FAQ and Troubleshooting
General
What is the advantage of using Atola Insight Forensic compared to other forensic imagers?
We produce the only solution that is specifically designed to support damaged media. Here is how it stands out:
Our users usually start with automatic diagnostics of an evidence drive. It takes a couple of minutes but saves a lot of time and energy. It detects drive issues such as PCB instability, problems with the motor, a short circuit, firmware errors, degraded or even non-working heads, and physical media surface damage. Based on the results, you can decide on the next steps for handling the evidence drive.
Even if you work with a severely damaged source device, the imaging engine enables you to:
- disable damaged heads
- automatically overcome much more serious problems than the so-called 'software bad sectors'
- track drive state before, during and after imaging
- have every imaging event logged in a forensically sound manner
Atola Insight has file recovery integrated with imaging. By browsing the target image directory tree, you can always see which source file sectors are bad sectors or even were read with the ReadLong ATA command (without ECC).
Last but not least, Atola Insight Forensic can clear any unknown ATA password from the hard disk drive in just a minute.
What are the advantages of Atola Insight Forensic compared to software data recovery tools?
There are many advantages. Let's take ddrescue, for example. Here are some of the functions that Atola Insight Forensic provides but ddrescue lacks:
- For Insight, we have developed a functionality that specifically helps image freezing damaged drives.
- Insight's diagnostics function identifies damaged heads, while advanced imaging settings allow head selection to perform imaging in a fast and, most importantly, careful manner to avoid causing further damage to the evidence drive.
- Insight can image to multiple targets at the same time, including both hard drives and files.
- Forensic procedures require hash calculation to be a part of the acquisition process. Insight has a very flexible hash calculation functionality: it can simultaneously calculate MD5 and SHA hashes of the source before, during or after imaging, and the target drive's hash can be calculated in conjunction with imaging or as a separate action. Additionally, Insight has the segmented hashing feature, which can verify an image of a damaged drive—something that is impossible with a standard linear hashing.
- Built-in write protection.
- Insight's in-depth diagnostics help identify the drive status and, based on that, the right way to handle the drive for successful data acquisition.
- Insight's overcurrent protection detects when a hard drive draws an abnormal current and stops the hard drive to prevent any further damage to the system and the drive.
- Insight can access an ATA-locked drive in less than two minutes with just a few mouse clicks.
- Locate Sectors finds the exact location of specific sectors and detects which files and partitions they belong to. On top of that, it gives you a list of files that were impacted by bad sectors.
These are just some of the key features that Insight offers. For more details, see the full product overview.
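To illustrate why segmented hashing can verify an image of a damaged drive where a single linear hash cannot, here is an added Python example; it is not Atola's code and does not reproduce Insight's segmented hash file format. The segment size, the sample data, the unread byte range and all function names are constructed assumptions.

```python
import hashlib
import io


def overlaps(start, end, ranges):
    """True if the byte span [start, end) intersects any (start, end_exclusive) range."""
    return any(start < r_end and r_start < end for r_start, r_end in ranges)


def segmented_hashes(stream, total_size, segment_size, unread_ranges=()):
    """Hash an image in fixed-size segments.

    A segment that touches an unread byte range gets digest None: its
    contents were never fully read from the source, so it cannot be verified.
    Returns a list of (offset, length, sha256_hex_or_None).
    """
    manifest = []
    for offset in range(0, total_size, segment_size):
        length = min(segment_size, total_size - offset)
        if overlaps(offset, offset + length, unread_ranges):
            manifest.append((offset, length, None))
            continue
        stream.seek(offset)
        digest = hashlib.sha256(stream.read(length)).hexdigest()
        manifest.append((offset, length, digest))
    return manifest


def verify(stream, manifest):
    """Re-hash every segment that has a digest.

    Returns (offsets_of_mismatching_segments, number_of_bytes_verified).
    """
    mismatched, verified = [], 0
    for offset, length, digest in manifest:
        if digest is None:
            continue  # segment contained unread data, nothing to compare
        stream.seek(offset)
        if hashlib.sha256(stream.read(length)).hexdigest() == digest:
            verified += length
        else:
            mismatched.append(offset)
    return mismatched, verified


def demo():
    seg = 4096
    # Constructed 64 KiB "source drive" contents.
    source = bytes((i * 7 + 3) % 251 for i in range(16 * seg))
    # Constructed damage: two 512-byte sectors inside segment 5 could not be read.
    unread = [(5 * seg + 512, 5 * seg + 1536)]
    manifest = segmented_hashes(io.BytesIO(source), len(source), seg, unread)

    # The target image holds the same data, with the unread bytes filled with 00.
    target = bytearray(source)
    for start, end in unread:
        target[start:end] = bytes(end - start)

    # A linear hash over the whole target cannot match the source's true
    # contents (on a real damaged drive the source hash cannot even be computed).
    linear_match = hashlib.sha256(source).digest() == hashlib.sha256(target).digest()

    clean = verify(io.BytesIO(bytes(target)), manifest)

    # Simulate a later change to one byte in a fully imaged segment.
    target[9 * seg + 10] ^= 0xFF
    tampered = verify(io.BytesIO(bytes(target)), manifest)
    return linear_match, clean, tampered


if __name__ == "__main__":
    print(demo())
```

The result shows that 15 of the 16 segments verify even though the linear hashes differ, and that a later change is pinned to the one segment that contains it.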
What are the PC requirements for Atola Insight Forensic?
Atola Insight Forensic software requires a Windows PC. More details are available in the Atola Insight Forensic Manual.
Does Insight utilize BIOS and/or operating system functions in the hardware unit to image data?
Insight's hardware runs a Linux OS with a highly-customized and fine-tuned kernel that allows the blocking of all BIOS and standard Linux I/O operations to enable the lowest-level control of SATA, USB and IDE ports.
Does Insight image mobile phones, tablets, IoT devices, etc.?
Atola products are designed to handle HDDs, SSDs and other detachable media. We have never developed our systems to support mobile devices like phones or tablets. This approach allows us to be the best at handling the media we focus on and progress quickly in developing high-performance imaging and innovative features for our customers.
Does Insight repair damaged drives?
Insight can handle damaged drives with varying degrees of success depending on the severity and type of damage, including:
- Degraded or damaged heads
- Drive freezing after a read attempt
- Scratches on the media surface
- Firmware issues
- Magnetic layer wear
- Bad sectors (ECC errors)
Insight is equipped with various functionality for damaged media:
- Automatic checkup to identify the damage
- Complex multipass imaging algorithms
- Disabling damaged heads for faster and safer imaging
- Control of read look-ahead and other device features
- Calculation of segmented hashes for image verification
- Reset and power cycle commands for imaging freezing drives
- Overcurrent and short-circuit protection
- Bad sector recovery for sectors with damaged ECC fields
However, the system does not perform drive repair. We advise that a drive's hardware-related problems be referred to data recovery labs.
Is Atola planning to discontinue the support for DiskSense units (manufactured between 2014 and 2021)?
Atola Insight Forensic is in high demand and has a strong user base. We are not planning to discontinue either of these imaging systems. We have several years' worth of exciting new features planned for both systems.
DiskSense hardware units (the first generation of hardware for Atola Insight Forensic imager) will continue to be supported in the foreseeable future and will include the same features as the new, higher-capacity DiskSense 2 hardware units.
We at Atola stand by our products. Remember that your system is covered by a lifetime warranty for as long as you keep your subscription active. The subscription's other benefits include software updates and fast and effective support from our team of engineers who develop the software and know all the ins and outs of the product.
Hardware unit and installation
Why does my DiskSense hardware unit not boot?
It is very likely that there is a USB device plugged into the unit, which is preventing it from booting properly. Try detaching all USB cables and restarting the hardware unit. If that has not worked, follow these steps to fully reset:
- Power the hardware unit off.
- Detach any cables and devices (including PSU cable, Extension module, all SATA cables and any USB devices or cables).
- Leave it powered off for 3-5 minutes to reset fully. A few internal circuits need up to a minute to fully reset, but waiting a bit longer may help.
- Plug in only the power cable (do not connect network, USB, or SATA cables yet).
- Power the system on and check the PWR LED on the back side of the unit after 15 seconds.
The previous boot attempt was interrupted and now the unit does not boot. What should I do?
Connect a monitor directly to the unit's HDMI or VGA port. If you see a BIOS message saying Would you like to restore Fastboot on the next boot? (Y/N), it is likely that the previous boot was interrupted at a specific stage.
The most straightforward solution here is to plug a USB keyboard into one of the USB ports and press the N key. After the unit has booted successfully, please restart it again to make sure the next boot cycle is smooth.
Insight software is stuck in the 'Searching for the DiskSense unit' window. How can I solve this issue?
It appears that your unit's HASP is not detected. Please check if you can still ping the DiskSense unit's IP address from the Windows PC. Then try the following steps:
- Open http://localhost:1947 in a web browser.
- Click Configuration in the left menu.
- Click Access to Remote License Managers.
- Enable the following two options:
- Broadcast Search for Remote Licenses
- Aggressive Search for Remote Licenses
- Wait a minute.
The Remote License Search Parameters field must be either empty or contain the DiskSense unit's IP address (the latter is preferable).
Why does Windows 10 (32-bit) show a hardlock.sys error during installation?
It looks like a HASP dongle run-time installation issue. You can install the newest run-time by following an alternative procedure:
- Download the new HASP run-time version from this page.
- Unzip it.
- Temporarily disable firewall and antivirus.
- Run Command Prompt as Administrator and change the folder to the one containing the downloaded file (from step 1).
- Execute the following commands:
  haspdinst.exe -r -fr -kp -fss -purge
  haspdinst.exe -i -fi -kp -fss
- Launch Atola Insight Forensic.
Windows crashes with a blue screen when launching Atola Insight Forensic. How can I fix this?
Microsoft updated Windows 10 (October 2020), and it broke the support of the HASP run-time v6.60.
The issue was fixed in Atola Insight Forensic version 4.17. For software versions 4.16 and older, please download and install the newest run-time following these steps:
- Download the newest HASP run-time version.
- Unzip it.
- Run and install HASPUserSetup.exe.
- Launch Atola Insight Forensic.
How to fix an error "To run this application you must install .NET" (Insight 5.1–5.3 versions only)?
Atola Insight Forensic versions 5.1–5.3 are based on .NET 5. To resolve this issue, install the latest version of .NET 5 64-bit Desktop Runtime:
Connectivity
How do I reset the IP address of the hardware unit?
You can reset the DiskSense unit's IP address by holding the small IP RST button on the back. You should keep holding the button until the PWR LED stops blinking. Then the unit's IP address will be reset to 192.168.0.188 and 10.0.0.188.
How to change the hardware unit's IP address?
The system has been designed to work in the most commonly used networks and has the IP addresses 10.0.0.188, 172.16.0.188, 192.168.0.188, 169.254.0.188.
If your network uses one of these subnets (10.0.0.*, 172.16.0.*, 192.168.0.*, 169.254.0.*), and the IP address ending in 188 is free, you can simply connect the unit to the network. Then run the Insight software, select the default unit IP ending in 188, and click Insight > Modify DiskSense Unit IP.
If your network has a different subnet address, follow these steps:
- Connect your PC to the DiskSense unit with an Ethernet cable.
- Go to Settings > Network & Internet > Change adapter options.
- Find the Ethernet connection with the unit, right-click it and click Properties.
- Find Internet Protocol Version 4 (TCP/IPv4) in the list, select it and click the Properties button.
- Select the Use the following IP address option, enter 192.168.0.5 and click OK.
- Disable other Ethernet and Wi-Fi connections to avoid IP conflicts.
- Change the IP address to the one you need.
- If your PC and the unit belong to different subnets, the connection will be lost. Re-enable the connection in Network and Internet.
- Connect the DiskSense unit to your network with an Ethernet cable and run Atola Insight Forensic.
I connected the DiskSense unit directly to my PC's second Ethernet card, but I cannot ping it or connect to it. What should I do?
First and foremost, check whether you can ping the unit when it is connected directly via your second Ethernet adapter.
- If ping attempts are unsuccessful, double-check the IP address of the Ethernet adapter. It should be in the same subnetwork as the unit. The default unit IP addresses (if unchanged) are: 192.168.0.188, 10.0.0.188.
- Check if you have another network connection and its IP address.
- If another connection exists, assign a static IP address from a different subnet to the Ethernet adapter. Examples:
  - Other network card's IP address on your PC: 192.168.0.5 — set the IP address to 10.0.0.200.
  - Other network card's IP address on your PC: 10.0.0.5 — set the IP address to 192.168.0.5.
- Connect to the DiskSense unit by specifying its address in Atola Insight Forensic:
  - 10.0.0.188 — if you set 10.0.0.200 as the second Ethernet adapter's IP address
  - 192.168.0.188 — if you set 192.168.0.5 as the second Ethernet adapter's IP address
I am able to ping the Insight's hardware unit but cannot connect to it. Why?
Here are the possible reasons:
- The unit has two Ethernet ports, but only the ETH1 port can be used to interact with the Insight software. Make sure the Ethernet cable is connected to the DiskSense unit's ETH1 port.
- Firewall or anti-malware software may be blocking communication (while ping might work, other ports could be filtered). Try disabling the firewall or anti-malware software and restart the Insight software.
- IP address conflict. Please double-check the IP address of your PC's Ethernet card. The fourth number (the last octet) in it must be different from that of the DiskSense unit. For example, if the DiskSense unit's IP address is 192.168.0.188, then the PC's IP address should be different, such as 192.168.0.100.
- The HASP drivers have not been installed correctly. To verify this, visit the localhost:1947 page. (It may take up to 5 minutes for the HASP keys to appear after powering on the unit.) There is a HASP dongle inside the unit that the Atola Insight software connects to. If you do not see any HASP keys in the list, this indicates the problem. Rerun the installation and make sure to click OK in all pop-up windows as one of them should be the HASP installation. This step will only succeed if a HASP key appears in the web browser.
- The router or switch your unit is connected to may not be configured correctly, especially if it is a Wi-Fi router. Try connecting the unit directly to your PC using an Ethernet connection. You can use the USB-to-Ethernet adapter included in the package.
If these steps prove ineffective, try updating your PC's Windows installation.
How can I prevent connection losses when I use a USB-to-Ethernet adapter (NIC)?
Certain platforms may experience issues with these adapters, especially after large amounts of data have been transferred.
This may be a USB-related issue, for example, a memory leak in the USB driver that builds up after several days of high-speed transfers.
Try replacing the adapter with a similar one:
Drive ports
The USB flash drive or USB port is not working. What could be the issue?
It's very unlikely that your DiskSense system is faulty. Also, keep in mind that all USB ports are native to the motherboard, with no adapters in between. Nevertheless, let's run diagnostics to determine what is working and what is not:
- Remove all USB flash drives.
- Power-cycle the DiskSense system to reset USB ports to their initial state.
- Take a new USB flash drive that is known to be working.
- Plug it into the USB Target port.
- Press F4 and wait until target device scanning is complete.
- Plug the same USB flash drive into the USB Source port.
- Press F3 and wait until source device scanning is complete.
This is a reliable test for checking USB ports. If possible, run the scenario several times using different USB flash drives. Note that the second step (power-cycling the DiskSense system) is essential for accurate test results.
Imaging
Does write protection work only for SATA source drives?
Write protection works for all source ports: SATA, IDE, USB and extensions.
How do I image an NVMe drive?
Use the M.2 extension module.
How do I image a drive soldered into a laptop?
You can add up to 3 remote network drives simultaneously and image them in parallel using the iSCSI protocol.
To image a remote device via the iSCSI protocol, follow these steps:
- Expose a physical or logical drive via iSCSI on a network. For that task, you can use our Python script that automatically creates iSCSI targets for all drives except the boot device.
- In Insight, go to Source > Select Source.
- In the Source Device Selection window, click the Add iSCSI device link and follow the instructions.
Insight also supports imaging of specific MacBook Pro and MacBook Air models released in 2016-2017. Here is a manual article on how to image them using a Thunderbolt extension.
Why could the mapped network drive be unavailable during Image File selection?
The shared folder mapped as a network drive on the local PC is unavailable. This issue occurs in Windows 10 and is caused by Microsoft's native components we use to select files.
Microsoft explains this with UAC being enabled and suggests editing the Windows registry as a workaround.
Note that the mapped network drive is just a shortcut for the longer network path. Always select the Network part of the tree view and choose the same network folder. Insight will remember the last selected path and open it when you select another image file.
How do I image into split (segmented) raw files?
Segmented imaging into RAW files is supported. You can split the image into segments (chunks) on the home page of the target image port. Follow these step-by-step instructions:
- In the sidebar, click Imaging.
- Click Create New Session.
- In the Target device selection window, click Create image file.
- Click the Select button.
- On the top port panel, select the Image file port.
- Click Edit file options.
- Change Chunk size to a preferred value in the combo box.
- On the top port panel, select the Source port.
- Click the Start Imaging button.
What is the difference between a standard IMG and a preallocated IMGP image file?
An IMGP file's contents are identical to those of an IMG file: it is the same raw bit-for-bit source copy. The only difference is that Insight preallocates space within an IMGP file, filling it with zeros until the last LBA, so that the IMGP file is the same size as the source even before imaging begins.
An IMGP file is used to preallocate space on the target media. Our customers use it when storing image files on a remote server for the entire organization. This ensures that, as the image file grows to its final size, there will be no risk of running out of space.
To mount it in any other forensic software, simply change the IMGP target image file's extension to .img, .dd, .raw or any other file extension you want.
To continue working with an IMGP file in Insight after changing its extension, change the image file extension back to .imgp.
When should I use All sectors with data and All sectors with metadata imaging options?
These options define the scope of imaging.
All sectors with data is used to image only the sectors belonging to files of all detected partitions. The exception is partitions that Insight cannot parse (rare types, e.g. UFS, ReiserFS), which will be imaged in their entirety.
All sectors with metadata results in a complete directory tree with files without the file data. Partitions store metadata in specific structures (e.g. $MFT for NTFS). Metadata includes file name, access/modification timestamps, attributes and the exact sector numbers of the corresponding file data.
This screencast explains how to make use of metadata imaging.
How do I create or format an NTFS partition on a target drive?
Insight supports creating exFAT partitions (including encrypted ones) on target drives for subsequent imaging to files stored on them. However, creation or formatting of NTFS partitions is not supported.
How do I ensure that Target HEX Viewer does not save any data to persistent storage?
Here is how Target HEX Viewer works internally. It has two modes:
1. Automatic refresh is performed when Freeze checkbox is inactive. Every time a block of data is imaged, one sector from this block is sent to the Windows software via Ethernet. Insight's software receives the sector and displays it in the Target HEX Viewer wiping the previous one. Thus, it performs an automatic refresh on-the-fly and does not save any data to persistent storage (e.g., a hard drive).
2. Manual Read Sectors can only be run by clicking on the Read Sector... button. This initiates the reading of a specified sector from one of the target devices. The read sector resides only in RAM temporarily while it is displayed in the Target HEX Viewer. Similarly to the Automatic refresh, no data is saved to any persistent storage during manual read sectors.
Will an E01 file created by Insight open in EnCase?
E01 files may fail to open in EnCase, typically because Insight still holds a handle to the file. This can manifest itself as CRC errors during EnCase verification. To resolve this, close the E01 file's port in Insight's top panel before opening the file in EnCase.
Note that EnCase caches unsuccessful verification results for the E01 file (or an E01 file with the same metadata). Therefore, you may need to clear the cache or start a new case in the EnCase application.
How to solve an issue with the max path length / folder length?
Make sure that the path length does not exceed the limit set in Windows API.
Atola Insight supports file paths up to 32,767 characters in length.
If you are unable to move the files using Windows Explorer, you can use the subst command to shorten the file path. Follow these steps to resolve the issue:
- Substitute the folder that has a long file path with a drive letter to shorten the overall character count for the files contained in the folder.
- Copy or move the files to a different folder with a shorter path that does not exceed the Windows path length limit.
- Delete the mapped folder.
Why does the artifact finder not find artifacts in files (.pdf, .pst, .docx, etc.)?
Artifact finder performs a low-level, sector-by-sector search without parsing file structure or interpreting specific file formats (.pdf, .pst, .docx).
Instead, Insight's search engine detects keywords, IP addresses, URLs, and other artifacts in raw drive space. This way, it complements the traditional analysis via Magnet AXIOM, X-Ways Forensics, etc.
Another benefit of Insight's artifact search is that it scans the entire drive, including unallocated space. It helps find evidence at the sector level, where other tools could miss it.
Why does a USB drive imaging produce read errors?
To rule out cable issues, consider using short, high-quality USB 3.0 cables. Longer or lower-quality USB 3.0 cables may cause read errors during acquisition.
Performance
How do I achieve the best performance when imaging to the network?
To avoid potential bottlenecks, make sure of the following:
- You are using a 10Gbit Ethernet adapter.
- All the network cables are 5e category or higher.
- The network switch supports 10Gbit Ethernet and is configured correctly (if Insight is not connected directly to a PC).
- For maximum performance, connect Insight directly to the PC's Ethernet adapter without intermediate network switches.
Other factors that could affect transfer speeds are network adapter drivers, motherboard drivers, antivirus software and so on. However, following the guidelines above is sufficient for most cases.
Does Insight always image at the max speeds listed on this website?
The max speeds have been lab-tested for accuracy on modern storage devices.
However, actual imaging speed depends on the native performance of the devices involved. During the drive-to-drive imaging, the slower device will determine the actual data transfer rate because one drive can only receive data as fast as the other can send it, and vice versa. When imaging to or from the network, another potential bottleneck is the bandwidth.
How much does data transfer speed vary during imaging?
Insight can reach speeds of up to 500 MB/sec, but speeds may drop to as low as 50 MB/sec (3 GB per minute) when working with older or slower HDD models.
How do I verify the data transfer rate from Insight to the network?
Follow these steps:
- Launch Atola Insight Forensic software.
- Connect a fast SSD (e.g. Samsung 860 PRO/EVO or any other that can image at 500+ MB/sec) to the SATA Source port of the DiskSense unit.
- Go to Imaging and select the Imaging to File option.
- In the file selection dialog, enter null as the file name. This special file name will make Insight read the source at the highest possible speed and skip writing, so that target write speed does not affect the measurement, while data is still transferred through Ethernet.
- Start imaging.
If everything is working properly, the speeds will be between 50 MB/s and 500 MB/sec, depending on the native speed of the source drive.
Damaged media & File recovery
You claim that Atola Insight Forensic is capable of imaging even bad drives. What does a bad drive mean?
By bad drives, we imply various types of drive issues, namely:
- Scratches on the media surface
- Magnetic layer wear-out
- Degraded or even non-working head
- Drive freeze after reading attempt
- Firmware issues
- Bad sectors
- Short circuit on PCB
How exactly does the Atola Insight imaging process handle damaged drives?
We have two goals here when dealing with severely damaged source drives:
- Get as much data as possible.
- Decrease the number of failed read attempts to finish imaging with a still-alive evidence drive.
Atola Insight Forensic uses a fast imaging map, thereby enabling us to run the whole process in multiple passes. The tool uses large blocks with short time-outs on the first few passes and then smaller blocks with longer time-outs on the last pass to image the tough areas. This provides the best possible results in the shortest amount of time.
Atola Insight's ability to disable damaged heads can save your evidence! Other imagers may cause further damage to the media during such imaging.
Imagine having seven out of eight good heads. You can image data with all of them except the damaged one. Afterward, you can begin analysis of 87% of the acquired data and at the same time try to replace the damaged head. A physical head swap is always a risky endeavor.
The imaging engine contains multiple automatic rules. For example, it resets or power-cycles the device when a source drive freezes. It can apply a reverse imaging direction in particular cases. A helpful feature when working with damaged evidence is that two imaging reports are generated: one before and one after the process. Both include not only the imaging information but also SMART tables, thus enabling you to see what happened to the source drive during the process.
Learn more in these articles:
- Multipass imaging of damaged drives
- Imaging drives with damaged heads
- Imaging freezing damaged drives
- Imaging a shorted drive
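The multipass idea described above (large blocks with short time-outs first, smaller blocks with longer time-outs on later passes, all driven by an imaging map) can be sketched as a simplified model. This is an added Python example, not Atola's imaging engine: the simulated drive, the block sizes, the time-out values and every name in it are constructed assumptions, and unreadable sectors keep the 00 fill pattern.

```python
SECTOR = 512
UNREAD, OK, ERROR = "unread", "ok", "error"
SLOW_MS = 1000  # constructed: a "slow" sector answers only with a time-out >= this


class ReadError(Exception):
    """Raised when a simulated block read fails."""


class SimulatedDrive:
    """Constructed stand-in for a damaged source drive (not a real device API)."""

    def __init__(self, total, bad=(), slow=()):
        self.total, self.bad, self.slow = total, set(bad), set(slow)

    def read(self, lba, count, timeout_ms):
        span = range(lba, lba + count)
        if any(s in self.bad for s in span):
            raise ReadError(lba)  # one bad sector fails the whole block
        if timeout_ms < SLOW_MS and any(s in self.slow for s in span):
            raise ReadError(lba)  # degraded area needs a longer time-out
        return b"".join(bytes([s % 256]) * SECTOR for s in span)


def multipass_image(drive, passes, fill=b"\x00"):
    """Image `drive` in several passes given as (block_sectors, timeout_ms).

    Returns (target_bytes, per_sector_status, per_pass_stats), where each
    stats entry is (block_sectors, timeout_ms, sectors_imaged, failed_reads).
    """
    size = drive.total * SECTOR
    # Pre-fill the target with the fill pattern (any length), so sectors
    # that are never read end up holding the pattern.
    target = bytearray((fill * (size // len(fill) + 1))[:size])
    status = [UNREAD] * drive.total  # the imaging map
    stats = []
    for block, timeout_ms in passes:
        imaged = failed = 0
        lba = 0
        while lba < drive.total:
            if status[lba] == OK:  # already imaged on an earlier pass
                lba += 1
                continue
            # Grow the request up to `block` sectors of not-yet-imaged data.
            count = 1
            while (count < block and lba + count < drive.total
                   and status[lba + count] != OK):
                count += 1
            try:
                data = drive.read(lba, count, timeout_ms)
            except ReadError:
                failed += 1
                new_state = ERROR  # leave the area for a later, finer pass
            else:
                target[lba * SECTOR:(lba + count) * SECTOR] = data
                imaged += count
                new_state = OK
            status[lba:lba + count] = [new_state] * count
            lba += count
        stats.append((block, timeout_ms, imaged, failed))
    return bytes(target), status, stats


def demo():
    # Constructed drive: 64 sectors, sector 20 unreadable, sectors 40-41 slow.
    drive = SimulatedDrive(64, bad={20}, slow={40, 41})
    passes = [(16, 100), (4, 1000), (1, 5000)]
    target, status, stats = multipass_image(drive, passes)
    errors = [lba for lba, state in enumerate(status) if state != OK]
    return target, errors, stats


if __name__ == "__main__":
    _, errors, stats = demo()
    print(stats, errors)
```

In this model the first pass acquires half of the drive with only two failed reads, and the damaged area is narrowed down to a single sector with four failed reads in total.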
Does Insight support damaged SSD drives?
Atola Insight Forensic does support damaged SSDs. It can automatically diagnose SSDs and generate a detailed, well-structured report. Insight's imaging process can retrieve all readable data from solid-state drives using multipass and read error recovery subsystems. It's fair to say you receive pretty much the same functionality as with standard HDDs. The only exception: password-locked SSDs are not supported.
In addition to that, Insight Forensic supports custom PCIe SSDs from Apple MacBooks. It works fast via a proprietary Atola extension.
Can Atola imagers acquire evidence from damaged SSDs?
As is true with any type of media, the degree of damage will inform how we can help with data recovery from a specific device. SSD failures fall into three major categories: logical errors, hardware issues, and firmware failure.
Atola imagers may be able to image data from an SSD with logical errors or hardware issues (e.g. NAND flash wear-out) using our multipass imaging system. A good predictor of success can be the Media Scan stage of the diagnostics process.
What is the success rate of File recovery?
You can recover up to 100% of files imaged with Insight only if the internal file system structure has been successfully imaged. Follow these steps:
- Select an acquired image on the Target port.
- Go to File Recovery.
- Try to open all the imaged partitions.
- If partitions do not open, use dedicated DR software to recover the files (e.g. R-Studio).
- If the partitions do open, you have two options:
  - Select and recover all files. Then use the Create file list button to generate a list of partially imaged files.
  - Alternatively, manually select all files with 100% values in the Copied column. Some hints for you:
    - By sorting the files in the Copied column you can group 100% of imaged files from a specific directory.
    - Selection of multiple objects is available.
Can you recover data from a deleted file?
Even if a user deletes a file from a computer or even the Recycle Bin, it does not mean that all file data has been erased from the drive. While the record of the file in the filesystem has been removed, the data from the file remain in the sectors to which it had been recorded.
However, over time, the old data may be overwritten with new files and their data. Therefore the more the drive is being used, the lower the likelihood that data from a deleted file remains intact.
Here is how Insight can help retrieve this data:
If you know any details from the file contents, search for keywords or other artifacts in Insight's Artifact Finder. Unlike most other forensic analysis tools, Insight's Artifact Finder parses data not on the file system level but on the sector level. This gives you the advantage of finding data from deleted files.
The File Recovery module can recover deleted files in these file systems: NTFS (all versions), FAT16, FAT32, HFS, HFS+, HFSX.
Modern SSDs wipe the sectors belonging to the deleted files at the command of an operating system (Windows, Linux, macOS) shortly after the files have been deleted:
- The operating system sends the Trim command to the sectors belonging to the deleted files.
- The SSD controller decides when to wipe them.
- The trimmed sectors are replaced by new ones from the over-provisioning zone.
- The trimmed sectors are soon used for new data.
This means that SSDs provide a much lower chance of recovering such data from deleted files.
Does Insight support mounting of a damaged APFS partition?
Partition search in Insight is quite advanced; it is more than just looking into MBR/GPT records and involves our unique heuristic algorithm.
It means that Insight should be able to find a partition, and the partition should not be damaged. For cases of damaged partitions, our customers use forensic software that performs file carving or DR software (e.g. R-Studio).
The only File Recovery functionality that works when there is missing data is the ability to find deleted files in several partition types including NTFS, HFS, FAT.
How do I identify which of the imaged files contains bad sectors?
- Select the target device or image file. Alternatively, on the Imaging results screen, click the Analyze target image button.
- Go to File Recovery and open the partition.
- Click Create file list and select All files.
- Select Files that were partially imaged and click Create for the list to be saved in a .CSV file.
NB If the imaging session was interrupted or the range of sectors scheduled for the session did not cover the whole partition (and therefore some of the files), the list of partially imaged files may contain both files with bad sectors and those not covered by the imaging session.
How do I find where the bad sectors are located within a file?
When imaging, Insight automatically creates a Media Map that reflects the status of all sectors imaged during a given session, namely:
- imaged sectors
- unimaged sectors (with errors or those beyond the imaged range)
- sectors imaged without ECC
To look up the Media Map:
- In the Imaging results screen, click the Analyze target image button. Or select the target device or file.
- Go to File Recovery and open the partition.
- By clicking the individual files, look up an individual File Map and see which of the sectors have or have not been successfully imaged.
When encountering bad sectors on the source drive during imaging, how does Insight handle the corresponding sectors on the target drive?
Such sectors can be either left alone (skipped) or filled with a pattern. The default pattern used to fill unreadable sectors is 00. However, you can enter any other pattern or load a pattern (of any length) from a file. To use this option:
- Go to Imaging > Create New Session.
- Select your target device.
- On the imaging settings screen, in the Preset section, click the Show settings link.
- On the Error handling tab, select the Fill unreadable sectors with the following pattern (HEX) option.
- Leave the default pattern as it is or enter/upload a new one.
- To make this new pattern the default one, click the Save settings button. Otherwise, simply click the Start imaging button.
How do I compare the files on a source and a target using their hashes?
To compare the files on the two devices:
- Select the Source device.
- In the sidebar, go to File Recovery.
- Click Hash all files.
- If the hash column is missing, enable it in Preferences > File Recovery.
- Select all files.
- Click Create file list and select All files.
- Select the Show file hash option.
- Repeat steps 1-5 for the target drive.
In the end, you get two complete file lists and can compare them using third-party software, for example Compare++.
How do I use black and white hash lists to filter data?
Watch this screencast about using hash lists in Insight.
For the full step-by-step guidance, see Hash lists to filter good & bad files.
Also, you can find two use cases in the White/Black hash lists section of our blog.
When should I use the reverse imaging option, and is there a downside to it?
Normally, reverse imaging is beneficial when there is a spot/scratch resulting in a number of bad sectors on the surface area. Reverse imaging (from the inner to the outer tracks) on one of the imaging passes helps you narrow down the bad area faster. It also allows you to get more data from the good areas of the drive before entering the damaged zone and digging into it to retrieve data.
As for the downsides, reverse imaging decreases speed because the HDD's heads have to make additional moves to perform it, and caching is impossible.
How do I change the timeout in the imaging settings on the fly?
Changing the timeout is only possible when you are creating a new session. Here is how to work around it:
- Pause the current imaging session by clicking the Pause button.
- Click the Add New Session link.
- Open imaging settings and change the timeout of the following pass(es).
NB The new imaging session will complement the previous one and will only attempt to retrieve data from the sectors that have not yet been copied.
Some imaging pass settings can be adjusted on the fly—for example, enabling reverse imaging for the next pass.
How do I look up a drive's G-List with Insight?
Firmware recovery has not been our focus for many years now; therefore, Insight has limited firmware recovery functionality. While some models may provide information about the G-List (see 3. Full firmware access), the G-List is not a kind of information you automatically see on the screen. You would need to manually find the G-List among firmware modules, which requires a certain level of data recovery knowledge.
Can I turn off bad sector reallocation (or clear the G-List) for a Seagate drive?
Unfortunately, Insight does not handle bad sector reallocation automatically. You may find more info on data recovery forums by searching for:
- your Seagate drive model
- G-List cleaning
- bad sector reallocation
Here is the information about terminal commands for modern Seagate drives.
What should I do if Insight can't identify a Seagate drive and shows an inaccurate device capacity?
Zero-capacity typically implies firmware issues, which may be corrected via the serial port in the case of Seagate drives. Atola Insight Forensic enables you to take advantage of a serial connection.
We do not have many guides about fixing specific Seagate issues, which would require extensive knowledge of the Seagate terminal command system. But here is another article in the manual that may be helpful.
Diagnostics
How does diagnostics work, and how accurate is it?
The automatic diagnostic function applies a sophisticated system that analyzes electrical currents as they enter and leave the hard drive, examines the hard drive's responsiveness to low-level commands and incorporates firmware information (if it is accessible). Our studies have shown that this approach is accurate in pinpointing malfunctions in at least 95% of cases.
How do I analyze electrical currents from the oscilloscope if I received no training?
Some data from the oscilloscope is straightforward to understand (for example, when HDD power fails, the lines go flat). Users can learn to understand more complex oscilloscope information by seeking advice from other data recovery technicians, seeking professional training, or simply by gaining experience in the field.
While current monitoring technology plays an important role in Insight's operation, no specific skills are required because the system performs current analysis automatically.
How does Insight detect the capacity of hybrid drives?
There are two types of hybrid drives.
- Dual-drive hybrid systems. In this case, Insight shows the total capacity, which is the sum of the volumes of both drives. All sectors are addressable and readable.
- Solid-state hybrid drive (SSHD). For such drives, Insight detects and displays only the capacity of the HDD because the internal SSD is designed to be inaccessible without a chip-off procedure. Hybrid drives of this type use NAND memory (small SSD) for cache. The cached data resides in both the HDD and the NAND chip. What is cached and how it is cached depends on the drive model and firmware algorithms.
Can RAID arrays be diagnosed as a single HDD?
Insight can diagnose only the drives that are directly connected to the hardware unit. Hard drives from RAID arrays must be diagnosed and recovered individually.
Atola TaskForce is capable of automatically assembling RAID drives into a single virtual device even when the RAID configuration is unknown.
Why is there a difference in the quantity of errors and performance between Media Scan and Imaging?
The short explanation: Imaging uses different commands and a different level of reading thoroughness than Media Scan.
Imaging reads data and sends it over a data cable (SATA, PATA, USB). At the same time, Media Scan utilizes a low-level Verify command that checks a block of sectors for an error with no data transfer involved.
The two operations are not equally thorough. Media Scan verifies the drive surface block by block (2048 sectors per block). It does not dig in searching for specific bad sectors in a 2048-sector error block.
In contrast, the imaging engine aims to image as much data as possible. A multipass system is used during imaging.
However, if linear hashing is enabled, imaging switches to one pass with a 4096-sector block size by default using this algorithm:
- Read 4096 sectors.
- If a read error occurs, re-read the sector range using a 256-sector block.
- Read the first 256 of 4096 sectors.
- If there is a read error, re-read the 256-sector range sector by sector.
- Read the first sector of the 256 (within the original 4096).
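The difference in reported errors can be reproduced with an added simulation (not Atola's code): a constructed drive with three bad sectors is checked Media Scan style in 2048-sector Verify blocks, then read with the 4096, 256, 1 descent described above. The `SimDrive` class, the function names, the zero fill for unreadable sectors and the way the descent continues through the rest of a failed range are assumptions made for this illustration.

```python
import hashlib

SECTOR = 512

class ReadError(Exception):
    pass

class SimDrive:
    """Constructed test drive: a command touching any bad LBA fails as a whole."""
    def __init__(self, total, bad):
        self.total, self.bad, self.commands = total, frozenset(bad), 0

    def _check(self, lba, count):
        self.commands += 1
        if any(lba <= b < lba + count for b in self.bad):
            raise ReadError(lba)

    def verify(self, lba, count):
        """Verify: reports an error for the block, transfers no data."""
        self._check(lba, count)

    def read(self, lba, count):
        self._check(lba, count)
        return b"".join(s.to_bytes(8, "little") * (SECTOR // 8)
                        for s in range(lba, lba + count))

def media_scan(drive, block=2048):
    """Return start LBAs of failed 2048-sector blocks; no per-sector detail."""
    failed = []
    for lba in range(0, drive.total, block):
        try:
            drive.verify(lba, min(block, drive.total - lba))
        except ReadError:
            failed.append(lba)
    return failed

def linear_image(drive, fill=b"\x00", sizes=(4096, 256, 1)):
    """One pass in LBA order; a failed range is re-read with the next smaller block."""
    digest, bad = hashlib.sha256(), []

    def read_range(lba, count, level):
        step = sizes[level]
        for start in range(lba, lba + count, step):
            n = min(step, lba + count - start)
            try:
                digest.update(drive.read(start, n))
            except ReadError:
                if level + 1 < len(sizes):
                    read_range(start, n, level + 1)
                else:  # a single sector is unreadable: hash the fill pattern
                    bad.append(start)
                    digest.update((fill * SECTOR)[:SECTOR])

    read_range(0, drive.total, 0)
    return bad, digest.hexdigest()

if __name__ == "__main__":
    bad_lbas = {5000, 5001, 7000}          # constructed defects
    print("Media Scan error blocks:", media_scan(SimDrive(8192, bad_lbas)))
    drive = SimDrive(8192, bad_lbas)
    bad, sha = linear_image(drive)
    print("Imaging bad sectors:", bad, "commands:", drive.commands, "sha256:", sha)
```

Media Scan reports two error blocks for the same drive on which imaging isolates three individual bad sectors, at the cost of many more commands.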
Hashing
How do I calculate a hash during imaging, and do I need to use both linear and segmented hashing?
Hashing is disabled in the default settings. Select the Hash source during imaging option in the Default (5 passes) preset.
Here are the guides on calculating linear hash during imaging and segmented hashing.
Segmented hashing is the only tried-and-tested way to verify an image of a damaged source drive. A segmented hash can be calculated during multipass imaging, which lets you retrieve more data while covering all imaged intervals with a set of hashes, an ability that has proven crucial for our customers in court.
Besides, with segmented hashing, the image remains usable even if some of the data gets corrupted over time (due to human error, buggy software, hardware issues or power loss): it allows you to identify the segment of data that was corrupted and continue using the good parts of the image.
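To make the idea concrete, here is an added sketch (not Atola's implementation or file format): every imaged interval gets its own hashes, so later corruption is pinned to one segment while the rest of the image stays verifiable. The segment size, the `(start, end, digest)` record layout and the constructed sample image are assumptions.

```python
import hashlib

SECTOR = 512

def segment_hashes(image, imaged_ranges, seg_sectors=64):
    """Hash only the imaged LBA ranges, split into segments of seg_sectors.

    imaged_ranges: (first_lba, last_lba) pairs, inclusive, such as a multipass
    session leaves behind when some ranges stay unread.
    Returns a list of (start_lba, end_lba, sha256_hex) records.
    """
    records = []
    for first, last in sorted(imaged_ranges):
        lba = first
        while lba <= last:
            end = min(lba + seg_sectors - 1, last)
            chunk = image[lba * SECTOR:(end + 1) * SECTOR]
            records.append((lba, end, hashlib.sha256(chunk).hexdigest()))
            lba = end + 1
    return records

def verify_segments(image, records):
    """Return (start, end) of every segment whose current hash no longer matches."""
    return [(s, e) for s, e, digest in records
            if hashlib.sha256(image[s * SECTOR:(e + 1) * SECTOR]).hexdigest() != digest]

def coverage(records, total_sectors):
    """Fraction of the device that is covered by segment hashes."""
    return sum(e - s + 1 for s, e, _ in records) / total_sectors

def demo():
    total = 1024
    # Constructed sample image; LBAs 300-339 stand for an unreadable area.
    image = bytearray(hashlib.shake_256(b"constructed sample").digest(total * SECTOR))
    records = segment_hashes(image, [(0, 299), (340, 1023)])
    linear_before = hashlib.sha256(image).hexdigest()
    image[700 * SECTOR + 5] ^= 0x01      # one byte in LBA 700 is corrupted later
    linear_after = hashlib.sha256(image).hexdigest()
    return {
        "segments": len(records),
        "coverage": coverage(records, total),
        "linear_hash_changed": linear_before != linear_after,
        "corrupted_segments": verify_segments(image, records),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The linear hash only says that something changed; the segment records show that the damage is confined to LBAs 660-723 and that every other hashed segment still verifies.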
Do courts of law accept segmented hashing as a valid way of verifying data?
Yes, segmented hashing has been a principle that forensic examiners successfully follow in their work. This principle is well laid out in academic works and is also widely used in cryptography and secure data modification. Meanwhile, in digital forensics, several vendors who support AFF4 image files have adopted the same principle. Among them are X-Ways, Magnet Axiom, GetData Forensic Explorer, EnCase Forensic, etc.
Most importantly, with the forensic examiner's proper understanding of the concept and ability to demonstrate it to the court, segmented hashing is as good a verification method as any.
How does hashing work in parallel with imaging?
When Insight images and calculates hash in parallel, here is how our imaging engine works:
- Read block A from the source to RAM.
- Hash block A + Write block A to the target + Read block B from the source - all these three actions execute in parallel.
- Hash block B + Write block B to the target + Read block C from the source...
- and so on
Two important rules:
- If reading a block fails with an error/timeout, the block is replaced by an unreadable pattern (it can be set by the user).
- If writing a block fails, Insight stops imaging and reverts the hash state one block backwards.
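The two rules can be seen in an added sketch (not Atola's engine): the three overlapping actions run one after another here for clarity, and the hash object is snapshotted before each block so that a failed write rolls the hash back to the last block that actually reached the target. The callback names, the block size and the constructed failure points are assumptions.

```python
import hashlib

def image_with_hash(read_block, write_block, n_blocks, block_size, fill=b"\x00"):
    """Copy n_blocks and hash them; return (blocks_written, sha256_hex, unreadable).

    read_block(i) returns bytes or raises OSError on a read error/timeout.
    write_block(i, data) raises OSError when the target write fails.
    """
    digest = hashlib.sha256()
    unreadable = []
    written = 0
    for i in range(n_blocks):
        try:
            data = read_block(i)
        except OSError:
            # Rule 1: an unreadable block is replaced by the fill pattern.
            data = (fill * block_size)[:block_size]
            unreadable.append(i)
        snapshot = digest.copy()   # hash state covering blocks 0..i-1
        digest.update(data)        # overlaps the write in a parallel engine
        try:
            write_block(i, data)
        except OSError:
            # Rule 2: stop and revert the hash by one block, so the digest
            # describes exactly the data that is on the target.
            digest = snapshot
            break
        written += 1
    return written, digest.hexdigest(), unreadable

def demo():
    block_size = 4096
    source = [bytes([i]) * block_size for i in range(8)]   # constructed blocks
    target = []

    def read_block(i):
        if i == 2:
            raise OSError("constructed read timeout")
        return source[i]

    def write_block(i, data):
        if i == 5:
            raise OSError("constructed target write failure")
        target.append(data)

    written, digest, unreadable = image_with_hash(read_block, write_block, 8, block_size)
    target_digest = hashlib.sha256(b"".join(target)).hexdigest()
    return written, unreadable, digest == target_digest

if __name__ == "__main__":
    print(demo())
```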
Fill/Erase
Why do I need to wipe/erase the target before imaging data onto it?
Certain forensic evidence acquisition or data recovery scenarios require the target hard drive to be wiped/erased prior to imaging. It ensures that the software being used to recover files won't extract old data that was previously on the destination HDD.
How does write verification work in Fill/Erase?
Here is how the algorithm works during the wiping process in Insight:
- 100 individual sectors selected evenly across the range are filled with the verification pattern Atola Insight.
- The whole drive or a selected range of sectors on it is wiped using the method selected by the user (Erase with pattern by default).
- The 100 sectors filled with Atola Insight during the first step are read to ensure that none of them contains the pattern.
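The three steps, as an added sketch (not Atola's code) run against a constructed in-memory disk: marker sectors are planted, the range is wiped, and any marker that survives shows the wipe did not reach that sector. The even-spacing formula, the `SimDisk` class and the deliberately truncated wipe are assumptions.

```python
SECTOR = 512
MARKER = b"Atola Insight"

class SimDisk:
    """Constructed in-memory disk, pre-filled with old data (0xAA)."""
    def __init__(self, sectors):
        self.sectors = sectors
        self.data = bytearray(b"\xAA" * (sectors * SECTOR))

    def write(self, lba, buf):
        self.data[lba * SECTOR:(lba + 1) * SECTOR] = buf

    def read(self, lba):
        return bytes(self.data[lba * SECTOR:(lba + 1) * SECTOR])

def marker_sector():
    """One sector filled with the repeated verification pattern."""
    return (MARKER * (SECTOR // len(MARKER) + 1))[:SECTOR]

def sample_lbas(first, last, n=100):
    """n LBAs spread evenly over [first, last], both ends included."""
    count = last - first + 1
    n = min(n, count)
    if n == 1:
        return [first]
    return [first + i * (count - 1) // (n - 1) for i in range(n)]

def erase_and_verify(disk, first, last, wipe):
    """Return the sampled LBAs that still hold the marker after the wipe."""
    marks = sample_lbas(first, last)
    for lba in marks:                      # step 1: plant the markers
        disk.write(lba, marker_sector())
    wipe(disk, first, last)                # step 2: wipe with the chosen method
    return [lba for lba in marks if MARKER in disk.read(lba)]   # step 3

def full_wipe(disk, first, last, pattern=b"\x00"):
    for lba in range(first, last + 1):
        disk.write(lba, pattern * SECTOR)

def truncated_wipe(disk, first, last):
    """Constructed fault: the wipe stops after 90% of the range."""
    full_wipe(disk, first, first + (last - first + 1) * 9 // 10 - 1)

if __name__ == "__main__":
    print("full wipe, leftover markers:", erase_and_verify(SimDisk(10000), 0, 9999, full_wipe))
    print("truncated wipe, leftover markers:",
          erase_and_verify(SimDisk(10000), 0, 9999, truncated_wipe))
```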
How does SSD Trim work and does it wipe a drive completely?
SSD Trim doesn't instantly wipe sectors (NAND memory cells) of a drive. It instructs the SSD's firmware which sectors can be wiped by marking them as 'dirty'.
The time of erasure of 'dirty' sectors depends on the SSD manufacturer and firmware. For instance, recent Samsung SSDs have what is called foreground garbage collection. It wipes any erased file almost immediately thanks to a TRIM command proactively executed by the operating system. In older SSDs, trimmed sectors can remain intact for minutes or even hours.
The most secure way to erase an SSD entirely is using one of the following methods:
- Secure Erase - for SATA drives
- Format NVM or Sanitize - for NVMe drives
The drive's internal implementation of these commands is vendor-specific. In most drives, it ensures the full erasure of an SSD, including non-addressable areas.
Case Management
How do I change the path to the Work Folder?
To change the path to the Work Folder, go to Insight > Preferences > Work folder path, change the directory and click the Apply button.
How do I free up storage space in the Work folder?
Depending on the features and settings you use, Insight saves different kinds of data in its Work Folder.
- Make sure to disable the on-the-fly artifact search in the imaging settings. Storage space is consumed most aggressively when artifact search is enabled, because you may be gathering and storing substantial amounts of data.
- The same goes for File Signatures. Disabling this setting results in much less data being stored, yet it may accumulate and become considerable over time. This setting can be disabled in the Miscellaneous tab of the imaging settings.
- Last but not least, if you no longer need the results of a previously performed artifact search, you can delete all ArtifactFinder subfolders to free up space. ArtifactFinder subfolders are located at paths similar to this: C:\Atola Insight Forensic\Work\02_ST1500DM003\ArtifactFinder, where:
  - C:\Atola Insight Forensic\Work - work folder path
  - \02_ST1500DM003 - device case subfolder
After I changed the Work folder, how do I move files from the previously created cases to the new folder?
This can be done manually:
- In the top right corner, click the Case Number button.
- The Change Case Details window opens. The Case Home Path in it indicates the directory where case files will be moved.
- Click OK. The Case Home Path has now been changed in the database and all case files have been moved to the new case folder.
How can I tell who worked with the drive if I am working on a previously created case?
You can open any operation performed with a hard drive by clicking on the corresponding link in the case history. In the report header, you can see which computer was used, and thus deduce which user worked on this phase of the case.
Can two hard drives share the same case number if they are related?
Yes, it is possible to assign the same case number to multiple hard drives. It helps keep track of hard drives related to the same investigation.
How do I add notes to the case history after a case was closed?
The quickest and easiest way is to open the case history (Cases > Search/Open) and click Add note.
How do I copy the Insight database to another PC?
Go to Cases > Export and select All cases. A single file will be generated, which can later be imported via Cases > Import.
Why are some cases missing in the Search window after database setup?
Most likely, you selected either an incorrect Work Folder or SQL Server.
Insight's database consists of SQL Server data and Work folder files. Large files like imaging maps, file signatures, artifacts and report logs are saved in the Work folder, while the case information, including report data, is stored on the SQL Server.
Two Insight settings refer to that:
- Work folder
- Database connection settings
In this example, \\networkpath\Atola is the work folder we need. First of all, it must be specified in the Insight > Preferences > Work folder path setting.
- Open Insight > Database Connection Settings.
- Select server type: Remote (in some cases, it can be Local).
- Enter the Computer name from the work folder's network path.
- Click the Search link next to the SQL server name field.
- Select one of the found SQL servers.
- Click the Search link next to the Database name field.
- Select one of the found databases.
- Click OK.
- Restart Atola Insight Forensic software.
- Check Cases > Search/Open for your cases.
If cases do not appear, try different combinations of the database name, the SQL server name, and the computer name.
Device Recovery
I don't seem to be able to unlock an SSD or a USB drive with Insight. What could be the issue?
Insight supports unlocking passwords of a limited range of drives. While we would like to provide you with maximum support, it is impossible due to the firmware of different drive families being very vendor-specific. Please check the list of supported drives.
We have primarily developed this functionality for hard drives, but extending this functionality to SSDs or USBs would require a prohibitive amount of work to support the huge range of firmware types and controllers. Unfortunately, this functionality has not been the focus of our attention.
How do I decrypt a BitLocker volume in Insight?
For the time being, Insight supports only the decryption of APFS partitions with a known password or recovery key.
As for BitLocker partitions, Insight detects BitLocker volumes and displays their GUID and type during imaging and diagnostics. While imaging, Insight immediately adds a log record with the start LBA of a BitLocker volume when encountering it.
How do hard drives become locked with ATA passwords?
An ATA password can be set through the computer's BIOS. In addition, specialized utilities, both commercial and freeware, can set or modify ATA passwords. Examples include commercial tools like Insight, as well as free utilities such as hdparm (Linux) and Victoria HDD (Windows). These tools communicate directly with the drive's firmware, allowing users to set, change, or remove ATA passwords outside of the BIOS environment.
For which hard drives is accessing ATA-locked drives supported?
Automatic access to ATA-locked drives is supported for at least 30% of hard drives available on the market. For details about specific models, see Supported drives.
Can Atola imagers retrieve data from water-damaged hard drives?
Depending on many factors, the impact on the drive can vary considerably. The kind of contact (which can range from sprinkles to complete submergence), the duration of such impact and even the composition of the water (if there is residue in the form of salts) all matter. Additionally, the disk might have been damaged before the drowning, so water may not be the only problem.
Therefore, we recommend that you bring such drives to a cleanroom. At the cleanroom, engineers will perform drying, the initial damage assessment, repair, and cleaning. When drying, it's better to keep the temperature at a reasonable level, such as 100-200 degrees Celsius. Do not heat the PCB to the point where the solder or plastic starts to melt.
I'm having trouble unlocking the Seagate drive connected to the Serial COM port (RS-232). What could help?
First and foremost, we recommend double-checking that the serial cable connection and selected baud rate are correct. Here is the easiest way:
- Power off the Seagate drive.
- Connect cables.
- In Insight, open Windows > Terminal.
- Select baud rate: 38400 (most likely for modern drives)
- Power on the Seagate drive.
Firmware recovery: Which hard drive models does Insight support firmware recovery for?
There are two ways in which Insight provides firmware recovery: by automatically repairing firmware and by providing direct access to firmware files for manual repair.
Different sets of hard drive models are supported for each of these approaches due to differences in the firmware design by the hard drive manufacturers. For a complete and up-to-date list of supported hard drive models for firmware recovery, see Supported drives.
Firmware recovery: How common is firmware corruption in modern hard drives?
Less than 10% of data recovery cases with modern hard drives involve firmware corruption. Occasionally, a manufacturer will release a hard drive with flawed firmware, and data recovery labs will see a spike in firmware recovery jobs for a period of time.
Firmware recovery: What is the difference between firmware files stored on the HDD platter and those stored in ROM/EEPROM/NVRAM?
This depends on the HDD manufacturer and hard drive model. Each hard drive has its own specifications for where firmware data is stored.