What are the PC requirements for Atola Insight Forensic?
Atola Insight Forensic software requires a Windows PC. More details are available in the Atola Insight Forensic Manual.
Does Insight utilize BIOS and/or Operating System functions in the hardware unit to image data?
Insight's hardware runs a Linux OS with a highly-customized and fine-tuned kernel that allows blocking all BIOS and standard Linux I/O operations for the lowest-level control for SATA, USB and IDE ports.
Does Insight image mobile phones, tablets, IoT devices, etc.?
Atola products are designed to handle HDDs, SSDs and other detachable media. We never developed our systems to support mobile devices like phones or tablets. This approach allows us to be the best at handling the media we focus on and progress fast in developing high-performance imaging and innovative features for our customers.
Does Insight repair damaged drives?
Insight can handle damaged drives with varying degrees of success depending on the severity and type of damage, namely:
Insight is equipped with various functionality for damaged media:
However, the system does not perform drive repair. We advise that a drive's hardware-related problems are forwarded to data recovery labs.
How do I image an NVMe drive?
Use the M.2 extension module.
How do I image a drive soldered into a laptop?
Insight supports imaging of specific MacBook Pro and MacBook Air models released in 2016-2017. Here is an article in the manual explaining how to image them using a Thunderbolt extension.
Other than that, Insight does not support remote imaging from a laptop. The product is based on low-level native I/O, which requires the source drive to be plugged into it. The easiest way to image a laptop's soldered-in SSD is to create a boot drive with a forensic boot image using one of the tools available on the market.
How do I image to split (segmented) raw files?
Segmented imaging into RAW files is supported. You can split the image into segments (chunks) at the home page of the target image port. Follow these step-by-step instructions:
What is the difference between a standard IMG and a preallocated IMGP image file created?
IMGP file contents are identical to those of an IMG file: it is the same raw bit-to-bit source copy. The only difference is that Insight preallocates space within an IMGP file filling it with zeros until the last LBA so that the IMGP file is the same size as the source even before the imaging has begun.
An IMGP file is a way to claim space on the target media. Our customers use it when they have a remote server storing all of the organization's image files. Because the file already has its final size, it is guaranteed that imaging will not run out of space.
To mount it in any other forensic software, simply change the IMGP target image file extension to .img, .dd, .raw or any other file extension you want.
NB To continue working with an IMGP file in Insight after changing the extension, you must change the image file extension back to .imgp.
When should I use All sectors with data and All sectors with metadata imaging options?
These options define the scope of imaging.
All sectors with data is used to image only the sectors belonging to files of all detected partitions. The exception is partitions that Insight cannot parse (rare types, e.g. UFS, ReiserFS), which will be imaged in their entirety.
All sectors with metadata results in a complete directory tree with files without the file data. Partitions store metadata in specific structures (e.g. $MFT for NTFS). Metadata includes file name, access/modification timestamps, attributes and the exact sector numbers of the corresponding file data. This screencast explains how to make use of metadata imaging.
How do I make sure Target HEX Viewer does not save any data on persistent storage?
Here is how Target HEX Viewer internals work. It has two modes:
1. Automatic refresh is performed when the Freeze checkbox is inactive. Every time a block of data is imaged, one sector of this block is sent to the Windows software via Ethernet. Insight's software receives the sector and shows it in Target HEX Viewer, wiping the previous one. So it executes an automatic refresh on-the-fly and does not save any data on persistent storage, i.e. a hard drive.
2. Manual Read Sectors can only be run by clicking the Read Sector... button. It initiates reading of a specified sector from one of the target devices. The read sector then resides only in RAM for as long as it is being shown in Target HEX Viewer. As with Automatic refresh, no data is saved on any persistent storage during manual sector reads.
How do I create or format an NTFS partition on a target drive?
Insight supports creating exFAT partitions (including encrypted ones) on target drives for subsequent imaging to files stored on it. However, we have not supported the creation or formatting of NTFS partitions.
How do I decrypt a BitLocker volume in Insight?
For the time being, Insight supports only decryption of APFS partitions with a known password or recovery key.
As for BitLocker partitions, Insight detects BitLocker volumes and displays their GUID and type during imaging and diagnostics. While imaging, Insight immediately adds a log record with the start LBA of a BitLocker volume when it encounters one.
How much variation is there in data transfer speed during imaging?
Insight can reach speeds up to 500 MB/sec, but the speed may be as slow as 50 MB/sec (3 GB per minute) when working with older or slower HDD models.
Does Insight always image at the max speeds listed on this website?
The max speeds have been lab-tested for accuracy on modern storage devices. The speed of imaging always depends on the native speed of the individual devices used in the process. During the drive-to-drive imaging, the slower device will determine the actual data transfer rate because one drive can only receive data as fast as the other can send it, and vice versa. When imaging to or from the network, another potential bottleneck is the bandwidth.
How do I achieve the best performance when imaging to the network?
To avoid potential bottlenecks, make sure of the following:
Other things that could affect transfer speeds are network adapter drivers, motherboard drivers, antivirus software and so on. However, complying with the rules above is enough for most cases.
How do I verify the data transfer rate from Insight to the network?
Follow these steps:
If everything is working properly, the speeds will be between 50 MB/sec and 500 MB/sec depending on the native speed of the source drive.
Does Insight support damaged SSD drives?
Atola Insight Forensic does support damaged SSDs. It can automatically diagnose SSDs very well, creating a nicely designed and well-thought-out report. Insight's imaging will get any data that is readable from solid-state drives using its multi-pass and read error recovery subsystems. It's fair to say you receive pretty much the same functionality as with standard HDDs. The only exception: unknown password removal and firmware recovery are not supported for SSDs.
In addition to that, Insight Forensic allows working with the custom PCIe SSDs from Apple MacBooks. It works fast via a proprietary Atola extension.
When should I use reverse imaging option and is there a downside to it?
Normally, reverse imaging is beneficial when there is a spot/scratch resulting in a number of bad sectors on the surface area. Reverse imaging (from the inner to the outer tracks) on one of the imaging passes helps you narrow down the bad area faster. It also allows getting more data from the good areas of the drive before entering the damaged zone and digging into it to retrieve data.
As for the downsides, reverse imaging leads to a speed decrease because HDD's heads have to make additional moves to perform it, and caching is impossible.
How do I change timeout in the imaging settings on-the-fly?
Changing the timeout is only possible when you are creating a new session. Here is how to work around it:
NB The new imaging session will complement the previous one and will only attempt retrieving data from the sectors that have not yet been copied.
Some of the imaging pass settings can be adjusted on the fly: e.g. enabling reverse imaging on the following pass.
How do I identify which of the imaged files contain bad sectors?
NB If the imaging session was interrupted or the range of sectors scheduled for the session did not cover the whole partition (and therefore some of the files), the list of partially imaged files may contain both files with bad sectors and those not covered by the imaging session.
How do I find where the bad sectors are located within a file?
When imaging, Insight automatically creates a Media Map that reflects the status of all sectors imaged during a given session, namely:
To look up the Media Map:
Does Insight support mounting of a damaged APFS partition?
Partition search in Insight is quite advanced; it is more than just looking into MBR/GPT records and involves our unique heuristic algorithm.
It means that Insight should be able to find a partition, and the partition should not be damaged. For cases of damaged partitions, our customers use forensic software that performs file carving or DR software (e.g. R-Studio).
The only File Recovery functionality that works when there is data missing is finding deleted files in several partition types, including NTFS, HFS and FAT.
What is the success rate of File recovery?
You can recover up to 100% of files imaged with Insight only if the internal file system structure has been successfully imaged. Follow these steps:
How do I compare the files on a source and a target using their hashes?
To compare the files on the two devices:
In the end, you get two complete file lists and can compare them using third-party software, e.g. Compare++.
How do I use black and white hash lists to filter data?
Watch this screencast about using hash lists in Insight. And here is the full workflow:
You can find two use cases in White/Black hash lists section in our blog.
How do I look up a drive's G-List with Insight?
Firmware recovery has not been our focus for many years now; therefore Insight has a limited firmware recovery functionality. While some models may give out information about the G-List (see 3. Full firmware access), G-List is not a kind of information you automatically see on the screen. You would need to manually find G-List among firmware modules, which requires a certain level of data recovery knowledge.
How does diagnostics work and how accurate is it?
The automatic diagnostic function applies a sophisticated system that analyzes electrical currents as they enter and leave the hard drive, examines the hard drive's responsiveness to low-level commands and incorporates firmware information (if it is accessible). Our studies have shown that this approach is accurate in pinpointing malfunctions in at least 95% of cases.
How do I analyze electrical currents from the oscilloscope if I received no training?
Some data from the oscilloscope is straightforward to understand (for example, when HDD power fails, the lines go flat). Users can learn to understand more complex oscilloscope information by seeking advice from other data recovery technicians, seeking professional training, or simply through gaining experience in the field.
While current monitoring technology plays an important role in Insight's operation, no specific skills are required because the system performs current analysis automatically.
Can RAID arrays be diagnosed as a single HDD?
Insight can diagnose only the drives that are directly connected to the hardware unit. Hard drives from RAID arrays must be diagnosed and recovered individually.
Atola TaskForce is capable of automated assembly of RAID drives into a single virtual device even when the RAID configuration is unknown.
Why is there a difference in the quantity of errors and performance between Media Scan and Imaging?
The short explanation: Imaging uses different commands and a different level of reading thoroughness than Media Scan.
Imaging reads data and sends it over the data cable (SATA, PATA, USB). Media Scan, in contrast, utilizes the low-level Verify command, which checks a block of sectors for errors with no data transfer involved.
The two operations are not equally thorough. Media Scan verifies drive surface block by block (2048 sectors per block). It does not dig in searching for specific bad sectors in a 2048-sector error block.
As opposed to that, the imaging engine has a goal to image as much data as possible. The multi-pass system is used during imaging.
However, if linear hashing is enabled, imaging switches to one pass with a 4096-sector block size by default using this algorithm:
How does Insight detect the capacity of hybrid drives?
There are two types of hybrid drives.
How do I calculate hash during imaging and do I need to use both linear and segmented hashing?
Hashing is disabled in the default settings. Simply tick the Hash source during imaging option in the Default (5 passes) preset.
Here are the guides about calculating linear hash during imaging and segmented hashing.
Segmented hashing is the only tried and proven way to verify an image of a damaged source drive. A segmented hash can be calculated during multi-pass imaging, which allows getting more data while covering all imaged intervals with a set of hashes, and this ability has proven crucial for our customers in courts.
Besides, with segmented hashing, the image remains usable even if some of the data gets corrupted over time (due to people, other buggy software, hardware, power losses etc.): it allows you to identify the segment of data that got corrupted and continue using the good parts of the image.
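The idea behind segmented hashing, as an added example that is not Atola's code or file format: each successfully imaged LBA range is hashed in fixed-size segments, so later corruption is narrowed down to one segment while sectors that were never read stay outside the hash set. The 512-byte sector, 4-sector segment size, SHA-256 and the record layout are assumptions chosen for illustration.

```python
import hashlib

SECTOR = 512  # bytes per LBA (assumed for this example)

def segment_hashes(image, imaged_ranges, segment_sectors=4):
    """Hash every imaged LBA range in fixed-size segments.

    imaged_ranges: inclusive (first_lba, last_lba) pairs that were read successfully.
    Returns [(first_lba, last_lba, sha256_hex), ...]; unread sectors get no hash.
    """
    records = []
    for first, last in imaged_ranges:
        lba = first
        while lba <= last:
            end = min(lba + segment_sectors - 1, last)
            data = bytes(image[lba * SECTOR:(end + 1) * SECTOR])
            records.append((lba, end, hashlib.sha256(data).hexdigest()))
            lba = end + 1
    return records

def verify_segments(image, records):
    """Re-hash each recorded segment; return the (first, last) ranges that changed."""
    changed = []
    for first, last, digest in records:
        data = bytes(image[first * SECTOR:(last + 1) * SECTOR])
        if hashlib.sha256(data).hexdigest() != digest:
            changed.append((first, last))
    return changed

def build_sample():
    """Constructed 16-sector image; LBAs 6-7 were unreadable and are zero-filled."""
    image = bytearray((i * 7 + 3) % 256 for i in range(16 * SECTOR))
    image[6 * SECTOR:8 * SECTOR] = bytes(2 * SECTOR)
    return image, [(0, 5), (8, 15)]

if __name__ == "__main__":
    image, ranges = build_sample()
    records = segment_hashes(image, ranges)
    linear = hashlib.sha256(image).hexdigest()  # one hash over the whole image

    image[10 * SECTOR + 17] ^= 0xFF  # simulate later corruption inside LBA 10
    # The linear hash only reports that something changed; the segment set says where.
    print("linear hash still matches:", hashlib.sha256(image).hexdigest() == linear)
    print("segments that no longer verify:", verify_segments(image, records))
```
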
How does hashing work in parallel with imaging?
When Insight images and calculates hash in parallel, here is how our imaging engine works:
Two important rules:
Why do I need to wipe/erase target before imaging data onto it?
Certain forensic evidence acquisition or data recovery scenarios require the target hard drive to be wiped/erased prior to imaging. It ensures that the software being used to recover files won’t extract old data that was previously on the destination HDD.
How does write verification work in Fill/Erase?
Here is the algorithm used during the wiping process in Insight:
How does SSD Trim work and does it wipe a drive completely?
SSD Trim doesn't instantly wipe sectors (NAND memory cells) of a drive. It instructs SSD's firmware which sectors can be wiped by marking them as 'dirty'.
Time of erasure of 'dirty' sectors depends on the SSD manufacturer and firmware. For instance, recent Samsung SSDs have a so-called foreground garbage collection. It wipes any erased file almost immediately thanks to a TRIM command proactively executed by the operating system. In older SSDs, trimmed sectors can remain intact for minutes or even hours.
The most secure way to erase an SSD entirely is running Secure Erase, which is available in Insight as a method of Fill/Erase. The drive's internal SecureErase implementation is vendor-specific. In most drives, it ensures full erasure of an SSD including non-addressable areas.
How do I copy Insight database to another PC?
Yes, it is possible: go to Cases > Export and select All cases. A single file will be generated, which can later be imported via Cases > Import.
How can I tell who worked with the drive if I am working on a previously created case?
You can open any operation performed with a hard drive by clicking on the corresponding link in the case history. In the report header, you can see which computer was used, and thus you can deduce which user worked on this phase of the case.
How do I add notes to the case history after a case was closed?
The quickest and easiest way is to open case history Cases > Search/Open and click Add note.
Can 2 hard drives share the same case number if they are related?
Yes, it is possible to assign the same case number to multiple hard drives. It helps keep track of hard drives related to the same investigation.
Firmware Recovery. Which hard drive models does Insight support firmware recovery for?
There are two ways in which Insight provides firmware recovery: by automatically repairing firmware and providing direct access to firmware files for manual repair. Different sets of hard drive models are supported for each of these approaches due to differences in firmware design by the hard drive manufacturers. For a complete and up to date list of supported hard drive models for firmware recovery, see the supported drives page.
Firmware Recovery. How commonly do modern hard drives experience firmware corruption?
Less than 10% of data recovery cases with modern hard drives involve firmware corruption. Occasionally, a manufacturer will release a hard drive with flawed firmware and data recovery labs will see a spike in firmware recovery jobs for a period of time.
Firmware Recovery. What is the difference between firmware files stored on the HDD platter and ROM/EEPROM/NVRAM?
This depends on the HDD manufacturer and hard drive model. Each hard drive has its own preferences for where firmware data is stored.
Password Removal. How do hard drives become locked with ATA passwords?
ATA passwords can be set through a computer's BIOS or by using special products like Insight.
Password Removal. Which hard drives is password removal supported for?
Automatic password removal works for most hard drives available on the market. For more specific information, please refer to the Supported Drives List.