives have had an internal structure built around sectors of 512 bytes. Newer drives, especially drives with capacities greater than 2 TB, feature the Advanced Format (AF) structure that uses internal sectors of 4096 bytes. Such drives still support I/O transfers that reference 512-sectors; internally, the drives map these references to the internal 4096-byte physical sectors. Implicit in this mapping is the need to accommodate writes that alter the data stored in just a portion of a physical sector. This is accomplished by an inefficient read-modifywrite cycle. Historically, disks have been formatted with the first partition located at sector 63. However, if a host computer aligns partitions and clusters of 512-byte sectors on boundaries that are not a multiple of 8, then the frequency with which the drive must resort to read-modify-write cycles can severely degrade performance. The TD2 recognizes AF disks. It formats them accordingly with partitions and clusters positioned at sector locations that are a multiple of 8. If an AF disk is paired with a non-AF disk for twinning, they are both are formatted in accordance with the rules for optimum AF alignment. Using the TD 2 33 Format USB (Menu 2.2) The Format USB option allows you to format a USB mass storage device connected to one of the TD2's USB ports. You must attach a USB mass storage device, such as a thumb drive, to one of the TD2's USB ports before selecting this option. Note: You can attach only one USB mass storage device to the TD2 at a time. Connecting more than one USB mass storage device to the TD2's USB ports may lead to confusing results, as you cannot tell which USB mass storage device the TD2 is using. Wipe Disk (Menu 3) You may wish to wipe the destination disk before use, especially when doing disk-to-disk cloning. The TD2 gives you two options to wipe a destination disk: you can perform a fast, one-pass wipe or a multi-pass wipe. 1. Follow the steps listed in Connecting Hard Disks on page 16 and turn ON the TD2. No source disk is necessary. 2. From the Main menu, use the arrow keys to navigate to Wipe Disk (Menu 3). 3. Select One Pass Write (Menu 3.1) or Multi Pass Write (Menu 3.2). 4. To confirm your selection, press [Yes]. The wiping task begins, and progress reports appear on the LCD. Note: If you connect two destination disks of different sizes, the Wipe Disk utility wipes an area equal to the capacity of the smaller drive. To fully wipe the larger of two destination drives, connect it to the Dest-1 port as the only destination drive. One Pass Write (Menu 3.1) The TD2 writes a constant pattern of zeros (00h) to the destination drive in a single pass. The TD2 will display on-screen performance and timing metrics during the wiping process. You may cancel the wiping operation at any time by pressing the [Cancel] soft key. Note: The TD2 will not automatically overwrite an HPA or DCO on the destination drive. Multi Pass Write (Menu 3.2) The TD2 performs full passes of writes to the destination drive. The first pass writes zeros (00h), the second pass writes ones (FFh), and the third pass writes a randomly selected constant value between 01h and FEh. The TD2 will display on-screen performance and timing metrics during the wiping process. You may cancel the wiping operation at any time by pressing the [Cancel] soft key. 34 Tableau TD 2 Versio n 4 .0 1 User's Guide Hash Utilities (Menu 4) There are times when a forensic practitioner would like to calculate the hash values, or fingerprints, for a source disk without making a copy of the disk. With the Hash Utilities menu, you can generate an MD5 and SHA-1 hash value for the hard disk attached to the source side of the TD2. You can cancel the hashing operation at any time by pressing the [Cancel] soft key. If the source disk has an HPA-protected region, the TD2 automatically disables the HPA before performing the hash calculation. This is the same as the TD2's behavior during duplication. If you compare the hash values produced when duplicating a disk and when using the Hash Utilities, you should get the same hash results. When the hashing operation is finished, the TD2 prompts you to press the [Ok] soft key. After pressing [Ok], you see a Hash Options menu: Hash Options 1. View Hash 2. Compare to Logs Selecting View Hash lets you view the MD5 and SHA-1 hash results on the TD2 display. The MD5 and SHA-1 hash results are too wide to display completely on screen, so you may use the left and right arrow keys to scroll the hash results. Selecting Compare to Logs lets you see quickly if you have recently performed any other tasks with the same source drive on this TD2 unit. The TD2 will search the logs stored in flash memory looking for any Disk-to-Disk, Disk-to-File, or Hash log entries that have matching hash values. If there are any matching entries, the TD2 displays a list of them. Blank Check (Menu 5) The Blank Check menu lets you do a quick blank check on the source or either destination drive. The TD2 performs a quick check to determine if the selected disk appears to be blank by reading sectors in the Master Boot Record, the Primary GPT, and the Secondary GPT. A sector is considered to be blank if it contains only a repeating pattern such as 00h, E5h, or FFh. Any nonrepeating pattern is considered to be non-blank. If all sectors read by the TD2 have repeating patterns (though not necessarily the same repeating pattern), then the TD2 concludes the drive may be blank. This quick check is not an exhaustive check of the entire drive. It is possible for a drive to appear to be blank according to the quick check while still storing forensically relevant information. A forensic examiner should treat blank source disks with some suspicion and use other tools, like a Tableau write blocker, to examine the drive to see if it contains forensically relevant information. Using the TD 2 35 Disk Information (Menu 6) The TD2 can display detailed information for the source or the destination hard disk(s). Source Disk (Menu 6.1) displays information for the SATA or IDE hard disk attached to the source side of the TD2. the Dest-1 and Dest-2 (Menus 6.2 and 6.3) display information for the hard disks attached to the destination side of the TD2. The following table lists the disk information displayed by the TD2: Legend Model Example Value ST380215A Definition The model name reported by the hard disk through the ATA IDENTIFY command. S/N 9RX7Y3DP The serial number reported by the hard disk through the ATA IDENTIFY command. Firm Rev 3.AAD The firmware revision reported by the hard disk through the ATA IDENTIFY command. Capacity 40.0 GB The capacity of the hard disk as it will be copied/used by the TD2. LBA 20,000,000 The capacity in sectors as reported by the hard disk at power ON. HPA 78,125,000 The capacity in sectors as reported by the hard disk using the ATA HPA (Host Protected Area) feature set. DCO 156,301,488 The capacity in sectors as reported by the hard disk using the ATA DCO (Device Configuration Overlay) feature set. HPA in use Yes Yes if the ATA HPA feature set is being used to reduce the apparent capacity of the hard disk. DCO in use Yes Yes if the ATA DCO feature set is being used to reduce the apparent capacity of the hard disk. Sec in use No Yes if the ATA Security feature set may be in use to password protect the contents of the hard disk. Cable IDE IDE or SATA. PIO mode PIO 4 The PIO (Programmed I/O) mode being used by the TD2 to communicate with the hard disk. DMA mode UDMA 5 The DMA or UDMA mode being used by the TD2 to communicate with the hard disk. 36 Tableau TD 2 Versio n 4 .0 1 User's Guide Disk Utilities (Menu 7) The TD2 offers several utilities to assist with the processing of drives. These utilities can be found in Menu 7. Removal of DCO and HPA Regions The TD2 automatically detects the use of the ATA HPA (Host Protected Area) and DCO (Device Configuration Overlay) feature sets. Both HPA and DCO feature sets can be used to reduce the apparent capacity of a hard disk. From a forensic point of view it is valuable to know if HPA and/or DCO are in use. With that knowledge, the forensic practitioner can make an informed decision about whether or not to acquire data in the hidden regions of the drive. You can disable HPA without making a permanent modification to the drive, so the TD2 automatically disables HPA on any hard disk connected to the source side of the duplicator. It is not, however, possible to disable DCO without making a permanent modification to the hard disk. For this reason, the TD2 will not automatically disable DCO on the source hard disk. The TD2 never makes automatic changes to HPA and DCO on a destination hard disk. The TD2 is designed using the assumption that the forensic practitioner has complete control over the destination hard disk. If you choose to restrict the destination drive capacity using HPA or DCO, the TD2 will not override that decision. The TD2 cannot disable HPA or DCO on the destination disk(s), however, the TD2 does detect and warn about DCO on the destination disk(s). The options within the Disk Utilities menu allow you to permanently disable either just the HPA or both the DCO and HPA on the source disk. Remove DCO & HPA (Menu 7.1) You cannot remove a DCO-protected region on a hard disk without also removing any HPAprotected region. If you want to permanently remove both the HPA and DCO on either the source or destination hard disk, use the options under this menu. Remove HPA (Menu 7.2) You can remove an HPA-protected region on a hard disk without making any changes to the DCO settings on the hard disk. If you want to permanently remove the HPA on either the source or destination hard disk, use the options under this menu. Dest Free Space (Menu 7.3) To quickly determine the free space on the attached destination drive, select Disk Utilities > Dest Free Space (Menu 7.3). This option displays the capacity of the drive and the available space. Using the TD 2 37 Status Information During long disk operations including duplication, wiping, and stand-alone hashing, the TD2 displays five performance/timing metrics in a rotating loop to track progress of the selected operation. The following table explains each of the performance/timing metrics displayed by the TD2. Metric Elapsed Time Displayed As Elapsed: min sec Description Total elapsed time since the start of the current task. Time Remaining TimeRem: min sec Estimated remaining time for the current task. This time is calculated using the amount of data remaining divided by the average transfer rate. Instantaneous Transfer Rate (bytes per second) Instant: xxx MB/sec The average over the most recent six seconds, displayed both in bytes per second and bytes per minute. Instantaneous Transfer Rate (bytes per minute) Instant: yyy GB/min Average Transfer Rate (bytes per minute) Average: yyy GB/min The average rate since the start of the current task. A rotating-media hard disk transfers data faster at the beginning of duplication than at the end. Expect to see the instantaneous transfer rate at the beginning of a duplication task decrease up to 50% by the end of the task. This transfer rate decrease is normal and does not indicate a problem with any of the hard disks involved or the TD2. Logs (Menu 8) Whenever the TD2 performs an operation which reads, writes, or modifies a hard disk, it creates a log entry to record that operation. The TD2 has an internal flash memory with the capacity to store approximately 59 of the most recently logged operations. Once the TD2 has stored 59 log entries, the creation of a new log entry will automatically overwrite the oldest log entry. The Logs menu lets you view, print, save, and erase log entries. 38 Tableau TD 2 Versio n 4 .0 1 User's Guide View Logs (Menu 8.1) Selecting the View Logs option displays a list of the logs currently recorded in the TD2's internal flash memory. The most recent log entry is displayed at the top of this list with the oldest log entry at the bottom (end) of the list. Log entries are displayed as: 10-13 12:46 Wip Ok 10-13 12:45 Wip X … The first part of the line is the month and date (MM-DD) on which the log was recorded. The second part is the time at which the log was recorded (HH:MM) using a 24-hour clock format. The third part of each line is a three-character code indicating the type of task recorded in the log. For a complete listing of the three-character codes, see Writing Logs to a USB Storage Device on page 41. In the above example, Wip refers to a Disk Wiping operation. The last part of the line is an abbreviation indicating the result of the logged operation: Result Ok Definition Task completed normally. Er Task completed with an error. X Task was aborted or canceled by the user. NC Task did not finish. This might happen if the duplicator is turned off in the middle of the task. Use the up and down arrows to scroll through the list of log entries. A small sideways triangle ► indicates the currently selected log entry. To view the currently selected entry, press the [Select] soft key. Using the TD 2 39 Sample TD2 Log The TD2 maintains detailed logs for each task initiated by the user. Here is a sample of an errorfree log for a Disk-to-File acquisition. -------------------------Start of Tableau TD2 Log entry----------------- Task: Disk to File Status: Ok Created: 2008-08-14 13:15 Closed : 2008-08-14 13:43 User: Tableau Case ID: TD2 Demonstration Case Notes: The TD2 is an awesome forensic duplicator! Duplicator serial num: 01d1101a Duplicator firmware timestamp: Aug 12 2009 11:43:33 Duplicator firmware revision: 2.10 Duplicator log ID num: 7 ----------------------Disk-to-File Results---------------------- # of sectors: 293,046,768 (150.0 GB) Destination filename convention: Default Segment size in sectors: 7,812,480 (3.9 GB) Segments expected: 38 Segments written: 38 Filename of first segment: TD2_IMG/WDC WD1500HLFS-01G6U0_WDWXLY08147051/IMAGE.001 40 Tableau TD 2 Versio n 4 .0 1 User's Guide Total errors: 0 Errors recorded: 0 SHA1: 813d0f6bf853d6681314911fe6fe02c9b96ecbd8 MD5 : af995be7c61fc0a8ffe052b842fbabbd --------------------------Source Disk--------------------------- Model: WDC WD1500HLFS-01G6U0 S/N: WD-WXLY08147051 Firmware Revision: 04.04V01 Capacity in sectors reported Pwr-ON: 293,046,768 (150.0 GB) Capacity in sectors reported by HPA: 293,046,768 (150.0 GB) Capacity in sectors reported by DCO: 293,046,768 (150.0 GB) HPA in use: No DCO in use: No ATA Security in use: No Cable/Interface type: SATA ATA PIO mode: PIO 4 ATA DMA mode: UDMA 5 Peak power: +5V : 4.81 V 691 mA +12V: 12.2 V 335 mA -----------------------Destination Disks------------------------ Destination disks used: 1 Destination disks recorded: 1 Using the TD 2 41 ----------------------Dest-1 Disk #1----------------------- Model: WDC WD3000GLFS-01F8U0 S/N: WD-WXL508028462 Firmware Revision: 03.03V01 Capacity in sectors reported Pwr-ON: 586,072,368 (300.0 GB) Capacity in sectors reported by HPA: 586,072,368 (300.0 GB) Capacity in sectors reported by DCO: 586,072,368 (300.0 GB) HPA in use: No DCO in use: No ATA Security in use: No Cable/Interface type: SATA ATA PIO mode: PIO 4 ATA DMA mode: UDMA 5 Peak power: +5V : 4.74 V 746 mA +12V: 12.5 V 298 mA --------------------------End of Tableau TD2 Log entry------------------- If the TD2 had detected any bad sectors on the source drive, it would have added a section at the end of the TD2 log. This additional section would list the sector address and sector length of each unreadable region of the source disk. Save All Logs (Menu 8.2) You can save all logs to a USB storage device connected to one of the TD2's USB ports. After connecting a USB storage device to one of the TD2's USB ports, select the Save All Logs option to save the logs. Logs are saved in an ASCII text format. Use a text editor of your choice to view the logs. 42 Tableau TD 2 Versio n 4 .0 1 User's Guide Writing Logs to a USB Storage Device The TD2 lets you write logs to a USB storage device and adheres to the following directory and naming conventions: (root dir)/ TD2_IMG/ LOGS/ SSSSSSSS/ yyyy-mm-dd hh-mm-ss nnnnn TTT.LOG Here, SSSSSSSS is the short-form serial number for the duplicator. This eight-digit serial number is the same as the serial number you find printed on the bottom of the TD2. 01D1000C is an example of a valid TD2 serial number. The format of the .LOG filename is described in Files Created During Disk-to-File Duplication on page 27. Print All Logs (Menu 8.3) You can print all logs to a USB printer attached to one of the TD2's USB ports. After connecting a USB printer to one of the TD2's USB ports, select the Print All Logs option to print the logs. After selecting Print All Logs you will be asked to select whether logs should be printed in the order of Newest to Oldest or in the order of Oldest to Newest. The TD2 is compatible with USB printers which support the USB Printer Class Specification. The USB printer must support raw ASCII printing. Erase Logs (Menu 8.4) If you want to erase the logs stored in the TD2's internal flash memory, selecting the Erase Logs option performs a physical erase of the flash memory in which the logs are stored. It is not possible to recover the logs after Erase Logs is finished. Resetting and Clearing Internally Stored Information Some forensic and security applications require that the user be aware of the kinds of information that the duplicator can store. In some cases, you may want to know what, if any, information is preserved by the unit from one acquisition to the next. Or you might be in security-sensitive environments and need to be able to sanitize equipment before that equipment can be removed. The TD2 has three separate non-volatile memories. The first non-volatile memory is a flash device which is used to store the TD2's firmware and serial number. The firmware can be updated using the Tableau Firmware Update utility (available from Tableau's Web site). This flash device is never used to record any user-specific or acquisitionspecific information. Using the TD 2 43 The second non-volatile memory is a separate flash device used to store two different types of information: configuration settings and logs. Configuration settings include the following. User/operator name (entered via Configuration Wizard or Setup Menu). Startup mode of operation (entered via Configuration Wizard or Setup Menu). Error handling settings (error recovery strategy and error counter limits). Default directory naming conventions for disk-to-file duplication (directory name format). Default file naming conventions for disk-to-file duplication (file name format). Default file format conventions (segment size, etc.). Last-used case ID and case notes (if case information is enabled). User preferences for prompts (directory name, file name, case information). This second flash also records up to 59 of the most recent tasks performed by the duplicator. A task in this context is any operation which operates on a disk device, including duplication, formatting, wiping, hashing, blank checking, and HPA/DCO operations. Logs include detailed information about each disk device attached to the TD2; this includes the make/model, serial number, capacity, and so on. The third and final non-volatile memory is the on-board real-time clock (RTC) with battery backup. The real-time clock records the date and time as set by the user. The real-time clock does not record any user-specific or acquisition-specific information. The following table lists the reset/clear information stored internally by the TD2. Non-Volatile Memory Information Stored TD2 firmware User or Case-Specific Info None Flash #1 TD2 serial number None Ability to Reset/Clear Firmware cannot be erased, but can be updated using the Tableau Firmware Update program, which can be downloaded from Tableau's Web site. It is not possible to change the TD2 serial number in the field. All configuration settings can be erased and restored to factory defaults by selecting Setup > Factory Reset. TD2 configuration User-specific TD2 configuration Case-specific (if case ID/notes are enabled) Flash #2 Configuration settings (excluding user name and startup mode) can be reset to defaults using Setup > Imaging Options > Restore Options. All configuration settings can be erased and restored to factory defaults by selecting Setup > Factory Reset. 44 Tableau TD 2 Versio n 4 .0 1 User's Guide Non-Volatile Memory Information Stored User or Case-Specific Info Ability to Reset/Clear Alternately, the Case ID/Notes can be disabled through Setup > Case Info Options. All logs can be erased by either selecting Logs > Erase Logs or Setup > Factory Reset. TD2 logs Real-Time Clock Date/Time User-specific and Case-specific None Alternately, logs can be erased individually. When viewing a specific log entry, select the [Options] soft key, then select Erase Log. The Date/Time cannot be restored to a factory default state. However, after performing a Factory Reset, the TD2 prompts you to change the Date/Time within the Setup Wizard. The Date/Time can also be changed by selecting Setup > Date and Time. The Factory Reset and Erase Logs options physically erase the flash memory corresponding to each item. It is not possible to recover settings or log entries after the flash memory has been physically erased. CHAPTER 4 TROUBLESHOOTING AND SUPPORT In This Chapter Troubleshooting Common Problems Support 46 Tableau TD 2 Versio n 4 .0 1 User's Guide Troubleshooting Common Problems This section provides the following troubleshooting issues and solutions: Power Supply Issues Problems with Disk Detection Replacing the Backup Battery for the Real-time Clock Power Supply Issues The TP4 power supply provided with the TD2 is a 24-volt (16V-28V) power supply that uses a barrel connector to interface with the TD2. It is capable of powering the TD2 and nearly all combinations of one, two, or three hard disks. The TD2 also employs staggered power sequencing for the source and destination hard disks. With staggered sequencing, power is first provided to one hard disk as it spins up, then to the second hard disk as it spins up, and finally to the third hard disk. It is normal to hear the source and destination drives spin up separately. During power-On initialization and self-test, the TD2 will check the output voltages of the TP4 power supply. If the voltage is below the minimum specification, the TD2 displays an on-screen warning. There is a green DC power LED on the rear edge of the TD2, next to the female DC power barrel connector. If the TP4 power supply is connected properly to the TD2 and to AC power, the green LED illuminates. If you are having difficulty turning the TD2 On, check the status of the DC power LED to ensure that the TD2 is receiving power from the TP4 power supply. Problems with Disk Detection When using a product like the TD2, the most common problem users encounter is a failure to achieve drive detection. Most drive detection problems are the result of improper cabling. The following table lists the most common drive detection problems and corrective actions. Problem Hard disk does not spin up. Corrective Action Check the power connection between the TD2 and the hard disk. Be especially careful to ensure that the 4-pin power connectors are properly seated in the connectors on the TD2 and on the hard disk (if using cable model TC28). The blue connectors should be fully inserted, not loose, in the TD2 and hard disk. TD2 does not detect IDE hard disk. IDE hard disks should be set for Master or Single Drive. TD2 does not detect 3.5" IDE hard disk. Normal 3.5" IDE hard disks can be connected to the TD2 using either the 8" TC6-8 IDE cable or the 2" TC6-2 cable. In either case, the blue end of the IDE cable must be connected to the TD2. You must not use an IDE cable longer than 8" with the TD2. Always use the Tableau-provided, high-quality, 80- Tro ublesho o ting and Suppo rt Problem TD2 does not detect notebook IDE hard disk. 47 Corrective Action conductor TC6-8 or TC6-2 cable. When using one of the notebook drive adapters provided with the TD2 (model TDA5-18, TDA5-25, or TDA5-ZIF), you must always use the 2" TC6-2 IDE cable. When using a notebook drive adapter, do not use the 8" TC6-8 IDE cable or any non-Tableau IDE cable. When using notebook drive adapters, the blue end of the TC6-2 IDE cable must be connected to the TD2, and the black end of the cable must be connected to the notebook drive adapter. TD2 does not detect ZIF-style notebook IDE hard disk. There are several models of ZIF hard disks. When using the TDA5-ZIF kit provided with the TD2, refer to the Support pages on Tableau's Web site for documentation regarding the proper selection and orientation of ZIF cables. TD2 does not detect SATA hard disk. Use only the 8" TC3-8 SATA cable provided by Tableau. With some SATA hard disks, the SATA connector might be loose. Ensure that the TC3-8 cable is seated properly in the hard disk's SATA connector. Tableau has tested the TD2 with an extensive in-house library of different hard disks spanning many years of hard disk development, but there might be compatibility issues with some hard disks. Tableau issues firmware updates to address most compatibility issues. If your hard disk is not recognized by the TD2, check the Support pages on Tableau's Web site to see if any firmware updates are available for the TD2. Replacing the Backup Battery for the Real-time Clock The TD2 uses a real-time clock (RTC) with a backup battery. The battery has a shelf life of 12-18 months. If you use the TD2 regularly, expect the battery to last longer than 18 months. As the battery discharges, the TD2 displays a low battery warning message. This section provides an illustrated procedure for replacing the RTC backup battery. Compatible Batteries The TD2 uses an ANSI/NEDA type 5012LC battery. The following table lists several common batteries compatible with this type. Manufacturer Duracell Model # DL1220 Energizer CR1220 Rayovac CR1220 48 Tableau TD 2 Versio n 4 .0 1 User's Guide Opening the TD2 It is necessary to open the TD2 case in order to replace the battery. You need a #1 Phillips screwdriver to open the TD2 case and a small flat-blade screwdriver to remove the battery. The following procedure provides the steps for opening the TD2. 1. Disconnect all the power supply and all cables from the TD2 before opening the TD2 case. Never connect the power supply or operate the TD2 when the case is open. 2. After disconnecting the power supply and all cables, turn the TD2 upside down on a clean work surface. 3. Remove the four screws and set them aside. The following photograph shows the location of the four case screws. The rear half of the plastic enclosure partially surrounds the 1394 connector. This prevents you from lifting the rear half of the case in a straight direction. 4. Carefully lift the rear half of the plastic case away from the TD2 by tilting and pulling it toward you. Keep the TD2 secure on your work surface. Lifting or tilting the TD2 might move the main circuit board, loosen a connector, and cause a system failure. 5. Carefully set the rear half of the TD2 case aside. The following photograph shows the exposed main circuit board. Tro ublesho o ting and Suppo rt 49 Note: Lifting the main TD2 circuit board away from the front half of the enclosure might loosen the flex cable connector and cause a system failure. Reattaching the flex cable requires special skill. 6. Carefully lift the back of the main circuit board (left side in the above photograph), and using the flex cable as a pivot, spread the main circuit board flat, as shown in the photograph below. 50 Tableau TD 2 Versio n 4 .0 1 User's Guide The backup battery is located on the back of the main circuit board, as shown in the photograph below. Replacing the Battery The following photograph shows details of the battery location, highlighted in red. 1. Using the flat-blade screwdriver, pry the battery gently from the battery holder. 2. Using a compatible battery, replace the RTC backup battery. For a list of compatible batteries, see Compatible Batteries on page 47. Note: Make sure the positive terminal of the battery is facing upward. Tro ublesho o ting and Suppo rt 51 Closing the TD2 Because of the shape of the 1394 connector, replacing the rear half of the TD2's case requires some care. To replace the TD2's case: 1. Tilt the bottom edge of the rear case into position. 2. Tip the case downward while simultaneously aligning the USB and 1394 connectors at the bottom of the case. 3. Ensure that the case and main circuit board are aligned and replace the four case screws. The four screws that hold the TD2 case together also secure the main circuit board. 4. After replacing the four case screws, inspect the TD2 and determine whether the case is tightly secured. Testing the New Battery After you have securely fastened the TD2's case, return it to its normal upright position and attach just the TP4 power supply. Turn the TD2 On and observe the startup sequence. You should not see a battery warning dialog, but you will probably see a date/time warning to reset the RTC. To reset the date/time, from the TD2 Main menu, select Setup > Date and Time. For detailed information about setting the date and time, see Date and Time (Menu 9.1.3). After resetting the date/time, turn the TD2 Off, wait two minutes, and turn the TD2 ON. The date/time, located in the upper-left corner of the Main menu should be correct. Support Overview Guidance Software is committed to providing our customers with the best user experience possible. There are a variety of ways for you to get the help you need, when you need it. This section provides information on our various support resources. Find Support Online Guidance Software provides an array of resources to help you find answers to your questions online. To access online support, navigate to www.guidancesoftware.com and click Support. SALES Links under Sales enable you to: Contact sales by phone or form submission Request a demo Call a sales representative Request a quote 52 Tableau TD 2 Versio n 4 .0 1 User's Guide Locate your nearest reseller TECHNICAL SUPPORT Links under Technical Support enable you to: Find contact hours, phone numbers, and hours of availability Browse FAQs Call a technical support agent Register your product to receive future downloads Access customer community forums Join the customer community where you can: o Access forums o Read knowledge base articles o Log and track issues o Chat with a representative o Download documentation o Download products Register your account CUSTOMER SERVICE Links under Customer Service enable you to: Find contact hours, phone numbers, and hours of availability Browse FAQs Call a technical support agent Register your product to receive future downloads Receive help immediately in the event of a breach Access customer community forums Join the customer community where you can: o Access forums o Read knowledge base articles o Log and track issues o Chat with a representative o Download documentation o Download products Register your account Access the Customer Community The customer community is an online meeting place where you can: Register your product Access forums Tro ublesho o ting and Suppo rt 53 Read knowledge base articles Log and track issues Chat with a representative Download documentation Download products To access the customer community navigate to www.guidancesoftware.com and click Support > Technical Support > Customer Community. View Customer Forums The Guidance forums provide a rich repository of information, including: EnCase App Central user-created applications for free download General discussion forums that provide information about products and specific issues Non-English language forums In these forums you can learn from other community members, ask questions, and share your own expertise with others. To access the forums navigate to www.guidancesoftware.com and click Support > Technical Support > Customer Community > Forums. Browse the Knowledge Base The knowledge base consists of articles on a variety of topics about Guidance Software products. You can search to find articles that help you, and you can also submit your own articles to help other users. To access the knowledge base, navigate to www.guidancesoftware.com and click Support > Technical Support > Customer Community > Knowledge. Log and Track Issues Create a new support case, track existing cases, or request a new feature through the customer community. To create a new technical support case, navigate to www.guidancesoftware.com and click Support > Technical Support > Customer Community > Submit an Issue under Technical Support. To create a new customer service case, navigate to www.guidancesoftware.com and click Support > Customer Service > Customer Community > Submit an Issue under Customer Service. To access your previous cases, navigate to www.guidancesoftware.com and click Support > Technical Support > Customer Community > Cases. Register your Product Register your Guidance Software product to receive product updates. To register your product, navigate to www.guidancesoftware.com and click Support > Technical Support > Register Product. 54 Tableau TD 2 Versio n 4 .0 1 User's Guide If you have trouble registering your product, contact Customer Service. If you have trouble downloading updates after registering, contact Technical Support. Register your Account Registered owners of Guidance Software products gain access the forums, knowledge base articles, and other support resources contained within the Customer Community. To register your account, navigate to www.guidancesoftware.com and click Support > Technical Support > Register Account. A registration form displays. Provide all requested information. This helps us identify you as a registered owner of a Guidance Software product. After you complete the registration form, click Register. After submitting your form, you will receive an email. Once you have verified your email address, your account will be reviewed and approved within 24 business hours. Once your registration is approved, you can access the Customer Community by navigating to www.guidancesoftware.com and clicking Support > Technical Support > Customer Community. Contact Guidance Software There are many ways to contact Guidance Software if you want help, more information, or to provide feedback. Contact Sales BY TELEPHONE: 626-229-9191 888-999-9712 BY ONLINE REQUEST: Navigate to www.guidancesoftware.com and click Support > Sales to request a demo, speak to a member of our sales team, or request a quote. Contact Customer Service BY TELEPHONE: 626-463-7964 (Monday through Friday, 7 am to 5 pm, Pacific Time) 866-229-9199 BY ONLINE REQUEST: Navigate to www.guidancesoftware.com and click Support > Customer Service > Contact. Contact Technical Support Guidance Software provides telephone technical support 24 hours a day, excluding weekends and holidays, through the regional support numbers listed below. All technical support inquiries are automatically routed to either our US or UK office, depending on the time of day. Tro ublesho o ting and Suppo rt 55 UNITED STATES: Monday–Thursday 5 AM–10 PM Pacific time, Friday 5 AM–7 PM Pacific time Phone: +1 (866) 973-6577 or (626) 463-7977 Fax: +1 (626) 229-9199 1055 E. Colorado Blvd. Pasadena, CA 91106 UNITED KINGDOM: Monday–Friday 6 AM–4 PM UTC/BST Phone: +44 (0) 1753-552252, Option 4 Fax: +44 (0) 1753-552232 Thames Central, 5th Floor Hatfield Road Slough, Berkshire UK SL1 1QE EMEA AND APAC: +800-4843-2623 For customers in the following countries, use your country's local exit code and call: +800-GUIDANCE (4843-2623). Do not dial US country code 1. Australia Belgium China-North China-South Denmark Finland France Germany Hong Kong Italy Japan Malaysia Netherlands New Zealand Norway Poland Singapore South Korea Spain Sweden If you do not know your exit code, refer to http://www.howtocallabroad.com/codes.html http://www.howtocallabroad.com/codes.html. Dial your country's exit code, then dial 800-48432623. 56 Tableau TD 2 Versio n 4 .0 1 User's Guide Chat with a Technical Services Engineer Live chat is available with technical service engineers from between 10 pm Sunday to 6 pm Friday, Pacific Time. To chat, navigate to www.guidancesoftware.com and click Support > Technical Support > Customer Community. On the Customer Community home page, open the left sidebar with the ALT + S keyboard command, or by clicking the arrow in the left margin. The sidebar displays. In the Live Chat area, click Start Chat. INDEX A L About this Guide • 3 Advanced Format Support • 32 Large Disk Support • 32 LCD Contrast • 7 Logs (Menu 8) • 37 B Blank Check (Menu 5) • 34 C Closing the TD2 • 51 Compatible Batteries • 47 Configuring the TD2 • 10 Connecting Hard Disks • 16 Connecting Notebook Hard Disks • 17 Conventions Used in this Guide • 3 D Dest Free Space (Menu 7.3) • 36 Disk Capacity and Transfer Rate Measurement Conventions • 3 Disk Information (Menu 6) • 35 Disk Utilities (Menu 7) • 36 Disk-to-Disk/Cloning (Menu 1.1) • 22 Disk-to-File/Imaging (Menu 1.2) • 24 Drive Detection • 17 Duplicate Disk (Menu 1) • 22 E Erase Logs (Menu 8.4) • 42 Error Recovery Modes • 15 F Factory Reset (Menu 9.4) • 15 Files Created During Disk-to-File Duplication • 27 Format Dest (Menu 2.1) • 31 Format Disk (Menu 2) • 31 Format USB (Menu 2.2) • 33 H Hash Utilities (Menu 4) • 34 I Imaging Options (Menu 9.2) • 12 Initialization • 10 M Multi Pass Write (Menu 3.2) • 33 N Navigating the TD2 • 4 O One Pass Write (Menu 3.1) • 33 Opening the TD2 • 48 Overview • 20 OVERVIEW • 1 P Power Supply Issues • 46 Preconditions Checking • 28 PREFACE • 3 Print All Logs (Menu 8.3) • 42 Problems with Disk Detection • 46 R Reading the LEDs • 6 Removal of DCO and HPA Regions • 36 Remove DCO & HPA (Menu 7.1) • 36 Remove HPA (Menu 7.2) • 36 Replacing the Backup Battery for the Realtime Clock • 47 Replacing the Battery • 50 Resetting and Clearing Internally Stored Information • 42 S Sample TD2 Log • 39 Save All Logs (Menu 8.2) • 41 SETTING UP THE TD2 • 9 Setup (Menu 9) • 11 Startup Sequence • 10 Status Information • 37 Swapping Destination Hard Disks during Disk-to-File Duplication • 28 System Options (Menu 9.1) • 11 T Tableau TD2 • 2 TD2 Info (Menu 9.3) • 15 TD2 Kit Contents • 2 TD2 Menus and Options • 20 Testing the New Battery • 51 TROUBLESHOOTING AND SUPPORT • 45 Troubleshooting Common Problems • 46 U USB Keyboard Support • 6 User-Selected Startup Mode • 11 USING THE TD2 • 19 V View Logs (Menu 8.1) • 38 W Wipe Disk (Menu 3) • 33 Writing Logs to a USB Storage Device • 42
© Copyright 2026 Paperzz