I just received the new Tableau Forensic Duplicator (TD1) to put it through its paces. So the first test was a to image a 40GB drive. I did so by using the 2GB DD image file options. The imaging with the unit went as expected.

When adding the DD images to EnCase I ran into a little snag however. Wrote a song about it, wanna hear it? Here it goes…

Started EnCase, created case, opened the “Add Raw Image” dialog.

Then went ahead and opened the dialog to add the “Component Files”.

Selected “Image.001″ + SHIFT + selected “Image.021″.

Clicked “Open” in the dialog box, and clicked “OK” to add the raw image.

The result: Nothing, nada, nichts; well if you call Unused Disk Area nothing.

So I tried again. This time by only selecting the first of the raw DD images. No luck either. This time I got at least an error message.

I began to question the Tableau’s DD format. So I fired up FTK Imager and tried loading the image, which worked without any problem.

Not wanting to give up I reached out to EnCase support and it turns out there is a simple, yet very important way to add raw image files.

I did everything right up until selecting the actual raw image files.

The critical thing to remember is the ORDER in which the raw image files appear in the “Component Files” window when adding raw image files. So in my case above, notice that on #1 position it shows “image.021″. Not good.

Solution:

The trick is to actually select the raw DD image files in reverse order such as:

Select “Image.021″ + SHIFT + select “Image.001″.

If you select files any other way, you can drag and drop the various component files within the “Add Raw Image” window if needed.

Hope this helps others.