Forensic Data Recovery

Forensic data recovery is a part of Atola Insight Forensic that provides file extraction capabilities for both good and damaged drives. It supports partition types of the most popular operating systems: Windows, Mac OS X and Linux.

Supported file systems:
NTFS, APFS (with encrypted volumes), XFS, ext4/3/2, ExFAT, HFS/HFS+, FAT32, FAT16

Recovery of deleted files supported for:
NTFS (all versions), FAT16, FAT32, HFS, HFS+, HFSX

Forensic data recovery: partitions and files

All-in-one solution

Atola Insight is a very powerful tool on its own. With the File Recovery module tightly integrated into its imaging module, Insight becomes the ultimate forensic data recovery tool.

During the imaging process, Insight analyzes data on the evidence drive and saves information about the imaged sectors and the errors found on the source. This information is used in File Recovery to find and extract each file's data and to provide additional details regarding the file status.

Atola Insight Forensic allows you to select any supported drive attached to the DiskSense 2 unit or the host computer for file recovery. You can also select any image file stored on any connected media. Device search and item selection are quick and easy.

File status

Once imaging is completed, File Recovery shows the status of each file on the target in the file browser, indicating the percentage of file data successfully imaged from the source. This way you can assess which files are incomplete and to what degree.

The Image checked function lets you image the sectors of those files whose Copied status is below 100%.

File status for further forensic data recovery

File map

Finding the exact missing part of a file is easy. With one click, you have access to the file's sector map. In this map, you get a color-coded representation of all the parts of the file that were imaged correctly and the parts that were not imaged due to bad sectors. It allows you to immediately estimate the file's condition and attempt another imaging of the specific sectors of a file.
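The relationship between an imaging map, a file's Copied percentage and the sectors still worth retrying can be sketched as follows. This is an added illustration, not Atola's code or data format: the half-open `(start, end)` sector ranges, the function names, the file names and all sample values are constructed assumptions.

```python
def merge(ranges):
    """Sort half-open (start, end) sector ranges and merge overlaps."""
    out = []
    for s, e in sorted(r for r in ranges if r[1] > r[0]):
        if out and s <= out[-1][1]:
            out[-1] = (out[-1][0], max(out[-1][1], e))
        else:
            out.append((s, e))
    return out

def subtract(a, b):
    """Return the parts of merged list a not covered by merged list b."""
    out = []
    for s, e in a:
        cur = s
        for bs, be in b:
            if be <= cur:
                continue
            if bs >= e:
                break
            if bs > cur:
                out.append((cur, bs))
            cur = max(cur, be)
        if cur < e:
            out.append((cur, e))
    return out

def file_status(extents, imaged):
    """Return (copied_percent, missing_ranges) for one file's extents."""
    ext = merge(extents)
    missing = subtract(ext, merge(imaged))
    total = sum(e - s for s, e in ext)
    lost = sum(e - s for s, e in missing)
    # Assumption: a file with no allocated sectors counts as fully copied.
    return (100.0 * (total - lost) / total if total else 100.0), missing

def reimage_plan(files, imaged):
    """Merged sector ranges to retry for every file below 100% copied."""
    todo = []
    for extents in files.values():
        todo += file_status(extents, imaged)[1]
    return merge(todo)

# Constructed sample: sectors 0-4999 imaged except two unreadable runs.
IMAGED = [(0, 2100), (2108, 4000), (4064, 5000)]
FILES = {"report.docx": [(2048, 2304), (3990, 4010)], "notes.txt": [(100, 200)]}

if __name__ == "__main__":
    for name, ext in FILES.items():
        print(name, file_status(ext, IMAGED))
```

Only the fragmented file that overlaps the unreadable runs drops below 100%, and the retry plan contains just its missing sectors rather than the whole drive.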

Hash list

With this feature, you can import text files with massive lists of file hashes. Those can be treated as white or black hashes. The concept of white and black hash lists is simple:

File Recovery compares every calculated file hash against the database. If a file hash matches a hash in either the white or the black list, a special mark appears to the left of the file hash value.

Example: The picture below shows the Black and Unknown hash filters activated. As a result, more than 1300 White hash files from the "/temp" folder are filtered out, so you can see that two suspicious files remain at the end.

Hash filters activated

Powerful forensic file search

File Recovery has advanced search capabilities that help you quickly find the files you need. The search file mask supports wildcards as well as regular expressions. Search results are filtered by various conditions/filters that can be easily combined:

Each of these can be specified many times with different values and operations (more/less than, equals, between, etc.).

Search by file hash set and date range

File list creation

Atola Insight Forensic creates lists of files specifying the status of each file. When created, the list can be presented to you for review. This helps you conclude whether all files that are significant to the case are fully recovered or not.

Creating list of imaged files for forensic data recovery

Effective reporting

After File Recovery is completed, a full report is automatically created listing files successfully recovered, files not successfully recovered, and files with skipped sectors. This report is automatically stored in Atola Insight's case management system.

Forensic data recovery report