Tableau® TD3 Version 1.5 User's Guide
Contents
1. [Screenshot: Profile Lock Timeout screen, with options 15 minutes, 30 minutes, 1 hour, On change of profile.] Admin Settings: Tap to make administrative changes to the TD3. Admin Settings includes the following. Change Default Profile: Tap to select the default duplication profile from the list of available profiles. [Screenshot: Select Default Profile screen.] Delete Profile: Tap to delete a profile from the profile list. [Screenshot: Delete Profile screen.] Add Profile: Tap to add a profile to the profile list. [Screenshot: Add Profile screen.] Change Profile Password: Tap to change the password of the active profile. Tap the active profile name for the list of inactive profiles. After selecting a profile, enter the administrator password and new profile password. Reenter the new password for confirmation. [Screenshot: Change Password screen.] Change Admin Password: Tap to change the administrator password. Enter the old password and new p
2. TD3 Kit Contents: The TD3 ships in a boxed kit that includes the items shown in the following table (columns: Item, Model). TD3 Forensic Duplicator. TP5: The TP5 provides power to the TD3 and most common combinations of source and destination hard disks. The TP5 uses a universal 2-pin "figure 8" style AC line cord and is compatible with 110-240V AC line voltages worldwide. The TP5 comes with multiple output adapters designed to fit various Tableau products. TDS2: Tool-less removable SATA storage module for destination SATA hard disk. Supports adding twinning functionality by stacking two TDS2 units. TDPX5: Forensic IDE expansion module to adapt to IDE source hard disks. TDPX8 RW: USB 3.0 Read/Write Expansion module allowing USB 3.0 drives to be used as a destination. TC2 8 R2: Hard disk power cable to connect IDE and some legacy-style SATA hard disks to the TD3 (3M to Molex). TC3 8: SATA signal cable to connect SATA hard disks to the TD3. TC4 8 R2: SATA/SAS power/signal cable to SATA/SAS signal and 3M power (2 pieces). This unified cable connects to newer SATA hard disks with a unified connector. TC5 8 R2: Hard disk power cable to connect 15-pin SATA power connectors to the TD3 (SATA to 3M). TC6 8: IDE signal cable to connect IDE hard disks to the TD3. Do not use the TC6 8 IDE cable to connect
3. Step 5: Determine if this iSCSI target should be used as a source or destination drive and select the appropriate option. An iSCSI target can also be bookmarked and set up to be connected automatically on startup after the active profile has been authenticated. Step 6: Scroll down to the bottom of the screen and enable the iSCSI target. An iSCSI icon displays on either the left (source) or right (destination) side of the Main Menu screen. [Screenshot: Main Menu screen.] Step 7: In cases where multiple sources or destinations are available, tap the appropriate source/destination icon and click Select as Source drive or Select as Destination drive. [Screenshot: Source Disk Info screen.] Step 8: The selected drive is designated by a green arrow on the Main Menu screen. [Screenshot: Main Menu screen.] You can now use the iSCSI target like a regular disk. For more information regarding iSCSI targets, see the iSCSI section on page 12. If an iSCSI target is set up under a profile, the TD3 prompts you for the profile password to automatically mount the iSCSI target on startup. Using a CIFS Share: Step 1: Select Settings > C
4. GUIDANCE SOFTWARE. Tableau TD3 User's Guide. Copyright 2011-Present Guidance Software, Inc. All rights reserved. EnCase, EnScript, Tableau, FastBloc, Guidance Software and EnCE are registered trademarks or trademarks owned by Guidance Software in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners. Products and corporate names appearing in this work may or may not be registered trademarks or copyrights of their respective companies, and are used only for identification or explanation to the owners' benefit, without intent to infringe. Any use and duplication of this work is subject to the terms of the license agreement between you and Guidance Software, Inc. Except as stated in the license agreement or as otherwise permitted under Sections 107 or 108 of the 1976 United States Copyright Act, no part of this work may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise. Product manuals and documentation are specific to the software versions for which they are written. For previous or outdated versions of this work, please contact Guidance Software, Inc. at http://www.guidancesoftware.com. Information contained in this work is furnished for informatio
5. The Main Menu screen of the TD3 displays a sliding icon list for initiating the various functions: Duplicate, Hash, Verify, HPA/DCO Disable, Blank Check, Format, Wipe, Logs, Settings. From the Main Menu screen, tap an icon to access a function screen. A function screen provides a set of graphic icons from which you can select options and suboptions, add and change information, or initiate a task. A button on each screen takes you back to the previous screen or to the Main Menu screen. Across the top of the display, the TD3 continually shows the chosen profile and its locked/unlocked status, the screen title, and the time. The TD3 ships with a Quick Start card that illustrates the layout of the display, connectors, and power switch on the TD3. Keep the Quick Start card with the TD3 as you familiarize yourself with its operation. Reading the LEDs. On/Off indicator LED: The top of the TD3 has one light-emitting diode (LED) indicating that the unit is turned on. DC In LED: The back of the TD3, near the power connector, has one LED indicating that the power supply is plugged in. Network Interface LED: The right side of the TD3, on the RJ-45 Ethernet connector, has two LEDs. The following table provides details for interpreting the status of these network interface card LEDs (columns: Green LED, Yellow LED). 1000 Mbps Link, No Activity: On, Off. 1000 Mbps Link, Activity: On, Blink. 100 Mbps Link, No Activity: Off, Off. 100
6. TD3 Serial Number: Shows the TD3 unit's serial number. TD3 Ethernet IP Address: Shows the IP address of the TD3's internal Ethernet port. TD3 Ethernet MAC Address: Shows the Media Access Control address on the TD3's internal network interface card Ethernet port. TDPXE Ethernet 1 IP Address: Shows the IP address of an attached TDPXE's Ethernet 1 port. TDPXE Ethernet 1 MAC Address: Shows the Media Access Control address on the attached TDPXE's Ethernet 1 network interface card. TDPXE Ethernet 2 IP Address: Shows the IP address of an attached TDPXE's Ethernet 2 port. TDPXE Ethernet 2 MAC Address: Shows the Media Access Control address on the attached TDPXE's Ethernet 2 network interface card. iSCSI Initiator: Shows the iSCSI qualified name (IQN) for iSCSI targets exposed by the TD3. NAND Hash: Shows the MD5 hash of the internal NAND flash that can be verified at www.guidancesoftware.com/tableau. Uboot Version: Shows the version of the firmware resident within the TD3. View Licenses: Shows the license agreements for various open source software packages used within the TD3. [Screenshot: Duplicator Info screen.]
7. filename.DMG instead of filename.001. All other segments have standard segment names, for example filename.002, filename.003, and so on. A LOG file is generated by the TD3 for each disk-to-file acquisition. yyyy mm dd hh mm ss is the duplication task start date/time. The next five characters (nnnnn) are generated from the internal log ID number assigned to the log by the TD3. The TTTTT in the filename refers to the type of task, as listed in the following table (columns: Type of Log Entry, Task; tasks listed: Disk to Disk Duplication, Verify Disk Image). Disk To Disk (Cloning): During disk-to-disk duplication, the contents of the subject disk are copied to the destination sector for sector. If a destination disk is not blank, the TD3 prompts for confirmation to overwrite the contents of the destination disk. This reduces the risk of overwriting valuable data. The following steps describe how to perform a disk-to-disk duplication. Step 1: Follow the steps listed in Connecting Hard Disks on page 26 and turn on the TD3. If you want two copies of the disk, you must connect two TDS2 SATA Disk Enclosures to the TD3. Step 2: From the Main Menu screen, tap Duplicate. The Duplicate screen displays. [Screenshot: Duplicate screen.]
8. [Screenshot: Windows Explorer window.] Wiping Destination Media. [Screenshot: Wipe Disk screen.] The TD3 provides three options for wiping destination media: One-pass wipe; Multi-pass wipe; Secure erase (SSD media only). Step 1: Follow the steps listed in Connecting Hard Disks on page 26 and turn on the TD3. No source disk is necessary. Step 2: From the Main Menu screen, navigate to Wipe > Settings. [Screenshots: Wipe Settings screen; Wipe Verify Setting screen.] Step 4: Navigate back to the Wipe Settings screen and tap the Wipe button. The Wipe Disk Status screen displays. [Screenshot: Wipe Disk Status screen.] Secu
10. option for either canceling the duplication or proceeding. When performing disk-to-file duplication, the TD3 checks whether the destination image directory already exists on the disk. If the intended duplication would overwrite an existing image directory, the duplication is aborted. You may either go to Settings and specify a different directory for duplication, or go to Duplication Settings and remove the existing directory in the Destination Directory navigation screen. The Verify module verifies the integrity of an existing image file. The following procedure provides the steps for verifying an image file on a destination disk. [Screenshot: Image Verify screen.] Step 1: In the Main Menu screen, navigate to Verify > Settings. [Screenshot: Verify Settings screen.] Step 2: Specify the source and path of the image file you want to verify and navigate back to the Image Verify screen. Step 3: Tap the Verify button. The Verify Status screen displays. [Screenshot: Verify Status screen.]
11. (second image). [Icon.] This icon indicates whether the target is bookmarked (first image) or not bookmarked (second image). iSCSI Login. [Screenshot: iSCSI Login screen.] Source Drive and Destination Drive: Determines whether the iSCSI target is logged in to as a source or destination drive. One must be selected. The default is Source Drive. Login Username and Login Password: If a username and password are required to log in to the target, enter them here. These fields can be optional. Bookmark Target: Set to ON to bookmark a target for future use. Connect at Startup: This option is valid only if the target has been bookmarked. If this is set to ON, as soon as you log in to the TD3 with your profile, the TD3 attempts to connect to this share in the background. Nickname: This option is valid only if the target has been bookmarked. You can enter an alphanumeric string here to give the target a nickname, displayed with the full target name. Target Enable: After verifying that all of the above options are correct, switch this to ON to begin logging in to the target. When complete, it displays the Source iSCSI Targets screen. Source iSCSI Target List. [Screenshot: Source iSCSI Targets screen.] Any t
12. 6 AM Monday - 4 PM Friday (GMT). Guidance Software offers several support options, including: Live Chat, Support Request Forms, Email, Telephone. Live Chat: From the Guidance Software Support Portal at https://support.guidancesoftware.com you can chat live with a Technical Services engineer. From the Support Portal main page, select Live Chat to connect directly to an engineer. Technical Support Request Forms: Use the Online Request Form to request assistance from a Technical Services engineer. To access the form, click Request Form (https://support.guidancesoftware.com/node/381) in the Support Portal. Note that all fields are mandatory, and filling them out completely reduces the amount of time it takes to resolve an issue. Email: Although technical support is available by email, you will receive more thorough and faster service when you use the online Technical Support Request Form available at https://support.guidancesoftware.com/node/381. To request assistance by email, send your message to technicalsupport@guidancesoftware.com. Include as much detail as possible about the issue and the best way to contact you. Telephone: Telephone technical support is available 24 hours a day, excluding weekends and holidays. All technical support calls are automatically routed to the open US or UK office. 10 PM Sunday - 7 PM Friday (US Pacific time). 6 AM Monday - 3 AM Saturday (UK time). US
13. Certificate Error: Internet Explorer displays a page similar to the following. [Screenshot: Internet Explorer certificate error page: "The security certificate presented by this website has errors. This problem might indicate an attempt to fool you or intercept any data you send to the server. We recommend that you close this webpage."] Authenticating SSL Connection: You can view the authenticity of the TD3 SSL certificate in a limited way by checking the fingerprint or thumbprint of the certificate. To do so, click View Certificate or the equivalent selection in the browser you are using. A window with the information on the certificate appears. [Screenshot: browser certificate window.] Select the Details tab and look for Thumbprint or something similar. The Thumbprint algorithm should display as sha1. On the TD3 device, select Settings from the main menu screen. Click System Settings > Web UI SSL. The SSL screen appears. [Screenshot: SSL screen showing the Common Name and the current certificate's SHA1 fingerprint.] If the fingerprints displayed by the web browser and TD3 are identica
14. Logged in Source Targets and Logged in Destination Targets: Display all the targets you are logged in to as a source or destination, respectively. iSCSI Discover. [Screenshot: iSCSI Discover screen.] Address (IP or Hostname): The IP address or hostname of the server where the iSCSI targets are located. This field is required. Discovery Username and Discovery Password: Some iSCSI servers require a username and password to perform the discovery process on them, and some do not. These may or may not be the same username and password used to log into the targets. These fields are optional. Discover: Displays the Discovered iSCSI Targets screen and a list of targets discovered on the server. Discovered iSCSI Targets. [Screenshot: Discovered iSCSI Targets screen.] Any target listed: Selecting any of the targets listed on this screen displays the iSCSI Login screen, where you can log into that share. Each target listed has two status icons in its button, shown below. [Icon.] This icon indicates whether the target is logged in (first image) or logged out
15. [Screenshot: mount dialog, with options including "Mount all volumes in readonly mode".] Step 6: Confirm that the ext has been successfully mounted by confirming the volumes on the main screen. [Screenshot: volume list.] Step 7: Using Windows Explorer, browse to the volume letter indicated (in this example, H) and browse to the evidence files. [Screenshot: Windows Explorer window.]
16. Server (DNS) and Dynamic Host Configuration Protocol (DHCP) systems. Updating the DNS and DHCP permanently associates the TD3 with the name stored in the CSR. Note: Moving the SD card to another TD3 will not allow the TD3 to keep the same name, which is usually tied to the MAC address of the Ethernet port. After you obtain the FQDN, connect a USB drive to the Read/Write USB port of the TD3 and click Make CSR. [Screenshot: confirmation dialog: "Are you sure you want to generate a CSR? If you do, it will be saved as CSR.csr to the attached USB."] This creates a CSR file on the attached USB drive. Ask your network administrator to use the CSR file to create a trusted certificate. Copy the trusted certificate to the root directory of the USB drive and rename it certificate.cert. With the USB drive connected to the Read/Write USB port on the TD3, click Load Cert. [Screenshot: SSL screen with confirmation dialog: "Are you sure you want to load a cert (certificate.cert in the base directory of the USB)?"] The new certificate will be loaded into the web UI server and used for all future communications. Navigating TD3 Modules and Options: You can navigate the various modules and options of the TD3 by sliding the module list back and forth and tapping the module icons. The following outline maps
17. Settings on page 15. Sounds: Enables audio alerts for TD3 operations. 24 Hour Time: Enables 24-hour time display for the TD3 clock. Web UI Access: Enables the web-based user interface. Date & Time: Sets the date and time for the TD3 clock. Brightness: Sets the brightness of the TD3 touchscreen display. Factory Reset: Resets the TD3 to factory default settings. Network Settings: Network Settings provides options for the following. [Screenshot: Network Settings screen.] Interface: Switches which Ethernet interface you are currently modifying the settings for. Use DHCP: Enables automatic network configuration using the DHCP protocol if turned on; otherwise you are required to enter IP address, Netmask, and Gateway values. MTU: Displays the Maximum Transmission Unit, the largest packet size the connected network can support. Contact your network administrator before switching this value from the default value of 1500. Acceptable values range from 68 to 9000. Larger values of MTU may improve performance if switches and servers on the network support it. IP Address, Netmask, and Gateway: Sets the respective values for IP address, netmask, and gateway. Consult your network administrator for these settings. Incorrect or inappropriate values can cause issues not only for the TD3 but also for other users o
18. and determine whether the case is tightly secured. Testing the New Battery: After you have securely fastened the TD3 case, return it to its normal upright position and attach just the power supply. Turn the TD3 on and observe the startup sequence. You should not see a battery warning dialog, but you will probably see a date/time warning to reset the RTC. To reset the date/time, from the TD3 Main Menu select Settings > System Settings > Date and Time. After resetting the date/time, turn the TD3 off, wait two minutes, then turn the TD3 on. The time, located in the upper right corner of the display, should be correct. Support: This section provides information on our support for you through: Technical Support, Online Support Portal, Professional Services, Training. Technical Support: Support for your Tableau product is provided by the vendor who sold the device. You can also find additional support by visiting the support pages on the Tableau Web site at www.guidancesoftware.com/tableau. The support pages contain answers to common questions, information regarding specific compatibility issues, and firmware updates for the TD3 Forensic Imager. If you purchased your device from Guidance Software, technical support is available 24 hours a day, excluding weekends and holidays. All technical support inquiries are automatically routed to the open US or UK office. 10 PM Sunday - 6 PM Friday (US Pacific time).
19. tap the View Log button to Print or Erase the log. [Screenshot: Duplication Status screen showing a completed duplication with its MD5 and SHA1 hashes.] Disk To File Duplication (Imaging): During disk-to-file duplication, the contents of the source disk are copied to the destination disk. This process creates a set of files (e01, ex01, or RAW DD) on the destination disk that you can examine on a host computer. If you format a destination disk with a supported file system, the TD3 uses that file system. Otherwise, you must format the destination disk before beginning the duplication process. To perform disk-to-file duplication: Step 1: Follow the steps listed in Connecting Hard Disks on page 26 and turn on the TD3. If you want two copies of the image and two TDS2 SATA Disk Enclosures are connected to the TD3, the TDS2 disk set must be formatted together on the TD3. Step 2: From the Main Menu screen, tap Duplicate. The Duplicate screen displays. [Screenshot: Duplicate screen.] Step 3: Tap the Settings button. The Duplication Settings screen displays. [Screenshot: Duplication Settings screen.]
20. the drive is blank. Note: A sector is considered blank if it contains only the same repeated two-byte pattern. Any non-repeating pattern is considered to be non-blank. However, each individual sector may contain different repeating patterns. If any sector is found to not be blank, the drive is not considered blank and the blank check will stop. The Fast and Smart blank check options do not perform exhaustive checks of the entire drive. It is possible for a drive to appear to be blank according to the Fast or Smart check while still storing forensically relevant information. You should treat blank source disks with some caution and use other tools, such as a Tableau write blocker, to examine the drive to determine whether it contains forensically relevant information. Formatting Destination Drives: When using disk-to-file imaging, you must format the destination drive with a file system that is recognizable by the TD3. Currently, the TD3 supports destination disks that are formatted as ext2, ext4, or exFAT. Use of ext4 is recommended for best performance, while exFAT is recommended for ease of accessing image files with Microsoft Windows. You can format USB drives connected to the read/write port on the right side of the TD3 with ext2, ext4, exFAT, or FAT32. [Screenshot: Format screen.] From the Format menu you can manually format the desti
21. Step 1: Connect the Tableau SATA Storage Module Disk Enclosure (TDS1 or TDS2) to the bottom of the TD3 by sliding the TD3 on top of the disk enclosure from left to right until it is securely connected. If you want two copies of the data, use two TDS2 SATA Disk Enclosures to allow for twinning mode. See Twinning Mode on page 29 for more information. Step 2: On the back of the TD3, connect the TP4 or TP5 power supply to the TD3 power input. Step 3: Using the appropriate line cord, plug your TD3 into an AC power source. The green DC In LED on the back of the TD3 indicates that power is available at the power connector. Confirm that the TD3 power switch is off (the Power LED will be off). For a SATA source disk, connect the drive directly to the TD3 using the appropriate cable: TC4 8 R2 SATA drive unified cable, connected to the SATA power port on the front edge. Step 6: For an IDE hard disk, attach the TDPX5 expansion module to the left side of the TD3. Connect the source disk with its signal cable to the TDPX5 signal input using the appropriate cable: TC6 8 IDE signal cable, connected to the TDPX5 IDE Expansion Module on the left side; TC2 8 R2 hard disk power cable, connected to the power connector on the side of the TDPX5 IDE Expansion Module on the left side. Step 7: Turn on the TD3 by pressing the TD3 power switch, located on the front of the unit to the lower left. The green Power LED indicates that the duplicator is turned on. Note: When connecting an ID
22. [Screenshot: Duplication Settings screen.] Step 4: Specify the following: Examiner; Case ID; Case Notes; Duplication Type (Disk to File); Destination; Destination Directory; Image Dir Naming; Image File Naming; File Format; File Size; Error Granularity; Error Retry; Verification. Step 5: Tap the Back button. The Duplicate screen displays. [Screenshot: Duplicate screen.] Step 6: Tap the Duplicate button. The Duplication Status screen displays and imaging begins. To abort the process, press the Cancel button. [Screenshot: Duplication Status screen during duplication.] Step 7: When disk duplication is complete, tap the View Log button to Print or Erase the log. [Screenshot: Duplication Status screen showing a completed duplication with its MD5 and SHA1 hashes.]
23. D3 prior to duplication. Table columns: Type; Disk to Disk or Disk to File; Explanation. Warning types listed: Source Disk HPA; Source Disk DCO; Destination Disk HPA or DCO; Destination Disk Too Small (Disk to Disk); Source Disk May Be Blank; Destination Disk Is Not Blank (Disk to Disk); Destination Disk Does Not Contain A Supported File (Disk to File). Explanations: Source Disk HPA: Reports that HPA is in use on the source disk. Note: The TD3 automatically removes HPA on the source disk. This warning serves to notify you that an HPA was present on the source disk. Source Disk DCO: Reports that DCO is in use on the source disk. The TD3 does not automatically remove DCO on the source disk. Removing DCO requires a permanent modification of the source disk. This dialog allows removal of the DCO before imaging the drive and then restores it after completion of the operation. The DCO could also be left in place for the operation, or the imaging operation could be canceled. The DCO can be manually removed before this operation using the HPA DCO Removal operation from the Main Menu screen. Destination Disk HPA or DCO: Reports that either HPA or DCO is in use on the destination disk. The TD3 does not automatically remove HPA or DCO on the destination disk. This warning serves to notify you that the duplicator will not be using the total size of the destination disk. Destination Disk Too Small: If the source disk is larger than the destination, you may opt either to duplicate the portion of the source disk
24. DS2 SATA Disk Enclosures to the TD3. Step 2: From the Main Menu screen, tap Duplicate. The Duplicate screen displays. [Screenshot: Duplicate screen.] Step 3: Tap the Settings button. The Duplication Settings screen displays. [Screenshot: Duplication Settings screen.] Step 4: Specify the following: Examiner; Case ID; Case Notes; Duplication Type (Disk to Disk); Destination Dir; Image Dir Naming; Image File Naming; File Format; File Size; Error Granularity; Error Retry; Verification. Step 5: Tap the Back button. The Duplicate screen displays. Step 6: Tap the Duplicate button. The Duplication Status screen displays and imaging begins. To abort the process, press the Cancel button. [Screenshot: Duplication Status screen during duplication.] Step 7: When disk duplication is complete
25. E source disk to the TD3, always connect the blue end of the IDE cable (TC6 2 or TC6 8) to the TD3 and the black end to the hard disk. If using a cable not supplied by Tableau, ensure that the colored stripe on the cable aligns with Pin 1 on the hard disk. Failure to do so can result in unreliable communication between the hard disk and the TD3. Connecting Notebook Hard Disks: To connect a 1.8" or 2.5" notebook hard disk, use the TC6 2 IDE signal cable in conjunction with one of the following notebook adapters: TDA5 18 1.8" notebook adapter; TDA5 25 2.5" notebook adapter; TDA5 ZIF 1.8" ZIF adapter and cables; TC20 3 2 ZIF cable for 0.2 mm ZIF connectors; TC20 3 3 ZIF cable for 0.3 mm ZIF connectors. Note: Use only the shorter TC6 2 (2") IDE cable when connecting a notebook drive adapter to the TD3. Do not use the longer TC6 8 (8") IDE cable with notebook drive adapters. ZIF drives and some notebook drives require a very short data path between the drive and the controller, so using anything except the 2" cable can result in unreliable communication between the disk drive and the TD3. Drive Detection: After initialization, the TD3 begins drive detection. Icons display on the left and right sides of the Main Menu, indicating the types of source and destination drives that have been recognized. Source drives are shown on the left side of the screen and destination drives on the right. Depending on the type of operation to be
26. Profile Management. Profile Management provides options for managing duplication profile information and privileges. You can configure each profile with default settings. The TD3 administrator can set a default profile. Profile Management includes the following options. Change Current Profile: Tap to activate a duplication profile from the list of available profiles. The factory default profile is Profile1. The default password for Profile1 is "password". Lock/Unlock Current Profile: Tap to lock or unlock the active profile using its password. You must unlock a profile before making changes to it. Change Profile Password: Tap to change the active profile's password. To change the password, enter the old password and the new password. Reenter the new password for confirmation. Change Profile Lock Timeout: Tap to set the profile lock timeout period to 15 minutes, 30 minutes, 1 hour, or when changing the profile. This time period determines how long a profile remains unlocked before the TD3 automatically locks it. An unlocked profile can be changed by any user with physical access to the TD3
27. IFS Windows File Share and enter the IP Address, Share name, username, and password for the CIFS share. 2. Slide the button on the top to turn on the CIFS Windows File Share. Note: the TD3 supports using a CIFS share as a destination only. 3. A CIFS icon displays on the right side of the main menu. If more than one destination is available, select one and enable it. A destination is designated with a green arrow. You can now use the CIFS share as a destination. Note the following restrictions: A CIFS share takes the form of a filesystem. You cannot perform a disk-to-disk duplication to a CIFS share. The Wipe, Blank Check, and Format options are not available when a CIFS share is selected as a destination. However, you can use Duplicate Disk to File and Verify with a CIFS share as the destination. Hashing. Forensic practitioners may need to calculate the hash values or fingerp
28. Language Groups: French, Arabic, German, Spanish, Japanese, Chinese, Korean. Forum Groups: User Group Consultant and Practitioner Computer Forensic Hardware Issues EnScript Forum. Product Specific Groups: EnCase Neutrino Enterprise Field Intelligence Model FIM eDiscovery. These groups are available only to customers who have purchased the respective products. Enter a group by clicking the group name. Posting to a Group. To create a new post, click the [icon] icon. Click the [icon] icon to reply to a post, or use the Quick Reply icon at the bottom of each post. Searching. The forums contain over ten years of accumulated information. Use the Search button to search for keywords, or click Advanced Search for more specific search options. Bug Tracker. Use Bug Tracker to submit and check the status and priority of submitted defect and enhancement requests. It is broken down by product, showing the current number of bugs, enhancements, and public bugs for each product. To access the Bug Tracker, click Bug Tracker in the Support Portal at https://support.guidancesoftware.com/forum/project.php.
29. Mbps Link Activity 10 Mbps Link No Off Activity 10 Mbps Link Activity No Link. Interpreting Audio Feedback. The TD3 plays one of two sounds to alert you of the end of a disk operation. There is a chime to indicate successful completion of the operation and a buzzer to indicate a failure to complete the operation. You can turn sounds off from the System Settings submenu in the Settings menu. USB Keyboard Support. You can connect a standard USB keyboard to the USB port on the right side of the TD3. Using an external keyboard can be more convenient than entering data using the touchscreen keyboard on the TD3. Remote Web Based User Interface. The TD3 has a web-based user interface capable of most of the functions that are available on the LCD display. CHAPTER 2, Setting up the TD3: Startup Sequence; Configuring the TD3; Connecting Hard Disks; Drive Detection; Twinning Mode. Startup Sequence. The TD3 is optimized for the needs of forensic practitioners and computer forensic processes. When you turn on the TD3 for the first time, an initialization screen displays for about 20 seconds, followed by a prompt to create an administrator password. The TD3 then loads the initial profile, detects any connected devices, and displays the Main Menu. The TD3 displays icons indicating connected devices, special settings, an
30. Knowledge Base. You can find answers to frequently asked questions (FAQs) and other useful product documentation in the Knowledge Base. You can also submit your own articles to help other EnCase users. To access the Knowledge Base, click Knowledge Base in the Support Portal at https://support.guidancesoftware.com/directory. From here you can browse, search, and write Knowledge Base articles. Online Technical Support Request Form. Please use the Request Form for assistance from a Technical Services engineer. To access the form, click Request Form in the Support Portal at https://support.guidancesoftware.com/node/381. Message Boards. The Guidance Software message boards are resources for the computer forensics community to exchange ideas, ask questions, and give answers. The message boards are a valuable resource for the forensic investigator. Discussions range from basic acquisition techniques to in-depth analysis of encrypted files and more. Thousands of experienced and skilled users are registered on the boards, reviewing posts every day and providing their expertise on all Guidance Software products. More information about the messa
31. Settings Logs Module. Whenever the TD3 performs an operation of forensic relevance, it creates a log entry to record that operation. The TD3 has internal flash memory with the capacity to store very large numbers of logged operations. The Logs module lets you view, print, save, and erase log entries. Viewing Logs. Tapping Logs in the Main Menu screen displays a list of the logs currently recorded in the TD3 internal flash memory. The most recent log entry is displayed at the top of this list, with the oldest log entry at the bottom of the list. The first part of each line specifies the type of entry. The second part specifies the day, date, and time. The last part specifies the result of the logged operation. Sample Log. The TD3 maintains detailed logs for each task initiated by the user. Here is a sample of an error-free log for a Disk to File acquisition: Task: Disk Image; Status: OK; Created: Thu Dec 8 11:27:18 2011; Started: Thu Dec 8 11:27:18 2011; Closed: Thu Dec 8 11:46:31 2011; Elapsed: 19 min; User: <<not entered>>; Case ID: <<not entered>>; Case Notes: <<not entered>>; Imager App: TD3; Imager Ver: Preview Release; Interface: SATA; Model: WDC WD740GD-00FLA2; Firmware r
32. T Report Button brings up the Source Disk's SMART Info for examination. (SMART Info screen showing smartctl output for the source disk.) Tapping the Save button copies this information to the log. Twinning Mode. When two Tableau TDS2 SATA Disk Enclosures are connected to the TD3, they are automatically put in twinning mode. This allows for a source to be copied to two destinations with little to no performance penalty. Occasionally, one disk might be recognized before the other disk. If this happens, wait for the second disk to be recognized. Disk Icon on the right with only one TDS2 connected. Disk Icon on the right with two TDS2s connected. Disk Information screen when in twinning mode. Tap the SATA Out ico
33. a Windows XP or higher forensic computer and have successfully installed Ext2FSD v0.51 or higher. You have a secondary hard drive that is Windows-compatible and formatted as FAT32, exFAT, or NTFS. The secondary storage drive has enough space to store all the evidence files currently on the TD3 ext2, ext3, or ext4 evidence drive. If using a FAT32-formatted secondary drive, the file size limit is 2000 MB or 2 GB per file. If the TD3 was configured to write segments (RAW DD, E01, or Ex01) larger than 2 GB, you must choose a different format. This method is recommended only for copying the files to a physical Windows-compatible secondary hard drive, not for running EnCase against the mounted ext2, ext3, or ext4 TD3 evidence drive itself. Guidance Software recommends testing these processes first before using them on live evidence. Procedure for Mounting ext Volumes. Because Ext2FSD v0.51 can parse ext2, ext3, and ext4 partitions, it can be used to view the files as long as Windows can see the physical disk of the TD3 evidence drive. You can browse to the mounted Ext partition in Windows and copy the evidence files directly to a Windows-compatible evidence drive. 1. Connect the TD3 ext2 or ext4 evidence drive to the forensic machine using a write blocker (optional but recommended). 2. If Windows asks to format the drive, click No or Cancel.
34. arate physical locations. For this situation, the TD3 supports using an iSCSI target as a source or destination disk and a CIFS share as a destination disk. The TD3 must be connected to a network before using either iSCSI or CIFS settings. Using an iSCSI Target. 1. Select Settings > iSCSI. First turn iSCSI on, then click Discover New Targets. 2. Next, enter the IP address of the iSCSI target and the username and password (optional). 3. After entering the iSCSI target information, press Discover. Some Windows servers may require that you give the TD3 access to the iSCSI share. After being successfully connected, a list of available iSCSI shares displays. 4. Click the iSCSI target.
35. arget listed. Depending on which button you selected on the iSCSI Settings screen, this screen displays all your bookmarked targets, all the targets logged in to as a source, or all the targets logged in to as a destination. Pressing any of the targets in this screen displays the iSCSI Target Options screen, where you can log in to or out of the target and edit its settings. Each target button has two status icons, as shown below. The first icon indicates whether the target is logged in (first image) or logged out (second image). The second icon indicates whether the target is bookmarked (first image) or not (second image). iSCSI Target Settings. Source Drive and Destination Drive: Determine whether the iSCSI target is logged in to as a source or destination drive. One must be selected. The default is Source Drive. Discovery Username and Discovery Password: Some iSCSI servers require a username and password for the discovery process and some do not. These may or may not be the same username and password used to log in to the targets. These fields can be optional. Login Username and Login Password: If a username and password are required to log in to the target, enter it here. These fields can be optional. Connect at Startup: If set to ON a
36. assword. Reenter the new password for confirmation. Languages. You can configure the TD3 for the following languages: English, Spanish, French, German, Brazilian Portuguese, Russian, Simplified Chinese. Information such as case notes, names, etc. can also be entered in any of these languages, with the exception of Simplified Chinese. After you select a language, the TD3 restarts in that language. In the following example, Chinese was selected, displaying the Main Menu as follows. Updating TD3 Firmware. The TD3 loads its firmware from an SD card located on the back of the unit. When a TD3 firmware update becomes available on the Tableau Web site, you can use the Tableau Firmware Update utility for Windows (TFU) to update the SD card. To remove the SD card, turn the TD3 power off, then firmly push the SD card inward and release. The SD card pops out. Gently remove the card and store it safely. Connecting Hard Disks. The following procedure provides the necessary steps for safely connecting hard disks to the TD3. This procedure applies to typical 3.5" SATA and IDE hard disks. To connect hard disks to the TD
37. ated properly in the hard disk's SATA connector. Tableau has tested the TD3 with an extensive in-house library of different hard disks spanning many years of hard disk development, but there may be compatibility issues with some hard disks. Tableau issues firmware updates to address most compatibility issues. If your hard disk is not recognized by the TD3, check the Support pages on www.guidancesoftware.com/tableau to see if any firmware updates are available for the TD3. Replacing the Backup Battery for the Real Time Clock. The TD3 uses a real-time clock (RTC) with a backup battery. The battery has a shelf life of 12-18 months. If you use the TD3 regularly, expect the battery to last longer than 18 months. As the battery discharges, the TD3 displays a low battery warning message. This section provides an illustrated procedure for replacing the RTC backup battery. Compatible Batteries. The TD3 uses an ANSI/NEDA type 5012LC battery. The following table lists common batteries compatible with this type: Manufacturer Model. Opening the TD3. It is necessary to open the TD3 case to replace the battery. You need a #1 Phillips screwdriver to open the TD3 case and a small flat-blade screwdriver to remove the battery. The following procedure describes the steps for opening the TD3. 1. Disconnect the power supply and all cables from the TD3 before opening the TD3 case. Never connect the power su
38. The Support Portal's landing page contains a section of useful links, including: Guidance Software Home Page; Download Center (to download software, hardware manuals, boot disks, support articles, etc.); My Account (to register your dongle ID to receive up-to-date software by email); NVD (National Vulnerability Database) Information and Responses; Guidance Product Version Matrix (for checking compatibility of different product versions); Hardware Recommendations for EnCase Forensic and EnCase Enterprise; Subscribe to Public Bugs. Professional Services. The Guidance Software Professional Services Division (PSD) combines world-leading computer investigation experts with world-leading forensic technology to deliver turnkey solutions to forensic investigations. Guidance Software has combined its industry-leading computer investigation technology with a team of the most highly trained and capable investigators in the world to bring you complete turnkey solutions for your business. When you face investigative issues that go beyond your n to respond either remotely or by comin
39. ccess other functions while an operation is running from the web interface. TD3 Secure Communication (HTTPS/SSL). The TD3 uses SSL to protect data transmitted over the network. The TD3 has a default self-signed SSL certificate that is not in the chain of trust of any Certificate Authority (CA). After entering the IP address of the TD3, you will receive a warning message from your internet browser similar to the page below. If you choose to ignore this warning and continue on by clicking the "Continue to this website (not recommended)" link, the browser will continue to warn that the certificate is not trusted. In Internet Explorer, you will see a Certificate error warning. Other web browsers will display similar warnings that the certificate is not trusted. In the Chrome browser, the warning will look like the one below. To view the contents of the certificate, click More Information or
40. Registration. Registration requires you to choose a unique username and password. Provide all requested information, including dongle ID, phone, email address, organization, etc. This helps us identify you as a registered owner of EnCase. You will receive an email reply within 24 hours. You must follow the link in that email before you can post on the forums. Once you have verified your email address, you are added to the Registration List. Please allow 24 business hours for your account to be approved. Once your registration is approved, you can access the Support Portal at https://support.guidancesoftware.com. The Support Portal provides an overview tutorial of the site. User, Product, and Foreign Language Forums. To access the forums, click the Forum tab in the Support Portal at https://support.guidancesoftware.com/forum. The forums allow registered users to post questions, exchange information, and hold discussions with Guidance Software and other users in the EnCase community. Several discussion groups are available, including Foreign
41. d warning messages about any detected faults. Configuring the TD3. The TD3 has a variety of options and settings you can configure and customize to your individual needs. Scroll to the right to see the Settings icon on the Main Menu screen. Tap the Settings icon to display the Settings menu. Settings. The Settings module provides selections for configuring TD3 options. System Settings: Changes the way the TD3 hardware is configured. iSCSI: Configures the iSCSI settings for the system (Source and Destination). CIFS: Configures a Windows share as a destination drive. Duplication Settings: Changes the duplication settings. Duplicator Info: Displays information about the TD3 hardware and firmware. Profile Management: Creates, edits, and deletes profiles. Language: Changes the language used for displaying text on the TD3 LCD. System Settings. System Settings provides options for the following. Start Screen: Select the default Start Screen (one-click configuration) by choosing one of the following options: Main Menu, Duplicate, Hash, Verify, Wipe. Network: Changes the settings for the Ethernet port (see Network
42. db5 Files Created During Disk to File Duplication. When performing disk-to-file duplication, or imaging, the TD3 creates files on the destination hard disk that contain the data copied from the source hard disk. Each of these files is called a segment. Segments are written to the destination disk according to the following convention: root dir; directory name; filename.E01; filename.E02; filename.E99; yyyy mm dd hh mm ss nnnnn TTTTT LOG. The directory name is the name generated by the TD3 for each separate acquisition. The directory name can be auto-generated by the TD3, or you can enter it yourself. Auto-generated names can be based on the date/time, the serial number of the source device, or the model and serial number of the source device. The filename can also be auto-generated, or you can choose to set it to a constant value. filename.001 is the first segment, or portion, of the data copied from the source disk. The segment size is a user-settable option and may also be specified in the Settings > Duplication Settings > File Size screen. When creating a DD image, you can also specify DMG naming for segments. A DMG file extension can be specified by selecting Main Menu > Settings > Duplication Settings > File Extension Setting. DMG refers to a file naming convention used by Apple operating systems. If the DMG naming option is selected the first segment is named
43. e Additionally, the format operation puts a special file on each disk to associate them as a disk set for duplication. The TD3 can wipe both drives. It wipes them one at a time. CHAPTER 3, Using the TD3: Overview; Web Based User Interface; Navigating TD3 Modules and Options; Duplicating; Hashing; Preconditions Checking; Verifying; Disabling HPA and DCO; Blank Checking; Formatting Destination Drives; Accessing ext2, ext3, and ext4 Destination Partitions in Windows; Wiping Destination Media; Secure Erasing; Logs Module. Overview. This chapter covers detailed procedures and information for using the TD3. Web Based User Interface. The following are necessary to access the web-based interface. Network connection: Connect the Gigabit Ethernet portion of the TD3 to the network switch. IP address: If the network does not have a DHCP server, set the IP address and other network parameters via the LCD interface. User profile: Change the password on the default profile to one that cannot be guessed easily. Similarly, any new profiles that are added should have a secure password. Enable Web UI access: In the Settings > System Settings menu of the TD3, set the Web UI Access to ON. Type in the IP address of the TD3 in a web browser for the web interface to become available. The IP address is visible in the Duplica
44. About this Guide. This guide presents a wide range of technical information and procedures for using the TD3. It is divided into the following chapters. Overview: Provides general information about the TD3, as well as unpacking, starting up, and navigating the TD3's menus and LEDs. Setting up the TD3: Provides system overview information about the TD3, as well as procedures for configuring and connecting the TD3. Using the TD3: Provides detailed information and procedures for TD3 operation. Expansion Modules: Describes the expansion modules that extend the product imaging and network capabilities of the TD3. Troubleshooting and Supp
45. etwork performance while supporting multiple network connections to the same or different networks. Built for high performance, ease of use, and reliability in forensic imaging applications, each module snaps in and attaches to the expansion port on the left side of the TD3. No separate power supply or cables are required. The standard TD3 kit ships with a TDPX5 IDE source and TDPX8-RW USB 3.0 output module. You can purchase the TDPX6 SAS and TDPXE Gigabit Ethernet modules separately. Contact Guidance Software or your authorized Tableau reseller for more details. TDPX5 Expansion Module for IDE Drives. The TDPX5 allows acquisition of IDE (Integrated Drive Electronics, also known as Parallel ATA or PATA) drives by the TD3 Imaging system. Using the TDPX5. 1. Connect the TDPX5 to the TD3 by sliding it into the left side of the TD3. Note: The TDS2 and TDS1 SATA storage enclosures are keyed for proper expansion module alignment. 2. Connect an IDE drive via the TC6-8 ribbon cable (blue connector goes to the TDPX5) and TC2-8-R2 power cable. 3. Power on the TD3. 4. An icon displays on the left side of the TD3 screen, indicating that an IDE drive is recognized and is ready for use. TDPX6 Expansion Module for SAS Drives. The TDPX6 allows ac
46. evision: 31.08F31; Serial number: WD-WMAKE1826691; Capacity in bytes: 74,355,769,344 (74.3 GB); Block Size: 512 bytes; Block Count: 145,226,112; Power ON Block Count: 145,226,112; HPA Block Count: 145,226,112; DCO Block Count: 145,226,112; Output file format: dd raw; Destination filename convention: Default; Chunk size in bytes: 0 (0 bytes); Chunks written: 1; Filename of first chunk: 2011 12 08 11 27 18 image 001; Total errore gt 0 7; Acquisition MD5: 3al6239739230dl3bce6 c6edc3r6ddlt; Acquisition SHA-1: blba2b21b8874fceQebtchdfvaas5bca0c 14c61721. If the TD3 detected any bad sectors on the source drive, it would have added a section at the end of the TD3 log. This additional section would list the sector address and sector length of each unreadable region of the source disk. Saving Logs. You can save all logs to a USB storage device connected to the right-side USB port. After connecting a USB storage device, tap the Save All button. Logs are saved in an ASCII text format. Use a text editor to view the logs. Writing Logs to a USB Storage Device. The TD3 can write logs to a USB storage device attached to the USB port on the right side of the TD3. 1. To see the log list, from the Main Menu screen tap Logs. 2. To save all logs in the log list, tap the Save All button, then the Browse button to specify a path. 3. You can tap the New Folder button to use the TD3's stamps for date time serial
47. g on site to provide the right technology and computer investigation personnel for the job internal capabilities our professional services group ca. Internal Investigations: Theft of intellectual property; Intrusion reconstruction; Wrongful termination suit. Compliance: Sarbanes-Oxley; PII risk assessment; California SB 1386. eDiscovery: Pending litigation; Responsive production; Forensic preservation. Information Security: Compromise of system integrity; Policy review; Unauthorized use; Forensic lab implementation. Training. Guidance Software offers a variety of professional courses for the beginner, intermediate, and advanced user of all its applications. In addition to providing a solid grounding in our software, we also provide our students with accepted best practices for investigation, report generation, and evidence preservation. Guidance Software offers courses for law enforcement agencies and organizations concerned with forensics and incident response, and gives training in advanced topics for all users. Information about all Guidance Software training offerings is available at http://www.g
48. ge boards, including information on how to join the message board, is located at http://www.guidancesoftware.com/support/messageboards.asp. Downloads. When you receive your product, register with Guidance Software to receive updates. Registration is located at https://www.guidancesoftware.com/myaccount/registration.aspx. If you have difficulties registering your product, contact Customer Service. If you have difficulties downloading the updates once registered, contact Technical Support. Other Useful Links.
49. he serial number of the source disk identifies the duplication. Serial Model Number: The model and serial number of the source disk identifies the duplication. User Defined: A predefined alphanumeric string identifies the duplication. File Format: Choose the file format for a disk-to-file duplication. DD (raw binary data): The source disk data is coded as an uncompressed bit-for-bit replica of the raw sector content. E01 (EnCase format): The source disk data is coded as a legacy EnCase evidence file. This is the default setting. Ex01 (EnCase 7 format): The source disk data are coded as an EnCase Version 7 compatible evidence file. File Size: The source segment size for a series of image files in a disk-to-file duplication. The default setting is 2 GB. Error Granularity: The granularity of failed reads. The default setting is Exhaustive, which attempts to recover data down to a single sector; otherwise the TD3 only retries at a 64-sector resolution. Error Retry: The number of times to retry a failed read. The default setting is Retry once. Verification: Enables verification of the generated image. The default setting is Off. Duplicator Info. Duplicator Info provides the following system information. TD3 F/W Version: Shows the current firmware version of the TD3. Firmware is installed on the SD card located at the back of the unit. TD3 Build ID: Shows the build identifier for this firmware
50. ings, Change Current Profile, Change Default Profile, Delete Profile, Add Profile, Change Profile Password, Change Admin Password.
Duplicating
The TD3 duplicates hard disks by either cloning or imaging them.
Disk-to-File Imaging
Imaging, also known as disk-to-file duplication, is the process of copying a source disk to a series of files on a destination disk. The TD3 supports e01, ex01 and RAW DD for disk-to-file imaging, with compression enabled on e01 and ex01. If the destination disk is smaller than the source, a RAW DD image will not fit on the destination drive. However, if using e01 or ex01, the source disk may fit on a smaller disk because these formats compress the data before writing to the destination disk. There is no guarantee that the data will be compressed enough to fit on a smaller destination drive. Use extreme caution when attempting to copy a source disk to a smaller destination disk.
Disk-to-Disk Cloning
During disk-to-disk duplication, the contents of the subject disk are copied to the destination sector for sector. If a destination disk is not blank, the TD3 prompts for confirmation to overwrite the contents of the destination disk. This reduces the risk of overwriting valuable data. The following steps describe how to perform a disk-to-disk duplication:
1. Follow the steps listed in Connecting Hard Disks on page 26 and turn on the TD3. If you want two copies of the disk, you must connect two T
51. intuitive, modular forensic imaging system using a touch screen graphical user interface. The TD3 provides many of the functions traditionally found in general purpose, IT-oriented hard disk duplicators, while also providing features and functions that serve specialized needs of the digital/computer forensic industry, including:
o Sustained data transfer rates of up to 7.2 GB/minute while performing calculations of MD5 and SHA-1 hash values (also known as fingerprints)
o Native support for SATA, USB 3.0 and FireWire hard disks from the source interface
o Additional support for SAS and IDE hard disks using expansion modules
o Native support for connecting to network storage (CIFS and iSCSI shares)
o Network-based, read-only (write-blocked) access to attached storage media
o Detailed log generation for case documentation
o Automatic blank checking of source and destination drives
o HPA and DCO support for the detection and handling of hidden/protected data areas on source drives
o Remote web-based user interface
The TD3 was designed as a flexible, modular imaging system. As shown above, the TD3 can stand alone and interface with SATA, USB 3.0 and FireWire source disks, a SATA destination disk, and network shares. You can also easily combine the TD3 with an Expansion Module and a TDS1 or TDS2 SATA Storage Module for additional capability. The TD3 is shown below connected directly to one of the Expansion Modules and the TDS2 SATA Storage Module. Overview
52. l, it is likely that communication between the two is secure and has not been intercepted by a third party. If the numbers do not match, the connection is not secure and has been compromised.
Self-Signed Certificate
You can create a self-signed SSL certificate on the TD3 or other systems without the need for a CA. However, your browser will warn you that the connection is not guaranteed to be secure, because these certificates do not have a chain of trust to a verifiable CA. You can create a new self-signed certificate from the TD3 at any time. To create a self-signed certificate, click Make Self Signed from the SSL panel.
[Screenshot: SSL panel with the Common Name field (td3.example.com), the overwrite confirmation prompt, and the Back, Make Self Signed, Make CSR and Load Cert buttons]
This creates a new public and private key that is used to encrypt and decrypt data. Creating a new self-signed certificate irreversibly removes any previous certificate that was installed on the system, so proceed with caution.
Trusted Certificate
With the help of your network administrator, you can load a trusted certificate into the TD3. This involves creating a Certificate Signing Request (CSR), which your network administrator can use to create the trusted certificate. Ask your network administrator for the TD3's fully qualified domain name (FQDN), which should be added to the appropriate Domain Name
53. [Screenshot: Verify Status screen, verification in progress]
4. When image verification is complete, click the View Log button.
[Screenshot: Verify Status screen showing "Verify complete" with the MD5 and SHA-1 values]
Disabling HPA and DCO
The TD3 automatically detects the use of the ATA HPA (host protected area) and DCO (device configuration overlay) feature sets. Both HPA and DCO feature sets can be used to reduce the apparent capacity of a hard disk. From a forensic point of view, it is valuable to know if HPA or DCO are in use. With that knowledge, the forensic practitioner can make an informed decision about whether or not to acquire data in the hidden regions of the drive. You can disable HPA without making a permanent modification to the drive, so the TD3 automatically disables HPA on any hard disk connected to the source side of the duplicator. It is not, however, possible to disable DCO without making a permanent modification to the hard disk. For this reason, the TD3 does not automatically disable DCO on the source hard disk. The TD3 never makes automatic changes to HPA and DCO on a destination hard disk. The TD3 is designed to give the forensic practitioner complete cont
54. n Menu Settings
3. Tap the Settings button. The Duplication Settings screen displays.
[Screenshot: Duplication Settings screen]
4. Specify the following:
a. Examiner
b. Case ID
c. Case Notes
d. Duplication Type: Disk to Disk
e. Destination Dir
f. Image Dir Naming
g. Image File Naming
h. File Format
i. File Size
j. Error Granularity
k. Error Retry
l. Verification
5. Tap the Back button. The Duplicate screen displays.
6. Tap the Duplicate button. The Duplication Status screen displays and imaging begins. To abort the process, press the Cancel button.
[Screenshot: Duplication Status screen, duplication in progress]
7. When disk duplication is complete, tap the View Log button to Print or Erase the log.
[Screenshot: Duplication Status screen showing "Duplication complete" with the MD5 and SHA-1 values]
Duplication Over a Network
Sometimes it is safer or easier to have source or destination disks in sep
55. n the network.
Apply Settings: Applies network settings to the configuration of the Ethernet port.
iSCSI
iSCSI Settings provide selections for the following options:
[Screenshot: iSCSI Settings screen]
iSCSI: Enables or disables iSCSI capabilities. When set to OFF, all TD3 iSCSI functionality is disabled.
Export Source Drive: Enables or disables iSCSI sharing of SATA, IDE, USB and FireWire source drives connected to the TD3. When these options are set to ON, the source/destination disk physically attached to the TD3 is exported as a read-only iSCSI target. This allows a remote computer to connect to these disks over iSCSI.
Note: For additional information on setting up an iSCSI initiator, see the Microsoft TechNet article at http://technet.microsoft.com/en-us/library/ee338476(v=ws.10).aspx.
Export Destination Drive: Enables or disables iSCSI sharing of SATA destination drives connected to the TD3 as read-only iSCSI targets.
Discover New Targets: Displays the iSCSI Discover screen. This initiates the process of discovering targets on a remote machine and logging into them.
Bookmarked Targets, Logged in Source Targets, and Logged in Destination Targets: Displays the iSCSI Target List screen and a list of targets.
o Bookmarked Targets displays all the targets currently bookmarked, whether they are logged in or not.
o
56. n to view this fim
[Screenshot: Destination Disk Info screen for a SATA Disk Set (Disk Count 2)]
Scroll down to see information about the individual drives connected.
[Screenshot: Destination Disk Info screen listing model, revision, serial and capacity for Disk One and Disk Two]
The following table highlights the differences that are encountered when in twinning mode.
Duplicate: The source drive will be copied to both SATA drives in the TDS2 enclosures. Both destination drives can then be used on separate machines, and the resulting images (not necessarily disks) will have identical hashes. In cases where drives do not have matching storage capacities, the smaller drive will limit the amount of data that can be copied. A format must be done before a disk can be duplicated to the destination disk set.
Format: Both drives will be formatted at the same time, and the maximum size will be dependent on the smaller drive. For example, if you run format on a 1000GB and 500GB drive, each drive will have one 500GB partition. The 1000GB drive would then be left with 500GB of unused spac
58. nation disk.
1. In the Main Menu screen, navigate to Format > Settings.
2. Specify settings for Partition Table and Filesystem.
Note: Microsoft Windows can use non-removable drives only if they have a partition table.
3. Navigate back to the Format screen and tap the Format button. The formatting task begins.
[Screenshot: Format screen showing "Format completed"]
Accessing ext2, ext3 and ext4 Destination Partitions in Windows
One method of accessing the evidence files written to the destination drive is by connecting the destination drive to a host computer using a Tableau write blocker. Microsoft Windows does not natively support ext partitions. Therefore, you must use a third-party driver when accessing the files on a destination drive which has an ext2, ext3 or ext4 partition created using disk-to-file imaging on the TD3. This section describes how to use a free, open source application and driver called Ext2FSD to mount the ext2, ext3 or ext4 TD3 evidence drive from Windows. You can download the application and driver from the Ext2Fsd Project site: http://sourceforge.net/projects/ext2fsd/files/Ext2fsd/0.51
Prerequisites, Assumptions and Limitations
o You have successfully created e01, ex01 or RAW DD images on the evidence storage drive using the TD3.
o The TD3 does not contain any error messages, reader threads, read errors or write errors in the logs or the display.
o You have
59. nected to two additional Ethernet networks. Performance of the TDPXE module is superior to the built-in Gigabit Ethernet port when used with switches and servers that support Jumbo Packets.
[Image: Tableau TDPXE Gigabit Ethernet Protocol Module]
Using the TDPXE
1. Connect the TDPXE to the TD3 and slide it into the left side of the TD3.
2. Connect one or more of the RJ45 ports to your network or networked device.
3. Turn on the TD3.
4. Navigate to the network settings screen and set up each of the network ports as needed. Consult with the network administrator before connecting this system to a network, or if you need help with the settings necessary to use this module correctly.
[Screenshot: Network Settings screen showing Interface, Use DHCP, MTU 1500 and Apply Settings]
CHAPTER 5 Troubleshooting and Support
> Troubleshooting Common Problems
> Support
Troubleshooting Common Problems
This section covers the following troubleshooting issues and solutions:
o Power supply issues
o Problems with disk detection
o Replacing the backup battery for the real-time clock
Power Supply Issues
The power supply provided with the TD3 is capable of powering the TD3 and nearly all combinations of one, two or three hard disks. The TD3 also employs staggered power sequencing for the source and de
61. notebook drive adapters to the TD3. Use the shorter TC6 2 IDE cable, shown with the TKA5 AD adapter pack below.
TC7 6 6 6 pin FireWire cable to connect FireWire storage media devices as source disk.
TCA7 6 9 FireWire cable adapter to adapt from 1394A 6 pin to 1394B 9 pin. Used to connect FireWire devices with 1394A 6 pin connectors.
TC USB3 18 USB 3.0 cable (A to B) to connect USB 3.0 storage media as source disk.
TC3 22 18 Unified SATA cable, 22 pin male to 22 pin female, to connect a destination SATA hard disk. Used when imaging to a bare SATA hard disk instead of to TDS1/TDS2.
TDA Multipack Adapter pack for notebook hard disks. Includes TC6 2, TDA3 1, TDA3 2, TDA3 LIF with 2 LIF cables, TDA5 18, TDA5 25 and TDA5 ZIF with TC20 BNDL cables in a black TB4 bag.
TQS TD3 Quick Start card for TD3 kit.
Do not discard the foam packaging, as it is designed to fit several industry-standard hard-sided carrying cases. If you received the TD3 kit in the cardboard box shipped by Tableau, you can buy a hard-sided case and reuse the foam insert directly in that case.
Navigating the TD3
Use the TD3's touchscreen display to navigate from module to module and choose or modify options. Use the touchscreen keyboard or a USB keyboard (see USB Keyboard Support on page 12) to enter alphanumeric text when prompted.
[Screenshot: Main Menu screen]
62. number or model number. Use a keyboard or the touchscreen to enter a folder name manually. After you specify a path for your logs, tap OK to get back to the Save Logs screen.
5. Tap the Save Logs button to save all logs in the log list.
Printing Logs
You can print logs to a USB printer attached to one of the TD3 USB ports. After connecting a USB printer to one of the TD3 USB ports, tap a log in the Log List, then tap the Print button. The TD3 is compatible with USB printers which support the USB Printer Class Specification. The USB printer must support raw ASCII printing.
Erasing Logs
You can erase logs by tapping a log in the Log List and tapping the Erase button. You can erase all but the 20 most recent logs by pressing the Delete Old button on the Log List.
CHAPTER 4 Expansion Modules
> Overview
> TDPX5 Expansion Module for IDE Drives
> TDPX6 Expansion Module for SAS Drives
> TDPX8 RW USB 3.0 Expansion Module for USB Destination Drives
> TDPXE Gigabit Ethernet Expansion Module
Overview
This chapter describes the Tableau TD3 expansion modules, which extend imaging and network capabilities in an easy to connect and use manner. The TDPX5 and TDPX6 expansion modules support forensic imaging of IDE and SAS storage devices, respectively. Users desiring the convenience of imaging to USB 3.0 devices can use the TDPX8 RW module. The TDPXE Gigabit Ethernet module improves n
63. office hours are Monday to Thursday, 5 AM to 10 PM Pacific time; Friday, 5 AM to 7 PM Pacific time.
Telephone: 626 229 9191, Option 4
Fax: 626 229 9199
1055 East Colorado Boulevard, Pasadena, CA 91106
UK Office hours are Monday to Friday, 6 AM to 4 PM UK time.
Telephone: 44 0 175 355 2252, Option 4
Fax: 44 0 175 355 2232
Thames Central, 5th Floor, Hatfield Road, Slough, Berkshire, UK SL1 1QE
For your convenience, the following numbers are provided to our English-based support:
Germany: 0 800 181 4625
China: 10 800 130 0976
Australia: 1 800 750 639
Hong Kong: 800 96 4635
New Zealand: 0 800 45 0523
Japan: 00 531 13 0890
Online Support
Guidance Software offers a Support Portal to our registered users, providing technical forums, a knowledge base, a bug tracking database, and an Online Request form. The portal gives you access to all support-related issues in one site. This includes:
o User, product, beta testing, and foreign language forums (message boards)
o Knowledge Base
o Bug Tracker
o Technical Services Request form
o Downloads of previous software versions, drivers, etc.
o Other useful links
Although technical support is available by email, you will receive more thorough and faster service when you use the online Technical Support Request Form: https://support.guidancesoftware.com/node/381. Note that all fields are mandatory, and filling them out completely reduces the amount of time it takes to resolve an issue. Tr
64. ort: Provides a brief list of potential problems and solutions. For more complete and current troubleshooting information, as well as answers to frequently asked questions (FAQ), visit the Tableau web site at www.guidancesoftware.com/tableau.
Disk Capacity and Transfer Rate Measurement Conventions
The computer industry generally adheres to two different conventions for the definitions of the terms megabyte (MB) and gigabyte (GB). For computer RAM, 1 MB is defined as 2^20 = 1,048,576 bytes and 1 GB is defined as 2^30 = 1,073,741,824 bytes. For disk storage, 1 MB is defined as 10^6 = 1,000,000 bytes and 1 GB is defined as 10^9 = 1,000,000,000 bytes. These two conventions are known as "powers of two" and "powers of ten", respectively. Microsoft deviates from the hard disk capacity measurement convention and uses the powers of two convention for its operating systems. Tableau reports disk capacities and transfer rates according to the industry-standard powers of ten convention. In TD3 screens, reports and documentation, a 4 GB hard disk stores up to 4,000,000,000 bytes; a hard disk with a 150 MB/sec transfer rate transfers 150,000,000 bytes per second.
CHAPTER 1 Overview
> Tableau TD3
> TD3 Kit Contents
> Navigating the TD3
> Reading the LEDs
> Interpreting Audio Feedback
> USB Keyboard Support
> Remote Web-Based User Interface
Tableau TD3
The Tableau TD3 is a powerful
65. If you do not have access to the Support Portal, use the Support Portal registration form: https://support.guidancesoftware.com/forum/register.php?do=signup
[Screenshot: Guidance Software Support Portal]
66. performed, you must select a source or destination drive before an operation can be performed. Operations that require a source drive require that a single source is selected if more than one source drive is present. Similarly, operations that require a destination require that a single destination be selected if more than one destination is available. If there is only one source or destination, it is automatically selected and used.
[Screenshot: Main Menu screen]
Tapping a drive icon on the left (source) or right (destination) of the Main Menu displays additional information about the drives connected.
[Screenshot: Destination Disk Info screen showing description, model, disk count, filesystem type, capacity, in use and free space]
[Screenshot: Source Disk Info screen showing source, model, revision, serial number, capacity, sector size and capacity in sectors]
On the bottom of the Source Disk Info screen is a View SMART Report button.
[Screenshot: Source Disk Info screen scrolled to the Supports Smart field and the View SMART Report button]
Tapping the View SMAR
67. pply or operate the TD3 when the case is open.
2. Remove the SD card from the rear of the TD3.
3. Turn the TD3 upside down on a clean work surface.
4. Remove the four case screws and set them aside. The SATA connector on the bottom of the TD3 is a tight fit. This prevents you from lifting the rear half of the case in a straight direction.
5. Carefully lift the rear half of the plastic case away from the TD3, pulling it toward you while gently pressing down on the SATA connector. Keep the TD3 secure on your work surface. Lifting or tilting the TD3 might move the main circuit board or loosen a connector and cause a system failure.
6. Carefully set the rear half of the TD3 case aside.
Replacing the Battery
1. Using the flat-blade screwdriver, pry the battery gently from the battery holder.
2. Using a compatible battery, replace the RTC backup battery. For a list of compatible batteries, see Compatible Batteries.
Note: Make sure the positive terminal of the battery is facing upward.
Closing the TD3
To replace the TD3 case:
1. Gently lower the rear case into position; pay particular attention to the SATA connector on the circuit board connected to the main PCB. Tilt the bottom edge of the rear case into position.
2. Ensure that the case and main circuit board are aligned, and replace the four case screws. The four screws that hold the TD3 case together also secure the main circuit board.
3. After replacing the four case screws, inspect the TD3
68. quisition of SAS (Serial Attached SCSI) drives by the TD3 Imaging system.
[Image: Tableau TDPX6 SAS Protocol Module]
Using the TDPX6
1. To connect the TDPX6 to the TD3, slide it into the left side of the TD3.
2. Connect an SAS drive via the TC4 8 R2 cable.
3. Turn on the TD3.
[Screenshot: Main Menu screen]
4. An icon displays on the left side of the TD3 screen, indicating that an SAS drive is recognized and is ready for use.
TDPX8 RW USB 3.0 Expansion Module for USB Destination Drives
The TDPX8 RW allows use of USB 3.0 storage media as a destination drive for the TD3 Imaging system. TDPX8 RW is a read/write expansion module, as denoted by its bold yellow labeling.
Using the TDPX8 RW
1. Connect the TDPX8 RW to the TD3 and slide it in to the left side of the TD3.
2. Connect a USB drive via the TC USB3 18 cable to the TDPX8 RW module. If the drive's power requirements exceed that of the USB 3.0 specification (5V, 900mA), use an external power source.
3. Turn on the TD3.
[Screenshot: Main Menu screen]
4. An icon displays on the right side of the TD3 screen, indicating that a USB drive is recognized and is ready for use as a destination drive.
TDPXE Gigabit Ethernet Expansion Module
The TDPXE allows the TD3 imaging system to be con
69. rd disks should be set for Master or Single Drive.
Problem: TD3 does not detect a 3.5" IDE hard disk.
Corrective action: You can connect typical 3.5" IDE hard disks to the TD3 using either the 8" TC6 8 IDE cable or the 2" TC6 2 cable. In either case, you must connect the blue end of the IDE cable to the TD3. Hard disk does not spin up. You must not use an IDE cable longer than 8" with the TD3. Always use the Tableau-provided, high quality, 80 conductor TC6 8 or TC6 2 cable.
Problem: TD3 does not detect a notebook IDE hard disk.
Corrective action: When using one of the notebook drive adapters provided with the TD3 (model TDA5 18, TDA5 25 or TDA5 ZIF), you must always use the 2" TC6 2 IDE cable. When using a notebook drive adapter, do not use the 8" TC6 8 IDE cable or any non-Tableau IDE cable. When using notebook drive adapters, you must connect the blue end of the TC6 2 IDE cable to the TD3, and you must connect the black end of the cable to the notebook drive adapter.
Problem: TD3 does not detect a ZIF-style notebook IDE hard disk.
Corrective action: There are several models of ZIF hard disks. When using the TDA5 ZIF kit provided with the TD3, refer to the Support pages on www.guidancesoftware.com/tableau for documentation regarding the proper selection and orientation of ZIF cables.
Problem: TD3 does not detect a SATA hard disk.
Corrective action: Use only the 8" TC3 8 SATA cable provided by Tableau. With some SATA hard disks, the SATA connector may be loose. Ensure that the TC3 8 cable is se
70. re Erasing
Secure Erase completely deletes all data on a solid state drive (SSD). This operation usually takes less than ten seconds. The Secure Erase option displays in all TD3 settings, but works only on SSDs that support it. The TD3 does not support Secure Erase on rotating hard disk drives. Many manufacturers of rotating media hard disks claim they support Secure Erase, but not all implement this feature properly. A hard disk may be rendered permanently inoperable when this feature is improperly implemented or if the command is interrupted.
If you attempt to use Secure Erase on a drive that does not support it, the following dialog displays:
[Wipe Disk dialog: "You have selected the Secure Erase wiping method, but this drive does not support the commands necessary for Secure Erase. Press Single Pass Wipe to erase the disk with a single pass, or press Cancel to change the disk wiping settings."]
If you attempt to use Secure Erase on a rotating media hard drive that claims to support this feature, the following dialog displays:
[Wipe Disk dialog: "The Secure Erase method is available for solid state disks only. Press Single Pass Wipe to erase the attached disk with single pass wipe, or press Cancel to quit."]
71. rints for a source disk without making a copy of the disk. The TD3 Hash module generates MD5 and SHA-1 hash values for a source disk. To calculate hash values for a source disk, tap the Hash icon from the Main Menu screen, and in the Hash screen tap the Hash button. You can cancel the hashing operation at any time by tapping the Cancel button.
[Screenshot: Hash Status screen, hashing in progress]
If the source disk has an HPA-protected region, the TD3 automatically disables the HPA before performing the hash calculation. The TD3 functions the same way during duplication. If you compare the hash values produced when duplicating a disk and when using the Hash module, the results should be the same. When the hashing operation is finished, tap the View Log button to view the MD5 and SHA-1 hash results at the bottom of the log.
Preconditions Checking
Before starting a Disk-to-Disk or Disk-to-File duplication, the TD3 automatically checks for a number of preconditions. Some preconditions are warnings, and you can choose to continue or cancel after viewing each one. Some preconditions are fatal and require that the duplication process be aborted. One condition pauses the process and prompts you to intervene. The following table summarizes the preconditions checked by the T
73. rol over the destination hard disk. If you choose to restrict the destination drive capacity using HPA or DCO, the TD3 will not override that decision. The options within the HPA and DCO Removal screen allow you to permanently disable the DCO and HPA on the source hard disk under user control. You can access this module by tapping HPA/DCO Disable in the Main Menu screen.
Removing HPA and DCO
You cannot remove a DCO-protected region on a hard disk without also removing any HPA-protected region. If you want to permanently remove both the HPA and DCO on the source hard disk, use this option.
Blank Checking
The Blank Check module does a quick blank check on the source drive.
[Screenshot: Blank Check screen with the Fast, Smart and Complete options]
To do a blank check, tap the Blank Check icon in the Main Menu screen and select Fast, Smart or Complete (described in the following table). After selecting a blank check option, tap the Blank Check button on the right to begin the blank check.
Fast: Quickly checks to determine if the disk appears to be blank by reading in and checking the sectors in the Master Boot Record, the Primary GPT and the Secondary GPT.
Smart: Fast, and reads in 10% of the available sectors randomly to determine whether they are blank.
Complete: Reads in 100% of the available sectors to check if
74. s soon as you log in to the TD3 with your profile, the TD3 attempts to connect to this share in the background.
Nickname: You can enter a string here to give the target a nickname, displayed with the full target name.
Duplication Settings
Duplication Settings provides options for the following:
Examiner: The name of the case examiner.
Case ID: The case ID number.
Case Notes: Miscellaneous information about the case or duplication process, for future reference.
Duplication Type: Either Disk to File (imaging) or Disk to Disk (cloning) duplication. The default is Disk to File.
Destination Dir: The path on the destination disk for a disk to file duplication.
Image Dir Naming: The directory naming convention for a collection of disk to file duplications.
o Date Time: A time stamp identifies the directory. This is the default setting.
o Serial Number: The serial number of the source disk identifies the directory.
o Serial Model Number: The model and serial number of the source disk identifies the directory.
Image File Naming: The file naming convention for a disk to file duplication.
o Date Time: A time stamp identifies the duplication. This is the default setting.
o Serial Number T
75. stination hard disks. With staggered sequencing, power is first provided to one hard disk as it spins up, then to the second hard disk as it spins up, and finally to the third hard disk. It is normal to hear the source and destination drives spin up separately. During power-on initialization and self-test, the TD3 checks the output voltages of the power supply. If the voltage is below the minimum specification, the TD3 displays a warning. There is a green DC power LED on the rear edge of the TD3, next to the female DC power barrel connector. If the power supply is connected properly to the TD3 and to AC power, the green LED illuminates. If you are having difficulty turning the TD3 on, check the status of the DC power LED to ensure that the TD3 is receiving power from the power supply.
Problems with Disk Detection
When using a product like the TD3, the most common problem you may encounter is a failure to achieve drive detection. Most drive detection problems are the result of improper cabling. The following table lists the most common drive detection problems and corrective actions.
Corrective Action: Check the power connection between the TD3 and the hard disk. Be especially careful to ensure that the 4-pin power connectors are properly seated in the connectors on the TD3 and on the hard disk if using cable model TC2 8. The blue connectors should be fully inserted, not loose, in the TD3 and hard disk. TD3 does not detect an IDE hard IDE ha
76. that will fit on the destination or to cancel the duplication.
The TD3 checks selected sectors on the source disk by looking for non-blank data patterns. If all of the checked sectors appear to be blank, the TD3 warns that the source may be blank. This does not mean that the source is blank, but it could mean that either the source has been partially wiped or an ATA password has been set for the source drive.
The TD3 checks selected sectors on the destination disk, looking for non-blank data patterns. If the destination disk is not blank, it could be unintentionally overwritten. This warning provides the opportunity to abort the duplication.
When performing disk to file duplication, the TD3 requires a supported file system. If the destination disk already contains a supported file system, the TD3 proceeds with duplication without overwriting existing files. If the destination disk does not have a supported file system, the TD3 aborts the duplication. You may either manually switch the destination disk or format the destination disk with the Format module on the Main Menu screen.
When performing disk to file duplication, the TD3 checks the available space on the destination disk. If the content of the source exceeds the capacity of the destination, the TD3 issues a warning and provides an
77. the TD3 module options structure. Main Menu Screen Duplicate o Settings Hash Examiner Case ID Case Notes Duplication Type Destination Dir (disk to file only) Image Dir Naming (disk to file only) Image File Naming (disk to file only) File Format (disk to file only) File Size (disk to file only) Error Granularity Error Retry Verification o Settings Verify Examiner Case ID Case Notes Error Granularity Error Retry o Settings Examiner Case ID Case Notes Path HPA DCO Disable Blank Check Format o Settings Partition Table Filesystem Wipe o Settings Examiner Case ID Case Notes Disk Wipe Mode Verification Mode Logs o Delete Old o Save All Settings o System Settings Start Screen Network o Sounds 24 Hour Time Date & Time Brightness Factory Reset Duplication Settings Examiner Case ID Case Notes Duplication Type Destination Dir (disk to file only) Image Dir Naming (disk to file only) Image File Naming (disk to file only) File Format (disk to file only) File Size (disk to file only) Error Granularity Error Retry Verification Duplicator Info Profile Management Change Current Profile Unlock Current Profile Change Profile Password Change Profile Lock Timeout On change of profile o Admin Sett
78. tor Info screen. The web interface will attempt to connect over the HTTP port but will then be rerouted to the secure HTTPS port. Use the profile name and password methodology mentioned above to log in to the system. See below for details on the SSL (Secure Sockets Layer) based HTTPS connection used by the TD3 to protect all communication between the TD3 and the web browser.
Once you log in, the main screen, similar to the one on the TD3 LCD, appears. Almost all functionality on the LCD is available through this web-based user interface, which behaves in the same manner as the LCD interface. If the font size is too large or small and needs to be modified:
Using a mouse with a wheel, hold down the CTRL key and turn the wheel to increase or decrease the font size.
Using a mouse without a wheel, hold down the CTRL key and press + or - to change the font size. Press 0 to reset the font back to the default size.
Note: As seen below, the status of operations initiated from the web interface can be viewed from the TD3 LCD. These operations may be canceled from either interface, but normal navigation from the LCD is not possible while an operation is underway. A yellow transfer icon at the top of the web interface indicates an operation is in progress on the LCD. Clicking this icon allows users to view the operation. Simultaneous operations are not permitted by the TD3, but users may browse logs, view drive information or a
79. uidancesoftware com computer forensics training htm
Index
A: About this Guide 4; Accessing ext2, ext3 and ext4 Destination Partitions in Windows 59; Authenticating SSL Connection 37
B: Blank Check 57; Blank Checking 57
C: Closing the TD3 80; Compatible Batteries 79; Configuring the TD3 14; Connecting Hard Disks 26; Connecting Notebook Hard Disks 26
D: Disabling HPA and DCO 57; Disk Capacity and Transfer Rate Measurement Conventions 4; Disk to Disk Cloning 42; Disk To Disk Cloning 42, 48; Disk To File Duplication Imaging 44; Disk to File Imaging 42; Drive Detection 27; Duplicate 42; Duplicating 42; Duplication Over a Network 49; Duplication Settings 18; Duplicator Info 21
E: Email 81; Erasing Logs 68; Expansion Modules 69
F: Files Created During Disk to File Duplication 46; Format 58; Formatting Destination Drives 58
H: Hash 53; Hashing 53; HPA DCO Disable 57
I: Interpreting Audio Feedback 12; iSCSI 16; iSCSI Discover 17
L: Languages 25; Live Chat 81; Logs 66; Logs Module 66
N: Navigating TD3 Modules and Options 40; Navigating the TD3 10; Network Settings 15
O: Online Support 82; Opening the TD3 80; Overview 5, 34, 70
P: Power Supply Issues 78; Preconditions Checking 53; Preface 3; Prerequisites, Assumptions and Limitations 59; Printing Logs 68; Problems with Disk Detection 78; P
80. you can use it. Do you want to format a
3. Confirm that Windows can see the physical drive in Drive Management.
[Screenshot: Windows management console listing the physical drives and their partitions]
5. Click Start to start the mounting service. Click Apply to close the dialog box.
[Screenshot: Service Management dialog]