FAQ

General


What are the PC requirements for Atola Insight Forensic?

Atola Insight Forensic software requires a Windows PC. More details are available in the Atola Insight Forensic Manual.


Does Insight utilize BIOS and/or Operating System functions in the hardware unit to image data?

Insight's hardware runs a Linux OS with a highly customized and fine-tuned kernel that blocks all BIOS and standard Linux I/O operations, giving the lowest-level control over the SATA, USB and IDE ports.


Does Insight image mobile phones, tablets, IoT devices, etc.?

Atola products are designed to handle HDDs, SSDs and other detachable media. We never developed our systems to support mobile devices like phones or tablets. This approach allows us to be the best at handling the media we focus on and progress fast in developing high-performance imaging and innovative features for our customers.

Does Insight repair damaged drives?

Insight can handle damaged drives with varying degrees of success depending on the severity and type of damage, namely:

  • Degraded or damaged head
  • Drive freeze after reading attempt
  • Scratches on the media surface
  • Firmware issues
  • Magnetic layer wear-out
  • Bad sectors (ECC)

Insight is equipped with various functionality for damaged media:

However, the system does not perform drive repair. We advise that a drive's hardware-related problems are forwarded to data recovery labs.


Imaging and performance


How do I image an NVMe drive?

Use the M.2 extension module.


How do I image a drive soldered into a laptop?

Insight supports imaging of specific models of MacBooks Pro and Air released in 2016-2017. Here is an article in the manual explaining how to image them using a Thunderbolt extension.

Other than that, Insight does not support remote imaging from a laptop. The product is based on low-level native I/O, which requires the source drive to be plugged into it. The easiest way to image a laptop's soldered-in SSD is to create a boot drive from a forensic boot image, using one of the tools available on the market.


How do I image to split (segmented) raw files?

Segmented imaging into RAW files is supported. You can split the image into segments (chunks) at the home page of the target image port. Follow these step-by-step instructions:

  1. Click Imaging in the left-side taskbar
  2. Click Create New Session
  3. Click Create image file in the Target device selection window
  4. Click Select button
  5. Select the Image file port at the top bar panel
  6. Click Edit file options
  7. Change Chunk size to a preferred value in the combobox
  8. Select the Source port at the top port bar
  9. Click the Start Imaging button

What is the difference between a standard IMG and a preallocated IMGP image file?

The contents of an IMGP file are identical to those of an IMG file: it is the same raw bit-to-bit copy of the source. The only difference is that Insight preallocates space within an IMGP file, filling it with zeros until the last LBA, so that the IMGP file is the same size as the source even before imaging has begun.

An IMGP file is a way to claim space on the target media. Our customers use it when they have a remote server storing all of the organization's image files. This guarantees that there will be no lack of space as the image file grows to its final size.

To mount it in any other forensic software, simply change the IMGP target file's extension to .img, .dd, .raw or any other extension you want.

NB To continue working with an IMGP file in Insight after changing the extension, you must change the file extension back to .imgp.


When should I use All sectors with data and All sectors with metadata imaging options?

These options define the scope of imaging.

All sectors with data is used to image only the sectors belonging to files of all detected partitions. The exception is partitions that Insight cannot parse (rare types, e.g. UFS, ReiserFS), which will be imaged in their entirety.

All sectors with metadata results in a complete directory tree with files without the file data. Partitions store metadata in specific structures (e.g. $MFT for NTFS). Metadata includes file name, access/modification timestamps, attributes and the exact sector numbers of the corresponding file data. This screencast explains how to make use of metadata imaging.

How do I make sure Target HEX Viewer does not save any data on persistent storage?

Here is how Target HEX Viewer internals work. It has two modes:

1. Automatic refresh is performed when the Freeze checkbox is inactive. Every time a block of data is imaged, one sector of this block is sent to the Windows software via Ethernet. Insight's software receives the sector and shows it in Target HEX Viewer, replacing the previous one. So it refreshes automatically on the fly and does not save any data on persistent storage, i.e. a hard drive.

2. Manual Read Sectors can only be run by clicking the Read Sector... button. It initiates reading a specified sector from one of the target devices. The read sector then resides only in RAM for as long as it is shown in Target HEX Viewer. As with Automatic refresh, no data is saved on any persistent storage during manual sector reads.


How do I create or format an NTFS partition on a target drive?

Insight supports creating exFAT partitions (including encrypted ones) on target drives for subsequent imaging to files stored on them. However, creating or formatting NTFS partitions is not supported.


How do I decrypt a BitLocker volume in Insight?

For the time being, Insight supports only decryption of APFS partitions with a known password or recovery key.

As for BitLocker partitions, Insight detects BitLocker volumes and displays their GUID and type during imaging and diagnostics. While imaging, Insight immediately adds a log record with the start LBA of a BitLocker volume when it encounters one.


How much variation is there in data transfer speed during imaging?

Insight can reach speeds up to 500 MB/sec, but the speed may be as slow as 50 MB/sec (3 GB per minute) when working with older or slower HDD models.


Does Insight always image at the max speeds listed on this website?

The max speeds have been lab-tested for accuracy on modern storage devices. The speed of imaging always depends on the native speed of the individual devices used in the process. During the drive-to-drive imaging, the slower device will determine the actual data transfer rate because one drive can only receive data as fast as the other can send it, and vice versa. When imaging to or from the network, another potential bottleneck is the bandwidth.


How do I achieve the best performance when imaging to the network?

To avoid potential bottlenecks, make sure of the following:

  • the network switch supports 10Gbit Ethernet and is configured correctly (if Insight is not connected to a PC directly)
  • all the network cables are 5e category or higher
  • for maximum performance, connect Insight to PC's Ethernet adapter without intermediate network switches.

Other things that could affect transfer speeds are network adapter drivers, motherboard drivers, antivirus software and so on. However, complying with the rules above is enough for most cases.

How do I verify the data transfer rate from Insight to the network?

Follow these steps:

  1. Launch Atola Insight Forensic software
  2. Connect a fast SSD (e.g. Samsung 860 PRO/EVO or any other that can image at 500+ MB/sec) to SATA Source port of the DiskSense unit
  3. Navigate to Imaging and select Imaging to File option
  4. In the file selection dialog, enter null as the file name. This special file name makes Insight read the source at the highest possible speed and skip writing, so that target write speed does not affect the measurement, while data is still transferred through Ethernet.
  5. Start imaging

If everything is working properly, the speeds will be between 50 MB/sec and 500 MB/sec depending on the native speed of the source drive.


Damaged media & File recovery


Does Insight support damaged SSD drives?

Atola Insight Forensic does support damaged SSDs. It can automatically diagnose SSDs and produce a well-designed report. Insight's imaging retrieves any data that is readable from solid-state drives using its multi-pass and read error recovery subsystems. You get largely the same functionality as with standard HDDs, with one exception: unknown password removal and firmware recovery are not supported for SSDs.

In addition, Insight Forensic can work with the custom PCIe SSDs from Apple MacBooks. It works fast via a proprietary Atola extension.


When should I use reverse imaging option and is there a downside to it?

Normally, reverse imaging is beneficial when there is a spot/scratch resulting in a number of bad sectors on the surface area. Reverse imaging (from the inner to the outer tracks) on one of the imaging passes helps you narrow down the bad area faster. It also allows getting more data from the good areas of the drive before entering the damaged zone and digging into it to retrieve data.

As for the downsides, reverse imaging leads to a speed decrease because HDD's heads have to make additional moves to perform it, and caching is impossible.


How do I change timeout in the imaging settings on-the-fly?

Changing the timeout is only possible when you are creating a new session. Here is how to work around it:

  1. Pause the current imaging session by clicking the Pause button
  2. Click Add New Session link
  3. Open imaging settings and change timeout of the following pass(es)

NB The new imaging session will complement the previous one and will only attempt retrieving data from the sectors that have not yet been copied.

Some of the imaging pass settings can be adjusted on the fly: e.g. enabling reverse imaging on the following pass.


How do I identify which of the imaged files contain bad sectors?

  1. Select the target device or image file or click Analyze target image button in the Imaging results screen.
  2. Open the partition in File Recovery
  3. Click Create file list and select All files
  4. Select Files that were partially imaged and click Create for the list to be saved in .CSV file.

NB If the imaging session was interrupted or the range of sectors scheduled for the session did not cover the whole partition (and therefore some of the files), the list of partially imaged files may contain both files with bad sectors and those not covered by the imaging session.


How do I find where the bad sectors are located within a file?

When imaging, Insight automatically creates a Media Map that reflects the status of all sectors imaged during a given session, namely:

  • imaged sectors
  • unimaged sectors (with errors or those beyond the imaged range)
  • sectors imaged without ECC

To look up the Media Map:

  1. Click Analyze target image button in the Imaging results screen or select the target device or file.
  2. Navigate to File Recovery and open the partition.
  3. By clicking the individual files, look up an individual File Map and see which of the sectors have or have not been successfully imaged.

Does Insight support mounting of a damaged APFS partition?

Partition search in Insight is quite advanced; it is more than just looking into MBR/GPT records and involves our unique heuristic algorithm.

This means that Insight must be able to find the partition, and the partition must not be damaged. For cases of damaged partitions, our customers use forensic software that performs file carving or DR software (e.g. R-Studio).

The only File Recovery functionality that works when data is missing is finding deleted files in several partition types, including NTFS, HFS and FAT.


What is the success rate of File recovery?

You can recover up to 100% of files imaged with Insight only if the internal file system structure has been successfully imaged. Follow these steps:

  1. Select an acquired image on the Target port.
  2. Go to File Recovery
  3. Try to open all the imaged partitions
  4. If partitions do not open, use special DR software to recover the files (e.g. R-Studio)
  5. If the partitions do open, you have two options:
    • Select and recover all files. Then use Create file list button to generate a list of partially imaged files
    • Alternatively, manually select all files with 100% values in Copied column. Some hints for you:
      • By sorting the files in Copied column you can group 100% of imaged files from a specific directory
      • Selection of multiple objects is available

How do I compare the files on a source and a target using their hashes?

To compare the files on the two devices:

  1. In the Source's menu, go to File Recovery.
  2. Click Hash all files.
  3. If the hash column is missing, it can be enabled in Preferences -> File Recovery.
  4. Select all the files
  5. Click Create file list and select All files.
  6. Tick Show file hash option
  7. Repeat steps 1-5 for the target drive

In the end, you get two complete file lists and can compare them using third-party software, e.g. Compare++.


How do I use black and white hash lists to filter data?

Watch this screencast about using hash lists in Insight. And here is the full workflow:

  1. Open Insight > Preferences
  2. Upload a CSV hash list of files
  3. Mark it as White or Black.
    • White hash term stands for a known good file created by known software.
    • Black hash is for known bad files. It could be malware, a hacking script, a hidden illicit data file.
  4. Go to File Recovery
  5. Next, you have two options:
    • Click Add filter in the top right corner, select Black or White
    • Click Search panel button and add Hash List filter

You can find two use cases in White/Black hash lists section in our blog.


How do I look up a drive's G-List with Insight?

Firmware recovery has not been our focus for many years now; therefore Insight has a limited firmware recovery functionality. While some models may give out information about the G-List (see 3. Full firmware access), G-List is not a kind of information you automatically see on the screen. You would need to manually find G-List among firmware modules, which requires a certain level of data recovery knowledge.


Diagnostics


How does diagnostics work and how accurate is it?

The automatic diagnostic function applies a sophisticated system that analyzes electrical currents as they enter and leave the hard drive, examines the hard drive's responsiveness to low-level commands and incorporates firmware information (if it is accessible). Our studies have shown that this approach is accurate in pinpointing malfunctions in at least 95% of cases.


How do I analyze electrical currents from the oscilloscope if I received no training?

Some data from the oscilloscope is straightforward to understand (for example, when HDD power fails, the lines go flat). Users can learn to understand more complex oscilloscope information by seeking advice from other data recovery technicians, seeking professional training, or simply through gaining experience in the field.

While current monitoring technology plays an important role in Insight's operation, no specific skills are required because the system performs current analysis automatically.


Can RAID arrays be diagnosed as a single HDD?

Insight can diagnose only the drives that are directly connected to the hardware unit. Hard drives from RAID arrays must be diagnosed and recovered individually.

Atola TaskForce is capable of automated assembly of RAID drives into a single virtual device even when the RAID configuration is unknown.

Why is there a difference in the quantity of errors and performance between Media Scan and Imaging?

The short explanation: Imaging uses different commands and a different level of reading thoroughness than Media Scan.

Imaging reads data and sends it over the data cable (SATA, PATA, USB). Media Scan, by contrast, uses the low-level Verify command, which checks a block of sectors for errors with no data transfer involved.

The two operations are not equally thorough. Media Scan verifies drive surface block by block (2048 sectors per block). It does not dig in searching for specific bad sectors in a 2048-sector error block.

As opposed to that, the imaging engine has a goal to image as much data as possible. The multi-pass system is used during imaging.

However, if linear hashing is enabled, imaging switches to one pass with a 4096-sector block size by default using this algorithm:

  1. Read 4096 sectors
  2. If a read error occurs, re-read the sector range using 256-sector block
  3. Read the first 256 of 4096 sectors
  4. If there is a read error, re-read 256-sector range sector by sector
  5. Read the first sector of 256 (of 4096)
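
The following added example (not Atola's code) simulates the 4096 / 256 / 1-sector fallback and a 2048-sector Verify-style scan on the same constructed drive, which shows why the two operations report different error counts. It carries the fallback through the whole range rather than only the first sub-block; SimulatedDrive, the bad-sector set and all function names are assumptions made for the illustration.

```python
# Added example: the drive model, bad-sector set and function names are constructed.
BLOCK_SIZES = (4096, 256, 1)   # fallback read sizes in sectors, from the steps above
SCAN_BLOCK = 2048              # Media Scan block size in sectors, from the text


class SimulatedDrive:
    """Constructed stand-in for a source drive: a command fails if its
    sector range touches any bad sector."""

    def __init__(self, total_sectors, bad_sectors):
        self.total_sectors = total_sectors
        self.bad = set(bad_sectors)
        self.commands = 0

    def access(self, start, count):
        self.commands += 1
        return not any(start <= b < start + count for b in self.bad)


def image_range(drive, start, end, level=0):
    """Read [start, end) in BLOCK_SIZES[level] blocks; a failed block is
    re-read at the next smaller size. Returns the unreadable sector numbers."""
    unreadable = []
    pos = start
    while pos < end:
        count = min(BLOCK_SIZES[level], end - pos)
        if not drive.access(pos, count):
            if level + 1 < len(BLOCK_SIZES):
                unreadable += image_range(drive, pos, pos + count, level + 1)
            else:
                unreadable.append(pos)   # single sector confirmed unreadable
        pos += count
    return unreadable


def media_scan(drive):
    """Verify-style pass: reports the start of each failing 2048-sector block
    and does not look for the individual bad sectors inside it."""
    return [start for start in range(0, drive.total_sectors, SCAN_BLOCK)
            if not drive.access(start, min(SCAN_BLOCK, drive.total_sectors - start))]


if __name__ == "__main__":
    bad = {5000, 5001, 9000}                      # constructed bad sectors
    drive = SimulatedDrive(3 * 4096, bad)
    print("imaging found bad sectors:", image_range(drive, 0, drive.total_sectors))
    print("read commands issued:", drive.commands)
    print("media scan error blocks:", media_scan(SimulatedDrive(3 * 4096, bad)))
```
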

How does Insight detect the capacity of hybrid drives?

There are two types of hybrid drives.

  1. Dual-drive hybrid systems. In this case, Insight shows the total capacity, which is a sum of the volumes of both drives. All sectors are addressable and readable.
  2. Solid-state hybrid drive (SSHD). For such drives, Insight detects and displays only the capacity of the HDD because the internal SSD is designed to be inaccessible without SSD chip off. Hybrid drives of this type use NAND memory (small SSD) for cache. The cached data resides in both the HDD and the NAND chip. What is cached and how it is cached depends on the drive model and its firmware's algorithms.

Hashing


How do I calculate hash during imaging and do I need to use both linear and segmented hashing?

Hashing is disabled in the default settings. To enable it, tick the Hash source during imaging option in the Default (5 passes) preset.

Here are the guides about calculating linear hash during imaging and segmented hashing.

Segmented hashing is the only tried and proven way to verify an image of a damaged source drive. Segmented hashes can be calculated during multi-pass imaging, which allows getting more data while covering all imaged intervals with a set of hashes, and this ability has proven crucial for our customers in court.

Besides, with segmented hashing, the image remains usable even if some of the data gets corrupted over time (due to people, other buggy software, hardware, power losses etc.): it allows you to identify the segment of data that got corrupted and continue using the good parts of the image.
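
The added example below (not Atola's code and not its hash file format) shows the idea on a constructed image: only the imaged intervals are covered by segment hashes, and a later verification pinpoints the one segment that changed. The record layout (start LBA, end LBA, digest), the 8-sector segment size and the choice of SHA-256 are assumptions made for the illustration.

```python
import hashlib

SECTOR = 512  # bytes per sector


def build_segment_hashes(image, imaged_ranges, segment_sectors=8):
    """Hash every imaged interval in fixed-size segments.

    imaged_ranges: inclusive (first_lba, last_lba) intervals that were read
    successfully; unreadable areas are simply not covered by any record.
    Returns a list of (first_lba, last_lba, sha256_hex) records.
    """
    records = []
    for first, last in imaged_ranges:
        lba = first
        while lba <= last:
            seg_last = min(lba + segment_sectors - 1, last)
            data = image[lba * SECTOR:(seg_last + 1) * SECTOR]
            records.append((lba, seg_last, hashlib.sha256(data).hexdigest()))
            lba = seg_last + 1
    return records


def verify_segments(image, records):
    """Return the (first_lba, last_lba) of every segment that no longer matches."""
    corrupted = []
    for first, last, digest in records:
        data = image[first * SECTOR:(last + 1) * SECTOR]
        if hashlib.sha256(data).hexdigest() != digest:
            corrupted.append((first, last))
    return corrupted


def make_demo_image():
    """Constructed 64-sector image; sectors 20-23 stand for an unreadable
    source area that was filled with zeros."""
    image = bytearray()
    for lba in range(64):
        image += bytes([lba]) * SECTOR
    image[20 * SECTOR:24 * SECTOR] = bytes(4 * SECTOR)
    return image


if __name__ == "__main__":
    image = make_demo_image()
    records = build_segment_hashes(image, [(0, 19), (24, 63)])
    linear_before = hashlib.sha256(image).hexdigest()

    image[42 * SECTOR + 5] ^= 0xFF            # simulate later corruption in sector 42

    # A single linear hash only says that something changed somewhere.
    print("linear hash still matches:", hashlib.sha256(image).hexdigest() == linear_before)
    # The segment set says where, so the remaining segments stay usable.
    print("corrupted segments:", verify_segments(image, records))
```
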

How does hashing work in parallel with imaging?

When Insight images and calculates hash in parallel, here is how our imaging engine works:

  1. Read block A from source to RAM
  2. Hash block A + Write block A to target + Read block B from source - all these three actions execute in parallel
  3. Hash block B + Write block B to target + Read block C from source
  4. and so on

Two important rules:

  • If reading a block fails with an error or timeout, the block is replaced by the unreadable pattern (which can be set by the user).
  • If writing a block fails, Insight stops imaging and reverts the hash state one block backwards.
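
The pipeline and its two rules can be modelled as follows. This is an added example, not Atola's engine: the Source and Target classes, the 4096-byte block, the zero fill byte and the use of hashlib's copy() to keep the previous hash state are all assumptions made for the illustration.

```python
import hashlib
from concurrent.futures import ThreadPoolExecutor

BLOCK = 4096               # bytes per block in this model (constructed value)
UNREADABLE = b"\x00"       # fill byte; the text says the pattern is user-settable


class Source:
    """Constructed source: reading a block listed in `bad` raises OSError."""
    def __init__(self, blocks, bad=()):
        self.blocks, self.bad = blocks, set(bad)

    def read(self, index):
        if index in self.bad:
            raise OSError(f"read error at block {index}")
        return self.blocks[index]


class Target:
    """Constructed target: writing block `fail_at` raises OSError."""
    def __init__(self, fail_at=None):
        self.written, self.fail_at = [], fail_at

    def write(self, index, data):
        if index == self.fail_at:
            raise OSError(f"write error at block {index}")
        self.written.append(data)


def read_or_fill(source, index):
    """Rule 1: a failed read yields a block of the unreadable pattern."""
    try:
        return source.read(index)
    except OSError:
        return UNREADABLE * BLOCK


def image_with_hash(source, target, count):
    """Returns (blocks written, digest covering exactly those blocks)."""
    hasher = hashlib.sha256()
    if count == 0:
        return 0, hasher.hexdigest()
    with ThreadPoolExecutor(max_workers=3) as pool:
        current = read_or_fill(source, 0)                  # read block A
        for index in range(count):
            before = hasher.copy()                         # hash state without this block
            hashing = pool.submit(hasher.update, current)  # hash, write and next read
            writing = pool.submit(target.write, index, current)  # run side by side
            reading = (pool.submit(read_or_fill, source, index + 1)
                       if index + 1 < count else None)
            hashing.result()
            try:
                writing.result()
            except OSError:
                # Rule 2: stop and fall back to the state one block earlier
                return index, before.hexdigest()
            current = reading.result() if reading else None
    return count, hasher.hexdigest()
```

Because the digest is rolled back together with the write position, the hash reported after a failed write still matches what is actually on the target.
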

Fill/Erase


Why do I need to wipe/erase target before imaging data onto it?

Certain forensic evidence acquisition or data recovery scenarios require the target hard drive to be wiped/erased prior to imaging. It ensures that the software being used to recover files won’t extract old data that was previously on the destination HDD.


How does write verification work in Fill/Erase?

Here is the algorithm used during the wiping process in Insight:

  1. 100 individual sectors selected evenly across the range are filled with the verification pattern Atola Insight.
  2. The whole drive or a selected range of sectors on it is wiped using the method selected by the user (erase with pattern by default).
  3. The 100 sectors filled with Atola Insight during the first step are read to ensure that none of them contains the pattern.
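
The three steps can be reproduced on an in-memory disk. This is an added example, not Atola's implementation: the even-spacing formula, the bytearray disk and the two wipe functions (one correct, one that silently drops writes to a range) are assumptions made for the illustration.

```python
SECTOR = 512
PATTERN = b"Atola Insight"     # verification pattern named in the text
CANARIES = 100                 # number of sampled sectors, from the text


def canary_lbas(first, last, n=CANARIES):
    """Pick n sectors spread evenly across [first, last] (assumed spacing rule)."""
    total = last - first + 1
    n = min(n, total)
    return [first + (i * total) // n for i in range(n)]


def verified_wipe(disk, first, last, wipe):
    """Step 1: plant the pattern. Step 2: run `wipe`. Step 3: read the sampled
    sectors back. Returns the LBAs where the pattern survived; an empty list
    means the verification passed."""
    marker = (PATTERN * (SECTOR // len(PATTERN) + 1))[:SECTOR]
    canaries = canary_lbas(first, last)
    for lba in canaries:
        disk[lba * SECTOR:(lba + 1) * SECTOR] = marker
    wipe(disk, first, last)
    return [lba for lba in canaries
            if PATTERN in disk[lba * SECTOR:(lba + 1) * SECTOR]]


def zero_fill(disk, first, last):
    """Correct wipe: overwrite the whole range with zeros."""
    disk[first * SECTOR:(last + 1) * SECTOR] = bytes((last - first + 1) * SECTOR)


def make_dropping_wipe(skip_first, skip_last):
    """Constructed faulty wipe: writes to [skip_first, skip_last] are silently lost."""
    def wipe(disk, first, last):
        for lba in range(first, last + 1):
            if not skip_first <= lba <= skip_last:
                disk[lba * SECTOR:(lba + 1) * SECTOR] = bytes(SECTOR)
    return wipe


if __name__ == "__main__":
    disk = bytearray(b"\xAA" * 1000 * SECTOR)          # constructed 1000-sector disk
    print("good wipe, surviving canaries:", verified_wipe(disk, 0, 999, zero_fill))
    disk = bytearray(b"\xAA" * 1000 * SECTOR)
    print("faulty wipe, surviving canaries:",
          verified_wipe(disk, 0, 999, make_dropping_wipe(500, 599)))
```

A range of lost writes that falls entirely between two sampled sectors is not detected, so the check confirms that the wipe ran across the range rather than proving that every sector was overwritten.
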

How does SSD Trim work and does it wipe a drive completely?

SSD Trim doesn't instantly wipe sectors (NAND memory cells) of a drive. It instructs SSD's firmware which sectors can be wiped by marking them as 'dirty'.

Time of erasure of 'dirty' sectors depends on the SSD manufacturer and firmware. For instance, recent Samsung SSDs have a so-called foreground garbage collection. It wipes any erased file almost immediately thanks to a TRIM command proactively executed by the operating system. In older SSDs, trimmed sectors can remain intact for minutes or even hours.

The most secure way to erase an SSD entirely is running Secure Erase, which is available in Insight as a method of Fill/Erase. The drive's internal Secure Erase implementation is vendor-specific. In most drives, it ensures full erasure of an SSD including non-addressable areas.


Case Management


How do I copy Insight database to another PC?

Yes, it is possible: go to Cases > Export and select All cases. A single file will be generated, which can later be imported via Cases > Import.


How can I tell who worked with the drive if I am working on a previously created case?

You can open any operation performed with a hard drive by clicking on the corresponding link in the case history. In the report header, you can see which computer was used, and thus you can deduce which user worked on this phase of the case.

How do I add notes to the case history after a case was closed?

The quickest and easiest way is to open case history Cases > Search/Open and click Add note.


Can 2 hard drives share the same case number if they are related?

Yes, it is possible to assign the same case number to multiple hard drives. It helps keep track of hard drives related to the same investigation.


Device Recovery


Firmware Recovery. Which hard drive models does Insight support firmware recovery for?

There are two ways in which Insight provides firmware recovery: by automatically repairing firmware and by providing direct access to firmware files for manual repair. Different sets of hard drive models are supported for each of these approaches due to differences in firmware design by the hard drive manufacturers. For a complete and up-to-date list of supported hard drive models for firmware recovery, see the supported drives page.


Firmware Recovery. How commonly do modern hard drives experience firmware corruption?

Less than 10% of data recovery cases with modern hard drives involve firmware corruption. Occasionally, a manufacturer will release a hard drive with flawed firmware and data recovery labs will see a spike in firmware recovery jobs for a period of time.

Firmware Recovery. What is the difference between firmware files stored on the HDD platter and ROM/EEPROM/NVRAM?

This depends on the HDD manufacturer and hard drive model. Each hard drive has its own preferences for where firmware data is stored.


Password Removal. How do hard drives become locked with ATA passwords?

ATA passwords can be set through a computer's BIOS or by using special products like Insight.


Password Removal. Which hard drives is password removal supported for?

Automatic password removal works for most hard drives available on the market. For more specific information, please refer to the Supported Drives List.