Atola Insight Forensic Manual

Quickstart

Introduction

Unit & extensions

Installation & environment setup

Working with devices

Interface controls & indicators

Diagnostics

Imaging

Calculating & verifying hash

Unlocking devices

More features & special capabilities

Case management


Quickstart


Let us start from zero and learn how to image an evidence device safely in Atola Insight Forensic.

Step 1. Plug the source and target devices into the DiskSense system.

Take two SATA drives that will serve as your source and target devices. Plug them into the SATA source and SATA target ports.

Step 2. Launch Atola Insight.

Launch the already installed Atola Insight Forensic software.

You will see the following window asking you to select the desired action:

Select Close to avoid powering up the source SATA port for now.

Step 3. Diagnose first before imaging.

Presumably, we know nothing about the source device and its state. Maybe it is a good working drive, or maybe it is not. It may be a damaged one or it may die in a few hours. That is why we should begin with Automatic Checkup.

Click Diagnostics -> Automatic checkup, and then click the Start button.

It will take a couple of minutes to get to the Diagnostics report. In this particular case, we see that the source drive is in a good state, and we can safely start imaging it.

Step 4. Select the imaging targets.

Click Imaging on the left side menu and then Create New Session. You will be asked to select the imaging targets, including the following:

  • Devices plugged into SATA/USB target ports of the DiskSense system
  • Image files
  • Local PC devices

Let us take advantage of imaging into two targets at the same time: SATA target drive and image file.

Click Add Image File and then confirm the selected filename. Then tick the SATA Target 1 device. In the end, you will get a screen like this:

Click the Select button to confirm.

Step 5. Start imaging.

Imaging includes a wide variety of settings for tuning the process. Sometimes it is helpful when dealing with severely damaged evidence drives. However, the default imaging preset works great in most cases.

There is just one button to click, Start Imaging, to get the duplication process running.

Bonus: Screencasts

Congratulations! You read the quickstart up to this section, and we have an award for you! :-) Here are a number of screencasts explaining specific features of Atola Insight Forensic.


Introduction

Forensic & Data Recovery Tool

Atola Insight Forensic offers complex data retrieval functions along with utilities for manually accessing hard drives at the lowest level, wrapped in a very simple and efficient user interface.

Atola Insight Forensic system includes:

  • Atola Insight Forensic software (runs on any Windows PC or laptop)
  • DiskSense hardware unit
  • Hardware extensions (optional)
  • Battery (optional)

Forensic and E-Discovery solution

All features of the system are designed to support damaged media. Where other Forensic data acquisition products stall or abort on media errors, Atola Insight Forensic can acquire a usable image.

When dealing with good (non-damaged) media, Atola Insight Forensic acquires data faster than any other data acquisition equipment commercially available.

The system has several key features for data capture in forensic and e-discovery cases:

DiskSense unit - Back
DiskSense unit - Left
DiskSense unit - Right
DiskSense Unit

Atola Insight Forensic workflow

Atola Insight Forensic covers all phases of the data acquisition process:

  1. Media diagnosis
  2. Media recovery (if needed)
  3. Image creation
  4. File recovery

1. Media diagnosis

Whenever you start working on a hard drive, the first thing we recommend is finding out whether the drive is damaged in any way and, if so, the extent of the damage.

The tool comes with a fully automated hard drive diagnosis module. It diagnoses all hard drive components: printed circuit board (PCB), spindle motor, head stack, firmware, and file systems. Diagnostics will work properly even if the drive has burnt parts or a damaged head stack – the routine makes use of the current monitor that is embedded into the DiskSense unit.

After diagnostics finishes, the tool will prepare a report and let you know the exact issue with the drive; it will also suggest the next step to be able to retrieve the data.

2. Media recovery

Automatic ATA password recovery and removal

Atola Insight Forensic can recover and/or remove unknown HDD passwords (also known as ATA passwords). For most hard drives the unlocking process is fully automated. Some hard drives (for example, the latest 2.5-inch Hitachi hard drives) require a degree of manual intervention. The operator can choose whether to display the password or just remove it and unlock the drive. Both security levels (High or Maximum) are supported.

The list of hard drives currently supported by the automatic password recovery routine can be obtained at http://atola.com/products/insight/supported-drives.html

Manual firmware recovery

If there is firmware damage that cannot be fixed automatically, you will have to proceed with the manual firmware recovery procedure. Generally speaking, the firmware recovery process consists of the following steps:
1. Full firmware backup
2. Diagnosis
3. Recovery

Backup is a very important part of the process. Make sure you have full firmware backup before you make any change to the firmware area.

Basic diagnostics of the firmware area is done during the Automatic Diagnostics process (see Automatic Diagnostics). More in-depth diagnostics is done during the firmware backup process, after which any firmware damage that may exist will become obvious, as damaged modules will have either a "Read Failure" or a "Bad Checksum" mark. Some of these damaged modules can be recovered by right-clicking them and selecting Recover (the module will be regenerated and written to the drive). In some rare cases, when Atola Insight Forensic cannot regenerate the module, you will have to copy it from a donor drive (you will need to locate a similar hard drive, save that module from that drive into a file, and then copy that file into the bad drive's firmware, replacing the damaged module).

Please note: if after the full firmware backup you find that there are many unreadable firmware modules (more than 10% of the total number of modules), it may be a good indication that the head stack is malfunctioning. The best thing to do in this case is to reconfirm that the hard drive does not have head damage before proceeding with a firmware recovery attempt. Attempting firmware recovery on a hard drive with internal damage may result in unrecoverable damage.

3. Image creation

Before you proceed with any file recovery attempt, it is very important that you have a sector-by-sector copy of the drive. This is done with the Imaging module available in the software.

Please see the following link for more information on imaging: http://atola.com/products/insight/disk-duplication.html

4. File recovery

After you have made a copy of the original hard drive, you can start recovering files. The File Recovery engine is able to show the status of each file in the file browser, such as what percentage of the file was imaged without errors. It is also possible to create lists of files specifying the status of each file. After creation, the list may be presented for review.

Learn more about File Recovery: http://atola.com/products/insight/file-recovery.html


Unit & extensions

Package contents


Please make sure that you have the following items in the package:

  • DiskSense unit
  • Power supply
  • 4x HDD eSATAp cables
  • Hitachi password extraction adapter
  • 3.5" to 2.5" IDE adapter
  • IDE power cable
  • IDE interface cable
  • Serial cable RS-232
  • Ethernet cat 5e or 6 cable
  • USB3 to Ethernet adapter
  • Flash card reader

If any of these items are missing, please contact the place of purchase.

DiskSense Forensic Unit

The DiskSense Unit utilizes the fastest and most efficient interface connections available, and is built-to-last using the highest quality components one could source. It includes a built-in oscilloscope for current monitoring (primarily used in diagnostic functions) and write protection switch for source media.

Technical Specifications

DiskSense unit inside

DiskSense Forensic technical specifications:

  • Dimensions: 7.7 x 7.2 x 2.1 in (196 x 182 x 54 mm)
  • Weight: 2.9 lb (1.3 kg)
  • Wide working temperature range: 0°C–50°C (32°F–122°F)
  • Source ports: SATA 3.0, USB 3.0, IDE
  • Write protection switch for source ports
  • 6 Target ports:
    • 3 SATA
    • 3 USB 3.0 (SuperSpeed)
  • Extension port:
  • Serial RS232 port
  • Operation LEDs for all ports and a buzzer
  • Two ethernet interfaces: RJ45 / 1Gbe. One of them can be used for Network Forensics.
  • Internal OS: Linux running a custom kernel
  • Control interface: Atola Insight Forensic (Windows application)
  • Supported hard drive interfaces: SATA I/II/III, USB 1.0/2.0/3.0, IDE
  • Flash card support via card reader attached to any USB port
  • Power consumption: 60 Watt average, 200 Watt peak
  • Supply Voltage: 100 - 240 VAC, 50-60 Hz

DiskSense: under the hood

DiskSense is basically a very small computer running a Linux OS. However, neither a normal computer's BIOS nor a basic Linux kernel is suitable for handling damaged hard drives, simply because neither was designed to handle hard disk failures very well. We have invested a significant amount of research and development effort, which allowed us to build a highly customized and fine-tuned Linux kernel that completely overcomes these issues. Additionally, this kernel features:
  • Full low-level control over SATA, USB and IDE ports
  • Full native SATA support
  • Reset and SATA PHY control for best handling of severely damaged hard drives
  • High-speed DMA data transfers, up to 500 MB/s
  • All BIOS and standard kernel functions are disabled
Back side of DiskSense Unit
DiskSense also features our proprietary circuitry for ultimate hard drive's power control:
  • Current sensor for in-depth hard disk diagnosis
  • Automatic overcurrent and short-circuit protection
  • Overvoltage protection
These features are a must when dealing with damaged hard drives.

For example, low-level control of the SATA, USB and IDE ports allows Atola Insight Forensic to deal with hard drives that do not properly initialize, have many bad sectors, or freeze frequently due to internal (mechanical) failures.

SATA PHY control allows resetting a frozen hard drive without a power cycle which saves quite a bit of time while imaging, and reduces the chances of further hard disk degradation and failure.

Current sensing allows Atola Insight to diagnose a failed hard drive even if it has electronic or mechanical damage. Please see Disk Diagnostics for more details on how this works.

Overcurrent protection detects when the hard drive draws abnormal current and stops the hard drive to prevent any further damage.

The overvoltage protection circuit ensures that in the unlikely event of a DiskSense unit malfunction, the attached hard drives are not damaged in any way.

The DiskSense unit is fully controlled by Atola Insight software via the Gigabit Ethernet interface, hence no Linux experience is required at all in order to operate it.

Extension modules

DiskSense system allows expanding its functionality via hardware extension modules.

How to plug an extension module

DiskSense system must be powered off before an extension module can be installed:

  1. Power off DiskSense system
  2. Plug extension module into Extension port
  3. Power on DiskSense system

SAS extension module

Technical specifications:

  • SAS interface: 6 Gbit/s
  • Max read/write speed: MB/s
  • Hotplug for SAS drives is supported
  • Current sensing is supported
  • Short circuit and overvoltage protection is active

Atola Insight Forensic allows running most operations on a SAS drive plugged into the DiskSense system. There are a few functions that are not available for SAS drives by their nature: Host Protected Area (HPA), Device Configuration Overlay (DCO), Security Features, and SSD Trim. Firmware recovery is also not supported.

Connecting a SAS drive to DiskSense via SAS extension module
  1. Plug the mini SAS connector into the extension module
  2. Plug the molex power connector into the IDE source power socket
  3. Plug the SAS connector into the drive

10 Gbit Ethernet extension module

The module accelerates the following operations executed with image files: Imaging, File Recovery, Compare, Write from File. For optimum performance please follow these instructions:

  1. Update the 10GbE driver on the PC workstation to the latest version
  2. Link 10GbE Ethernet extension module and 10GbE PC workstation LAN adapter with a Cat6 ethernet cable
  3. Open Windows Network and Sharing Center
  4. Click 'Change adapter settings' link
  5. Locate 10GbE Ethernet card and open its Properties accessible via right mouse button
  6. Click the 'Configure' button
  7. Select 'Advanced' tab
  8. Change 'Jumbo Packet' value to 9014

Note that PC motherboard quality can have an impact on the resulting network performance. Also, please ensure that the PC drive is able to read/write at speeds above 300 MB/s.

Thunderbolt extension module

With the help of the Thunderbolt extension module, Insight supports imaging, hash calculation and verification, comparing, media scan, file recovery, and write protection on all MacBooks with FireWire, Thunderbolt 2 and Thunderbolt 3 interfaces.

Connecting MacBook via Thunderbolt extension module
  1. Connect MacBook to DiskSense unit with the help of Thunderbolt extension and the FireWire cable. Use adapters if needed (included).
  2. To boot the MacBook in Target Disk Mode, start it up while holding down the T key until you see a FireWire or Thunderbolt icon displayed on screen signifying Target Disk Mode.
  3. Start DiskSense unit and launch Atola Insight Forensic on your computer.
  4. Select Identify device option in the pop-up window.
  5. In Source - Select MacBook Case window click Add new case button.


Apple PCIe SSD extension module

This module supports custom proprietary PCIe SSDs from Apple MacBooks (Mid 2013 - 2015).

Important: Drive hotplug is not supported yet. DiskSense system must be powered off before installing or replacing drives.

M.2 PCIe/SATA SSD extension module

Only M key interface drives are supported by this module.

Connecting an M.2 PCIe drive via extension module

Important: Drive hotplug is not supported yet. DiskSense system must be powered off before installing or replacing drives.

Connecting an M.2 SATA drive via extension module
  1. Connect the source eSATAp cable end to the extension
  2. Power off source SATA port in Atola Insight Forensic
  3. Plug M.2 SATA drive into the extension and fix it in place with the plastic latch

Drive hotplug is supported. Before replacing hard drives the SATA power must be turned off via the software Power button (for safety reasons).

Battery for DiskSense unit

The battery allows the DiskSense unit to keep running forensic tasks without a connection to the electrical grid. The battery cable is included in the package. Connection between battery and DiskSense unit is simple:

  1. Plug one end of the battery cable into the DC OUT socket of the battery
  2. Plug the other end of the battery cable into the DC IN socket of the DiskSense unit

Using battery

The front panel has LEDs showing the current charge level between 0% and 100%. When the charge level goes below 10%, the first LED starts blinking and a beeping sound is emitted. This means the battery will run out of charge soon. In this case plug the battery into the electrical grid via the standard power adapter of the DiskSense unit.

When the battery fully runs out of charge, the best practice would be connecting it to the power adapter and waiting for 10 minutes. It is normal for all LEDs to be off during these first 10 minutes of charging.

Quiet mode

The quiet mode can be enabled using the switch at the front. It disables all LEDs and buzzer.

Charging battery

Use the power adapter of the DiskSense unit to charge the battery. Plug the power adapter into the battery's DC IN socket. There are two states:

  • Battery is charging. One of front panel LEDs is blinking. Others to the left are lit
  • Battery is 100% charged. The rightmost LED (Full) is on. Other LEDs are off.


Installation & environment setup

Atola Insight Forensic Downloads

Current version: 4.10
Release date: 2017/12/05
Full Changelog: Atola Insight Changelog

NOTE: You can find links to previous versions at the bottom of this page

We can send you an email when the next Atola software update comes out. Subscribe via email to be instantly notified.

Download update only (EXE) or (ZIP) – 98 MB
This package can be used to update Atola Insight Forensic to the latest version. To update Atola Insight Forensic using this option, just download and launch the file; setup wizard will do the rest.

Full installation (EXE) or (ZIP) – 236 MB
This is the best option for initial installation of Atola Insight Forensic.

Updating Atola Insight Forensic

To update Atola Insight Forensic to the latest version, simply install an update over the existing installation. All settings are kept intact during the update procedure.

Additional links

Older versions

Atola Insight v4.9 (full installation)
Atola Insight v4.9 (update)

Atola Insight v4.8 (full installation)
Atola Insight v4.8 (update)

Atola Insight v4.7 (full installation)
Atola Insight v4.7 (update)

Atola Insight v4.6 (full installation)
Atola Insight v4.6 (update)

Atola Insight v4.5 (full installation)
Atola Insight v4.5 (update)

Atola Insight v4.4 (full installation)
Atola Insight v4.4 (update)

Atola Insight v4.3.1 (full installation)
Atola Insight v4.3.1 (update)

Atola Insight v4.3 (full installation)
Atola Insight v4.3 (update)

Atola Insight v4.2 (full installation)
Atola Insight v4.2 (update)

Atola Insight v4.1.1 (full installation)
Atola Insight v4.1.1 (update)

Atola Insight v4.0 (full installation)

Hardware and OS requirements

Minimum hardware specs:

  • Intel Celeron 2GHz/AMD Sempron CPU
  • 2 GB of RAM
  • one 100 MBit Ethernet port
  • 2 GB of free disk space

Recommended hardware specs for optimal performance:

  • Intel or AMD dual core CPU
  • 8 GB of RAM
  • one 1000 MBit (Gigabit, 1000BASE-T) Ethernet port
  • 10 GB of free disk space
  • Firewall and especially antivirus software disabled

Supported OS:

  • Windows 10 (32/64 bit)
  • Windows 8 (32/64 bit)
  • Windows 7 (32/64 bit)

DiskSense / HASP connection issues

DiskSense hardware system includes an internal HASP USB dongle. It contains unique activation and subscription information.

Having more than one DiskSense system in your network may result in HASP-related conflicts. These conflicts usually manifest as "Too many connections" or "Cannot located DiskSense unit" errors. The issue is caused by behavior of the HASP discovery system which by default picks a random HASP dongle on the network. In other words, one Atola Insight Forensic instance may establish the connection with one DiskSense system, however it will "use" the HASP dongle of another (random) system available on the network.

How to resolve multiple HASP connection issues

The HASP discovery system offers a web administration tool where one can easily set up an IP filter specifying HASP dongle search locations.

  1. Access the URL with your browser: http://localhost:1947
  2. Click 'Configuration' link in the left side menu
  3. Click 'Access to Remote License Managers' tab
  4. Untick 'Broadcast Search for Remote Licenses' checkbox
  5. Enter DiskSense unit IP address specified in Atola Insight Forensic: Insight menu -> DiskSense Information
  6. Click 'Submit'
After you perform these actions, the final screen should look like this:

Note: 192.168.0.200 is used as an example.

Network database setup

Atola Insight Forensic can work with a remote database shared between many users. Here is how to set up such a network database and connect different PCs running Atola Insight to it.

1. Pre-install SQL Server 2012 or 2014 on the network server PC

2. Launch Atola Insight Forensic on the user PC

3. Navigate to Insight -> Database Connection Settings from the top menu

A. Select Server type: Remote

B. Specify network server name, select SQL server instance and database names

C. Enter SQL server login and password as shown in the picture below:

Network database Atola Insight Forensic

4. Click OK and re-launch Atola Insight Forensic on the user PC.

5. It will create the remote database and ask for the Work Folder name:

Local work folder in Atola Insight Forensic
Hint: Work Folder is necessary to store large files that do not fit into the database: imaging maps, logs, file recovery hash lists.

6. Change the Work Folder to the shared folder on the network server PC.

Network work folder in Atola Insight Forensic
Example: The network folder successfully selected

 

Now you have the Atola Insight network database prepared for remote use! You can connect Atola Insight Forensic software from the other PCs. Just set up the same database settings as you did in step 3. There is no need to specify the Work Folder again, because Atola Insight will load it from the remote SQL server on the network server PC.

The only limitation: Two users will not be able to work on the same case simultaneously.

Atola Insight Forensic: Database backup and restore

To be able to back up and restore the Atola Insight Forensic database, you will need Microsoft SQL Server Management Studio Express. You can download it here.

Backup

To back up the database, please follow these steps:
1. Launch Microsoft SQL Server Management Studio Express
2. Establish database connection (with default settings)
3. Select "Databases" folder on the tree
4. Right-click AtolaInsightForensic and select Tasks->Back Up...
5. Check the backup destination and change it if desired
6. Click OK

Restore

This procedure will work only if you did not move the backup file (for example, from another PC). If you are moving the database over to another PC, please see Restore when moving below.
1. Launch Microsoft SQL Server Management Studio Express
2. Establish database connection (with default settings)
3. Select "Databases" folder on the tree
4. Right-click AtolaInsightForensic and select Tasks->Restore->Database...
5. Select the desired backup file
6. Click OK

Move

To move the database from one PC over to another, please follow these steps:
1. Back up your database on the source PC
2. Copy backup file over to destination PC
3. Restore the backup file on the destination PC (see below)

Restore when moving

1. Launch Microsoft SQL Server Management Studio Express
2. Establish database connection (with default settings)
3. Right-click "Databases" folder on the tree and select Restore Database
4. In the "To database:" field enter the following: "AtolaInsightForensic" (without quotes)
5. Select "From device" in "Source for restore"
6. Point to the database backup file
7. Click OK

If you only have .mdf and .ldf files

This may happen if your operating system has crashed and you are reinstalling everything from scratch. In this case you would need to copy AtolaInsightForensic.mdf and AtolaInsightForensic_log.LDF files from the old hard drive over to the new one. You may find these files in:

  • "C:\Users\*USERNAME*\AppData\Roaming\Atola\Insight Forensic\", if (localdb)\V11.0 instance is used (default)
  • "C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\", if SQLEXPRESS instance is used

After you have copied the database files, please follow these steps:
1. Launch Microsoft SQL Server Management Studio Express
2. Establish database connection (with default settings)
3. Right-click "Databases" folder on the tree and select Attach...
4. Click "Add..." and select AtolaInsightForensic.mdf
5. Click OK
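
The backup, move and attach procedures above have direct T-SQL equivalents that can be run from a Management Studio query window, with integrity checks added at each stage. This script is an added example, not part of the Atola manual; the D:\Backup and D:\Data paths and the two logical file names are assumptions, while the database name and the .mdf/.LDF file names are the ones given on this page.

```sql
-- Added example (not from the Atola manual).
-- Assumptions: backup folder D:\Backup, data folder D:\Data, and the
-- logical file names used in step 4. Adjust all of them to your system.

-- 1. Source PC: full backup with page checksums.
--    COPY_ONLY leaves any existing backup chain untouched.
--    INIT overwrites older backup sets in the same .bak file.
BACKUP DATABASE [AtolaInsightForensic]
TO DISK = N'D:\Backup\AtolaInsightForensic.bak'
WITH COPY_ONLY, INIT, CHECKSUM,
     NAME = N'AtolaInsightForensic full backup';

-- 2. Source PC: confirm the backup file is complete and readable, and that
--    its checksums are valid, before copying it to the destination PC.
RESTORE VERIFYONLY
FROM DISK = N'D:\Backup\AtolaInsightForensic.bak'
WITH CHECKSUM;

-- 3. Destination PC: list the logical and physical file names stored in
--    the backup. The LogicalName column supplies the names for MOVE below.
RESTORE FILELISTONLY
FROM DISK = N'D:\Backup\AtolaInsightForensic.bak';

-- 4. Destination PC ("Restore when moving"): restore under the same
--    database name and relocate the files to a folder that exists here.
--    The logical names 'AtolaInsightForensic' and
--    'AtolaInsightForensic_log' are assumed; replace them with the
--    LogicalName values returned by step 3.
RESTORE DATABASE [AtolaInsightForensic]
FROM DISK = N'D:\Backup\AtolaInsightForensic.bak'
WITH MOVE N'AtolaInsightForensic'     TO N'D:\Data\AtolaInsightForensic.mdf',
     MOVE N'AtolaInsightForensic_log' TO N'D:\Data\AtolaInsightForensic_log.LDF',
     CHECKSUM, RECOVERY;

-- 5. Alternative to step 4 when only the .mdf and .ldf files survived:
--    attach the copied files instead of restoring a backup.
--    Run either step 4 or step 5, not both.
CREATE DATABASE [AtolaInsightForensic]
ON (FILENAME = N'D:\Data\AtolaInsightForensic.mdf'),
   (FILENAME = N'D:\Data\AtolaInsightForensic_log.LDF')
FOR ATTACH;

-- 6. After a restore or an attach: check the logical and physical
--    integrity of the case database before opening it in Atola Insight.
DBCC CHECKDB (N'AtolaInsightForensic') WITH NO_INFOMSGS;
```

When connecting, use the instance named on this page: (localdb)\V11.0 for the default installation, or the SQLEXPRESS instance if that is what Atola Insight Forensic was configured with.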


Working with devices

Supported Drives

Atola Insight Forensic supports all 1.8-inch, 2.5-inch, 3.5-inch IDE, SATA and USB hard drives, USB Flash media as well as SD, CompactFlash, and Memory Stick cards via a generic USB Card Reader.

Atola Insight Forensic can also work with the following drive types using proprietary Atola extension modules:

  • SAS drives
  • the newest PCIe SSDs from Apple MacBooks (2013 - current models)
  • M.2 PCIe/SATA SSDs (M interface key only)

Most functions of the Atola Insight Forensic will work with any hard drive or flash card with either IDE, SATA-1/2/3 or USB-1/2/3 interface (including those attached via adapters).

However, there are three functions that only work with specific hard drive model families:

  • Automatic password removal
  • Head selection in Imaging and Media Scan
  • Full firmware access

1. Automatic password removal works for the following models:

  • SATA and IDE Seagate hard drives (including F3 series)
  • SATA and IDE Western Digital hard drives
  • SATA and IDE Toshiba hard drives: MG, MK, MQ, DT families
  • SATA and IDE Maxtor hard drives
  • SATA and IDE Samsung hard drives with the exception of old hard drives made prior to 2004 and some latest models
  • SATA and IDE Fujitsu hard drives with the exception of latest models (MHW and newer)
  • The following Hitachi hard drives are supported: HCxxxxxxxA7A3xx, HDxxxxxxxCLA3xx, HTxxxxxxxA9A3xx, HTxxxxxxxA9E3xx, HTxxxxxxxA9E6xx, HTxxxxxxxB9A3xx, HTxxxxxxxG9ATxx, HTxxxxxxxG9SAxx, HTxxxxxxxH9ATxx, HTxxxxxxxH9SAxx, HTxxxxxxxJ9ATxx, HTxxxxxxxJ9SAxx, HTxxxxxxxK9ATxx, HTxxxxxxxK9SAxx, HTxxxxxxxL9SAxx, HTxxxxxxxM9ATxx, HTS72xxxxA7E6xx, HUxxxxxxxCLA3xx, IC25NxxxATMRxx
  • The following Hitachi DK hard drives are supported: DK23DA, DK23EA, DK23FA.
  • The following Hitachi Endurastar hard drives are supported: J4K50 (HEJxxxxxxF9ATxx), N4K50 (HENxxxxxxF9ATxx).
Please note that due to the wide variety of firmware revisions released by hard drive manufacturers, it is impossible to guarantee that the password removal will always work. Hence, password removal may fail on a small percentage of hard drives.

2. Head selection works for the following models:

  • SATA and IDE Seagate hard drives (including F3 series)
  • SATA and IDE Western Digital hard drives
  • SATA and IDE Hitachi hard drives
  • SATA and IDE Toshiba hard drives: MG, MK, MQ, DT families

3. Full firmware access:

  • Western Digital hard drives: all IDE and SATA models are supported
  • Fujitsu hard drives: all IDE and SATA models are supported
  • Samsung hard drives: all IDE and SATA models are supported with the exception of old hard drives made prior to 2004
  • The following Hitachi hard drives are supported: A7A3, A9A3, A9E3, A9E6, ALA6, ATCS, ATDA, ATMR, AVER, AVV2, AVVA, AVVN, B9A3, CLA3, DADA, DARA, DBCA, DCXA, DHEA, DJNA, DJSA, DKLA, DLA3, DLAT, DPTA, DTCA, DTLA, DTTA, G9AT, G9SA, H9AT, H9SA, J9AT, J9SA, K9AT, K9SA, L9SA, M9AT, PLA3, PLAT, VLAT
  • Toshiba hard drives supported: DT family only

Attaching hard drives and starting Atola Insight Forensic

The purpose of this page is to provide information on Atola Insight Forensic start up procedure.

Source Device Selection dialog

Source Device Selection dialog is available from main menu (Source -> Select Source...) or via F3 shortcut key:

At this point you can select the port you'd like to work with (SATA, USB, IDE Master, IDE Slave).

After you select the device, Atola Insight Forensic switches to the main application window.

Attaching and detaching hard drives

You can attach and remove hard drives at any time without restarting the software or hardware unit.

When replacing hard drives, Atola Insight Forensic detects the change automatically. However, if you'd like to manually re-identify a hard drive, you can do one of the following:

  • Use Source Port Re-Identify button or press F2

  • Use Source->Select Source... menu item

The difference is that re-identification works only when the attached hard drive can return at least some identification data. When the hard drive has significant damage (for example, a burnt PCB) and therefore won't return identification data, Atola Insight Forensic will fail to automatically recognize such a hard drive. In this case you will have to use the Source->Select Source menu item to manually select the device. Atola Insight Forensic will still be able to diagnose a hard drive that is "completely dead" by relying on the current sampling.

Before disconnecting hard drives from the unit, we recommend using the Power Off button in Atola Insight Forensic software to properly shut down the drive:

Working with MacBooks via Thunderbolt extension module

The Thunderbolt extension enables Insight to operate on all MacBooks with FireWire, Thunderbolt 2 and Thunderbolt 3 interfaces. There is no need to remove the SSD: the Thunderbolt extension allows connecting the whole Apple laptop to Insight.

The extension module comes with:

  • Thunderbolt 3 to Thunderbolt 2 adapter (by Apple)
  • Thunderbolt 2 to FireWire adapter (by Apple)
  • FireWire cable

Connecting MacBook to DiskSense unit

1. Connect MacBook to DiskSense unit with the help of Thunderbolt extension and the FireWire cable (NB Both MacBook and DiskSense have to be turned off). Use the adapters to connect to the MacBooks with Thunderbolt 2 or Thunderbolt 3 interface.

2. Start DiskSense unit and launch Atola Insight Forensic on your computer.

3. Boot the MacBook in Target Disk Mode. To do that, start it up while holding down the T key. You should see a FireWire or Thunderbolt icon displayed on screen signifying that Target Disk Mode is detected and working.




4. Select Identify device option in the pop-up window.

5. In Source - Select MacBook Case window click Add new case button.




6. If this is the first time this MacBook is identified by Insight, you need to enter the Serial number of the MacBook in the pop-up window and click OK. The device has been identified. (NB MacBook's serial number can be found on the bottom case).


 

Now you can perform these operations with the connected MacBook:

  • imaging
  • hash calculation
  • hash verification
  • comparing
  • media scan
  • file recovery

When a MacBook is connected to Insight for a subsequent session, you can simply select the appropriate case from the table.

 

Interface controls & indicators

Atola Insight Forensic: Main Window

This page provides information on basic Atola Insight Forensic controls.

1. Back and Forward buttons

These buttons allow you to go to the previous screen of the program. This may be useful if you'd like to see previous output or quickly restart a process.

2. Main menu

You use this menu to navigate through different parts of the software.

3. Case

This panel shows the current case number or allows assigning a case number.

4. Source Port controls and indicators

The source port consists of several parts:

  • Power button. Lets you manually apply power to the hard drive attached to the DiskSense unit.
    • When power is on, single button click sends a spin down command first and after that performs power-off.
    • When power is on, you can click the button second time during spin down to instantly power the device off.
  • Re-Identify button. Used when you replace the hard drive.
  • HDD model, firmware, and serial number. Hard drive identification info.
  • Device interface type. Can be SATA, USB, IDE.
  • DCO. Indicates whether Device Configuration Overlay (DCO) is activated.
  • HPA. Indicates whether Host Protected Area (HPA) is activated.
  • PWD. Indicates if the hard drive is locked with an ATA password.

Port context (right-click) menu

  • Select Source... Allows choosing another source device (SATA/IDE/USB) (please see Attaching and detaching hard drives for more information).
  • Reset. Resets the hard drive's interface.
  • Re-identify. Should be used after you replace the drive.
  • Spindown. Sends the "Spindown Immediate" ATA command to the drive.
  • Current Oscilloscope. Brings up the oscilloscope window.
  • Terminal. Brings up the RS-232/serial terminal window.
  • Assign Case Number... Allows assigning a specific number to the open case.
  • Print... Prints or exports the whole case history.
  • Export... Saves the entire case history into a single file.
  • Import... Imports case history from a previously exported file.

5. Target Port controls and indicators

The target port has all the features of the source port. The target can be one of the following:

  • Device attached to the hardware target port (SATA or USB)
  • PC device (hard drive attached directly to the host PC)
  • Image file

6. Source Menu

Source port menu allows performing the following operations:

  • Select Source... Allows choosing another source device (SATA/IDE/USB) (please see Attaching and detaching hard drives for more information).
  • Reset. Resets the hard drive's interface.
  • Re-identify. Should be used after you replace the drive.
  • Spindown. Sends the "Spindown Immediate" ATA command to the drive.
  • Current Oscilloscope. Brings up the oscilloscope window.
  • Terminal. Brings up the RS-232/serial terminal window.
  • Assign Case Number... Allows assigning a specific number to the open case.
  • Print... Prints or exports the whole case history.
  • Export... Saves the entire case history into a single file.
  • Import... Imports case history from a previously exported file.

7. Windows menu

This menu is used to open the Current Oscilloscope and Terminal windows.

  • Current Oscilloscope. Helps to keep track of hard drive power consumption levels, can be especially useful for remote hard drive diagnostics.
  • Terminal. Helps in accessing the firmware area of certain hard drive models for both manual and automatic firmware recovery modes. The serial port can also be used for certain diagnostic functions.

8. Selected device information

This panel shows detailed information about the currently attached device. View ID Sector link will open the full information on the ID sector returned by the hard drive.

9. Case history

Here you can see all actions that were done to the currently attached hard drive. If you'd like to get full details on an action, just click it and Atola Insight Forensic will show you the detailed report.

10. Attached Files

Insight Forensic allows attaching files to the case. Whenever you attach a picture, a thumbnail is added to the Home screen.

11. Status and Error registers

This panel displays raw contents of Status and Error ATA registers in real time.

Registers: what they mean

Link Register

It is only enabled when the port is powered on, device presence is detected, and PHY communication is established.

Status Register

This register contains hard drive status information. It is updated after every single command sent to the drive.

ERR: means last command failed to execute. In this case the Error register contains more details on the specific error.
INDX: obsolete, used to trigger after each spindle revolution
CORR: obsolete, used to trigger after a bad sector was automatically corrected by ECC
DREQ (Data Request): is asserted when hard drive wants to exchange data with the host controller (in either direction)
DRSC (Device Seek Complete): is obsolete; always asserted on modern hard drives
FAULT (Write Fault): is obsolete
DRDY (Device Ready): is obsolete; always asserted on modern hard drives
BUSY: indicates that the hard drive is busy executing a command OR initializing (after power on or reset)

Error Register

Error register provides more details if the last command failed. This register is only valid when ERR bit of the Status Register is asserted.

AMNF: means Address Mark Not Found (usually occurs on failed read attempt)
T0NF (Track 0 Not Found): obsolete
ABRT: command aborted (unsupported command or other failure)
IDNF: sector ID not found (usually occurs on failed read attempt)
UNC: uncorrectable read error; the hard drive was unable to read data even after applying ECC recovery algorithms
ICRC (Interface CRC error): there was CRC error while transferring data between host and the hard drive (usually indicates bad interface cable)


Diagnostics

Automatic Diagnostics

Automatic Checkup feature diagnoses the following hard drive components:

  • Electronics (circuit board)
  • Motor
  • Heads
  • Media surface
  • Firmware area
  • Partitions and file systems

First, the hard drive's electronics (printed circuit board, or PCB) are diagnosed. The system applies power to the device, then records and analyzes the spin-up current curve. This makes it possible to detect most issues with the PCB and the motor. Then the contents of the hard drive's ATA registers and device identification sector are analyzed.

After that, the head stack is tested. Several factors are taken into consideration when diagnosing heads: media access time for each head, power consumption curves, and the hard drive's internal error reporting systems.

If the head stack looks good, the system performs a short media scan. The purpose of this scan is to find out how many "bad sectors" (if any) there are on the surface.

Then, several firmware tests are performed.

If no issues are found up to this point, a file system checkup is performed.

After all tests are done, Atola Insight Forensic displays the full report. The Diagnostics result message box contains a short summary of all tests.

Media Scan

Media scan can help detect two kinds of hard drive damage:

  • Head stack damage
  • Read errors ("bad sectors")

Media scan can also be used to determine general condition of the hard drive's surface.

There are three methods of scanning:

  • Linear — from start LBA to end LBA
  • Backward — from end LBA to start LBA (in reverse)
  • Fast — from start LBA to end LBA. Please note that in this mode the software skips large numbers of sectors; this mode is to be used only to get a quick overview of the entire surface.

Let's scan a good hard drive and see what we get.

Good hard drive

There are two graphs: the top graph represents single block read time (one block is 2048 sectors, which equals 1 megabyte), and the bottom graph represents read speed for the entire surface.

Now let's have a look at some graphs taken from damaged hard drives.

Unstable hard drive

We call such hard drives "unstable". They usually do not have read errors, but at the same time media access times are very high and change sporadically. In most cases it is possible to create a clean image of such drive.

Hard drive with damaged head

You can observe patterns of delays which indicate head damage. However, please note that although the head is damaged, it can still read *some* sectors without errors, therefore it is possible to create a relatively good image of such hard drive by imaging data off good heads first, and then off the bad head.

Read errors

Read errors are displayed as vertical red bars. Please note that when scanning, Atola Insight Forensic shows the entire block as bad even when only one sector in that block is damaged.

Tracking a drive's SMART table status before and after imaging

Being able to evaluate the drive’s state before it has exhausted its resources can make all the difference between a case won or a case lost in a court of law.

The SMART table is a valuable source of information about a hard drive’s health. SMART (Self-Monitoring, Analysis and Reporting Technology) provides statistics on a drive’s operation, which helps predict its future failure. Drawing a definitive conclusion from the values in the SMART table is not easy: not all parameters are critical; it is usually a combination of bad values in a few parameters that points to trouble; and the time factor plays a role too (how fast the state of the drive has been deteriorating).

To view SMART table of a drive:

  1. Go to View SMART subcategory of Diagnostics category of the left-side menu
  2. Click Read SMART button

SMART table attributes may differ depending on the drive manufacturer. The most critical attributes are:

  • Reallocated sectors count
  • Current pending sector count
  • Uncorrectable sector count

When RAW value of any of these attributes is greater than zero, Insight will highlight it in yellow.

The worse the values, especially in these critical attributes, the more carefully the drive needs to be treated.

To keep track of changes in the SMART table attributes, Insight records the SMART table values before and after each imaging session.

To open both SMART tables for side-by-side comparison:

  1. Go to Imaging Results
  2. In SMART data line click View link.

By comparing the two tables, the operator can evaluate whether the health of a drive has been deteriorating throughout the imaging session and thus assess how quickly its health has been getting worse.

Whenever you need to evaluate how the state of the drive has been changing long-term, you can go to previous imaging sessions and look up SMART table. Insight will store this information in its case management system.


Imaging

Multi-pass imaging of damaged drives

Atola Insight Forensic has complex imaging functionality that allows imaging even physically damaged hard drives while avoiding further drive deterioration. Damaged drives require a complex imaging approach that balances thorough data extraction with the forensic need for expediency and measured treatment of damaged media.

Most imagers have a linear imaging process, and whenever such imager encounters a bad sector on a drive, the process slows down drastically, which often causes the drive to freeze. To speed up imaging of damaged drives and maximize the amount of successfully retrieved data, Insight operates using a special imaging algorithm that provides deliberate timeout and block size control.

Using small block size pays off when you need to thoroughly retrieve maximum data from an unstable drive, but it also significantly slows down imaging process. What’s worse, such approach increases the possibility of causing further damage to the media. That's why Insight's multi-pass imaging engine uses large blocks with short timeouts on the first few passes, scheduling reads inside slow areas for later and then using the smallest block size on the last pass when fewer sectors are left to be read.

This technique helps achieve imaging speeds of 500 MB/sec in good areas of the drive, while approaching bad areas in the most gentle way possible and reaching unbeatable overall speed of disk duplication.

The best part is that Atola Insight Forensic will handle block sizes automatically, thus providing the best possible results in the shortest amount of time. This allows Atola Insight Forensic to be faster in virtually any job than any other data recovery or image acquisition tools commercially available.

Block sizes and timeouts are adjustable. However, the default settings of the passes are based on our decades-long experience in the data recovery market and fit most problematic drives. Therefore, it is advisable to follow them unless a particular drive requires specific settings.

On the first pass, Insight allows 1-second Timeout per block, and the Max read block size is set to 4096 sectors. The settings of the first pass allow smooth sequential imaging of all modern hard drives, whose media is sound. But when imaging damaged drives, these settings make Insight skip any areas that slow down reading and perform Jump on error by 1,000,000 sectors at a time. These settings ensure imaging data from the healthy areas of the drive at top speed, while forcing Insight to return to the problematic areas during the following passes, splitting such areas into smaller ones and allowing more time for reading the data within.

While Max read block size remains the same during the second and third passes, Jump on error is set to 20000 sectors and 4096 sectors respectively, and slightly longer, 5-second Timeouts are allowed for each attempted block read.

On the fourth pass, both Jump on error and Max read block size are yet again reduced, this time to 256 sectors.

On the fifth pass Insight allocates 60-second Timeouts to read the Maximum block size of 256 with just 1-sector Jump on error. It is the last and the most scrupulous attempt to read the remaining bad areas of the drive.

After the final pass the Imaging Results report will appear to show the eventual number of errors on the drive and other detailed statistics.
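
The pass settings above can be traced through a small simulation. The Python below is an added example, not Atola's code: a toy model that assumes a failed read still returns the sectors in front of the failing LBA, that the pass-4 timeout stays at 5 seconds (the manual does not state it), and a constructed drive with four dead and two slow sectors.

```python
"""Simplified model of multi-pass imaging (added example, not Atola's code)."""
from bisect import bisect_left
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class ImagingPass:
    timeout_s: int       # Timeout per block, seconds
    max_block: int       # Max read block size, sectors
    jump_on_error: int   # sectors skipped after a failed read


# Pass settings as described in the manual. The pass-4 timeout is not stated
# there; 5 s is an assumption carried over from passes 2 and 3.
DEFAULT_PASSES = (
    ImagingPass(1, 4096, 1_000_000),
    ImagingPass(5, 4096, 20_000),
    ImagingPass(5, 4096, 4096),
    ImagingPass(5, 256, 256),
    ImagingPass(60, 256, 1),
)


class SimulatedDrive:
    """Constructed toy drive: sparse map of LBA -> seconds needed to read that
    sector. math.inf marks a sector that never reads; unlisted sectors are fast."""

    def __init__(self, total_sectors, latency):
        self.total = total_sectors
        self.latency = dict(latency)
        self.special = sorted(self.latency)

    def first_failure(self, start, end, timeout_s):
        """First LBA in [start, end) that cannot be read within timeout_s."""
        i = bisect_left(self.special, start)
        while i < len(self.special) and self.special[i] < end:
            if self.latency[self.special[i]] > timeout_s:
                return self.special[i]
            i += 1
        return None


def run_pass(drive, todo, p):
    """Image the half-open LBA ranges in `todo` with pass settings `p`.

    Model assumption: a failed read still delivers the sectors in front of the
    failing LBA, and the imager then skips `jump_on_error` sectors from there.
    """
    left, read, commands, timeouts = [], 0, 0, 0
    for start, end in todo:
        pos = start
        while pos < end:
            bad = drive.first_failure(pos, end, p.timeout_s)
            if bad is None:
                read += end - pos
                commands += math.ceil((end - pos) / p.max_block)
                break
            read += bad - pos
            commands += (bad - pos) // p.max_block + 1   # full blocks + failing one
            timeouts += 1
            skip_end = min(bad + p.jump_on_error, end)
            left.append((bad, skip_end))                 # revisit on a later pass
            pos = skip_end
    stats = {"read": read, "commands": commands, "timeouts": timeouts,
             "wait_s": timeouts * p.timeout_s,
             "remaining": sum(e - s for s, e in left)}
    return left, stats


def image(drive, passes=DEFAULT_PASSES):
    """Run all passes; return (per-pass stats, ranges still unread at the end)."""
    todo, report = [(0, drive.total)], []
    for p in passes:
        todo, stats = run_pass(drive, todo, p)
        report.append(stats)
        if not todo:
            break
    return report, todo


def build_sample_drive():
    """Constructed sample: 10,000,000 sectors, four dead sectors, two slow ones."""
    inf = math.inf
    return SimulatedDrive(10_000_000, {
        3_000_000: inf, 3_000_010: inf, 3_005_000: inf, 3_500_000: inf,
        3_000_100: 3, 7_000_000: 3,      # readable, but need 3 s each
    })


if __name__ == "__main__":
    report, unread = image(build_sample_drive())
    for n, s in enumerate(report, 1):
        print(f"pass {n}: read {s['read']:>9,}  timeouts {s['timeouts']}  "
              f"waited {s['wait_s']:>3}s  remaining {s['remaining']:,}")
    print("unread ranges:", unread)
```

In this model the first pass retrieves 80% of the sample drive while waiting on only two 1-second timeouts, and the 60-second timeouts are spent only on the last few hundred sectors.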

When looking at the settings of the imaging passes, you will see the Reverse direction check boxes. With this function selected, Insight will approach skipped areas of the drive from the other side on any selected pass. This way Insight can get more data from a drive before entering a damaged zone, which needs to be concentrated on during the following passes.

Another option in the imaging pass settings worth mentioning is Disable read look-ahead. Most contemporary hard drives have read look-ahead functionality, which makes the drive sequentially read more blocks than requested by software. In good drives, this functionality helps the drive operate faster by reading more data and caching it. But with bad drives, read look-ahead leads to bad areas being addressed more often, which slows down the process and may lead to a complete freeze of the drive. In such cases, disabling read look-ahead is advisable.

Please note that when dealing with a damaged drive, we strongly recommend using Segmented hashing because this method supports multi-pass imaging and handling of bad sectors, and provides better resiliency against data corruption.

To read about the way Insight handles imaging of freezing damaged drives, see Imaging Freezing Damaged Drives.

Creating a logical image of a source drive

While physical imaging involves sector-for-sector copying the whole evidence drive from the first LBA to the last one, logical acquisition implies bit-for-bit copying of the file structure.

Logical acquisition is handy when time is limited and you need to quickly start working with the file structure. At the same time, a logical image does not include remaining fragments of previously deleted files, which makes this imaging method incomplete. On top of that, hash values of the source and the target will not be identical. Therefore, for an in-depth investigation, it is still preferable to use a physical image.

This guide will show how Atola Insight Forensic’s flexible imaging functionality enables users to perform selective logical imaging.

In the Imaging category of the left-side menu there is I want to image drop-down menu, where you can select All sectors with data or All sectors with metadata options.

When you choose All sectors with data, you can image the whole system structure of the drive including folders and files, while omitting the areas with no data or fragments of previously deleted files.

By going for All sectors with metadata option you can image the system structure without data within its files (e.g. MFT in NTFS) for file browsing and selecting specific files to be imaged in full. For more information on this please watch this video guide: Benefits of Imaging Metadata.

When you select either of these two options, imaging log adds a message about the partitions Insight has been able to find.

Once imaging is complete, you can view the structure of the logical image you have obtained by clicking Analyze target image.

This will open the Target port.

  1. Click Scan partitions button
  2. Select any of the imaged partitions you want to open
  3. Click Open partition button

In our example, we have imaged all sectors with data, and the partition we open contains the file structure and files, which we can explore, open and analyze.

Clip Target Drive to Source Evidence Size

When you image data from a drive involved in an investigation case, and the target drive will be holding a 1:1 clone of evidence data, in many cases it is critical that the target drive's capacity is identical to that of the source drive. Should there be a difference in size between the source and the target devices, their hashes will be different too.

However, if your SATA target drive has a larger capacity, you can limit its size to that of the source drive using Host Protected Area (HPA). It will make the sectors beyond this limit inaccessible to the hashing tools as well as the end user.

To do that:

  1. Go to Imaging category of the left-side menu and click Create New Session link
  2. In Preset line click the Show settings link.
  3. In Miscellaneous tab tick the box next to Limit target disk size to source size using HPA (SATA target ports only) option.
Enabling HPA

You can now proceed with the Imaging process by clicking Start Imaging button.

When Imaging is complete, you will see that target disk port now contains an HPA indicator, thus informing you that HPA has been enabled on this drive. There will also be a report created in the Case History.

Target Drive Port

This report will contain information about the time when HPA was enabled, a detailed device description and how this action was initiated. It will also indicate the initial max address as well as the current one.

HPA Report

Now you can calculate hashes on both disks to make sure they are identical.

Please note that enabling HPA is an option available only for SATA target drives.

Imaging Drives with Damaged Heads

Hard drives with physical damage require a complex imaging approach. This guide will explain how to retrieve data with the minimal risk of data loss on a drive with a damaged head stack.

If an Automatic Checkup report indicates that there is a problem with the heads, look at the status of each head.

Diagnostics report

If the status of a head or multiple heads is Degraded or Damaged, the drive will not be able to read all the data. What’s worse, even more sectors may soon become unavailable due to incorrect functioning of the drive’s hardware.

We recommend that you start by imaging the heads, whose status is OK, as soon as possible. To do that:

Step 1. Go to Imaging category of the left-side menu, click on Create New Session link and select the device or file to which the data will be imaged.
Step 2. In the Start new imaging session page go to Heads line and click on Select heads to use link.
Step 3. Unselect the damaged head.
Step 4. Click on Start Imaging button.

Unselect Degraded Head

As a result, you get as much data from the drive’s viable heads as possible before even beginning to work with the damaged head. This way the risk of losing data on the working part of the head stack is minimized.

Imaging Result with 3 Good Heads

Now that this data has been successfully retrieved, you have two options:

  • To have the head stack replaced before imaging the remaining data. However, as a result of head stack replacement data on the drive can become unreadable.
  • To attempt Imaging data with the Degraded or Damaged head. Follow the same procedure as with the good heads, only this time, during Step 3 unselect all the working heads and leave only the Degraded/Damaged one(s) before clicking on Start Imaging.
Unselect 3 Working Heads

Atola Insight Forensic’s sophisticated functionality enables users to retrieve maximum data even from the severely damaged drives.

Now that you have an image of the source evidence including the data copied from the damaged head, you can take the risk and get the head stack fixed. Afterwards, you can start a new session to complete the initially created image with data from previously unreadable sectors.

Imaging Freezing Damaged Drives

When Atola Insight Forensic performs Imaging, it approaches bad sectors in the most gentle yet thorough way with high overall speed. But most importantly, Insight is unbeatable at imaging severely damaged drives, while providing all the necessary tools for evidence verification and proper data storage formats. Insight's ability to succeed even with the drives that freeze in the course of imaging makes it indispensable for forensic specialists.

So why do damaged drives freeze?

When a drive receives and runs a Read sectors command, and comes across a physically or logically damaged sector, the device is unable to return a good result. Therefore it goes into Retry mode, repeatedly attempting to retrieve data from the damaged area.

However, often the drive is unable to read data from the damaged sectors and the Retry mode can last for a very long time before it decides to give up on a particular sector and return an Error.

How does Insight handle this issue?

If Insight simply waited for each Read sectors command to be completed:

  • it would take ages to get an Image of a drive with numerous errors;
  • it could cause the drive to slip into complete freeze;
  • in the worst-case scenario, further damage could be caused to the data on the drive.

For these reasons, Insight issues a Reset command whenever a drive attempts to read a block of sectors for longer than allowed by the pre-configured Timeout. Reset is a device interface operation with which Insight (the host) stops the previously sent Read sectors (or any other) ATA command, so that Insight continues imaging from the next planned block on the drive.

If the device is still running Read Sectors command, even after Reset attempt, Insight will wait 3 seconds and perform another Reset command. At the moment of the second Reset, a new entry will appear in the Imaging Log reading Device hangs while reading block X – Y.

If 20 seconds after the second Reset, the drive has not been able to abandon the current block, Insight will perform Power cycle by forcibly cutting power to the drive for 5 seconds. At this point Insight will add two entries to the log:  Performing power cycle... (when the power is cut off) and Waiting for the device to become ready… (when the power is switched back on).

Should Power cycle prove successful and the drive become ready to accept the next command, there will be a final log entry for this problematic block of sectors saying: Cannot read block of data at X – Y (Timeout).

If Power cycle is ineffective, it means that the drive is still in Busy state that prevents it from becoming ready to run the next command. After that, Insight will make one or more additional power cycles.  In Insight’s default settings the Max consecutive Power Cycles option is set to five. Should all five Power cycles be unsuccessful, Imaging will be automatically terminated. It can be resumed afterwards, and Insight will continue to image all remaining sectors.

While users are able to change the default maximum numbers of Resets and Power cycles, these are set based on our decades-long experience and balance the need for data retrieval with the risk of further data loss.

NB If prior to Imaging, you applied Change Max Address temporarily (until power cycle) option, the Power cycles performed in the course of Imaging will not affect it. The Host Protected Area will remain accessible throughout the Imaging process. Insight will temporarily remove HPA max address restriction after each Imaging-related Power cycle.

The same is true for Reset Password until power cycle option. Insight will keep the password reset throughout the Imaging process, without regard to the Power cycles applied.

Imaging a Source Drive to an E01 File with MD5 and SHA-1 Hashes

In recent years, E01 file format has become the de facto standard format for forensic purposes due to its ability to store not only a physical or logical copy of a source drive, but also case and evidence details. E01 file can also contain both MD5 and SHA-1 hashes. And it is considered a good practice among forensic specialists to calculate both hashes while imaging the evidence so that they are included in the E01 file.

To image a source evidence drive to an E01 file you have to add a new target file.

Selecting a new E01 file

1. In Imaging category of the left-side menu you can click on Create New Session link and in the Target Device Selection window click on Add Image File link.

2. In the Image File Selection window select E01 file extension in the drop-down menu to create an image file with this extension and type the name you prefer in the File Name field.

3. Fill out all the relevant fields in the Image File Options window (you can also do it later in the Home page of the file when it is created):

4. Click on Select button in the Target Device Selection window.

As a result, you get an E01 file with a current capacity of 0 bytes (its final capacity will be defined by the amount of imaged data it contains plus the metadata).

Imaging & calculating the hashes

  1. Go to Imaging category of the left-side menu and click on Create New Session link
  2. In Preset line click on the Show settings link
  3. In Passes and Hash tab check the Hash source during imaging box
  4. In Hash method drop-down menu select Linear
  5. In Hash type drop-down menu select MD5 and SHA-1
  6. Click on Start imaging button
 

Upon completion of imaging, you will see both MD5 and SHA-1 hashes indicated in Imaging Results page:

Splitting an imaging session to separate targets

A situation may occur when multi-target imaging is paused to be continued later, but one or more targets become unavailable. The drive may be needed by another technician or may break, or the server with the image file may become unavailable. But you may need to finish imaging to the remaining target as soon as possible to start working on the evidence.

It is for such cases that we have added the splitting imaging sessions functionality to the 4.9 release of Atola Insight Forensic.

With the source drive connected to Insight, go to Imaging category and view the details of the interrupted imaging session to several targets. If not all target drives and image files are available, it is impossible to simply resume imaging. However it is possible to split the previous imaging session into separate ones: one per each target. To do that click Split all sessions to separate targets link.

Once the session has been split, it is possible to resume imaging to each separate target by clicking Resume button in each target’s Imaging Session.

The resumed imaging session will skip all sectors imaged to the target within the previous session.

This way one can complete imaging to all targets at different times, as they become available.

NB Please note that if a target becomes unavailable during imaging, the process will automatically stop running, and you can try to either resume imaging to all targets, or split imaging sessions should it be necessary.

Insight's Case Management system records every step of data acquisition process saving them into reports grouped by cases.

To view the whole list of cases and their devices:

  1. Go to Case category in the top menu
  2. Click on Search/Open option

In the Search and Open Case window you will see the list of all the devices that have ever been connected and identified by your Insight.

It is possible to search for cases using multiple criteria and sort the results ascending or descending in any of the columns.

Please note that it is possible to store multiple devices under the same case number, allowing you to keep track of all devices related to a certain case.

Once a device is selected, you get a preview of the case including device details: when the case was created (i.e. the device was connected to the unit and identified by Insight for the first time), last time it was opened, the device model, serial number and description.

The case opens as a separate port in the Top Bar of the Insight window.


Calculating & verifying hash

Segmented Hashing

Segmented hashing is a new hashing concept that makes it possible to hash damaged source drives and to avoid losing a target image if part of the data gets corrupted. This hashing method can be used during multi-pass imaging of damaged drives.

How is segmented hashing different from regular hashing?

With regular hashing, you get a single hash for the entire image.

With segmented hashing, you end up with many hashes of corresponding LBA ranges of the image. The sum of these LBA ranges represents the entire image, though not necessarily in sequential order. You can still prove that the entire image has not been modified by verifying all hashes in a set.

Segmented hashes are saved in a CSV file in this format:

Hash,start LBA,end LBA

Example:


75c92419e86ce82734ef3bbb781e6602,0,8388608
e2c7fc5264bae820e46c50b0502236d3,8388609,16777216
42718e48b5adb59563c98727cbce0619,16777217,25165824

... And so on until the last LBA.

Segmented hashes for multi-pass imaging

The conventional hashing method prevents imaging source evidence in a non-linear way, which means a hash cannot be calculated properly when imaging damaged evidence drives. Segmented hashing allows the use of multiple passes and more efficient handling of damaged drives, while hashing all good areas.

Hashes are calculated only for the imaged areas, while all bad sectors are excluded from the calculation.

Segmented hashing in Imaging

Better resiliency

Another reason to use segmented hashes is to ensure better resiliency against data corruption in the image. If your acquired evidence image gets damaged in the future, with a regular linear hash you will get a hash mismatch upon verification, and the entire image will become useless. With segmented hashes only the hash for one segment in the set will become invalid.

Example: Imaging with segmented hashing

Here are imaging results including a link to the file with segmented hashes.

Segmented hashes are saved in a CSV file in "Hash,start LBA,end LBA" format:

Segmented hashes in CSV file

Verifying damaged images with segmented hashing

Last November Atola Technology team presented a new hashing method called Segmented hashing. Unlike the conventional linear hashing, segmented hashing produces not a single hash, but a list of hashes of corresponding LBA ranges of the image saved into a CSV file in this format:
Hash, start LBA, end LBA

By validating all hashes on the list, you can prove that the entire image has not been modified. For more information about this hashing method, please follow this link: Segmented Hashing.

While this method of hashing has a number of benefits for forensic specialists, among its strongest advantages is its applicability to damaged drives.

For one, this non-linear hashing method allows calculating hashes of the good areas of evidence media, while bad areas that are impossible to read and image, are left out of the calculation.

Secondly, if your acquired evidence image is damaged at some point in the future, with the regular linear hashes you will get a hash mismatch upon verification, and the entire image becomes useless, whereas with segmented hashes only the hash of the damaged segment will become invalid. For example, in the case of a 4TB hard drive, if the default 4GB segment size is applied, one invalid hash will account for only 0.1% of the drive, while the remaining 99.9% of hashes can still be verified.

Verifying segmented hashes

Suppose you have imaged a source drive and calculated its segmented hashes, and the CSV file is stored on your computer. Now let's simulate a change to the evidence image to see how Segmented hashing helps us identify the areas whose integrity has not been compromised.

Step 1. Select the target image in the top Port bar. In the Disk Editor subcategory of Device Utilities category of the left-side menu, we can open any sector of the drive. There we can change one byte in sector #35,000,000.

Change one byte in Disk Editor  

Step 2. In the Hashing category of the left-side menu there is Verifying Segmented Hashes subcategory. This is an automated way to verify the segmented hashes in an existing CSV file against the target image. Select the file with segmented hashes calculated during imaging and click Start.

 

Step 3. Hash verification is in progress. Here we see 18 segmented hashes checked. The hash for the interval that includes sector 35,000,000 is invalid.

Segmented hash verification in progress  

Step 4. Hash verification finishes with the proper case report automatically created, also in CSV format.

Segmented hash verification report

This is how segmented hashing helps you avoid the whole image being compromised when a small area of the evidence target is damaged.
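The verification walkthrough above can be reproduced outside the tool on a raw image. The following is an added example, not Atola's code: it assumes 512-byte sectors, inclusive end LBAs, hex-encoded SHA-1 hashes and a CSV with the three columns shown earlier; the function names and the small constructed image are hypothetical.

```python
import csv
import hashlib
import os
import tempfile

SECTOR_SIZE = 512      # assumption: 512-byte logical sectors
CHUNK = 1024 * 1024    # bytes read per call while hashing a segment


def hash_range(img, start_lba, end_lba, algo):
    """Hash sectors start_lba..end_lba (inclusive) of an open raw image."""
    h = hashlib.new(algo)
    img.seek(start_lba * SECTOR_SIZE)
    remaining = (end_lba - start_lba + 1) * SECTOR_SIZE
    while remaining > 0:
        data = img.read(min(CHUNK, remaining))
        if not data:               # image is shorter than the CSV claims
            break
        h.update(data)
        remaining -= len(data)
    return h.hexdigest(), remaining == 0


def write_segment_csv(image_path, csv_path, segment_sectors, algo="sha1"):
    """Write one 'hash, start LBA, end LBA' row per segment of the image."""
    total = os.path.getsize(image_path) // SECTOR_SIZE
    with open(image_path, "rb") as img, open(csv_path, "w", newline="") as out:
        writer = csv.writer(out)
        for start in range(0, total, segment_sectors):
            end = min(start + segment_sectors, total) - 1
            digest, _ = hash_range(img, start, end, algo)
            writer.writerow([digest, start, end])


def verify_segment_csv(image_path, csv_path, algo="sha1"):
    """Return [(start_lba, end_lba, ok)] for every segment row in the CSV."""
    results = []
    with open(image_path, "rb") as img, open(csv_path, newline="") as src:
        for row in csv.reader(src):
            # Skip blank lines and a possible header row.
            if len(row) != 3 or not row[1].strip().isdigit():
                continue
            expected = row[0].strip().lower()
            start, end = int(row[1]), int(row[2])
            actual, complete = hash_range(img, start, end, algo)
            results.append((start, end, complete and actual == expected))
    return results


def summarize(results):
    """Share of sectors still verifiable, plus the invalid LBA ranges."""
    total = sum(end - start + 1 for start, end, _ in results)
    good = sum(end - start + 1 for start, end, ok in results if ok)
    invalid = [(start, end) for start, end, ok in results if not ok]
    pct = 100.0 * good / total if total else 0.0
    return {"verified_pct": pct, "invalid": invalid}


def demo():
    """Hash a constructed 1000-sector image, change one byte, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.img")
        table = os.path.join(tmp, "segments.csv")
        with open(image, "wb") as f:             # constructed sample data
            for lba in range(1000):
                f.write(lba.to_bytes(4, "little") * (SECTOR_SIZE // 4))
        write_segment_csv(image, table, segment_sectors=100)
        before = summarize(verify_segment_csv(image, table))
        with open(image, "r+b") as f:            # flip one byte in sector 350
            f.seek(350 * SECTOR_SIZE)
            original = f.read(1)
            f.seek(350 * SECTOR_SIZE)
            f.write(bytes([original[0] ^ 0xFF]))
        after = summarize(verify_segment_csv(image, table))
        return before, after


if __name__ == "__main__":
    print(demo())
```

Only the segment containing the modified sector fails; every other LBA range in the table still verifies.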

Calculating Hash During Imaging

Atola Insight Forensic supports hash calculation of both source and target devices in conjunction with imaging. We have developed highly flexible functionality to help you fit the evidence acquisition process to your internal procedures and avoid causing further damage to fragile media.

To view the hashing options:

  1. Go to the Imaging category of the left-side menu and click the Create New Session link
  2. Select the target device or file
  3. In the Preset line, click the Show settings link
  4. In the upper part of the Passes and Hash tab there are three checkboxes:
  • Pre-hash source device
  • Hash source during imaging
  • Post-hash target device(s)

Multiselect is available, which allows an operator to use all three of these options.

However, the Pre-hash source device option must be used with caution: although pre-hashing can be required by an investigator’s internal procedures, when dealing with drives that have been diagnosed with hardware failure, this operation may cause further damage to the drive before essential data is imaged.

In contrast, Hash source during imaging is the most appropriate way to calculate the hash of a fragile source evidence drive. In this case, Insight only needs to read the data on the drive once to both image it and calculate the hash, which keeps the load on the drive’s hardware to a minimum.

NB A linear hash can only be calculated by reading sectors consecutively in one pass. Therefore, ticking the Hash source during imaging checkbox and selecting the Linear or combined Linear and Segmented option in the Hashing method drop-down menu limits the number of passes to one. When dealing with a damaged drive, we strongly recommend using Segmented hashing, as this method supports multi-pass imaging and handling of bad sectors and provides better resiliency against data corruption. For more details please follow this link: Segmented hashing.

The Post-hash target device(s) option allows the calculated hash to be properly recorded in the case. Since this operation does not require reading the source drive, it is safe to use this option while imaging either good or damaged drives.

Calculating MD5 and SHA1 hashes of an existing E01 file

Over the years, E01 has become a popular file format for forensic purposes due to its ability to store not only the physical or logical copy of the source drive, but also case and evidence details. An E01 file can also contain both MD5 and SHA-1 hashes, and it is considered good practice among forensic specialists to calculate both hashes while imaging the evidence so that they are included in the E01 file.

To view the hash calculated for an E01 file with Atola Insight Forensic, open the file by pressing the Plus icon in the port bar and then selecting E01 image files (*.E01) file extension in the drop-down menu to view existing files with this extension.

 

In the Home page look through the File History and click on the Imaging target link.

 

This will open an Imaging target report, at the bottom of which you will be able to see both hashes calculated during the imaging session.

You may leave this window open or save the report as a PDF file to compare the hash with the newly calculated one later.

Then go to Calculate Hash page in Hashing category of the left-side menu and select Linear in Hash method drop-down menu and MD5 and SHA-1 in Hash type drop-down menu.

 

Once the hashes have been calculated, you can make sure that the two sets of hashes are identical.

Comparing Hashes of Source and Target to Find Modified Data

So you have a Source evidence drive and its image on a different device, and you have a record that their hash values were identical in the past.

If you get a different hash value when you calculate the hash of the target now, it could be due to hardware failure, or because the device containing your image was used by a third party.

To understand how substantial these changes are, you will want to locate the sectors that have been modified.

  1. In the Disk Utilities category click Compare subcategory.
  2. Make sure that the whole range of sectors of the drive is selected and that the radio button next to the Device on DiskSense Target Port option is selected
  3. Click Compare button.

Atola Insight Forensic's high-performance compare function will compare the source and the target and will help you identify and locate the modified sectors:


Unlocking devices

Extracting and Resetting an Unknown ATA Password

Insight can recover and/or remove unknown HDD passwords (also known as ATA passwords) and for most hard drives the unlocking process is fully automated.

When a device is connected and identified as locked with an ATA password, there is a corresponding PWD indicator displayed in the port, and Security Status in the Home page says Locked, High or Locked, Maximum. High and maximum are password protection levels that the operator who locked the device selected. Although information about it may be relevant to the investigator, both security levels are supported by Insight's password recovery functionality, therefore this information is not important for the purpose of this guide.

 

To perform a complete Diagnostics, Insight needs to have a hard drive unlocked. Therefore we suggest that when dealing with a locked device, password recovery is performed before running the Automatic Checkup.

Password Extraction, Reset and Reset until power cycle

Under the Device Recovery category of the left-side menu, select the Password Recovery subcategory. There are three options for dealing with a locked hard drive:

  • To display the password without unlocking the device at this moment, click Extract button. This option does not require write protection on the source port to be switched off.
  • To work with the data on the drive without permanently resetting the password, tick Reset Password until power cycle checkbox and then click on Reset button. This way write protection stays enabled on the source port, and no changes can be made to the drive.

NB. If Reset Password until power cycle option is selected, no power cycles that are executed in the course of automatic checkup, imaging or other operations will affect the temporary unlocked status of the device. Only a deliberate power cycle, such as clicking on Power button, will change the Security status of the drive back to Locked.

  • Finally, to permanently unlock the device, switch off write protection and then click on Reset button.

For the list of hard drives currently supported by Insight's automatic password recovery, please follow this link.

Please note that this guide is applicable to all supported Samsung, Toshiba and Western Digital hard drives. To unlock a Seagate drive, please connect the device to the Serial port of the DiskSense unit and then follow the same steps. Hitachi drives require the use of the password extraction adapter: for more information please follow this link.

Connecting Seagate Drives to Serial Port

If you need to extract or reset an unknown password or perform drive recovery on a Seagate hard drive, use a Serial cable to connect the drive to the DiskSense unit.

Take a minute to familiarize yourself with the Serial cable’s three connectors. On one side of the cable, there are two connectors. Both are 2-pin RX-TX (receive-transmit) connectors. The slightly larger one has 2.5-mm pin pitch and is used for IDE drives. The smaller one has 2-mm pin pitch and is used for SATA drives.

Serial Cable Connectors Close Up

On the opposite side of the Serial cable, there is a 3-pin TX-RX-GND (transmit-receive-grounding) connector. This connector is inserted in the Serial port on the back side of the DiskSense unit.

DiskSense Back Side

Connecting 3.5-inch and 2.5-inch Seagate SATA drives

When you look at a Seagate SATA drive (either 3.5-inch or 2.5-inch), there is a 4-pin jumper block right next to the SATA port.

seagate sata 3.5 seagate sata 2.5

Connect the 2-mm RX-TX end of the serial cable to the two jumper pins located closest to the SATA port so that the red RX (receive) wire is connected to the pin closer to the SATA port.

seagate sata connected seagate sata 2.5 connected

Connecting 3.5-inch Seagate IDE drives

Desktop IDE drives have an 8-pin jumper block between IDE port and Power port. For the purpose of this manual, we shall call the pair of pins located closest to the IDE port and used for Master/Slave settings the first pair of pins. The next, second pair of pins is usually used for Cable Select settings. The third pair of pins is the one we will connect the Serial cable to.

Please note that IDE hard drives must be set to Master mode for password extraction and reset or drive recovery. To use the drive in Master mode, place a jumper on the first pair of pins (closest to the IDE port), as shown in the picture below.

seagate IDE 3.5

Attach the 2.5-mm RX-TX connector to the third pair of jumper pins, as shown in the picture below. Make sure that red RX (receive) wire is facing down and the black TX (transmit) wire is facing up. The second pair and the fourth pair of pins must be left open.

seagate IDE 3.5 connected

Connecting 2.5-inch Seagate IDE drives

Similar to desktop hard drives, laptop Seagate hard drives also must be set to Master mode to perform password extraction and reset or drive recovery. Master mode on a 2.5-inch device is set by removing all jumpers.

Seagate IDE 2.5

There is a 3.5"-to-2.5" IDE adapter included in the package with the DiskSense unit. It consists of the following components:

  • IDE port J1 for IDE interface cable
  • 2.5-inch IDE port J2 to connect the drive to
  • Power port J3 for IDE power cable
  • 4-pin block J4, where each pin is marked with letter A, B, C, and D.

2.5 to 3.5 IDE adapter

Use the adapter to connect the drive to IDE interface cable and IDE power cable. Then attach the 2.5-mm RX-TX connector to pins marked A and C, as shown in the picture below. Make sure that the black TX (transmit) wire is connected to the pin A, and red RX (receive) wire is connected to the pin C.

Seagate IDE 2.5

Please note that to use the 2.5-inch Seagate IDE drive in Slave mode, the 2.5-mm RX-TX connector must be detached from the adapter and instead a jumper must be placed on pins A and B.

Configuring the Baud rate

Once the Seagate hard drive is connected to the unit, follow these instructions to configure the Baud rate of Seagate Terminal, which allows you to use an extensive set of commands on a Seagate drive:

  1. If there is only one source drive connected to the DiskSense unit, it will automatically be identified and displayed in the Source disk port. However, if there are multiple hard drives connected to the DiskSense unit as Source drives, go to Source category of the top level menu, click on Select Source and choose the Seagate drive.
  2. Power down the selected drive.
  3. In the Windows category of the top level menu click on Terminal and in the COM Port Settings window select the Baud rate compatible with the drive. Please note that for Seagate 7200.10 and older Baud rate will be 9600; for 7200.11 and newer Baud rate will be 38400 (Atola Insight Forensic will suggest the baud rate by setting a default value in the Terminal window for the drive connected to it).
  4. Then click OK. But do not close the Terminal window just yet.
  5. Power on the drive again. There must be a valid output in the Terminal window (see the picture below).

Terminal output

Should there be no output in the Terminal window or should it consist of random symbols, try to change the Baud rate until you get a good response.

Now proceed with password extraction or send Seagate Terminal commands to the drive.

Recovering Seagate 7200.11 hard drives

First of all, please connect the hard drive's serial port to DiskSense unit by following instructions on the Serial Port Connection page.

Open the Terminal window, select the DiskSense COM port (usually the one that is displayed by default is the correct one). 38400 is the proper speed for 7200.11 hard drives:

Once everything is set up, click OK. Make sure that you have attached everything correctly by applying power to the drive (you should see a meaningful output in the terminal window).

Note: if you make a mistake while entering commands, you will get the following message:


Invalid Diag Cmd Parameter


In this case simply re-enter the command and double-check that you are entering everything exactly as shown in this manual.

Once everything is ready and you have powered on the drive, you should see the following (or very similar) output in the terminal window:


Rst 0x20M

(P) SATA Reset


At this point press CTRL+Z. You should receive the command prompt:


F3 T>



Fixing zero capacity problem

1. Type the following: m0,2,2,0,0,0,0,22 and then press ENTER.
2. At this point the drive will stop responding for a while.
3. After some time (1-5 minutes) you will get several messages from the drive similar to these:


Max Wr Retries = 00, Max Rd Retries = 00, Max ECC T-Level = 00, Max Certify Rewrite Retries = 0000

User Partition Format Successful - Elapsed Time 0 mins 00 secs


4. Wait some more time until you see the command prompt again:


F3 T>


5. Type the following: /2 and then press ENTER. You will see the following output:


F3 T>/2

F3 2>

6. Type capital Z and press ENTER:


F3 2>Z

Spin Down Complete
Elapsed Time 10.543 secs
F3 2>

7. At this point you have to re-power the drive. The procedure is complete.


Fixing HDD always BUSY problem

This problem is also known as "LED:000000CC problem". This is because when you apply power, you will usually see the following output:


Rst 0x10M
LED:000000CC FAddr:0025BF67


To fix this issue, please follow these steps:

1. Power off the drive
2. Remove two screws as shown in the picture below (you will need a Torx T6 screwdriver):

3. Insert a piece of paper as shown in the picture below (the goal is to separate the spindle motor contacts from the PCB):

4. If you detached any cables from the drive, this is the right time to attach them back.

5. Apply power to the drive (with screws removed and paper inserted) and wait for the drive to become ready (usually no more than one minute)

6. You will see the following (or very similar) output in the terminal:


Rst 0x20M


7. Press CTRL+Z. You will get the command prompt:


F3 T>


8. Type the following: /2 and then press ENTER. You will see the following output:


F3 T>/2

F3 2>


9. Type capital Z and press ENTER:


F3 2>Z

Spin Down Complete
Elapsed Time 0.132 msecs
F3 2>


10. Now remove the paper, put all screws back and tighten them (do not power off the drive!):

11. Type capital U and press ENTER:


F3 2>U

Spin Up Complete
Elapsed Time 6.604 secs
F3 2>


12. Type the following: /1 and then press ENTER. You will see the following output:


F3 2>/1

F3 1>


13. Type the following: N1 (capital N and one) and then press ENTER. You will see the following output:


F3 1>N1

F3 1>


14. Re-power the drive (press Power Off button on the DiskSense unit; wait 10-15 seconds; press Power On button) and wait until it initializes:


Rst 0x20M

(P) SATA Reset


15. Press CTRL+Z. You will get the command prompt:


F3 T>


16. Type the following: i4,1,22 and then press ENTER. You will see the following output:


F3 T>i4,1,22

F3 T>


17. At this point do not re-power the drive, scroll to the top of this page and go through Fixing zero capacity problem starting from step 1.

Unlocking Hitachi hard drives with Atola Insight Forensic


DISCLAIMER: BY FOLLOWING THESE INSTRUCTIONS YOU ACKNOWLEDGE THAT NO ONE IS RESPONSIBLE FOR ANY DAMAGE THAT CAN BE DONE TO THE HARD DRIVE OR OTHER DEVICES OR EQUIPMENT DURING THIS PROCEDURE.

PLEASE MAKE SURE THAT YOUR PC AND ATOLA DISKSENSE UNIT ARE PLUGGED VIA A UPS (Uninterruptible Power Supply). PLEASE ALSO MAKE SURE YOU DO NOT HAVE ANY OTHER PROGRAMS RUNNING. INTERRUPTION OF THE UNLOCKING PROCESS MAY RENDER THE HARD DRIVE INOPERABLE.

BEFORE YOU PROCEED WITH UNLOCKING, PLEASE LOOK THROUGH FOLLOWING INFORMATION. IF YOU ARE NOT COMFORTABLE WITH THE PROVIDED INFORMATION, PLEASE DO NOT PROCEED.

Password extraction on Hitachi SATA drives

Hitachi drives require the use of the password extraction adapter which is included in the product package. The adapter plugs straight into the IDE port located on the front side of the DiskSense Forensic unit.

2.5-inch SATA hard drives (HGST models)

The following actions can only be performed if your SATA drive is attached to DiskSense unit via Hitachi password extraction adapter.

1. Connect Hitachi password extraction adapter to the IDE Source port of DiskSense unit.

2. Connect the source Hitachi HDD to Hitachi password extraction adapter.

3. Place the hard drive as shown in the picture (no need to disconnect any cables):

4. Use a T4 screwdriver to remove four screws as shown below:

5. Put a piece of paper between the circuit board and the hard drive assembly:

6. Do not remove paper; proceed with unlocking

7. To disable the Safe Mode, first remove the paper and then put all screws back:

8. Continue with the unlocking process.


2.5-inch SATA hard drives (old models)

The following actions can only be performed if your SATA drive is attached to DiskSense unit via Hitachi password extraction adapter.

1. Connect Hitachi password extraction adapter to the IDE Source port of DiskSense unit.

2. Connect the source Hitachi HDD to Hitachi password extraction adapter.

3. Place the hard drive as shown in the picture (no need to disconnect any cables):

4. Use a T4 screwdriver to remove two screws as shown below:

5. Put a piece of paper between the circuit board and the hard drive assembly:

6. Do not remove paper; proceed with unlocking

7. To disable the Safe Mode, first remove the paper and then put all screws back:

8. Continue with the unlocking process.


3.5-inch SATA hard drives

The following actions can only be performed if your SATA drive is attached to DiskSense unit via Hitachi password extraction adapter.

1. Place the hard drive as shown in the picture (no need to disconnect any cables):

You can see the orange cable connected to the PCB and fastened by the latch.



2. Important: Power off the drive.

3. Unlock the latch as shown below:



4. Disconnect the cable to activate Safe Mode.



5. Proceed following Atola Insight instructions.

6. Important: Power off the drive.

7. To deactivate Safe Mode, plug the orange connector into the PCB socket and fasten it with the latch.



8. Follow Atola Insight instructions.


IDE hard drives

1. You will need the Atola 2.5-inch to 3.5-inch adapter:

If you have such an adapter, please skip to step 4.

2. Disconnect the drive and place it as shown in the picture:

You do not need to perform this step if you have Atola 2.5-inch to 3.5-inch adapter (see step 1)

3. Locate a jumper that fits 2.5-inch HDD jumper pins:

And then install the jumper into position as shown below:

You do not need to perform this step if you have Atola 2.5-inch to 3.5-inch adapter (see step 1)

4. If you're using Atola 2.5-inch to 3.5-inch adapter, then install a jumper between pins A and C (on the adapter).

5. Attach the hard drive back to the Atola DiskSense unit and proceed with unlocking.

6. To disable the Safe Mode, simply remove the jumper:

7. Plug the hard drive back to the Atola DiskSense unit and continue with unlocking.



More features & special capabilities

Multitasking Capabilities of Atola Insight Forensic

With each passing year, speed becomes an ever bigger issue for forensic specialists: while the capacity of hard drives grows exponentially, their speed does not keep up. A common 4TB drive reaches up to 200 MB/s, or 12 GB/min, which translates to more than 5 hours of imaging. Imaging a drive with damaged zones may take a prohibitive amount of time. Therefore, the ability to simultaneously run different operations on several devices is more vital than ever.

To provide users with greater productivity, Atola Insight Forensic's high-capacity multi-core CPU supports up to 15 concurrent tasks, which can be assigned to different drives or image files.

You can start Imaging process from a Source drive to one or multiple Target drives and/or image files. Then you can click on the Plus icon and open another target drive to start another operation.

 

For example, you can launch Fill/Erase on this Target drive to get it ready for the next imaging session:

 

It is also possible to Calculate Hash on yet another Target drive:

Other long-running operations you can perform simultaneously include:

  • Automatic Checkup
  • Verifying Segmented Hashes
  • File Recovery
  • Scripting (e.g. searching for files, file types, words, phrases or patterns, or specific information types such as email addresses, telephone numbers, addresses, GPS coordinates etc.)
  • Comparing data on drive with a pattern
  • Media Scan

Wiping multiple drives simultaneously

Erasing data on destination drives guarantees accuracy of the imaged data and helps verify that the drive has no errors. In the process, all sectors are overwritten using the selected pattern or method.

When you need to prepare multiple hard drives for imaging, Insight's multitasking capabilities enable you to do so much faster by launching Erase/Fill on multiple drives simultaneously, including those connected to the source port.

To wipe the drive connected to the source port, remember to switch off write protection on the port so that the indicator above the switch is off and there is a notification right below the port bar saying Note: Write protection of currently attached device is OFF (see the picture below).

Then follow these steps:

  1. Under Device Utilities select Fill or Erase.
  2. Select Fill method among the wide range of options and click on Next button.
  3. Select the range of sectors to be erased on the drive and click on Start Fill / Erase button.
  4. Finally, confirm that you want to erase data on the disk in the pop-up window.

To run a concurrent Fill/Erase process on another drive, click on the + (plus) icon in the port bar and select a drive connected to a Target port:

Then repeat the same steps to launch the process on this device:

By following the same steps you can wipe data from one source drive and three target drives, all at the same time, as shown in the picture below.

This ability to perform Fill/Erase on multiple drives makes Insight exceptionally useful for forensic units dealing with multiple cases, where evidence acquisition is an ongoing activity.

Lifting HPA and DCO restrictions

Both HPA (host protected area) and DCO (device configuration overlay) features were created by hard drive manufacturers as hidden areas reserved for storing vendor utilities or simply to make a drive appear to have a certain number of sectors (smaller than the actual drive capacity). However, end users learned many years ago to modify and write to these areas of hard drives with the help of open source and freely available tools. For digital forensics specialists, this means that without the ability to identify such hidden areas of a drive and acquire the full physical image including data in these areas, the evidence they get may be incomplete and lead to inaccurate investigative conclusions.

When you connect a hard drive to the DiskSense unit, in addition to the standard Identify device command, Atola Insight Forensic automatically sends two commands to look up the drive size as set in drive’s firmware: Read native max address and Device configuration identify. If drive size has been limited by DCO or HPA, Insight will draw attention to these changes by adding corresponding red indicators to the DiskSense Source Port.

To get more details about the modifications that have been made to the drive’s firmware, run Automatic Checkup and see the Firmware section of the Diagnostics report.

There you will see three lines indicating the drive’s Max Address according to different records in the drive’s firmware:

  1. The Max Address according to device ID line shows the max address from the ID sector, affected by both HPA and DCO restrictions if those are applied.
  2. Native Max Address indicates max address ignoring HPA limitation that may have been enabled, yet affected by DCO restriction.
  3. Max Address from DCO is the line that gives you the actual drive size.

A Diagnostics report of a drive that does not have HPA or DCO activated will have the same value in all three lines.
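The relationship between the three Max Address lines can be turned into a completeness check for an existing image. This is an added example, not part of Atola Insight Forensic: the function names and the sample addresses are constructed, and 512-byte sectors are assumed.

```python
SECTOR_SIZE = 512  # assumption: 512-byte logical sectors


def hidden_areas(id_max, native_max, dco_max):
    """Return [(kind, first_lba, last_lba)] for the areas hidden on a drive.

    id_max     - Max Address according to device ID (HPA and DCO applied)
    native_max - Native Max Address (HPA ignored, DCO still applied)
    dco_max    - Max Address from DCO (the actual drive size)
    """
    if not 0 <= id_max <= native_max <= dco_max:
        raise ValueError("expected ID max <= native max <= DCO max")
    areas = []
    if native_max > id_max:
        areas.append(("HPA", id_max + 1, native_max))
    if dco_max > native_max:
        areas.append(("DCO", native_max + 1, dco_max))
    return areas


def image_gaps(image_sectors, id_max, native_max, dco_max):
    """List the hidden ranges that an image of image_sectors sectors lacks."""
    last_imaged = image_sectors - 1
    gaps = []
    for kind, first, last in hidden_areas(id_max, native_max, dco_max):
        if last_imaged < last:
            missing_first = max(first, last_imaged + 1)
            gaps.append({
                "kind": kind,
                "first_lba": missing_first,
                "last_lba": last,
                "bytes": (last - missing_first + 1) * SECTOR_SIZE,
            })
    return gaps


def demo():
    """Constructed values: a drive clipped by both HPA and DCO."""
    id_max, native_max, dco_max = 899_999_999, 949_999_999, 976_773_167
    return {
        # Image taken with both restrictions in place.
        "clipped": image_gaps(900_000_000, id_max, native_max, dco_max),
        # Image taken after lifting HPA only.
        "hpa_lifted": image_gaps(950_000_000, id_max, native_max, dco_max),
        # Image taken after lifting both restrictions.
        "full": image_gaps(976_773_168, id_max, native_max, dco_max),
    }


if __name__ == "__main__":
    for name, gaps in demo().items():
        print(name, gaps)
```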

To disable any limitations that have been applied to the drive’s firmware, click on the Unclip HPA/DCO subcategory under Device Utilities category of the left-side menu and click on Unclip button.

Please note that the Write Protection switch needs to be disabled on the DiskSense unit to perform this operation, as Unclip HPA/DCO involves making changes to the drive's firmware, and Write Protection blocks such changes.

Atola Insight Forensic lifts HPA and DCO restrictions in a matter of seconds and enables access to all data on the drive.

Lift HPA until power cycle

Often, due to internal procedures, forensic specialists are not allowed to make any changes to the drive, therefore they cannot disable HPA and DCO restrictions and access data in the hidden areas. But with Atola Insight Forensic it is possible to lift HPA limitation until the next power cycle, which helps avoid permanent changes to the drive.

To use this feature, go to Host Protected Area subcategory of the Device Utilities category of the menu and click Read HPA parameters link. By clicking Set as current link you will automatically change Current Max Address value to that of Native Max Address. Then tick the Change Max Address temporarily (until power cycle) checkbox and click Change Max Address button.

This will allow access to the data in the area previously protected by HPA, yet as soon as you power off or detach the drive, the HPA will be in place again.

NB If the drive contains damaged areas and Insight needs to perform power cycles during imaging, such power cycles will not affect the temporarily disabled HPA: Insight will temporarily remove HPA max address restriction after each imaging-related power cycle, and HPA will remain accessible throughout the imaging process.

For more information about imaging of freezing drives, please follow this link.


Case management

Case Management system

Insight's Case Management system records every step of data acquisition process: every operation is automatically added to the case from the moment a device is identified including date, time, media map and hash values. When a hard drive is imaged, its media map is recorded detailing all the sectors that have been skipped. Case notes can be added at any time to log information such as the case technician or owner of the hard drive.

Whenever an operator connects a hard drive to the DiskSense unit, Atola Insight Forensic makes an automatic database lookup and retrieves all past records associated with that particular hard drive. New entries will be added seamlessly to the database. You do not need to enable Case Management or take any additional actions for it to start functioning; it is fully embedded into Atola Insight Forensic and works at all times.

Case number can be assigned and changed at any time. The system also allows browsing through all cases and records within the cases, without corresponding devices being connected to the unit.

Finding and opening a case

Insight's Case Management system records every step of data acquisition process saving them into reports grouped by cases.

To view the whole list of cases and their devices:

  1. Go to Case category in the top menu
  2. Click on Search/Open option

In the Search and Open Case window you will see the list of all the devices that have ever been connected and identified by your Insight.

It is possible to search for cases using multiple criteria and sort the results ascending or descending in any of the columns.

Please note that it is possible to store multiple devices under the same case number, allowing you to keep track of all devices related to a certain case.

Once a device is selected, you get a preview of the case including device details: when the case was created (i.e. the device was connected to the unit and identified by Insight for the first time), last time it was opened, the device model, serial number and description.

The case opens as a separate port in the Top Bar of the Insight window.

Print reports from a case

Insight’s Case Management system includes flexible printing functionality. To print a report click the Print link in the case’s Home page.

In the Print Case History window you get all the reports listed, sortable by date or by reported operation. It is possible to tick just some of the reports or select all reports in the case by ticking the check box in the header of the list. Below there are all pictures attached to the case, which you can also select to be printed.

At the top of the Print Case History window there are four check boxes with report listing and printing settings (click on the Case Management arrow to view all check boxes):

  • Insert page break after every report on print
  • Also show miscellaneous reports hides/displays all reports of seemingly minor importance, yet essential to some forensic specialists in accordance with their internal procedures
  • Also print CSV logs allows the printed version of the reports to include operation logs saved in CSV format
  • Also print segmented hashes enables the segmented hashes saved in CSV files to be included in the printed version of the reports

It is possible to print or save the selected reports and pictures in a PDF, HTML or RTF file by clicking Save to file… or Print buttons.

If you have ticked the latter two options, this is how the log and the segmented hashes will be displayed in the report:

Changing details in a case

Insight's case management system has been created to help users efficiently keep track of hard drive-related information.

Even if a hard drive has already been used for a while, and imaging and hashing have already been performed, it is still possible to open the case and make adjustments to its details.

Click the Plus icon next to the Case Number in the top right corner.

Now you can enter or change the Case Number and Description. To save your changes click OK button.

You will see the description visible next to the Case History. For quick changes, you can also click Change link located right below the description.

A little lower there is a green Plus icon, which you can click to add a document or an image to the case.

In the Attach File window enter the file location path and leave a comment in the corresponding field.

If you tick the Copy to work folder check box, the file will be copied to the same folder where any other related files are located, e.g. tables with segmented hashes, logs, imaging maps, file signature lists etc.

You can now see all the uploaded files in the case's Homepage below the description, and you can view all the details and change them when necessary by clicking Manage attached files link.


Attached Files window contains the list of files including an icon representing the file type, the name, the folder where the file is located, the date when the file was attached to the case and the comment added by the user.

Right-clicking a file provides the Edit option enabling a user to edit the Comment or copy the file to the case folder at any time.

Exporting and importing cases from one computer to another

It is possible to transfer all or some of the cases stored in one Insight's case management system to another one. The only requirement is that both computers have the same version of Insight installed.

Whenever cases need to be transferred from one computer to another one, start by exporting the cases.

1. Go to Cases category of the top level menu and click Export.

2. In the Export Cases window select the folder where the cases should be stored, then select the cases you would like to export and click the Save button.

3. The cases are now saved as a package in a zip file (with the default name Cases.Package.zip), which can later be copied to a different computer.

NB Whenever a case is exported, a record about it is added to the case’s history.

Importing cases

To import cases from a zip file into Insight on a different computer:

1. Click Import in Cases category of the top menu of Insight.

2. Click the Browse icon and select the path and name of the zip file.

3. Select some or all of the cases in the table and click Import button.

Please note that if there is a match between existing case numbers and the imported ones, Insight will prompt you to either cancel the import or save the case that causes the conflict as a copy.