Atola TaskForce provides a complete feature set for has a forensically sound evidence acquisition process. Based on our own decade-long experience of working with data storage devices as well as the experience of our clients in digital forensics market we strongly recommend this workflow:
TaskForce is equipped with a fully-automated diagnostics module, which diagnoses all drive systems: printed circuit board (PCB), spindle motor, head stack, firmware, and file systems. Diagnostics will work properly even if the drive has burnt parts or damaged head stack – the routine makes use of the current monitor that is embedded into DiskSense unit.
After diagnostics finishes, the tool will prepare a report and let you know the exact issue with the drive; it will also suggest the next step to be able to retrieve the data.
TaskForce detects hidden areas on the drive set via Host Protected Area (HPA) or Device Overlay Configuration (DCO) and can automatically recover/remove them. To avoid change the state of the drive, HPA or DCO reset until power cycle option is available with software version 2018.2.Automatic ATA password recovery and removal
TaskForce can recover and/or remove unknown ATA passwords (the feature will be delivered with 2018.2 version of the software). For most hard drives the unlocking process is fully automated. Some hard drives (for example, latest 2.5-inch Hitachi hard drives) require a degree of manual interference. Operator can choose whether to display the password or just remove it and unlock the drive. Both security levels (High or Maximum) are supported.
To ensure efficient imaging of both good and damaged drives, TaskForce is equipped with a sophisticated and powerful imaging module that creates a bit-to-bit copy of the evidence. Based on the diagnostics report, image drives with default settings or adjust them, should the media be damaged and require special treatment.
To ensure forensically sound evidence acquisition process, remember to calculate hash of the evidence and the image. It is essential way to prove image integrity.
With damaged devices, it is best to calculate hash during imaging (using segmented hashing). This way data on a fragile device is only read once, and less potential damage to the media is caused.