Fri 10 Oct 2008
Test Results for Digital Data Acquisition Tool :: Tableau Forensic Duplicator TD1 (part 1)
Posted by admin under Testing
Disclaimer: This is an independent review and its purpose is to share knowledge of things noticed and tracked when using the device. The integrity of the acquisitions made during this review was validated through MD5 hash values using EnCase (v6.11.2) and FTK Imager Lite (v2.5.4). Sorry, yet you are still responsible for your own testing and validation.
With two brand new Tableau Forensic Duplicators (TD1) on my desk, I thought I would share my testing results. First I would like to point out some of the key features I immediately noticed.
- Compact design
- A large and clearly readable LCD display
- Easy to navigate menu items
- Ability to enter the investigator’s name which will show up in the log files created during acquisitions
- Internal clock (date & time)
- SATA interface for source and destination
- IDE interface for source and destination
This round of testing focuses on the disk-to-disk and disk-to-file duplication features. The Tableau Forensic Duplicator can be configured via its menu to default straight into disk-to-disk or disk-to-file acquisition mode, ultimately turning the unit into a single-button acquisition device, which makes training someone who only acquires drives very straightforward. What I really like about the TD1 is the fact that it has IDE and SATA interfaces for both the source and destination hard drives. It is possible to connect drives in any combination.
Disk-To-Disk Acquisition
The fastest acquisition method seems to be the disk-to-disk mode. Using this mode, I was able to image a 40.0 GB Western Digital IDE drive in 18 minutes. The image was done from IDE to IDE (see disk information at end of review) with MD5 and SHA1 calculation enabled. The LCD menu provides all necessary information during the imaging process. You see the percentage of completed transfers, MB/s rate, total size imaged. Upon completion the TD1 shows the information an examiner would expect: method of image, date, start time of acquisition, examiner name, source drive information, destination drive information, error counts, MD5 and SHA1 values.
The log information created in this mode only exists within the device itself and is somewhat limited compared to the log file created when using the disk-to-file mode. One shortcoming of this mode is that the log information available via the LCD doesn’t show the end time stamp of the acquisition. I have yet to test if it is possible to download the log via the USB or 1394 interface to see if more information is actually captured than displayed on the LCD screen.
Disk-To-File Acquisition
The TD1 allows splitting the raw image files into 4 GB, 2 GB, 1 GB and 700 MB chunks. At this point the Tableau does not allow the creation of one single raw image. I was told that it might be available in future firmware upgrades. The TD1 allows spanning the image files onto different destination drives should the currently connected drive fill up.
I saw the following performance when imaging a 40.0 GB IDE drive onto a 160.0 GB IDE drive (see disk information at end of review). The images were accumulated onto the 160.0 GB drive to fill it up and test the spanning feature. Both MD5 and SHA1 were calculated.
- 4 GB chunks
  - 11 chunks created
  - 28 minutes
- 2 GB chunks
  - 21 chunks created
  - 29 minutes
- 1 GB chunks
  - 41 chunks created
  - 32 minutes
- 700 MB chunks
  - 58 chunks created
  - 37 minutes
As desired, all hash values matched up and no errors were recorded.
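One way to re-verify a split raw image independently of the duplicator, as an added example that is not part of the original review: it gathers the segments from every destination drive the image spanned onto, orders them numerically, checks for missing or duplicated segments, and streams them through MD5 and SHA1 in a single pass. The segment naming `<base>.<number>` and the function names are assumptions, since the review does not say how the TD1 names its files.

```python
import hashlib
import re
from pathlib import Path

SEGMENT_RE = re.compile(r"\.(\d+)$")  # assumed naming: <base>.<number>


def ordered_segments(directories, base):
    """Collect <base>.<n> segments from all destination drives, in numeric order."""
    found = {}
    for d in directories:
        for path in Path(d).glob(base + ".*"):
            m = SEGMENT_RE.search(path.name)
            if not m:
                continue  # e.g. a log file stored next to the segments
            n = int(m.group(1))
            if n in found:
                raise ValueError(f"segment {n} present twice: {found[n]} and {path}")
            found[n] = path
    if not found:
        raise FileNotFoundError(f"no segments named {base}.<n> found")
    numbers = sorted(found)  # numeric sort, so .10 follows .9 without zero padding
    # A gap is detectable; a missing first or last segment shows up as a hash mismatch.
    gaps = sorted(set(range(numbers[0], numbers[-1] + 1)) - set(numbers))
    if gaps:
        raise ValueError(f"missing segment numbers: {gaps}")
    return [found[n] for n in numbers]


def hash_split_image(segments, block_size=1 << 20):
    """Stream the segments in order through MD5 and SHA1 in one pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    total = 0
    for path in segments:
        with open(path, "rb") as fh:
            while block := fh.read(block_size):
                md5.update(block)
                sha1.update(block)
                total += len(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest(), "bytes": total}


def verify(segments, logged_md5, logged_sha1):
    """Compare recomputed digests with those recorded in the acquisition log."""
    result = hash_split_image(segments)
    result["match"] = (result["md5"] == logged_md5.strip().lower()
                       and result["sha1"] == logged_sha1.strip().lower())
    return result
```

The returned byte count should also equal the source drive's size as reported in the acquisition log.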
Summary
Thus far, I like the Tableau Forensic Duplicator (TD1). The unit appears to be very solid and as expected performs well. There are still more tests to do from a duplication standpoint. Plus, other features like disk wipe, blank test, error handling are still on my to-do list. The TD1 is reasonably priced (~$1,200) and should be considered as a contender if you are looking for a new disk acquisition tool.
Device Tested
- Tableau Forensic Duplicator
- Model TD1
- Firmware: 1.10 (September 19, 2008 / 16:44:44)
Source Drive
- Model: WDC WD400BB-23DEA0 (40.0 GB)
- Firmware Revision: 05.03E05
- HPA in use: No
- DCO in use: No
- ATA Security in use: No
- Cable/Interface type: IDE
- ATA PIO mode: PIO 4
- ATA DMA mode: UDMA 5
Destination Drive
- Model: WDC WD1600AAJB-00PVA0 (160.0 GB)
- Firmware Revision: 00.07H00
- HPA in use: No
- DCO in use: No
- ATA Security in use: No
- Cable/Interface type: IDE
- ATA PIO mode: PIO 4
- ATA DMA mode: UDMA 5