Drive diagnostics

When an investigator gets an evidence drive to image and analyze, there are some questions to ask about that evidence device:

In most cases, you never can tell just by looking at a drive.

That is why Atola TaskForce 2 can automatically perform forensic drive diagnostics to check drive health before imaging and provides a clear and detailed diagnostics report. Even for drives that cannot be identified.

Sample diagnostics reports about drive health


Why it is important to diagnose an evidence drive?

Forensic drive diagnostics in TaskForce 2 helps you to make informed decisions and prioritize tasks depending on evidence device condition and imaging time.

Prioritize imaging and investigative tasks

Diagnostics shows you if there is any data, partitions, or hidden areas on the drive, thus helping you to prioritize it among other devices involved in the same case.

Estimate time needed to image evidence drive

Diagnostics gives you an estimate of how much time it will take to image this drive, based on the drive state, reading speed, and size.

Extract data from a bad drive without damaging it

To image an evidence drive without causing further damage to it, TaskForce 2 automatic diagnostics evaluates the state of the drive, identifies specific errors, and recommends the best approach for data acquisition.

How to diagnose a drive

To start automatic disk diagnostics, an operator simply plugs an evidence drive into the TaskForce 2 unit and clicks a single button. Real-time status updates are displayed throughout the checkup.

It takes up to 5 minutes to generate a full diagnostic report. The report contains detailed recommendations on how to acquire data from this particular drive, based on its condition.

TaskForce 2 diagnostics module automatically checks all systems of the drive:

Drive diagnostics in progress.

Drive diagnostics in progress.

Detect issues with drive’s motor and electronics

TaskForce 2 checks the drive's printed circuit board. The system applies power to the device and analyzes spin-up currents. This allows to detect most issues with the PCB and the motor.

Also, TaskForce 2 identifies the device by reading its identification sector. Even if TaskForce 2 can't recognize a drive, it can still diagnose it. For more details, see Diagnose hard drives that cannot be identified.

Identify damaged heads to avoid delays

TaskForce 2 analyzes each head to detect head damage.

If any head is damaged or degraded, attempts to read sectors with it will slow down an imaging process and can cause further damage to the hard drive.

In this case, TaskForce 2 will recommend you to disable damaged or degraded head before imaging to acquire data from good heads first.

Avoid the need to swap heads

Physical head swap is always a challenge. Certain hard drive designs make the process extremely complicated, and in some cases, donor parts can be very difficult or even impossible to acquire. Physical recovery cases can be time-consuming and expensive, head-by-head imaging can often save an operator the need to attempt a head swap.

One degraded head detected during HDD diagnostics.

One degraded head detected during HDD diagnostics.

Assess disk’s readability and get imaging time estimate

To check disk’s readability, TaskForce 2 verifies if there are any bad sectors in the starting, middle and ending sectors of the drive.

The diagnostics module also records the reading speed in different parts of the drive surface and calculates the time needed to image that device.

Detect any hidden areas on the drive and check for password protection

During the firmware analysis, TaskForce 2 checks if the disk is locked with a password and if it contains hidden areas created by HPA, DCO, or AMA limitations.

The diagnostics module reads the SMART table to check if there are any defects in the media. It also shows the disk’s temperature and power cycle history to provide an investigator with additional clues.

Evaluate the size of disk partitions and unallocated space

TaskForce 2 detects and verifies the file system on the evidence drive. The diagnostics report contains information about the type and size of disk partitions and indicates if any disk space is not associated with any partition.

What types of devices can be diagnosed

TaskForce 2 performs diagnostics for all popular device types:

Diagnose drives that cannot be identified

TaskForce 2 can accurately diagnose evidence drives that cannot be identified or recognized by any system. When TaskForce 2 can’t identify the drive, it can still diagnose the device by sensing the SATA PHY status, sending low-level, vendor-specific commands into the HDD, and interpreting electrical currents.

TaskForce 2 applies power to the drive, while immediately starting to sample its startup currents. The next step: comparing the startup currents to the internal database, thus detecting a specific failure.

This very approach allows to successfully identify a range of defects: head stack failure, motor damage, electronic board damage, and more.

Diagnose drives with multiple malfunctions

Usually, TaskForce 2 identifies multiple failures at once. In some cases, though, only one failure will show up during the first diagnostics. Other issues will come up during the recovery process.

For example, if a drive fails in both the PCB and firmware area, only PCB damage will be identified at first. And this is because the PCB is responsible for relaying electrical signals from the drive to detect firmware damage.

Once the PCB is repaired, the drive has to be diagnosed for the second time to identify the damage to the firmware area.

Damaged drive diagnostics.

Damaged drive diagnostics.