Quickstart

Atola TaskForce has highly intuitive design. This guide will assist in quickly learning how to use TaskForce and image an evidence drive.

1. Start TaskForce

Switch on the power button on the back side of the system and wait for a message to appear on the small IP screen on the front panel. If TaskForce is connected to the local network with an Ethernet cable, IP addresses will be displayed, which can be entered in a Chrome browser on any device within the same local network. If no Ethernet cable is connected to it, TaskForce will start in Standalone mode, in this case you can use the main screen on top of the device.

2. Plug the source drive into the unit

Atola TaskForce has 18 ports, and each of them can be used as either a source or a target. Before connecting your evidence drive to the appropriate port, make sure the port is in the source mode, thus securing any command that can change the state of the drive from being applied to the evidence drive.

3. Diagnose the source drive

In the left-side menu click the Diagnose button and a slide-out Select device menu will appear.

In the appropriate category (SATA, SAS, USB, File, IDE or Extension*) select the source drive and click START button. Diagnostics will take a couple of minutes. Should the state of the evidence drive be good, you can proceed to image it.

4. Plug the target drive(s) into the unit

When connecting a target drive (or multiple targets), also make sure that the corresponding ports are set to target mode.

5. Start imaging

In the left-side menu click the Image button.

Select the source device you have diagnosed in the menu.

Select the targets in the menu. Once you have selected the source, a right-hand slide-out Select target device menu will appear. Under the same categories you can find and select a single target or multiple targets.

The Imaging initiation page lists the source drive and the case ID at the top of the page, the default settings applied to this imaging session and the list of Targets to be involved in this session. Click Start button at the bottom of the page.

TaskForce workflow

Atola TaskForce provides a complete feature set for has a forensically sound evidence acquisition process. Based on our own decade-long experience of working with data storage devices as well as the experience of our clients in digital forensics market we strongly recommend this workflow:

1. Diagnose the drive

TaskForce is equipped with a fully-automated diagnostics module, which diagnoses all drive systems: printed circuit board (PCB), spindle motor, head stack, firmware, and file systems. Diagnostics will work properly even if the drive has burnt parts or damaged head stack – the routine makes use of the current monitor that is embedded into DiskSense unit.

After diagnostics finishes, the tool will prepare a report and let you know the exact issue with the drive; it will also suggest the next step to be able to retrieve the data.

2. Get access to the hidden drive areas

Unclip or change HPA, DCO, AMA limitations

TaskForce detects hidden areas on the drive Host Protected Area (HPA), Device Overlay Configuration (DCO), or Accessible Max Address (AMA) and can automatically recover/remove them. To avoid change the state of the drive, HPA reset until power cycle option is available.

3. Image the evidence

To ensure efficient imaging of both good and damaged drives, TaskForce is equipped with a sophisticated and powerful imaging module that creates a bit-to-bit copy of the evidence. Based on the diagnostics report, image drives with default settings or adjust them, should the media be damaged and require special treatment.

4. Calculate hash

To ensure forensically sound evidence acquisition process, remember to calculate hash of the evidence and the image. It is essential way to prove image integrity.

With damaged devices, it is best to calculate hash during imaging (using segmented hashing*). This way data on a fragile device is only read once, and less potential damage to the media is caused.

NB Linear hash can only be calculated by reading data in sectors consecutively in one pass. When it encounters a bad sector, linear hash calulation is discontinued. In upcoming releases we will support Segmented hashing so that hash can be calculated for damaged drives.

Package contents (TaskForce)

Please make sure that you have all these items in the package:

Forensic hardware unit

To support multiple simultaneous imaging sessions and other forensic tasks running on its 18 ports at top speeds, TaskForce hardware unit is built on extremely robust, high-capacity components that include a server-grade motherboard, 8-thread Xeon CPU 3.7 GHz and ECC RAM. To ensure high quality and efficiency of our tools, we test them on hundreds of storage devices.

This forensic hardware unit is designed for various types of digital investigations. It can be used in the lab and in standalone mode.

Ports, indicators & switches

Ports:

• 6 SATA
• 6 SATA/SAS
• 4 USB
• IDE
• Extension slot (for Thunderbolt, Apple PCIe SSD and M.2 SSD extension modules)

Source/target switch on each of 18 ports enabling hardware write protection in source mode:

• Source mode: helps safely connect and with the examined evidence drives to TaskForce
• Flexible port configuration: any TaskForce port can serve you as source or target depending on your needs.

LED indicators: two indicators for each of 18 ports. One indicator is located next to the port’s source/target switch and lights up when source mode is enabled.

Two 10Gb Ethernet ports

• In the lab: handles 12+ multiple imaging sessions utilizing two 10Gb network connections
• In the field: works fast with modern portable NAS solutions

Flash card support via card reader attached to any USB port of TaskForce.

Displays

Main display: Microsoft Surface Pro 4

• Screen: 12.3" PixelSense Display
• Resolution: 2736 x 1824 (267 PPI)
• Touch: 10 point multi-touch
• Detachable from TaskForce if necessary

IP display: OLED (20x2 characters)

Physical / Environmental

• Dimensions (including screen): 12x10x3 inches (30x25x7,5 cm)
• Weight (including screen): 4.5 lbs (3.6 kg)
• TaskForce working temperature range: 0°C – 40°C (32°F – 104°F)
• Screen working temperature range: 0° – 35°C (32° – 95°F)
• Power consumption: 60 Watt average, 280 Watt peak
• Supply Voltage: 100 - 240 VAC, 50 - 60 Hz

Other specs

Inside TaskForce forensic hardware unit

TaskForce forensic hardware unit is essentially a small server-grade computer running Linux. But because neither BIOS, nor Linux kernel was designed to handle hard disk failures, Atola engineers have invested a significant amount of research and development efforts to build a highly customized and fine-tuned Linux kernel that fully overcomes these issues and handle damaged media properly. Additionally, this kernel features:

• High-speed DMA data transfers, 500+ MB/s
• Full low-level control over SATA, USB and IDE ports
• Full native SATA support
• Reset and SATA PHY control for best handling of severely damaged hard drives
• All BIOS and standard kernel functions are disabled

TaskForce hardware also features Atola's proprietary circuitry for ultimate drive's power control:

• Current sensor for in-depth hard disk diagnosis
• Automatic overcurrent and short-circuit protection
• Overvoltage protection

These features are a must for proper handling of damaged drives.

For instance, low-level control of the SATA, SAS, USB and IDE ports allows TaskForce to handle the devices that do not properly initialize, have many bad sectors, or frequently freeze due to internal (mechanical) failures. SATA PHY control allows resetting a frozen hard drive without a power cycle, thus saving time during imaging, and reducing the chances of further hard disk degradation and failure. Current sensing allows TaskForce to diagnose a failed drive even if it has electronic or mechanical damage.

Overcurrent protection detects when the drive draws abnormal current and stops it to prevent any further damage. Overvoltage protection circuit ensures that in the unlikely event of the forensic hardware malfunction, the attached drives are not damaged in any way.

TaskForce hardware forensic unit is fully controlled by the software via Chrome browser, therefore no Linux experience is required to operate it.

Magnetic screen cover

The cover protects the TaskForce screen from physical damage during transportation and allows for quick and easy packing of the unit.

Made of 2-mm thick alumium, it is sturdy to protect the screen from scratching and breaking, yet is lightweight and thin to add no additional bulk to the device.

5 magnetic screws on TaskForce's upper panel help attach the lid quickly and easily. It is as easily removed with a measured pulling motion.

The cover comes in the standard package with TaskForces assembled from September 2020 onwards. All customers with an active TaskForce subscription can receive the complimentary cover by contacting our support and providing their unit's serial number and shipping address.

NB The only magnetic parts used are the magnetic screws. While our tests have shown that they are not able to damage a drive, we recommend that no storage or other devices are placed near the magnets.

Extension modules

TaskForce system allows expanding its compatibility with other device interfaces via hardware extension modules.

How to plug an extension module

TaskForce system must be powered off before an extension module can be plugged:

1. Power off TaskForce
2. Plug extension module into the Extension port
3. Power on TaskForce

Thunderbolt extension module

With the help of Thunderbolt extension module TaskForce supports imaging, hash calculation, write protection on MacBooks with ith the following interfaces:

• FireWire
• Thunderbolt 2
• Thunderbolt 3, 2016 - 2017 models

Connecting MacBook via Thunderbolt extension module

1. Connect MacBook to TaskForce unit with the help of Thunderbolt extension and the FireWire cable. Use adapters if needed (included).
2. To boot MacBook in Target Disk Mode, start it up while holding down the T key until you see a Firewire or Thunderbolt icon displayed on screen signifying Target Disk Mode.
3. Power on TaskForce and wait for the booting to be completed.
4. Open Device menu.
5. Click the port in Extension section of the Device menu.
6. In the Enter MacBook serial pop-up window, enter the serial number located on the bottom side of the MacBook and click OK.

For more information about working with MacBooks via Thunderbolt extension, read this article in our manual.

Apple PCIe SSD extension module

This module supports custom proprietary PCIe SSDs from Apple MacBooks (Mid 2013 - 2015).

M.2 SSD extension module

Connecting an M.2 NVMe or M.2 PCIe drive via extension module

Connecting an M.2 SATA drive via extension module

1. Connect the eSATAp cable end to the extension
2. Power off SATA or SAS port in Atola TaskForce software
3. Plug M.2 SATA drive into the extension and fix it in place with the plastic latch
4. Power on SATA or SAS port in Atola TaskForce software

For M.2 SATA, drive hotplug is supported. It allows installing and replacing drives by powering off the extension port in Atola TaskForce software.

Magnetic screen cover

The cover is made of 2-mm lightweight aluminum to protect the screen from physical damage during transportation and allows for instant packing of the unit.

To start using the cover, screw 5 magnetic screws into TaskForce's upper panel as indicated below:

Attach the lid by placing the cover against the magnets and remove with a careful pulling motion.

NB The only magnetic parts used are the magnetic screws. Do not place drives on top of the screws. While our tests have shown that they are not able to damage a drive, we recommend that no storage or other devices are placed near the magnets.

The cover comes in the standard package with TaskForces assembled from September 2020 onwards. All customers with an active TaskForce subscription can receive the complimentary cover by contacting our support and providing their unit's serial number and shipping address.

Atola TaskForce's connectivity and multi-user access

Atola TaskForce has three connectivity options:

1. 10Gb Ethernet network
2. Standalone mode
3. WiFi access point (optional)

10Gb Ethernet network

Atola TaskForce is equipped with two 10Gb Ethernet ports. Whenever the system is connected to a local network via one of its Ethernet ports, an IP address will be displayed on the IP screen on the front panel of the system.

If the system is connected via both Ethernet ports, two IP addresses will be displayed on the screen. These IP addresses are assigned to TaskForce by your DHCP server.

Multi-user access

With the help of these IP addresses, TaskForce can be operated by multiple users siultaneously from their workstations or mobile devices:

• enter either of the IP addresses as shown on the IP screen in Chrome browser on another device within the same local network.

Through Chrome browser one can remotely track and manage tasks, power devices on and off, open, edit and print cases etc.

Types of devices that can be used to access TaskForce simultaneously include:

• Desktop PC
• Laptop
• Tablet
• Smartphone
• Built-in TaskForce touch screen

TaskForce software can be open in Chrome browser within any OS.

This functionality enables a group of users to work on different assignments using the same tool. This helps utilize TaskForce’s multitasking capabilities to the maximum and track operation progress remotely. The number of users accessing TaskForce simultaneously is unlimited.

Standalone mode

TaskForce is equipped with highly responsive HD screen (see Hardware specs), which allows the system’s use in standalone mode.

Whenever the system is not connected to a network via its 10Gb Ethernet ports, Standalone mode status will be displayed on the IP screen.

In this mode, you can image data from multiple source drives to target drives in parallel. Thanks to its compact size TaskForce can be easily used in the field.

Wi-Fi access point

The third way to access TaskForce's user interface is via Wi-Fi 802.11n 150 Mb/s adapter. The adapter is optional and can be purchased from your preferred retailer. Here is a link to the supported adapter sold on Amazon. To enable the adapter, follow these steps:

1. Connect the adapter to one of your TaskForce's four USB ports.
2. Go to Menu in top right corner of TaskForce web page.
3. Click Settings.
4. Enable Wi-Fi Hotspot. An IP address will appear underneath Wi-Fi Hotspot category.
5. Click SETTINGS button.

5. Enable Wi-Fi Hotspot.
6. Set SSID and Password. To make the network invisible to other devices, check the Hidden mode box. Click SAVE button.
7. Use these details to connect to the Hotspot from another device.

8. To open TaskForce interface, enter the IP address (indicated under Wi-Fi Hotspot category in Settings window, see Step 3) in Chrome browser of the device you have connected to the Hotspot.

 

The vast connectivity options make TaskForce a great tool for using both in the lab and in the field.

Use TaskForce with multiple user profiles

For security reasons, you can allow access to Atola TaskForce only for authorized users, protect each user profile with a password, and keep processes, reports, and cases separate and confidential for each user.

Also, you can set up Atola TaskForce to automatically lock its screen after a certain time of inactivity and to prompt a user to log in.

User profiles is an optimal solution when you want to:

• Share one Atola TaskForce unit with multiple colleagues at the same time.
• Keep other users from interrupting the processes you started on your TaskForce.
• Keep your colleagues from seeing each other’s cases.
• Temporarily pass your TaskForce to other forensic lab, department, or agency without giving access to your cases.

What others can see and do when you share one TaskForce

After you enable User management, you become an administrator and can create up to 20 profiles with either Admin or User role. These roles have different permissions.

What an Admin can see and do

The first profile that you create after enabling User management has an Admin role. You can have more than one profile with the Admin role on your TaskForce.

As an Admin, you can:

• See and edit all cases of other users.
• See and stop all processes run by other users.
• See and print all reports created by other users.
• Access and change all TaskForce settings.
• Enable or disable User management.
• Add, edit, or delete other user profiles with either Admin or User role.
• Change other user’s password.
• Set TaskForce to automatically lock screen after a certain time of inactivity.

What a User can see and do

A profile with a User role is created by Admin and has limited access to TaskForce.

As a User, you can:

• Log in only to your user profile.
• See and edit only your cases.
• See and print only your reports.
• See, run, and stop only your processes.
• Change only your password.

As a User, you can’t:

• Access somebody else’s user profile.
• See and edit other users’ cases.
• See and print other users’ reports.
• See or interrupt other users’ processes.
• Assess a device that runs other user’s process.
• Access and change TaskForce settings.
• Enable or disable User management.
• Add, edit, or delete other user profiles.
• Change other user’s password.
• Disable or configure Automatically lock screen feature set by Admin.

Enable User management

The first profile, what you create after enabling User management, has an Admin role.

To enable the multi-user mode in Atola TaskForce, do the following steps:

1. In the Atola TaskForce window, go to Menu > Settings.
2. In the Users section, toggle User management.
3. Enter username and password for administrator’s profile, and then click Create.

Now you can add, edit, or delete other user profiles.

Add, edit, or delete users

Only Admin can add, edit, or delete other user profiles with either Admin or User role.

Add a user

To add a user, do the next steps:

1. Log in to a profile that has the Admin role.
2. In the Atola TaskForce window, go to Menu > Settings.
3. In the Users section, click Manage.
4. On the Users page, click Create user.
5. Enter username and password for a user.
   Optional: To grant this user an Admin role, select Admin checkbox.
6. Click Create.

Edit a user

To edit a user, do the following:

1. Log in to a profile that has the Admin role.
2. In the Atola TaskForce window, go to Menu > Settings.
3. In the Users section, click Manage.
4. On the Users page, select a user you want to edit.
5. In the Edit user dialog, edit username.
   Optional: To grant this user an Admin role, select Admin checkbox.
6. Click Save.

Delete a user

After deleting a user, you can still access their cases and reports under a profile with the Admin role.

To delete a user, and do the next steps:

1. Log in to a profile that has the Admin role.
2. In the Atola TaskForce window, go to Menu > Settings.
3. In the Users section, click Manage.
4. On the Users page, select a user you want to delete.
5. In the Edit user dialog, click the Delete icon.
6. In the confirmation dialog, enter YES, and then click Delete.

Log in and log out

To log out, click Menu > Log out. Atola TaskForce locks itself and prompts to enter username and password. All the processes you started before logging out are still running in the background.

To log in, enter your username and password, and then click Log in. Atola TaskForce unlocks itself and shows its Home screen.

Change password

As a User, you can change only your password. As an Admin, you can change other user’s password as well.

Change password for your profile

To change password for your profile, go to Menu > Change your password, enter your current and new passwords and click Save.

Change password for other user as an administrator

To change password for other user, do the following:

1. Log in to a profile that has the Admin role.
2. In the Atola TaskForce window, go to Menu > Settings.
3. In the Users section, click Manage.
4. On the Users page, select a user you want to change password.
5. In the Edit user dialog, enter new password, confirm password, and then click Save.

If you forgot or don’t know the password for an administrator profile on your TaskForce, contact Atola Support.

Automatically lock screen

As an Admin, you can set up Atola TaskForce to automatically lock its screen after a certain time of inactivity. To enable this feature, log in to a profile with the Admin role and do the next steps:

1. Go to Menu > Settings.
2. In Users section, toggle Automatically lock screen.
3. Enter a time period in minutes you want TaskForce to wait before automatically locking in.

Disable User management and password protection

As an Admin, you can disable user management and password protection for your Atola TaskForce.

To disable user management and password protection, do the following steps:

1. Log in to a profile that has the Admin role.
2. Go to Menu > Settings.
3. In Users section, toggle off User management.

Updating TaskForce firmware

Atola TaskForce firmware is updated on regular basis by our team. You can keep track of the updates we make to the firmware in TaskForce changelog.

Updating TaskForce firmware is easy using a remotely connected computer.

1. Plug TaskForce into to your local Ethernet network
2. Open Chrome on your PC
3. Download the most recent version of the firmware
4. Enter TaskForce IP address in Chrome browser
5. Open the System menu by clicking the top right corner icon
6. In the right-side menu, click Update firmware


Click Update firmware

7. Сlick Select file


Click Select file button

8. In the file selector, select the firmware file and then click Open button


Select the firmware file

9. In the pop-up window, click Update button


Click Update button

Once the update process has been completed, TaskForce software will switch to the new version. No TaskForce reboot or Chrome restart is required.

The current firmware version can be checked in Update firmware page of the System menu.

Configuring TaskForce use with Synology or QNAP NAS as a LAN

Here is a guide to configure your NAS to be used with TaskForce for storage of image files.

This manual is indicative and may vary between models and manufacturers. We have tested this setup on Synology DS218 and QNAP TS-431K.

Table of contents

Setting up Synology
Setting up QNAP
Direct connection with a Static IP:

1. Configuring TaskForce
2. Configuring Static IP in Synology
3. Configuring Static IP in QNAP

Setting up LAN using a router with DHCP (Dynamic IP):

1. Configuring the router
2. Configuring DHCP in TaskForce
3. Configuring DHCP in Synology
4. Configuring DHCP in QNAP

Setting up a Synology NAS

1. Install drives in the Synology NAS
2. Use a LAN cable to connect the DiskStation to your switch, router, or hub.
3. Press the power button to turn on your Synology NAS.
4. Install DiskStation Manager (DSM) – Synology’s browser-based operating system – on your DiskStation.
5. Follow the instructions to create a RAID volume and a partition with a file system on it.

Enabling SMB3 is highly recommended for the best performance:

• Go to Control panel > File services > SMB > Advanced settings
• Set Maximum protocol to SMB3
• Go to Control panel > Shared folder
• Click Create button and specify network folder details

6. Create a Shared folder in the new volume:
Control panel > File sharing > Shared folder > Create > Create Shared Folder

7. In the folder creation menu, set the folder name, e.g. Image Files and set access options.

Setting up a QNAP NAS

1. Install drives in the QNAP NAS
2. Use a LAN cable to connect the QNAP to your switch, router, or hub.
3. Press the power button to turn on your QNAP.
4. Install Qfinder Pro for quick find and easy access to QNAP NAS on the same LAN.
5. Find your QNAP using Qfinder Pro and go to its page in the browser.
6. Follow instructions to complete Smart Installation.

7. Create Storage Pool (RAID):

• Storage & Snapshots
  
• Storage (left menu)
  
• Storage/Snapshots
  
• New Storage Pool (in the the top right corner)
  
• Follow the instructions to set up the Storage Pool.

8. In the final stages of setting up the Storage Pool, create a New Volume.

9. In the File Station utility, you can find the new volume: QNAP. In it, there is a Shared Folder created by default called Public.

10. For a Shared Folder with specific access or encoding settings, create a new one by clicking the icon showing a folder with a + and adjust the configuration.

Direct connection with a Static IP:

Since we are not connecting TaskForce and Synology/QNAP NAS to a wider network, it is enough to set up the same Subnet Mask for the NAS and the TaskForce, and configure Static IP addresses that will indicate the same network.

TaskForce configurations

1. Go to Settings > Network section
2. Select the Ethernet port through which Synology is connected (e.g. ETH1)
3. Click IP settings’s Edit icon

4. In the pop-up window, enter the address (e.g. 255.255.0.0) in the Subnet Mask field that is identical to that of Synology.
5. Assign an IP address using the Subnet Mask: the first two bytes of TaskForce’s IP must be identical to those of IP Synology (e.g. 10.0.0.15). This will ensure that both TaskForce and Synology belong to the same network. (e.g. 10.0.0.8)

6. Click Save

Setting up a Static IP in Synology

1. Go to the Control panel
2. Network interface
3. Select the current connection to Synology
4. Click Edit

• In IPv4 tab select Use manual configuration
• Assign Subnet Mask (e.g. 255.255.0.0), which is identical to that of TaskForce.
• Assign IP address (e.g.: 10.0.0.15).
• Click ОК.

• After Synology has changed the settings, it can be disconnected from the current network.

Setting up Static IP in QNAP

1. In the Control panel go to Network & Virtual Switch
2. Select the current connection to QNAP
3. Open the Menu
4. Click Configure

5. In the IPv4 tab, select Use static IP address
6. Assign a Subnet Mask (e.g. 255.255.0.0), which is identical to that of TaskForce.
7. Assign an IP address (e.g.: 10.0.0.16).
8. Gateway field should be left blank because you are configuring a LAN and connecting to other networks is unnecessary.
9. Jumbo Frame and Network speed should be left with the default values.
10. Click Apply.

11. After the QNAP has changed the settings you can disconnect it from the current network.

Connecting to the Shared Folder in TaskForce

1. Connect the Synology/QNAP NAS to TaskForce’s ETH1 port
2. Click the Devices icon in the upper right corner. Go to the File section and click Select File
3. Click Connect
4. Enter the Server name, Username, Password. If you do not remember the server name, look it up:
Synology > Control Panel > Info Center > Server name
QNAP > Control Panel > General Setting > Server name
5. Click Connect

6. TaskForce has connected to Synology and you can open the previously created Shared Folder

Setting up a LAN using router with DHCP (Dynamic IP)

Setting up router

1. Connect the router directly to your PC or laptop via the Ethernet port.
2. Log in to the web configurator.
3. Turn on the DHCP server in the local network settings.
4. Apply changes.

Setting up DHCP in TaskForce

1. Open Settings, go to the Network section.
2. Select the Ethernet port to which Synology will be connected. (e.g. ETH1)
3. Click the Edit icon to adjust the IP settings.
4. Untick the Use static IP address checkbox.
5. Click Save.

Setting up DHCP in Synology

1. Go to Control panel > Network interface > Select the current connection to Synology > Click Edit

2. In the IPv4 tab, select the Get network configuration automatically (DHCP) option.

Setting up DHCP in QNAP

1. Open Control panel > go to the Network & Virtual Switch > select the current connection to QNAP > Menu > Configure

2. In the IPv4 tab, select Obtain IP address settings automatically via DHCP

Connecting the LAN devices

After all the reconfigurations, connect TaskForce, NAS and your PC or laptop to the router using Ethernet ports and connect to the Shared Folder as described above.

Network setup tips

• Configuring 10Gb network with DHCP-enabled switch
• Getting maximum performance of Ubiquiti network
• Configuring a dynamic IP for TaskForce in a network without router or DHCP-enabled switch
• Accessing Windows Server 2012 shared folder
• Setting up Synology DS218 as storage server

Configuring 10Gb network with DHCP-enabled switch

You need to create or extend network with DHCP-enabled switch with 10Gb connection.

Example. Ubiquiti EdgeSwitch 16 XG: four 10Gb Ethernet ports, twelve 10Gb SFP ports. Approximate price: $600.

This kind of switch supports static IP setup via simple web admin. So you could set the IP addresses you need for each current network device.

How to configure Ubiquiti DHCP server:

1. Connect PC and TaskForce to Ubiquiti switch
2. Set static IP address of PC to 192.168.1.4
3. Open a browser and enter 192.168.1.2 (default Ubiquiti switch IP)
4. Log in with default credentials: ubnt (both in name and password fields)
5. Go to System >> Advanced Configuration >> DHCP server >> Global
6. Activate Admin mode by checking a necessary checkbox and pressing Submit button
7. Go to Pool Summary and press Add to make a new address pool
8. Enter your:
• pool name
• network base address (for example, 192.168.1.0)
• network mask (in most cases, it should be 255.255.255.0)
• put Default Router Address and DNS
After creating your pool, you can change it via Pool configuration tab.
9. Click Save configuration button in the upper right corner of the window and click Save

You can check this Youtube guide for alternative instructions on network setup using Ubiquiti switch.

Getting maximum performance of Ubiquiti EdgeSwitch 16 XG network

To optimize performance using Ubiquiiti EdgeSwitch 16 XG, you need to enable 10Gbit with jumbo frames:

1. Go to Basic > Port summary
2. Select ports 0/13, 0/14, 0/15, 0/16 and click Edit
3. Change Maximum Frame Size to 9014 in Edit Port configuration window

Configuring a dynamic IP for TaskForce in a network without router or DHCP-enabled switch

If there is no hardware in the network that assigns IP address, or if you want to keep a small network with TaskForce and your server/PC connected directly, it is possible to install and setup software DHCP server. The good news is, it does not require any investment. All you need is some time to set it up on any computer in the server network. Follow the instructions from these guides:

• Windows: Free DHCP server.
• Linux: Included DHCP service.

Accessing Windows Server 2012 shared folder

If you want to store a target image file in a Window Server 2012 network folder but it appears missing, please follow these steps:

1. Go to Control panel
2. Enable Guest account (Administrative tools > AD users and computers > Users)
3. Network and sharing center > Change advanced sharing settings > Turn On network discovery + Turn on sharing (file and printers + public folders)
4. In the shared folder access options, add Guest or Everyone

If the shared folder demands restricted access, please follow this guide.

Setting up Synology DS218 as storage server

To set up Synology DS218:

1. Go to Control panel > File services > SMB > Advanced settings
2. Set Maximum protocol to SMB3
3. Go to Control panel > Shared folder
4. Click Create button and specify network folder details

If you need to get a guest account working, run the following actions:

1. Go to Control panel > User
2. Edit for Guest user
3. Untick Disable this account

For more instructions and information about check our Troubleshooting guide and FAQ page

Maximize 10 Gb network throughput

If you image evidence drives to a file on a server or a computer using a local network and want to achieve the best imaging speeds, maximize your network throughput by following these tips.

Set up 10 gigabit Ethernet network

Atola TaskForce is equipped with two 10 gigabit Ethernet ports. To fully use this potential and achieve the best imaging speeds, every node in your local network between the TaskForce unit and your computer or server need to support 10 gigabit connection as well.

Use 10 gigabit network adapter

Make sure that a network adapter on your server or your computer supports a 10 gigabit connection:

• Check vendor specifications for your network adapter.
• Check the network adapter speed in your OS settings.

How to check Ethernet connection speed on Windows 10 and Windows 11

1. Go to Control panel > Network & Internet > Network and Sharing Center.
2. In the View your active networks section, click your Ethernet connection.
3. In the Status window, check the connection speed. It must be equal to 10 Gbps.

Use 10 gigabit network cable

Make sure that the network cable you use to connect your TaskForce unit and your local network nodes supports 10 gigabit connection. It must have Cat6 (with the length of less than 55 meters), Cat6a, Cat7, Cat7a, or Cat8 marking on it.

Use 10 gigabit router or switch

If your TaskForce unit is connected through a network router or switch, make sure that every such device in your local network in between TaskForce and the target computer or server supports a 10 gigabit connection:

• Check vendor specifications for your network router or switch.
• Check that the 10 gigabit network cable is connected to a 10 gigabit port on your router or switch.

Enable jumbo frames

To speed up your 10 gigabit network, enable jumbo frames on your TaskForce, your target device, and every network switch or router in between them.

Jumbo frames increase the efficiency of broadband Ethernet processing because they carry 9000 bytes of payload, which is more than the standard limit of payload.

Enable jumbo frames on TaskForce

To enable jumbo frames on your TaskForce unit, do the following:

1. In the Atola TaskForce interface, go to Menu > Settings.
2. In the Network section, toggle Jumbo frames for respective Ethernet port (ETH1 or ETH2). Default MTU (maximum transmission unit) value is set to 9000 bytes, don’t change it.

Jumbo frames toggle on the Settings page in Atola TaskForce.

Enable jumbo frames on a target computer

To enable jumbo frames for 10 gigabit network adapter on a target computer running Windows 10 or Windows 11, do the next steps:

1. Go to Control panel > Network & Internet > Network and Sharing Center.
2. In the View your active networks section, click on your Ethernet connection.
3. In the Status window, click Properties.
4. In the Properties window, click Configure and go to the Advanced tab.
5. On the Advanced tab, select Jumbo Packet and change its Value to 9014 Bytes.
6. Click OK.

Enable jumbo frames on a network router or switch

Jumbo frames need to be enabled on network routers or switches, which connect your TaskForce unit with your target computer or server.

Many 10 gigabit routers and switches support jumbo frames by default.

For specifications and instructions, refer to a router or switch user guide provided by its manufacturer.

Use Samba version 3.0 or later

Samba is a free software that provides fast shared access to files and printers for all network clients using the SMB/CIFS protocol.

We recommend using Samba version 3.0 or later to speed up the imaging to the files on network-connected drives.

For guidance, refer to the Samba installation guide.

Update OS and drivers

Install the latest OS and driver updates.

Due to various software issues, the local network speed can be lower than expected if the operating system and network drivers are outdated.

Check server use quota

Sometimes, a network administrator can create quotas, which limit server space or throughput for end users.

Check if there is an opportunity to change or lift these quotas to achieve maximum data throughput during imaging.

Use faster target drives

To achieve higher imaging speeds, we recommend using faster destination drives with reading and writing speeds of no less than 600 MB per second.

If you’re using a RAID array as a storage, consider choosing RAID types with faster reading and writing speed, such as RAID 0 and RAID 5.

When storing very big files, opt for a large cluster size on your server. The bigger files you want to store, the larger cluster size should be.

Jumbo frames for fast imaging to server

In TaskForce, Jumbo frames are activated by default to ensure maximum data transfer rates when imaging to a file on your server.

However, if Jumbo frames have been disabled, it is easy to enable them again and experience substantial boost to the speed of imaging!

First, create a file on the server, to which you will be imaging.

When you start to image to your server with Jumbo frame disabled, the data transfer speed will not exceed 500 MB/s. The actual speed will also depend on the configuration and current traffic in the network.

To boost the speed:

1. Pause the imaging session
2. Click the Service menu in the right corner of the top bar
3. Click Settings

4. Enable Jumbo frames of the Ethernet port you are using and set MTU to 9000

NB For fast imaging of files to your server via 10 Gigabit network, you need to activate Jumbo framework in the settings of the server’s network adapter as well as in the settings of the network switch, should it be necessary (10Gb switches normally have Jumbo framework activated by default).

Then you can return to your imaging session by clicking Image button and selecting the source and clicking Resume button. This time, the speed will be way higher!

Connecting drives & starting Atola TaskForce

This page provides information about Atola TaskForce start up procedure to ensure safe and effective operation of the unit.

Powering on TaskForce

The power switch is located on the back panel of the unit. To start TaskForce, turn the power switch on.

Booting

The booting process takes up to 3 minutes.

Once booting is completed, the IP screen on the front panel will display either "Standalone mode" message or the IP address if the unit be connected to the Ethernet. At this point, the unit is ready for operation.

TaskForce screen

The Microsoft Surface Pro tablet that serves as TaskForce's screen is switched on and off independently from the unit, by pressing the button in the tablet's top panel.

Connecting drives

Atola TaskForce supports SAS, SATA, USB, and IDE drives via its 17 ports, as well as other storage devices via Thunderbolt, Apple PCIe, and M.2 SSD extension modules.

To ensure both TaskForce and the devices connected to it are used properly and safely, read the instructions below.

Connecting USB devices

TaskForce system must be powered on before a USB device is plugged in. As soon as booting is finished and the IP address is displayed you can plug the USB device into any of 4 USB ports available.

NB If you connect a USB device before starting TaskForce, the imager will not be able to boot correctly.

Connecting Extensions

Before connecting an extension module, make sure TaskForce is powered off. Plug the extension module into the extension slot located on the back panel of TaskForce and power the unit on.

Connecting evidence drives

Each port is equipped with an individual Source switch enabling hard write protection on the port. To make sure data on the drive is not overwritten, make sure the port is in the source before you connect the evidence drive.

Connecting SATA & SAS drives

TaskForce has 6 SATA and 6 SATA/SAS ports. Before connecting evidence and target devices to the imager, make sure the ports are switched to the right mode. When a drive is connected to a running TaskForce imager, the port is by default powered off. To identify the device plugged into the port, click the Devices button in the top panel of the TaskForce interface, and TaskForce will start to identify all connected drives. The system ensures sustainable overall power consumption in the situations when many drives are plugged in.

Powering off TaskForce

If TaskForce is not running any processes, it is safe to power off the unit by turning off the power switch. Any sessions that were active at the moment the unit was powered off (whether it is due to an outage or the power switch being turned off) will not be stopped correctly and cannot be resumed later.

TaskForce drive identification

Atola TaskForce is designed to perform multiple processes simultaneously and provide its users with unprecedented flexibility when it comes to a variety of devices and configurations in which they can be used. TaskForce also makes sure to efficiently communicate how a device is being used and helps a user to handle drives correctly.

When connecting a drive to the system, make sure the right mode is set on the port: in source mode, an evidence drive is automatically write-protected. It can only be changed with Source hardware switches.

As soon as you choose a particular task or click Devices button in the top bar, TaskForce starts sequentially supplying power and sending commands to identify all connected devices.

After a connected drive receives power supply and identification commands from the unit, it responds with device info including:

• device model and serial number;
• device capacity;
• limitations of the drive.

TaskForce software also immediately detects whether the drive is locked by ATA password or the drive’s max readable address is limited via HPA/DCO/AMA. The unit indicates these restrictions and notifies a user about those with red color indication in the device menu.

These indicators allow a user to make informed decisions on how to proceed with the device, whether unlocking is required to get access to the whole drive space before starting an imaging session.

Notification device not detected may point to one of these issues:

• there is no device on the port;
• the cable is not properly plugged in;
• the device is connected to another port;
• the device is heavily damaged.

If a source drive is busy with a running operation, the port will be temporarily unavailable for selection when launching other tasks. In such case, the fonts in the respective box will be a lighter shade of grey, making the port unclickable.

When selecting a target device for wiping or imaging, source drives are also unavailable to ensure that data on an evidence drive doesn’t get overwritten by mistake.    

To accommodate our users’ needs in a fast forensic process, Atola engineers are working to significantly reduce the amount of time needed for drive identification in the upcoming firmware releases. This will make TaskForce faster yet!

Working with MacBooks via Thunderbolt extension module

Thunderbolt extension enables TaskForce to work on MacBooks with the following interfaces:

• FireWire
• Thunderbolt 2
• Thunderbolt 3, 2016 - 2017 models

No SSD removal is necessary, the extension allows connecting TaskForce directly to a MacBook.

The extension module comes with:

• Thunderbolt 3 to Thunderbolt 2 adapter (by Apple)
• Thunderbolt 2 to FireWire adapter (by Apple)
• FireWire cable (comes in white or black color)

Connecting MacBook to TaskForce unit

In the Enter MacBook serial pop-up window, enter the serial number located on the bottom side of the MacBook and click OK.

1. Connect MacBook to TaskForce unit with the help of Thunderbolt extension and the FireWire cable (NB Both MacBook and TaskForce have to be turned off). Use adapters to connect to the MacBooks with Thunderbolt 2 or Thunderbolt 3 interface.

2. Boot the MacBook in Target Disk Mode. To do that, start it up while holding down the T key. You should see a Firewire or Thunderbolt icon displayed on screen signifying that Target Disk Mode is detected and working.

3. Power on TaskForce and wait for the booting to be completed.

4. Open Device menu.

5. Click the device box in Extension section of the Device menu.

6. If this is the first time this MacBook is identified by TaskForce, you need to enter the serial number in the Enter MacBook serial pop-up window and click OK.

NB serial number located on the bottom side of the MacBook.

Now you can perform these operations and features with the connected MacBook:

• imaging
• hash calculation
• write protection

During the subsequent identifications of a MacBook connected to TaskForce, its serial number can be selected from the drop-down menu in the Enter MacBook serial pop-up window. TaskForce will look up its case management system and will offer the choice of MacBooks with the same drive size.

Atola TaskForce: Main window

This article helps in understanding TaskForce’s main window, its controls and buttons and how to use them.

1. Home icon

The Home button brings you back to the Home screen. This is where you can check the active and recently completed tasks in the respective sections of the screen.

The number of current active processes is indicated next to the Home icon in a small orange box.

2. Left-side taskbar

When you click Other button in the left-side taskbar you will see two more important TF operations: looking up the SMART table of a drive and unclipping HPA/DCO/AMA restriction, applied to a drive.

3. Cases

By clicking the Cases button in the top panel you get to the Cases page with a list of the latest cases. With the help of the Search bar you can find a specific case. The cases are available for import and export between different TaskForce units.

4. Reports

By clicking the Reports button in the top panel you get to the Reports page that is equipped with a similar search bar. The reports can be selected and printed directly from this page.

5. Current overall performance

To check the Current overall performance please click Atola logo in the top panel. This allows you to keep track of the unit’s capacity usage. TaskForce allows running processes at 15 TB/hour and more.

6. Devices

Click Devices button in the top panel to see all the drives connected to TaskForce to obtain maximum information about each by simply clicking it.

The Devices panel provides additional options for working with the drives: you can power off, reset and re-identify any device.

7. Menu

The Menu contains device settings and features that regulate your use of the TaskForce unit.

In Settings you can adjust the general, database and network settings.

Activation status allows you to look up, reactivate the status or extend the subscription.

In Release notes you can read the information about the most recent Atola TaskForce firmware release and track all updates and enhancements by clicking corresponding links.

In Update firmware you can check the current TaskForce firmware, choose update method and perform the firmware update by selecting and downloading the firmware file.

Toggle fullscreen option is handy when working with other programs or files.

Registers: what they mean

Link Register

It's only enabled when port powered on, device presence detected and PHY communication established.

Status Register

This register contains hard drive status information. It is updated after every single command sent to the drive.

ERR: means last command failed to execute. In this case the Error register contains more details on the specific error.
INDX: obsolete, used to trigger after each spindle revolution
CORR: obsolete, used to trigger after a bad sector was automatically corrected by ECC
DREQ (Data Request): is asserted when hard drive wants to exchange data with the host controller (in either direction)
DRSC (Device Seek Complete): is obsolete; always asserted on modern hard drives
FAULT (Write Fault): is obsolete
DRDY (Device Ready): is obsolete; always asserted on modern hard drives
BUSY: indicates that the hard drive is busy executing a command OR initializing (after power on or reset)

Error Register

Error register provides more details if the last command failed. This register is only valid when ERR bit of the Status Register is asserted.

AMNF: means Address Mark Not Found (usually occurs on failed read attempt)
T0NF (Track 0 Not Found): obsolete
ABRT: command aborted (unsupported command or other failure)
IDNF: sector ID not found (usually occurs on failed read attempt)
UNC: uncorrectable read error; the hard drive was unable to read data even after applying ECC recovery algorithms
ICRC (Interface CRC error): there was CRC error while transferring data between host and the hard drive (usually indicates bad interface cable)

Diagnosing a drive with Atola TaskForce

When an evidence drive lands on investigator’s table for the first time, there is always an uncertainty when it comes to the drive's condition. A broken head or scratched surface of the media require different imaging tactics. That’s why it is strongly suggested that before imaging, each drive should first be diagnosed. 

TaskForce has Atola's unique diagnostics module which checks all systems of the drive:

• Hard drive's motor and electronics (PCB)
• Head stack
• Media surface
• All firmware/system areas
• Partitions and file systems

At the end the system produces a report which sums up all issues. The process will take only 2 - 5 minutes.

To start, click Diagnostics button in the left-side menu, select the drive and then click START button at the bottom of the screen.

First, TaskForce checks the drive's printed circuit board. The system applies power to the device and records and analyzes spin-up current curve. This helps detect most issues with the PCB and the motor. Next, TaskForce analyzes the contents of the hard drive's ATA registers and device identification sector.

After that, the head stack is tested. Several factors are taken into consideration when diagnosing heads: media access time for each head, power consumption curves, and internal drive's error reporting systems.

If the head stack looks good, the system performs a short media scan. The purpose of this scan is to verify if there are any bad sectors in the starting, middle and ending sectors of the drive pointing to a damage to the media surface or logical errors. 

Next, several firmware tests are performed:

If TaskForce detected no issues by this point, it performs a file system checkup:

After this final stage of diagnostics, TaskForce displays the full report. Diagnostics result message box contains a short summary of all tests. It also provides estimated imaging time for this drive.

Tracking a drive's SMART table status before and after imaging

SMART table is a valuable source of information about a hard drive’s health. SMART (Self-Monitoring, Analysis and Reporting Technology) provides stats of a drive’s operation, thus helping predict its future failure. Making a definitive conclusion based on the indices in SMART table is not easy: not all parameters are critical, it is usually a combination of bad values of a few parameters that point to a trouble, time factor plays a role too (how fast has the state of the drive been deteriorating).

SMART table is included in Diagnostics report. If you want to have a look at the current indices:

1. Click Other in the left-side menu
2. Click View SMART
3. Select the drive
4. Click Start button

SMART table attributes may differ depending on the drive manufacturer. The most critical attributes are:

• Reallocated sectors count
• Current pending sector count
• Uncorrectable sector count

When RAW value of any of these attributes is greater than zero, TaskForce will highlight it in yellow.

The worse the values, especially in these critical attributes, the more carefully the drive needs to be treated.

To keep track of the changes occurring to the attributes of the SMART table, the imaging settings can be easily adjusted to records SMART table indices prior and after each imaging session.

By comparing the two tables, user can evaluate whether the health of a drive has been deteriorating throughout the imaging session and thus assess how quickly its health has been getting worse. Any discrepancies between the two SMART tables will be highlighted in yellow.

Whenever you need to evaluate how the state of the drive has been changing long-term, you can go to previous imaging sessions and look up SMART table. TaskForce will store this information in its case management system.

Imaging an evidence drive to 5 targets

Atola TaskForce allows imaging to up to 5 targets at a time.

The targets may include

• file on a network server
• target drive plugged into one of 18 TaskForce ports

To start an imaging session that includes 5 targets:

1) Click Image icon in the left-side menu

2) Select source and target devices. To create a target file, click Select file icon in the target drive menu and click Continue button.

3) In Select image file, open the folder on the server where you want the file to be created and click the Plus icon.

4) In Create image file pop-up window, type in a name for the file and select its type (E01, RAW, img., or dd.), click Create and click Continue button in Select target devices window.

5) In the summary page, double-check imaging settings and the targets selected for the imaging session and click Start button.

In the imaging page, there are two diagrams that show the progress of imaging. The upper one is called imaging map bar and shows imaging progress throughout the whole drive space (all successfully imaged sectors on the source drive are marked green, all damaged ones are marked red). The lower diagram is called read speed graph and shows the time TaskForce spent reading sectors on the source drive. 

NB Overall imaging speed is always limited by the slowest device: either by the read speed of the source or the write speed of the slowest target. 

When imaging is completed, you are redirected to the imaging summary page, where you can review the details of the session including source and target drive details, imaging settings, hash values and the time when imaging session started and when it was completed.

Imaging a drive to two targets with post-hashing

Atola TaskForce's imaging functionality provides many adjustable settings to help forensic examiners follow the guidelines set by their organizations as well as common-sense evidence handling routines.

When you need to create two images of a source drive and verify that both images are identical to the source drive, you will need to calculate the hashes of both targets after imaging. To optimize the process, post-hashing of both target devices is easily configured in imaging settings:

1) Click Image button in the left-side menu

2) Select Source and Target devices, which will redirect you to the page with the summary of current imaging settings. In the default settings, hashing of source drive during imaging is enabled.

3) Click the Change button to adjust the settings.

4) in the Hashes tab of the settings, enable Post-hash target devices option.

5) Click Start button to proceed with imaging

Hashing of source drive during imaging is a preferred option because it only requires the data on the evidence drive to be read once, for both imaging and hash calculation. This ensures both a forensically sound process and minimal impact to potentially unstable media. Hashing during imaging does not slow down imaging process.

Once imaging is completed, post-hashing begins immediately on both target devices:

In the end, TaskForce produces a report that documents hashes of both source and target devices:

Imaging only sectors with data

Capacity of an average drive is constantly growing, and selective imaging becomes a way out for many investigators, to keep their backlogs smaller.

We at Atola have developed selective imaging functionality to make it possible to image only sectors containing data.

The feature is supported in these file systems: NTFS, APFS, XFS, ext2/3/4, HFS, HFS+, ExFAT, FAT16, FAT32.

1) Click Change button to adjust imaging settings

2) In Passes tab, click on the value in What to image column

3) Select Sectors with data in the drop-down menu

4) Click Show button to preview the partitions on the source drive.

NB Imaging individual partitions is possible: just unselect the partitions you do not want to image. The imaging report will document this setting and indicate, which of the partitions have been imaged and the sector ranges in which the partitions were located.

5) Click Start button to proceed with imaging

You can see the partitions being imaged in the imaging log. In the imaging bar, the blue areas represent the sectors that are planned to be imaged. These are the sectors that belong to the drive's partitions and contain data.

Imaging to an E01 file with dual hash

E01 file format is the de facto standard format for forensic examiners to store images due to its ability to store not only a copy of the evidence drive, but also case and evidence details. E01 file can also store both MD5 and SHA1 hash values calculated during imaging.

To image a source evidence drive to an E01 file, you have to create a new target file.

Creating a new E01 file

1. Click Image in the left-side menu
2. Select the source evidence drive in Select source device window
3. Click Select file in Select target devices panel
4. In the file selector, find the folder to store the image and click the plus (+) button in the bottom right corner
5. In the pop-window, select the E01 file type, and click Create button
6. Fill in E01 file information and click Create button.
7. Click Continue button.

Enable dual-hash and start imaging

1. Once you have selected the source drive and created the target file, you end up in Settings summary page. Click Change button to adjust the imaging settings.
2. In the Hashes tab make sure that Hash source during imaging is selected, also select both MD5 and SHA1 hash types.
3. Click Start button to proceed with imaging.

The report and the E01 file

Upon completion of imaging, you can see both MD5 and SHA1 hash values indicated in the Imaging completed report.

It is also possible to look up the information of the created E01 file. To do that, perform the following actions:

1. Open the Devices menu by clicking the Devices button in the upper right corner.
2. There, in the File section, click the Select file box. This will open the file information page with all the metadata of the E01 file.

The MD5 and SHA hash values will be listed there, too.

Creating an E01 file on a target drive

By putting a target device in Storage mode, TaskForce enables the creation of multiple image files (E01, RAW, img or dd) on the target drive.

To set a target device to Storage mode:

1.Go to Home page;
2. Click Image button in the left-side taskbar;
3. Select the source drive;
4. In Select target devices panel click Select file.

5. In Select image file window click Add storage button.

6. In the Select device panel click the drive you want to use in Storage mode. Please note that TaskForce uses a lighter shade of blue to indicate that a storage drive is being configured.

If TaskForce cannot find the appropriate exFAT partition on the drive selected, it will offer you to format the device accordingly.

7. By clicking Yes you agree to launching target device formatting to exFat with a large cluster size (32 MB). This cluster size will enable faster imaging to this drive.

Once the target device is formatted, TaskForce perceives it as a Storage target.

The drive in Storage mode is marked with a special blue icon in the device panel.

To proceed with creating a compressed E01 image file on this device:

1.Click the storage drive and then the + Create file button;

2. In Create image file pop-up window, enter the name and select the type of the image file.

3. Click the Create button to fill E01 file information.
4. Tick the Combox next to Compressed E01 option and fill out the form with file details. Then click Create.

5. Check your imaging settings and click Start to proceed with imaging by clicking the Start button.

NB When you select compressed E01 option in the imaging settings, the multi-pass imaging system or reverse imaging option cannot be applied to such an imaging session. However, other fine-tuning options remain available including advanced hashing options (pre-hash, post-hash, Segmented hashing, etc.) and selective imaging.

The Imaging completed report provides all the time stamps, hash values and hash verification result. To look up the settings of the imaging session, you can also see the Imaging started report in the case management system.

Imaging to a file on an encrypted drive with TaskForce

With newest Atola TaskForce 2020.1 firmware, it is possible to image into files on an encrypted target drive using VeraCrypt for data encryption. Multiple target drives can be encrypted for the same or different sessions.
After you have connected the source drive to a port in Source mode, take these steps:

1. Click on Image icon in the left-side taskbar
2. In Select source device panel, select the evidence drive
3. In Select target device menu, click on the tile in the File section
4. In Select image file window, click Add storage Click the link Create Image File on Target.

5. In Select device panel, choose the drive connected to a port in Target mode
6. Select Create an encrypted VeraCrypt container (exFAT) option and click Next

7. Enter and confirm the password for the encrypted volume on the drive

8. Confirm the formatting of the device by entering YES and clicking OK. After this step, the formatting will take a few seconds.
9. Click + Create file button
10. Enter the name of the image and choose the file format (E01, raw, img or dd).

11. Once you have created the file, you may add more image files in the same or a different folder

After you click the Continue button, TaskForce will image the evidence into the file on your encrypted target.

Upon completion of the imaging session, check the Imaging completed report. 

Data Extraction

1. To find the VeraCrypt volume and the imaged file, plug the target drive into your computer;
2. Use VeraCrypt software to safely access encrypted data from your drive;
3. Select the drive label (A, B, C, etc.) on which you want the volume to be mounted;
4. Click Select device button;
5. In the pop-up window select your encrypted volume;
6. Click the Mount button. 

Now you can view the partition name, size and encryption algorithm.

7. Next, use the password set prior to the imaging session to get access to the encrypted volume.

Once you have entered the password, the volume will be mounted and you can access it from Windows Explorer and use the image for subsequent operations.

Clip target drive to source evidence size

When you image data from an evidence drive, but the target drive is larger than that of the source, the hash values for the source and for the target drives will not be identical. This will happen even if there is no data in the remaining space of the target.

To avoid it, you can limit your SATA target drive's capacity using Host Protected Area (HPA) or Accessible Max Address (AMA). It will make the sectors beyond this limit inaccessible to the hashing tools or the end user. In TaskForce, it only takes one quick adjustment to the imaging settings:

1. Click Image in the left-side task menu and select the source and the target
2. In the Settings page click Change button.
3. In Miscellaneous tab activate the Limit target disk size to source size using HPA/AMA (SATA target ports only) option.

You can now proceed with the Imaging process by clicking Start button.

Before the imaging starts, TaskForce looks up the size of the evidence drive and limits the space of the target using HPA/AMA to make its capacity identical to that of the evidence drive.

When Imaging is complete, the report will contain information about the time when HPA/AMA was enabled.

The target disk's port in Devices menu now contains an HPA/AMA indicator, thus informing you that HPA/AMA has been enabled on this drive.

There will also be a report created in the case management system, which indicates the old (native) and the new (as set by HPA/AMA) max address.

Now you can calculate hash on both drives to make sure the hash values are identical.

NB Enabling HPA/AMA is an option available only for SATA target drives.

To learn how to unclip HPA/AMA, read Unclip or change HPA, DCO, AMA limitations in our manual.

Accessing password-protected servers

Accessing password-protected servers allows saving image files on such servers, imaging or calculating hash of the files located there, etc.

To create an image file on a password-protected server:

1) Click Image button in the left-side menu

2) Select the source device

3) Click SELECT FILE in FILE section of the target device menu and click Continue.

4) In the file dialog, click the server from the list. If the server does not appear in the list, click Refresh icon to search for all available directories. If the server still does not appear in the list, click Connect.

5) Whether you have selected the server from the list, or clicked Connect, Connect to server dialog box will open. Here, you need to enter the name of the server and fill out login details including domain or workgroup and click Connect. To learn these details, contact your network admin.

NB. TaskForce supports NTLM protocol, which is enabled by default in Active Directory and Windows.

6) Go to the folder on the server where you need to store your image, and click the Plus icon in the right bottom corner of the window.

7) Enter the name of the new image file and select the format. Click Create button.

8) Click Continue button.

9) Check your imaging settings and click Start button to proceed with imaging.

Imaging presets

For examiners who need to ensure they are using specific imaging settings for certain types of drives or cases, TaskForce allows creating different presets for easy, one-click switching to a specific imaging routine. Presets also allow these specific imaging settings to be shared with colleagues who use another TaskForce by exporting presets from one device and importing them onto another one.

TaskForce has two presets called Default and Damaged recommended for healthy and faulty drives respectively.

Managing custom presets

To create a custom preset:

1. Click Image in the left-side menu and select source and target devices
2. Click Change
3. Change the imaging settings in the pop-up window
4. Click the three-dot icon in the bottom right corner and click Save to
5. In the pop-up window, type in the name of the preset and click Save

Once you have saved a preset, they are stored in TaskForce's work folder and can be used by other operators using the same imager. They can find the presets you created under the Custom button.

The Chrome browser of the user who created a preset, saves a copy of the preset locally. When this user opens the Custom menu, both presets are displayed:

• one is the preset saved in TaskForce's work folder
• another one is the local copy

If one becomes redundant, it can be easily deleted.

To delete a preset:

1. Select the preset in the Custom menu
2. Go to the three-dot menu in the bottom-right corner and click Delete

Sharing presets with another TaskForce

Once you have created your custom presets, you can share them with colleagues who use another TaskForce imager.

To export a preset:

1. Select the preset from the Custom menu
2. Click the three-dot icon
3. Click Export

The preset will be downloaded in .json format.

To import a preset:

1. Click the three-dot icon
2. Click Import option
3. In Import settings window, click Select file button
4. Find the file in the file selector and click Open
5. Double-check the preset and click Import

After this import, the preset can be found in the Custom menu.

Exporting sector lists from an imaging session

When an imaging session is completed or paused, it is possible to see its summary in the Imaging sessions summary page. Now there is also a possibility to export lists which would clearly indicate which of the sectors on the source drive have been successfully imaged, which have not (if any), and which of the sectors contained errors.

To export such list:

1) Click Image icon in the left-side menu and select the source drive
2) In the session summary, click the Export icon

3) Select the sectors you are interested in (e.g. Imaged sectors)

4) Save the downloaded .csv file

This file shows the ranges of imaged sectors:

NB Should an imaging session be completed, the list of non-imaged sectors will be blank.

Imaging a drive with a damaged head

The diagnostics module, selective head imaging and multi-pass imaging algorithm allow TaskForce to handle a drive with damaged heads gently and effectively. All these techniques help minimize the risk of losing more data on the working part of the head stack.

Diagnose first

The built-in diagnostics module of Atola TaskForce automatically checks all major subsystems of the evidence drive: circuit board, heads, media surface, firmware and file system.

A diagnostics report provides detailed information about the heads. In addition, it offers recommendations for the optimal imaging strategy for your damaged hard drive.

The above diagnostics report informs the operator that the drive’s hardware has major issues and points to defects in the media and a damaged head (Head#3). The report contains a recommendation to disable the damaged head in the imaging settings.

Selective head imaging

Atola engineers recommend that the good heads are imaged first. To do that:

1. Click the Image category in the left-side menu;

2. Select your source and target devices;

3. Click Continue.

If a head was identified as damaged during the diagnostics, at this stage you will see a pop-up window prompting you to disable the damaged head and by clicking YES you confirm that the head should be automatically disabled for the subsequent imaging session.

Alternatively, the damaged head can be disabled in the imaging settings:

4. Click Change to adjust the settings for your imaging session;

5. In What to Image section click on All sectors to configure the selective imaging.

6. Unselect the damaged head, сlick Save;

7. To launch your imaging session click the Start button.

Multi-pass imaging algorithm

As you can see in the screenshot below, some errors were found in the course of imaging on the space of the drive that is read with the Head#4. It is common for a drive with a bad head to also contain errors on the platters that are read with other heads.

TaskForce uses its multi-pass imaging algorithm when encountering a bad sector that belongs to a good head. It allows handling errors and retrieving data from some of the bad sectors. For as long as it is possible to read data from the sector or block of sectors within the specified pass timeout, TaskForce will be able to image this data.

Having completed imaging from the good heads, the system pauses the session and produces a detailed imaging report with a log of all actions performed during the imaging session.

TaskForce firmware version 2020.7 and above allow editing settings of all unstarted imaging passes, adding or removing passes, etc. So if later you think you may be able to retrieve important data with Head#4, you can add another pass and configure the settings of the new pass accordingly.

TaskForce firmware under 2020.7 automatically inserts and launches an additional imaging pass after you click Resume on the pause session. The new pass will include all non-imaged sectors.

Atola TaskForce automatically creates reports for every single action applied to each device connected to it. The reports are stored in the case management system.

Working with a bad head

After you successfully retrieved data from the good heads, you have two options:

• To replace the head stack before you get down to imaging of the remaining data. You should be aware of the risk, however, that data on the drive can become unreadable due to head stack replacement;
• To attempt imaging data with the Degraded or Damaged head.

To image the unselected bad head simply click Resume.

Atola TaskForce resumes the imaging session to focus on the area that belongs to the damaged head.

If the number of errors keeps growing, while the number of the imaged sectors remains unchanged, pause your imaging session and power down the drive because the head seems to be completely inoperable.

In the Imaging report above, you can see that TaskForce imaged 520,961,167 sectors out of 625,142,448, having extracted as much data from good heads as was possible with the default settings.

For more details scroll the report down to check the Log:

Multi-pass imaging of damaged drives

TaskForce's complex imaging functionality allows imaging even physically damaged drives, while avoiding further drive deterioration. Damaged media require a sophisticated imaging approach to balance out thorough data extraction with forensics’ need in expediency and careful treatment of damaged media.

Most forensic imagers can only do linear imaging, which dramatically slows down imaging process whenever a bad sector is encountered, and, as a result, the drive may freeze. To speed up imaging of damaged media and maximize the amount of successfully retrieved data, TaskForce has a special imaging algorithm that includes deliberate timeout and block size control.

Using small block size pays off when you need to thoroughly retrieve maximum data from an unstable drive, but it also significantly slows down the imaging process. What’s worse, such imaging approach may cause further damage to the media. That's why TaskForce's multi-pass imaging engine uses large blocks with short timeouts on the first few passes, scheduling reads inside slow areas for later and then using the smallest block size on the last pass when very few sectors are left to be read.

This technique allows the bad areas to be approached in the most gentle way, while achieving imaging speeds of up to 550 MB/sec in good areas of the drive and reaching an unbeatable overall speed of imaging.

TaskForce handles block size automatically, to provide the best possible results in the shortest time span. This makes TaskForce faster at virtually any job than any other data recovery or image acquisition tools commercially available.

Block sizes and timeouts are adjustable. However, the default settings of the passes are based on our decades-long experience in data recovery market to fit most types of damage to the drives. That's why we suggest that you use the default settings unless a particular drive requires a specific imaging approach.

On the first pass, TaskForce allows 1-second Timeout per block, and the Max read block size is set to 4096 sectors. This allows smooth sequential imaging of all healthy modern drives. But when imaging damaged media, these settings allow TaskForce to skip any areas that slow down the process and perform Jump on error by 1,000,000 sectors at a time. This way all the good areas of the drive are imaged at top speed, while forcing TaskForce to return to the problematic areas on the next passes, narrowing down the bad areas and allowing more time to retrieve the data within them.

While Max read block size remains the same during the second and the third passes, the  Jump on error is set to 20000 sectors and 4096 sectors respectively and slightly longer, 5-second Timeouts are allowed for attempted reading of the blocks.

On the fourth pass, both Jump on error and Max read block size are reduced to 256 sectors.

On the fifth pass, TaskForce allocates 60-second Timeouts to read the Maximum block size of 256 with just 1-sector Jump on error. It is the last and the most thorough attempt to retrieve data from the remaining bad areas of the drive.

After the final pass, the Imaging Results report will indicate the eventual number of errors on the drive and other detailed statistics.

By clicking on one of the imaging passes in the imaging settings, you can adjust all parameters of the pass. Reverse direction option may help handle some of the damaged media. With this function selected, TaskForce will approach skipped areas of the drive from the opposite side on any selected pass. This way TaskForce can get more data from a drive before entering a damaged zone, which needs to be concentrated on during the following passes.

Another option in the imaging pass settings, which is worth mentioning is Disable read look-ahead. Most contemporary hard drives have read look-ahead functionality, which makes the drive sequentially read more blocks than requested in a command. In good drives, this functionality helps the drive to operate faster by reading more data and caching them. But with bad drives, read look-ahead leads to bad areas being addressed more often, which slows down the process and may lead to a complete freeze of the drive. In such cases, disabling read look-ahead option is advisable.

RAID 0 imaging

Atola TaskForce can automatically detect a RAID 0 configuration, assemble and image such RAID array.

Assembling a RAID 0 with unknown configuration

1. Connect the drives to the TaskForce hardware unit's ports that are switched to the Source mode
2. In the left-side Task Menu, click the RAID button

3. In Select source device menu, select the drives and click Continue

You can see key RAID configuration parameters at the top of the page:

• Order of drives/images
• RAID type
• Start LBA
• Block size
• Block order

Before you enter other values either manually or by applying Autodetection module results, the most commonly used values are displayed in the given fields.

The Autodetection module starts running immediately.

RAID 0 autodetection

Stage 1: TaskForce is reading data on the drives to identify the RAID type

NB To change the order of drives in the array, simply drag a drive to its new position. To remove a device from the current array, grab it and put it into the bin.

Stage 2: TaskForce goes through thousands of possible variants of RAID parameters.

Click Apply as soon as a Possible configuration tile appears

After you click Apply, TaskForce automatically applies the suggested configuration and checks the file system for partitions. At the bottom of the screen, a preview of the partitions is available.

Observing files and folders in the preview confirms the detected RAID 0 configuration is correct.

Imaging RAID 0 array

1. After RAID configuration is successfully applied, click Go to Image button to proceed with imaging

2. Select your target device or network folder and click Continue

3. Click the Start button to launch your imaging session

RAID imaging may take much longer than imaging a drive. You can optimize the imaging speed by using a fast target or a high-speed server.

Atola TaskForce automatically generates reports for every session. The Imaging completed report will contain all RAID details as well as timestamps.

RAID 5 forensics: Automated assembly and imaging

TaskForce is equipped with configuration autodetection module that makes assembling and imaging a RAID 5 array with an unknown configuration fast and easy.

Autodetection of RAID 5 configuration

1. Connect the drives that make up the RAID array to the TaskForce unit to ports in Source mode.
2. Click the RAID icon in the left-side Task Menu.

3. In Select source device panel, tick the drives that make up the RAID array and click Continue.

To assemble a RAID from images instead of drives or to use a combination of drives and images, browse and select images in the FILE subsection of the Select source device menu.

Next, you are redirected to the RAID configuration screen. It consists of three parts:
- the selected devices (and/or image files) are shown in the top RAID configuration part.
- the RAID Partitions viewer below it, provides a preview of partitions and files within them, once RAID has been successfully assembled.
- the Autodetection module in the right-hand part of the screen immediately starts running and produces an output of RAID configuration suggestions.

Autodetection module reads data from all the selected devices and/or images to detect these RAID parameters:

• Order of drives/images
• RAID type
• Start LBA
• Block size
• Block order

Should the configuration be known, these parameters can also be set manually by the operator.

The time required for configuration detection can vary from a few seconds to a few hours depending on the numbers of drives involved, RAID volume and type, and how metadata is distributed on the drives in the RAID. In certain cases, Autodetection may produce several configuration suggestions, which can be applied one by one to find the exact match. TaskForce's Autodetection is based on heuristics algorithms that help speed up the variant check.

4. Click the Apply button to apply the configuration suggested by the Autodetection module.

If the suggested configuration matches the RAID native configuration, partitions of the RAID will be displayed and a preview of data within the partition will be enabled.

Imaging selected partitions of RAID 5

1. Click GO TO IMAGE button in the left bottom corner of the screen to adjust the imaging settings and define the target for the image.

2. Select the target for the imaging session. Both a local server and a target device in Storage mode can be used for imaging of a RAID array.

3. Click + CREATE FILE button and fill out the image details in the Create image file window and click Create.

4. In the Settings page, click the Change button and then click the settings of an imaging pass.

5. In Edit imaging pass window, you can select the individual partitions to be imaged if selective imaging is required and click Save.

6. Click the START button to launch the imaging session.

TaskForce will be imaging RAID 5 array or its partitions as configured in the imaging settings.

At the end of the imaging session, TaskForce will produce an Imaging completed report with all the details of the source drives, the RAID configuration, the target, the partition, the timestamps, etc.

Reassembling RAID 5 with a missing drive from image files

Imagine you have image files that are created from source RAID 5 drives. If one of RAID 5 drives was missing or heavily damaged, one image file is missing or incomplete, too. TaskForce uses RAID 5 redundancy to create a full image of the RAID even in such cases.

To reassemble a RAID from image files:

1. Click the RAID icon in the left-side Task menu
2. In the FILE subsection of the Select source devices slide-out panel click SELECT FILE tile
3. In the Select image file explorer find the directory with the images you want to use and select the files. Then click the Select button

4. Click Continue

5. Autodetection module starts running automatically to find a suitable RAID configuration. You know that there is an image file missing from the selection (it may have been lost or damaged), so click Add missing device button underneath the list of image files

6. Autodetection will recommence when a new image file or device is added. If the RAID is type 5, TaskForce will be able to identify the right configuration and reassemble the RAID by using the redundancy. When a possible configuration is found, click the Apply button.

The configuration application automatically changes the order of the drives/images, the detected RAID type, block size and order is applied automatically, too. In the bottom part of the screen, the found partitions are available for preview.

7. To proceed with imaging, click the Go to image button and follow the instruction in subsequent screens to select the target and adjust imaging settings.

During the imaging, TaskForce takes advantage of the redundancy to create an image of the RAID despite one of the devices is missing.

The imaging report clearly indicates which of the devices that make up the RAID array was missing. Other RAID parameters, such as type, block size and order are also clearly reflected in the report.

Imaging RAID 5 array with 2 damaged drives

Even if a RAID 5 array contains errors, Atola TaskForce is able to detect its parameters and image such RAID.

RAID 5 reassembling

1. Connect the drives to the ports of the TaskForce hardware unit. Make sure the ports are in Source mode

2. Click the RAID button in the left-side taskbar

3. Select the drives that make up the RAID array

4. Click Continue

Detecting errors

The TaskForce autodetection module starts running immediately, after you select the RAID devices.

Stage 1: TaskForce reads data on the drives to identify RAID type. If it runs across an error, TaskForce displays error tags next to the respective RAID member.

To see the number of errors encountered on a RAID member, simply hover the cursor over the error tag.

Stage 2: TaskForce goes through thousands of possible RAID configurations to identify a suitable one.

Once the configuration is detected, click the Apply button.

After you click Apply, TaskForce automatically applies the suggested configuration and checks the file system for partitions.

Despite read errors, Atola TaskForce can mount the partitions for preview by rebuilding the data in the bad sectors using data redundancy inherent to this RAID type.

Imaging RAID 5 array with errors

1. After RAID configuration is successfully applied, click the Go to Image button to proceed with imaging

2. Select your target device/folder and click Continue

3. Click the Start button to launch your imaging session

When the TaskForce system encounters an error, it automatically reconstructs the missing data, using the data in the parity blocks on the remaining RAID members.

Thus Atola TaskForce can recover the full image. No operator involvement is necessary.

NB: In case 2 drives of the RAID 5 array contain errors in the same sector, TaskForce can still recover the data from those, using the multi-pass imaging system.

Imaging report

Atola TaskForce automatically generates the Imaging completed report with all RAID details and timestamps.

Atola TaskForce managed to successfully reconstruct and image all the data. That is why the number of errors in the Imaging completed report is zero.

RAID 10: Autodetection and imaging

RAID 10 arrays combine mirroring and striping techniques. This helps these arrays have higher performance and better resiliency against data loss or corruption. TaskForce uses both of these advantages: it images data faster from a RAID 10 compared to other RAID types and rebuilds the image using the data redundancy in case of disk failure.

TaskForce's configuration autodetection module will help identifying the type and other parameters of a RAID 10, should there be a lack of information about the given RAID and its configuration.

To mount an unknown RAID 10 and image it:

1. Click the RAID icon in the main menu.
2. Select the drives that make up the RAID array and click Continue.

3. When the autodetection module (in the right part of the screen) comes up with a suggestion of RAID configuration, click Apply.

NB In rare cases, there can be more than one suggestion. Try them out one by one by clicking Apply next to each suggestion.
If you know the type and parameters of the RAID, you can enter them manually in the drop-downs.

4. TaskForce arranges the drives into respective groups and applies other RAID settings to mount the partitions, which you can browse through in the Partition preview below.

5. Click the Go to Image button and select the target.

6. Check the settings. Please note that you can choose to image only part of the data (only one of the partitions).

7. The automatically generated Imaging report contains the details of the RAID and its members, the target, hashes, signatures found as well as the timestamps.

Instant forensic RAID reconstruction: Linux mdadm

TaskForce can automatically detect configuration of software RAID created with mdadm in Linux and perform immediate forensic RAID reconstruction.

Autodetection of the mdadm-created software RAID

1. Connect the drives to ports in Source mode.
2. Click the RAID button in the left-side Task Menu.
3. Select the drives that make up a RAID array and click CONTINUE.

Autodetection module has instantly recognized and applied the RAID configuration. TaskForce automatically identifies mdadm-created RAID arrays with great precision by detecting controller metadata.

This RAID’s Start LBA is different from 0. TaskForce’s autodetection module is trained to detect this parameter for different types of RAID arrays and mdadm versions.

A partition is displayed in the bottom part of the screen, confirming that the applied configuration is correct.

Imaging the mdadm-created RAID array

1. Click the GO TO IMAGE button to proceed with imaging the assembled RAID.
2. Select the target and click Continue.
3. Click the START button and confirm the overwriting of data on the target.

The imaging session runs as fast as the target speed allows.

The imaging report contains all the RAID details and timestamps.

Logical imaging of a RAID array

Imaging of a RAID can potentially take too long. When you are under time constrains, TaskForce's logical imaging module helps you focus on imaging only the data that can make an immediate impact.

Once a RAID has been reassembled, you have a preview of the RAID's contents in the RAID module. This helps you decide which files or folders you want to image immediately.

1. Click Go to logical button.

2. In the Logical imaging module, you can adjust your selection:

By default, logical imaging is set to image all files from a drive or a RAID. To fine-tune your selection, include or exclude what you need:

• All or selected partitions
• Manually selected files or folders
• Specified file types: archives, emails, documents, databases, financial, virtual machine, audio, video, pictures, security keys.
• Folder types: only user or only OS folders
• Time spans: when files were accessed, created, modified
• File size: from 1 byte to infinity

3. Once you have adjusted the logical imaging parameters, click Continue.

4. Select the Target for your L01 file and click Create file button.

5. Adjust the settings of the L01 file and click Create to start the imaging session.

When the imaging is running, you can track the progress of imaging of the individual files. As for the overall imaging progress, the upper graph indicates the amount of imaged data as related to the whole space of the RAID volume, not to the selected volume.

Imaging report

Atola TaskForce will generate Imaging completed report with all the details of the imaged selection from this RAID:

• The number of scanned and imaged files
• The volume of imaged data
• Time stamps

Imaging started report is created the moment the imaging launched: it is a detailed report of all the settings including the elements selected for this acquisition (partitions, files and folders).

Imaging selected partitions of a RAID array

With Atola TaskForce, you can image individual partitions of an assembled RAID array to avoid imaging excessive amounts of data.

Once the RAID array has been reassembled, you can preview the contents of its partitions. It helps you conclude which of the partitions may contain the critical evidence and which are irrelevant.

1. Click Go to Image button
2. Select your target device and click Continue.
3. Go to the settings and click the imaging pass to adjust the imaging range

4. A pop-up window with pass settings will open. In What to image drop-down menu, select Sectors with data

5. Unselect the partitions you do not need and click Save to keep this change

Please note the selective imaging does not linear hashing of the imaged range, segmeted hashing is suggested for such imaging.

6. Click Start to launch your imaging session

Imaging report

Atola TaskForce will generate Imaging completed report with all the details of the RAID:

• The imaged range
• Time stamps
• A link to the file with the segmented hash, calculated for the imaged range

How to unmount an assembled RAID

After you selected specific drives or images as RAID participants, they constitute virtual RAID array and become unavailable for individual tasks. For instance, you cannot recalculate hash of one of such drives.

To use the individual drives that are a part of a mounted RAID array, you need to unmount the RAID first.

Follow these steps:

1. Click on Devices in the top right corner of the screen.

2. Scroll down to the bottom of the Devices panel to find the currently connected and mounted RAID.

3. Click the Unmount RAID button at the bottom of the page

Now you can proceed with other sessions, using any of the 6 drives connected to TaskForce.

RAID tags and what they mean

When reassembling a RAID in TaskForce, start by selecting the drives and/or images it consists of. The system reads the first 3 million sectors of each RAID member, analyzes the data and compares the members against each other. TaskForce then labels the RAID members with appropriate tags to help you identify the condition, relation and possible position.

Spare

The Spare tag informs you that 99.95% of the drive’s initial 3M sectors are filled with zeros.

A spare (aka hot spare) drive in RAID arrays is used as a standby drive reserved to replace a RAID member in case it fails: in this situation the RAID controller uses redundancy data to reconstruct the data from the failed disk to the spare one. Spare drives are used in RAID 1, RAID 5 and RAID 6.

Mirror

With the Mirror tag, TaskForce informs you that 99.5% out of the analyzed 3M sectors are identical to the same sectors on a different RAID member. It works as a hint that you are dealing with a RAID 1, RAID 10 or RAID 50.

MBR

MBR (Master Boot Record) points to the drive(s) that contain an MBR. Therefore, it is likely that the drive with detected MBR can be placed first in the given array.

File system tags

The initial 3M sectors of each drive/image are analyzed to identify a boot sector of any known file system. When a partition boot sector is detected, the corresponding file system tag is added. To see LBA offset and sector count of the partition, hover mouse cursor over the tag.

Supported file system tags: NTFS, ext4/3/2, APFS, HFS, HFS+, exFAT, FAT32, FAT16, XFS.

Additionally, Unknown tag may appear if the file system identification is not supported yet.

Error

The Error tag Informs you whether there are read errors encountered in the process of RAID autodetection. To see the exact number of encountered errors, hover mouse over the Error tag to get the tooltip.

Using Web API in a browser

Starting firmware version 2019.7, Web API is built into TaskForce, and it will help optimize your workflow in many ways.

Web API is extremely handy as it allows you to use it in scripts, via CLI tools like curl, and simply by typing commands in the browser address bar.

1. Scan devices plugged to all source ports. The command powers up all ports and returns the list of drive on each port in Source mode as well as the model and the serial number of the drive on each port.

2. Start imaging a source drive plugged into TaskForce SATA 4 port.

3. Track imaging session status using task key received in response to the command above.

For more information about these and other commands, please look up the API documentation that we made available to public.

Instantly starting 12 imaging sessions using Web API

Imagine you have 12 TaskForce ports switched to Source mode and source drives plugged into them. Now you can instantly launch 12 imaging sessions simply starting the script.

Python script utilizes /start-image API request and prints task keys of all launched imaging sessions.

import sys

if sys.version_info[0] < 3:
    raise Exception("Please use Python 3 to run this script")

import urllib.request

ports = ["SATA1", "SATA2", "SATA3", "SATA4", "SATA5", "SATA6", "SAS1", "SAS2", "SAS3", "SAS4", "SAS5", "SAS6"]
tasks = []
errors = {}

for port in ports:
    try:
        res = urllib.request.urlopen("http://10.0.0.4/api/start-image?source=%s&targetFolder=//Vitaliy/Share" % (port))
        tasks.append(res.read().decode('utf-8'))
    except urllib.error.HTTPError as e:
        errors[port] = e.read()

print("IDs of started imaging tasks:")
print('\n'.join(tasks))

The script works in any operating system. To run, perform the following actions:

1. Save the script into image12.py file
2. Replace 10.0.0.4 with IP address of your TaskForce
3. Replace //Vitaliy/Share with your shared network folder path
4. Execute the script in the console: python image12.py

For more information about these and other commands, please look up the API documentation that we made available to public.

Autostart image analysis when imaging is completed

With TaskForce, you can track the status of the started imaging sessions using /check-task API request. It reports the imaging progress enabling you (or your code) to notice when the task gets completed. Once this notification is received, it makes perfect sense to automatically start the forensic analysis of the target image.

Powershell script below shows how one can create this kind of automation flow:

1. Start imaging a source drive on TaskForce SATA port 4 to the target folder \\Vitaliy\Share
2. Wait for imaging completion using /check-task
3. Launch Autopsy Ingest via command-line when the target image is ready

Important: Instead of Autopsy, you are free to use any Magnet Forensics products, X-Ways Forensics, or any other forensic analysis toolkit that supports console launch with arguments.

try {
    $r = Invoke-WebRequest "http://10.0.0.65/api/start-image?source=SATA4&targetFolder=\\Vitaliy\Share"
}
catch {
    Write-Output "$($_.Exception.Message)"
    exit $_.Exception.Response.StatusCode
}

$taskKey = $r.Content
do {
    $check = (Invoke-WebRequest "http://10.0.0.65/api/check-task?taskKey=$taskKey").Content | ConvertFrom-Json
    Start-Sleep -s 1
} while ($check.state -eq "progress")

$windowsPath = "C:\Share\" + ($check.target -replace '[\/]', '\' | Split-Path -leaf)
$caseName = "Case123"
$autopsyArguments = '" --createCase --caseName="' + $caseName + ' --caseBaseDir="C:\Work\Cases"' 
                  + ' --addDataSource --dataSourcePath="' + $windowsPath + '" --runIngest --generateReports' 

Start-Process -FilePath "C:\Program Files\Autopsy\bin\autopsy64.exe" -ArgumentList $autopsyArguments

The script works in Windows with Powershell. To run it, please perform the following actions:

1. Install Autopsy
2. Create C:\Share folder
3. Save the script into image.ps1 file
4. Replace 10.0.0.65 with IP address of your TaskForce
5. Replace \\Vitaliy\Share with your shared network folder path
6. Execute the script in the console: powershell -ExecutionPolicy ByPass -File image.ps1

NB. Autopsy Ingest v4.11 does not work with network file paths from the command line. That’s why this example shows a shared folder located at PC where PowerShell script is executed. Therefore \\Vitaliy\Share points to C:\Share folder.

For more information about these and other commands, please look up the API documentation that we made available to public.

Calculating hash during imaging

Atola TaskForce supports hash calculation of both the evidence drive and the image in conjunction with imaging. We have developed highly flexible functionality to help optimize evidence acquisition process to fit one’s internal procedures, while avoiding further damage to fragile media.

To calculate hash of both the evidence and the image:

1. Click Image category of the left-side menu
2. Select the Source device and the Target device or file
3. Click Change button in the Settings summary page
4. In the Hashes tab there are three checkboxes:

• Pre-hash source device
• Hash source during imaging
• Post-hash target device

Multiselect is available, which allows a user to use all three of these options.

However, Pre-hash source drive option must be used with caution: although pre-hashing can be required by an investigator’s internal procedures, when dealing with drives that have been diagnosed with hardware failure, this operation may cause further damage to the drive before essential data is imaged.

On the contrary, Hash source during imaging is the most appropriate way to calculate the hash of a fragile source evidence drive. In this case, TaskForce only needs to read the data on the drive once to both image and calculate the hash, thus minimally using the drive’s hardware.

NB Linear hash can only be calculated by reading data in sectors consecutively in one pass.When it encounters a bad sector, linear hash calulation is discontinued. In upcoming releases we will support Segmented hashing so that hash can be calculated for damaged drives.

Post-hash target device option allows to properly record the calculated hash in the case.

Calculating dual hash of an existing E01 file

Some source evidence drives and their images can be involved in a long-running investigation case and wait to be presented in court for months or years on end. Data stored on such drives and their image files may eventually get corrupt. Therefore it may be critical for an investigator to ensure the integrity of data on such devices or image files before resuming to work with them or presenting them in court.

Over the years, E01 file format has become a popular format for forensic purposes due to its ability to store not both the image of the drive, but also case and evidence details. E01 file can also contain both MD5 and SHA-1 hash values.

To view the previously calculated hash calculated for an E01 file with Atola TaskForce, open the imaging report in the case management system. It contains the hash values calculated during imaging.

Alternatively, you can look up the metadata stored in the E01 file itself:

1. Open Devices menu by clicking the Devices button in the top bar.
2. Click Select file box in the File category.
3. Select the E01 file in the file browser.

To ensure the integrity of the data in the file, you can recalculate its hash.

1. Click Hash in the left-side task menu. This will open the devices to choose the one for which you want to calculate hash.
2. Click Select file box in the File category.
3. Select the E01 file in the file browser.
4. Make sure to select the same hashing types (MD5, SHA1, etc.)
5. Click Start button

Adjust hashing settings and start hash calculation by clicking the Start button.

When the hash calculation is completed, you can make sure that the two sets of hashes are identical.

Segmented hashing for data verification

Segmented hashing allows verifying data, imaged from damaged media. The image can be verified even if data gets corrupt over time.

Segmented hashing produces a CSV file in the following format:

Segmented hashing vs regular hashing

With conventional hashing method you get a single hash for the entire image, while segmented hashing allows getting many hashes of corresponding LBA ranges of the image. The sum LBA ranges represents the entire image.

Verifying all hashes in a set allows you to prove that the entire image has not been modified.

Segmented hashing and post-hashing of the target for immediate image verification

• Go to the imaging settings, select segmented hashing method
• Enable post-hash of the target to obtain both sets of hashes for the evidence drive and the image

Hashing while imaging does not slow down the imaging session

Post-hashing will commence as soon as the imaging session is completed

In the Imaging completed report you can see imaging results with the link to the file with segmented hashes.

In case you select the post-hashing of the target, you also get the results of cross-checking between the hash sets of the evidence drive and the image.

Express mode: self-launching imaging of 17 drives

Express mode enables automatic launch of multiple imaging sessions on all ports that are set to source: just plug a drive into TaskForce and the imaging session will start automatically.

Activating Express mode

Just like everything else in TaskForce’s interface, this feature is designed to be intuitively easy to set up.

Source evidence drives can be imaged to E01 (regular or compressed) or RAW files located in a specfied folder on the local server. Two 10Gb Ethernet ports enable high data throughput.

As essential as imaging speed is, the proper treatment of evidence drives remains a priority. To enable automatic launch of imaging of the healthy devices and avoid potential deterioration of drives in a shaky condition, the Express mode settings have 2 handy options: select Diagnose source drive before imaging so that diagnostics is launched automatically, then select Start imaging only if diagnostics has no issues.

Atola’s signature automated diagnostics module checks all drive systems: hard drive’s motor and electronics (PCB), head stack, media surface, all firmware/system areas, partitions, and file systems. We recommend that diagnostics is always run upon a drive is connected to TaskForce for the first time.

Last but not least, you can select one of the imaging presets at the bottom of the express mode activation screen (they can be easily configured in the imaging screen). This will ensure that all imaging sessions in express mode will fit your organization’s demands and procedures.

Once express mode settings are specified, simply click the Activate button and connect your evidence drives for an immediate start of imaging upin a source drive is plugged.

17 self-launching imaging sessions

Once all settings are configured and express mode is activated, simply plug in the drives one by one and watch the imaging sessions start automatically!

TaskForce can process 17 self-launching imaging sessions in Express mode on almost all of its ports with the exception of the Extension slot. The ports that can be used for imaging in express mode are, therefore:

• 6 SATA
• 6 SATA/SAS
• 4 USB
• IDE

When activated, express mode controls all source ports, leaving target ones available for other tasks. If a port is switched from target to source, it also becomes available for imaging in express mode.

TaskForce’s 8-thread Xeon processor, ECC RAM, and the server-grade motherboard sustain multiple fast and reliable data acquisitions.

Getting it all under control

Express mode substantially speeds up imaging of evidence drives while enabling a user to configure settings for optimal handling of evidence drives.

And should TaskForce detect an issue with an imaging session, User action required notification will prompt the user to take the decision.

In addition, TaskForce keeps the user updated by displaying the number of actions required on the IP screen on the front panel of the unit.

In short, Express mode’s self-launching imaging is a perfect solution when it comes to processing large amounts of data under time pressure, while still allowing gentle treatment of damaged media.

Wiping 18 drives simultaneously

With TaskForce, Atola introduced the fastest and most capable imaging engine to the forensic market. While cumulative imaging speed in TaskForce constitutes 15 TB/h, the engine is capable of wiping up to 18 drives connected to it, thus achieving a cumulative speed of 15TB/h, 20TB/h or even more.

TaskForce’s task-oriented and efficient user interface has been developed with the intention to launch every operation in just a couple of clicks to expedite work with multiple evidence drives.

Atola TaskForce has 18 ports (6 SATA, 6 SATA/SAS, 4 USB, 1 IDE, 1 Extension slot for Atola Thunderbolt, Apple PCIe SSD and M.2 NVMe/PCIe/SATA SSD extension modules), all of which can be used for simultaneous wiping sessions.

TaskForce can wipe 18 devices simultaneously at their top native speeds when using the standard wiping method.

To perform multiple wiping sessions:

1. Connect the drives to TaskForce

2. Switch the ports, to which the drives are connected, to Target mode by using the individual Source switches on each port

3. In the user interface, click Wipe icon in the left-side taskbar

4. In Select devices window, select a drive

5. Adjust wiping settings:

• the range of sectors to be wiped
• wiping method
• enter a pattern and its format (HEX/ASCII)

6. Click Start.

Wiping process is consecutively launched for each device. Repeat the same with all the drives you want to wipe.

Once the operations are launched, you can track the progress of all tasks in the Homepage, where the percentage of wiped drive area and the time left until the end of the planned session are displayed. By clicking on an individual wiping session, you can open it to see more details on the progress.

Click Atola logo in the center of the top bar to reveal the current overall speed of wiping. In this case, we were able to achieve 18 TB/h. This high-speed wiping capability allows a forensic expert to complete the process of preparing drives for wiping in minimal time.

NB Please note that a wiping session can take longer if a different wiping method is selected. E.g. NIST 800-88 method implies not only wiping but also rereading of the wiped range. In its turn, DoD 5220.22-M method wipes the same range three times.

To ensure maximum transparency and effectiveness, Atola TaskForce documents every operation by creating detailed reports and logs. Click Reports button in the top bar and find the report in the list or by using the Search bar at the top of the page.

Multi-launch of single-device operations

To wipe a bunch of target drives for subsequent imaging sessions or verify hash values on multiple drives in your archive, use multi-launch functionality in TaskForce.

The function is currently supported for single-drive tasks: Wiping, Diagnostics, Hashing.

To wipe multiple drives:

1. Click Wiping in the main menu.

2. In the drive selection panel, tick the multi-launch box and select the drives.

3. In the Settings screen, adjust the sessions parameters. They will be applied to all the currently selected drives. If you wish to double-check the list of selected devices, click the top panel with the number of selected drives. The drop-down provides info about the drives, their health status and case ID.

4. Click Start.

When Check if device contains data option is enabled, TaskForce scans all selected devices. If any data may be overwritten, the imager will warn you.

The procedure is the same for other single-drive processes. When hashing, multi-launch can be applied to both the devices plugged into the system and the locally stored image files.

The case management system automatically saves separate reports into the individual cases.

Restore E01, AFF4, RAW image file to drive

To restore data from an image file to a drive using Atola TaskForce, follow these steps:

1. Click the Image icon in the left-side taskbar of Atola TaskForce


2. To select a file as your source go to File tab of the Select source device panel and click Select file


3. Select the E01, AFF4 or RAW file you are planning to restore


4. Select the target drive and click Continue:
   

   NB: If your target drive is larger than the size of the image, the hash values of the target drive will not be identical to that of the image file. With Atola TaskForce, you can limit a SATA target drive's capacity via Host Protected Area (HPA) or Accessible Max Address (AMA). Applying the HPA or AMA will set a new max address in the drive’s firmware, which will make the sectors beyond the required capacity inaccessible. This will make the hashing process straightforward and the hashes will match.

   To limit SATA target drive's capacity via HPA/AMA, go to the imaging Settings and click the Change button.

   

   Go to the Miscellaneous tab and enable the Limit target disk size to source size using HPA/AMA option.

   

5. Click Start for the imaging to begin.

Atola TaskForce automatically creates detailed reports for every session. The imaging report will list all the details of the source, the target, the imaging settings and timestamps including the setting of the new max address of the target drive. This makes such data extraction from a file transparent and forensically sound.

Unclip or change HPA, DCO, AMA limitations

DCO (device configuration overlay), HPA (host protected area) or AMA (accessible max address) features were created by hard drive manufacturers as hidden areas reserved for storing vendor utilities or simply to make a drive appear to have a certain number of sectors (smaller than the actual drive capacity).

But it is many years ago that end users learned to modify and write to these areas of hard drives with the help of open source and freely available tools. For digital forensics specialists, it means that without the ability to identify such hidden areas of a drive and image the full physical image including data in these areas, the evidence they get may be incomplete and lead to inaccurate investigative conclusions.

Atola TaskForce helps you detect, unclip, or change HPA, DCO, AMA limitations.

Detect DCO, HPA, or AMA limitations

When you connect a hard drive to the TaskForce unit, in addition to the standard Identify device command, Atola TaskForce software automatically sends two commands to look up the drive size as set in drive’s firmware: Read native max address and Device configuration identify. If drive size has been limited by DCO, HPA, or AMA, TaskForce will draw your attention to these changes by adding the note in red color in the device menu.

To get more details about the modifications that have been made to the drive’s firmware, run Diagnose and see the Firmware section of the Diagnostics report.

There you will see three lines indicating the drive’s Max Address according to different records in the drive’s firmware:

1. The Max Address according to device ID line shows the max address from the ID sector, affected by DCO and HPA/AMA restrictions if those are applied.
2. Native Max Address indicates max address ignoring HPA/AMA limitation that may have been enabled, yet affected by DCO restriction.
3. Max Address from DCO is the line that gives you the actual drive size.

A Diagnostics report of a drive that does not have HPA/AMA or DCO activated will have the same value in all three lines.

Unclip HPA, DCO, AMA limitations

To disable HPA, DCO, AMA limitations that have been applied to the drive’s firmware:

1. In the left-side Task Menu, click Other and then click Hidden drive areas.
2. Select device.
3. Click Unclip button.

Atola TaskForce lifts HPA/AMA and DCO restrictions in a matter of seconds and enables access to all data on the drive.

Unclip HPA temporarily (until power cycle)

To ensure the forensically sound process, it can be necessary to avoid making any changes to the drive. Therefore it is prohibited to disable HPA and DCO restrictions and access data in the hidden areas. With Atola TaskForce it is possible to lift HPA restriction until the next power cycle. This helps avoid permanent changes to the drive.

To unclip HPA on the source drive until power cycle before imaging:

1. In the left-side Task Menu, click Image.
2. Select source device.
3. Select target devices and click Continue.
4. In Confirmation dialog, suggesting you unclip the drive until power cycle, click Yes button.

This will allow temporary access to the data in HPA-protected area, but as soon as you power off or unplug the drive, the HPA will be back again.

After you confirm unclipping HPA until power cycle, the imaging process starts and the following message appears in the imaging log: Source device HPA was set to native max address until power cycle.

Set or change HPA, DCO, AMA limitations

Not all drives support hidden areas. Limitation type supported by the particular drive will be shown in green on the Hidden drive areas page.

The DCO and HPA can co-exist on the same drive: max address limited via HPA should be less than DCO.

Expectedly, AMA is supported by new drives and can't exist if DCO or HPA is supported, and vice versa.

If your target device is larger than your source device, but you need hash values for the source and for the target devices to be identical, see Clip target drive to source evidence size.

To set or change DCO limitation:

1. Make sure that the drive is in the Target mode.
2. In the left-side Task Menu, click Other and then click Hidden drive areas.
3. Select device.
4. Type in new Native max address. Notice that ID sector max address changes accordingly.
5. Click Change button.

To set or change HPA limitation:

1. Make sure that the drive is in the Target mode.
2. In the left-side Task Menu, click Other and then click Hidden drive areas.
3. Select device.
4. Type in new ID sector max address.
5. Optional: Check Change ID sector max address temporarily (until power cycle) if needed.
6. Click Change button.

To set or change AMA limitation:

1. Make sure that the drive is in the Target mode.
2. In the left-side Task Menu, click Other and then click Hidden drive areas.
3. Select device.
4. Type in new ID sector max address.
5. Click Change button.

Case management system and report types

TaskForce's case management system records every step of the data acquisition process: every operation is automatically added to the case from the moment a device is identified including date, time, imaging map and hash values. When a hard drive is imaged, its imaging map is recorded detailing all the sectors that have been skipped.

Whenever an operator connects a hard drive to the TaskForce, the system makes an automatic database lookup and retrieves all past records associated with that particular hard drive. New entries will be added seamlessly to the database. You do not need to enable case management or take any additional actions for it to start functioning; it is fully embedded into Atola TaskForce and works at all times.

Case number can be assigned and changed at any time. The system also allows browsing through all cases and reports, without corresponding devices being connected to the unit.

Report types and formats

There are two types of reports in TaskForce:

1. Device reports are created every time an action is taken to the drive: drive identification, imaging, hashing, wiping and other operations related to the drive are documented in these reports.
2. Non-device reports are created to register any changes made to the cases: case opening, case details change, case import and export.

All reports have these key elements: a header that provides device and case details, an action summary and task details (task settings, task log, etc.).

A diagnostics report contains even more details: it lists the checkup results for all subsystems of a drive and includes oscillograms, SMART table, etc.

Add a case

When you identify a device in Atola TaskForce for the first time, the system automatically creates a new case for that device and records every single operation performed with the device or with the case itself. To know more about how it works, see Case management system and report types.

Until you specify case details, Case ID shows in TaskForce interface as Not assigned.

To distinguish and search your cases by a case number, investigator’s name, and case description, you can add a case and enter these case details. Also, you can set TaskForce to remind you to enter case details before starting any task.

There are several ways to create a new case in TaskForce:

• From the Devices menu.
• From the Cases page.
• From the Device page.

Add a case from the Devices menu

1. Connect a device to TaskForce.
2. In the TaskForce main window, click Devices.
3. In the Select device panel, in the port with your device, click More icon, and then select Add case.

4. Enter case details and click Continue. TaskForce creates a new case and adds your device to it. The Case created report appears on the Home screen and on the Reports page.

Add a case from the Cases page

1. Connect a device to TaskForce.
2. In the TaskForce main window, click Cases.
3. On the Cases page, click Add case.
4. In the Select device panel, click on your device.
5. Enter case details and click Continue. TaskForce creates a new case and adds your device to it. The Case created report appears on the Home screen and on the Reports page.

Add a case from the Device page

1. Connect a device to TaskForce.
2. In the TaskForce main window, click Devices.
3. In the Select device panel, click on the port with your device. TaskForce takes you to the Device page.
4. Optional: If TaskForce hasn’t identified your device yet, then, on the Device page, click Re-identify.
5. In Case ID pane, open the drop-down menu, and then click New.

6. Enter case details and click Continue. TaskForce creates a new case and adds your device to it. The Case created report appears on the Home screen and on the Reports page.

Enter case details before starting any task

Entering case details before performing any operation with a device helps you to keep your cases organized and searchable. TaskForce can be set to request that you enter case details before starting any task.

To enable this feature, do the following:

1. In the TaskForce main window, go to the Menu > Settings.
2. In the Cases section, toggle Set case details before task start.

Now, TaskForce will ask you to enter case details before performing any operation with a device.

Show 'Add case' button

You can add cases right from TaskForce Home screen before working with the device. To do that, set TaskForce to show Add case button in the top panel:

1. In the TaskForce main window, go to the Menu > Settings.
2. In the Cases section, toggle Show 'Add case' button on TaskForce top panel.

Now, TaskForce shows Add case button in the top panel.

Add one device to several cases

In Atola TaskForce, you can include the same device in several new or existing cases using the Case management system. When a device is added to more than one case, TaskForce keeps the tasks and reports, which are associated with each case, separate.

Add a device to another new case

To add your device to several new cases, do the following:

1. Connect a device to TaskForce and identify it.
2. Add first new case and include your device to it. For guidance, see Add a case.

After you have added your device to the first case, do the following steps:

3. In the TaskForce user interface, click Devices.
4. In the Select device window, click on the port with your device. TaskForce takes you to the Device page.
5. In Case ID pane, open the drop-down menu, and then click New.

6. Enter case details and click Continue.

TaskForce creates another new case and adds your device to it. The Case created report appears on the Home screen and on the Reports page.

Add a device to another existing case

When you already added your device to one case and want to add that device to another existing case, do the following:

1. Connect a device to TaskForce.
2. In the TaskForce user interface, click Devices.
3. In the Select device window, click on the port with your device. TaskForce takes you to the Device page.
4. Optional: If TaskForce hasn’t identified your device yet, then, on the Device page, click Re-identify.
5. In Case ID pane, open the drop-down menu, and then click Select.

6. In the Select active case window, chose your existing case. If needed, use the Search field to find it. TaskForce adds your device to the selected case.

Switch between cases on the Device page

When a device is added to more than one case, TaskForce keeps reports, which are associated with each case, separate.

To switch between cases on the Device page:

1. In Case ID pane, open the drop-down menu.
2. Click on the case you want to make active. TaskForce shows reports, associated with selected case.

Add several devices to one case

In Atola TaskForce, you can have a forensic case that contains more than one device. TaskForce lets you add several devices either to a new or an existing forensic case.

To add several devices to a new case, you need to create a case first. For guidance, see Add a case.

To add another device to an existing case, do the following:

1. Connect a device to TaskForce.
2. In the TaskForce user interface, click Devices.
3. In the Select device window, click on the port with your device. TaskForce takes you to the Device page.
4. Optional: If TaskForce hasn’t identified your device yet, then, on the Device page, click Re-identify.
5. In Case ID pane, open the drop-down menu, and then click Select.

6. In the Select active case window, choose your existing case. If needed, use the Search field to find it.

Now, when you open your case, the Case details page lists all devices associated with the case. The Case details page also contains active tasks and reports for each device included in the case.

Finding and editing cases

TaskForce automatically creates reports for every single action applied to each drive connected to it. Whether it is a source drive or a target drive, any action, be it imaging, wiping or physically switching write protection on or off, will be documented and stored in the system.

To find a case, click Cases in the top left corner, it will redirect you to the case management system.

Search for a specific case or device in the Search bar (by case ID, investigator's name or device details) and sort results by any column.

To open a case, click the respective line in the list.

A case page contains case details, information about the devices associated with the case (name, serial number, capacity etc.), as well as reports for all tasks applied to the device.

NB At the moment, a case may only include one device. In the future releases, we will be adding the possibility to add multiple devices in a case as well as including the same device within a number of cases.

Editing case details

To change case details, click on Edit button at the top of a case page.

It is possible to change the case ID, Description and Investigator. Click Save button when done editing.

In upcoming software releases, we will be adding the possibility to store multiple drives under the same case number. We will also be adding the possibility to upload pictures (photos of the device, scanned reports and documents related to the drive etc.) to be stored in a case.

Finding reports

TaskForce automatically creates reports for every single action applied to each drive connected to it. The system also allows browsing through all cases and reports, without corresponding devices being connected to the unit. The reports are listed and can be easily retrieved in different parts of TaskForce software.

1. Via case page

All reports related to the case are listed at the bottom of the case page. Scroll down and turn pages to view all the reports, sort them by date or by title, use the search bar to look for specific reports by their titles.

To open a report, click the respective line.

2. Via View reports

If you need to search among all existing reports, click Reports button at the top.

Click View reports button This will redirect you to the page with all existing report that can be filtered by date, title, case ID or device details. Search for a specific report by entering report title or drive details.

Open the report you need by clicking it in the list.

3. Via Home page

Similarly, recent reports can also be found on the Home page underneath the Active tasks. Home page is the place where you can look up active and completed tasks and view reports for all completed tasks. Find specific reports quickly by entering filters in the search field.

Printing reports from a case

When you work on an investigation and want to have complete information about the evidence drive and all operations that have been taken to diagnose, image, calculate hash, etc., you can address Atola TaskForce’s case management system to print out all reports concerning your evidence.

To do that:

1) Click Print button at the bottom of the case page.

1. Click Print button at the bottom of the case page.


Print reports

2. In Settings page you can choose if you want the printed reports to include logs.
NB Logs are parts of the reports that give detailed information about the start and the end of a task, problems encountered during the operation (e.g. inability to read a sector within the time allocated for the operation), actions taken (e.g. jumps from a bad sector, completed pass of imaging, performed resets and power cycles etc.)


Print multiple reports from a case and include logs

3. Click Print button. This will redirect you to a page with full reports. There they are put in the same order as the order, in which they were listed on the case page (either by date or by title).


Generated reports

NB If you selected the Information about unit's components, the last report generated will include the description of all storage devices contained in current TaskForce system.



Generated report listing all storage devices contained in current TaskForce unit

4. In this page, there is another Print button. After clicking it you can configure printing settings.

Each report will be printed on a new page.

FAQ

Imaging

RAID configuration autodetection & imaging

Performance

Connectivity

Case management & reports

Hardware

Subscription

Troubleshooting