Forensic data recovery of files is the part of the Atola Insight Forensic system that provides file extraction capabilities for both good and damaged drives. It supports all versions of the most popular operating systems: Windows, Mac OS X and Linux.
Supported file systems:
NTFS, APFS (with encrypted volumes), Ext 2/3/4, HFS, HFS+, ExFAT, FAT16, FAT32
Recovery of deleted files supported for:
NTFS (all versions), FAT16, FAT32, HFS, HFS+, HFSX
The File Recovery module in Atola Insight Forensic is a very powerful tool on its own, and it becomes more powerful still through tight integration with the imaging module, which performs disk imaging. This makes Insight the ultimate forensic data recovery tool.
During the forensic imaging process, Insight analyzes data on the source drive and saves information about copied sectors and errors found on the source device. This information is used in File Recovery to find and extract a file's data and to provide additional details regarding file status.
Atola Insight Forensic allows the user to select any supported media item attached to the DiskSense unit or host computer for file recovery. The user can also select any image file stored on any connected media. Device search and item selection are quick and easy.
When disk imaging with Atola Insight Forensic is completed, File Recovery shows the status of each file on the target in the file browser, indicating the percentage of file data successfully imaged from the source. This way you can assess which files are damaged and to what degree.
Atola Insight Forensic creates lists of files specifying the status of each file. Once created, the list may be presented to the examiner for review. The examiner can then tell whether all files that are significant to the case are fully recovered or not.
Finding the exact part of the file that was not imaged is easy. With one click, you have access to the file's sector map. In this map, you get a color-coded representation of all the parts of the file that were imaged correctly and the parts that were not imaged due to bad sectors. It allows you to immediately estimate the file's condition and attempt another imaging of the specific sectors of a file.
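The per-file percentage and sector map described above come down to intersecting a file's sector extents with the sectors the imaging pass could not read. The following is an added example, not Atola's code: the inclusive LBA range layout, the function names and the sample data are all assumptions made for illustration.

```python
# Added illustration (not Atola's implementation). All ranges are
# inclusive (first_lba, last_lba) tuples; the sample data is constructed.

def merge_ranges(ranges):
    """Sort and merge overlapping or adjacent sector ranges."""
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1][1] = max(merged[-1][1], end)
        else:
            merged.append([start, end])
    return [tuple(r) for r in merged]

def clip(extent, unread):
    """Parts of one file extent that fall inside unread ranges."""
    lo, hi = extent
    return [(max(s, lo), min(e, hi)) for s, e in unread if e >= lo and s <= hi]

def file_status(extents, unread_ranges):
    """Return total sectors, missing ranges and percent imaged for one file.

    Assumes the file's extents do not overlap each other.
    """
    unread = merge_ranges(unread_ranges)
    total = sum(hi - lo + 1 for lo, hi in extents)
    missing = merge_ranges(r for ext in extents for r in clip(ext, unread))
    lost = sum(e - s + 1 for s, e in missing)
    # A file with no allocated sectors has nothing that could be lost.
    percent = 100.0 * (total - lost) / total if total else 100.0
    return {"sectors": total, "missing": missing,
            "percent_imaged": round(percent, 2)}

# Constructed imaging log: sector ranges that returned errors or were skipped.
IMAGING_UNREAD = [(2048, 2055), (2050, 2063), (9000, 9000)]

# Constructed file system metadata: each file as a list of extents.
FILES = {
    "report.docx": [(2000, 2051), (8990, 9009)],  # fragmented, hits both bad areas
    "notes.txt": [(3000, 3007)],                  # fully imaged
    "empty.log": [],                              # no allocated sectors
}

if __name__ == "__main__":
    for name, extents in FILES.items():
        status = file_status(extents, IMAGING_UNREAD)
        print(f"{name}: {status['percent_imaged']}% imaged, "
              f"retry ranges: {status['missing']}")
```

The `missing` list is what a targeted re-imaging pass would be pointed at, so only the damaged sectors of a case-relevant file are read again rather than the whole drive.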
With this feature, you can import text files with massive lists of file hashes. Those can be treated as white or black hashes. The concept of white and black hash lists is simple:
File Recovery compares every calculated file hash against the database. If a file hash matches a hash in either the white or the black list, a special mark appears to the left of the file hash value.
Example: The picture below shows the Black and Unknown hash filters activated. As a result, more than 1300 White hash files from the "/usr/bin" folder are filtered out, and you can see that two suspicious files remain at the end.
File Recovery possesses advanced search capabilities helping to quickly find files you need. The search file mask includes wildcards as well as regular expressions. Search results are filtered by various conditions/filters that can be easily combined:
Each of these can be specified many times with different values and operations (more/less than, equals, between, etc.).
After File Recovery is completed, a full report is automatically created listing files successfully recovered, files not successfully recovered, and files with skipped sectors. This report is automatically stored in Atola Insight's case management system.
The speed of the DiskSense unit affects the speed of scanning the entire hard drive as well as the speed of the forensic data recovery process. Please note that the hard drive does not need to be scanned by the File Recovery module if it has already been duplicated/imaged using Atola Insight Forensic, because the Disk Imaging module automatically creates all data structures for the File Recovery module to reference.