Tableau TX1 - incorrect acquisition dates reported  

benhy
(@benhy)
New Member

Is anyone else using Tableau TX1s for imaging? We bought 3 recently as upgrades to our TD3s, but have encountered a serious problem when imaging hard drives during our validation tests. The 'acquisition date' is being reported in X-Ways (19.5 and 19.6) as either some time in the 17th century or just '?', and FTK Imager gives 01/01/1980. This is consistent across all the TX1s with a few different disks, none of which had a problem on the TD3s. Encase 8 and ewfinfo give the correct date. We're imaging to E01.

If it was just one software tool then I'd dismiss it as a problem with that, but for two to be doing it seems to indicate a problem with the way the TX1 is storing the date. Has anyone else noticed this issue?

Our supplier is speaking to Guidance for us but if it's not resolved soon we're going to have to send them back.

Posted : 05/06/2018 9:15 am
thefuf
(@thefuf)
Active Member

> Our supplier is speaking to Guidance for us but if it's not resolved soon we're going to have to send them back.

Also, don't forget to send all TD3 units back. Guidance Software (now OpenText) wasn't able to fix the issue with a TD3 unit writing to a suspect drive through a "write blocked" port for more than a year.

Posted : 05/06/2018 10:07 am
athulin
(@athulin)
Community Legend

> The 'acquisition date' is being reported in X-Ways (19.5 and 19.6) as either some time in the 17th century or just '?', and FTK Imager gives 01/01/1980.

'Some time in the 17th century' is too imprecise to be of any use. What is the expected time stamp, and what is the observed one?

However … as you state that EnCase 8 and ewfinfo give you the correct date … I don't clearly see that you have grounds for complaint against Tableau TX1 alone. You have not shown that the problem is not with X-Ways or with FTK Imager.

If the E01 files follow the Expert Witness format documented, the acquisition date should be somewhere after byte 76 in the 'header' section, and look something like "2002 3 4 10 19 59" (for March 4, 2002 101959). It should be followed by a 'system date'.

If that's reasonably close to what you have in the E01 file, there's no excuse for any tool to mistranslate it. But note that in this case it's the tool that mistranslates, not Tableau.

If you have a malformed time stamp ("0000 0 0 00 00 00" or "2018 14 15 34 56 89") there may be some reason to put the blame on Tableau for not producing a correct timestamp, but a fairly large portion of blame must also rest with the tools for not catching and reporting the illegal timestamp in the first place.

If you have something else entirely, you may have an Ex01 file – I know nothing about that format.

On the assumption that ewfinfo gets things right (it seems to support Ex01), your problem seems to be not with Tableau, but with X-Ways and FTK Imager.

> If it was just one software tool then I'd dismiss it as a problem with that, but for two to be doing it seems to indicate a problem with the way the TX1 is storing the date. Has anyone else noticed this issue?

This happens to be one of my favourite problems with forensic tools – mistranslation of time stamps, that is, not lack of support for E01 or Ex01. And yes … you'll find it all over the place if you have the right tools to detect it. (If you are validating X-Ways and FTK Imager and other tools, you might be interested in https://sourceforge.net/projects/compfortest/files/ – though perhaps more for information and approach to tests – or possibly https://articles.forensicfocus.com/2013/04/06/interpretation-of-ntfs-timestamps/ even though it refers to file timestamps, not acquisition time stamps. Still, the documented mistranslations may show that the basic problem is not isolated.)

> Our supplier is speaking to Guidance for us but if it's not resolved soon we're going to have to send them back.

I would be interested to know the outcome. Myself, I suspect that as EnCase 8 and ewfinfo both get the dates right, your quarrel may not be with Guidance/Tableau.

Posted : 05/06/2018 5:53 pm
athulin
(@athulin)
Community Legend

> If you have something else entirely, you may have an Ex01 file – I know nothing about that format.

And, as I trusted a note somewhere that registration was necessary to obtain the specification, I didn't investigate further.

However, I see that the specification is available from Guidance, from the support page, without any registration.

It makes clear that the time specification is a 'Date' which is '[a]n Integer32 with the number of seconds since January 1, 1970.' It's still in textual form, but now it seems to be in Unicode. Still, it should be possible to inspect the files for the 'raw' timestamp, and then convert it into a legible format manually or by the use of a trusted tool. (DCode might work … but I haven't tested it enough to trust it for anything serious.)

Posted : 06/06/2018 10:44 am
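The two posts above describe the raw acquisition date in two shapes: the E01 textual form ("2002 3 4 10 19 59", i.e. year month day hour minute second) and the Ex01 form, an Integer32 count of seconds since 1 January 1970 stored as text. The following is an added example, not code from the thread and not Tableau's, Guidance's or any tool's implementation, of how a validating tool should treat such a field: decode it when it is well-formed and report it as malformed otherwise, instead of quietly substituting '?', 1980 or a 17th-century date. It assumes the date field has already been extracted from the header section and decoded to a Python string; the function names and the sample values are mine.

```python
from datetime import datetime, timezone
from typing import Tuple


class MalformedTimestamp(ValueError):
    """Raised when a header date field cannot be interpreted as a real instant."""


def parse_e01_date(field: str) -> datetime:
    """Parse the textual E01 form "YYYY M D h m s", e.g. "2002 3 4 10 19 59".

    An all-zero date or an out-of-range component (month 14, second 89) is
    rejected rather than silently mapped onto some other instant.
    """
    parts = field.split()
    if len(parts) != 6 or not all(p.isdigit() for p in parts):
        raise MalformedTimestamp(f"expected six numeric fields, got {field!r}")
    year, month, day, hour, minute, second = (int(p) for p in parts)
    if year == 0:
        raise MalformedTimestamp(f"unset (all-zero) date: {field!r}")
    try:
        return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)
    except ValueError as exc:
        raise MalformedTimestamp(f"out-of-range component in {field!r}: {exc}") from None


def parse_epoch_date(field: str) -> datetime:
    """Parse the Ex01 form: seconds since 1970-01-01 UTC written as decimal text.

    Assumed layout: a single decimal integer; zero is treated as 'unset', and a
    value beyond Integer32 range cannot have come from a well-formed field.
    """
    text = field.strip()
    if not text.isdigit():
        raise MalformedTimestamp(f"expected a decimal integer, got {field!r}")
    seconds = int(text)
    if seconds == 0:
        raise MalformedTimestamp(f"unset (zero) epoch date: {field!r}")
    if seconds > 0x7FFFFFFF:
        raise MalformedTimestamp(f"value exceeds Integer32 range: {field!r}")
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def interpret_date(field: str) -> Tuple[str, datetime]:
    """Detect which encoding a field uses and return (encoding, datetime)."""
    tokens = field.split()
    if len(tokens) == 6:
        return "e01-text", parse_e01_date(field)
    if len(tokens) == 1:
        return "ex01-epoch", parse_epoch_date(field)
    raise MalformedTimestamp(f"unrecognised date layout: {field!r}")


def report(field: str) -> str:
    """Human-readable result: an ISO 8601 timestamp, or an explicit MALFORMED line."""
    try:
        encoding, when = interpret_date(field)
    except MalformedTimestamp as exc:
        return f"MALFORMED: {exc}"
    return f"{when.isoformat()} ({encoding})"


if __name__ == "__main__":
    # Constructed sample fields: the thread's well-formed and malformed examples,
    # plus the same instant expressed as seconds since the epoch.
    samples = [
        "2002 3 4 10 19 59",
        "1015237199",
        "0000 0 0 00 00 00",
        "2018 14 15 34 56 89",
        "0",
    ]
    for sample in samples:
        print(f"{sample!r:28} -> {report(sample)}")
```

The point of `report` is that a failure is surfaced as a labelled failure. A tool that maps an unparseable field onto its internal zero value is exactly what produces a plausible-looking but wrong date on the report, which is the behaviour the thread is complaining about; comparing the raw field (via ewfinfo or a hex view of the header section) against each tool's rendering is the validation step that separates a writer bug from a reader bug.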
kastajamah
(@kastajamah)
Member

> (DCode might work … but I haven't tested it enough to trust it for anything serious.)

I have used DCode a lot in my work. I have found it to be reliable.

Posted : 06/06/2018 1:50 pm