Atola Insight Forensic
Hard drive imaging is the most important part of the data acquisition process. Trying to extract files directly from a potentially failing media is dangerous because the media can stop working at any moment. This means the operator must transfer the data quickly and safely from the original HDD to a backup HDD and only then proceed with further evidence analysis using the backup copy.
The Atola Insight Forensic is the industry's most efficient system for imaging hard drives, SSDs and USB mass storage media quickly and safely. The system's maximum imaging speed is 500 MB/s.
Please note that this number represents the real measured speed that we have achieved on real hard drives (please see screenshot on the right) and not "theoretically achievable" speed that many other tools claim.
Table of contents:
Imaging damaged disk drives
Hard drives with physical damage require a quite complex imaging approach. Specifically, the following techniques are used in Atola Insight in order to achieve the best results:
A few words on block size control. While it is important to use small block sizes in order to get as much data as possible, using small blocks significantly slows down the imaging process. However, with Atola Insight's industry leading multi-pass imaging engine, it is possible to use large blocks with short timeouts on the first few passes, and then use the smallest block sizes on the last pass when only few sectors are left to be transferred.
This technique allows to achieve real imaging speeds of up to 500 MB/sec on good areas of the drive, while approaching bad areas in the most gentle way possible, thus achieving an unbeatable overall speed of disk imaging.
The best part is that Atola Insight will handle block sizes automatically, thus providing the best possible results in the shortest amount of time. This allows Atola Insight to be faster in virtually any job than any other data recovery or image acquisition tools commercially available.
Imaging to multiple targets
Atola Insight Forensic images source media to 1, 2 or 3 targets simultaneously. The following target types are supported:
Atola Insight Forensic searches for artifacts during imaging and allows on-the-fly overview, sorting and search of the found values. Supported artifacts include:
In the Artifacts tab at the bottom of Insight's window the numbers of artifacts and the corresponding diagram change on the go.
The Artifacts table displays each artifact with an assigned Id number, Values are shown in the context (20 bytes before and 20 bytes after the artifact in grey color) along with their LBAs and offsets to help locate each artifact.
The real-time data viewer shows the raw data that is being extracted from the source drive during imaging. There are two modes available:
- Automatic with refresh interval slider
- Manual by means of Read sector button
Automated sector analysis checks each sector for file system structures (NTFS File Record, boot sectors, etc.)
Atola Insight performs file signature analysis during imaging. It shows live stats of all found signatures while the data is being transferred with no negative effect on imaging performance. Moreover, you can easily check raw sector data for any found file using the HEX Viewer without even pausing the imaging process.
Customize every step of the process
The Atola Insight is able to image entire hard drives, select partitions or specific sector ranges. The newly created image can be stored either on a destination hard drive or the host computer. A data wipe function is also available to quickly and easily write any pattern to the destination hard drive if necessary to prepare it for a new image.
All parameters can be adjusted in a very simple way to fine-tune the process and meet the needs of a specific case. The Atola Insight is able to image damaged or unstable hard drives in the field that cannot be imaged by regular forensic products. This means forensic experts can image more storage devices in the field without needing to take them back to lab.
Multiple hashing methods are available and hashes are calculated on the fly.
Major Imaging Parameters
Visual representation of imaging status
The Atola Insight's real-time imaging status screen provides all vital information to the operator as well as allows full control over the process.
Visual feedback includes:
Based on the data being displayed throughout the imaging process, the operator has the option of making on-the-fly changes to the parameters. For example, the operator can add a specific behavior on a certain condition (power cycle after X errors, etc), or modify timeout settings.
The following actions can be performed during imaging:
When imaging completes, all status information is automatically sent to the Case Management and File Recovery modules.
Imaging report contains all necessary information including SMART table of source drive before and after imaging process.
Image file creation
Copying the source disk into an image file is fast and easy using the Atola Insight. Just select a storage location on the host PC and specify the image file size (put all data in a single image file or "chop" the data into a series of smaller chunks).
Data-Only copy option
This option gives the user the ability to only copy occupied sectors from the source hard drive. This can greatly reduce the time spent on data transfer and relieve strain on the source hard drive, as empty areas of the source hard drive will not be imaged.
Supported file systems: NTFS (all versions), Ext 2/3/4, HFS, HFS+, HFSX, ExFAT, FAT16, FAT32.
Metadata-Only copy option
This imaging mode allows copying of absolute minimum amount of data for file browsing to work, this allows for imaging of specific files.
Fully integrated with file recovery module
At the end of the imaging process, the Atola Insight creates a Bad Sector Map and stores it in the Case History. When the File Recovery module is started, it automatically refers to the Bad Sector Map, and marks all files hit by bad sectors.
A list of recovered files has already been recorded during imaging, and the data is ready for browsing, so there is no time loss on this stage. This system is much more efficient than using one product for imaging and another for file recovery.
Frequently Asked Questions
Click questions to expand text