Home > Uncategorized > Imaging with the Tableau T35e and Encase

Imaging with the Tableau T35e and Encase

The Tableau T35e is a SATA/IDE forensic write blocker and allows imaging of 3.5″ and 2.5″ IDE and SATA drives. The kit comes with a 2.5″ hard drive adapter for imaging notebook drives.

The below image shows the T35e connected to a 2.5″ 120GB Western Digital drive. The Tableau is then connected to an imaging workstation (out of picture) via the provided USB cable. Power is provided to the WD drive via the Tableau device as shown. For correct connectivity the IDE Detect, Host Detect and Write Block LEDs should be illuminated.

Below screenshot shows the Tableau software on the imaging workstation confirming Tableau connectivity to the target drive.

Note that under ‘Forensic Bridge Information’ the entry for the T35e says ‘Read Only Mode’. On the underside of the Tableau there is a 4-position DIP switch that can be used to set a variety of configurations. The switches are accessed by removing a small knockout panel on the bottom edge of the bridge’s plastic enclosure. The default READ-ONLY mode can be used to take forensically sound images from subject hard disks. In most circumstances Windows XP handles Tableau READ-ONLY bridges correctly with switches 2 and 3 in the OFF (default) state. See the T35e User’s Guide for more details.

Imaging was done using Encase and is detailed in the following screenshots.

1. Launch Encase

2. Create a New Case

3. Click Add Device

4. Uncheck ‘Sessions’ check box

5. Blue check ‘Local Drives’

6. Allow Encase to process locally attached drives

The following screenshot shows the list of local drives processed by Encase.

7. Blue check the drive to be Previewed and then Click Next and Finish as in the screenshot below.

8. The activity LED on the Tableau device should flicker red as the drive is being previewed

9. When completed the preview will be added to the case

10. You can then acquire a physical image of the drive by right clicking and choosing ‘Acquire’

A full bit for bit, forensically sound image will be taken of your target drive. The image is stored in Encase E01 format. Make sure to save the case before you exit.

Categories: Uncategorized
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: