Artifacts search

Imaging is a time-consuming part of the evidence acquisition process, especially when dealing with damaged drives.

Even though Atola Insight Forensic is the fastest forensic imaging tool in the world (there is literally no penalty on a drive speed when you image it with Insight!), we want to help expedite forensic process even further. The artifact search feature allows analysis of data from an evidence device in the course of imaging.

Unlike most forensic analysis tools that parse the file structure, Insight does sector-level parsing, which allows getting data even from the spaces of the drive that are not associated with any file (e.g. remnants of previously deleted documents), thus providing you with clues that are omitted by most analysis tools. Artifact finder uses Intel Hyperscan engine, which makes it the fastest possible tool for primary data analysis.

Artifacts settings

On the sidebar, click Imaging.
Click Create New Session.
In the Target Device Selection dialog, select target device.
Open the Artifacts tab.

In this tab it is possible to view, select or deselect the artifacts you want to be searched in the course of imaging.

For each of these artifacts we have not only applied well-known algorithms including the Luhn formula used to validate credit card numbers, but also applied our own smart filters to eliminate false results (for example, if there are two slashes near the number that has preliminarily been identified as a credit card number, that will eliminate it from the search results, as it is likely to be a part of a URL).

Keywords and regular expressions can be added to the search parameters in a txt file with one artifact per line. Next to the Keywords category on the Artifacts tab, click the View link before imaging and make sure the keywords are displayed correctly. Keyword encoding can be adjusted to Unicode, Unicode (UTF-8), Unicode (Big-Endian) or US-ASCII.

A few of the artifacts are selected by default, namely: GPS, MAC, Phone numbers, URL. You can adjust these default settings and click the Save settings button. This will affect all future imaging sessions (including those on new source drives) unless you re-adjust the settings or restore the default settings by clicking the corresponding link. The paths to the files with keywords and regular expressions will also remain saved, although should any changes by made to the txt files in the saved directory, the changes will be uploaded at the start of each imaging session.

It is advisable that no more than 4 artifacts are selected at a time, otherwise imaging will slow down considerably. Also, keywords consisting of less than 4 symbols or regular expressions consisting of less than 6 symbols; large number of keywords (more than 2000) or regular expressions (more than 10) may also slow down imaging process. This is due to the large number of results such search parameters are capable of producing.

Once you have ticked the boxes next to the artifacts you would like to be searched for, click the Start Imaging button.

Browse through the artifacts in the course of imaging

Once imaging has begun, go to the Artifacts tab in the bottom part of Insight window and watch the selected artifacts being found: the numbers of artifacts and the corresponding diagram change on the go.

To see the artifacts in a list, press on any of the categories or the diagram.

In the table, each artifact is assigned an Id number, each found Value is shown in the context (including 20 bytes before and 20 bytes after the artifact in grey color), the LBA and the Offset are also displayed in the table to help locate the artifact.

There are many options to help find, sort, filter and view the artifacts: it is possible to view one or a few categories of artifacts in one list, use the Search bar to find a specific value (search examples are provided in the bottom right corner of the window), filter results for unique values by clicking the Show unique artifacts link.

The latter option is quite valuable as it helps identify the values most frequently occurring on the drive: to sort the results click Count in the table header.

To promptly find the sector where an artifact is located, you can double click the artifact you would like to examine more thoroughly.

Export artifacts

The Export to CSV button is disabled during imaging. You can wait until imaging is completed or pause it, make an export and restart imaging, should it be necessary to start analyzing the current artifact search output with an external tool:

Pause imaging.
On the Imaging results screen, click the Artifacts link.
On the Artifacts screen, select the artifacts you would like to be exported (for example, one or multiple artifact categories, unique artifacts or only those fitting certain search criteria).
Click the Export to CSV file button.
Select the path for the file and click Export.
Once the export is completed (which normally takes no longer than a few seconds), restart imaging.

Now, in the Imaging category on the Sidebar, there is the Export artifact link. If the source drive was imaged in multiple sessions, and artifact lists were created during different imaging sessions, by clicking this link you can download a merged list of artifacts from multiple imaging sessions.