Tableau TX1 - incorrect acquisition dates reported

 
  

benhy
Newbie
 

Tableau TX1 - incorrect acquisition dates reported

Post Posted: Jun 05, 18 08:15

Is anyone else using Tableau TX1s for imaging? We bought 3 recently as upgrades to our TD3s, but have encountered a serious problem when imaging hard drives during our validation tests. The 'acquisition date' is being reported in X-Ways (19.5 and 19.6) as either some time in the 17th century or just '?', and FTK Imager gives 01/01/1980. This is consistent across all the TX1s with a few different disks, none of which had a problem on the TD3s. EnCase 8 and ewfinfo give the correct date. We're imaging to E01.

If it was just one software tool then I'd dismiss it as a problem with that, but for two to be doing it seems to indicate a problem with the way the TX1 is storing the date. Has anyone else noticed this issue?

Our supplier is speaking to Guidance for us but if it's not resolved soon we're going to have to send them back.  
 
  

thefuf
Senior Member
 

Re: Tableau TX1 - incorrect acquisition dates reported

Post Posted: Jun 05, 18 09:07

- benhy
Our supplier is speaking to Guidance for us but if it's not resolved soon we're going to have to send them back.


Also, don't forget to send all TD3 units back. Guidance Software (now OpenText) wasn't able to fix the issue with a TD3 unit writing to a suspect drive through a "write blocked" port for more than a year.  
 
  

athulin
Senior Member
 

Re: Tableau TX1 - incorrect acquisition dates reported

Post Posted: Jun 05, 18 16:53

- benhy
The 'acquisition date' is being reported in X-Ways (19.5 and 19.6) as either some time in the 17th century or just '?', and FTK Imager gives 01/01/1980.


'Some time in the 17th century' is too imprecise to be of any use. What is the expected time stamp, and what is the observed one?

However ... as you state that EnCase 8 and ewfinfo give you the correct date ... I don't clearly see that you have grounds for complaint against Tableau TX1 alone. You have not shown that the problem is not with X-Ways or with FTK-Imager.

If the E01 files follow the Expert Witness format documented, the acquisition date should be somewhere after byte 76 in the 'header' section, and look something like "2002 3 4 10 19 59" (for March 4, 2002 10:19:59). It should be followed by a 'system date'.

If that's reasonably close to what you have in the E01 file, there's no excuse for any tool to mistranslate it. But note that in this case it's the tool that mistranslates, not Tableau.

If you have a malformed time stamp ("0000 0 0 00 00 00" or "2018 14 15 34 56 89") there may be some reason to put the blame on Tableau for not producing a correct timestamp, but a fairly large portion of blame must also rest with the tools for not catching and reporting the illegal timestamp in the first place.

If you have something else entirely, you may have an Ex01 file -- I know nothing about that format.

On the assumption that ewfinfo gets things right (it seems to support Ex01), your problem seems to be not with Tableau, but with X-Ways and FTK Imager.

- benhy
If it was just one software tool then I'd dismiss it as a problem with that, but for two to be doing it seems to indicate a problem with the way the TX1 is storing the date. Has anyone else noticed this issue?


This happens to be one of my favourite problems with forensic tools -- mistranslation of time stamps, that is, not lack of support for E01 or Ex01. And yes ... you'll find it all over the place if you have the right tools to detect it. (If you are validating X-Ways and FTK Imager and other tools, you might be interested in sourceforge.net/projec...est/files/ -- though perhaps more for information and approach to tests -- or possibly articles.forensicfocus...imestamps/ even though it refers to file timestamps not acquisition time stamps. Still, the documented mistranslations may show that the basic problem is not isolated.)

- benhy
Our supplier is speaking to Guidance for us but if it's not resolved soon we're going to have to send them back.


I would be interested to know the outcome. Myself, I suspect that as EnCase 8 and ewfinfo both get the dates right, your quarrel may not be with Guidance/Tableau.
 
  

athulin
Senior Member
 

Re: Tableau TX1 - incorrect acquisition dates reported

Post Posted: Jun 06, 18 09:44

- athulin
If you have something else entirely, you may have an Ex01 file -- I know nothing about that format.


And, as I trusted a note somewhere that registration was necessary to obtain the specification, I didn't investigate further.

However, I see that the specification is available from Guidance, from the support page, without any registration.

It makes clear that the time specification is a 'Date' which is '[a]n Integer32 with the number of seconds since January 1, 1970.' It's still in textual form, but now it seems to be in Unicode. Still, it should be possible to inspect the files for the 'raw' timestamp, and then convert it into a legible format manually or by the use of a trusted tool. (DCode might work ... but I haven't tested it enough to trust it for anything serious.)  
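
Added example (not part of athulin's posts, and not code from any tool named in the thread): a strict check for the two timestamp forms described above, the six-field E01 header date and the Ex01 seconds-since-1970 value, that reports an illegal value instead of translating it into a default date. It assumes the raw value has already been located in the image header and decoded to text; the function names are hypothetical.

```python
from datetime import datetime, timezone

INT32_MAX = 2**31 - 1  # largest value a signed Integer32 can hold


def parse_header_date(raw: str) -> datetime:
    """E01 header form: 'YYYY M D h m s', e.g. '2002 3 4 10 19 59'.

    The value carries no time zone, so a naive datetime is returned.
    """
    fields = raw.split()
    if len(fields) != 6 or not all(f.isascii() and f.isdigit() for f in fields):
        raise ValueError(f"expected six decimal fields, got {raw!r}")
    try:
        return datetime(*map(int, fields))
    except ValueError as exc:  # month 14, second 89, year 0, ...
        raise ValueError(f"illegal timestamp {raw!r}: {exc}") from None


def parse_epoch_date(raw: str) -> datetime:
    """Ex01 form as quoted in the thread: seconds since January 1, 1970, as text."""
    text = raw.strip()
    # Assumption: an acquisition date before 1970 is treated as invalid.
    if not (text.isascii() and text.isdigit()):
        raise ValueError(f"expected a non-negative decimal integer, got {raw!r}")
    seconds = int(text)
    if seconds > INT32_MAX:
        raise ValueError(f"{seconds} does not fit in a signed Integer32")
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def check(raw: str) -> tuple:
    """Return ('ok', ISO 8601 string) or ('invalid', reason); never a default date."""
    parser = parse_header_date if len(raw.split()) > 1 else parse_epoch_date
    try:
        return "ok", parser(raw).isoformat()
    except ValueError as exc:
        return "invalid", str(exc)


if __name__ == "__main__":
    # Constructed sample values; the first three are the strings quoted in the thread.
    for sample in ("2002 3 4 10 19 59", "0000 0 0 00 00 00",
                   "2018 14 15 34 56 89", "1528186500", "4294967295"):
        print(f"{sample!r:24} -> {check(sample)}")
```

Comparing the result for the raw header value with what each imaging or analysis tool displays shows whether the stored timestamp or the tool's translation is at fault.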
 
  

kastajamah
Senior Member
 

Re: Tableau TX1 - incorrect acquisition dates reported

Post Posted: Jun 06, 18 12:50

- athulin

(DCode might work ... but I haven't tested it enough to trust it for anything serious.)


I have used DCode a lot in my work. I have found it to be reliable.  
 
