Assuming you have Atola Insight Forensic software installed and activated, let us start from zero and learn how to image an evidence device safely in Atola Insight Forensic.
Step 1. Plug the source and target devices into the DiskSense system.
Take two SATA drives that will serve as your source and target devices. Plug them into the SATA source and SATA target ports.
Step 2. Launch Atola Insight.
Launch the already installed Atola Insight Forensic software.
You will see the following window asking you to select the desired action:
Select Close to avoid powering up the source SATA port for now.
Step 3. Diagnose first before imaging.
Presumably, we know nothing about the source device and its state. Maybe it is a good working drive, or maybe it is not. It may be a damaged one or it may die in a few hours. That is why we should begin with Automatic Checkup.
Click Diagnostics -> Automatic checkup, and then click the Start button.
It will take a couple of minutes to get to the Diagnostics report. In this particular case, we see that the source drive is in good state, and we can safely start imaging it.
Step 4. Select the imaging targets.
Click Imaging on the left side menu and then Create New Session. You will be asked to select the imaging targets, including the following:
Let us take advantage of imaging into two targets at the same time: SATA target drive and image file.
Click Create Image File and then confirm a selected filename. Then tick the SATA Target 1 device. In the end, you will get a screen like this:
Click the Select button to confirm.
Step 5. Start imaging.
Imaging includes a wide variety of settings for tuning the process. Sometimes it is helpful when dealing with severely damaged evidence drives. However, the default imaging preset works great in most cases.
There is just one button to click, Start Imaging, to get the imaging process running.
Congratulations! You read the quickstart up to this section, and we have an award for you! :-) Here are a number of screencasts explaining specific features of Atola Insight Forensic.
Atola Insight Forensic offers complex data retrieval functions along with utilities for manually accessing hard drives at the lowest level, wrapped in a very simple and efficient user interface.
The tool is developed by a team of industry renowned data recovery engineers in collaboration with law enforcement agencies and forensic experts from around the globe.
All features of the system are designed to support damaged media. Where other Forensic data acquisition products stall or abort on media errors, Atola Insight Forensic can acquire a usable image.
When dealing with good (non-damaged) media, Atola Insight Forensic acquires data faster than any other data acquisition equipment commercially available.
The system has several key features for data capture in forensic and e-discovery cases:
Atola Insight Forensic covers all phases of the data acquisition process:
Whenever you start working on a hard drive, the very first thing we recommend doing is to find out whether the drive is damaged in any way and, if so, what the extent of the damage is.
The tool comes with a fully automated hard drive diagnosis module. It diagnoses all hard drive components: printed circuit board (PCB), spindle motor, head stack, firmware, and file systems. Diagnostics will work properly even if the drive has burnt parts or a damaged head stack – the routine makes use of the current monitor that is embedded into the DiskSense unit.
After diagnostics finishes, the tool will prepare a report and let you know the exact issue with the drive; it will also suggest the next step to be able to retrieve the data.
Atola Insight Forensic can recover and/or remove unknown HDD passwords (also known as ATA-passwords). For most hard drives the unlocking process is fully automated. Some hard drives (for example, latest 2.5-inch Hitachi hard drives) require a degree of manual intervention. The operator can choose whether to display the password or just remove it and unlock the drive. Both security levels (High or Maximum) are supported.
The list of hard drives currently supported by the automatic password recovery routine can be obtained at https://atola.com/products/insight/supported-drives.html
If there is firmware damage that cannot be fixed automatically, you will have to proceed with the manual firmware recovery procedure. Generally speaking, the firmware recovery process consists of the following steps:
1. Full firmware backup
2. Diagnosis
3. Recovery
Backup is a very important part of the process. Make sure you have full firmware backup before you make any change to the firmware area.
Basic diagnostics of the firmware area is done during the Automatic Diagnostics process (see Automatic Diagnostics). More in-depth diagnostics is done during the firmware backup process, after which any firmware damage that may exist will become obvious, as damaged modules will have either a "Read Failure" or a "Bad Checksum" mark. Some of these damaged modules can be recovered by right-clicking them and selecting Recover (the module will be re-generated and written to the drive). In some rare cases, when Atola Insight Forensic cannot regenerate the module, you would have to copy it from a donor drive (you would need to locate a similar hard drive, save that module from that drive into a file, and then copy that file into the bad drive's firmware, replacing the damaged module).
Please note: if after the full firmware backup you find that there are many unreadable firmware modules (more than 10% of the total number of modules), it might be a good indication that the head stack is malfunctioning. The best thing to do in this case is to reconfirm that the hard drive does not have head damage before proceeding with a firmware recovery attempt. Attempting firmware recovery on a hard drive with internal damage may result in unrecoverable damage.
Before you proceed with any file recovery attempt, it is very important that you have a sector-by-sector copy of the drive. This is done with the Imaging module available in the software.
Please see the following link for more information on imaging: https://atola.com/products/insight/disk-duplication.html
After you have made a copy of the original hard drive, you can start recovering files. The File Recovery engine is able to show the status of each file in the file browser, such as what percentage of the file was imaged without errors. There is also an ability to create lists of files specifying the status of each file. After creation, the list may be presented for review.
Learn more about File Recovery: https://atola.com/products/insight/file-recovery.html
Please make sure that you have the following items in the package:
The DiskSense Unit uses the fastest and most efficient interface connections available, and is built to last using the highest quality components one could source. It includes a built-in oscilloscope for current monitoring and write protection switch for source media.
Atola DiskSense Unit is effective for bad disk forensic imaging. To ensure high quality and efficiency of our hardware tools, we test them on hundreds of storage devices.
DiskSense is basically a very small computer running a Linux OS. However, neither a normal computer's BIOS nor a basic Linux kernel is suitable for handling damaged hard drives, because neither of them was designed to handle hard disk failures very well. We have invested a significant amount of R&D effort to build a highly customized and fine-tuned Linux kernel that completely overcomes these issues. Additionally, this kernel features:
DiskSense also features our proprietary circuitry for ultimate hard drive's power control:
These features are a must when dealing with damaged hard drives.
For example, low-level control of the SATA, USB and IDE ports allows Atola Insight Forensic to deal with hard drives that do not properly initialize, have many bad sectors, or frequently freeze due to internal (mechanical) failures.
SATA PHY control allows resetting a frozen hard drive without a power cycle. This reduces imaging time and the chance of further hard disk degradation and failure.
Current sensing allows Atola Insight to diagnose a failed hard drive even if it has electronic or mechanical damage. Please see Disk Diagnostics for more details on how this works.
Overcurrent protection detects when the hard drive draws abnormal current and stops the attached device to prevent further damage.
Overvoltage protection circuit ensures that in the unlikely event of the DiskSense unit malfunction, the attached hard drives are not damaged in any way.
DiskSense unit is fully controlled by Atola Insight software via the Gigabit Ethernet interface, hence no Linux experience is required at all in order to operate it.
DiskSense system allows expanding its functionality via hardware extension modules.
DiskSense system must be powered off before an extension module can be installed:
Technical specifications:
Atola Insight Forensic can run most operations on a SAS drive plugged into the DiskSense system. There are a few functions that are not available for SAS drives by their nature: Host Protected Area (HPA), Device Configuration Overlay (DCO), Security Features, and SSD Trim. Firmware recovery is also not supported.
SAS extension
The module accelerates the following operations executed with image files: Imaging, File Recovery, Compare, Write from File. For optimum performance please follow these instructions
Note that PC motherboard quality can have an impact on the resulting network performance. Also, please ensure that the PC drive is able to read/write at speeds above 300 MB/s.
10Gb extension
With the help of Thunderbolt extension module Insight supports imaging, hash calculation and verification, comparing, media scan, file recovery, write protection on MacBooks with these interfaces:
Thunderbolt extension
This module supports custom proprietary PCIe SSDs from Apple MacBooks (Mid 2013 - 2015).
Apple PCIe SSD extension
Features | M.2 SATA | M.2 PCIe |
---|---|---|
All Insight operations | Partial (see below) | |
Drive hotplug | ||
Power management |
M.2 PCIe SSD extension
Drive hotplug is supported. Before replacing hard drives the SATA power must be turned off via the software Power button (for safety reasons).
M.2 SATA SSD extension
Please note that M.2 extension currently does not support NVMe drives.
To image an NVMe drive, please follow this guide.
Step 1. Download and install the latest software from this page.
Step 2. Configure your computer’s network to use the following settings:
IP address: 192.168.0.XXX, where XXX can be any number from 1 to 254.
Network mask: 255.255.255.0
Gateway and DNS server can be left empty or set to any value.
Step 3. Connect your computer’s network port to the ETH 1 port of the hardware unit.
Step 4. Power on the unit and allow 20-30 seconds for it to boot (Unit Ready LED on the back of the unit should stop blinking).
Step 5. Launch the Atola Insight Forensic software. When asked for activation details, you will need to key in the unit’s serial number. It is located on the bottom sticker of the DiskSense unit.
If you’d like to plug the unit into a USB port instead of an Ethernet port, then we recommend using a USB-to-Ethernet adapter based on an ASIX AX88179 chipset (included in the package).
We have tested Atola Insight with these adapters and they cause no noticeable speed degradation (imaging speed decreases only by 1-2%), and they have shown to be very reliable.
Note that you will need a USB 3.0 (SuperSpeed) port in your computer in order to achieve full imaging speeds.
Use these instructions if you are migrating from Atola Insight with previous-gen DiskSense USB or DiskSense Ethernet hardware units and would like to preserve the existing case management records.
IMPORTANT: this process is not reversible. After the migration, you will not be able to use the same database with the old (v3.x) software. If you want to continue using the old (v3.x) tool, then you would have to create a new (empty) database for the old tool.
Step 1. Record old database settings.
Launch your old copy of Atola Insight v3.x and open Database Connection settings menu. Write down all database connection information from the screen (or take a screenshot).
Step 2. Alter database settings of the newly installed Atola Insight Forensic v4.x software.
Launch your new Atola Insight Forensic (v4.x) software and open Database Connection settings menu. Modify all settings to match v3.x settings noted in Step 1.
Step 3. The software will ask you if you want to perform the upgrade. Click OK and the upgrade will be performed automatically. A backup copy of the old database will also be created before upgrade.
There are two ways to purchase Atola Insight Forensic subscription:
In both of these scenarios, you will be able to activate the new subscription even in a network-free environment.
NB If your subscription has not yet expired, you can still purchase and activate a new one: the new subscription period will commence the day following the current subscription’s expiration date.
What you will need: another device with Internet connection (PC or mobile).
1. Click Help in Insight’s top level menu and select Extend Subscription.
2. Select Extend subscription offline by code and click Continue.
3. Use another device (PC or mobile) with Internet access to purchase the subscription extension online here; from there you will be redirected to a website where you can enter your payment credentials.
4. A subscription key will be sent in an email shortly after the purchase, to the email address you indicated in the payment form.
5. Using the internet-connected device, go to this page.
6. Enter the Subscription Key, and fill in all other fields on the web page (you can copy them from the Extend Subscription window)
7. Click the Submit button on the activation server page. An activation code will be generated and displayed on the screen and also sent to you in an email.
8. In the Insight interface, enter the Activation code in the respective field and click Continue.
If your activation has not been completed successfully, the contact information you provided in the online activation form will be used by our support team to contact you and assist in completing your activation.
What you will need: another PC with Internet connection and a flash memory stick.
If your subscription expired but you installed a version of Insight software that is not covered by your expired subscription, you can do one of the following:
DiskSense hardware system includes an internal HASP USB dongle. It contains unique activation and subscription information.
Having more than one DiskSense system in your network may result in HASP-related conflicts. These conflicts usually manifest as "Too many connections" or "Cannot located DiskSense unit" errors. The issue is caused by behavior of the HASP discovery system which by default picks a random HASP dongle on the network. In other words, one Atola Insight Forensic instance may establish the connection with one DiskSense system, however it will "use" the HASP dongle of another (random) system available on the network.
HASP discovery system offers a web administration tool where one can easily set up IP filter specifying HASP dongle search locations.
After you perform the actions, the final screen should look like this:
Note: 192.168.0.200 is used as an example.
Atola Insight Forensic can work with a remote database shared between many users. Here is how to set up such a network database and connect different PCs running Atola Insight to it.
1. Pre-install SQL Server 2012 or 2014 on the network server PC
2. Launch Atola Insight Forensic on the user PC
3. Navigate to Insight -> Database Connection Settings from the top menu
4. Click OK and re-launch Atola Insight Forensic on the user PC.
5. It will create the remote database and ask for the Work Folder name:
Hint: Work Folder is necessary to store large files that do not fit into the database: imaging maps, logs, file recovery hash lists.
6. Change the Work Folder to the shared folder on the network server PC.
Example: The network folder successfully selected
Now you have the Atola Insight network database prepared for remote use! You can connect Atola Insight Forensic software from the other PCs. Just set up the same database settings as you did in step 3. There is no need to specify the Work Folder anymore, because Atola Insight will load it from the remote SQL server on the network server PC.
The only limitation: Two users will not be able to work on the same case simultaneously.
To be able to back up and restore the Atola Insight Forensic database, you will need Microsoft SQL Server Management Studio Express. You can download it here.
To backup the database, please follow these steps:
1. Launch Microsoft SQL Server Management Studio Express
2. Establish database connection (with default settings)
3. Select "Databases" folder on the tree
4. Right-click AtolaInsightForensic and select Tasks->Back Up...
5. Check the backup destination and change it if desired
6. Click OK
This procedure will work only if you did not move the backup file (for example, from another PC). If you are moving the database over to another PC, please see Restore when moving below.
1. Launch Microsoft SQL Server Management Studio Express
2. Establish database connection (with default settings)
3. Select "Databases" folder on the tree
4. Right-click AtolaInsightForensic and select Tasks->Restore->Database...
5. Select the desired backup file
6. Click OK
To move the database from one PC over to another, please follow these steps:
1. Back up your database on the source PC
2. Copy the backup file over to the destination PC
3. Restore the backup file on the destination PC (see below)
1. Launch Microsoft SQL Server Management Studio Express
2. Establish database connection (with default settings)
3. Right-click "Databases" folder on the tree and select Restore Database
4. In the "To database:" field enter the following: "AtolaInsightForensic" (without quotes)
5. Select "From device" in "Source for restore"
6. Point to the database backup file
7. Click OK
This may happen if your operating system has crashed and you are reinstalling everything from scratch. In this case you would need to copy AtolaInsightForensic.mdf and AtolaInsightForensic_log.LDF files from the old hard drive over to the new one. You may find these files in:
After you have copied the database files, please follow these steps:
1. Launch Microsoft SQL Server Management Studio Express
2. Establish database connection (with default settings)
3. Right-click "Databases" folder on the tree and select Attach...
4. Click "Add..." and select AtolaInsightForensic.mdf
5. Click OK
Atola Insight Forensic supports all 1.8-inch, 2.5-inch, 3.5-inch IDE, SATA and USB hard drives, USB Flash media as well as SD, Compactflash, and Memory Stick cards via a generic USB Card Reader.
To ensure high quality and efficiency of our tools, we test them on hundreds of storage devices.
Atola Insight Forensic can also work with the following drive types using proprietary Atola extension modules:
Most functions of the Atola Insight Forensic will work with any hard drive or flash card with either IDE, SATA-1/2/3 or USB-1/2/3 interface (including those attached via adapters).
However, there are three functions that only work with specific hard drive model families:
Please note that due to the wide variety of firmware revisions released by hard drive manufacturers, it is impossible to guarantee that the password removal will always work. Hence, password removal may fail on a small percentage of hard drives.
The purpose of this page is to provide information on Atola Insight Forensic start up procedure.
Source Device Selection dialog is available from main menu (Source -> Select Source...) or via F3 shortcut key:
Source device selection
At this point you can select the port you'd like to work with (SATA, USB, IDE Master, IDE Slave).
After you select the device, Atola Insight Forensic switches to the main application window.
You can attach and remove hard drives at any time without restarting the software or hardware unit.
When replacing hard drives, Atola Insight Forensic detects the change automatically. However, if you'd like to manually re-identify a hard drive, you can do one of the following:
Source device menu
The difference is that re-identification works only when the attached hard drive can return at least some identification data. When the hard drive has significant damage (for example, a burnt PCB) and therefore won't return identification data, Atola Insight Forensic will fail to automatically recognize such hard drive. In this case you would have to use Source->Select Source menu item to manually select the device. Atola Insight Forensic will still be able to diagnose a hard drive that is "completely dead" by relying on the current sampling.
Before disconnecting hard drives from the unit, we recommend using the Power Off button in Atola Insight Forensic software to properly shut down the drive:
Source power button
Thunderbolt extension enables Insight to operate on all MacBooks with FireWire, Thunderbolt 2 and Thunderbolt 3 interfaces. There is no need to remove the SSD, Thunderbolt extension allows connecting the whole Apple laptop to Insight.
The extension module comes with:
Cable adapters
1. Connect the MacBook to the DiskSense unit with the help of the Thunderbolt extension and the FireWire cable (NB: both MacBook and DiskSense have to be turned off). Use the adapters to connect to MacBooks with a Thunderbolt 2 or Thunderbolt 3 interface.
2. Start DiskSense unit and launch Atola Insight Forensic on your computer.
3. Boot the MacBook in Target Disk Mode. To do that, start it up while holding down the T key. You should see a Firewire or Thunderbolt icon displayed on screen signifying that Target Disk Mode is detected and working.
MacBook drive and DiskSense unit connected
4. Select Identify device option in the pop-up window.
5. In Source - Select MacBook Case window click Add new case button.
Select MacBook Case
6. If this is the first time this MacBook is identified by Insight, you need to enter the Serial number of the MacBook in the pop-up window and click OK. The device has been identified. (NB: the MacBook's serial number can be found on the bottom case.)
MacBook's serial number
Now you can perform these operations with the connected MacBook:
When a MacBook is connected to Insight for a subsequent session, you can simply select the appropriate case from the table.
Open existing MacBook case
This page provides information on basic Atola Insight Forensic controls.
These buttons allow you to go to the previous screen of the program. This may be useful if you'd like to see previous output or quickly restart a process.
You use this menu to navigate through different parts of the software.
This panel shows the current case number or allows assigning a case number.
The source port consists of several parts:
The target port has all the features of the source port. One of the following can be plugged into the target port:
This menu is used to open the Current Oscilloscope and Terminal windows.
Here you can see all actions that were done to the currently attached hard drive. If you'd like to get full details on an action, just click it and Atola Insight Forensic will show you the detailed report.
Insight Forensic allows attaching files to the case. Whenever you attach a picture, a thumbnail is added to the Home screen.
This panel displays raw contents of Status and Error ATA registers in real time.
It is only enabled when the port is powered on, device presence is detected, and PHY communication is established.
This register contains hard drive status information. It is updated after every single command sent to the drive.
ERR: means the last command failed to execute. In this case the Error register contains more details on the specific error.
INDX: obsolete, used to trigger after each spindle revolution
CORR: obsolete, used to trigger after a bad sector was automatically corrected by ECC
DREQ (Data Request): is asserted when hard drive wants to exchange data with the host controller (in either direction)
DRSC (Device Seek Complete): is obsolete; always asserted on modern hard drives
FAULT (Write Fault): is obsolete
DRDY (Device Ready): is obsolete; always asserted on modern hard drives
BUSY: indicates that the hard drive is busy executing a command OR initializing (after power on or reset)
Error register provides more details if the last command failed. This register is only valid when ERR bit of the Status Register is asserted.
AMNF: means Address Mark Not Found (usually occurs on failed read attempt)
T0NF (Track 0 Not Found): obsolete
ABRT: command aborted (unsupported command or other failure)
IDNF: sector ID not found (usually occurs on failed read attempt)
UNC: uncorrectable read error; the hard drive was unable to read data even after applying ECC recovery algorithms
ICRC (Interface CRC error): there was a CRC error while transferring data between the host and the hard drive (usually indicates a bad interface cable)
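A decoder for the two register values shown in this panel, as an added example (not part of Atola Insight Forensic). The bit names are the ones listed above; the bit positions and the rule that other Status bits are not meaningful while BUSY is set come from the ATA specification, and the function names and triage wording are assumptions of this example.

```python
# Bit 0..7 of each register. Error bits 3 and 5 are not covered by the text
# above, so they are reported under placeholder names.
STATUS_BITS = ("ERR", "INDX", "CORR", "DREQ", "DRSC", "FAULT", "DRDY", "BUSY")
ERROR_BITS = ("AMNF", "T0NF", "ABRT", "bit3", "IDNF", "bit5", "UNC", "ICRC")


def _flags(value, names):
    """Names of the bits that are set in an 8-bit register value."""
    return [name for bit, name in enumerate(names) if value & (1 << bit)]


def decode(status, error):
    """Decode raw Status/Error register bytes into flag names and a short note.

    The Error register is decoded only when ERR is asserted in Status,
    because it is not valid otherwise."""
    flags = _flags(status, STATUS_BITS)
    result = {"status": flags, "error": [], "note": "no error reported"}
    if "BUSY" in flags:
        # While BUSY is set the remaining Status bits carry no meaning.
        result["status"] = ["BUSY"]
        result["note"] = "drive is executing a command or initializing"
        return result
    if "ERR" not in flags:
        return result
    errors = _flags(error, ERROR_BITS)
    result["error"] = errors
    if "ICRC" in errors:
        result["note"] = "interface CRC error: check the interface cable"
    elif {"UNC", "IDNF", "AMNF"} & set(errors):
        result["note"] = "read failure on the media"
    elif "ABRT" in errors:
        result["note"] = "command aborted (unsupported command or other failure)"
    else:
        result["note"] = "error bits not described in the text"
    return result


if __name__ == "__main__":
    # Constructed sample values: (Status, Error)
    for status, error in [(0x50, 0x00), (0x51, 0x40), (0x51, 0x84), (0x80, 0x00)]:
        print(f"status=0x{status:02X} error=0x{error:02X} -> {decode(status, error)}")
```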
Automatic Checkup feature diagnoses the following hard drive components:
One-button start of Diagnostics
First, the hard drive's electronics (printed circuit board or PCB) are diagnosed. The system applies power to the device, then records and analyzes the spin-up current curve. This makes it possible to detect most issues with the PCB and the motor. Then, the contents of the hard drive's ATA registers and device identification sector are analyzed:
Measuring hard drive's currents
After that, the head stack is tested. Several factors are taken into consideration when diagnosing heads: media access time for each head, power consumption curves, and internal hard drive's error reporting systems:
Head stack test
If head stack looks good, the system performs a short media scan. The purpose of this scan is to find out how many "bad sectors" (if any) there are on the surface:
Checking media surface for bad sectors
Then, several firmware tests are performed:
Firmware checks
If no issues are found up to this point, a file systems checkup is performed:
Short analysis of filesystems
After all tests are done, Atola Insight Forensic will display the full report. Diagnostics result message box contains a short summary of all tests:
Final diagnosis
Media scan can help detect two kinds of hard drive damage:
Media scan can also be used to determine general condition of the hard drive's surface.
There are three methods of scanning:
Let's scan a good hard drive and see what we get.
Drive without bad sectors
There are two graphs; the top graph represents single block read time (one block is 2048 sectors, which equals 1 megabyte), and the bottom graph represents read speed for the entire surface.
Now let's have a look at some graphs taken from damaged hard drives.
We call such hard drives "unstable". They usually do not have read errors, but at the same time media access times are very high and change sporadically. In most cases it is possible to create a clean image of such drive.
You can observe patterns of delays which indicate head damage. However, please note that although the head is damaged, it can still read *some* sectors without errors, therefore it is possible to create a relatively good image of such hard drive by imaging data off good heads first, and then off the bad head.
Read errors are displayed as vertical red bars. Please note that when scanning, Atola Insight Forensic shows the entire block as bad even when only one sector in that block is damaged.
Being able to evaluate the drive’s state before it has exhausted its resources can make all the difference between a case won or a case lost in a court of law.
The SMART table is a valuable source of information about a hard drive’s health. SMART (Self-Monitoring, Analysis and Reporting Technology) provides stats of a drive’s operation, thus helping predict its future failure. Making a definitive conclusion based on the indices in the SMART table is not easy: not all parameters are critical; it is usually a combination of bad values of a few parameters that points to trouble; and the time factor plays a role too (how fast the state of the drive has been deteriorating).
To view SMART table of a drive:
Hitachi drive with 1221 pending sectors
SMART table attributes may differ depending on the drive manufacturer. The most critical attributes are:
When RAW value of any of these attributes is greater than zero, Insight will highlight it in yellow.
The worse the values, especially in these critical attributes, the more carefully the drive needs to be treated.
To keep track of the changes occurring to the attributes of the SMART table, Insight records SMART table indices before and after each imaging session.
To open both SMART tables for side-by-side comparison:
By comparing the two tables, operator can evaluate whether the health of a drive has been deteriorating throughout the imaging session and thus assess how quickly its health has been getting worse.
How SMART table state changed after image acquisition
Whenever you need to evaluate how the state of the drive has been changing long-term, you can go to previous imaging sessions and look up SMART table. Insight will store this information in its case management system.
Atola Insight Forensic has a complex imaging functionality, which allows imaging even physically damaged hard drives, avoiding their further deterioration.
Most imagers have a linear imaging process. Whenever such imager encounters a bad sector on a drive, the process slows down drastically. This often causes the drive to freeze. Insight operates using a special imaging algorithm that provides deliberate timeout and block size control. This allows speeding up the imaging of damaged drives while maximizing the amount of successfully retrieved data.
Using small block size pays off when you need to retrieve the maximum data from an unstable drive. This approach also significantly slows down the imaging process. It may also increase the possibility of causing further damage to the media. That's why Insight's multi-pass imaging engine uses large blocks with short timeouts on the first few passes. It schedules reads inside slow areas for later and then uses the smallest block size on the last pass. That is when fewer sectors are left to be read.
This technique helps achieve imaging speeds of 500 MB/sec in good areas of the drive. When approaching bad areas, it is the most gentle way possible to retrieve data. And it allows reaching unbeatable overall speed of disk imaging.
The best part is that Atola Insight Forensic will handle block sizes automatically. And it provides the best possible results in the shortest amount of time. This makes Atola Insight Forensic faster in any job than any other commercially available data recovery or image acquisition tools.
Block sizes and timeouts are adjustable. However, the default settings of the passes are based on our decades-long experience in data recovery market to fit most problematic drives. Therefore, it is advisable to follow them, unless a particular drive requires specific settings.
Full control over imaging passes
On the first pass, Insight allows 1-second Timeout per block, and the Max read block size is set to 4096 sectors. The default settings of the first pass allow smooth sequential imaging of all modern hard drives in good condition. But when you need to image a hard drive with bad sectors, these settings make Insight skip any areas that slow down reading: it performs Jump on error by 1,000,000 sectors at a time. These settings ensure imaging data from the healthy areas of the drive at top speed, while forcing Insight to return to the problematic areas during the following passes. Atola Insight Forensic splits such areas into smaller ones and allows more time for reading the data within.
Atola Insight Forensic: Imaging a hard drive with bad sectors
While Max read block size remains the same during the second and the third passes, the Jump on error is set to 20000 sectors and 4096 sectors respectively. Insight will allow slightly longer, 5-second Timeouts for attempted reading of the blocks.
Image a hard drive with bad sectors: 2nd pass
On the fourth pass, both Jump on error and Max read block size are yet again reduced, this time to 256 sectors.
Image a hard drive with bad sectors: 4th pass
On the fifth pass Insight allocates 60-second Timeouts to read the Maximum block size of 256 with just 1-sector Jump on error. It is the last and the most scrupulous attempt to read the remaining bad areas of the drive.
Image a hard drive with bad sectors: reading the remaining areas on the 5th pass
After the final pass, the Imaging Results report will appear to show the eventual number of errors on the drive and other detailed statistics.
Atola Insight Forensic: Imaging Results
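The pass schedule described above can be followed step by step with a small model. This is an added example, not Atola's code: it assumes a read fails whenever the block touches a bad sector, leaves timeouts out, and uses a constructed drive layout.

```python
from bisect import bisect_left

# (max read block size, jump on error) in sectors for passes 1-5, as listed above.
# Timeouts are not modelled: any read that touches a bad sector counts as failed.
PASSES = [(4096, 1_000_000), (4096, 20_000), (4096, 4096), (256, 256), (256, 1)]


def touches_bad(bad, start, stop):
    """True if the sorted LBA list `bad` has an entry inside [start, stop)."""
    i = bisect_left(bad, start)
    return i < len(bad) and bad[i] < stop


def run_pass(pending, bad, block, jump):
    """Read every pending half-open LBA range once with the given settings.

    Returns (sectors imaged, ranges left for a later pass,
             LBAs given up on, number of reads that hit a bad sector).
    """
    imaged, deferred, errors, failed_reads = 0, [], [], 0
    for start, end in pending:
        pos = start
        while pos < end:
            stop = min(pos + block, end)
            if not touches_bad(bad, pos, stop):
                imaged += stop - pos
                pos = stop
            elif jump == 1:
                # Last pass: re-read the failed block sector by sector.
                failed_reads += 1
                for lba in range(pos, stop):
                    if touches_bad(bad, lba, lba + 1):
                        errors.append(lba)
                        failed_reads += 1
                    else:
                        imaged += 1
                pos = stop
            else:
                # Earlier passes: skip ahead and leave the area for a later pass.
                failed_reads += 1
                skip_to = min(pos + jump, end)
                deferred.append((pos, skip_to))
                pos = skip_to
    return imaged, deferred, errors, failed_reads


def image(total_sectors, bad_sectors, passes=PASSES):
    """Run all passes in order; return one summary dict per pass."""
    bad = sorted(bad_sectors)
    pending, report = [(0, total_sectors)], []
    for number, (block, jump) in enumerate(passes, 1):
        imaged, pending, errors, failed = run_pass(pending, bad, block, jump)
        report.append({"pass": number, "imaged": imaged,
                       "left": sum(e - s for s, e in pending),
                       "failed_reads": failed, "errors": errors})
    return report


if __name__ == "__main__":
    # Constructed drive: 3,000,000 sectors with one 10-sector bad cluster.
    for row in image(3_000_000, range(1_500_000, 1_500_010)):
        print(row)
```

In this model the first pass images two thirds of the drive after a single failed read, and only the last pass touches the bad cluster sector by sector.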
When looking at the settings of the imaging passes, you will see the Reverse direction check boxes. With this function selected, Insight will approach skipped areas of the drive from the other side on any selected pass. This way Insight can get more data from a drive before entering a damaged zone. The system will focus on the damaged zone during the following passes.
Another option in the imaging pass settings worth mentioning is Disable read look-ahead. Most contemporary hard drives have read look-ahead functionality. It makes the drive sequentially read more blocks than requested by software. In good drives, this functionality helps the drive to operate faster by reading and caching more data. But with bad drives, read look-ahead leads to bad areas being addressed more often. This slows down the process and may lead to a complete freeze of the drive. In such cases, disabling read look-ahead is advisable.
When dealing with a damaged drive, we strongly recommend using Segmented hashing because this method supports multi-pass imaging and handling of bad sectors, and provides better resiliency against data corruption.
To read about the way Insight handles imaging of freezing damaged drives please follow this link.
While physical imaging involves sector-for-sector copying the whole evidence drive from the first LBA to the last one, logical acquisition implies bit-for-bit copying of the file structure.
Logical acquisition is handy when time is limited and you need to quickly start working with the file structure. At the same time, a logical image does not include remaining fragments of previously deleted files, which makes this imaging method incomplete. On top of that, hash values of the source and the target will not be identical. Therefore, for an in-depth investigation, it is still preferable to use a physical image.
This guide will show how Atola Insight Forensic’s flexible imaging functionality enables users to perform selective logical imaging.
In the Imaging category of the left-side menu there is I want to image drop-down menu, where you can select All sectors with data or All sectors with metadata options.
Image only those sectors that have data
When you choose All sectors with data, you can image the whole system structure of the drive including folders and files, while omitting the areas with no data or fragments of previously deleted files.
By going for All sectors with metadata option you can image the system structure without data within its files (e.g. MFT in NTFS) for file browsing and selecting specific files to be imaged in full. For more information on this please watch this video guide: Benefits of Imaging Metadata.
When you select either of these two options, imaging log adds a message about the partitions Insight has been able to find.
Imaging results
Once imaging is complete, you can view the structure of the logical image you have obtained by clicking Analyze target image.
This will open the Target port.
In our example, we have imaged all sectors with data, and the partition we open contains the file structure and files, which we can explore, open and analyze.
When you image data from a drive involved in an investigation case, and the target drive will be holding a 1:1 clone of evidence data, in many cases it is critical that the target drive's capacity is identical to that of the source drive. Should there be a difference in size between the source and the target devices, their hashes will be different too.
However, if your SATA target drive has a larger capacity, you can limit its size to that of the source drive using Host Protected Area (HPA). It will make the sectors beyond this limit inaccessible to the hashing tools as well as the end user.
To do that:
Enabling HPA restriction for target
You can now proceed with the Imaging process by clicking Start Imaging button.
When Imaging is complete, you will see that target disk port now contains an HPA indicator, thus informing you that HPA has been enabled on this drive. There will also be a report created in the Case History.
This report will contain information about the time when HPA was enabled, a detailed device description and how this action was initiated. It will also indicate the initial max address as well as the current one.
Now you can calculate hashes on both disks to make sure they are identical.
Please note that enabling HPA is an option available only for SATA target drives.
Hard drives with physical damage require a complex imaging approach. This guide will explain how to retrieve data with the minimal risk of data loss on a drive with a damaged head stack.
If an Automatic Checkup report indicates that there is a problem with the heads, look at the status of each head.
Head problem found during Diagnostics
If the status of a head or multiple heads is Degraded or Damaged, the drive will not be able to read all the data. What’s worse, even more sectors may soon become unavailable due to incorrect functioning of the drive’s hardware.
We recommend that you start by imaging the heads whose status is OK as soon as possible. To do that:
Step 1. Go to the Imaging category of the left-side menu, click on the Create New Session link and select the device or file to which the data will be imaged.
Step 2. In the Start new imaging session page go to the Heads line and click on the Select heads to use link.
Step 3. Unselect the damaged head.
Step 4. Click on the Start Imaging button.
Unselect degraded head
As a result, you get as much data from the drive’s viable heads as possible before even beginning to work with the damaged head. This way the risk of losing data on the working part of the head stack is minimized.
Imaging result with 3 good heads
Now that this data has been successfully retrieved, you have two options:
Unselect 3 working heads
Atola Insight Forensic’s sophisticated functionality enables users to retrieve maximum data even from the severely damaged drives.
Imaging degraded head
Now that you have an image of the source evidence including the data copied from the damaged head, you can take the risk and get the head stack fixed. Afterwards, you can start a new session to complete the initially created image with data from previously unreadable sectors.
When Atola Insight Forensic performs Imaging, it approaches bad sectors in the most gentle yet thorough way with high overall speed. But most importantly, Insight is unbeatable at imaging severely damaged drives, while providing all the necessary tools for evidence verification and proper data storage formats. Insight's ability to succeed even with the drives that freeze in the course of imaging makes it indispensable for forensic specialists.
When a drive receives and runs a Read sectors command, and comes across a physically or logically damaged sector, the device is unable to return a good result. Therefore it goes into Retry mode, repeatedly attempting to retrieve data from the damaged area.
However, often the drive is unable to read data from the damaged sectors and the Retry mode can last for a very long time before it decides to give up on a particular sector and return an Error.
If Insight simply waited for each Read sectors command to be completed:
For these reasons, Insight issues a Reset command whenever a drive attempts to read a block of sectors for longer than allowed by the pre-configured Timeout. Reset is a device interface operation, using which Insight (the host) stops the previously sent Read sectors (or any other) ATA command so that Insight continues imaging from the next planned block on the drive.
If the device is still running the Read Sectors command even after the Reset attempt, Insight will wait 3 seconds and perform another Reset command. At the moment of the second Reset, a new entry will appear in the Imaging Log reading Device hangs while reading block X – Y.
Power cycle due to frozen source device
If 20 seconds after the second Reset, the drive has not been able to abandon the current block, Insight will perform Power cycle by forcibly cutting power to the drive for 5 seconds. At this point Insight will add two entries to the log: Performing power cycle... (when the power is cut off) and Waiting for the device to become ready… (when the power is switched back on).
Should Power cycle prove successful and the drive become ready to accept the next command, there will be a final log entry for this problematic block of sectors saying: Cannot read block of data at X – Y (Timeout).
If Power cycle is ineffective, it means that the drive is still in the Busy state, which prevents it from becoming ready to run the next command. After that, Insight will make one or more additional power cycles. In Insight’s default settings the Max consecutive Power Cycles option is set to five. Should all five Power cycles be unsuccessful, Imaging will be automatically terminated. It can be resumed afterwards, and Insight will continue to image all remaining sectors.
While users are able to change the default maximum numbers of Resets and Power cycles, these are set based on our decades-long experience and balance the need of data retrieving with the risk of further data loss.
NB If prior to Imaging, you applied Change Max Address temporarily (until power cycle) option, the Power cycles performed in the course of Imaging will not affect it. The Host Protected Area will remain accessible throughout the Imaging process. Insight will temporarily remove HPA max address restriction after each Imaging-related Power cycle.
The same is true for Reset Password until power cycle option. Insight will keep the password reset throughout the Imaging process, without regard to the Power cycles applied.
In recent years, the E01 file format has become the de facto standard format for forensic purposes due to its ability to store not only a physical or logical copy of a source drive, but also case and evidence details. An E01 file can also contain both MD5 and SHA-1 hashes, and it is considered good practice among forensic specialists to calculate both hashes while imaging the evidence so that they are included in the E01 file.
To image a source evidence drive to an E01 file you have to add a new target file.
1. In Imaging category of the left-side menu you can click on Create New Session link and in the Target Device Selection window click on Create Image File link.
2. In the Image File Selection window select E01 file extension in the drop-down menu to create an image file with this extension and type the name you prefer in the File Name field.
3. Fill out all the relevant fields in the Image File Options window (you can also do it later in the Home page of the file when it is created):
4. Click on Select button in the Target Device Selection window.
As a result, you get an E01 file with a current capacity of 0 bytes (its final capacity will be defined by the amount of imaged data it contains plus the metadata).
Upon completion of imaging, you will see both MD5 and SHA-1 hashes indicated in Imaging Results page:
Calculated MD5 and SHA1 hashes
A situation may occur when multi-target imaging is paused to be continued later, but one or more targets become unavailable. A target drive may be needed by another technician or may break, or the server with the image file may become unavailable. But you may need to finish the imaging to the remaining target as soon as possible to start working on the evidence.
It is for such cases that we have added the splitting imaging sessions functionality to the 4.9 release of Atola Insight Forensic.
With the source drive connected to Insight, go to Imaging category and view the details of the interrupted imaging session to several targets. If not all target drives and image files are available, it is impossible to simply resume imaging. However it is possible to split the previous imaging session into separate ones: one per each target. To do that click Split all sessions to separate targets link.
Once the session has been split, it is possible to resume imaging to each separate target by clicking Resume button in each target’s Imaging Session.
The resumed imaging session will skip all sectors imaged to the target within the previous session.
This way one can complete imaging to all targets at different times, as they become available.
NB Please note that if a target becomes unavailable during imaging, the process will automatically stop running, and you can try to either resume imaging to all targets, or split imaging sessions should it be necessary.
Insight's Case Management system records every step of data acquisition process saving them into reports grouped by cases.
To view the whole list of cases and their devices:
In the Search and Open Case window you will see the list of all the devices that have ever been connected and identified by your Insight.
It is possible to search for cases using multiple criteria and sort the results ascending or descending in any of the columns.
Please note that it is possible to store multiple devices under the same case number, allowing you to keep track of all devices related to a certain case.
Once a device is selected, you get a preview of the case including device details: when the case was created (i.e. the device was connected to the unit and identified by Insight for the first time), last time it was opened, the device model, serial number and description.
The case opens as a separate port in the Top Bar of the Insight window.
Imaging is a time-consuming part of the evidence acquisition process, especially when dealing with damaged drives.
Even though Atola Insight Forensic is the fastest forensic imaging tool in the world (there is literally no penalty on a drive speed when you image it with Insight!), we want to help expedite forensic process even further. The artifact search feature allows analysis of data from an evidence device in the course of imaging.
Unlike most forensic analysis tools that parse the file structure, Insight does sector-level parsing, which allows getting data even from the spaces of the drive that are not associated with any file (e.g. remnants of previously deleted documents), thus providing you with clues that are omitted by most analysis tools. Artifact finder uses Intel Hyperscan engine, which makes it the fastest possible tool for primary data analysis.
In this tab it is possible to view, select or deselect the artifacts you want to be searched in the course of imaging.
For each of these artifacts we have not only applied well-known algorithms including the Luhn formula used to validate credit card numbers, but also applied our own smart filters to eliminate false results (e.g. if there are two slashes near the number that has preliminarily been identified as a credit card number, that will eliminate it from the search results, as it is likely to be a part of a URL).
Keywords and regular expressions can be added to the search parameters in a txt file with one artifact per line. Click the View link next to Keywords category in Artifacts tab before imaging and make sure the keywords are displayed correctly. Keyword encoding can be adjusted to Unicode, Unicode (UTF-8), Unicode (Big-Endian) or US-ASCII.
A few of the artifacts are selected by default, namely: GPS, MAC, Phone numbers, URL. You can adjust these default settings and click the Save settings button. This will affect all future imaging sessions (including those on new source drives) unless you re-adjust the settings or restore the default settings by clicking the corresponding link. The paths to the files with keywords and regular expressions will also remain saved, although should any changes be made to the txt files in the saved directory, the changes will be uploaded at the start of each imaging session.
NB. It is advisable that no more than 4 artifacts are selected at a time, otherwise imaging will slow down considerably. Keywords consisting of less than 4 symbols, regular expressions consisting of less than 6 symbols, or a large number of keywords (more than 2000) or regular expressions (more than 10) may also slow down the imaging process. This is due to the large number of results such search parameters are capable of producing.
Once you have ticked the boxes next to the artifacts you would like to be searched for, click the Start Imaging button.
Once imaging has begun, go to the Artifacts tab in the bottom part of Insight window and watch the selected artifacts being found: the numbers of artifacts and the corresponding diagram change on the go.
To see the artifacts in a list, press on any of the categories or the diagram.
In the table, each artifact is assigned an Id number, each found Value is shown in the context (including 20 bytes before and 20 bytes after the artifact in grey color), the LBA and the offset are also displayed in the table to help locate the artifact.
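The sector-level credit card search described above, with its Luhn check, two-slash URL filter and LBA/offset/context output, can be sketched as follows. This is an added example, not Insight's artifact finder: the candidate pattern, the 512-byte sector size, the use of the 20-byte context window for the slash check, and the sample image are all assumptions made for illustration.

```python
import re

SECTOR_SIZE = 512   # assumption: 512-byte sectors
CONTEXT = 20        # bytes of context kept on each side of a value

# Candidate: 13-19 digits, optionally separated by single spaces or dashes.
CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn checksum over an ASCII digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                       # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(buf):
    """Scan a bytes-like image regardless of file system structures.

    Returns Luhn-valid values that have no "//" within CONTEXT bytes,
    each with its LBA, offset inside the sector and surrounding bytes.
    """
    hits = []
    for m in CANDIDATE.finditer(buf):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if not luhn_valid(digits):
            continue
        before = bytes(buf[max(0, m.start() - CONTEXT):m.start()])
        after = bytes(buf[m.end():m.end() + CONTEXT])
        if b"//" in before or b"//" in after:
            continue                    # two slashes nearby: likely part of a URL
        hits.append({"id": len(hits) + 1, "value": digits,
                     "lba": m.start() // SECTOR_SIZE,
                     "offset": m.start() % SECTOR_SIZE,
                     "context": before + m.group() + after})
    return hits


def build_sample():
    """Constructed 4-sector image with three planted strings."""
    img = bytearray(SECTOR_SIZE * 4)
    for pos, data in ((700, b"card=4111111111111111;"),          # valid, kept
                      (1100, b"http://cdn.example//4111111111111111/a.js"),  # URL
                      (1600, b"id 1234567890123456 end")):       # fails Luhn
        img[pos:pos + len(data)] = data
    return bytes(img)


if __name__ == "__main__":
    for hit in find_card_numbers(build_sample()):
        print(hit)
```

For a real image file, pass an `mmap` of the file as `buf` so the whole image is not loaded into memory.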
There are many options to help find, sort, filter and view the artifacts: it is possible to view one or a few categories of artifacts in one list, use the Search bar to find a specific value (search examples are provided in the bottom right corner of the window), filter results for unique values by clicking the Show unique artifacts link.
The latter option is quite valuable as it helps identify the values most frequently occurring on the drive: to sort the results click Count in the table header.
To promptly find the sector where an artifact is located, you can double click the artifact you would like to examine more thoroughly.
Export to CSV button is disabled during imaging. You can wait until imaging is completed or pause it, make an export and restart imaging, should it be necessary to start analyzing the current artifact search output with an external tool:
There is Export artifact link now in the Imaging category of Insight's menu. If the source drive was imaged in multiple sessions, and artifact lists were created during different imaging sessions, by clicking this link you can download a merged list of artifacts from multiple imaging sessions.
We test our units on a wide range of storage devices. To check the imaging speed on different HDDs, SSDs and USB flash drives we imaged a few of them and cross-checked the speed with userbenchmark.com, where you can find detailed info on the minimum, average and maximum read and write speed of almost every data storage device in the market.
NB. Imaging speed is limited by the speed of the slowest of the devices participating in the imaging session. Therefore, the slowest of the two speeds (either the read speed of the source or the write speed of the target) will define the speed at which imaging process is running.
We begin with the Samsung 850 Pro SSDs mentioned above. These two drives are not damaged but are rather worn out, as we have been demonstrating Insight's imaging speed on them at every exhibition for a few years now. Insight images from one such SSD to another at 501 MB/s (therefore it is the write speed of the target drive that defines the imaging speed in this case).
At userbenchmark.com this drive's maximum write speed in sequential mode (sectors read and written to in sequential order) is 502 MB/s.
Next, we take the 128 GB version of the same SSD drive, and Insight images it at 490 MB/s.
The maximum write rate (we image to an identical SSD) claimed at userbenchmark.com (based on over 6 thousand samples) is 490 MB/s, the same rate as that achieved by Atola disk imaging hardware.
When Insight images a 4TB Toshiba X300 (an HDD with SATA interface), it achieves the speed of 195 MB/s.
How does this speed compare to the one at userbenchmark.com? The website quotes 182 MB/s of max read speed. Insight's speed substantially exceeded the benchmark speed based on 992 samples!
Insight's speed of imaging a Western Digital's Blue 250 GB constituted 115 MB/s.
At userbenchmark.com the same drive's max read speed is 115 MB/s. Again Insight achieved the top speed based on over 3000 samples.
Insight was able to reach 77 Mb/s when reading WD7500AYPS 750GB drive.
The same drive at userbenchmark.com achieved the maximum read speed of 73.7 MB/s. Again Insight exceeds this index.
When imaging this HGST 1TB SAS hard drive, Insight was able to achieve 111 MB/s.
And it is a much higher speed than that of userbenchmark.com (99.5 MB/s max read speed).
Next, we imaged Corsair Voyager 3.0 64GB USB, and Insight reached an overall speed of 207 MB/s.
The max read speed achieved by the contributors of userbenchmark.com constituted 215 MB/s. Insight did below the max speed but substantially above the average.
Please note that here we imaged devices that were in overall good health. Imaging may be considerably slower when dealing with a damaged drive, and the speed heavily depends on the type and degree of such damage.
Here are links to the userbenchmark.com pages with the devices mentioned above for your reference:
Samsung 850 Pro 256GB https://ssd.userbenchmark.com/Samsung-850-Pro-256GB/Rating/2385
Samsung 850 Pro 128GB https://ssd.userbenchmark.com/Samsung-850-Pro-128GB/Rating/3483
Toshiba X300 4TB https://hdd.userbenchmark.com/Toshiba-X300-4TB/Rating/3592
WD Blue WD2500AAKS 250GB https://hdd.userbenchmark.com/SpeedTest/2143/WDC-WD2500AAKS-00L6A0
WD WD7500AYPS-01ZKB0 750GB https://hdd.userbenchmark.com/SpeedTest/7309/WDC-WD7500AYPS-01ZKB0
HGST Travelstar 5K1000 2.5" 1TB https://hdd.userbenchmark.com/SpeedTest/72/HGST-HTS541010A9E680
Corsair Voyager GT 3.0 64GB https://usb.userbenchmark.com/SpeedTest/5886/Corsair-Voyager-GT-30
If you need to create multiple images of a drive for different purposes, with Insight you can image to three targets simultaneously. The targets can be of different types: another drive, an E01/AFF4/RAW file located on a server/workstation.
Select target drives
If one of the targets has to be a file, follow these steps:
1. Click Create Image File link in the Target Device Selection window.
2. Select file location, name and format, then click Open button.
3. Once you have selected all targets, click Select button.
4. Double-check imaging settings and click Start Imaging button.
NB The speed of this imaging session will depend on the slowest of the devices involved in it: either on the read speed of the source drive or the write speed of the targets you have selected.
Every once in a while forensic examiners come across hard drives that get shorted. In most cases, a drive has become shorted after experiencing overvoltage either due to a power supply failure or as a result of a user error. Here is what happens to drive in these scenarios and how to fix this.
Most drives have two TVS diodes: one on the 5V rail and another one on the 12V rail.
In a situation when a drive experiences overvoltage, these diodes protect the drive's circuit by converting the surplus electric power into heat energy and warming up. In case of reverse polarity, the current will go in the opposite direction and will completely be flowing through the diode, thus warming it up, too. If overvoltage or reverse polarity episode is relatively short and the dissipated energy is not too high, the diodes will recover and continue working. Otherwise, the diodes "sacrifice" themselves and get shorted.
When the drive is subsequently powered, the diodes create short circuit. This term describes the situation in which there is a low resistance connection between two nodes. That is exactly what happens to a drive when its TVS diodes are shorted.
Hard drive with TVS diodes
If you try to connect such drive to Atola Insight Forensic, the Source window will have a short circuit alert to notify the operator about the detected issue.
Short circuit alert
A drive with a shorted TVS diode cannot be identified or imaged. You can try to run diagnostics on the drive, although it cannot be properly diagnosed and the report will suggest that the TVS diodes should be replaced.
Diagnostics report of a shorted drive
However, if you need to image such drive and you have no new TVS diodes at hand to replace the shorted ones, you can actually image such drive with an Atola imager just by removing the diodes!
It is safe to image such drives with any Atola product. Both Atola TaskForce and Atola Insight Forensic have short circuit and overvoltage protection to secure both the imager and the drives attached to it from circuit failures.
The best way to remove the diodes is by heating the area of the drive where they are located with a hot fan (e.g. in a hot air soldering station), and then gently removing them with tweezers.
Once the diodes have been detached, you can plug the drive to Atola Insight Forensic and proceed with imaging data from its platters.
Imaging a drive with detached TVS diodes
Atola Insight Forensic supports imaging into a file on an encrypted target drive, using VeraCrypt for data encryption.
After your source drive is identified by the system perform these steps:
Formatting will take a few seconds.
After you click the Start Imaging button, Insight will begin imaging data into the file on your encrypted target.
Upon completion of the imaging session, check the Imaging results screen.
Data extraction:
Now you can view the partition name, size and encryption algorithm.
Once you have entered the password, the volume will be mounted and you can access it from Windows Explorer and use the image for subsequent operations.
Atola Insight Forensic supports NVMe drive imaging via NVMe-to-USB adapter, based on the JMS583 chip.
To start working with an NVMe drive:
NB Please note that in case the unit is booted with a device plugged into its USB port, the booting will not be completed correctly.
To identify the source drive:
1. Click the Identify device link on Atola Insight Forensic home screen or press the F2 button on your keyboard;
2. In the pop-up window with all available source devices, select the NVMe device connected to the USB source port;
3. You can either select a previously created case (if the same drive had been connected and identified with your Insight before) or click the Add new case button;
4. To create a new NVMe device case, enter the NVMe model and serial number in the Add new NVMe device case pop-up window.
NVMe model and serial number can be found on the device’s label:
To launch an imaging session:
1. Go to the Imaging category in the left-side menu on the home screen and click the Create New Session link;
2. Select the target device and confirm by clicking the Select button;
3. In Imaging settings, specify the parameters for the imaging session. Click the Start Imaging button.
Insight will start imaging the NVMe drive.
Use these imaging settings and follow the recommendations to cope with severely damaged drives.
RAW image file or target drive plugged into the unit: best to use segmented hashing with linear hashing disabled.
E01 is a linear format. It limits the use of Insight's advanced imaging features, e.g. reverse imaging or manual jumps.
Imaging with linear hash: one MD5/SHA1 hash. Imaging with segmented hashes: many hashes of corresponding LBA ranges of the image.
The sum of these LBA ranges represents the entire image, though not necessarily in sequential order. You can still prove that the entire image has not been modified by verifying all hashes in a set.
The last pass has a unique feature which does not occur during previous passes: internal auto-reread procedure for error block sector-by-sector. It is defined by an unchangeable Jump size = 1 sector.
How imaging engine works on the last pass:
If you want to speed up the image acquisition, follow these hints.
How it is useful:
1. Make sure the drive is in good condition or learn about the type of damage to make an informed decision about your following steps
2. Prioritize the drive. Diagnostics report tells you if there is any data at all.
3. Use imaging time estimation
When imaging to network, 10Gbit extension is highly recommended.
All files contain file data and metadata. Partitions store metadata in specific structures: for NTFS as an example. Metadata includes file name, access/modification datetimes, size, etc.
Imaging all sectors with metadata results in a full directory tree with files with metadata and without data.
Then you can open File Recovery and create an imaging session for specific files you need.
Example: pictures, videos, documents.
Important: The resumed imaging session will complement the data imaged prior to the pause with only the sectors that were not yet copied.
Segmented hashing is a new hashing concept, which makes it possible to hash damaged source drives and avoid losing a target image if part of the data gets corrupted. This hashing method can be used during multi-pass imaging of damaged drives.
With regular hashing, you get a single hash for the entire image.
With segmented hashing, you end up with many hashes of corresponding LBA ranges of the image. The sum of these LBA ranges represents the entire image, though not necessarily in sequential order. You can still prove that the entire image has not been modified by verifying all hashes in a set.
Segmented hashes are saved in a CSV file in this format:
Hash,start LBA,end LBA
Example:
75c92419e86ce82734ef3bbb781e6602 ,0,8388608
e2c7fc5264bae820e46c50b0502236d3 ,8388609,16777216
42718e48b5adb59563c98727cbce0619 ,16777217,25165824
... And so on until the last LBA.
Conventional hashing method prevents imaging source evidence in a non-linear way, which means no proper hash calculation when imaging damaged evidence drives. Segmented hashing allows the use of multiple passes and a more efficient handling of damaged drives, while hashing all good areas.
Hashes are calculated only for the imaged areas, while all bad sectors are excluded from the calculation.
Selecting segmented hashing method in imaging settings
Another reason to use segmented hashes is to ensure better resiliency against data corruption in the image. If your acquired evidence image gets damaged in the future, with a regular linear hash you will get a hash mismatch upon verification, and the entire image will become useless. With segmented hashes only the hash for one segment in the set will become invalid.
Here are imaging results including a link to the file with segmented hashes.
Segmented hashes are saved in a CSV file in "Hash,start LBA,end LBA" format:
Last November Atola Technology team presented a new hashing method called Segmented hashing. Unlike the conventional linear hashing, segmented hashing produces not a single hash, but a list of hashes of corresponding LBA ranges of the image saved into a CSV file in this format:
Hash, start LBA, end LBA
By validating all hashes on the list, you can prove that the entire image has not been modified. For more information about this hashing method, please follow this link: Segmented Hashing.
While this method of hashing has a number of benefits for forensic specialists, among its strongest advantages is its applicability to damaged drives.
For one, this non-linear hashing method allows calculating hashes of the good areas of evidence media, while bad areas that are impossible to read and image are left out of the calculation.
Secondly, if your acquired evidence image is damaged at some point in the future, with the regular linear hashes you will get a hash mismatch upon verification, and the entire image becomes useless, whereas with segmented hashes only the hash of the damaged segment will become invalid. For example, in the case of a 4TB hard drive, if the default 4GB segment size is applied, one invalid hash will account for only 0.1% of the drive, while the remaining 99.9% of hashes can still be verified.
Suppose you have imaged a source drive and calculated its segmented hashes, and the CSV file is stored on your computer. Now let's simulate a change to the evidence image to see how Segmented hashing helps us identify the areas whose integrity has not been compromised.
Step 1. Select the target image in the top Port bar. In the Disk Editor subcategory of Device Utilities category of the left-side menu, we can open any sector of the drive. There we can change one byte in sector #35,000,000.
Changing one byte in Disk Editor
Step 2. In the Hashing category of the left-side menu there is Verifying Segmented Hashes subcategory. This is an automated way to verify the segmented hashes in an existing CSV file against the target image. Select the file with segmented hashes calculated during imaging and click Start.
Hash verification
Step 3. Hash verification is in progress. Here we see 18 segmented hashes checked. Hash for the interval that includes sector 35,000,000 is invalid.
Segmented hash verification in progress
Step 4. Hash verification finishes with the proper case report automatically created, also in CSV format.
Segmented hash verification report
This is how segmented hashing helps you avoid the whole image being compromised when a small area of the evidence target is damaged.
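The CSV format and the verification walk-through above can be reproduced outside the tool. The following Python code is an added example, not Atola's code: it assumes MD5 hashes (the sample rows are 32 hex digits), 512-byte sectors and inclusive end LBAs (as the sample rows suggest), and it runs on a small constructed image with a simulated one-byte change.

```python
import csv
import hashlib
import io
import os
import tempfile

SECTOR_SIZE = 512  # assumption: 512-byte logical sectors


def parse_segment_csv(text):
    """Parse 'Hash,start LBA,end LBA' rows into (hash, start, end) tuples."""
    segments = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 3 or not row[1].strip().isdigit():
            continue  # skip the header line, blank lines and malformed rows
        digest, start, end = (field.strip() for field in row)
        start, end = int(start), int(end)
        if end < start:
            raise ValueError(f"bad range {start}-{end}")
        segments.append((digest.lower(), start, end))
    return segments


def hash_range(image, start, end, chunk_sectors=2048):
    """MD5 of sectors start..end (inclusive) read from an open image file."""
    md5 = hashlib.md5()
    image.seek(start * SECTOR_SIZE)
    remaining = (end - start + 1) * SECTOR_SIZE
    while remaining > 0:
        data = image.read(min(remaining, chunk_sectors * SECTOR_SIZE))
        if not data:
            return None  # image is shorter than the CSV claims
        md5.update(data)
        remaining -= len(data)
    return md5.hexdigest()


def verify_segments(image_path, segments):
    """Return (valid, invalid) lists of (start, end) ranges."""
    valid, invalid = [], []
    with open(image_path, "rb") as image:
        for digest, start, end in segments:
            ok = hash_range(image, start, end) == digest
            (valid if ok else invalid).append((start, end))
    return valid, invalid


def uncovered_ranges(segments, total_sectors):
    """LBA ranges with no hash at all, e.g. bad sectors excluded during imaging."""
    gaps, cursor = [], 0
    for _, start, end in sorted(segments, key=lambda s: s[1]):
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def demo():
    """Constructed 64-sector image, 16-sector segments, sectors 32-35 unreadable."""
    image_bytes = bytes((i * 7) % 256 for i in range(64 * SECTOR_SIZE))
    # Rows are deliberately out of order, as they can be after multi-pass imaging.
    ranges = [(48, 63), (0, 15), (16, 31), (36, 47)]
    rows = ["Hash,start LBA,end LBA"]
    for start, end in ranges:
        chunk = image_bytes[start * SECTOR_SIZE:(end + 1) * SECTOR_SIZE]
        rows.append(f"{hashlib.md5(chunk).hexdigest()},{start},{end}")
    segments = parse_segment_csv("\n".join(rows))

    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(image_bytes)
        clean = verify_segments(path, segments)
        with open(path, "r+b") as f:  # simulate a one-byte change in sector 20
            f.seek(20 * SECTOR_SIZE + 5)
            original = f.read(1)
            f.seek(20 * SECTOR_SIZE + 5)
            f.write(bytes([original[0] ^ 0xFF]))
        tampered = verify_segments(path, segments)
    finally:
        os.remove(path)
    return clean, tampered, uncovered_ranges(segments, 64)


if __name__ == "__main__":
    clean, tampered, gaps = demo()
    print("invalid before change:", clean[1])
    print("invalid after change: ", tampered[1])
    print("LBA ranges without a hash:", gaps)
```

Only the segment containing the changed sector fails; the other segments still verify, and the unhashed gap is reported separately so it is not mistaken for verified data.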
Atola Insight Forensic supports hash calculation of both source and target devices in conjunction with imaging. We have developed highly flexible functionality to help optimize the evidence acquisition process to fit one’s internal procedures as well as avoid causing further damage to fragile media.
To view the hashing options:
Imaging results with segmented hashes
Multiselect is available, which allows an operator to use all three of these options.
However, the Pre-hash source drive option must be used with caution: although pre-hashing can be required by an investigator’s internal procedures, when dealing with drives that have been diagnosed with hardware failure, this operation may cause further damage to the drive before essential data is imaged.
By contrast, Hash source during imaging is the most appropriate way to calculate the hash of a fragile source evidence drive. In this case, Insight only needs to read the data on the drive once to both image and calculate the hash, thus minimally using the drive’s hardware.
NB A linear hash can only be calculated by reading data in sectors consecutively in one pass. Therefore, ticking the Hash source during imaging checkbox and selecting the Linear or the combined Linear and Segmented option in the Hashing method drop-down menu limits the number of passes to one. When dealing with a damaged drive, we strongly recommend using Segmented hashing, as this method supports multi-pass imaging and handling of bad sectors and provides better resiliency against data corruption. For more details please follow this link: Segmented hashing.
The Post-hash target device(s) option allows the calculated hash to be properly recorded in the case. Since this operation does not require reading the source drive, it is safe to use this option while imaging either good or damaged drives.
Imaging results with segmented hashes
Over the years, the E01 file format has become popular for forensic purposes due to its ability to store not only the physical or logical copy of the source drive, but also case and evidence details. An E01 file can also contain both MD5 and SHA-1 hashes, and it is considered good practice among forensic specialists to calculate both hashes while imaging the evidence so that they are included in the E01 file.
To view the hash calculated for an E01 file with Atola Insight Forensic, open the file by pressing the Plus icon in the port bar and then selecting E01 image files (*.E01) file extension in the drop-down menu to view existing files with this extension.
In the Home page look through the File History and click on the Imaging target link.
This will open an Imaging target report, at the bottom of which you will be able to see both hashes calculated during the imaging session.
You may leave this window open or save the report as a pdf file to compare the hash with the newly calculated one later.
Then go to Calculate Hash page in Hashing category of the left-side menu and select Linear in Hash method drop-down menu and MD5 and SHA-1 in Hash type drop-down menu.
Once the hashes have been calculated, you can make sure that the two sets of hashes are identical.
So you have a Source evidence drive and its image on a different device, and you have a record that their hash values were identical in the past.
If you get a different hash value when you calculate the hash of the target now, it could be due to hardware failure, or because the device containing your image was used by a third party.
To understand how substantial these changes are, you will want to locate the sectors that have been modified.
Atola Insight Forensic's high-performance compare function will compare the source and the target and will help you identify and locate the modified sectors:
Insight can recover and/or remove unknown HDD passwords (also known as ATA passwords) and for most hard drives the unlocking process is fully automated.
When a device is connected and identified as locked with an ATA password, there is a corresponding PWD indicator displayed in the port, and Security Status in the Home page says Locked, High or Locked, Maximum. High and maximum are password protection levels that the operator who locked the device selected. Although information about it may be relevant to the investigator, both security levels are supported by Insight's password recovery functionality, therefore this information is not important for the purpose of this guide.
Source device locked with ATA password
To perform a complete Diagnostics, Insight needs to have a hard drive unlocked. Therefore we suggest that when dealing with a locked device, password recovery is performed before running the Automatic Checkup.
Diagnostics showing password lock
Under Device Recovery category of the left-side menu select Password Recovery subcategory. There are 3 options of dealing with a locked hard drive:
Unknown password recovery
For the list of hard drives currently supported by Insight's automatic password recovery, please follow this link.
Please note that this guide is applicable to all supported Samsung, Toshiba and Western Digital hard drives. To unlock a Seagate drive, please connect the device to the Serial port of the DiskSense unit and then follow the same steps. Hitachi drives require the use of the password extraction adapter: for more information please follow this link.
If you need to extract or reset an unknown password or perform drive recovery on a Seagate hard drive, use a Serial cable to connect the drive to the DiskSense unit.
Take a minute to familiarize yourself with the Serial cable’s three connectors. On one side of the cable, there are two connectors. Both are 2-pin RX-TX (receive-transmit) connectors. The slightly larger one has 2.5-mm pin pitch and is used for IDE drives. The smaller one has 2-mm pin pitch and is used for SATA drives.
On the opposite side of the Serial cable, there is a 3-pin TX-RX-GND (transmit-receive-grounding) connector. This connector is inserted in the Serial port on the back side of the DiskSense unit.
DiskSense Back Side
When you look at a Seagate SATA drive (either 3.5-inch or 2.5-inch), there is a 4-pin jumper block right next to the SATA port.
3.5 SATA serial port
2.5 SATA serial port
Connect the 2-mm RX-TX end of the serial cable to the two jumper pins located closest to the SATA port so that the red RX (receive) wire is connected to the pin closer to the SATA port.
3.5 SATA Seagate connected
2.5 SATA Seagate connected
Desktop IDE drives have an 8-pin jumper block between IDE port and Power port. For the purpose of this manual, we shall call the pair of pins located closest to the IDE port and used for Master/Slave settings the first pair of pins. The next, second pair of pins is usually used for Cable Select settings. The third pair of pins is the one we will connect the Serial cable to.
Please note that IDE hard drives must be set to Master mode for password extraction and reset or drive recovery. To use the drive in Master mode, place a jumper on the first pair of pins (closest to the IDE port), as shown in the picture below.
3.5 IDE Seagate pins
Attach the 2.5-mm RX-TX connector to the third pair of jumper pins, as shown in the picture below. Make sure that red RX (receive) wire is facing down and the black TX (transmit) wire is facing up. The second pair and the fourth pair of pins must be left open.
3.5 IDE Seagate connected
Similar to desktop hard drives, laptop Seagate hard drives also must be set to Master mode to perform password extraction and reset or drive recovery. Master mode on a 2.5-inch device is set by removing all jumpers.
2.5 IDE Seagate pins
There is a 3.5"-to-2.5" IDE adapter included in the package with the DiskSense unit. It consists of the following components:
2.5 to 3.5 IDE adapter
Use the adapter to connect the drive to IDE interface cable and IDE power cable. Then attach the 2.5-mm RX-TX connector to pins marked A and C, as shown in the picture below. Make sure that the black TX (transmit) wire is connected to the pin A, and red RX (receive) wire is connected to the pin C.
2.5 IDE Seagate connected
Please note that to use the 2.5-inch Seagate IDE drive in Slave mode, the 2.5-mm RX-TX connector must be detached from the adapter and instead a jumper must be placed on pins A and B.
Once the Seagate hard drive is connected to the unit, follow these instructions to configure the Baud rate of Seagate Terminal, which allows you to use an extensive set of commands on a Seagate drive:
Terminal output
Should there be no output in the Terminal window or should it consist of random symbols, try to change the Baud rate until you get a good response.
Now proceed with password extraction or send Seagate Terminal commands to the drive.
First of all, please connect the hard drive's serial port to DiskSense unit by following instructions on the Serial Port Connection page.
Open the Terminal window, select the DiskSense COM port (usually the one that is displayed by default is the correct one). 38400 is the proper speed for 7200.11 hard drives:
COM terminal connection
Once everything is set up, click OK. Make sure that you have attached everything correctly by applying power to the drive (you should see a meaningful output in the terminal window).
Note: if you make a mistake while entering commands, you will get the following message:
Invalid Diag Cmd Parameter
In this case simply re-enter the command and double-check that you are entering everything exactly as shown in this manual.
Once everything is ready and you have powered on the drive, you should see the following (or very similar) output in the terminal window:
Rst 0x20M
(P) SATA Reset
At this point press CTRL+Z. You should receive the command prompt:
F3 T>
1. Type the following: m0,2,2,0,0,0,0,22 and then press ENTER.
2. At this point the drive will stop responding for a while.
3. After some time (1-5 minutes) you will get several messages from the drive similar to these:
Max Wr Retries = 00, Max Rd Retries = 00, Max ECC T-Level = 00, Max Certify Rewrite Retries = 0000
User Partition Format Successful - Elapsed Time 0 mins 00 secs
4. Wait some more time until you see the command prompt again:
F3 T>
5. Type the following: /2 and then press ENTER. You will see the following output:
F3 T>/2
F3 2>
6. Type capital Z and press ENTER:
F3 2>Z
Spin Down Complete
Elapsed Time 10.543 secs
F3 2>
7. At this point you have to re-power the drive. The procedure is complete.
This problem is also known as "LED:000000CC problem". This is because when you apply power, you will usually see the following output:
Rst 0x10M
LED:000000CC FAddr:0025BF67
To fix this issue, please follow these steps:
1. Power off the drive
2. Remove two screws as shown on the picture below (you will need a Torx T6 screwdriver):
3. Put a piece of paper as shown on the picture below (the goal is to separate spindle motor contacts from the pcb):
4. If you detached any cables from the drive, this is the right time to attach them back.
5. Apply power to the drive (with screws removed and paper inserted) and wait for the drive to become ready (usually no more than one minute)
6. You will see the following (or very similar) output in the terminal:
Rst 0x20M
7. Press CTRL+Z. You will get the command prompt:
F3 T>
8. Type the following: /2 and then press ENTER. You will see the following output:
F3 T>/2
F3 2>
9. Type capital Z and press ENTER:
F3 2>Z
Spin Down Complete
Elapsed Time 0.132 msecs
F3 2>
10. Now remove the paper, put all screws back and tighten them (do not power off the drive!):
11. Type capital U and press ENTER:
F3 2>U
Spin Up Complete
Elapsed Time 6.604 secs
F3 2>
12. Type the following: /1 and then press ENTER. You will see the following output:
F3 2>/1
F3 1>
13. Type the following: N1 (capital N and one) and then press ENTER. You will see the following output:
F3 1>N1
F3 1>
14. Re-power the drive (press Power Off button on the DiskSense unit; wait 10-15 seconds; press Power On button) and wait until it initializes:
Rst 0x20M
(P) SATA Reset
15. Press CTRL+Z. You will get the command prompt:
F3 T>
16. Type the following: i4,1,22 and then press ENTER. You will see the following output:
F3 T>i4,1,22
F3 T>
17. At this point do not re-power the drive; scroll to the top of this page and go through Fixing zero capacity problem starting from step 1.
Hitachi drives require the use of the password extraction adapter which is included in the product package. The adapter plugs straight into the IDE port located on the front side of the DiskSense Forensic unit.
Atola Hitachi password extraction adapter
The following actions can only be performed if your SATA drive is attached to DiskSense unit via Hitachi password extraction adapter.
1. Connect Hitachi password extraction adapter to the IDE Source port of DiskSense unit.
2. Connect the source Hitachi HDD to Hitachi password extraction adapter.
3. Place the hard drive as shown on the picture (no need to disconnect any cables):
4. Use a T4 screwdriver to remove four screws as shown below:
5. Put a piece of paper between the circuit board and the hard drive assembly:
6. Do not remove paper; proceed with unlocking
7. To disable the Safe Mode, first remove the paper and then put all screws back:
8. Continue with the unlocking process.
The following actions can only be performed if your SATA drive is attached to DiskSense unit via Hitachi password extraction adapter.
1. Connect Hitachi password extraction adapter to the IDE Source port of DiskSense unit.
2. Connect the source Hitachi HDD to Hitachi password extraction adapter.
3. Place the hard drive as shown on the picture (no need to disconnect any cables):
4. Use a T4 screwdriver to remove two screws as shown below:
5. Put a piece of paper between the circuit board and the hard drive assembly:
6. Do not remove paper; proceed with unlocking
7. To disable the Safe Mode, first remove the paper and then put all screws back:
8. Continue with the unlocking process.
1. Place the hard drive as shown on the picture (no need to disconnect any cables):
You may see the orange cable connected to the PCB being fastened by the latch.
2. Important: Power off the drive.
3. Unlock the latch as it is shown below:
4. Disconnect the cable to activate Safe Mode.
5. Proceed following Atola Insight instructions.
6. Important: Power off the drive.
7. To deactivate Safe Mode, plug the orange connector into the PCB socket and fasten it with the latch.
8. Follow Atola Insight instructions.
1. You will need the Atola 2.5-inch to 3.5-inch adapter:
If you have such an adapter, please skip to step 4.
2. Disconnect the drive and place it as shown on the picture:
You do not need to perform this step if you have Atola 2.5-inch to 3.5-inch adapter (see step 1)
3. Locate a jumper that fits 2.5-inch HDD jumper pins:
And then install the jumper into position as shown below:
You do not need to perform this step if you have Atola 2.5-inch to 3.5-inch adapter (see step 1)
4. If you're using Atola 2.5-inch to 3.5-inch adapter, then install a jumper between pins A and C (on the adapter).
5. Attach the hard drive back to the Atola DiskSense unit and proceed with unlocking.
6. To disable the Safe Mode, simply remove the jumper:
7. Plug the hard drive back to the Atola DiskSense unit and continue with unlocking.
With each passing year, speed becomes a yet bigger issue for forensic specialists: while the capacity of hard drives grows exponentially, their speed does not keep up. A common 4TB drive's speed constitutes up to 200 MB/s or 12 GB/min, which translates to more than 5 hours of imaging. And it may take prohibitive amounts of time to image a drive with damaged zones. Therefore, the ability to simultaneously run different operations on several devices is more vital than ever.
To provide users with greater productivity, Atola Insight Forensic's high-capacity multi-core CPU supports up to 15 concurrent tasks that can be assigned to different drives or image files.
You can start Imaging process from a Source drive to one or multiple Target drives and/or image files. Then you can click on the Plus icon and open another target drive to start another operation.
How to add more device operations
For example, you can launch Fill/Erase on this Target drive to get it ready for the next imaging session:
Additional wiping task being executed in parallel
It is also possible to Calculate Hash on yet another Target drive:
Hash calculation being executed in parallel
Other long-running operations you can perform simultaneously include:
Insight's Artifact Finder feature allows early analysis of data by reading and parsing it on an evidence drive or its images. Unlike most forensic analysis tools that parse the file structure, Insight does sector-level parsing, which allows getting data even from the spaces of the drive that are not associated with any file (e.g. remnants of previously deleted documents), thus providing you with clues that are omitted by most analysis tools. Artifact Finder uses the Intel Hyperscan engine, which makes it the fastest possible tool for primary data analysis.
Insight supports multiple simultaneous artifact searches on both source and target drives.
Go to Artifacts Finder in the left-side menu. In the upper part of the window there is a table with previous artifact searches performed on the current drive including those carried out during imaging. If you want to perform another search, select the artifacts that need to be found.
The artifacts include:
For each of the artifacts, not only were widely known filter algorithms applied for proper result filtering (such as the Luhn formula used to validate credit card numbers), but custom smart filters were also applied to eliminate false results (e.g. two slashes next to a number that has preliminarily been identified as a credit card number will eliminate it from the search results, as it is likely to be part of a URL).
Keywords and regular expressions can be added to the search parameters in a txt file with one artifact per line. Keyword encoding can be adjusted to Unicode, Unicode (UTF-8), Unicode (Big-Endian) or US-ASCII.
As the Artifact Finder is still running, you can look at the progress in the Artifacts tab below the progress bar and click the diagram to see the list of found artifacts. If you only want to look at a certain category, click it in the list or in the diagram.
In the table, each artifact is given an Id number, and each found Value is shown in context (including 20 bytes before and 20 bytes after the artifact in grey color). The LBA and the offset are also displayed in the table to help locate the artifact.
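The filtering and the result fields described above can be illustrated with a small sector-level scan. This Python code is an added example, not Insight's implementation: the candidate regular expression, the 512-byte sector size and the reading of "two slashes next to a number" as `//` directly before or after the match are assumptions, and the buffer it scans is constructed.

```python
import re

SECTOR_SIZE = 512  # assumption: 512-byte sectors
CONTEXT = 20       # bytes of context kept before and after each hit

# Assumed candidate pattern: 13-19 digits, optionally grouped by spaces or dashes.
CANDIDATE = re.compile(rb"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits):
    """Luhn checksum over a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_url(data, start, end):
    """Custom filter: '//' directly before or after the number suggests a URL."""
    return data[max(0, start - 2):start] == b"//" or data[end:end + 2] == b"//"


def find_card_numbers(data, base_lba=0):
    """Scan raw bytes (no file system parsing) and return filtered hits."""
    hits = []
    for m in CANDIDATE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if not luhn_ok(digits) or looks_like_url(data, m.start(), m.end()):
            continue
        hits.append({
            "value": digits,
            "lba": base_lba + m.start() // SECTOR_SIZE,
            "offset": m.start() % SECTOR_SIZE,
            "context": data[max(0, m.start() - CONTEXT):m.end() + CONTEXT],
        })
    return hits


def build_sample():
    """Constructed three-sector buffer standing in for raw drive data."""
    buf = bytearray(3 * SECTOR_SIZE)

    def put(lba, offset, text):
        pos = lba * SECTOR_SIZE + offset
        buf[pos:pos + len(text)] = text

    # Luhn-valid test number, but embedded in a URL path: filtered out.
    put(0, 100, b"GET http://cdn.example.test//4111111111111111//a.png")
    # Sixteen digits that fail the Luhn check: filtered out.
    put(1, 8, b"invoice 1234567812345678 total")
    # Luhn-valid test number in plain text: reported.
    put(2, 40, b"paid with card 4111 1111 1111 1111 exp 12/29")
    return bytes(buf)


if __name__ == "__main__":
    for hit in find_card_numbers(build_sample(), base_lba=1000):
        print(hit["lba"], hit["offset"], hit["value"], hit["context"])
```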
There are many options to help find, sort, filter and view the artifacts. It is possible to view one or a few categories of artifacts in one list, use the Search bar to find a specific value (search examples are provided in the bottom right corner of the window), filter results for unique values by clicking the Show unique artifacts link. It helps identify the values most frequently occurring on the drive: to sort the results click Count in the table header.
Click an artifact in the list to see the sector where it is located. It allows you to see the context, in which this artifact is placed.
Export to CSV button is disabled during the search. You can wait until the process is completed or, should it be necessary to start analyzing the current search output with an external tool, stop it, make an export and restart the search from scratch or from the last LBA analyzed during the previous session.
To make an export:
Erasing data on destination drives guarantees accuracy of the imaged data and helps verify that the drive has no errors. In the process, all sectors are overwritten using the selected pattern or method.
When you need to prepare multiple hard drives for imaging, Insight's multitasking capabilities enable you to do so much faster by launching Erase/Fill on multiple drives simultaneously, including those connected to the source port.
Write protection switch
To wipe the drive connected to the source port, remember to switch off write protection on the port so that the indicator above the switch is off and there is a notification right below the port bar saying Note: Write protection of currently attached device is OFF (see the picture below).
Then follow these steps:
To run a concurrent Fill/ Erase process on another drive, click on the + (plus) icon in the port bar and select a drive connected to a Target port:
Then repeat the same steps to launch the process on this device:
By following the same steps you can wipe data from one source drive and three target drives, all at the same time, as shown in the picture below.
This ability to perform Fill/Erase on multiple drives makes Insight exceptionally useful for forensic units dealing with multiple cases, where evidence acquisition is an ongoing activity.
Both HPA (host protected area) and DCO (device configuration overlay) features were created by hard drive manufacturers as hidden areas reserved for storing vendor utilities or simply to make a drive appear to have a certain number of sectors (smaller than the actual drive capacity). But many years ago end users learned to modify and write to these areas of hard drives with the help of open source and freely available tools. For digital forensics specialists, it means that without the ability to identify such hidden areas of a drive and image the full physical image including data in these areas, the evidence they get may be incomplete and lead to inaccurate investigative conclusions.
When you connect a hard drive to the DiskSense unit, in addition to the standard Identify device command, Atola Insight Forensic automatically sends two commands to look up the drive size as set in drive’s firmware: Read native max address and Device configuration identify. If drive size has been limited by DCO or HPA, Insight will draw attention to these changes by adding corresponding red indicators to the DiskSense Source Port.
Indicators showing active HPA and DCO restrictions
To get more details about the modifications that have been made to the drive’s firmware, run Automatic Checkup and see the Firmware section of the Diagnostics report.
There you will see three lines indicating the drive’s Max Address according to different records in the drive’s firmware:
A Diagnostics report of a drive that does not have HPA or DCO activated will have the same value in all three lines.
Diagnostics showing active HPA and DCO restrictions
To disable any limitations that have been applied to the drive’s firmware, click on the Unclip HPA/DCO subcategory under Device Utilities category of the left-side menu and click on Unclip button.
Please note that the Write Protection switch needs to be disabled on the DiskSense unit to perform this operation, as Unclip HPA/DCO implies making changes to the drive's firmware, and Write Protection does not allow such changes.
Unclip HPA and DCO
Atola Insight Forensic lifts HPA and DCO restrictions in a matter of seconds and enables access to all data on the drive.
HPA and DCO restrictions cleared
Often, due to internal procedures, forensic specialists are not allowed to make any changes to the drive, therefore they cannot disable HPA and DCO restrictions and access data in the hidden areas. But with Atola Insight Forensic it is possible to lift HPA limitation until the next power cycle, which helps avoid permanent changes to the drive.
To use this feature, go to Host Protected Area subcategory of the Device Utilities category of the menu and click Read HPA parameters link. By clicking Set as current link you will automatically change Current Max Address value to that of Native Max Address. Then tick the Change Max Address temporarily (until power cycle) checkbox and click Change Max Address button.
Changing HPA max address until power cycle
This will allow access to the data in the area previously protected by HPA, yet as soon as you power off or detach the drive, the HPA will be in place again.
NB If the drive contains damaged areas and Insight needs to perform power cycles during imaging, such power cycles will not affect the temporarily disabled HPA: Insight will temporarily remove HPA max address restriction after each imaging-related power cycle, and HPA will remain accessible throughout the imaging process.
For more information about imaging of freezing drives, please follow this link.
Writing from an image file to a device lets you promptly copy data from the chosen container to the target device.
To start extracting data from the file, follow these steps:
1. In the upper panel of Atola Insight Forensic Home screen click '+' (Plus) button and select port for the target you intend to use:
2. Choose your target device and click Select:
3. Go to Device Utilities section in the right side menu, and click Write from file option;
4. Click Select file link to locate the file you’re planning to image (you can work with E01/AFF4/Raw image files, split image files, etc.):
5. Having selected your image file, click the Open button:
If you want to copy a certain range of data from the file, you can easily adjust the start and end LBA;
6. Click the Start button to launch your imaging session.
Atola Insight Forensic will provide you with all the essential details on the target you are going to use. The system will notify you if your target contains data. To confirm the intention to overwrite the data, type YES in the pop-up window.
Please note that, depending on your bandwidth, writing from file to target device may require more time than drive-to-drive imaging. Insight will help you track the progress of your session and indicate the estimated time left.
Atola Insight Forensic automatically creates reports for every session. You can find reports in the Case Management System.
Insight's Case Management system records every step of data acquisition process: every operation is automatically added to the case from the moment a device is identified including date, time, media map and hash values. When a hard drive is imaged, its media map is recorded detailing all the sectors that have been skipped. Case notes can be added at any time to log information such as the case technician or owner of the hard drive.
Whenever an operator connects a hard drive to the DiskSense unit, Atola Insight Forensic makes an automatic database lookup and retrieves all past records associated with that particular hard drive. New entries will be added seamlessly to the database. You do not need to enable Case Management or take any additional actions for it to start functioning; it is fully embedded into Atola Insight Forensic and works at all times.
Case number can be assigned and changed at any time. The system also allows browsing through all cases and records within the cases, without corresponding devices being connected to the unit.
Insight's Case Management system records every step of data acquisition process saving them into reports grouped by cases.
To view the whole list of cases and their devices:
Search/Open case
In the Search and Open Case window you will see the list of all the devices that have ever been connected and identified by your Insight.
It is possible to search for cases using multiple criteria and sort the results ascending or descending in any of the columns.
Please note that it is possible to store multiple devices under the same case number, allowing you to keep track of all devices related to a certain case.
Once a device is selected, you get a preview of the case including device details: when the case was created (i.e. the device was connected to the unit and identified by Insight for the first time), last time it was opened, the device model, serial number and description.
Case search filters
The case opens as a separate port in the Top Bar of the Insight window.
Insight’s Case Management system includes flexible printing functionality. To print a report click the Print link in the case’s Home page.
Print link
In the Print Case History window you get all the reports listed, sortable by date or by reported operation. It is possible to tick just some of the reports or select all reports in the case by ticking the check box in the header of the list. Below there are all pictures attached to the case, which you can also select to be printed.
At the top of the Print Case History window there are four check boxes with report listing and printing settings (click on the Case Management arrow to view all check boxes):
It is possible to print or save the selected reports and pictures in a PDF, HTML or RTF file by clicking Save to file… or Print buttons.
Print options
If you have ticked the two latter options, this is how the log and the segmented hashes will be displayed in the report:
Printing report having logs and segmented hashes included
Insight's case management system has been created to help users efficiently keep track of hard drive-related information.
Even if a hard drive has already been used for a while, imaging and hashing have already been performed, it is still possible to open the case and make adjustments to its details.
Change case details in a single click
Click the Plus icon next to the Case Number in the top right corner.
Now you can enter or change the Case Number and Description. To save your changes click OK button.
Changing case details
You will see the description visible next to the Case History. For quick changes, you can also click Change link located right below the description.
A little lower there is a green Plus icon, which you can click to add a document or an image to the case.
Case description added
In the Attach File window enter the file location path and leave a comment in the corresponding field.
If you tick the Copy to work folder check box, the file will be copied to the same folder where any other related files are located, e.g. tables with segmented hashes, logs, imaging maps, file signature lists etc.
Attaching files
You can now see all the uploaded files in the case's Homepage below the description, and you can view all the details and change them when necessary by clicking Manage attached files link.
Attached Files window contains the list of files including an icon representing the file type, the name, the folder where the file is located, the date when the file was attached to the case and the comment added by the user.
Right-clicking a file provides the Edit option enabling a user to edit the Comment or copy the file to the case folder at any time.
It is possible to transfer all or some of the cases stored in one Insight's case management system to another one. The only requirement is that both computers have the same version of Insight installed.
Whenever cases need to be transferred from one computer to another one, start by exporting the cases.
1. Go to Cases category of the top level menu and click Export.
Export selected cases
2. In the Export Cases window, select the folder where the cases should be stored, then select the cases you would like to export and click the Save button.
3. The cases are now saved as a package in a zip file (with the default name Cases.Package.zip), which can later be copied to a different computer.
NB Whenever a case is exported, a record about it is added to the case’s history.
Case export report
To import cases from a zip file into Insight on a different computer:
1. Click Import in Cases category of the top menu of Insight.
2. Click Browse icon and select path and name of the zip file.
Importing cases
3. Select some or all of the cases in the table and click Import button.
Importing cases selectively
Please note that if there is a match between existing case numbers and the imported ones, Insight will prompt you to either cancel the import or save the case that causes the conflict as a copy.
Ways to resolve import conflicts
What are the PC requirements for Atola Insight Forensic?
Atola Insight Forensic software requires a Windows PC. More details are available in the Atola Insight Forensic Manual.
Does Insight utilize BIOS and/or Operating System functions in the hardware unit to image data?
Insight's hardware runs a Linux OS with a highly-customized and fine-tuned kernel that allows blocking all BIOS and standard Linux I/O operations for the lowest-level control for SATA, USB and IDE ports.
Does Insight image mobile phones, tablets, IoT devices, etc.?
Atola products are designed to handle HDDs, SSDs and other detachable media. We never developed our systems to support mobile devices like phones or tablets. This approach allows us to be the best at handling the media we focus on and progress fast in developing high-performance imaging and innovative features for our customers.
Does Insight repair damaged drives?
Insight can handle damaged drives with varying degrees of success depending on the severity and type of damage, namely:
Insight is equipped with various functionality for damaged media:
However, the system does not perform drive repair. We advise that a drive's hardware-related problems are forwarded to data recovery labs.
How do I image an NVMe drive?
The Insight hardware unit does not have an NVMe port. However, there is an adapter with the JMS583 bridge chip by JMicron that was tested on various NVMe drives and approved for use by our QA team. This NVMe-to-USB adapter allows imaging of NVMe drives via any USB port.
However, the adapter does not allow detecting the NVMe drive's model and serial number. These details can be entered manually when you create a new case or start an operation:
Insight will automatically open the Source - Select NVMe Device Case window when one selects a source/target USB port with the adapter plugged into it to start any session (imaging, hashing, wiping, etc.) with the exception of diagnostics. Automatic checkup works in its low-level way: identifies the adapter and runs NVMe drive checks via the adapter.
How do I image a drive soldered into a laptop?
Insight supports imaging of specific models of MacBooks Pro and Air released in 2016-2017. Here is an article in the manual explaining how to image them using a Thunderbolt extension.
Other than that, Insight does not support remote imaging from a laptop. The product is based on a low-level native IO, which requires that the source drive is plugged into it. The easiest way to image a laptop's soldered-in SSD is to create a boot drive with a forensic boot image with a tool available in the market.
How do I image to split (segmented) raw files?
Segmented imaging into RAW files is supported. You can split the image into segments (chunks) at the home page of the target image port. Follow these step-by-step instructions:
What is the difference between a standard IMG and a preallocated IMGP image file?
IMGP file contents are identical to those of an IMG file: it is the same raw bit-to-bit source copy. The only difference is that Insight preallocates space within an IMGP file filling it with zeros until the last LBA so that the IMGP file is the same size as the source even before the imaging has begun.
An IMGP file is a way to claim the space on the target media. Our customers use it when they have a remote server storing all image files of the organization. As the image file fills up to its final size, it is guaranteed that there will not be a lack of space.
To mount it to any other forensic software, one can just change IMGP target file image extension to .img, .dd, .raw or any other file extensions they want.
NB to continue working with an IMGP file in Insight after changing extension, one must edit the image file extension back to .imgp.
When should I use All sectors with data and All sectors with metadata imaging options?
These options define the scope of imaging.
All sectors with data is used to image only the sectors belonging to files of all detected partitions. The exception is partitions that Insight cannot parse (rare types, e.g. UFS, ReiserFS), which will be imaged in their entirety.
All sectors with metadata results in a complete directory tree with files without the file data. Partitions store metadata in specific structures (e.g. $MFT for NTFS). Metadata includes file name, access/modification timestamps, attributes and the exact sector numbers of the corresponding file data. This screencast explains how to make use of metadata imaging.
How do I make sure Target HEX Viewer does not save any data on persistent storage?
Here is how Target HEX Viewer internals work. It has two modes:
1. Automatic refresh is performed when Freeze checkbox is inactive. Every time a block of data is imaged, one sector of this block is sent to Windows software via Ethernet. Insight's software receives the sector and shows it in Target HEX Viewer wiping the previous one. So it executes an automatic refresh on-the-fly and does not save any data on persistent storage, i.e. hard drive.
2. Manual Read Sectors can only be run by clicking on Read Sector... button. It will initiate reading a specified sector from one of target devices. Then the read sector resides only in RAM for a time interval while it is being shown in Target HEX Viewer. Similarly to the Automatic refresh, no data is saved on any persistent storage during manual read sectors.
How do I create or format an NTFS partition on a target drive?
Insight supports creating exFAT partitions (including encrypted ones) on target drives for subsequent imaging to files stored on it. However, we have not supported the creation or formatting of NTFS partitions.
How do I decrypt a BitLocker volume in Insight?
For the time being, Insight supports only decryption of APFS partitions with a known password or recovery key.
As for BitLocker partitions, Insight detects BitLocker volumes and displays their GUID and type during imaging and diagnostics. While imaging, Insight immediately adds a log record with the start LBA of a BitLocker volume when it encounters one.
How much variation is there in data transfer speed during imaging?
Insight can reach speeds up to MB/sec, but the speed may be as slow as 50 MB/sec (3 GB per minute) when working with older or slower HDD models.
Does Insight always image at the max speeds listed on this website?
The max speeds have been lab-tested for accuracy on modern storage devices. The speed of imaging always depends on the native speed of the individual devices used in the process. During the drive-to-drive imaging, the slower device will determine the actual data transfer rate because one drive can only receive data as fast as the other can send it, and vice versa. When imaging to or from the network, another potential bottleneck is the bandwidth.
How do I achieve the best performance when imaging to the network?
To avoid potential bottlenecks, make sure of the following:
Other things that could affect transfer speeds are network adapter drivers, motherboard drivers, antivirus software and so on. However, complying with the rules above is enough for most cases.
How do I verify the data transfer rate from Insight to the network?
Follow these steps:
If everything is working properly, the speeds will be between 50 MB/s and up to MB/sec depending on the native speed of the source drive.
Does Insight support damaged SSD drives?
Atola Insight Forensic does support damaged SSDs. It can automatically diagnose SSDs very well, creating a nicely designed and well-thought report. Surely Insight's imaging will get any data that is readable from solid-state drives using multi-pass and read error recovery subsystems. It's fair to say you receive pretty much the same functionality as with standard HDDs. The only exception: unknown password removal and firmware recovery are not supported for SSDs.
In addition to that, Insight Forensic allows working with the custom PCIe SSDs from Apple MacBooks. It works fast via proprietary Atola extension.
When should I use reverse imaging option and is there a downside to it?
Normally, reverse imaging is beneficial when there is a spot/scratch resulting in a number of bad sectors on the surface area. Reverse imaging (from the inner to the outer tracks) on one of the imaging passes helps you narrow down the bad area faster. It also allows getting more data from the good areas of the drive before entering the damaged zone and digging into it to retrieve data.
As for the downsides, reverse imaging leads to a speed decrease because HDD's heads have to make additional moves to perform it, and caching is impossible.
How do I change timeout in the imaging settings on-the-fly?
Changing the timeout is only possible when you are creating a new session. Here is how to work around it:
NB The new imaging session will complement the previous one and will only attempt retrieving data from the sectors that have not yet been copied.
Some of the imaging pass settings can be adjusted on the fly: e.g. enabling reverse imaging on the following pass.
How do I identify which of the imaged files contain bad sectors?
NB If the imaging session was interrupted or the range of sectors scheduled for the session did not cover the whole partition (and therefore some of the files), the list of partially imaged files may contain both files with bad sectors and those not covered by the imaging session.
How do I find where the bad sectors are located within a file?
When imaging, Insight automatically creates a Media Map that reflects the status of all sectors imaged during a given session, namely:
To look up the Media Map:
Does Insight support mounting of a damaged APFS partition?
Partition search in Insight is quite advanced; it is more than just looking into MBR/GPT records and involves our unique heuristic algorithm.
It means that Insight should be able to find a partition, and the partition should not be damaged. For cases of damaged partitions, our customers use forensic software that performs file carving or DR software (e.g. R-Studio).
The only File Recovery functionality that works when there is data missing is finding deleted files in several partition types, including NTFS, HFS and FAT.
What is the success rate of File recovery?
You can recover up to 100% of files imaged with Insight only if the internal file system structure has been successfully imaged. Follow these steps:
How do I compare the files on a source and a target using their hashes?
To compare the files on the two devices:
In the end, you get two complete file lists and can compare them using third-party software, e.g. Compare++
How do I use black and white hash lists to filter data?
Watch this screencast about using hash lists in Insight. And here is the full workflow:
You can find two use cases in White/Black hash lists section in our blog.
How do I look up a drive's G-List with Insight?
Firmware recovery has not been our focus for many years now; therefore Insight has a limited firmware recovery functionality. While some models may give out information about the G-List (see 3. Full firmware access), G-List is not a kind of information you automatically see on the screen. You would need to manually find G-List among firmware modules, which requires a certain level of data recovery knowledge.
How does diagnostics work and how accurate is it?
The automatic diagnostic function applies a sophisticated system that analyzes electrical currents as they enter and leave the hard drive, examines the hard drive’s responsiveness to low-level commands and incorporates firmware information (if it is accessible). Our studies have shown that this approach is accurate in pinpointing malfunctions in at least 95% of cases.
How do I analyze electrical currents from the oscilloscope if I received no training?
Some data from the oscilloscope is straightforward to understand (for example, when HDD power fails, the lines go flat). Users can learn to understand more complex oscilloscope information by seeking advice from other data recovery technicians, seeking professional training, or simply through gaining experience in the field.
While current monitoring technology plays an important role in the Insight’s operation, no specific skills are required because the system performs current analysis automatically.
Can RAID arrays be diagnosed as a single HDD?
Insight can diagnose only the drives that are directly connected to the hardware unit. Hard drives from RAID arrays must be diagnosed and recovered individually.
Atola TaskForce is capable of automated assembly of RAID drives into a single virtual device even when the RAID configuration is unknown.
Why is there a difference in the quantity of errors and performance between Media Scan and Imaging?
The short explanation: Imaging uses different commands and a different level of reading thoroughness than Media Scan.
Imaging reads data and sends it over data cable (SATA, PATA, USB). At the same time, Media Scan utilizes low-level Verify command that checks a block of sectors for an error with no data transfer involved.
The two operations are not equally thorough. Media Scan verifies drive surface block by block (2048 sectors per block). It does not dig in searching for specific bad sectors in a 2048-sector error block.
As opposed to that, the imaging engine has a goal to image as much data as possible. The multi-pass system is used during imaging.
However, if linear hashing is enabled, imaging switches to one pass with a 4096-sector block size by default using this algorithm:
How does Insight detect the capacity of hybrid drives?
There are two types of hybrid drives.
How do I calculate hash during imaging and do I need to use both linear and segmented hashing?
Hashing is disabled in the default settings. Simply tick Hash source during imaging option in the Default (5 passes) preset.
Here are the guides about calculating linear hash during imaging and segmented hashing.
Segmented hashing is the only tried and proven way to verify an image of a damaged source drive. Segmented hash can be calculated during a multi-pass imaging, which allows getting more data while covering all imaged intervals with a set of hashes, and this ability has proven crucial for our customers in courts.
Besides, with segmented hashing, the image remains usable even if some of the data becomes corrupted over time (due to people, other buggy software, hardware, power losses etc.): it allows you to identify the segment of data that was corrupted and continue using the good parts of the image.
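The following Python sketch is an added illustration of the segmented-hashing idea described above; it is not Atola's code and does not reproduce Insight's segmented hash file format. The 512-byte sector size, SHA-256, the grid-aligned interval layout, all function names and the 16-sector sample image are assumptions made for the example.

```python
"""Segmented hashing over a raw image (added example, not Insight's format)."""
import hashlib
import io

SECTOR = 512  # bytes per sector (assumed)


def build_segments(total_sectors, segment_sectors, bad_ranges=()):
    """Cover [0, total_sectors) with grid-aligned (start, end) LBA intervals,
    end inclusive, leaving out the unreadable (start, end) ranges."""
    segments, cursor = [], 0
    stops = sorted(bad_ranges) + [(total_sectors, total_sectors)]  # sentinel
    for bad_start, bad_end in stops:
        while cursor < bad_start:
            grid_end = (cursor // segment_sectors + 1) * segment_sectors
            end = min(grid_end, bad_start)
            segments.append((cursor, end - 1))
            cursor = end
        cursor = max(cursor, bad_end + 1)
    return segments


def hash_range(image, start, end, algo="sha256"):
    """Hash LBAs start..end of a seekable image; None if the image is too short."""
    digest = hashlib.new(algo)
    image.seek(start * SECTOR)
    remaining = (end - start + 1) * SECTOR
    while remaining:
        chunk = image.read(min(remaining, 1 << 20))
        if not chunk:
            return None  # truncated image: this interval cannot be verified
        digest.update(chunk)
        remaining -= len(chunk)
    return digest.hexdigest()


def hash_segments(image, segments, algo="sha256"):
    """Return the hash table [(start_lba, end_lba, hexdigest)]."""
    return [(s, e, hash_range(image, s, e, algo)) for s, e in segments]


def verify_segments(image, table, algo="sha256"):
    """Re-hash every interval; return (good, corrupt) lists of (start, end)."""
    good, corrupt = [], []
    for start, end, expected in table:
        actual = hash_range(image, start, end, algo)
        matches = actual is not None and actual == expected
        (good if matches else corrupt).append((start, end))
    return good, corrupt


def demo():
    # Constructed 16-sector image; LBAs 5-6 stand in for unreadable sectors.
    original = b"".join(bytes([i]) * SECTOR for i in range(16))
    segments = build_segments(16, 4, bad_ranges=[(5, 6)])
    table = hash_segments(io.BytesIO(original), segments)
    # Simulate later corruption of the stored image inside LBA 9.
    damaged = bytearray(original)
    damaged[9 * SECTOR + 100] ^= 0xFF
    return segments, verify_segments(io.BytesIO(bytes(damaged)), table)


if __name__ == "__main__":
    segments, (good, corrupt) = demo()
    print("intervals covered by hashes:", segments)
    print("still verifiable:", good)
    print("corrupt:", corrupt)
```

A single linear hash of the same damaged image would simply fail as a whole; here only the interval containing LBA 9 fails, and the unreadable LBAs 5-6 are covered by no hash at all.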
How does hashing work in parallel with imaging?
When Insight images and calculates hash in parallel, here is how our imaging engine works:
Two important rules:
Why do I need to wipe/erase target before imaging data onto it?
Certain forensic evidence acquisition or data recovery scenarios require the target hard drive to be wiped/erased prior to imaging. It ensures that the software being used to recover files won’t extract old data that was previously on the destination HDD.
How does write verification work in Fill/Erase?
Here is the algorithm used during the wiping process in Insight:
How does SSD Trim work and does it wipe a drive completely?
SSD Trim doesn't instantly wipe sectors (NAND memory cells) of a drive. It instructs SSD's firmware which sectors can be wiped by marking them as 'dirty'.
Time of erasure of 'dirty' sectors depends on the SSD manufacturer and firmware. For instance, recent Samsung SSDs have a so-called foreground garbage collection. It wipes any erased file almost immediately thanks to a TRIM command proactively executed by the operating system. In older SSDs, trimmed sectors can remain intact for minutes or even hours.
The most secure way to erase an SSD entirely is running Secure Erase, which is available in Insight as a method of Fill/Erase. The drive's internal SecureErase implementation is vendor-specific. In most drives, it ensures full erasure of an SSD including non-addressable areas.
How do I copy Insight database to another PC?
Yes, it is possible: Go to Cases > Export for that and select All cases. A single file will be generated, which can later be imported via Cases > Import.
How can I tell who worked with the drive if I am working on a previously created case?
You can open any operation performed with a hard drive by clicking on the corresponding link in the case history. In the report header, you can see which computer was used, and thus you can deduce which user worked on this phase of the case.
How do I add notes to the case history after a case was closed?
The quickest and easiest way is to open case history Cases > Search/Open and click Add note.
Can 2 hard drives share the same case number if they are related?
Yes, it is possible to assign the same case number to multiple hard drives. It helps keep track of hard drives related to the same investigation.
Firmware Recovery. Which hard drive models does the Insight support firmware recovery for?
There are two ways in which Insight provides firmware recovery: by automatically repairing firmware and providing direct access to firmware files for manual repair. Different sets of hard drive models are supported for each of these approaches due to differences in firmware design by the hard drive manufacturers. For a complete and up to date list of supported hard drive models for firmware recovery, see the supported drives page.
Firmware Recovery. How commonly do modern hard drives experience firmware corruption?
Less than 10% of data recovery cases with modern hard drives involve firmware corruption. Occasionally, a manufacturer will release a hard drive with flawed firmware and data recovery labs will see a spike in firmware recovery jobs for a period of time.
Firmware Recovery. What is the difference between firmware files stored on the HDD platter and ROM/EEPROM/NVRAM?
This depends on the HDD manufacturer and hard drive model. Each hard drive has its own preferences for where firmware data is stored.
Password Removal. How do hard drives become locked with ATA passwords?
ATA passwords can be set through computer’s BIOS or by using special products like the Insight.
Password Removal. Which hard drives is password removal supported for?
Automatic password removal works for most hard drives available on the market. For more specific information, please refer to the Supported Drives List.
My DiskSense hardware unit does not boot
It is very likely that there is a USB device plugged into the unit, which prevents it from booting properly. Try detaching all USB cables and restart the hardware unit. If that has not worked, follow these steps to fully reset:
The previous boot attempt was interrupted and now the unit does not boot
Connect a monitor directly to the unit's HDMI or VGA port. If you see a BIOS message saying Would you like to restore Fastboot on the next boot? (Y/N), it is likely that the previous booting got interrupted at a specific booting moment.
The most straightforward recipe here is to plug a USB keyboard into one of the USB ports and press the N button. After the unit has booted successfully, please restart it again to make sure the next booting cycle is smooth.
How do I reset the IP address of the hardware unit
You can reset the DiskSense unit's IP by holding the small IP RST button on the back side. Keep holding the button until the UNIT STATUS LED stops blinking. The unit's IP should then be reset to 192.168.0.188 and 10.0.0.188.
How to change the hardware unit's IP
The system has been designed to work in the most commonly used networks and has IP addresses 10.0.0.188; 172.16.0.188; 192.168.0.188; 169.254.0.188.
If your network has one of these subnets (10.0.0.*; 172.16.0.*; 192.168.0.*; 169.254.0.*), and the IP address ending with 188 is free, you can simply connect the unit to the network. Then run Insight software, select default unit IP ending with 188, and click Insight -> Modify DiskSense Unit IP.
If your network has a different subnet address, follow these steps:
I am able to ping the Insight's hardware unit but cannot connect to it
Here are the possible reasons:
Should these steps prove ineffective, try updating your PC's Windows install.
Insight software is stuck in Searching for DiskSense unit window
It appears that your unit's HASP is not detected. Please check if you can still ping DiskSense unit IP address from Windows PC. Then try the following:
Remote License Search Parameters must be either empty or contain the DiskSense IP address (the latter is preferable).
I connected DiskSense directly to my PC's second Ethernet card but I cannot ping it or connect to it.
First and foremost, please check whether you can ping the unit when it is connected directly via your 2nd Ethernet adapter.
Connection losses occur when I use the USB-to-Ethernet adapter (NIC)
Certain platforms have issues with these adapters, and such issues may occur after large amounts of data have been transferred. It may be a USB 3.0-related issue: a memory leak in the USB 3.0 driver which accumulates after a few days of high-speed transfers.
Try replacing the adapter with a similar one:
Windows 10 32-bit. hardlock.sys error during installation
It looks like a HASP (dongle) run-time installation issue. You can install the newest run-time following an alternative scenario:
haspdinst.exe -r -fr -kp -fss -purge
haspdinst.exe -i -fi -kp -fss
Windows blue screen when launching Atola Insight Forensic
Microsoft updated Windows 10 (October 2020), and it broke the support of the HASP run-time v6.60.
The issue will be fixed in Atola Insight Forensic 4.17. For already released software versions (4.16 and older), please download and install the newest run-time following these steps:
After database setup, there are missing cases in the Search window.
Most likely, you selected either an incorrect Work Folder or an incorrect SQL Server.
Insight's database consists of SQL Server data and Work folder files. Large files like imaging maps, file signatures, artifacts and report logs are saved in the Work folder, while the case information, including report data, is stored on an SQL Server.
Two Insight settings refer to that:
\\networkpath\Atola is the work folder we need. First of all, it must be specified in the Insight -> Preferences -> Work folder path setting.
Also, it is important to find the corresponding SQL Server database. If you know the names of the computer, SQL server and database, follow these steps.
If cases do not appear, try different combinations of database name, SQL server name, computer name.
How do I change the path to the Work Folder?
To change the path to the Work Folder, go to Insight > Preferences > Work folder path, change the directory and click the Apply button.
I am running out of free storage space in Work folder
Depending on the features and the settings you use, Insight saves different kinds of data in its Work Folder.
After I changed the Work folder, files from the previously created cases have not been moved to the new folder
This can be done manually:
Mapped network drive is unavailable during Image File selection
The shared folder mapped as a network drive to the local PC is unavailable. The issue happens in Windows 10 and is caused by Microsoft's native components we use to select files.
Microsoft explains this with UAC being enabled and suggests editing the Windows registry as a workaround.
NB the mapped network drive is just a shortcut for the longer network path. Always select Network part of tree view and select the same network folder. Insight will remember the last selected path and open it when you select another image file.
Insight can't identify a Seagate drive and shows an inaccurate device capacity
Zero capacity typically implies firmware issues, which may be corrected via the serial port in the case of Seagate drives. Atola Insight Forensic lets you take advantage of the serial connection.
We do not have many guides about fixing specific Seagate issues, which would require a profound knowledge of Seagate terminal command system. But here is another article in the manual that may be helpful.
Seagate. Turn off bad sector reallocation (or clear G-List)
Unfortunately, Insight does not handle bad sector reallocation automatically. You may find more info on data recovery forums by searching for:
Here is the information about terminal commands for modern Seagate drives.
Artifact finder does not find artifacts in files (.pdf, .pst, .docx, etc.)
Artifact finder performs low-level sector-by-sector search without parsing file structure and interpreting each type of file (.pdf, .pst, .docx).
Instead, Insight's search engine detects keywords, IP addresses, URLs, and other artifacts in raw drive space. This way, it complements the traditional analysis via Magnet AXIOM, X-Ways Forensics, etc.
Another benefit of Insight's artifact search: it goes through the whole drive space, including unallocated space. It helps find evidence at the sector level, where other tools could miss it.
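As an added illustration (not Insight's search engine), this Python sketch scans a raw image for a keyword, URLs and IPv4 addresses without parsing any file structure, and shows why text stored inside compressed containers such as .docx is not visible to such a search. The patterns, function names and the 8-sector sample image are constructed for the example; zlib stands in for the DEFLATE compression used inside .docx files.

```python
"""Structure-blind artifact search over a raw image (added example)."""
import io
import re
import zlib

SECTOR = 512  # bytes per sector (assumed)

PATTERNS = {
    "url": re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+"),
    "ipv4": re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)"),
}

# Constructed sample text (documentation-only host name and address).
DEMO_TEXT = b"ref invoice-7731 see http://example.test/report host 192.0.2.44 end"


def valid_hit(kind, raw):
    """Reject dotted quads with an octet above 255."""
    return kind != "ipv4" or all(int(octet) <= 255 for octet in raw.split(b"."))


def scan_raw(image, keywords=(), chunk_size=1 << 20, overlap=256):
    """Return sorted [(kind, lba, offset_in_sector, text)] from a raw byte stream.

    The last `overlap` bytes of each chunk are carried into the next round so
    an artifact straddling a chunk boundary is matched whole; `overlap` must
    be at least as long as the longest artifact expected.
    """
    patterns = dict(PATTERNS)
    if keywords:
        alternatives = b"|".join(re.escape(k.encode()) for k in keywords)
        patterns["keyword"] = re.compile(alternatives, re.IGNORECASE)
    hits = []
    buf, base, lo = b"", 0, 0  # base: absolute offset of buf[0]
    while True:
        chunk = image.read(chunk_size)
        buf += chunk
        # Matches starting in the trailing overlap are left for the next round.
        hi = len(buf) if not chunk else max(lo, len(buf) - overlap)
        for kind, pattern in patterns.items():
            for m in pattern.finditer(buf):
                if lo <= m.start() < hi and valid_hit(kind, m.group()):
                    pos = base + m.start()
                    text = m.group().decode("ascii", "replace")
                    hits.append((kind, pos // SECTOR, pos % SECTOR, text))
        if not chunk:
            break
        if hi > 0:
            # Keep one byte of left context so look-behinds see the same
            # neighbour they would see in a single pass over the image.
            base += hi - 1
            buf = buf[hi - 1:]
            lo = 1
    return sorted(hits, key=lambda h: (h[1], h[2]))


def build_demo_image():
    """Constructed image: plain text across LBA 1-2, compressed copy in LBA 5."""
    image = bytearray(8 * SECTOR)
    start = 2 * SECTOR - 30  # the text straddles the LBA 1/2 boundary
    image[start:start + len(DEMO_TEXT)] = DEMO_TEXT
    packed = zlib.compress(DEMO_TEXT * 4)  # stand-in for .docx content
    image[5 * SECTOR:5 * SECTOR + len(packed)] = packed
    return bytes(image)


def demo():
    # Small chunks force the URL to straddle a chunk boundary at byte 1024.
    image = io.BytesIO(build_demo_image())
    return scan_raw(image, ["INVOICE-7731"], chunk_size=1024, overlap=64)


if __name__ == "__main__":
    for kind, lba, offset, text in demo():
        print(f"LBA {lba} +{offset}: {kind}: {text}")
```

Only the plain-text copy produces hits; the compressed copy in LBA 5 holds the same text but yields none, which is the behaviour the answer above describes for .pdf, .pst and .docx content.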
I don't seem to be able to unlock an SSD or a USB drive with Insight
Insight supports unlocking passwords of a limited range of drives. While we would like to provide you with maximum support, it is impossible due to the firmware of different drive families being very vendor-specific. Please check the list of supported drives.
We have primarily developed this functionality for hard drives, but extending this functionality for SSDs or USBs would require a prohibitive amount of work to support the huge range of firmware types and controllers. Unfortunately, this functionality has not been the focus of our attention.
Encase does not open an E01 file created by Insight
E01 files have a problem opening in Encase typically due to a file handle held by Insight. It can manifest itself in CRC errors during Encase verification. To resolve it, close the E01 file's port in the top panel in Insight before opening the file in Encase.
It helps to know that Encase caches unsuccessful verification results for the E01 file (or E01 file with the same metadata). So it may be necessary to clear the cache or start a new case in Encase application.
Max path length / folder length
Make sure that the path length has not exceeded the limit set in Windows API.
Atola Insight supports the maximum path of 32,767 characters.
Since you are not able to move the files using Windows Explorer, you can take advantage of subst command to shorten the file path for the file(s). Here is the easiest way to fix this:
A USB drive imaging produces read errors
To eliminate the possibility of faulty cables, it may be worth investing in short, high-quality USB3 cables. Longer, lower-quality USB3 cables can produce read errors during acquisition.
Non-working USB flash or USB port
It's very unlikely you have a faulty DiskSense system, especially bearing in mind that all USB ports are native motherboard ports without any adapters in between. Nevertheless, let's run some diagnostics and find out what works and what does not:
This is a clear test for USB ports. It would be great if you could run the scenario several times with different USB flash drives. Note that the 2nd step (power cycling the DiskSense system) is a must for clear test results.
Serial COM port (RS-232). Unlock problem
First and foremost, please double-check whether the serial cable connection and the selected baud rate are correct. Here is the easiest way: