Atola TaskForce Manual

Version: Aug 03 2020

Quickstart

Introduction

Unit & extensions

Installation & environment setup

Working with devices

Interface controls & indicators

Diagnostics

Imaging

Automation

Calculating & verifying hash

More features & special capabilities

Case management

Quickstart

Atola TaskForce has highly intuitive design. This guide will assist in quickly learning how to use TaskForce and image an evidence drive.

1. Start TaskForce

Switch on the power button on the back side of the system and wait for a message to appear on the small IP screen on the front panel. If TaskForce is connected to the local network with an Ethernet cable, IP addresses will be displayed, which can be entered in a Chrome browser on any device within the same local network. If no Ethernet cable is connected to it, TaskForce will start in Standalone mode, in this case you can use the main screen on top of the device.

TaskForce shows network IP address to connect

TaskForce shows network IP address to connect

2. Plug the source drive into the unit

Atola TaskForce has 18 ports, and each of them can be used as either a source or a target. Before connecting your evidence drive to the appropriate port, make sure the port is in the source mode, thus securing any command that can change the state of the drive from being applied to the evidence drive.

3. Diagnose the source drive

In the left-side menu click the Diagnose button and a slide-out Select device menu will appear.

In the appropriate category (SATA, SAS, USB, File, IDE or Extension*) select the source drive and click START button. Diagnostics will take a couple of minutes. Should the state of the evidence drive be good, you can proceed to image it.

Diagnostics proves the drive is fine

Diagnostics proves the drive is fine

4. Plug the target drive(s) into the unit

When connecting a target drive (or multiple targets), also make sure that the corresponding ports are set to target mode.

5. Start imaging

In the left-side menu click the Image button.

Select the source device you have diagnosed in the menu.

Select the targets in the menu. Once you have selected the source, a right-hand slide-out Select target device menu will appear. Under the same categories you can find and select a single target or multiple targets.

The Imaging initiation page lists the source drive and the case ID at the top of the page, the default settings applied to this imaging session and the list of Targets to be involved in this session. Click Start button at the bottom of the page.

Image acqusition in progress

Image acqusition in progress

TaskForce workflow

Atola TaskForce provides a complete feature set for has a forensically sound evidence acquisition process. Based on our own decade-long experience of working with data storage devices as well as the experience of our clients in digital forensics market we strongly recommend this workflow:

1. Diagnose the drive

TaskForce is equipped with a fully-automated diagnostics module, which diagnoses all drive systems: printed circuit board (PCB), spindle motor, head stack, firmware, and file systems. Diagnostics will work properly even if the drive has burnt parts or damaged head stack – the routine makes use of the current monitor that is embedded into DiskSense unit.

After diagnostics finishes, the tool will prepare a report and let you know the exact issue with the drive; it will also suggest the next step to be able to retrieve the data.

Diagnostics of damaged drive

Diagnostics of damaged drive

2. Get access to the media

HPA and DCO recovery

TaskForce detects hidden areas on the drive set via Host Protected Area (HPA) or Device Overlay Configuration (DCO) and can automatically recover/remove them. To avoid change the state of the drive, HPA or DCO reset until power cycle option is available with software version 2018.2.

3. Image the evidence

To ensure efficient imaging of both good and damaged drives, TaskForce is equipped with a sophisticated and powerful imaging module that creates a bit-to-bit copy of the evidence. Based on the diagnostics report, image drives with default settings or adjust them, should the media be damaged and require special treatment.

Imaging damaged drive

Imaging damaged drive

Imaging good SSD. Speed: 538 MB/s

Imaging good SSD. Speed: 538 MB/s

4. Calculate hash

To ensure forensically sound evidence acquisition process, remember to calculate hash of the evidence and the image. It is essential way to prove image integrity.

With damaged devices, it is best to calculate hash during imaging (using segmented hashing*). This way data on a fragile device is only read once, and less potential damage to the media is caused.

NB Linear hash can only be calculated by reading data in sectors consecutively in one pass. When it encounters a bad sector, linear hash calulation is discontinued. In upcoming releases we will support Segmented hashing so that hash can be calculated for damaged drives.

Package contents

Please make sure that you have all these items in the package:

Power supply

14x SAS/SATA powered cables

Hitachi password extraction adapter

3.5" to 2.5" IDE adapter

IDE power cable

IDE interface cable

Serial cable RS-232

2x Ethernet cat 7 cable

Flash card reader

Microfiber cloth

1-page installation instruction

Extension modules

TaskForce system allows expanding its compatibility with other device interfaces via hardware extension modules.

How to plug an extension module

TaskForce system must be powered off before an extension module can be plugged:

  1. Power off TaskForce
  2. Plug extension module into the Extension port
  3. Power on TaskForce

Thunderbolt extension module

With the help of Thunderbolt extension module TaskForce supports imaging, hash calculation, write protection on MacBooks with ith the following interfaces:

  • FireWire
  • Thunderbolt 2
  • Thunderbolt 3, 2016 - 2017 models

Connecting MacBook via Thunderbolt extension module

  1. Connect MacBook to TaskForce unit with the help of Thunderbolt extension and the FireWire cable. Use adapters if needed (included).
  2. To boot MacBook in Target Disk Mode, start it up while holding down the T key until you see a Firewire or Thunderbolt icon displayed on screen signifying Target Disk Mode.
  3. Power on TaskForce and wait for the booting to be completed.
  4. Open Device menu.
  5. Click the port in Extension section of the Device menu.
  6. In the Enter MacBook serial pop-up window, enter the serial number located on the bottom side of the MacBook and click OK.
Thunderbolt extension

Thunderbolt extension

For more information about working with MacBooks via Thunderbolt extension, read this article in our manual.

Apple PCIe SSD extension module

This module supports custom proprietary PCIe SSDs from Apple MacBooks (Mid 2013 - 2015).

Apple PCIe SSD extension

Apple PCIe SSD extension

M.2 SSD extension module

Only M key interface drives are supported by this module. Differences between M.2 MVMe, M.2 SATA and M.2 PCIe support:

Features M.2 NVMe M.2 SATA M.2 PCIe
All TaskForce operations Partial Partial
Drive hotplug
Power management

M.2 SSD features supported:

  • Max read/write speed: 1300MB/s
  • Damaged drive support
  • Calculate hash
  • Write protection

Connecting an M.2 NVMe or M.2 PCIe drive via extension module

M.2 PCIe SSD extension

M.2 PCIe SSD extension

Connecting an M.2 SATA drive via extension module

  1. Connect the eSATAp cable end to the extension
  2. Power off SATA or SAS port in Atola TaskForce software
  3. Plug M.2 SATA drive into the extension and fix it in place with the plastic latch
  4. Power on SATA or SAS port in Atola TaskForce software

For M.2 SATA, drive hotplug is supported. It allows installing and replacing drives by powering off the extension port in Atola TaskForce software.

M.2 SATA SSD extension

M.2 SATA SSD extension

Atola TaskForce's connectivity and multi-user access

Atola TaskForce has three connectivity options:

  1. 10Gb Ethernet network
  2. Standalone mode
  3. WiFi access point

10Gb Ethernet network

Atola TaskForce is equipped with two 10Gb Ethernet ports. Whenever the system is connected to a local network via one of its Ethernet ports, an IP address will be displayed on the IP screen on the front panel of the system.

IP address of Atola TaskForce

IP address of Atola TaskForce

If the system is connected via both Ethernet ports, two IP addresses will be displayed on the screen. These IP addresses are assigned to TaskForce by your DHCP server.

Multi-user access

With the help of these IP addresses, TaskForce can be operated by multiple users from their workstations or mobile devices:

  • enter either of the IP addresses as shown on the IP screen in Chrome browser on another device within the same local network.
Enter IP address in Chrome browser

Enter IP address in Chrome browser

Through Chrome browser one can remotely track and manage tasks, power devices on and off, open, edit and print cases etc.

Types of devices that can be used to access TaskForce simultaneously include:

  • Desktop PC
  • Laptop
  • Tablet
  • Smartphone
  • Built-in TaskForce touch screen

TaskForce software can be open in Chrome browser within any OS.

This functionality enables a group of users to work on different assignments using the same tool. This helps utilize TaskForce’s multitasking capabilities to the maximum and track operation progress remotely. The number of users accessing TaskForce simultaneously is unlimited

Standalone mode

TaskForce is equipped with highly responsive HD screen (see Hardware specs), which allows the system’s use in standalone mode.

Whenever the system is not connected to a network via its 10Gb Ethernet ports, Standalone mode status will be displayed on the IP screen.

In this mode, you can image data from multiple source drives to target drives in parallel. Thanks to its compact size TaskForce can be easily used in the field.

Compact and lightweight TaskForce

Compact and lightweight TaskForce

Wi-Fi access point

The third way to access TaskForce's user interface is via built-in Wi-Fi 802.11n 150 Mb/s adapter. The adapter is disabled by default. To enable it, follow these steps:

  1. Go to Menu in top right corner of TaskForce web page
  2. Click Settings
  3. Enable Wi-Fi Hotspot. An IP address will appear underneath Wi-Fi Hotspot category.
  4. Click SETTINGS button
Enable Wi-Fi Hotspot

Enable Wi-Fi Hotspot

  1. Enable Wi-Fi Hotspot
  2. Set SSID and Password. To make the network invisible to other devices, check the Hidden mode box. Click SAVE button.
  3. Use these details to connect to the Hotspot from another device.
Adjust Wi-Fi settings

Adjust Wi-Fi settings

  1. To open TaskForce interface, enter the IP address (indicated under Wi-Fi Hotspot category in Settings window, see Step 3) in Chrome browser of the device you have connected to the Hotspot.
 

The vast connectivity options make TaskForce a great tool for using both in the lab and in the field.

Updating TaskForce firmware

Atola TaskForce firmware is updated on regular basis by our team. You can keep track of the updates we make to the firmware in TaskForce changelog.

Updating TaskForce firmware is easy using a remotely connected computer.

  1. Plug TaskForce into to your local Ethernet network
  2. Open Chrome on your PC
  3. Download the most recent version of the firmware
  4. Enter TaskForce IP address in Chrome browser
  5. Open the System menu by clicking the top right corner icon
  6. In the right-side menu, click Update firmware
  7. Click Update firmware

    Click Update firmware

  8. In the pop-up window, click Choose firmware file
  9. Click Choose firmware file button

    Click Choose firmware file button

  10. In the file selector, select the firmware file and then click Open button
  11. Select the firmware file

    Select the firmware file

  12. In the pop-up window, click Update button

Once the update process has been completed, TaskForce software will switch to the new version. No TaskForce reboot or Chrome restart is required.

The current firmware version can be checked in About page of the System menu.

Check current formware version

Check current formware version

Network setup guides and tips

Configuring 10Gb network with DHCP-enabled switch

You need to create or extend network with DHCP-enabled switch with 10Gb connection.

Example. Ubiquiti EdgeSwitch 16 XG: four 10Gb Ethernet ports, twelve 10Gb SFP ports. Approximate price: $600.

This kind of switch supports static IP setup via simple web admin. So you could set the IP addresses you need for each current network device.

How to configure Ubiquiti DHCP server:

  1. Connect PC and TaskForce to Ubiquiti switch
  2. Set static IP address of PC to 192.168.1.4
  3. Open a browser and enter 192.168.1.2 (default Ubiquiti switch IP)
  4. Log in with default credentials: ubnt (both in name and password fields)
  5. Go to System >> Advanced Configuration >> DHCP server >> Global
  6. Activate Admin mode by checking a necessary checkbox and pressing Submit button
  7. Go to Pool Summary and press Add to make a new address pool
  8. Enter your:
    • pool name
    • network base address (for example, 192.168.1.0)
    • network mask (in most cases, it should be 255.255.255.0)
    • put Default Router Address and DNS
    After creating your pool, you can change it via Pool configuration tab.
  9. Click Save configuration button in the upper right corner of the window and click Save

You can check this Youtube quide for alternative instructions on network setup using Ubiquiti switch.

Getting maximum performance of Ubiquiti EdgeSwitch 16 XG network

To optimize performance using Ubiquiiti EdgeSwitch 16 XG, you need to enable 10Gbit with jumbo frames:

  1. Go to Basic > Port summary
  2. Select ports 0/13, 0/14, 0/15, 0/16 and click Edit
  3. Change Maximum Frame Size to 9014 in Edit Port configuration window

Configuring a dynamic IP for TaskForce in a network without router or DHCP-enabled switch

If there is no hardware in the network that assigns IP address, or if you want to keep a small network with TaskForce and your server/PC connected directly, it is possible to install and setup software DHCP server. The good news is, it does not require any investment. All you need is some time to set it up on any computer in the server network. Follow the instructions from these guides:

Accessing Windows Server 2012 shared folder

If you want to store a target image file in a Window Server 2012 network folder but it appears missing, please follow these steps:

  1. Go to Control panel
  2. Enable Guest account (Administrative tools > AD users and computers > Users)
  3. Network and sharing center > Change advanced sharing settings > Turn On network discovery + Turn on sharing (file and printers + public folders)
  4. In the shared folder access options, add Guest or Everyone

If the shared folder demands restricted access, please follow this guide.

Setting up Synology DS218 as storage server

To set up Synology DS218:

  1. Go to Control panel > File services > SMB > Advanced settings
  2. Set Maximum protocol to SMB3
  3. Go to Control panel > Shared folder
  4. Click Create button and specify network folder details

If you need to get a guest account working, run the following actions:

  1. Go to Control panel > User
  2. Edit for Guest user
  3. Untick Disable this account

For more instructions and information about check our Troubleshooting guide and FAQ page

Imaging to server faster using Jumbo frames in TaskForce

In TaskForce, Jumbo frames are activated by default to ensure maximum data transfer rates when imaging to a file on your server.

However, if Jumbo frames have been disabled, it is easy to enable them again and experience substantial boost to the speed of imaging!

First, create a file on the server, to which you will be imaging.

Create target file

Create target file

When you start to image to your server with Jumbo frame disabled, the data transfer speed will not exceed 500 MB/s. The actual speed will also depend on the configuration and current traffic in the network.

Speed of imaging without Jumbo frames

Speed of imaging without Jumbo frames

To boost the speed:

1. Pause the imaging session
2. Click the Service menu in the right corner of the top bar
3. Click Settings

Open Service menu

Open Service menu

4. Enable Jumbo frames of the Ethernet port you are using and set MTU to 9000

Enabling Jumbo frames

Enabling Jumbo frames

NB For fast imaging of files to your server via 10 Gigabit network, you need to activate Jumbo framework in the settings of the server’s network adapter as well as in the settings of the network switch, should it be necessary (10Gb switches normally have Jumbo framework activated by default).

Then you can return to your imaging session by clicking Image button and selecting the source and clicking Resume button. This time, the speed will be way higher!

Imaging speed with Jumbo frames enabled

Imaging speed with Jumbo frames enabled

Connecting drives & starting Atola TaskForce

This page provides information about Atola TaskForce start up procedure to ensure safe and effective operation of the unit.

Powering on TaskForce

The power switch is located on the back panel of the unit. To start TaskForce, turn the power switch on.

Booting

The booting process takes up to 3 minutes.

Once booting is completed, the IP screen on the front panel will display either "Standalone mode" message or the IP address if the unit be connected to the Ethernet. At this point, the unit is ready for operation.

TaskForce screen

The Microsoft Surface Pro tablet that serves as TaskForce's screen is switched on and off independently from the unit, by pressing the button in the tablet's top panel.

Connecting drives

Atola TaskForce supports SAS, SATA, USB, and IDE drives via its 17 ports, as well as other storage devices via Thunderbolt, Apple PCIe, and M.2 SSD extension modules.

To ensure both TaskForce and the devices connected to it are used properly and safely, read the instructions below.

Connecting USB devices

TaskForce system must be powered on before a USB device is plugged in. As soon as booting is finished and the IP address is displayed you can plug the USB device into any of 4 USB ports available.

NB If you connect a USB device before starting TaskForce, the imager will not be able to boot correctly.

Connecting Extensions

Before connecting an extension module, make sure TaskForce is powered off. Plug the extension module into the extension slot located on the back panel of TaskForce and power the unit on.

Connecting evidence drives

Each port is equipped with an individual Source switch enabling hard write protection on the port. To make sure data on the drive is not overwritten, make sure the port is in the source before you connect the evidence drive.

Connecting SATA & SAS drives

TaskForce has 6 SATA and 6 SATA/SAS ports. Before connecting evidence and target devices to the imager, make sure the ports are switched to the right mode. When a drive is connected to a running TaskForce imager, the port is by default powered off. To identify the device plugged into the port, click the Devices button in the top panel of the TaskForce interface, and TaskForce will start to identify all connected drives. The system ensures sustainable overall power consumption in the situations when many drives are plugged in.

Powering off TaskForce

If TaskForce is not running any processes, it is safe to power off the unit by turning off the power switch. Any sessions that were active at the moment the unit was powered off (whether it is due to an outage or the power switch being turned off) will not be stopped correctly and cannot be resumed later.

TaskForce drive identification

Atola TaskForce is designed to perform multiple processes simultaneously and provide its users with unprecedented flexibility when it comes to a variety of devices and configurations in which they can be used. TaskForce also makes sure to efficiently communicate how a device is being used and helps a user to handle drives correctly.

When connecting a drive to the system, make sure the right mode is set on the port: in source mode, an evidence drive is automatically write-protected. It can only be changed with Source hardware switches.

Source hardware switches

Source hardware switches

As soon as you choose a particular task or click Devices button in the top bar, TaskForce starts sequentially supplying power and sending commands to identify all connected devices.

After a connected drive receives power supply and identification commands from the unit, it responds with device info including:

  • device model and serial number;
  • device capacity;
  • limitations of the drive.

TaskForce software also immediately detects whether the drive is locked by ATA password or the drive’s max readable address is limited via HPA/DCO. The unit indicates these restrictions and notifies a user about those with red color indication in the device menu.

TaskForce detects ATA, HPA/DCO limitations

TaskForce detects ATA, HPA/DCO limitations

These indicators allow a user to make informed decisions on how to proceed with the device, whether unlocking is required to get access to the whole drive space before starting an imaging session.

Notification device not detected may point to one of these issues:

  • there is no device on the port;
  • the cable is not properly plugged in;
  • the device is connected to another port;
  • the device is heavily damaged.
Notifications device not detected

Notifications device not detected

If a source drive is busy with a running operation, the port will be temporarily unavailable for selection when launching other tasks. In such case, the fonts in the respective box will be a lighter shade of grey, making the port unclickable.

Busy source drive

Busy source drive

When selecting a target device for wiping or imaging, source drives are also unavailable to ensure that data on an evidence drive doesn’t get overwritten by mistake.    

Selecting target device

Selecting target device

To accommodate our users’ needs in a fast forensic process, Atola engineers are working to significantly reduce the amount of time needed for drive identification in the upcoming firmware releases. This will make TaskForce faster yet!

Working with MacBooks via Thunderbolt extension module

Thunderbolt extension enables TaskForce to work on MacBooks with the following interfaces:

  • FireWire
  • Thunderbolt 2
  • Thunderbolt 3, 2016 - 2017 models

No SSD removal is necessary, the extension allows connecting TaskForce directly to a MacBook.

The extension module comes with:

  • Thunderbolt 3 to Thunderbolt 2 adapter (by Apple)
  • Thunderbolt 2 to FireWire adapter (by Apple)
  • FireWire cable (comes in white or black color)
Cable adapters

Cable adapters

Connecting MacBook to TaskForce unit

In the Enter MacBook serial pop-up window, enter the serial number located on the bottom side of the MacBook and click OK.

1. Connect MacBook to TaskForce unit with the help of Thunderbolt extension and the FireWire cable (NB Both MacBook and TaskForce have to be turned off). Use adapters to connect to the MacBooks with Thunderbolt 2 or Thunderbolt 3 interface.

2. Boot the MacBook in Target Disk Mode. To do that, start it up while holding down the T key. You should see a Firewire or Thunderbolt icon displayed on screen signifying that Target Disk Mode is detected and working.

Thunderbolt extension

Thunderbolt extension

3. Power on TaskForce and wait for the booting to be completed.

4. Open Device menu.

5. Click the device box in Extension section of the Device menu.

Select MacBook device in Device menu

Select MacBook device in Device menu

6. If this is the first time this MacBook is identified by TaskForce, you need to enter the serial number in the Enter MacBook serial pop-up window and click OK.

Enter MacBook's serial number

Enter MacBook's serial number

NB serial number located on the bottom side of the MacBook.

MacBook's serial number

MacBook's serial number

Now you can perform these operations and features with the connected MacBook:

  • imaging
  • hash calculation
  • write protection

During the subsequent identifications of a MacBook connected to TaskForce, its serial number can be selected from the drop-down menu in the Enter MacBook serial pop-up window. TaskForce will look up its case management system and will offer the choice of MacBooks with the same drive size.

Select the MacBook with serial number you have connected to TaskForce

Select the MacBook with serial number you have connected to TaskForce

Atola TaskForce: Main window

This article helps in understanding TaskForce’s main window, its controls and buttons and how to use them.

1. Home icon

The Home button brings you back to the Home screen. This is where you can check the active and recently completed tasks in the respective sections of the screen.

The number of current active processes is indicated next to the Home icon in a small orange box.

2. Left-side taskbar

When you click Other button in the left-side taskbar you will see two more important TF operations: looking up the SMART table of a drive and unclipping HPA/DCO restriction, applied to a drive.

3. Cases

By clicking the Cases button in the top panel you get to the Cases page with a list of the latest cases. With the help of the Search bar you can find a specific case. The cases are available for import and export between different TaskForce units.

4. Reports

By clicking the Reports button in the top panel you get to the Reports page that is equipped with a similar search bar. The reports can be selected and printed directly from this page.

5. Current overall performance

To check the Current overall performance please click the Atola logo in the top panel. This allows you to keep track of the unit’s capacity usage. TaskForce allows running processes at 15 TB/hour and more.

6. Devices

Click Devices button in the top panel to see all the drives connected to TaskForce to obtain maximum information about each by simply clicking it.

The Devices panel provides additional options for working with the drives: you can power off, reset and re-identify any device.

7. Menu

The Menu contains device settings and features that regulate your use of the TaskForce unit.

In Settings you can adjust the general, database and network settings.

Activation status allows you to look up, reactivate the status or extend the subscription.

In Release notes you can read the information about the most recent Atola TaskForce firmware release and track all updates and enhancements by clicking corresponding links.

In Update firmware you can check the current TaskForce firmware, choose update method and perform the firmware update by selecting and downloading the firmware file.

Toggle fullscreen option is handy when working with other programs or files.

By clicking the About button in the Service menu you open general info about TaskForce.

Registers: what they mean

SATA device registers

SATA device registers


Link Register

It's only enabled when port powered on, device presence detected and PHY communication established.

Status Register

This register contains hard drive status information. It is updated after every single command sent to the drive.

ERR: means last command failed to execute. In this case the Error register contains more details on the specific error.
INDX: obsolete, used to trigger after each spindle revolution
CORR: obsolete, used to trigger after a bad sector was automatically corrected by ECC
DREQ (Data Request): is asserted when hard drive wants to exchange data with the host controller (in either direction)
DRSC (Device Seek Complete): is obsolete; always asserted on modern hard drives
FAULT (Write Fault): is obsolete
DRDY (Device Ready): is obsolete; always asserted on modern hard drives
BUSY: indicates that the hard drive is busy executing a command OR initializing (after power on or reset)

Error Register

Error register provides more details if the last command failed. This register is only valid when ERR bit of the Status Register is asserted.

AMNF: means Address Mark Not Found (usually occurs on failed read attempt)
T0NF (Track 0 Not Found): obsolete
ABRT: command aborted (unsupported command or other failure)
IDNF: sector ID not found (usually occurs on failed read attempt)
UNC: uncorrectable read error; the hard drive was unable to read data even after applying ECC recovery algorithms
ICRC (Interface CRC error): there was CRC error while transferring data between host and the hard drive (usually indicates bad interface cable)

Diagnosing a drive with Atola TaskForce

When an evidence drive lands on investigator’s table for the first time, there is always an uncertainty when it comes to the drive's condition. A broken head or scratched surface of the media require different imaging tactics. That’s why it is strongly suggested that before imaging, each drive should first be diagnosed. 

TaskForce has Atola's unique diagnostics module which checks all systems of the drive:

  • Hard drive's motor and electronics (PCB)
  • Head stack
  • Media surface
  • All firmware/system areas
  • Partitions and file systems

At the end the system produces a report which sums up all issues. The process will take only 2 - 5 minutes. 

To start, click Diagnostics button in the left-side menu, select the drive and then click START button at the bottom of the screen.

Start diagnostics

Start diagnostics

First, TaskForce checks the drive's printed circuit board. The system applies power to the device and records and analyzes spin-up current curve. This helps detect most issues with the PCB and the motor. Next, TaskForce analyzes the contents of the hard drive's ATA registers and device identification sector.

Circuit board check

Circuit board check

After that, the head stack is tested. Several factors are taken into consideration when diagnosing heads: media access time for each head, power consumption curves, and internal drive's error reporting systems.

If the head stack looks good, the system performs a short media scan. The purpose of this scan is to verify if there are any bad sectors in the starting, middle and ending sectors of the drive pointing to a damage to the media surface or logical errors. 

Heads and media surface check

Heads and media surface check

Next, several firmware tests are performed:

Firmware check

Firmware check

If TaskForce detected no issues by this point, it performs a file system checkup:

File system check

File system check

After this final stage of diagnostics, TaskForce displays the full report. Diagnostics result message box contains a short summary of all tests. It also provides estimated imaging time for this drive.

Diagnostics report

Diagnostics report

Tracking a drive's SMART table status before and after imaging

SMART table is a valuable source of information about a hard drive’s health. SMART (Self-Monitoring, Analysis and Reporting Technology) provides stats of a drive’s operation, thus helping predict its future failure. Making a definitive conclusion based on the indices in SMART table is not easy: not all parameters are critical, it is usually a combination of bad values of a few parameters that point to a trouble, time factor plays a role too (how fast has the state of the drive been deteriorating).

SMART table is included in Diagnostics report. If you want to have a look at the current indices:

  1. Click Other in the left-side menu
  2. Click View SMART
  3. Select the drive
  4. Click Start button
SMART table report

SMART table report

SMART table attributes may differ depending on the drive manufacturer. The most critical attributes are:

  • Reallocated sectors count
  • Current pending sector count
  • Uncorrectable sector count

When RAW value of any of these attributes is greater than zero, TaskForce will highlight it in yellow.

The worse the values, especially in these critical attributes, the more carefully the drive needs to be treated.

To keep track of the changes occurring to the attributes of the SMART table, the imaging settings can be easily adjusted to records SMART table indices prior and after each imaging session.

Adjust the imaging settings to keep the record of SMART prior and after the imaging session

Adjust the imaging settings to keep the record of SMART prior and after the imaging session

By comparing the two tables, user can evaluate whether the health of a drive has been deteriorating throughout the imaging session and thus assess how quickly its health has been getting worse. Any discrepancies between the two SMART tables will be highlighted in yellow.

How SMART table state changed after image acquisition

How SMART table state changed after image acquisition

Whenever you need to evaluate how the state of the drive has been changing long-term, you can go to previous imaging sessions and look up SMART table. TaskForce will store this information in its case management system.

Imaging an evidence drive to 5 targets

Atola TaskForce allows imaging to up to 5 targets at a time.

The targets may include

  • E01 or RAW (.img, .dd) file on a network server
  • target drive plugged into one of 18 TaskForce ports

To start an imaging session that includes 5 targets:

1) Click Image icon in the left-side menu

2) Select source and target devices. To create a target file, click Select file icon in the target drive menu and click Continue button.

Select targets

Select targets


3) In Select image file, open the folder on the server where you want the file to be created and click the Plus icon.

4) In Create image file pop-up window, type in a name for the file and select its type (E01, RAW, img., or dd.), click Create and click Continue button in Select target devices window.

Enter the name of the file

Enter the name of the file


5) In the summary page, double-check imaging settings and the targets selected for the imaging session and click Start button.

Check the settings and click Start button

Check the settings and click Start button


In the imaging page, there are two diagrams that show the progress of imaging. The upper one is called imaging map bar and shows imaging progress throughout the whole drive space (all successfully imaged sectors on the source drive are marked green, all damaged ones are marked red). The lower diagram is called read speed graph and shows the time TaskForce spent reading sectors on the source drive. 

NB Overall imaging speed is always limited by the slowest device: either by the read speed of the source or the write speed of the slowest target. 

Imaging in progress

Imaging in progress


When imaging is completed, you are redirected to the imaging summary page, where you can review the details of the session including source and target drive details, imaging settings, hash values and the time when imaging session started and when it was completed.

Imaging completed

Imaging completed

Imaging a drive to two targets with post-hashing

Atola TaskForce's imaging functionality provides many adjustable settings to help forensic examiners follow the guidelines set by their organizations as well as common-sense evidence handling routines.

When you need to create two images of a source drive and verify that both images are identical to the source drive, you will need to calculate the hashes of both targets after imaging. To optimize the process, post-hashing of both target devices is easily configured in imaging settings:

1) Click Image button in the left-side menu

2) Select Source and Target devices, which will redirect you to the page with the summary of current imaging settings. In the default settings, hashing of source drive during imaging is enabled.

3) Click the Change button to adjust the settings.

Change default imaging settings

Change default imaging settings

4) in the Hashes tab of the settings, enable Post-hash target devices option.

5) Click Start button to proceed with imaging

Select post-hashing of targets

Select post-hashing of targets

Hashing of source drive during imaging is a preferred option because it only requires the data on the evidence drive to be read once, for both imaging and hash calculation. This ensures both a forensically sound process and minimal impact to potentially unstable media. Hashing during imaging does not slow down imaging process.

Imaging progress

Imaging progress

Once imaging is completed, post-hashing begins immediately on both target devices:

Post-hashing in progress

Post-hashing in progress

In the end, TaskForce produces a report that documents hashes of both source and target devices:

Imaging report with source and target hashes

Imaging report with source and target hashes

Imaging only sectors with data

Capacity of an average drive in a case constantly grows, and selective imaging becomes a way out for many investigators, to keep their backlogs smaller.

selective imaging functionality and have made it possible to image only sectors containing data.

The feature is supported in these file systems: NTFS, APFS, Ext 2/3/4, HFS, HFS+, ExFAT, FAT16, FAT32.

1) Click Change button to adjust imaging settings

2) In Passes tab, click on the value in What to image column

3) Select Sectors with data in the drop-down menu

4) Click Show button to preview the partitions on the source drive

5) Click Start button to proceed with imaging

You can see the partitions being imaged in the imaging log. In the imaging bar, the blue areas represent the sectors that are planned to be imaged. These are the sectors that belong to the drive's partitions and contain data.

Imaging to an E01 file with dual hash

E01 file format is the de facto standard format for forensic examiners to store images due to its ability to store not only a copy of the evidence drive, but also case and evidence details. E01 file can also store both MD5 and SHA1 hash values calculated during imaging.

To image a source evidence drive to an E01 file, you have to create a new target file.

Creating a new E01 file

  1. Click Image in the left-side menu
  2. Select the source evidence drive in Select source device window
  3. Click Select file in Select target devices panel
  4. In the file selector, find the folder to store the image and click the plus (+) button in the bottom right corner
  5. In the pop-window, select the E01 file type, and click Create button
  6. Fill in E01 file information and click Create button.
  7. Click Continue button.
Create an E01 file

Create an E01 file

Enable dual-hash and start imaging

  1. Once you have selected the source drive and created the target file, you end up in Settings summary page. Click Change button to adjust the imaging settings.
  2. In the Hashes tab make sure that Hash source during imaging is selected, also select both MD5 and SHA1 hash types.
  3. Click Start button to proceed with imaging.
Adjust imaging settings

Adjust imaging settings

The report and the E01 file

Imaging report

Imaging report

Upon completion of imaging, you can see both MD5 and SHA1 hash values indicated in the Imaging completed report.

E01 file with calculated MD5 and SHA1 hashes

E01 file with calculated MD5 and SHA1 hashes

It is also possible to look up the information of the created E01 file. To do that, perform the following actions:

  1. Open the Devices menu by clicking the Devices button in the upper right corner.
  2. There, in the File section, click the Select file box. This will open the file information page with all the metadata of the E01 file.

The MD5 and SHA hash values will be listed there, too.

Creating an E01 file on a target drive

By putting a target device in Storage mode, TaskForce enables the creation of multiple image files (E01, RAW, img or dd) on the target drive.

To set a target device to Storage mode:

1.Go to Home page;
2. Click Image button in the left-side taskbar;
3. Select the source drive;
4. In Select target devices panel click Select file.

Select target

Select target

5. In Select image file window click Add storage button.

Add a storage drive

Add a storage drive

6. In the Select device panel click the drive you want to use in Storage mode. Please note that TaskForce uses a lighter shade of blue to indicate that a storage drive is being configured.

Select a storage drive

Select a storage drive

If TaskForce cannot find the appropriate exFAT partition on the drive selected, it will offer you to format the device accordingly.

Format the target to exFAT

Format the target to exFAT

7. By clicking Yes you agree to launching target device formatting to exFat with a large cluster size (32 MB). This cluster size will enable faster imaging to this drive.

Format the target to exFAT

Format the target to exFAT

Once the target device is formatted, TaskForce perceives it as a Storage target.

The drive in Storage mode is marked with a special blue icon in the device panel.

A drive in Storage mode

A drive in Storage mode

To proceed with creating a compressed E01 image file on this device:

1.Click the storage drive and then the + Create file button;

Add a new file

Add a new file

2. In Create image file pop-up window, enter the name and select the type of the image file.

Create a file

Create a file

3. Click the Create button to fill E01 file information.
4. Tick the Combox next to Compressed E01 option and fill out the form with file details. Then click Create.

Configure the compressed E01 file

Configure the compressed E01 file

5. Check your imaging settings and click Start to proceed with imaging by clicking the Start button.

Check imaging settings

Check imaging settings

NB When you select compressed E01 option in the imaging settings, the multi-pass imaging system or reverse imaging option cannot be applied to such an imaging session. However, other fine-tuning options remain available including advanced hashing options (pre-hash, post-hash, Segmented hashing, etc.) and selective imaging.

The Imaging completed report provides all the time stamps, hash values and hash verification result. To look up the settings of the imaging session, you can also see the Imaging started report in the case management system.

Imaging completed

Imaging completed

Imaging to a file on an encrypted drive with TaskForce

With newest Atola TaskForce 2020.1 firmware, it is possible to image into files on an encrypted target drive using VeraCrypt for data encryption. Multiple target drives can be encrypted for the same or different sessions.
After you have connected the source drive to a port in Source mode, take these steps:

1. Click on Image icon in the left-side taskbar
2. In Select source device panel, select the evidence drive
3. In Select target device menu, click on the tile in the File section
4. In Select image file window, click Add storage Click the link Create Image File on Target.

5. In Select device panel, choose the drive connected to a port in Target mode
6. Select Create an encrypted VeraCrypt container (exFAT) option and click Next

7. Enter and confirm the password for the encrypted volume on the drive

8. Confirm the formatting of the device by entering YES and clicking OK. After this step, the formatting will take a few seconds.
9. Click + Create file button
10. Enter the name of the image and choose the file format (E01, raw, img or dd).

11. Once you have created the file, you may add more image files in the same or a different folder

After you click the Continue button, TaskForce will image the evidence into the file on your encrypted target.

Upon completion of the imaging session, check the Imaging completed report. 

Data Extraction

  1. To find the VeraCrypt volume and the imaged file, plug the target drive into your computer;
  2. Use VeraCrypt software to safely access encrypted data from your drive;
  3. Select the drive label (A, B, C, etc.) on which you want the volume to be mounted;
  4. Click Select device button;
  5. In the pop-up window select your encrypted volume;
  6. Click the Mount button. 

Now you can view the partition name, size and encryption algorithm.

7. Next, use the password set prior to the imaging session to get access to the encrypted volume.

Once you have entered the password, the volume will be mounted and you can access it from Windows Explorer and use the image for subsequent operations.

Clip target drive to source evidence size

When you image data from an evidence drive, but the target drive is larger than that of the source, the hash values for the source and for the target drives will not be identical. This will happen even if there is no data in the remaining space of the target.

To avoid it, you can limit your SATA target drive's capacity using Host Protected Area (HPA). It will make the sectors beyond this limit inaccessible to the hashing tools or the end user. In TaskForce, it only takes one quick adjustment to the imaging settings:

  1. Click Image in the left-side task menu and select the source and the target
  2. In the Settings page click Change button.
  3. In Miscellaneous tab activate the Limit target disk size to source size using HPA (SATA target ports only) option.
Enabling HPA restriction for target

Enabling HPA restriction for target

You can now proceed with the Imaging process by clicking Start button.

Before the imaging starts, TaskForce looks up the size of the evidence drive and limits the space of the target using HPA to make its capacity identical to that of the evidence drive.

When Imaging is complete, the report will contain information about the time when HPA was enabled.

Imaging report indicates the change to the target drive capacity

Imaging report indicates the change to the target drive capacity

The target disk's port in Devices menu now contains an HPA indicator, thus informing you that HPA has been enabled on this drive.

HPA indicator in the port of the Device menu

HPA indicator in the port of the Device menu

There will also be a report created in the case management system, which indicates the old (native) and the new (as set by HPA) max address.

Report about HPA activation

Report about HPA activation

Now you can calculate hash on both drives to make sure the hash values are identical.

NB Enabling HPA is an option available only for SATA target drives.

To learn how to unclip HPA, read this article in our manual.

Accessing password-protected servers

Accessing password-protected servers allows saving image files on such servers, imaging or calculating hash of the files located there, etc.

To create an image file on a password-protected server:

1) Click Image button in the left-side menu

2) Select the source device

3) Click SELECT FILE in FILE section of the target device menu and click Continue.

4) In the file dialog, click the server from the list. If the server does not appear in the list, click Refresh icon to search for all available directories. If the server still does not appear in the list, click Connect.

Select server from the list

Select server from the list

5) Whether you have selected the server from the list, or clicked Connect, Connect to server dialog box will open. Here, you need to enter the name of the server and fill out login details including domain or workgroup and click Connect. To learn these details, contact your network admin.

NB. TaskForce supports NTLM protocol, which is enabled by default in Active Directory and Windows.

Enter server and login details, click Connect

Enter server and login details, click Connect

6) Go to the folder on the server where you need to store your image, and click the Plus icon in the right bottom corner of the window.

Create new file in the directory

Create new file in the directory

7) Enter the name of the new image file and select the format. Click Create button.
Enter name and select the format of the new image file

Enter name and select the format of the new image file

8) Click Continue button.
Click Continue

Click Continue

9) Check your imaging settings and click Start button to proceed with imaging.
Click START

Click START

Creating, exporting and importing imaging presets

For organizations that need to ensure that imaging is always performed with special settings, we have created the possibility to create a special preset, which can also be exported from one TaskForce device and imported to another one. Create custom settings:

  1. Click Image icon in the left-side menu and select source and target devices
  2. Click the Imaging preset management icon in the right bottom part of the window
  3. Select Create option
  4. Type in the name of the preset and click Create
  5. To adjust the settings, click Change button
  6. Change the settings (e.g. hashing options)
  7. Click back and preview the summary of the new settings saved in the preset
Creating a preset (GIF)

Creating a preset (GIF)

To export a preset:
  1. Click the Imaging preset management icon
  2. Click Export option
  3. The preset will be downloaded in .json format
Exporting a preset

Exporting a preset

To import a preset:
  1. Click the Imaging preset management icon
  2. Click Import option
  3. In Import settings window, click Select file button
  4. Choose the file in the file selector and click Open
  5. Double-check the preset in Import settings window and click Import
Importing a preset (GIF)

Importing a preset (GIF)

Exporting sector lists from an imaging session

When an imaging session is completed or paused, it is possible to see its summary in the Imaging sessions summary page. Now there is also a possibility to export lists which would clearly indicate which of the sectors on the source drive have been successfully imaged, which have not (if any), and which of the sectors contained errors.

To export such list:

1) Click Image icon in the left-side menu and select the source drive
2) In the session summary, click the Export icon

Click <em>Export</em> icon

Click Export icon

3) Select the sectors you are interested in (e.g. Imaged sectors)

Select the type of sectors

Select the type of sectors

4) Save the downloaded .csv file

This file shows the ranges of imaged sectors:

/img/tf/manual/3exported-sectors-300x202.jpg
NB Should an imaging session be completed, the list of non-imaged sectors will be blank. 

Imaging a drive with a damaged head

The diagnostics module, selective head imaging and multi-pass imaging algorithm allow TaskForce to handle a drive with damaged heads gently and effectively. All these techniques help minimize the risk of losing more data on the working part of the head stack.

Diagnose first

The built-in diagnostics module of Atola TaskForce automatically checks all major subsystems of the evidence drive: circuit board, heads, media surface, firmware and file system.

A diagnostics report provides detailed information about the heads. In addition, it offers recommendations for the optimal imaging strategy for your damaged hard drive.

Diagnostics completed.Device has major issues

The above diagnostics report informs the operator that the drive’s hardware has major issues and points to defects in the media and a damaged head (Head#3). The report contains a recommendation to disable the damaged head in the imaging settings.

Selective head imaging

Atola engineers recommend that the good heads are imaged first. To do that:

1. Click the Image category in the left-side menu;

2. Select your source and target devices;

3. Click Continue.

If a head was identified as damaged during the diagnostics, at this stage you will see a pop-up window prompting you to disable the damaged head and by clicking YES you confirm that the head should be automatically disabled for the subsequent imaging session.

Alternatively, the damaged head can be disabled in the imaging settings:

4. Click Change to adjust the settings for your imaging session;

5. In What to Image section click on All sectors to configure the selective imaging.

6. Unselect the damaged head, сlick Save;

7. To launch your imaging session click the Start button.

Multi-pass imaging algorithm

As you can see in the screenshot below, some errors were found in the course of imaging on the space of the drive that is read with the Head#4. It is common for a drive with a bad head to also contain errors on the platters that are read with other heads.

TaskForce uses its multi-pass imaging algorithm when encountering a bad sector that belongs to a good head. It allows handling errors and retrieving data from some of the bad sectors. For as long as it is possible to read data from the sector or block of sectors within the specified pass timeout, TaskForce will be able to image this data.

Having completed imaging from the good heads, the system pauses the session and produces a detailed imaging report with a log of all actions performed during the imaging session.

TaskForce firmware version 2020.7 and above allow editing settings of all unstarted imaging passes, adding or removing passes, etc. So if later you think you may be able to retrieve important data with Head#4, you can add another pass and configure the settings of the new pass accordingly.

TaskForce firmware under 2020.7 automatically inserts and launches an additional imaging pass after you click Resume on the pause session. The new pass will include all non-imaged sectors.

Atola TaskForce automatically creates reports for every single action applied to each device connected to it. The reports are stored in the case management system.

Working with a bad head

After you successfully retrieved data from the good heads, you have two options:

  • To replace the head stack before you get down to imaging of the remaining data. You should be aware of the risk, however, that data on the drive can become unreadable due to head stack replacement;
  • To attempt imaging data with the Degraded or Damaged head.

To image the unselected bad head simply click Resume.

Atola TaskForce resumes the imaging session to focus on the area that belongs to the damaged head.

If the number of errors keeps growing, while the number of the imaged sectors remains unchanged, pause your imaging session and power down the drive because the head seems to be completely inoperable.

In the Imaging report above, you can see that TaskForce imaged 520,961,167 sectors out of 625,142,448, having extracted as much data from good heads as was possible with the default settings.

For more details scroll the report down to check the Log:

Using Web API in a browser

Starting firmware version 2019.7, Web API is built into TaskForce, and it will help optimize your workflow in many ways.

Web API is extremely handy as it allows you to use it in scripts, via CLI tools like curl, and simply by typing commands in the browser address bar.

1. Scan devices plugged to all source ports. The command powers up all ports and returns the list of drive on each port in Source mode as well as the model and the serial number of the drive on each port.

Start imaging

2. Start imaging a source drive plugged into TaskForce SATA 4 port.

Start imaging

3. Track imaging session status using task key received in response to the command above.

Check task status
For more information about these and other commands, please look up the API documentation that we made available to public.

Instantly launching multiple imaging sessions using Web API

Imagine you have 12 TaskForce ports switched to Source mode and source drives plugged into them. Now you can instantly launch 12 imaging sessions simply starting the script.

Python script utilizes /start-image API request and prints task keys of all launched imaging sessions.


import sys

if sys.version_info[0] < 3:
    raise Exception("Please use Python 3 to run this script")

import urllib.request

ports = ["SATA1", "SATA2", "SATA3", "SATA4", "SATA5", "SATA6", "SAS1", "SAS2", "SAS3", "SAS4", "SAS5", "SAS6"]
tasks = []
errors = {}

for port in ports:
    try:
        res = urllib.request.urlopen("http://10.0.0.4/api/start-image?source=%s&targetFolder=//Vitaliy/Share" % (port))
        tasks.append(res.read().decode('utf-8'))
    except urllib.error.HTTPError as e:
        errors[port] = e.read()

print("IDs of started imaging tasks:")
print('\n'.join(tasks))

The script works in any operating system. To run, perform the following actions:

  1. Save the script into image12.py file
  2. Replace 10.0.0.4 with IP address of your TaskForce
  3. Replace //Vitaliy/Share with your shared network folder path
  4. Execute the script in the console: python image12.py

For more information about these and other commands, please look up the API documentation that we made available to public.

Autostart image analysis when imaging is completed

With TaskForce, you can track the status of the started imaging sessions using /check-task API request. It reports the imaging progress enabling you (or your code) to notice when the task gets completed. Once this notification is received, it makes perfect sense to automatically start the forensic analysis of the target image.

Powershell script below shows how one can create this kind of automation flow:

  1. Start imaging a source drive on TaskForce SATA port 4 to the target folder \\Vitaliy\Share
  2. Wait for imaging completion using /check-task
  3. Launch Autopsy Ingest via command-line when the target image is ready

Important: Instead of Autopsy, you are free to use any Magnet Forensics products, X-Ways Forensics, or any other forensic analysis toolkit that supports console launch with arguments.


try {
    $r = Invoke-WebRequest "http://10.0.0.65/api/start-image?source=SATA4&targetFolder=\\Vitaliy\Share"
}
catch {
    Write-Output "$($_.Exception.Message)"
    exit $_.Exception.Response.StatusCode
}

$taskKey = $r.Content
do {
    $check = (Invoke-WebRequest "http://10.0.0.65/api/check-task?taskKey=$taskKey").Content | ConvertFrom-Json
    Start-Sleep -s 1
} while ($check.state -eq "progress")

$windowsPath = "C:\Share\" + ($check.target -replace '[\/]', '\' | Split-Path -leaf)
$caseName = "Case123"
$autopsyArguments = '--inputPath="' + $windowsPath + '" --caseName=' + $caseName + ' --runFromCommandLine=true'

Start-Process -FilePath "C:\Program Files\Autopsy-4.11.0\bin\autopsy64.exe" -ArgumentList $autopsyArguments

The script works in Windows with Powershell. To run it, please perform the following actions:

  1. Install Autopsy
  2. Create C:\Share folder
  3. Save the script into image.ps1 file
  4. Replace 10.0.0.65 with IP address of your TaskForce
  5. Replace \\Vitaliy\Share with your shared network folder path
  6. Execute the script in the console: powershell -ExecutionPolicy ByPass -File image.ps1

NB. Autopsy Ingest v4.11 does not work with network file paths from the command line. That’s why this example shows a shared folder located at PC where PowerShell script is executed. Therefore \\Vitaliy\Share points to C:\Share folder.

For more information about these and other commands, please look up the API documentation that we made available to public.

Calculating hash during imaging

Atola TaskForce supports hash calculation of both the evidence drive and the image in conjunction with imaging. We have developed highly flexible functionality to help optimize evidence acquisition process to fit one’s internal procedures, while avoiding further damage to fragile media.

To calculate hash of both the evidence and the image:

  1. Click Image category of the left-side menu
  2. Select the Source device and the Target device or file
  3. Click Change button in the Settings summary page
  4. In the Hashes tab there are three checkboxes:
  • Pre-hash source device
  • Hash source during imaging
  • Post-hash target device
Select hash methods

Select hash methods

Multiselect is available, which allows a user to use all three of these options.

However, Pre-hash source drive option must be used with caution: although pre-hashing can be required by an investigator’s internal procedures, when dealing with drives that have been diagnosed with hardware failure, this operation may cause further damage to the drive before essential data is imaged.

On the contrary, Hash source during imaging is the most appropriate way to calculate the hash of a fragile source evidence drive. In this case, TaskForce only needs to read the data on the drive once to both image and calculate the hash, thus minimally using the drive’s hardware.

NB Linear hash can only be calculated by reading data in sectors consecutively in one pass.When it encounters a bad sector, linear hash calulation is discontinued. In upcoming releases we will support Segmented hashing so that hash can be calculated for damaged drives.

Post-hash target device option allows to properly record the calculated hash in the case.

Imaging results with hash values for both hash during imaging and post-hash

Imaging results with hash values for both hash during imaging and post-hash

Calculating dual hash of an existing E01 file

Some source evidence drives and their images can be involved in a long-running investigation case and wait to be presented in court for months or years on end. Data stored on such drives and their image files may eventually get corrupt. Therefore it may be critical for an investigator to ensure the integrity of data on such devices or image files before resuming to work with them or presenting them in court.

Over the years, E01 file format has become a popular format for forensic purposes due to its ability to store not both the image of the drive, but also case and evidence details. E01 file can also contain both MD5 and SHA-1 hash values.

To view the previously calculated hash calculated for an E01 file with Atola TaskForce, open the imaging report in the case management system. It contains the hash values calculated during imaging.

Alternatively, you can look up the metadata stored in the E01 file itself:

  1. Open Devices menu by clicking the Devices button in the top bar.
  2. Click Select file box in the File category.
  3. Select the E01 file in the file browser.
Hash calculated during imaging stored in E01 file's metadata

Hash calculated during imaging stored in E01 file's metadata

 

To ensure the integrity of the data in the file, you can recalculate its hash.

  1. Click Hash in the left-side task menu. This will open the devices to choose the one for which you want to calculate hash.
  2. Click Select file box in the File category.
  3. Select the E01 file in the file browser.
  4. Make sure to select the same hashing types (MD5, SHA1, etc.)
  5. Click Start button
Start hash calculation

Start hash calculation

Adjust hashing settings and start hash calculation by clicking the Start button.

When the hash calculation is completed, you can make sure that the two sets of hashes are identical.

Compare the calculated hash values to the ones calculated during imaging

Compare the calculated hash values to the ones calculated during imaging

Express mode: self-launching imaging of 17 drives

Express mode enables automatic launch of multiple imaging sessions on all ports that are set to source: just plug a drive into TaskForce and the imaging session will start automatically.

Activating Express mode

Just like everything else in TaskForce’s interface, this feature is designed to be intuitively easy to set up.

Source evidence drives can be imaged to E01 (regular or compressed) or RAW files located in a specfied folder on the local server. Two 10Gb Ethernet ports enable high data throughput.

As essential as imaging speed is, the proper treatment of evidence drives remains a priority. To enable automatic launch of imaging of the healthy devices and avoid potential deterioration of drives in a shaky condition, the Express mode settings have 2 handy options: select Diagnose source drive before imaging so that diagnostics is launched automatically, then select Start imaging only if diagnostics has no issues.

Atola’s signature automated diagnostics module checks all drive systems: hard drive’s motor and electronics (PCB), head stack, media surface, all firmware/system areas, partitions, and file systems. We recommend that diagnostics is always run upon a drive is connected to TaskForce for the first time.

Last but not least, you can select one of the imaging presets at the bottom of the express mode activation screen (they can be easily configured in the imaging screen). This will ensure that all imaging sessions in express mode will fit your organization’s demands and procedures.

Once express mode settings are specified, simply click the Activate button and connect your evidence drives for an immediate start of imaging upin a source drive is plugged.

17 self-launching imaging sessions

Once all settings are configured and express mode is activated, simply plug in the drives one by one and watch the imaging sessions start automatically!

TaskForce can process 17 self-launching imaging sessions in Express mode on almost all of its ports with the exception of the Extension slot. The ports that can be used for imaging in express mode are, therefore:

  • 6 SATA
  • 6 SATA/SAS
  • 4 USB
  • IDE

When activated, express mode controls all source ports, leaving target ones available for other tasks. If a port is switched from target to source, it also becomes available for imaging in express mode.

TaskForce’s 8-thread Xeon processor, ECC RAM, and the server-grade motherboard sustain multiple fast and reliable data acquisitions.

Getting it all under control

Express mode substantially speeds up imaging of evidence drives while enabling a user to configure settings for optimal handling of evidence drives.

And should TaskForce detect an issue with an imaging session, User action required notification will prompt the user to take the decision.

In addition, TaskForce keeps the user updated by displaying the number of actions required on the IP screen on the front panel of the unit.

In short, Express mode’s self-launching imaging is a perfect solution when it comes to processing large amounts of data under time pressure, while still allowing gentle treatment of damaged media.

Wiping 18 drives simultaneously

With TaskForce, Atola introduced the fastest and most capable imaging engine to the forensic market. While cumulative imaging speed in TaskForce constitutes 15 TB/h, the engine is capable of wiping up to 18 drives connected to it, thus achieving a cumulative speed of 15TB/h, 20TB/h or even more.

TaskForce’s task-oriented and efficient user interface has been developed with the intention to launch every operation in just a couple of clicks to expedite work with multiple evidence drives.

Atola TaskForce has 18 ports (6 SATA, 6 SATA/SAS, 4 USB, 1 IDE, 1 Extension slot for Atola Thunderbolt, Apple PCIe SSD and M.2 NVMe/PCIe/SATA SSD extension modules), all of which can be used for simultaneous wiping sessions.

TaskForce can wipe 18 devices simultaneously at their top native speeds when using the standard wiping method.

To perform multiple wiping sessions:

1. Connect the drives to TaskForce

2. Switch the ports, to which the drives are connected, to Target mode by using the individual Source switches on each port

3. In the user interface, click Wipe icon in the left-side taskbar

4. In Select devices window, select a drive

5. Adjust wiping settings:

  • the range of sectors to be wiped
  • wiping method
  • enter a pattern and its format (HEX/ASCII)

6. Click Start.

Wiping process is consecutively launched for each device. Repeat the same with all the drives you want to wipe.

Once the operations are launched, you can track the progress of all tasks in the Homepage, where the percentage of wiped drive area and the time left until the end of the planned session are displayed. By clicking on an individual wiping session, you can open it to see more details on the progress.

Click Atola logo in the center of the top bar to reveal the current overall speed of wiping. In this case, we were able to achieve 18 TB/h. This high-speed wiping capability allows a forensic expert to complete the process of preparing drives for wiping in minimal time.

NB Please note that a wiping session can take longer if a different wiping method is selected. E.g. NIST 800-88 method implies not only wiping but also rereading of the wiped range. In its turn, DoD 5220.22-M method wipes the same range three times.

To ensure maximum transparency and effectiveness, Atola TaskForce documents every operation by creating detailed reports and logs. Click Reports button in the top bar and find the report in the list or by using the Search bar at the top of the page.

Lifting HPA and DCO

HPA (host protected area) and DCO (device configuration overlay) features were created by hard drive manufacturers as hidden areas reserved for storing vendor utilities or simply to make a drive appear to have a certain number of sectors (smaller than the actual drive capacity). But it is many years ago that end users learned to modify and write to these areas of hard drives with the help of open source and freely available tools. For digital forensics specialists, it means that without the ability to identify such hidden areas of a drive and image the full physical image including data in these areas, the evidence they get may be incomplete and lead to inaccurate investigative conclusions.

When you connect a hard drive to the TaskForce unit, in addition to the standard Identify device command, Atola TaskForce software automatically sends two commands to look up the drive size as set in drive’s firmware: Read native max address and Device configuration identify. If drive size has been limited by DCO or HPA, TaskForce will draw your attention to these changes by adding the note in red color in the device menu.

Notification about HPA and DCO in device menu

Notification about HPA and DCO in device menu


To get more details about the modifications that have been made to the drive’s firmware, run Dignostics and see the Firmware section of the Diagnostics report.

HPA and DCO limitations are indicated in the Diagnostics summary

HPA and DCO limitations are indicated in the Diagnostics summary


There you will see three lines indicating the drive’s Max Address according to different records in the drive’s firmware:

  1. The Max Address according to device ID line shows the max address from the ID sector, affected by both HPA and DCO restrictions if those are applied.
  2. Native Max Address indicates max address ignoring HPA limitation that may have been enabled, yet affected by DCO restriction.
  3. Max Address from DCO is the line that gives you the actual drive size.

A Diagnostics report of a drive that does not have HPA or DCO activated will have the same value in all three lines.

HPA and DCO restriction details in the Firmware section of the Diagnostics report

HPA and DCO restriction details in the Firmware section of the Diagnostics report


To disable HPA limitations that have been applied to the drive’s firmware, click on the Unclip HPA/DCO subcategory under Other category of the left-side menu and click on Unclip button.

NB Please note that the drive needs to be in the Target mode (use the Source/Target switch on the unit to perform this operation), as Unclip HPA/DCO implies making changes to the drive's firmware, and that is not possible when the drive is in the Source mode.

Remove HPA and DCO by clicking Unclip button

Remove HPA and DCO by clicking Unclip button


Atola TaskForce lifts HPA and DCO restrictions in a matter of seconds and enables access to all data on the drive.

HPA and DCO unclip report

HPA and DCO unclip report

Lift HPA until power cycle

To ensure the forensically sound process, it can be necessary to avoid making any changes to the drive. Therefore it is prohibited to disable HPA and DCO restrictions and access data in the hidden areas. With Atola TaskForce it is possible to lift HPA restriction until the next power cycle. This helps avoid permanent changes to the drive.

  1. Click Imaging in the left-side Task Menu.
  2. Select the Source and the Target.
  3. In a pop-up window suggesting you unclip the drive until power cycle, click Yes button.
Changing native max address until power cycle

This will allow temporary access to the data in HPA-protected area, but as soon as you power off or unplug the drive, the HPA will be back again.

NB If a drive freezes in the course of imaging TaskForce forcibly performs power cycles to continue imaging the drive. However, such power cycles will not affect the temporarily disabled HPA. TaskForce will be temporarily removing HPA max address restriction after each power cycle performed during imaging. The HPA-protected area will remain accessible throughout the imaging process.

Multi-pass imaging of damaged drives

TaskForce's complex imaging functionality allows imaging even physically damaged drives, while avoiding further drive deterioration. Damaged media require a sophisticated imaging approach to balance out thorough data extraction with forensics’ need in expediency and careful treatment of damaged media.

Most forensic imagers can only do linear imaging, which dramatically slows down imaging process whenever a bad sector is encountered, and, as a result, the drive may freeze. To speed up imaging of damaged media and maximize the amount of successfully retrieved data, TaskForce has a special imaging algorithm that includes deliberate timeout and block size control.

Using small block size pays off when you need to thoroughly retrieve maximum data from an unstable drive, but it also significantly slows down the imaging process. What’s worse, such imaging approach may cause further damage to the media. That's why TaskForce's multi-pass imaging engine uses large blocks with short timeouts on the first few passes, scheduling reads inside slow areas for later and then using the smallest block size on the last pass when very few sectors are left to be read.

This technique allows the bad areas to be approached in the most gentle way, while achieving imaging speeds of up to 550 MB/sec in good areas of the drive and reaching an unbeatable overall speed of imaging.

TaskForce handles block size automatically, to provide the best possible results in the shortest time span. This makes TaskForce faster at virtually any job than any other data recovery or image acquisition tools commercially available.

Block sizes and timeouts are adjustable. However, the default settings of the passes are based on our decades-long experience in data recovery market to fit most types of damage to the drives. That's why we suggest that you use the default settings unless a particular drive requires a specific imaging approach.

Multi-pass imaging settings

Multi-pass imaging settings

On the first pass, TaskForce allows 1-second Timeout per block, and the Max read block size is set to 4096 sectors. This allows smooth sequential imaging of all healthy modern drives. But when imaging damaged media, these settings allow TaskForce to skip any areas that slow down the process and perform Jump on error by 1,000,000 sectors at a time. This way all the good areas of the drive are imaged at top speed, while forcing TaskForce to return to the problematic areas on the next passes, narrowing down the bad areas and allowing more time to retrieve the data within them.

Imaging on the first pass. Empty areas where errors were encountered and jumps were performed

Imaging on the first pass. Empty areas where errors were encountered and jumps were performed

While Max read block size remains the same during the second and the third passes, the  Jump on error is set to 20000 sectors and 4096 sectors respectively and slightly longer, 5-second Timeouts are allowed for attempted reading of the blocks.

Empty areas start filling up with data, as the jumps become smaller

Empty areas start filling up with data, as the jumps become smaller

On the fourth pass, both Jump on error and Max read block size are reduced to 256 sectors.

The amount of data retrieved is already 99%

The amount of data retrieved is already 99%

On the fifth pass, TaskForce allocates 60-second Timeouts to read the Maximum block size of 256 with just 1-sector Jump on error. It is the last and the most thorough attempt to retrieve data from the remaining bad areas of the drive.

On the fifth pass TaskForce attempts to read the data for the last time

On the fifth pass TaskForce attempts to read the data for the last time

After the final pass, the Imaging Results report will indicate the eventual number of errors on the drive and other detailed statistics.

Multi-pass imaging settings

Multi-pass imaging settings

By clicking on one of the imaging passes in the imaging settings, you can adjust all parameters of the pass. Reverse direction option may help handle some of the damaged media. With this function selected, TaskForce will approach skipped areas of the drive from the opposite side on any selected pass. This way TaskForce can get more data from a drive before entering a damaged zone, which needs to be concentrated on during the following passes.

Reverse direction and disable read look-ahead functions may prove to be a good strategy with some damaged media

Reverse direction and disable read look-ahead functions may prove to be a good strategy with some damaged media

Another option in the imaging pass settings, which is worth mentioning is Disable read look-ahead. Most contemporary hard drives have read look-ahead functionality, which makes the drive sequentially read more blocks than requested in a command. In good drives, this functionality helps the drive to operate faster by reading more data and caching them. But with bad drives, read look-ahead leads to bad areas being addressed more often, which slows down the process and may lead to a complete freeze of the drive. In such cases, disabling read look-ahead option is advisable.

Case management system and report types

TaskForce's case management system records every step of the data acquisition process: every operation is automatically added to the case from the moment a device is identified including date, time, imaging map and hash values. When a hard drive is imaged, its imaging map is recorded detailing all the sectors that have been skipped.

Whenever an operator connects a hard drive to the TaskForce, the system makes an automatic database lookup and retrieves all past records associated with that particular hard drive. New entries will be added seamlessly to the database. You do not need to enable case management or take any additional actions for it to start functioning; it is fully embedded into Atola TaskForce and works at all times.

Case number can be assigned and changed at any time. The system also allows browsing through all cases and reports, without corresponding devices being connected to the unit.

Report types and formats

There are two types of reports in TaskForce:

  1. Device reports are created every time an action is taken to the drive: drive identification, imaging, hashing, wiping and other operations related to the drive are documented in these reports.
  2. Non-device reports are created to register any changes made to the cases: case opening, case details change, case import and export.

All reports have these key elements: a header that provides device and case details, an action summary and task details (task settings, task log, etc.).

Imaging report in TaskForce

Imaging report in TaskForce

A diagnostics report contains even more details: it lists the checkup results for all subsystems of a drive and includes oscillograms, SMART table, etc.

Diagnostics report in Atola TaskForce

Diagnostics report in Atola TaskForce

The reports that have been imported to TaskForce's case management system from Atola Insight Forensic, are easily identifiable due to the differences in the interface of the two tools.

Case imported from Atola Insight Forensic

Case imported from Atola Insight Forensic

Finding and editing cases

TaskForce automatically creates reports for every single action applied to each drive connected to it. Whether it is a source drive or a target drive, any action, be it imaging, wiping or physically switching write protection on or off, will be documented and stored in the system.

To find a case, click Cases in the top left corner, it will redirect you to the case management system.

Open case management system

Open case management system

Search for a specific case or device in the Search bar (by case ID, investigator's name or device details) and sort results by any column.

Search and sort cases in the list

Search and sort cases in the list

To open a case, click the respective line in the list.

A case page contains case details, information about the devices associated with the case (name, serial number, capacity etc.), as well as reports for all tasks applied to the device.

NB At the moment, a case may only include one device. In the future releases, we will be adding the possibility to add multiple devices in a case as well as including the same device within a number of cases.


Editing case details

To change case details, click on Edit button at the bottom of a case page.

Case page

Case page

It is possible to change the case ID, Description and Investigator. Click Save changes button when done editing.

Change case details

Change case details

In upcoming software releases, we will be adding the possibility to store multiple drives under the same case number. We will also be adding the possibility to upload pictures (photos of the device, scanned reports and documents related to the drive etc.) to be stored in a case.

Finding reports

TaskForce automatically creates reports for every single action applied to each drive connected to it. The system also allows browsing through all cases and reports, without corresponding devices being connected to the unit. The reports are listed and can be easily retrieved in different parts of TaskForce software.

1. Via case page

All reports related to the case are listed at the bottom of the case page. Scroll down and turn pages to view all the reports, sort them by date or by title, use the search bar to look for specific reports by their titles.
Case page with reports

Case page with reports

  To open a report, click the respective line.

2. Via View reports

If you need to search among all existing reports, click View reports button at the bottom of the Cases page.
View reports

View reports

Click View reports button This will redirect you to the page with all existing report that can be filtered by date, title, case ID or device details. Search for a specific report by entering report title or drive details.
View reports page

View reports page

Open the report you need by clicking it in the list.

3. Via Home page

Similarly, recent reports can also be found on the Home page underneath the Active tasks. Home page is the place where you can look up active and completed tasks and view reports for all completed tasks. Find specific reports quickly by entering filters in the search field.
Finding reports on the Home page

Finding reports on the Home page

Printing reports from a case

When you work on an investigation and want to have complete information about the evidence drive and all operations that have been taken to diagnose, image, calculate hash, etc., you can address Atola TaskForce’s case management system to print out all reports concerning your evidence.

To do that:

1) Click Print button at the bottom of the case page.
  1. Click Print button at the bottom of the case page.
  2. Print reports

    Print reports

     
  3. In the pop-up window, you can choose if you want the printed reports to include non-device reports and logs.
  4. NBNon-device reports are case-related reports that register case details changes, case imports, exports etc. Logs are parts of the reports that give detailed information about the start and the end of a task, problems encountered during the operation (e.g. inability to read a sector within the time allocated for the operation), actions taken (e.g. jumps from a bad sector, completed pass of imaging, performed resets and power cycles etc.)
    Print multiple reports from a case and include logs and non-device reports

    Print multiple reports from a case and include logs and non-device reports

     
  5. Click Generate button. This will redirect you to a page with full reports. There they are put in the same order as the order, in which they were listed on the case page (either by date or by title).
  6. Generated reports

    Generated reports

     

    NB If you selected the Information about unit's components, the last report generated will include the description of all storage devices contained in current TaskForce system.

    Generated report listing all storage devices contained in current TaskForce unit

    Generated report listing all storage devices contained in current TaskForce unit

     
  7. In this page, there is another Print button. After clicking it you can configure printing settings.

Each report will be printed on a new page.

Importing cases from Atola Insight Forensic

Cases from Atola Insight Forensic can easily be imported into TaskForce. First, export cases from Insight's case management system.

To import cases from Insight's case management system,

1) click Cases in the top left corner of the TaskForce page

2) click the Import button at the bottom of the page.

Click the <em>Import</em> button

Click the Import button

3) In the file selector, find the zip file that contains cases from Insight's case management system.

Select file with cases exported from Insight

Select file with cases exported from Insight

Importing will take a few minutes. Then you will be redirected to the report with the list of all imported cases.

Report of case import

Report of case import

Now all cases are a part of TaskForce's case management system.

Imported cases in TaskForce's case management system

Imported cases in TaskForce's case management system

NB Reports exported from Atola Insight Forensic system and imported to Atola TaskForce have a slightly different format: their header is contained in a box.

Case imported from Insight

Case imported from Insight