tableau disk monitor users' guide · 1. introducing tableau disk monitor tableau, llc,...

Tableau Disk Monitor Users’ Guide Tableau, LLC N8 W22195 Johnson Drive, Suite 100 Waukesha, WI 53186 www.tableau.com © 2006 Tableau, LLC. All rights reserved. Tableau is a registered trademark of Tableau, LLC.

Table of Contents

1. INTRODUCING TABLEAU DISK MONITOR...............................................4 1.1 Compatibility ..................................................................................................... 4 1.1.1 Operating System....................................................................................................... 4 1.1.2 Forensic Bridges (Write Blockers).............................................................................. 4 1.1.3 Why Does Tableau Disk Monitor Work Better with a Tableau Forensic Bridge?....... 4

2. USING THE TABLEAU DISK MONITOR ....................................................5 2.1 The Main Program Window .............................................................................. 6 2.2 Menu Items in the Main Program Window........................................................ 8 2.2.1 The File Menu............................................................................................................. 8

2.2.1.1 Exit (Ctrl+Q) .........................................................................................................................8 2.2.2 The Actions Menu ...................................................................................................... 8

2.2.2.1 View Details (Ctrl+D) ............................................................................................................8 2.2.2.2 Copy Details (Ctrl+C) ...........................................................................................................8 2.2.2.3 Export Details to File (Ctrl+E)...............................................................................................8 2.2.2.4 Print Details (Ctrl+P) ............................................................................................................8 2.2.2.5 Disable DCO (Tableau Forensic Bridges Only) ....................................................................8

2.2.3 The Help Menu........................................................................................................... 9 2.2.3.1 About....................................................................................................................................9

2.3 The Disk Information Details Window............................................................. 10 2.3.1 Disk Status ............................................................................................................... 11

2.3.1.1 Disk ready? ........................................................................................................................11 2.3.2 Disk Information (General) ....................................................................................... 11

2.3.2.1 Vendor (Tableau Forensic Bridges only) ............................................................................11 2.3.2.2 Model .................................................................................................................................11 2.3.2.3 Revision .............................................................................................................................11 2.3.2.4 Serial number (Tableau Forensic Bridges only) .................................................................11 2.3.2.5 Bus type .............................................................................................................................12 2.3.2.6 Device type ........................................................................................................................12 2.3.2.7 Removable Media? ............................................................................................................12 2.3.2.8 Sector size .........................................................................................................................12 2.3.2.9 HPA in use? (Tableau Forensic Bridges only)....................................................................13 2.3.2.10 DCO in use? (Tableau Forensic Bridges only) ...............................................................13 2.3.2.11 Security extensions in use? (Tableau Forensic Bridges only) ........................................13 2.3.2.12 Reported capacity ..........................................................................................................14 2.3.2.13 HPA capacity, DCO capacity (Tableau Forensic Bridges only) ......................................14

2.3.3 Disk Information (Windows-Specific) ....................................................................... 14 2.3.3.1 Cylinders. Tracks per cylinder, Sectors per track, Bytes per sector ...................................14 2.3.3.2 Windows disk size ..............................................................................................................14

2.3.4 Forensic Bridge Information (Tableau Forensic Bridges only)................................. 15 2.3.4.1 Vendor................................................................................................................................15 2.3.4.2 Model .................................................................................................................................15 2.3.4.3 Serial number .....................................................................................................................15 2.3.4.4 Bus type .............................................................................................................................15 2.3.4.5 Bridge access mode...........................................................................................................15 2.3.4.6 Read-only declaration ........................................................................................................15 2.3.4.7 Write error declaration........................................................................................................15 2.3.4.8 Firmware stepping..............................................................................................................16 2.3.4.9 Firmware build date, Firmware build time...........................................................................16 2.3.4.10 Firmware build type ........................................................................................................16

2.4 Menu Items in the Disk Information Details Window ...................................... 17 2.4.1 The File Menu........................................................................................................... 17

2.4.1.1 Export to File (Ctrl+E).........................................................................................................17 2.4.1.2 Print (Ctrl+P) ......................................................................................................................17 2.4.1.3 Close (Ctrl+W)....................................................................................................................17

Tableau Disk Monitor Users’ Guide p. 2 Revised November 17, 2006

2.4.2 The Edit Menu .......................................................................................................... 17 2.4.2.1 Copy (Ctrl+C) .....................................................................................................................17 2.4.2.2 Select All (Ctrl+A)...............................................................................................................17

3. SUPPORT..................................................................................................18


1. Introducing Tableau Disk Monitor Tableau, LLC, developed the Tableau Disk Monitor to provide concise, relevant information which is useful to computer forensics practitioners. Tableau's Disk Monitor tracks the physical storage devices currently attached to your computer, giving you the ability to display a range of technical information about each storage device. When used in conjunction with Tableau Forensic Bridges, the Tableau Disk Monitor provides enhanced information and control capabilities. These help pages contain a wealth of information about the Tableau Disk Monitor, the kinds of information it can display, and the ways in which it extends the capabilities of Tableau Forensic Bridges. We hope you find this information useful as you navigate the capabilities of the Tableau Disk Monitor.

1.1 Compatibility 1.1.1 Operating System The Tableau Disk Monitor is designed specifically for Microsoft Windows 2000/XP or later versions of Windows. The Tableau Disk Monitor is not compatible with older versions of Microsoft Windows. 1.1.2 Forensic Bridges (Write Blockers) The Tableau Disk Monitor can be used whether or not you also use Tableau Forensic Bridges (write blockers). However, the range of viewable information and available features is limited when you are not using a Tableau Forensic Bridge.

NOTE: The Tableau Disk Monitor requires that your Tableau Forensic Bridges be updated to recent firmware. Failure to update the firmware in your Tableau Forensic Bridges may prevent the Tableau Disk Monitor from detecting or working properly with your Tableau Forensic Bridge.

Firmware updates for Tableau products can be found through the following link:

http://www.tableau.com/support The Tableau Disk Monitor will not recognize write blockers from other vendors. 1.1.3 Why Does Tableau Disk Monitor Work Better with a Tableau Forensic Bridge? Tableau's Forensic Bridges have direct, unfettered access to the attached storage device. This direct access makes it possible for Tableau to extract information from the storage device which is sometimes difficult or impossible to retrieve in a forensically sound manner when using the operating system's standard drivers. Moreover, Tableau Forensic Bridges have the ability to handle advanced functionality (i.e., HPA and DCO), again, while ensuring that the attached storage device is accessed only in a forensically sound way.

NOTE: Tableau Forensic Bridges expose a proprietary set of protocols by which the Tableau Disk Monitor communicates with the bridge to facilitate enhanced capabilities. Even though these protocols are proprietary in nature, they have been designed specifically to ensure the forensic integrity of Tableau’s products.


http://www.tableau.com/support

2. Using the Tableau Disk Monitor The Tableau Disk Monitor can be used in either of two ways. 1. The Tableau Disk Monitor can launch automatically whenever you start your computer. When started

in this mode, the Tableau Disk Monitor runs in the background, silently monitoring your system and looking for the attachment or removal of storage devices. When a storage device is attached, the Tableau Disk Monitor displays a notification. The main Tableau Disk Monitor display can be invoked at any time by double-clicking on the Tableau Disk Monitor icon in the Windows tool tray.

2. Or, the Tableau Disk Monitor can be launched on demand. In this mode, the Tableau Disk Monitor is

like any other application. You launch it when you need it and you close it when you're done. In either mode, the Tableau Disk Monitor has two main displays, the main program window and a disk information details window.


2.1 The Main Program Window The main program window displays a list of the storage devices currently attached to your computer.

Figure 1. Tableau Disk Monitor Main Window The main window is organized into five columns: 1. In the first column a connectivity icon displays how the storage device is attached to the computer.

An empty (undecorated) disk icon means the storage device is attached to the computer through one of the computer's internal, or built-in interfaces.

A disk icon with the FireWire(tm) symbol means the storage device is attached to the computer through a FireWire (also known as IEEE-1394) interface.

A disk icon with the USB symbol means the storage device is attached to the computer through a USB interface.

NOTE: Tableau Forensic Bridges support FireWire or a combination of FireWire and USB. The icons in the first column of the Disk Monitor display are designed to show you at a glance which interface is in use, and this often will help you to spot visually the devices connected through a forensic bridge.

2. A "Disk ID" column shows the "PhysicalDisk" number assigned by Windows to the storage device.

Generally, PhysicalDisk 0 is assigned to your computer's primary built-in hard disk. Your system may have other built-in PhysicalDisk devices, including additional hard disks, memory card readers, and the like. These additional built-in devices are generally numbered 1, 2, and so forth. Externally attached devices, such as forensic bridges, generally have higher PhysicalDisk numbers than the built-in devices. It is not uncommon for an external device to have a Disk ID of 2, 5, or even higher.


3. A "Disk Size" column displays the storage capacity for each Disk ID. This is another piece of information which helps you identify, at a glance, the storage devices which are of interest in your forensic examination.

Sometimes, a given storage device will not be "ready". A common example is a memory card reader in which no media is inserted. No size information is displayed for devices which are not "ready".

The Tableau Disk Monitor may also show you some very useful additional information in the disk size column when you are using a Tableau Forensic Bridge. If the Tableau Forensic Bridge detects that HPA or DCO is being used to reduce the apparent size of the storage device, the Tableau Disk Monitor will display a yellow warning icon in this column and will highlight the fact that HPA, DCO, or perhaps both are in use on a given drive.

4. A "Disk Information" column displays the make, model, and interface type (i.e., SATA, IDE, SCSI, or

USB) of the attached storage device. The serial number of the storage device is also displayed in this column.

When using a Tableau Forensic Bridge, the Tableau Disk Monitor can also highlight if ATA "security extensions" are in use on a given IDE or SATA drive. If the Tableau Forensic Bridge detects that security extensions are in use - which might prevent you from obtaining a sound forensic image of the storage device - then a yellow warning icon is also displayed in the Disk Information column.

5. Finally, a "Forensic Bridge Information" column displays additional details if the Tableau Disk Monitor

detects that a Tableau Forensic Bridge is being used in conjunction with a given storage device. This information includes the make, model, serial number, and firmware version of the Tableau Forensic Bridge.

If the Tableau Forensic Bridge is switched into a read-write mode of operation (the factory configuration for "yellow-case" Tableau products), the Tableau Disk Monitor will display a yellow warning icon in the Forensic Bridge Information column. This is designed to highlight the use of read-write Tableau Forensic Bridges, further helping you to ensure that you are using read-only and read-write forensic devices in the appropriate contexts.

You are free to re-size and even re-order the columns in the main window. The Tableau Disk Monitor will remember the column sizing and order the next time you launch the program.


2.2 Menu Items in the Main Program Window 2.2.1 The File Menu 2.2.1.1 Exit (Ctrl+Q) This menu item closes/exits the Tableau Disk Monitor application. 2.2.2 The Actions Menu NOTE: The items in the Actions menu can also be displayed by right-clicking on the line corresponding to any storage device in the main Tableau Disk Monitor window. 2.2.2.1 View Details (Ctrl+D) This menu item will open the disk information details window for the currently selected/highlighted storage device.

NOTE: The disk information details window can also be opened by double-clicking on any storage device in the Tableau Disk Monitor main window.

2.2.2.2 Copy Details (Ctrl+C) This menu item copies the entire details report for the selected/highlighted storage device to the Windows clipboard. 2.2.2.3 Export Details to File (Ctrl+E) This menu item exports the entire details report for the selected/highlighted storage device to an ASCII (text) file. Selecting this menu item brings up a "Save As" dialog box in which you can select the name of the output file. 2.2.2.4 Print Details (Ctrl+P) This menu item prints the entire details report for the selected/highlighted storage device. Selecting this menu item brings up a standard Print dialog through which you can select the desired printer, number of copies, etc. 2.2.2.5 Disable DCO (Tableau Forensic Bridges Only) This menu item is enabled only when the storage device is attached to a Tableau Forensic Bridge and the Tableau Forensic Bridge has detected that DCO (Device Configuration Overlay) is in use on the storage device. Overriding DCO settings on an IDE or SATA storage device requires sending a command to the storage device which makes a permanent change. Obviously, this has potentially serious repercussions when the storage device in question contains legally relevant evidence. For this reason, if you need to override DCO settings on a storage device, selecting this menu item will bring up a dialog box in which you are required to type the word "yes" before any change will be made to the storage device. This design helps prevent accidental or careless changes to the DCO settings on a device.


2.2.3 The Help Menu 2.2.3.1 About About displays an information page for the Tableau Disk Monitor, including version and support contact information.

Figure 2. The Tableau Disk Monitor About Screen


2.3 The Disk Information Details Window By selecting the action View Details (Ctrl+D) or by double-clicking on a row in the main window, you can display the disk information details window for a given storage device.

Figure 3. Disk Information Details Window


The disk information details window displays a range of very technical, but useful information for each storage device. The list of technical information is longer when the storage device in question is attached to a Tableau Forensic Bridge. You can have multiple disk information details windows open simultaneously, one for each storage device which is currently attached to your computer.

NOTE: Certain items in the disk information details window may require your special attention. In these cases, the items will be preceded by a yellow warning icon.

The following sections describe the information displayed in each disk information details window. 2.3.1 Disk Status 2.3.1.1 Disk ready? This line indicates whether the attached storage device is ready or not. Generally, the only time a storage device is not ready is when the device supports removable media (like a memory card slot) and there is no media inserted in the slot.

NOTE: If a device is not ready, you will not see any additional information in the details window.

2.3.2 Disk Information (General) 2.3.2.1 Vendor (Tableau Forensic Bridges only) When used in conjunction with a Tableau Forensic Bridge, this field displays the name of the vendor of the storage device (e.g., "Maxtor"). Depending on the design of the storage device itself, you will sometimes see the vendor name in the Model field, described below. 2.3.2.2 Model This field displays the model of the storage device. In the case of hard disks, this field often - but not always - matches the model name as printed on the label affixed to the hard disk itself. 2.3.2.3 Revision The Revision field reports the version of the storage device as defined by the storage device's manufacturer. The Revision field may be formatted in a wide variety of different ways by various manufacturers. 2.3.2.4 Serial number (Tableau Forensic Bridges only) The Serial number field reports the serial number of the storage device as assigned by the manufacturer of the storage device. Not all manufacturers assign serial numbers to all devices, so sometimes this field will be reported as "(empty)" by the Tableau Disk Monitor.

NOTE: This serial number should not be confused with the serial number of the Tableau Forensic Bridge which is reported in a later section.


2.3.2.5 Bus type Bus type reports the type of interface implemented by the storage device. This will generally be "IDE", "SATA", "SCSI", or "USB". However, if the storage device is an IDE or SATA device which is connected directly to the computer, it may not be possible for the Tableau Disk Monitor to determine whether the device is actually IDE or SATA. In this case the Tableau Disk Monitor simply reports a bus type of "ATA". 2.3.2.6 Device type The Device type field indicates the "device type" as reported by the attached storage device. This will generally be "disk", "RBC", or the like. A partial list of device types, along with their numeric codes, is given below:

Device Type Code Device Type0 Disk 1 Tape 2 Printer 3 Processor 4 Write-Once 5 DVD/CD-ROM 6 Scanner 7 Optical 8 Media Changer 9 Communications12 RAID 14 RBC/Disk

NOTE: When viewing details for a storage device connected to a Tableau Forensic Bridge, you will probably see only the device types "Disk" (type 0) or "RBC/Disk" (type 14).

2.3.2.7 Removable Media? This field reports whether the attached storage device supports removable media. This will typically be true for memory card readers, ZIP drives, and the like. 2.3.2.8 Sector size Most storage devices use a standard sector size of 512 bytes per sector. However, some devices may use a different sector size. This field reports the sector size in use on the storage device.


2.3.2.9 HPA in use? (Tableau Forensic Bridges only) This field gives you a direct indication that HPA (Host Protected Area) is being used to reduce the apparent size of the storage device. If a Tableau Forensic Bridge detects that HPA is in use, the forensic bridge automatically overrides the HPA (without making any permanent modifications to the storage device). So, even though HPA is in use, you do not need to take any special steps to gain access to the region of the hard disk which is nominally protected by the HPA. HPA is so named for a set of "ATA" (AT Attachment) commands. These are commands which may be sent to an IDE or SATA hard disk and which may be used to reduce the apparent size of the disk. PC manufacturers are the primary users of HPA. PC manufacturers use the HPA to hide an area at the "top" (or end) of the hard disk in which they have stored a recovery partition. Recovery partitions allow a user in the field to restore some or all of their system to its original factory state and eliminate the need for separate "recovery CDs" or other recovery media. Tableau believes it is generally unlikely that HPA will be used to hide forensically relevant information. 2.3.2.10 DCO in use? (Tableau Forensic Bridges only) This field gives you a direct indication that DCO (Device Configuration Overlay) is being used to reduce the apparent size of the storage device. DCO is so named for a set of "ATA" commands. These are commands which may be sent to an IDE or SATA hard disk and which may be used to reduce the apparent capabilities of the disk, one of which is the apparent size of the disk. DCO is similar to, but more powerful than HPA, in that it alters other apparent capabilities of a hard disk and not merely its apparent size. Like HPA, DCO is a capability which would be used almost exclusively by PC manufacturers during the integration of a hard disk into a computer. If a Tableau Forensic Bridge detects that DCO is in use, the forensic bridge does not automatically override the DCO. While HPA makes it possible to override settings temporarily, overriding DCO requires that commands with permanent effects be sent to the hard disk. As a write blocker manufacturer, Tableau does not believe it is appropriate for the forensic bridge to send such commands to a subject device except at the explicit direction of the forensic examiner. See the Section 2.2.2.5 for a discussion of using the Tableau Disk Monitor to override DCO on a subject hard disk. 2.3.2.11 Security extensions in use? (Tableau Forensic Bridges only) This field gives you a direct indication that ATA security extensions are in use and may affect your ability to acquire a forensically sound image of the storage device. Security extensions refer to a set of "ATA" commands which can be used to password-protect access to a hard disk. If security extensions are in use, and the correct password has not been provided, then hard disks will often return zeroes instead of legitimate data when reading the hard disk. There is no automatic way by which a device, including a Tableau Forensic Bridge, can override security extensions.


2.3.2.12 Reported capacity This field displays the capacity of the storage device as reported by the device at power-ON. Under normal conditions (i.e., when the storage device is attached directly to the host computer without a forensic bridge), this field represents the capacity that is recognized by the operating system. By comparing the Reported capacity with the HPA capacity or DCO capacity (see below), the forensic practitioner can determine if part of the storage device is hidden from the OS under normal operating conditions. 2.3.2.13 HPA capacity, DCO capacity (Tableau Forensic Bridges only) If HPA, DCO, or both are used to reduce the apparent capacity of a hard disk, the Tableau Disk Monitor will display separate lines showing: 1) the capacity of the storage device as revealed by HPA commands (i.e., the "HPA capacity"), and 2) the capacity of the storage device as revealed by DCO commands (i.e., the "DCO capacity"). If the storage device does not support either HPA or DCO, then the corresponding capacity fields are not displayed. Reported capacity, HPA capacity, and DCO capacity are subject to the following equation: Reported capacity ≤ HPA capacity ≤ DCO capacity That is, the reported capacity can never be larger than the HPA capacity and the HPA capacity can never be larger than the DCO capacity. 2.3.3 Disk Information (Windows-Specific) 2.3.3.1 Cylinders. Tracks per cylinder, Sectors per track, Bytes per sector Windows has long used the now-antiquated idea of "disk geometry" when formatting/partitioning hard disks. These fields report the Windows-specific values for the disk geometry. 2.3.3.2 Windows disk size The Windows disk size field reports the storage device capacity as recognized by the Windows operating system. The capacity is listed in round terms such as "18.6 GB", and as an actual byte count such as "20,003,880,960 bytes". The Tableau Disk Monitor follows Microsoft's convention for reporting disk capacities in which 1KB = 1024 bytes, 1MB = 1024 * 1024 = 1,048,576 bytes, 1GB = 1,024 * 1,024 * 1,024 = 1,073,741,824 bytes, and so forth. By following Microsoft's convention, the Tableau Disk Monitor ensures that disk capacities as viewed by the program will match disk capacities as reported by other Windows tools.

NOTE: If the storage device is attached to a Tableau Forensic Bridge and the forensic bridge detects that HPA or DCO is in use, then the reported Windows disk size might be different than the capacity which Windows would report if you were to attach the storage device directly to the computer. In this situation, the Tableau Disk Monitor reports additional fields (HPA capacity and DCO capacity) as documented in Section 2.3.2.13; and these additional fields can help you to verify the real capacity of the storage device.


2.3.4 Forensic Bridge Information (Tableau Forensic Bridges only) 2.3.4.1 Vendor For a Tableau Forensic Bridge this field will always be "Tableau". 2.3.4.2 Model This field displays the model of the Tableau Forensic Bridge attached to the selected storage device. Tableau models have names like "T5", "T14", etc. 2.3.4.3 Serial number The serial number reported in this field is the serial number of the Tableau Forensic Bridge. This serial number should not be confused with the serial number of the storage device itself. 2.3.4.4 Bus type This bus type field reports the type of bus used to connect the Tableau Forensic Bridge to the computer. This field will generally be "IEEE 1394 (FireWire)" or "USB". 2.3.4.5 Bridge access mode Some Tableau Forensic Bridges can be configured in read-only or read-write modes of operation while others (e.g., the Tableau T8 Forensic USB Bridge) are always read-only. This field gives you an explicit confirmation of whether the forensic bridge is in read-only or read-write mode.

NOTE: If the Tableau Forensic Bridge is in read-write mode, the Tableau Disk Monitor displays a yellow warning icon next to this field. This is a cautionary warning, designed to ensure that you are using a forensic bridge which is configured as appropriate for your application. Some examiners use one forensic bridge in read-only mode to acquire a subject device and a second forensic bridge in read-write mode to write a copy of the data to another storage device. In this situation it is entirely appropriate that the second forensic bridge be in read-write mode.

2.3.4.6 Read-only declaration Tableau Forensic Bridges have the ability to work in read-only mode while not revealing that fact to the host computer. The default mode of operation for Tableau Forensic Bridges is "Declares Read-Only". The alternate mode is "Suppresses Read-Only". Documentation regarding these modes and recommendations for when to use the factory and alternate settings may be found on Tableau's web site. 2.3.4.7 Write error declaration Tableau Forensic Bridges have the ability to work in read-only mode while not reporting errors on write attempts to the host computer. The default mode of operation for Tableau Forensic Bridges is "Declares Write Errors". The alternate mode is "Suppresses Write Errors". Documentation regarding these modes and recommendations for when to use the factory and alternate settings may be found on Tableau's web site.


2.3.4.8 Firmware stepping Firmware stepping is an numeric code which is used internally by Tableau to determine the capabilities of a given firmware release. This number is not generally of interest to end users. 2.3.4.9 Firmware build date, Firmware build time The firmware build date and time are used to identify uniquely each build of Tableau Forensic Bridge firmware. The Tableau web site has exhaustive documentation showing the build dates and times for all publicly released versions of Tableau firmware, and the changes from one version to the next. 2.3.4.10 Firmware build type The Firmware build type is "Release" for all publicly released versions of Tableau firmware. Special, diagnostic firmware may have a build type of "Debug".


2.4 Menu Items in the Disk Information Details Window 2.4.1 The File Menu 2.4.1.1 Export to File (Ctrl+E) The entire details report can be exported to an ASCII (text) file. Selecting this menu item brings up a "Save As" dialog box in which you can select the name of the output file. 2.4.1.2 Print (Ctrl+P) The entire details report can be printed. Selecting this menu item brings up a standard Print dialog through which you can select the desired printer, number of copies, etc. 2.4.1.3 Close (Ctrl+W) This menu item closes the disk information details window. 2.4.2 The Edit Menu 2.4.2.1 Copy (Ctrl+C) The contents of selected information in the details window can be copied to the Windows clipboard. This provides an easy way to cut-and-paste selected information into another application, editor, etc. 2.4.2.2 Select All (Ctrl+A) Select All is used to select all information in the disk information details window. This command is generally used in conjunction with Copy in order to cut and paste information into another application.


3. Support If you have problems using the Tableau Disk Monitor, we strongly encourage you to visit the support pages on Tableau's web site.

http://www.tableau.com/support Frequently, the documentation and FAQ (Frequently Asked Questions) pages will help solve your problems. e-mail support for the Tableau Disk Monitor is available through:

[email protected] We are sorry, but Tableau does not provide technical support by phone.


http://www.tableau.com/support

tableau disk monitor users' guide · 1. introducing tableau disk monitor tableau, llc,...

Documents