Quickstart

Let us start from zero and learn how to image an evidence device safely in Atola Insight Forensic.

Step 1. Plug the source and target devices into the DiskSense system.

Take two SATA drives that will serve as your source and target devices. Plug them into the SATA source and SATA target ports.

Step 2. Launch Atola Insight.

Launch already installed the Atola Insight Forensic software.

You will see the following window asking you to select the desired action:

Select Close to avoid powering up the source SATA port for now.

Step 3. Diagnose first before imaging.

Presumably, we know nothing about the source device and its state. Maybe it is a good working drive, or maybe it is not. It may be a damaged one or it may die in a few hours. That is why we should begin with Automatic Checkup.

Click Diagnostics -> Automatic checkup, and then click the Start button.

It will take a couple of minutes to get to the Diagnostics report. In this particular case, we see that the source drive is in good state, and we can safely start imaging it.

Step 4. Select the imaging targets.

Click Imaging on the left side menu and then Create New Session. You will be asked to select the imaging targets, including the following:

• Devices plugged into SATA/USB target ports of the DiskSense system
• Image files
• Local PC devices

Let us take advantage of imaging into two targets at the same time: SATA target drive and image file.

Click Add Image File and then confirm a selected filename. Then tick the SATA Target 1 device. In the end, you will get the a screen like this:

Click the Select button to confirm.

Step 5. Start imaging.

Imaging includes a wide variety of settings for tuning the process. Sometimes it is helpful when dealing with severely damaged evidence drives. However, the default imaging preset works great in most cases.

Here is just one button to click, Start Imaging, to get the imaging process running.

Bonus: Screencasts

Congratulations! You read the quickstart up to this section, and we have an award for you! :-) Here are a number of screencasts explaining specific features of Atola Insight Forensic.

• Download or watch in high-resolution on Dropbox
• Watch on Youtube

Introduction

Atola Insight Forensic offers complex data retrieval functions along with utilities for manually accessing hard drives at the lowest level, wrapped in a very simple and efficient user interface.

The tool is developed by a team of industry renowned data recovery engineers in collaboration with law enforcement agencies and forensic experts from around the globe.

Atola Insight Forensic system includes:

• Atola Insight Forensic software (runs on any Windows PC or laptop)
• DiskSense hardware unit
• Hardware extensions ( optional)

Forensic and E-Discovery solution

Atola Insight Forensic workflow

Atola Insight Forensic covers all phases of the data acquisition process:

1. Media diagnosis
2. Media recovery (if needed)
3. Image creation
4. File recovery

1. Media diagnosis

Whenever you start working on a hard drive, the very first thing we recommend to do is to find out if the drive is damaged in any way, and if so, what is the extent of the damage.

The tool comes with fully automated hard drive diagnosis module. It diagnoses all hard drive components: printed circuit board (PCB), spindle motor, head stack, firmware, and file systems. Diagnostics will work properly even if the drive has burnt parts or damaged head stack – the routine makes use of the current monitor that is embedded into DiskSense unit.

After diagnostics finishes, the tool will prepare a report and let you know the exact issue with the drive; it will also suggest the next step to be able to retrieve the data.

2. Media recovery

Atola Insight Forensic can recover and/or remove unknown HDD passwords (also known as ATA-passwords). For most hard drives the unlocking process is fully automated. Some hard drives (for example, latest 2.5-inch Hitachi hard drives) require a degree of manual interference. Operator can choose whether to display the password or just remove it and unlock the drive. Both security levels (High or Maximum) are supported.

List of hard drives currently supported by automatic password recovery routine can be obtained at http://atola.com/products/insight/supported-drives.html

Manual firmware recovery

If there is firmware damage that cannot be fixed automatically, you will have to proceed with manual firmware recovery procedure. Generally speaking, firmware recovery process includes of the following steps:

1. Full firmware backup

2. Diagnosis

3. Recovery

Backup is a very important part of the process. Make sure you have full firmware backup before you make any change to the firmware area.

Basic diagnostics of the firmware area is done during Automatic Diagnostics process (see Automatic Diagnostics ). More in-depth diagnostics is done during firmware backup process, after which any firmware damage that may exist will become obvious, as damaged modules will have either "Read Failure" or "Bad Checksum" mark. Some of these damaged modules can be recovered by right-clicking them and selecting Recover (module will be re-generated and written to the drive). In some rare cases, when Atola Insight Forensic cannot regenerate the module, you would have to copy it from a donor drive (you would need to locate a similar hard drive, save that module from that drive into a file, and then copy that file into the bad drive's firmware, replacing the damaged module).

Please note: if after the full firmware backup you find that there are many unreadable firmware modules (more than 10% of total number of modules), it might be a good indication that the head stack is malfunctioning. The best thing to do in this case is to reconfirm that the hard drive does not have a head damage before proceeding with firmware recovery attempt. Attempting firmware recovery on a hard drive with internal damage may result in an unrecoverable damage.

3. Image creation

Before you proceed with any file recovery attempt, it is very important that you have a sector-by-sector copy of the drive. This is done with the Imaging module available in the software.

Please see the following link for more information on imaging: http://atola.com/products/insight/disk-duplication.html

4. File recovery

After you made a copy of the original hard drive, you can start recovering files. File Recovery engine is able to show status of each file in the file browser, such as what percentage of file was imaged without errors. There's also an ability to create lists of files specifying the status of each file. After creation, the list may be presented for a review.

Learn more about File Recovery: http://atola.com/products/insight/file-recovery.html

Package contents

Please make sure that you have the following items in the package:

DiskSense unit

Power supply

4x HDD eSATAp cables

Hitachi password extraction adapter

3.5" to 2.5" IDE adapter

IDE power cable

IDE interface cable

Serial cable RS-232

Ethernet cat 5e or 6 cable

USB3 to Ethernet adapter

Flash card reader

Extension modules

DiskSense system allows expanding its functionality via hardware extension modules.

How to plug an extension module

DiskSense system must be powered off before an extension module can be installed:

1. Power off DiskSense system
2. Plug extension module into Extension port
3. Power on DiskSense system

SAS extension module

Technical specifications:

• SAS interface: 6 Gbit/s
• Max read/write speed: 500 MB/s
• Hotplug for SAS drives is supported
• Current sensing is supported
• Short circuit and overvoltage protection is active

Atola Insight Forensic allows to run most operations for a SAS drive plugged into DiskSense system. There are a few functions that are not available for SAS drives by their nature: Host Protected Area (HPA), Device Configuration Overlay (DCO), Security Features, and SSD Trim. Firmware recovery is also not supported.

Connecting a SAS drive to DiskSense via SAS extension module

1. Plug the mini SAS connector into the extension module
2. Plug the molex power connector into the IDE source power socket
3. Plug the SAS connector into the drive

SAS extension

10 Gbit Ethernet extension module

The module accelerates the following operations executed with image files: Imaging, File Recovery, Compare, Write from File. For optimum performance please follow these instructions

1. Update the 10GbE driver on the PC workstation to the latest version
2. Link 10GbE Ethernet extension module and 10GbE PC workstation LAN adapter with a Cat6 ethernet cable
3. Open Windows Network and Sharing Center
4. Click 'Change adapter settings' link
5. Locate 10GbE Ethernet card and open its Properties accessible via right mouse button
6. Click 'Configure button'
7. Select 'Advanced' tab
8. Change 'Jumbo Packet' value to 9014

Note that PC motherboard quality can have an impact on the resulting network performance. Also, please ensure that the PC drive is able to read/write at speeds above 300 MB/s.

10Gb extension

Thunderbolt extension module

With the help of Thunderbolt extension module Insight supports imaging, hash calculation and verification, comparing, media scan, file recovery, write protection on all MacBooks with FireWire, Thunderbolt 2 and Thunderbolt 3 interfaces.

Connecting MacBook via Thunderbolt extension module

1. Connect MacBook to DiskSense unit with the help of Thunderbolt extension and the FireWire cable. Use adapters if needed (included).
2. To boot MacBook in Target Disk Mode, start it up while holding down the T key until you see a Firewire or Thunderbolt icon displayed on screen signifying Target Disk Mode.
3. Start DiskSense unit and launch Atola Insight Forensic on your computer.
4. Select Identify device option in the pop-up window.
5. In Source - Select MacBook Case window click Add new case button.

Thunderbolt extension

Apple PCIe SSD extension module

This module supports custom proprietary PCIe SSDs from Apple MacBooks (Mid 2013 - 2015).

Apple PCIe SSD extension

Connecting an M.2 PCIe drive via extension module

M.2 PCIe SSD extension

Connecting an M.2 SATA drive via extension module

1. Connect the source eSATAp cable end to the extension
2. Power off source SATA port in Atola Insight Forensic
3. Plug M.2 SATA drive into the extension and fix it in place with the plastic latch

Drive hotplug is supported. Before replacing hard drives the SATA power must be turned off via the software Power button (for safety reasons).

M.2 SATA SSD extension

Please note that M.2 extension currently does not support NVMe drives.

Hardware and OS requirements

Minimum hardware specs:

• Intel Celeron 2GHz/AMD Sempron CPU
• 2 GB of RAM
• one 100 MBit Ethernet port
• 2 GB of free disk space

Recommended hardware specs for optimal performance:

• Intel or AMD dual core CPU
• 8 GB of RAM
• one 1000 MBit (Gigabit, 1000BASE-T) Ethernet port
• 10 GB of free disk space
• Firewall and especially antivirus software disabled

Supported OS:

• Windows 10 (32/64 bit)
• Windows 8 (32/64 bit)
• Windows 7 (32/64 bit)

Connecting devices and starting Atola Insight Forensic

The purpose of this page is to provide information on Atola Insight Forensic start up procedure.

Source Device Selection dialog

Source Device Selection dialog is available from main menu (Source -> Select Source...) or via F3 shortcut key:

Source device selection

At this point you can select the port you'd like to work with (SATA, USB, IDE Master, IDE Slave).

After you select the device, Atola Insight Forensic switches to the main application window.

Attaching and detaching hard drives

Y ou can attach and remove hard drives at any time without restarting the software or hardware unit.

When replacing hard drives, Atola Insight Forensic detects the change automatically. However, if you'd like to manually re-identify a hard drive, you can do one of the following:

• Use Source Port Re-Identify button or press F2
• Use Source->Select Source... menu item

Source device menu

The difference is that re-identification works only when the attached hard drive can return at least some identification data. When the hard drive has significant damage (for example, a burnt PCB) and therefore won't return identification data, Atola Insight Forensic will fail to automatically recognize such hard drive. In this case you would have to use Source->Select Source menu item to manually select the device. Atola Insight Forensic will still be able to diagnose a hard drive that is "completely dead" by relying on the current sampling.

Before disconnecting hard drives from the unit, we recommend to use Power Off button in Atola Insight Forensic software to properly shut down the drive:

Source power button

Working with MacBooks via Thunderbolt extension module

Thunderbolt extension enables Insight to operate on all MacBooks with FireWire, Thunderbolt 2 and Thunderbolt 3 interfaces. There is no need to remove the SSD, Thunderbolt extension allows connecting the whole Apple laptop to Insight.

The extension module comes with:

• Thunderbolt 3 to Thunderbolt 2 adapter (by Apple)
• Thunderbolt 2 to FireWire adapter (by Apple)
• FireWire cable

Cable adapters

Connecting MacBook to DiskSense unit

1. Connect MacBook to DiskSense unit with the help of Thunderbolt extension and the FireWire cable ( NB Both MacBook and DiskSense have to be turned off). Use the adapters to connect to the MacBooks with Thunderbolt 2 or Thunderbolt 3 interface.

2. Start DiskSense unit and launch Atola Insight Forensic on your computer.

3. Boot the MacBook in Target Disk Mode. To do that, start it up while holding down the T key. You should see a Firewire or Thunderbolt icon displayed on screen signifying that Target Disk Mode is detected and working.

MacBook drive and DiskSense unit connected

4. Select Identify device option in the pop-up window.

5. In Source - Select MacBook Case window click Add new case button.

Select MacBook Case

6. If this is the first time this MacBook is identified by Insight, you need to enter the Serial number of the MacBook in the pop-up window and click OK. The device has been identified. ( NB MacBook's serial number can be found on the bottom case).

MacBook's serial number

Now you can perform these operations with the connected MacBook:

• imaging
• hash calculation
• hash verification
• comparing
• media scan
• file recovery

When a MacBook is connected to Insight for a subsequent session, you can simply select the appropriate case from the table.

Open existing MacBook case

Atola Insight Forensic: Main Window

This page provides information on basic Atola Insight Forensic controls.

1. Back and Forward buttons

These buttons allow you to go to the previous screen of the program. This may be useful if you'd like to see previous output or quickly restart a process.

2. Main menu

You use this menu to navigate through different parts of the software.

3. Case

This panel shows the current case number or allows assigning a case number.

4. Source Port controls and indicators

The source port consists of several parts:

• Power button. Allows to manually apply power to the hard drive attached to the DiskSense unit.
  • When power is on, single button click sends a spin down command first and after that performs power-off.
  • When power is on, you can click the button second time during spin down to instantly power the device off.
• Re-Identify button. Used when you replace the hard drive.
• HDD model, firmware, and serial number. Hard drive identification info.
• Device interface type. Can be SATA, USB, IDE.
• DCO. Indicates whether Device Configuration Overlay (DCO) is activated.
• HPA. Indicates whether Host Protection Area (HPA) is activated.
• PWD. Indicates if the hard drive is locked with an ATA password.

Port context (right-click) menu

• Select Source... Allows choosing another source device (SATA/IDE/USB) (please see Attaching and detaching hard drives for more information).
• Reset Resets hard drive's interface
• Re-identify Should be used after you replace the drive
• Spindown Sends "Spindown Immediate" ATA command to the drive
• Current Oscilloscope Brings up the oscilloscope window
• Terminal Brings up RS-232/serial terminal window
• Assign Case Number... Allows assinging a specific number to the open case
• Print... Print or Export the whole case history
• Export... Save the entire case history into a single file
• Import... Import case history from a previously exported file

5. Target Port controls and indicators

Target port has all features of Source port. Target port allows to plug one of the following:

• Device attached to the hardware target port (SATA or USB)
• PC device (hard drive attached directly to the host PC)
• Image file

6. Source Menu

• Select Source... Allows choosing another source device (SATA/IDE/USB) (please see Attaching and detaching hard drives for more information).
• Reset Resets hard drive's interface
• Re-identify Should be used after you replace the drive
• Spindown Sends "Spindown Immediate" ATA command to the drive
• Current Oscilloscope Brings up the oscilloscope window
• Terminal Brings up RS-232/serial terminal window
• Assign Case Number... Allows assinging a specific number to the open case
• Print... Print or Export the whole case history
• Export... Saves the entire case history into a single file
• Import... Imports case history from a previously exported file

7. Windows menu

This menu is used to open the Current Oscilloscope and Terminal windows.

• Current Oscilloscope. Helps to keep track of hard drive power consumption levels, can be especially useful for remote hard drive diagnostics.
• Terminal. Helps in accessing the firmware area of certain hard drive models for both manual and automatic firmware recovery modes. The serial port can also be used for certain diagnostic functions.

8. Selected device information

9. Case history

Here you can see all actions that were done to the currently attached hard drive. If you'd like to get full details on an action, just click it and Atola Insight Forensic will show you the detailed report.

10. Attached Files

Insight Forensic allows attaching files to the case. Whenever you attach a picture, a thumbnail is added to the Home screen.

11. Status and Error registers

This panel displays raw contents of Status and Error ATA registers in real time.

Registers: what they mean

Link Register

It's only enabled when port powered on, device presence detected and PHY communication established.

Status Register

This register contains hard drive status information. It is updated after every single command sent to the drive.

ERR: means last command failed to execute. In this case the Error register contains more details on the specific error.
INDX: obsolete, used to trigger after each spindle revolution
CORR: obsolete, used to trigger after a bad sector was automatically corrected by ECC
DREQ (Data Request): is asserted when hard drive wants to exchange data with the host controller (in either direction)
DRSC (Device Seek Complete): is obsolete; always asserted on modern hard drives
FAULT (Write Fault): is obsolete
DRDY (Device Ready): is obsolete; always asserted on modern hard drives
BUSY: indicates that the hard drive is busy executing a command OR initializing (after power on or reset)

Error Register

Error register provides more details if the last command failed. This register is only valid when ERR bit of the Status Register is asserted.

AMNF: means Address Mark Not Found (usually occurs on failed read attempt)
T0NF (Track 0 Not Found): obsolete
ABRT: command aborted (unsupported command or other failure)
IDNF: sector ID not found (usually occurs on failed read attempt)
UNC: uncorrectable read error; the hard drive was unable to read data even after applying ECC recovery algorithms
ICRC (Interface CRC error): there was CRC error while transferring data between host and the hard drive (usually indicates bad interface cable)

Automatic Diagnostics

Automatic Checkup feature diagnoses the following hard drive components:

• Electronics (circuit board)
• Motor
• Heads
• Media surface
• Firmware area
• Partitions and file systems

One-button start of Diagnostics

First, hard drive's electronics (printed circuit board or PCB) is diagnosed. The system applies power to the device and records and analyzes spin-up current curve. This allows to detect most issues with the PCB and the motor. Then, the contents of the hard drive's ATA registers and device identification sector are being analyzed:

Measuring hard drive's currents

After that, the head stack is tested. Several factors are taken into consideration when diagnosing heads: media access time for each head, power consumption curves, and internal hard drive's error reporting systems:

Head stack test

If head stack looks good, the system performs a short media scan. The purpose of this scan is to find out how many "bad sectors" (if any) there are on the surface:

Checking media surface for bad sectors

Then, several firmware tests are performed:

Firmware checks

If no issues found up to this point, a file systems checkup is performed:

Short analysis of filesystems

After all tests are done, Atola Insight Forensic will display the full report. Diagnostics result message box contains a short summary of all tests:

Final diagnosis

Media Scan

Media scan can help detect two kind of hard drive damage:

• Head stack damage
• Read errors ("bad sectors")

Media scan can also be used to determine general condition of the hard drive's surface.

There are three methods of scanning:

• Linear — from start LBA to end LBA
• Backward — from end LBA to start LBA (in reverse)
• Fast — from start LBA to end LBA. Please note that in this mode the software skips large numbers of sectors; this mode is to be used only to get a quick overview of the entire surface.

Let's scan a good hard drive and see what we get.

Good hard drive

Drive without bad sectors

There are two graphs; the top graph represents single block read time (one block is 2048 sectors which equals to 1 megabyte), and the bottom graph represents read speed for the entire surface.

Now let's have a look at some graphs taken from damaged hard drives.

Unstable hard drive

We call such hard drives "unstable". They usually do not have read errors, but at the same time media access times are very high and change sporadically. In most cases it is possible to create a clean image of such drive.

Hard drive with damaged head

You can observe patterns of delays which indicate head damage. However, please note that although the head is damaged, it can still read *some* sectors without errors, therefore it is possible to create a relatively good image of such hard drive by imaging data off good heads first, and then off the bad head.

Read errors

Read errors are displayed as vertical red bars. Please note that when scanning, Atola Insight Forensic shows the entire block as bad even when only one sector in that block is damaged.

Tracking a drive's SMART table status before and after imaging

Being able to evaluate the drive’s state before it has exhausted its resources can make all the difference between a case won or a case lost in a court of law.

SMART table is a valuable source of information about a hard drive’s health. SMART (Self-Monitoring, Analysis and Reporting Technology) provides stats of a drive’s operation, thus helping predict its future failure. Making a definitive conclusion based on the indices in SMART table is not easy: not all parameters are critical, it is usually a combination of bad values of a few parameters that point to a trouble, time factor plays a role too (how fast has the state of the drive been deteriorating).

To view SMART table of a drive:

1. Go to View SMART subcategory of Diagnostics category of the left-side menu
2. Click Read SMART button

Hitachi drive with 1221 pending sectors

SMART table attributes may differ depending on the drive manufacturer. The most critical attributes are:

• Reallocated sectors count
• Current pending sector count
• Uncorrectable sector count

When RAW value of any of these attributes is greater than zero, Insight will highlight it in yellow.

The worse the values, especially in these critical attributes, the more carefully the drive needs to be treated.

To keep track of the changes occurring to the attributes of the SMART table, Insight records SMART table indices prior and after each imaging session.

To open both SMART tables for side-by-side comparison:

1. Go to Imaging Results
2. In SMART data line click View link.

By comparing the two tables, operator can evaluate whether the health of a drive has been deteriorating throughout the imaging session and thus assess how quickly its health has been getting worse.

How SMART table state changed after image acquisition

Whenever you need to evaluate how the state of the drive has been changing long-term, you can go to previous imaging sessions and look up SMART table. Insight will store this information in its case management system.

Multi-pass imaging of damaged drives

Atola Insight Forensic has a complex imaging functionality, which allows imaging even physically damaged hard drives, while avoiding further drive deterioration. Damaged drives require a complex imaging approach, which would balance thorough data extraction with forensics’ need in expediency and measured treatment of damaged media.

Most imagers have a linear imaging process, and whenever such imager encounters a bad sector on a drive, the process slows down drastically, which often causes the drive to freeze. To speed up imaging of damaged drives and maximize the amount of successfully retrieved data, Insight operates using a special imaging algorithm that provides deliberate timeout and block size control.

Using small block size pays off when you need to thoroughly retrieve maximum data from an unstable drive, but it also significantly slows down imaging process. What’s worse, such approach increases the possibility of causing further damage to the media. That's why Insight's multi-pass imaging engine uses large blocks with short timeouts on the first few passes, scheduling reads inside slow areas for later and then using the smallest block size on the last pass when fewer sectors are left to be read.

This technique helps achieve imaging speeds of 500 MB/sec in good areas of the drive, while approaching bad areas in the most gentle way possible and reaching unbeatable overall speed of disk imaging.

The best part is that Atola Insight Forensic will handle block sizes automatically, thus providing the best possible results in the shortest amount of time. This allows Atola Insight Forensic to be faster in virtually any job than any other data recovery or image acquisition tools commercially available.

Block sizes and timeouts are adjustable. However, the default settings of the passes are based on our decades-long experience in data recovery market to fit most problematic drives. Therefore, it is advisable to follow them, unless a particular drive requires specific settings.

Full control over imaging passes

On the first pass, Insight allows 1-second Timeout per block, and the Max read block size is set to 4096 sectors. The settings of the first pass allow smooth sequential imaging of all modern hard drives, whose media is sound. But when imaging damaged drives, these settings make Insight skip any areas that slow down reading and perform Jump on error by 1,000,000 sectors at a time. These settings ensure imaging data from the healthy areas of the drive at top speed, while forcing Insight to return to the problematic areas during the following passes, splitting such areas into smaller ones and allowing more time for reading the data within.

While Max read block size remains the same during the second and the third passes, the Jump on error is set to 20000 sectors and 4096 sectors respectively and slightly longer, 5-second Timeouts are allowed for attempted reading of the blocks.

On the fourth pass, both Jump on error and Max read block size are yet again reduced, this time to 256 sectors.

On the fifth pass Insight allocates 60-second Timeouts to read the Maximum block size of 256 with just 1-sector Jump on error. It is the last and the most scrupulous attempt to read the remaining bad areas of the drive.

After the final pass the Imaging Results report will appear to show the eventual number of errors on the drive and other detailed statistics.

When looking at the settings of the imaging passes, you will see the Reverse direction check boxes. With this function selected, Insight will approach skipped areas of the drive from the other side on any selected pass. This way Insight can get more data from a drive before entering a damaged zone, which needs to be concentrated on during the following passes.

Another option in the imaging pass settings, which is worth mentioning is Disable read look-ahead option. Most contemporary hard drives have read look-ahead functionality, which makes the drive sequentially read more blocks than requested by software. In good drives, this functionality helps the drive to operate faster by reading more data and caching them. But with bad drives, read look-ahead leads to bad areas being addressed more often, which slows down the process and may lead to a complete freeze of the drive. In such cases, disabling read look-ahead option is advisable.

Please note that when dealing with a damaged drive, we strongly recommend using Segmented hashing because this method supports multi-pass imaging and handling of bad sectors, and provides better resiliency against data corruption.

To read about the way Insight handles imaging of freezing damaged drives please follow this link.

Creating a logical image of a source drive

While physical imaging involves sector-for-sector copying the whole evidence drive from the first LBA to the last one, logical acquisition implies bit-for-bit copying of the file structure.

Logical acquisition is handy, when time is limited and you need to quickly start working with the file structure. At the same time, logical image does not include remaining fragments of previously deleted files, which makes this imaging method incomplete. On top of that, hash values of the source and the target will not be identical. Therefore, for profound investigation, it is still preferable to use a physical image.

This guide will show how Atola Insight Forensic’s flexible imaging functionality enables users to perform selective logical imaging.

In the Imaging category of the left-side menu there is I want to image drop-down menu, where you can select All sectors with data or All sectors with metadata options.

Image only those sectors that have data

When you choose All sectors with data, you can image the whole system structure of the drive including folders and files, while omitting the areas with no data or fragments of previously deleted files.

By going for All sectors with metadata option you can image the system structure without data within its files (e.g. MFT in NTFS) for file browsing and selecting specific files to be imaged in full. For more information on this please watch this video guide: Benefits of Imaging Metadata.

When you select either of these two options, imaging log adds a message about the partitions Insight has been able to find.

Imaging results

Once imaging is complete, you can view the structure of the logical image you have obtained by clicking Analyze target image.

This will open the Target port.

1. Click Scan partitions button
2. Select any of the imaged partitions you want to
3. Click Open partition button

In our example, we have imaged all sectors with data, and the partition we open contains the file structure and files, which we can explore, open and analyze.

Clip Target Drive to Source Evidence Size

When you image data from a drive involved in an investigation case, and the target drive will be holding a 1:1 clone of evidence data, in many cases it is critical that the target drive's capacity is identical to that of the source drive. Should there be a difference in size between the source and the target devices, their hashes will be different too.

However, if your SATA target drive has a larger capacity, you can limit its size to that of the source drive using Host Protected Area (HPA). It will make the sectors beyond this limit inaccessible to the hashing tools as well as the end user.

To do that:

1. Go to Imaging category of the left-side menu and click Create New Session link
2. In Preset line click the Show settings link.
3. In Miscellaneous tab tick the box next to Limit target disk size to source size using HPA(SATA target ports only) option.

Enabling HPA restriction for target

You can now proceed with the Imaging process by clicking Start Imaging button.

When Imaging is complete, you will see that target disk port now contains an HPA indicator, thus informing you that HPA has been enabled on this drive. There will also be a report created in the Case History.

This report will contain information about the time when HPA was enabled, a detailed device description and how this action was initiated. It will also indicate the initial max address as well as the current one.

Now you can calculate hashes on both disks to make sure they are identical.

Please note that enabling HPA is an option available only for SATA target drives.

Imaging Drives with Damaged Heads

Hard drives with physical damage require a complex imaging approach. This guide will explain how to retrieve data with the minimal risk of data loss on a drive with a damaged head stack.

If an Automatic Checkup report indicates that there is a problem with the heads, look at the status of each head.

Head problem found during Diagnostics

If the status of a head or multiple heads is Degraded or Damaged , the drive will not be able to read all the data. What’s worse, even more sectors may soon become unavailable due to incorrect functioning of the drive’s hardware.

We recommend that you start by imaging the heads, whose status is OK , as soon as possible. To do that: Step 1. Go to Imaging category of the left-side menu, click on Create New Session link and select the device or file to which the data will be imaged.
Step 2. In the Start new imaging session page go to Heads line and click on Select heads to use link.
Step 3. Unselect the damaged head.
Step 4. Click on Start Imaging button.

Unselect degraded head

As a result, you get as much data from the drive’s viable heads as possible before even beginning to work with the damaged head. This way the risk of losing data on the working part of the head stack is minimized.

Imaging result with 3 good heads

Now that this data has been successfully retrieved, you have two options:

• To have the head stack replaced before imaging the remaining data. However, as a result of head stack replacement data on the drive can become unreadable.
• To attempt Imaging data with the Degraded or Damaged head. Follow the same procedure as with the good heads, only this time, during Step 3 unselect all the working heads and leave only the Degraded/Damaged one(s) before clicking on Start Imaging.

Unselect 3 working heads

Atola Insight Forensic’s sophisticated functionality enables users to retrieve maximum data even from the severely damaged drives.

Imaging degraded head

Now that you have an image of the source evidence including the data copied from the damaged head, you can take the risk and get the head stack fixed. Afterwards, you can start a new session to complete the initially created image with data from previously unreadable sectors.

Imaging Freezing Damaged Drives

When Atola Insight Forensic performs Imaging, it approaches bad sectors in the most gentle yet thorough way with high overall speed. But most importantly, Insight is unbeatable at imaging severely damaged drives, while providing all the necessary tools for evidence verification and proper data storage formats. Insight's ability to succeed even with the drives that freeze in the course of imaging makes it indispensable for forensic specialists.

So why do damaged drives freeze?

When a drive receives and runs a Read sectors command, and comes across a physically or logically damaged sector, the device is unable to return a good result. Therefore it goes into Retry mode, repeatedly attempting to retrieve data from the damaged area.

However, often the drive is unable to read data from the damaged sectors and the Retry mode can last for a very long time before it decides to give up on a particular sector and return an Error.

How does Insight handle this issue?

If Insight simply waited for each Read sectors command to be completed:

• it would take ages to get an Image of a drive with numerous errors;
• it could cause the drive to slip into complete freeze;
• in the worst-case scenario, further damage could be caused to the data on the drive.

For these reasons, Insight issues a Reset command whenever a drive attempts to read a block of sectors for longer than allowed by the pre-configured Timeout. Reset is a device interface operation, using which Insight (the host) stops the previously sent Read sectors (or any other) ATA command so that Insight continues imaging from the next planned block on the drive.

If the device is still running Read Sectors command, even after Reset attempt, Insight will wait 3 seconds and perform another Reset command. At the moment of the second Reset, a new entry will appear in the Imaging Log reading Device hangs while reading block
X – Y.

Power cycle due to frozen source device

If 20 seconds after the second Reset, the drive has not been able to abandon the current block, Insight will perform Power cycle by forcibly cutting power to the drive for 5 seconds. At this point Insight will add two entries to the log: Performing power cycle... (when the power is cut off) and Waiting for the device to become ready… (when the power is switched back on).

Should Power cycle prove successful and the drive become ready to accept the next command, there will be a final log entry for this problematic block of sectors saying: Cannot read block of data at X – Y (Timeout).

If Power cycle is ineffective, it means that the drive is still in Busy state that prevents it from becoming ready to run the next command. After that, Insight will make one or more additional power cycles. In Insight’s default settings the Max consecutive Power Cycles option is set to five . Should all five Power cycles be unsuccessful, Imaging will be automatically terminated. It can be resumed afterwards, and Insight will continue to image all remaining sectors.

While users are able to change the default maximum numbers of Resets and Power cycles, these are set based on our decades-long experience and balance the need of data retrieving with the risk of further data loss.

NB If prior to Imaging, you applied Change Max Address temporarily (until power cycle) option, the Power cycles performed in the course of Imaging will not affect it. The Host Protected Area will remain accessible throughout the Imaging process. Insight will temporarily remove HPA max address restriction after each Imaging-related Power cycle.

The same is true for Reset Password until power cycle option. Insight will keep the password reset throughout the Imaging process, without regard to the Power cycles applied.

Imaging a Source Drive to an E01 File with MD5 and SHA-1 Hashes

In recent years, E01 file format has become the de facto standard format for forensic purposes due to its ability to store not only a physical or logical copy of a source drive, but also case and evidence details. E01 file can also contain both MD5 and SHA-1 hashes. And it is considered a good practice among forensic specialists to calculate both hashes while imaging the evidence so that they are included in the E01 file.

To image a source evidence drive to an E01 file you have to add a new target file.

Selecting a new E01 file

1. In Imaging category of the left-side menu you can click on Create New Session link and in the Target Device Selection window click on Add Image File link.

2. In the Image File Selection window select E01 file extension in the drop-down menu to create an image file with this extension and type the name you prefer in the File Name field.

3. Fill out all the relevant fields in the Image File Options window (you can also do it later in the Home page of the file when it is created):

4. Click on Select button in the Target Device Selection window .

As a result you get is an E01 file with current 0 bytes capacity created (its final capacity will be defined by the amount of imaged data it contains plus the metadata).

Imaging & calculating the hashes

1. Go to Imaging category of the left-side menu and click on Create New Session link
2. In Preset line click on the Show settings link
3. In Passes and Hash tab check the Hash source during imaging box
4. In Hash method drop-down menu select Linear
5. In Hash type drop-down menu select MD5 and SHA-1
6. Click on Start imaging button

Upon completion of imaging, you will see both MD5 and SHA-1 hashes indicated in Imaging Results page:

Calculated MD5 and SHA1 hashes

Splitting an imaging session to separate targets

A situation may occur when multi-target imaging is paused to be continued later, but one or more targets become unavailable. The drive may need to be taken and used by another technician or broken, or the server with the image file may become unavailable. But you may need to finish the imaging to the remaining target asap to start working on the evidence.

It is for such cases that we have added the splitting imaging sessions functionality to the 4.9 release of Atola Insight Forensic.

With the source drive connected to Insight, go to Imaging category and view the details of the interrupted imaging session to several targets. If not all target drives and image files are available, it is impossible to simply resume imaging. However it is possible to split the previous imaging session into separate ones: one per each target. To do that click Split all sessions to separate targets link.

Once the session has been split, it is possible to resume imaging to each separate target by clicking Resume button in each target’s Imaging Session.

The resumed imaging session will skip all sectors imaged to the target within the previous session.

This way one can complete imaging to all targets at different times, as they become available.

NB Please note that if a target becomes unavailable during imaging, the process will automatically stop running, and you can try to either resume imaging to all targets, or split imaging sessions should it be necessary.

Insight's Case Management system records every step of data acquisition process saving them into reports grouped by cases.

To view the whole list of cases and their devices:

1. Go to Case category in the top menu
2. Click on Search/Open option

In the Search and Open Case window you will see the list of all the devices that have ever been connected and identified by your Insight.

It is possible to search for cases using multiple criteria and sort the results ascending or descending in any of the columns.

Please note that it is possible to store multiple devices under the same case number, allowing you to keep track of all devices related to a certain case.

Once a device is selected, you get a preview of the case including device details: when the case was created (i.e. the device was connected to the unit and identified by Insight for the first time), last time it was opened, the device model, serial number and description.

The case opens as a separate port in the Top Bar of the Insight window.

Artifacts search

Imaging is a time-consuming part of the evidence acquisition process, especially when dealing with damaged drives.

Even though Atola Insight Forensic is the fastest forensic imaging tool in the world (there is literally no penalty on a drive speed when you image it with Insight!), we want to help expedite forensic process even further. The artifact search feature allows analysis of data from an evidence device in the course of imaging.

Artifacts settings

1. Go to Imaging category of the left-side menu
2. Click Create new session link and select the target device
3. In Preset line click Show settings link
4. Open the Artifacts tab.

In this tab it is possible to view, select or deselect the artifacts you want to be searched in the course of imaging.

For each of these artifacts we have not only applied well-known algorithms including the Luhn formula used to validate credit card numbers, but also applied our own smart filters to eliminate false results (e.g. if there are two slashes near the number that has preliminarily been identified as a credit card number, that will eliminate it from the search results, as it is likely to be a part of a URL).

Keywords and regular expressions can be added to the search parameters in a txt file with one artifact per line. Click the View link next to Keywords category in Artifacts tab before imaging and make sure the keywords are displayed correctly. Keyword encoding can be adjusted to Unicode, Unicode (UTF-8), Unicode (Big-Endian) or US-ASCII.

A few of the artifacts are selected by default, namely: GPS, MAC, Phone numbers, URL. You can adjust these default settings and click Save settings button. This will affect all future imaging sessions (including those on new source drives) unless you re-adjust the settings or restore the default settings by clicking the corresponding link. The paths to the files with keywords and regular expressions will also remain saved, although should any changes by made to the txt files in the saved directory, the changes will be uploaded at the start of each imaging session.

Once you have ticked the boxes next to the artifacts you would like to be searched for, click Start Imaging button.

Browsing through the artifacts in the course of imaging

Once imaging has begun, go to the Artifacts tab in the bottom part of Insight window and watch the selected artifacts being found: the numbers of artifacts and the corresponding diagram change on the go.

To see the artifacts in a list, press on any of the categories or the diagram.

In the table, each artifact is assigned an Id number, each found Value is shown in the context (including 20 bytes before and 20 bytes after the artifact in grey color), the LBA and the offset are also displayed in the table to help locate the artifact.

There are many options to help find, sort, filter and view the artifacts: it is possible to view one or a few categories of artifacts in one list, use the Search bar to find a specific value (search examples are provided in the bottom right corner of the window), filter results for unique values by clicking the Show unique artifacts link.

The latter option is quite valuable as it helps identify the values most frequently occurring on the drive: to sort the results click Count in the table header.

To promptly find the sector where an artifact is located, you can double click the artifact you would like to examine more thoroughly.

Exporting artifacts

Export to CSV button is disabled during imaging. You can wait until imaging is completed or pause it, make an export and restart imaging, should it be necessary to start analyzing the current artifact search output with an external tool:

1. Pause imaging.
2. In the Imaging results page click on Artifacts link.
3. In the Artifacts page you can select the artifacts you would like to be exported (e.g. one or multiple artifact categories, unique artifacts or only those fitting certain search criteria), and then click Export to CSV file button.
4. Select the path for the file and click Export
5. Once the export is completed (which normally takes no longer than a few seconds), restart imaging.

There is Export artifact link now in the Imaging category of Insight's menu. If the source drive was imaged in multiple sessions, and artifact lists were created during different imaging sessions, by clicking this link you can download a merged list of artifacts from multiple imaging sessions.

Segmented Hashing

Segmented hashing is a new hashing concept, which enables to hash damaged source drives and avoid losing a target image if part of the data gets corrupted. This hashing method can be used during multi-pass imaging of damaged drives.

How is segmented hashing different from regular hashing?

With regular hashing, you get a single hash for the entire image.

With segmented hashing, you end up with many hashes of corresponding LBA ranges of the image. The sum of these LBA ranges represents the entire image, though not necessarily in sequential order. You can still prove that the entire image has not been modified by verifying all hashes in a set.

Segmented hashes are saved in a CSV file in this format:

Hash,start LBA,end LBA

Example:
75c92419e86ce82734ef3bbb781e6602 ,0,8388608
e2c7fc5264bae820e46c50b0502236d3 ,8388609,16777216
42718e48b5adb59563c98727cbce0619 ,16777217,25165824
... And so on until the last LBA.

Segmented hashes for multi-pass imaging

Conventional hashing method prevents imaging source evidence in a non-linear way, which means no proper hash calculation when imaging damaged evidence drives. Segmented hashing allows the use of multiple passes and a more efficient handling of damaged drives, while hashing all good areas.

Hashes are calculated only for the imaged areas, while all bad sectors are excluded from the calculation.

Selecting segmented hashing method in imaging settings

Better resiliency

Another reason to use segmented hashes is to ensure better resiliency against data corruption in the image. If your acquired evidence image gets damaged in the future, with a regular linear hash you will get a hash mismatch upon verification, and the entire image will become useless. With segmented hashes only the hash for one segment in the set will become invalid.

Example: Imaging with segmented hashing

Here are imaging results including a link to the file with segmented hashes.

Segmented hashes are saved in a CSV file in "Hash,start LBA,end LBA" format:

Verifying damaged images with segmented hashing

Last November Atola Technology team presented a new hashing method called Segmented hashing. Unlike the conventional linear hashing, segmented hashing produces not a single hash, but a list of hashes of corresponding LBA ranges of the image saved into a CSV file in this format:
Hash, start LBA, end LBA

By validating all hashes on the list, you can prove that the entire image has not been modified. For more information about this hashing method, please follow this link: Segmented Hashing.

While this method of hashing has a number of benefits for forensic specialists, among its strongest advantages is its applicability to damaged drives.

For one, this non-linear hashing method allows calculating hashes of the good areas of evidence media, while bad areas that are impossible to read and image, are left out of the calculation.

Secondly, if your acquired evidence image is damaged at some point in the future, with the regular linear hashes you will get a hash mismatch upon verification, and the entire image becomes useless, whereas with segmented hashes only the hash of the damaged segment will become invalid. For example, in the case of a 4TB hard drive, if the default 4GB segment size is applied, one invalid hash will account for only 0.1% of the drive, while the remaining 99.9% of hashes can still be verified.

Verifying segmented hashes

For instance, you have imaged a source drive and calculated its segmented hashes, the CSV file is stored on your computer. Now let's simulate a change of the evidence image to see how Segmented hashing helps us identify the areas, whose integrity has not been compromised.

Step 1. Select the target image in the top Port bar. In the Disk Editor subcategory of Device Utilities category of the left-side menu, we can open any sector of the drive. There we can change one byte in sector #35,000,000.

Changing one byte in Disk Editor

Step 2. In the Hashing category of the left-side menu there is Verifying Segmented Hashes subcategory. This is an automated way to verify the segmented hashes in an existing CSV file against the target image. Select the file with segmented hashes calculated during imaging and click Start.

Hash verification

Step 3. Hash verification is in progress. Here we see 18 segmented hashes checked. Hash for the interval that includes sector 35,000,000 is invalid.

Segmented hash verification in progress

Step 4. Hash verification finishes with the proper case report automatically created, also in CSV format.

Segmented hash verification report

This is how segmented hashing helps you avoid the whole image being compromised when a small area of the evidence target is damaged.

Calculating Hash During Imaging

Atola Insight Forensic supports hash calculation of both source and target devices in conjunction with imaging. We have developed highly flexible functionality to help optimize evidence acquisition process to fit one’s internal procedures as well as avoid causing further damage to fragile media.

To view the hashing options:

1. Go to Imaging category of the left-side menu and click on Create New Session link
2. Select the target device or file
3. In Preset line click on the Show settings link
4. In the upper part of the Passes and Hash tab there are three checkboxes:

• Pre-hash source device
• Hash source during imaging
• Post-hash target device(s)

Imaging results with segmented hashes

Multiselect is available, which allows an operator to use all three of these options.

However, Pre-hash source drive option must be used with caution: although pre-hashing can be required by an investigator’s internal procedures, when dealing with drives that have been diagnosed with hardware failure, this operation may cause further damage to the drive before essential data is imaged.

On the contrary, Hash source during imaging is the most appropriate way to calculate the hash of a fragile source evidence drive. In this case, Insight only needs to read the data on the drive once to both image and calculate the hash, thus minimally using the drive’s hardware.

NB Linear hash can only be calculated by reading data in sectors consecutively in one pass. Therefore ticking Hash source during imaging checkbox and selecting Linear or combined Linear and Segmented option in Hashing method drop-down menu leads the number of passes to be limited to one. When dealing with a damaged drive, we strongly recommend using Segmented hashing, as this method supports multi-pass imaging and handling of bad sectors and provides better resiliency against data corruption. For more details please follow this link: Segmented hashing.

Post-hash target device(s) option allows to properly record the calculated hash in the case. Since this operation does not require reading the source drive, it is safe to use this option while imaging either good or damaged drives.

Imaging results with segmented hashes

Calculating MD5 and SHA1 hashes of an existing E01 file

Over the years, E01 file format has become a popular format for forensic purposes due to its ability to store not only the physical or logical copy of the source drive, but also case and evidence details. E01 file can also contain both MD5 and SHA-1 hashes. And it is considered a good practice among forensic specialists to calculate both hashes while imaging the evidence so that they are included in the E01 file.

To view the hash calculated for an E01 file with Atola Insight Forensic, open the file by pressing the Plus icon in the port bar and then selecting E01 image files (*.E01) file extension in the drop-down menu to view existing files with this extension.

In the Home page look through the File History and click on the Imaging target link.

This will open an Imaging target report, at the bottom of which you will be able to see both hashes calculated during the imaging session.

You may leave this window open or save the report as a pdf file to compare the hash with the newly calculated one later.

Then go to Calculate Hash page in Hashing category of the left-side menu and select Linear in Hash method drop-down menu and MD5 and SHA-1 in Hash type drop-down menu.

Once the hashes have been calculated, you can make sure that the two sets of hashes are identical.

Comparing Hashes of Source and Target to Find Modified Data

So you have a Source evidence drive and its image on a different device, and you have a record that their hash values were identical in the past.

If you get a different hash value when you calculate the hash of the target now, it could be due to hardware failure, or because the device containing your image was used by a third party.

To understand how substantial these changes are, you will want to locate the sectors that have been modified.

1. In the Disk Utilities category click Compare subcategory.
2. Make sure that the whole range of sectors of the drive and radio button next to Device on DiskSense Target Port option is selected
3. Click Compare button.

Atola Insight Forensic's high-performance compare function will compare the source and the target and will help you identify and locate the modified sectors:

Extracting and Resetting an Unknown ATA Password

Insight can recover and/or remove unknown HDD passwords (also known as ATA passwords) and for most hard drives the unlocking process is fully automated.

When a device is connected and identified as locked with an ATA password, there is a corresponding PWD indicator displayed in the port, and Security Status in the Home page says Locked, High or Locked, Maximum. High and maximum are password protection levels that the operator who locked the device selected. Although information about it may be relevant to the investigator, both security levels are supported by Insight's password recovery functionality, therefore this information is not important for the purpose of this guide.

Source deviced locked with ATA password

To perform a complete Diagnostics, Insight needs to have a hard drive unlocked. Therefore we suggest that when dealing with a locked device, password recovery is performed before running the Automatic Checkup.

Diagnostics showing password lock

Password Extraction, Reset and Reset until power cycle

Under Device Recovery category of the left-side menu select Password Recovery subcategory. There are 3 options of dealing with a locked hard drive:

• To display the password without unlocking the device at this moment, click Extract button. This option does not require write protection on the source port to be switched off.
• To work with the data on the drive without permanently resetting the password, tick Reset Password until power cycle checkbox and then click on Reset button. This way write protection stays enabled on the source port, and no changes can be made to the drive.

• Finally, to permanently unlock the device, switch off write protection and then click on Reset button.

Unknown password recovery

For the list of hard drives currently supported by Insight's automatic password recovery, please follow this link.

Please note that this guide is applicable to all supported Samsung, Toshiba and Western Digital hard drives. To unlock a Seagate drive, please connect the device to the Serial port of the DiskSense unit and then follow the same steps. Hitachi drives require the use of the password extraction adapter: for more information please follow this link .

Connecting Seagate Drives to Serial Port

If you need to extract or reset an unknown password or perform drive recovery on a Seagate hard drive, use a Serial cable to connect the drive to the DiskSense unit.

Take a minute to familiarize yourself with the Serial cable’s three connectors. On one side of the cable, there are two connectors. Both are 2-pin RX-TX (receive-transmit) connectors. The slightly larger one has 2.5-mm pin pitch and is used for IDE drives. The smaller one has 2-mm pin pitch and is used for SATA drives.

On the opposite side of the Serial cable, there is a 3-pin TX-RX-GND (transmit-receive-grounding) connector. This connector is inserted in the Serial port on the back side of the DiskSense unit.

DiskSense Back Side

Connecting 3.5-inch and 2.5-inch Seagate SATA drives

When you look at a Seagate SATA drive (either 3.5-inch or 2.5-inch), there is a 4-pin jumper block right next to the SATA port.

3.5 SATA serial port

2.5 SATA serial port

Connect the 2-mm RX-TX end of the serial cable to the two jumper pins located closest to the SATA port so that the red RX (receive) wire is connected to the pin closer to the SATA port.

3.5 SATA Seagate connected

2.5 SATA Seagate connected

Connecting 3.5-inch Seagate IDE drives

Desktop IDE drives have an 8-pin jumper block between IDE port and Power port. For the purpose of this manual, we shall call the pair of pins located closest to the IDE port and used for Master/Slave settings the first pair of pins. The next, second pair of pins is usually used for Cable Select settings. The third pair of pins is the one we will connect the Serial cable to.

Please note that IDE hard drives must be set to Master mode for password extraction and reset or drive recovery. To use the drive in Master mode, place a jumper on the first pair of pins (closest to the IDE port), as shown in the picture below.

3.5 IDE Seagate pins

Attach the 2.5-mm RX-TX connector to the third pair of jumper pins, as shown in the picture below. Make sure that red RX (receive) wire is facing down and the black TX (transmit) wire is facing up. The second pair and the fourth pair of pins must be left open.

3.5 IDE Seagate connected

Connecting 2.5-inch Seagate IDE drives

Similar to desktop hard drives, laptop Seagate hard drives also must be set to Master mode to perform password extraction and reset or drive recovery. Master mode on a 2.5-inch device is set by removing all jumpers.

2.5 IDE Seagate pins

There is a 3.5"-to-2.5" IDE adapter included in the package with the DiskSense unit. It consists of the following components:

• IDE port J1 for IDE interface cable
• 2.5-inch IDE port J2 to connect the drive to
• Power port J3 for IDE power cable
• 4-pin block J4, where each pin is marked with letter A, B, C, and D.

2.5 to 3.5 IDE adapter

Use the adapter to connect the drive to IDE interface cable and IDE power cable. Then attach the 2.5-mm RX-TX connector to pins marked A and C, as shown in the picture below. Make sure that the black TX (transmit) wire is connected to the pin A, and red RX (receive) wire is connected to the pin C.

2.5 IDE Seagate connected

Please note that to use the 2.5-inch Seagate IDE drive in Slave mode, the 2.5-mm RX-TX connector must be detached from the adapter and instead a jumper must be placed on pins A and B.

Configuring the Baud rate

Once the Seagate hard drive is connected to the unit, follow these instructions to configure the Baud rate of Seagate Terminal, which allows you to use an extensive set of commands on a Seagate drive:

1. If there is only one source drive connected to the DiskSense unit, it will automatically be identified and displayed in the Source disk port. However, if there are multiple hard drives connected to the DiskSense unit as Source drives, go to Source category of the top level menu, click on Select Source and choose the Seagate drive.
2. Power down the selected drive.
3. In the Windows category of the top level menu click on Terminal and in the COM Port Settings window select the Baud rate compatible with the drive. Please note that for Seagate 7200.10 and older Baud rate will be 9600; for 7200.11 and newer Baud rate will be 38400 (Atola Insight Forensic will suggest the baud rate by setting a default value in the Terminal window for the drive connected to it).
4. Then click OK. But do not close the Terminal window just yet.
5. Power on the drive again. There must be a valid output in the Terminal window (see the picture below).

Terminal output

Should there be no output in the Terminal window or should it consist of random symbols, try to change the Baud rate until you get a good response.

Now proceed with password extraction or send Seagate Terminal commands to the drive.

Recovering Seagate 7200.11 hard drives

First of all, please connect the hard drive's serial port to DiskSense unit by following instructions on the Serial Port Connection page.

Open the Terminal window, select the DiskSense COM port (usually the one that is displayed by default is the correct one). 38400 is the proper speed for 7200.11 hard drives:

COM terminal connection

Once everything is set up, click OK. Make sure that you have attached everything correctly by applying power to the drive (you should see a meaningful output in the terminal window).

Note: if you make an mistake while entering commands, you will get the following message:

Invalid Diag Cmd Parameter

In this case simply re-enter the command and double-check that you are entering everything exactly as shown in this manual.

Once everything is ready and you have powered on the drive, you should see the following (or very similar) output in the terminal window:

At this point press CTRL+Z. You should receive the command prompt:

Fixing zero capacity problem

1. Type the following: m0,2,2,0,0,0,0,22 and then press ENTER.

2. At this point the drive will stop responding for a while.

3. After some time (1-5 minutes) you will get several messages from the drive similar to these:

User Partition Format Successful - Elapsed Time 0 mins 00 secs

4. Wait some more time until you see the command prompt again:

5. Type the following: /2 and then press ENTER. You will see the following output:

6. Type capital Z and press ENTER:

7. At this point you have to re-power the drive. The procedure is complete.

Fixing HDD always BUSY problem

This problem is also known as "LED:000000CC problem". This is because when you apply power, you will usually see the following output:

To fix this issue, please follow these steps:

1. Power off the drive
2. Remove two screws as shown on the picture below (you will need a Torx T6 screwdriver):

3. Put a piece of paper as shown on the picture below (the goal is to separate spindle motor contacts from the pcb):

4. If you detached any cables from the drive, this is the right time to attach them back.

5. Apply power to the drive (with screws removed and paper inserted) and wait for the drive to become ready (usually no more than one minute)

6. You will see the following (or very similar) output in the terminal:

7. Press CTRL+Z. You will get the command prompt:

8. Type the following: /2 and then press ENTER. You will see the following output:

9. Type capital Z and press ENTER:

10. Now remove the paper, put all screws back and tighten them (do not power off the drive!):

11. Type capital U and press ENTER:

12. Type the following: /1 and then press ENTER. You will see the following output:

13. Type the following: N1 (capital N and one) and then press ENTER. You will see the following output:

14. Re-power the drive (press Power Off button on the DiskSense unit; wait 10-15 seconds; press Power On button) and wait until it initializes:

15. Press CTRL+Z. You will get the command prompt:

16. Type the following: i4,1,22 and then press ENTER. You will see the following output:

17. At this point do not re-power the drive, scroll to the top of this page and go through Fixing zero capacity problem starting from step 1.

Unlocking Hitachi hard drives

Password extraction on Hitachi SATA drives

Hitachi drives require the use of the password extraction adapter which is included in the product package. The adapter plugs straight into the IDE port located on the front side of the DiskSense Forensic unit.

Atola Hitachi password extraction adapter

2.5-inch SATA hard drives (HGST models)

The following actions can only be performed if your SATA drive is attached to DiskSense unit via Hitachi password extraction adapter.

1. Connect Hitachi password extraction adapter to the IDE Source port of DiskSense unit.

2. Connect the source Hitachi HDD to Hitachi password extraction adapter.

3. Place the hard drive as shown on the picture (no need to disconnect any cables):

4. Use a T4 screwdriver to remove four screws as shown below:

5. Put a piece of paper between the circuit board and the hard drive assembly:

6. Do not remove paper; proceed with unlocking

7. To disable the Safe Mode, first remove the paper and then put all screws back:

8. Continue with the unlocking process.

2.5-inch SATA hard drives (old models)

The following actions can only be performed if your SATA drive is attached to DiskSense unit via Hitachi password extraction adapter.

1. Connect Hitachi password extraction adapter to the IDE Source port of DiskSense unit.

2. Connect the source Hitachi HDD to Hitachi password extraction adapter.

3. Place the hard drive as shown on the picture (no need to disconnect any cables):

4. Use a T4 screwdriver to remove two screws as shown below:

5. Put a piece of paper between the circuit board and the hard drive assembly:

6. Do not remove paper; proceed with unlocking

7. To disable the Safe Mode, first remove the paper and then put all screws back:

8. Continue with the unlocking process.

3.5-inch SATA hard drives

1. Place the hard drive as shown on the picture (no need to disconnect any cables):

You may see the orange cable connected to the PCB being fastened by the latch.

2. Important: Power off the drive.

3. Unlock the latch as it is shown below:

4. Disconnect the cable to activate Safe Mode.

5. Proceed following Atola Insight instructions.

6. Important: Power off the drive.

7. To deactivate Safe Mode, plug the orange connector into the PCB socket and fasten it with the latch.

8. Follow Atola Insight instructions.

IDE hard drives

1. You will need the Atola 2.5-inch to 3.5-inch adapter:

If you have such an adapter, please skip to step 4.

2. Disconnect the drive and place it as shown on the picture:

You do not need to perform this step if you have Atola 2.5-inch to 3.5-inch adapter (see step 1)

3. Locate a jumper that fits 2.5-inch HDD jumper pins:

And then install the jumper into position as shown below:

You do not need to perform this step if you have Atola 2.5-inch to 3.5-inch adapter (see step 1)

4. If you're using Atola 2.5-inch to 3.5-inch adapter, then install a jumper between pins A and C (on the adapter).

5. Attach the hard drive back to the Atola DiskSense unit and proceed with unlocking.

6. To disable the Safe Mode, simply remove the jumper:

7. Plug the hard drive back to the Atola DiskSense unit and continue with unlocking.

Multitasking Capabilities of Atola Insight Forensic

With each passing year, speed becomes a yet bigger issue for forensic specialists: while the capacity of hard drives grows exponentially, their speed does not keep up. A common 4TB drive's speed constitutes up to 200 MB/s or 12 GB/min, which translates to more than 5 hours of imaging. And it may take prohibitive amounts of time to image a drive with damaged zones. Therefore, the ability to simultaneously run different operations on several devices is more vital than ever.

To provide users with greater productivity, Atola Insight Forensic's high-capacity multi-core CPU supports up to 15 concurrent tasks, that can be assigned to different drives or image files.

You can start Imaging process from a Source drive to one or multiple Target drives and/or image files. Then you can click on the Plus icon and open another target drive to start another operation.

How to add more device operations

For example, you can launch Fill/Erase on this Target drive to get it ready for the next imaging session:

Additional wiping task being executed in parallel

It is also possible to Calculate Hash on yet another Target drive:

Hash calculation being executed in parallel

Other long-running operations you can perform simultaneously include:

• Automatic Checkup
• Artifact Finder
• Verifying Segmented Hashes
• File Recovery
• Scripting (e.g. search files, files types, words, phrases or patterns, specific information type like email address, telephone, address, GPS coordinates etc.).
• Comparing data on drive with a pattern
• Media Scan

Artifacts Finder

Insight's Artifact Finder feature allows early analysis of data by reading and parcing data on an evidence drive or its images.

Insight supports multiple simultaneous artifact searches on both source and target drives.

Searching for artifacts

Go to Artifacts Finder in the left-side menu. In the upper part of the window there is a table with previous artifact searches performed on the current drive including those carried out during imaging. If you want to perform another search, select the artifacts that need to be found.

The artifacts include:

1. Credit cards
2. Emails
3. GPS coordinates
4. IP
5. MAC
6. Phone numbers
7. URL
8. Keywords
9. Regular expressions

For each of the artifacts, not only widely known filter algorithms were applied for proper result filtering (such as the Luhn formula used to validate credit card numbers), but there have also been custom smart filters applied to eliminate false results (e.g. two slashes next a number that has preliminarily been identified as a credit card number, will eliminate it from the search results, as it is likely to be a part of a URL).

Keywords and regular expressions can be added to the search parameters in a txt file with one artifact per line. Keyword encoding can be adjusted to Unicode, Unicode (UTF-8), Unicode (Big-Endian) or US-ASCII.

Browsing through the found artifacts

As the Artifact Finder is still running, you can look at the progress in the Artifacts tab below the progress bar and click the diagram to see the list of found artifacts. If you only want to look at a certain category, click it in the list or in the diagram.

In the table, each artifact is given an Id number, each found Value is shown in the context (including 20 bytes before and 20 bytes after the artifact in grey color), the LBA and the offset are also displayed in the table to help locate the artifact.

There are many options to help find, sort, filter and view the artifacts. It is possible to view one or a few categories of artifacts in one list, use the Search bar to find a specific value (search examples are provided in the bottom right corner of the window), filter results for unique values by clicking the Show unique artifacts link. It helps identify the values most frequently occurring on the drive: to sort the results click Count in the table header.

Click an artifact in the list to see the sector where it is located. It allows you to see the context, in which this artifact is placed.

Exporting the list of found artifacts

Export to CSV button is disabled during the search. You can wait until the process is completed or, should it be necessary to start analyzing the current search output with an external tool, stop it, make an export and restart the search from scratch or from the last LBA analyzed during the previous session.

To make an export:

1. Click the link with the number of artifacts found during this search.
2. In the Artifacts page select the artifacts to be exported (e.g. one or multiple artifact categories, unique artifacts or only those fitting certain search criteria), and then click Export to CSV file button.
3. Select the path for the file and click Export

Wiping multiple drives simultaneously

Erasing data on destination drives guarantees accuracy of the imaged data and helps verify that the drive has no errors. In the course, all sectors are overwritten with the help of selected pattern or method.

When you need to prepare multiple hard drives for imaging, Insight's multitasking capabilities enable you to do so much faster by launching Erase/Fill on multiple drives simultaneously, including those connected to the source port.

Write protection switch

To wipe the drive connected to the source port, remember to switch off write protection on the port so that the indicator above the switch is off and there is a notification right below the port bar saying Note: Write protection of currently attached device is OFF (see the picture below).

Then follow these steps:

1. 1. Under Device Utilities select Fill or Erase.
2. 2. Select Fill method among the wide range of options and click on Next button.
3. 3. Select the range of sectors to be erased on the drive and click on Start Fill / Erase button.
4. 4. Finally, confirm that you want to erase data on the disk in the pop-up window.

To run a concurrent Fill/ Erase process on another drive, click on the + (plus) icon in the port bar and select a drive connected to a Target port:

Then repeat the same steps to launch the process on this device:

By following the same steps you can wipe data from one source drive and three target drives, all at the same time, as shown in the picture below.

This ability to perform Fill/Erase on multiple drives makes Insight exceptionally useful for forensic units dealing with multiple cases, where evidence acquisition is an ongoing activity.

Lifting HPA and DCO restrictions

Both HPA (host protected area) and DCO (device configuration overlay) features were created by hard drive manufacturers as hidden areas reserved for storing vendor utilities or simply to make a drive appear to have a certain number of sectors (smaller than the actual drive capacity). But it is many years ago that end users learned to modify and write to these areas of hard drives with the help of open source and freely available tools. For digital forensics specialists, it means that without the ability to identify such hidden areas of a drive and image the full physical image including data in these areas, the evidence they get may be incomplete and lead to inaccurate investigative conclusions.

When you connect a hard drive to the DiskSense unit, in addition to the standard Identify device command, Atola Insight Forensic automatically sends two commands to look up the drive size as set in drive’s firmware: Read native max address and Device configuration identify . If drive size has been limited by DCO or HPA, Insight will draw attention to these changes by adding corresponding red indicators to the DiskSense Source Port.

Indicators showing active HPA and DCO restrictions

To get more details about the modifications that have been made to the drive’s firmware, run Automatic Checkup and see the Firmware section of the Diagnostics report.

There you will see three lines indicating the drive’s Max Address according to different records in the drive’s firmware:

1. The Max Address according to device ID line shows the max address from the ID sector, affected by both HPA and DCO restrictions if those are applied.
2. Native Max Address indicates max address ignoring HPA limitation that may have been enabled, yet affected by DCO restriction.
3. Max Address from DCO is the line that gives you the actual drive size.

A Diagnostics report of a drive that does not have HPA or DCO activated will have the same value in all three lines.

Diagnostics showing active HPA and DCO restrictions

To disable any limitations that have been applied to the drive’s firmware, click on the Unclip HPA/DCO subcategory under Device Utilities category of the left-side menu and click on Unclip button.

Please note that Write Protection switch needs to be disabled on the DiskSense unit to perform this operation, as Unclip HPA/DCO implies making changes to the drive's firmware, and Write Protection won't let perform such changes.

Unclip HPA and DCO

Atola Insight Forensic lifts HPA and DCO restrictions in a matter of seconds and enables access to all data on the drive.

HPA and DCO restrictions cleared

Lift HPA until power cycle

Often, due to internal procedures, forensic specialists are not allowed to make any changes to the drive, therefore they cannot disable HPA and DCO restrictions and access data in the hidden areas. But with Atola Insight Forensic it is possible to lift HPA limitation until the next power cycle, which helps avoid permanent changes to the drive.

To use this feature, go to Host Protected Area subcategory of the Device Utilities category of the menu and click Read HPA parameters link. By clicking Set as current link you will automatically change Current Max Address value to that of Native Max Address. Then tick the Change Max Address temporarily (until power cycle) checkbox and click Change Max Address button.

Changing HPA max address until power cycle

This will allow access to the data in the area previously protected by HPA, yet as soon as you power off or detach the drive, the HPA will be in place again.

NB If the drive contains damaged areas and Insight needs to perform power cycles during imaging, such power cycles will not affect the temporarily disabled HPA: Insight will temporarily remove HPA max address restriction after each imaging-related power cycle, and HPA will remain accessible throughout the imaging process.

For more information about imaging of freezing drives, please follow this link.

Case Management system

Insight's Case Management system records every step of data acquisition process: every operation is automatically added to the case from the moment a device is identified including date, time, media map and hash values. When a hard drive is imaged, its media map is recorded detailing all the sectors that have been skipped. Case notes can be added at any time to log information such as the case technician or owner of the hard drive.

Whenever an operator connects a hard drive to the DiskSense unit, Atola Insight Forensic makes an automatic database lookup and retrieves all past records associated with that particular hard drive. New entries will be added seamlessly to the database. You do not need to enable Case Management or take any additional actions for it to start functioning; it is fully embedded into Atola Insight Forensic and works at all times.

Case number can be assigned and changed at any time. The system also allows browsing through all cases and records within the cases, without corresponding devices being connected to the unit.

Finding and opening a case

Insight's Case Management system records every step of data acquisition process saving them into reports grouped by cases.

To view the whole list of cases and their devices:

1. Go to Case category in the top menu
2. Click on Search/Open option

Search/Open case

In the Search and Open Case window you will see the list of all the devices that have ever been connected and identified by your Insight.

It is possible to search for cases using multiple criteria and sort the results ascending or descending in any of the columns.

Please note that it is possible to store multiple devices under the same case number, allowing you to keep track of all devices related to a certain case.

Once a device is selected, you get a preview of the case including device details: when the case was created (i.e. the device was connected to the unit and identified by Insight for the first time), last time it was opened, the device model, serial number and description.

Case search filters

The case opens as a separate port in the Top Bar of the Insight window.

Print reports from a case

Insight’s Case Management system includes flexible printing functionality. To print a report click the Print link in the case’s Home page.

Print link

In the Print Case History window you get all the reports listed, sortable by date or by reported operation. It is possible to tick just some of the reports or select all reports in the case by ticking the check box in the header of the list. Below there are all pictures attached to the case, which you can also select to be printed.

At the top of the Print Case History window there are four check boxes with report listing and printing settings (click on the Case Management arrow to view all check boxes):

• Insert page break after every report on print
• Also show miscellaneous reports hides/displays all reports of seemingly minor importance, yet essential to some forensic specialists in accordance with their internal procedures
• Also print CSV logs allows the printed version of the reports to include operation logs saved in CSV format
• Also print segmented hashes also enables segmented hash saved in CSV files to be included in the printed version of the reports

It is possible to print or save the selected reports and pictures in a PDF, HTML or RTF file by clicking Save to file… or Print buttons.

Print options

If you have ticked the two later options, this is how the log and the segmented hashes will be displayed in the report:

Printing report having logs and segmented hashes included

Changing details in a case

Insight's case management system has been created to help users efficiently keep track of hard drive-related information.

Even if a hard drive has already been used for a while, imaging and hashing have already been performed, it is still possible to open the case and make adjustments to its details.

Change case details in a single click

Click the Plus icon next to the Case Number in the top right corner.

Now you can enter or change the Case Number and Description. To save your changes click OK button.

Changing case details

You will see the description visible next to the Case History. For quick changes, you can also click Change link located right below the description.

A little lower there is a green Plus icon, which you can click to add a document or an image to the case.

Case description added

In the Attach File window enter the file location path and leave a comment in the corresponding field.

If you tick the Copy to work folder check box, the file will be copied to the same folder where any other related files are located, e.g. tables with segmented hashes, logs, imaging maps, file signature lists etc.

Attaching files

You can now see all the uploaded files in the case's Homepage below the description, and you can view all the details and change them when necessary by clicking Manage attached files link.

Attached Files window contains the list of files including an icon representing the file type, the name, the folder where the file is located, the date when the file was attached to the case and the comment added by the user.

Right-clicking a file provides the Edit option enabling a user to edit the Comment or copy the file to the case folder at any time.

Exporting and importing cases from one computer to another

It is possible to transfer all or some of the cases stored in one Insight's case management system to another one. The only requirement is that both computers have the same version of Insight installed.

Whenever cases need to be transferred from one computer to another one, start by exporting the cases.

1. Go to Cases category of the top level menu and click Export.

Export selected cases

2. In the Export Cases window select folder where the cases should be stored, then select the cases you would like to be exported and click Save button.

3. The cases are now saved as a package in a zip file (with the default name Cases.Package.zip), which can later be copied to a different computer.

NB Whenever a case is exported, a record about it is added to the case’s history.

Case export report

Importing cases

To import cases from a zip file into Insight on a different computer.

1. Click Import in Cases category of the top menu of Insight.

2. Click Browse icon and select path and name of the zip file.

Importing cases

3. Select some or all of the cases in the table and click Import button.

Importing cases selectively

Please note that if there is a match between existing case numbers and the imported ones, Insight will prompt you to either cancel the import or save the case that causes the conflict as a copy.

Ways to resolve import conflicts