Extracting files directly from a potentially failing storage device is dangerous because the media can stop working at any moment. The best practice from both forensic and data recovery standpoints is to image the data quickly and safely from the original drive. Afterwards, proceed with further evidence analysis using the backup copy.
DiskSense 2 is an updated version of Atola Insight's hardware unit that is capable of running 3 forensic imaging sessions in parallel. No matter the health status of the drive, Insight will image 3 drives in a fast and reliable fashion thanks to its state-of-the-art server-grade hardware.
Atola Insight Forensic can run 3 parallel imaging sessions. The unit's server-grade motherboard, CPU and ECC RAM sustain fast and reliable evidence acquisition of multiple drives, either damaged or healthy.
The DiskSense 2 unit is equipped with 6 Source ports:
Remote image acquisition is available via iSCSI protocol.
Physically damaged hard drives require a complex imaging approach. The imaging engine uses these techniques to achieve the best results:
A few words on block size control. While using small block sizes helps in retrieving as much data as possible, it also significantly slows down the imaging process. Atola Insight's multipass imaging engine allows using large blocks with short timeouts on the first few passes. On the last passes, when only a few sectors are left to be imaged, Insight uses the smallest block sizes.
This technique allows achieving real imaging speeds of up to 500 MB/sec on good areas of the drive, while approaching the bad areas in the most gentle way possible, thus achieving an unbeatable overall imaging speed.
Atola Insight Forensic handles block sizes automatically to provide the best possible results in the shortest amount of time.
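The multipass idea described above, as an added example (a simplified model written for this page, not Atola's imaging engine). The block sizes, the simulated drive and the rule that a read fails whenever it touches a bad sector are assumptions; timeouts are not modeled.

```python
# Simplified model of multipass imaging (illustrative, not Atola's code).
def read_block(bad, start, count):
    """Simulated device read: the command fails if it touches a bad sector."""
    return not any(lba in bad for lba in range(start, start + count))


def multipass_image(total_sectors, bad, block_sizes=(256, 16, 1)):
    """Image with shrinking block sizes (assumed values).

    Returns (imaged sectors, bad sector map, read commands issued per pass).
    The map is exact only when the last block size is 1 sector.
    """
    pending = [(0, total_sectors)]      # unread ranges as (start, length)
    imaged = set()
    commands = []
    for size in block_sizes:
        next_pending, issued = [], 0
        for start, length in pending:
            for pos in range(start, start + length, size):
                count = min(size, start + length - pos)
                issued += 1
                if read_block(bad, pos, count):
                    imaged.update(range(pos, pos + count))
                else:
                    # Leave the failed block for a later, finer pass.
                    next_pending.append((pos, count))
        commands.append(issued)
        pending = next_pending
    bad_map = sorted(lba for start, length in pending
                     for lba in range(start, start + length))
    return imaged, bad_map, commands


# Constructed sample: a 4096-sector drive with three unreadable sectors.
BAD = {1000, 1001, 3500}
imaged, bad_map, commands = multipass_image(4096, BAD)
print(bad_map, commands, sum(commands))
```

In this model the good areas are covered by a handful of large reads, and single-sector reads are spent only on the blocks that failed earlier passes.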
Insight images source media to up to 3 targets simultaneously. The following target types are supported:
The Artifact Finder module searches for artifacts at the sector level during imaging. This allows on-the-fly overview, sorting and search of the found data in all source evidence drive areas, including unallocated space.
Supported artifacts include:
In the Artifacts tab, at the bottom of the interface, the numbers of artifacts and the corresponding diagram update in the course of imaging.
The Artifacts table displays each artifact with an assigned Id number. The values are shown in the context (20 bytes before and 20 bytes after the artifact in grey color) along with their LBAs and offsets to help locate each artifact.
The real-time data viewer shows the raw data extracted from the source drive during imaging. There are two modes available:
Automated sector analysis checks each sector for file system structures (NTFS File Record, boot sectors, etc.)
The imager performs file signature analysis during imaging. It shows live stats of all found signatures while the data is being transferred, with no negative effect on imaging performance. Moreover, you can easily check raw sector data for any found file using the HEX Viewer without even pausing the imaging process.
The imaging module searches for 390+ default file signatures in the course of image acquisition. In addition to that, you can also add custom file signatures via CSV file.
Format of custom signature file:
Each line describes one signature. The line consists of 4 parts divided by a comma: Name, Bytes in Hex codes, Extension, Tag. The last field "Tag" is optional. Example:
DjVu document, 41 54 26 54 46 4F 52 4D, djvu
Tape Archive, 75 73 74 61 72, tar
Works for Windows spreadsheet, FF 00 02 00 04 04 05 54, wks
7-Zip File Format, 37 7A BC AF 27 1C, 7z, Archive
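A parser for the signature file format shown above, with a small scanner that applies it, as an added example (not Atola's code). The 512-byte sector size, matching only at the start of a sector, and the constructed test image are assumptions made for illustration.

```python
SECTOR = 512  # assumed sector size

SAMPLE_CSV = """\
DjVu document, 41 54 26 54 46 4F 52 4D, djvu
Tape Archive, 75 73 74 61 72, tar
Works for Windows spreadsheet, FF 00 02 00 04 04 05 54, wks
7-Zip File Format, 37 7A BC AF 27 1C, 7z, Archive
"""


def parse_signatures(text):
    """Parse 'Name, Hex bytes, Extension[, Tag]' lines into dicts."""
    sigs = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) not in (3, 4):
            raise ValueError(f"line {lineno}: expected 3 or 4 fields")
        name, hexbytes, ext = fields[:3]
        try:
            magic = bytes.fromhex(hexbytes)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad hex {hexbytes!r}") from exc
        if not magic:
            raise ValueError(f"line {lineno}: empty signature")
        sigs.append({"name": name, "magic": magic, "ext": ext,
                     "tag": fields[3] if len(fields) == 4 else None})
    return sigs


def scan_image(data, sigs):
    """Return (LBA, extension) for each sector that starts with a signature."""
    hits = []
    for lba in range(len(data) // SECTOR):
        sector = data[lba * SECTOR:(lba + 1) * SECTOR]
        for sig in sigs:
            if sector.startswith(sig["magic"]):
                hits.append((lba, sig["ext"]))
    return hits


# Constructed 4-sector image: 7z header at LBA 1, DjVu header at LBA 3.
IMAGE = bytearray(4 * SECTOR)
IMAGE[1 * SECTOR:1 * SECTOR + 6] = bytes.fromhex("37 7A BC AF 27 1C")
IMAGE[3 * SECTOR:3 * SECTOR + 8] = bytes.fromhex("41 54 26 54 46 4F 52 4D")
print(scan_image(bytes(IMAGE), parse_signatures(SAMPLE_CSV)))
```

Rejecting malformed lines with the line number makes a bad custom signature visible before an acquisition starts rather than silently never matching.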
The entropy is an indicator of randomness, which measures the amount of variation and unpredictability in the data. Insight calculates it on-the-fly while imaging. The light pink color means a low entropy level close to 0%. Most likely, you have sectors filled with binary zeroes or a pattern there. As opposed to that, the dark purple color indicates the maximum data randomness. Typically, it is a sign of:
The parameters of each task in Insight can be easily adjusted to fine-tune every step and meet the requirements of a specific case or organization, for example:
Multiple hashing methods are available and hashes are calculated on the fly.
The real-time imaging status screen shows all necessary information, thus providing full control over the process.
Visual feedback includes:
You are able to make on-the-fly changes to the parameters based on this information. For example, add a specific behavior on a certain condition (power cycle after X errors, etc.), or modify timeout settings.
You can perform these actions during imaging:
Once the imaging is over, all status information is automatically sent to the Case Management and File Recovery modules.
An imaging report contains all necessary information, including the SMART table of the source drive before and after the imaging process.
Atola Insight can image a source drive into an image file. Just select a storage location on the host PC and specify the image file size: put all data in a single image file or "chop" the data into a series of smaller chunks.
Supported image file types:
This option allows imaging only the sectors containing data from the source drive. The empty areas of the source drive will be skipped. This can substantially reduce the time spent on data transfer, relieve strain on the source drive and save space on the target.
Supported file systems: NTFS, APFS (with encrypted volumes), XFS, ext4/3/2, ExFAT, Btrfs, HFS/HFS+, FAT32, FAT16
This imaging option allows copying the absolute minimum amount of data for file browsing to work. Once metadata has been imaged, choose specific files to be imaged in full.
At the end of the imaging process, Atola Insight creates a Bad Sector Map and stores it in the Case history. The File Recovery module automatically refers to the Bad Sector Map, and marks all files hit by bad sectors.
It is a big time-saver: a list of recovered files has already been recorded during imaging, and the data is ready for browsing. Atola Insight is a 2-in-1 product that performs both imaging and file recovery.
For DiskSense units (manufactured in 2014 - 2020), check out this page about Drive Imaging.