Atola TaskForce 2 Manual

Version: Mar 28 2024

Quickstart

Introduction

Unit & extensions

Installation & environment setup

Working with devices

Interface controls & indicators

Diagnostics

Imaging: Basics

Imaging: Damaged drives & performance

RAID reassembly and imaging

Automation

Wipe, hash & special capabilities

Case management

What else?

Quickstart

Learn how to image an evidence drive with Atola TaskForce 2.

Step 1. Start TaskForce 2

  1. Press the Power button on the front panel of the hardware unit.
  2. The following message shows on the small IP screen on the front panel: “Booting 3 min”. Wait until it disappears.
  3. Open TaskForce 2 user interface:
    • Network mode: If TaskForce 2 is connected to your local network with an Ethernet cable or a Wi-Fi adapter, open a Chrome browser on your PC, tablet or mobile, and enter the IP address displayed on the IP screen in its address bar.
    • Kiosk mode: If TaskForce 2 is not connected to the network, plug in a VGA display, mouse & keyboard. The “Kiosk mode” message appears on the IP screen.
TaskForce 2 shows an IP address required to connect to its user interface.

TaskForce 2 shows an IP address required to connect to its user interface.

Step 2. Plug a source drive into TaskForce 2

  1. To protect an evidence drive from any alterations, switch one of TaskForce’s 26 ports into the Source mode, using the red source/target switch next to this port. The corresponding source indicator lights up signaling that the port is set to the Source mode and is write-protected.
  2. Connect your evidence drive to the port switched to the Source mode.

Step 3. Diagnose the source drive

  1. In the TaskForce 2 user interface, click Diagnose.
  2. On the Select device panel, find the appropriate category (SATA, SAS, USB, File, IDE, or Extension*), expand it and select your source drive.
  3. Click Start. The Diagnostics process takes a couple of minutes. If diagnostics results show that the drive is in good condition, proceed to imaging.
Diagnostics report proves the drive is in good condition.

Diagnostics report proves the drive is in good condition.

Step 4. Plug a target drive into the TaskForce 2

  1. Switch one of the free ports into the Target mode, using the red source/target switch next to it. The corresponding source indicator turns off.
  2. Connect a target drive to the port switched to the Target mode.

Step 5. Start imaging

  1. In the TaskForce 2 user interface, click Image.
  2. On the Select source device panel, find the appropriate category (SATA, SAS, USB, File, IDE, or Extension*), expand it and select your source drive.
  3. On the Imaging sessions page, click Start new.
  4. On the Select target devices panel, find the appropriate category (SATA, SAS, USB, File, IDE, or Extension*), expand it and select your target device or devices. Then click Continue.
  5. Check the imaging settings and adjust them if needed. The Settings page shows:
    • the source drive and the case ID
    • the default settings applied to this imaging session
    • the list of Targets to be involved in this session
  6. Click Start.
Image acqusition in progress.

Image acqusition in progress.

Atola TaskForce 2 technical specs

Drive ports

26 drive ports

  • 8 SATA (up to 540 MB/s)
  • 8 SAS/SATA (up to 1000 MB/s)
  • 4 NVMe M.2/U.2 PCIe 4.0 (up to 6000 MB/s)
  • 4 USB (up to 400 MB/s)
  • 1 IDE (up to 100 MB/s)
  • 1 Extension

Drive port features

  • Physical source/target switch with LED indication
  • Hardware write protection in the source mode
  • Task status LED indication
  • Full low-level control over drive ports
  • Reset and SATA PHY control for the best handling of severely damaged hard drives

Drive's power control

  • Current sensor
  • Automatic overcurrent protection
  • Automatic short-circuit protection
  • Overvoltage protection

Supported drive interfaces

  • M.2 / U.2 NVMe
  • SATA I/II/III
  • SAS3 (12 Gb)
  • USB 2.0/3.x
  • IDE
  • Flash cards via a card reader attached to any USB port
  • Other interfaces supported via Extension modules (see below)

Network

  • Two 10Gb Ethernet ports for imaging to a network server or NAS.
  • WiFi 802.11n 150 Mb/s adapter in access point mode. Included in the package.

CPU, motherboard, and RAM

  • Xeon CPU with 16 cores
  • Server-grade Supermicro motherboard
  • 16 GB ECC RAM

Extension modules

  • Apple PCIe
  • FireWire
  • Thunderbolt 2 and 3 (2016-2017 models)
  • M.2 NVMe/PCIe/SATA

Indication

Power LED indicator

Signals that hardware is up and running

Color-coded port LEDs

Indicate that a task is running or finished, a process is OK or there are issues

IP display

OLED (20x2 characters). Shows an IP address to connect to the TaskForce 2 user interface or Kiosk mode

Auxiliary connections

Kiosk mode

  • VGA port
  • Two USB ports for connecting a keyboard and mouse

Database

  • Two DB USB 3.0 ports for connecting a USB flash media as database storage
  • Serial RS232 port
  • Fan power port
  • System SD card slot for boot drive

Power

Power consumption

140 Watt average, 650 Watt peak

Supply voltage

100–240 VAC, 50–60 Hz

Power supply

  • Internal power supply
  • IEC 60320 C14 power inlet
  • Power supply switch on the back panel

Size, weight, and temperature

Aluminum case

Dimensions

  • 17.4 x 14.5 x 3.9 in (442 x 370 x 100 mm)
  • Required server rack height: 2.5U

Weight

17.2 lb (7.8 kg)

Working temperature

32° – 95°F (0°C – 35°C)

Lifetime warranty

TaskForce 2 hardware is covered by our Lifetime warranty, for as long as your software update subscription is active.

If you have an active subscription, you can request free replacement of a device, component, extension module, or cable, as well as free training and technical support.

Learn more about Lifetime warranty →

TaskForce workflow

Atola TaskForce provides a complete feature set for a forensically sound evidence acquisition process. Based on our own decade-long experience of working with data storage devices as well as the experience of our clients in digital forensics market we strongly recommend this workflow:

1. Diagnose the drive

TaskForce is equipped with a fully-automated diagnostics module, which diagnoses all drive systems: printed circuit board (PCB), spindle motor, head stack, firmware, and file systems. Diagnostics will work properly even if the drive has burnt parts or damaged head stack – the routine makes use of the current monitor that is embedded into TaskForce unit.

After diagnostics finishes, the tool prepares a report and lets you know the exact issue with the drive; it also suggests the next step to be able to retrieve the data.

Diagnostics of damaged drive.

Diagnostics of damaged drive.

2. Get access to the hidden drive areas

Unclip or change HPA, DCO, AMA limitations

TaskForce detects hidden areas on the drive Host Protected Area (HPA), Device Overlay Configuration (DCO), or Accessible Max Address (AMA) and can automatically recover/remove them. To avoid change the state of the drive, HPA reset until power cycle option is available.

3. Image the evidence

To ensure efficient imaging of both good and damaged drives, TaskForce is equipped with a sophisticated and powerful imaging module that creates a bit-to-bit copy of the evidence. Based on the diagnostics report, image drives with default settings or adjust them, should the media be damaged and require special treatment.

Imaging damaged drive.

Imaging damaged drive.

Imaging good SSD. Speed: 550 MB/s.

Imaging good SSD. Speed: 550 MB/s.

4. Calculate hash

To ensure forensically sound evidence acquisition process, remember to calculate hash of the evidence and the image. It is essential way to prove image integrity.

With damaged devices, it is best to calculate hash during imaging (using segmented hashing). This way data on a fragile device is only read once, and less potential damage to the media is caused.

Updating TaskForce firmware

Atola TaskForce firmware is updated on regular basis by our team. You can keep track of the updates we make to the firmware in TaskForce changelog.

Updating TaskForce firmware is easy using a remotely connected computer.

  1. Plug TaskForce into to your local Ethernet network.
  2. Open the Chrome browser on your PC.
  3. Download the most recent version of the firmware.
  4. Enter TaskForce IP address in the Chrome browser.
  5. Go to the Menu on the top right.
  6. Click Update firmware.
The Update firmware command in the TaskForce 2 menu.

The Update firmware command in the TaskForce 2 menu.

  1. Choose update method and then click Select file.
Choosing update method on the Update firmware page.

Choosing update method on the Update firmware page.

  1. In the file selector, select the firmware file and then click Open.
Selecting the firmware file.

Selecting the firmware file.

  1. In the Update firmware dialog, click Update.
The Update button in the Update firmware dialog.

The Update button in the Update firmware dialog.

Once the update process is completed, TaskForce software switches to the new version. No TaskForce reboot or Chrome restart is required.

To check the current firmware version, go to Menu > Update firmware.

Check current firmware version.

Check current firmware version.

Package contents (TaskForce 2)

The TaskForce 2 package includes the following items:

Power cable

Flash card reader

2x Ethernet cat 7 cable

20x SAS/SATA powered cables

IDE adapter

USB-C cable

IDE power cable

IDE interface cable

Quick setup guide

Lifetime warranty

USB DB

Wi-Fi adapter

Bracets for server rack

Forensic hardware unit

To support many simultaneous imaging sessions and other forensic tasks running on its 26 ports at top speeds, TaskForce 2 hardware unit is built on extremely robust, high-capacity components that include a server-grade motherboard, 16-thread Xeon CPU and 16 GB ECC RAM. To ensure the high quality and efficiency of our tools, we test them on hundreds of storage devices.

This forensic hardware unit is designed for various types of digital investigations in the lab environment.

The IP address of Atola TaskForce 2.

Ports, indicators & switches

Ports:

  • 8 SATA
  • 8 SATA/SAS
  • 4 USB 3.0
  • 4 NVMe M.2/U.2 PCIe 4.0
  • IDE
  • Extension slot (for Thunderbolt, Apple PCIe SSD and M.2 SSD extension modules)

Source/target switch on each of 26 ports enabling hardware write protection in source mode:

  • Source mode: helps safely connect and with the examined evidence drives to TaskForce 2.
  • Flexible port configuration: any TaskForce port can serve you as a source or target depending on your needs.

LED indicators: two indicators for each of the 26 ports. One indicator is located next to the port’s source/target switch and lights up when source mode is enabled.

There are plenty of informative LED indicators on the front panel of the unit:

  • Power LED indicator to signal that hardware is up and running.
  • IP display to show an IP address you need to connect to the TaskForce 2 control interface using Chrome browser.
  • White LED source/target indicator on each of the 26 ports to quickly check if the port is in the source mode and the drive is write-protected.
  • Color-coded LED indication of each port status:
    • Green light: the task is completed successfully.
    • Yellow light: the task completed with minor issues or warnings.
    • Red light: the task failed.
    • Blue light: the connected drive is in Storage mode.
       
    • LED lights still: the task is finished.
    • LED is blinking: the task is running.  

      You can even control LED brightness and color in TaskForce 2 settings.

Network ports:

  • Two 10Gb Ethernet ports handle 26 multiple imaging sessions utilizing two 10Gb network connections
  • One IPMI ETH port

Other connections:

  • Two USB 3.0 ports for connecting a USB flash media as TaskForce 2 database storage
  • Two USB 2.0 ports for keyboard/mouse in the Kiosk mode
  • VGA for connecting a monitor in the Kiosk mode
  • Auxiliary serial RS232 port
  • Auxiliary fan power port

The power socket is located on the back side of the unit.

Supported hard drive interfaces: SATA I/II/III, SAS3 (12Gb), USB 2.0/3.0, IDE, M.2/U.2 PCIe NVMe up to 4.0.

Flash memory cards are supported via a card reader plugged into any USB port of TaskForce 2.

Display

IP display: OLED (20x2 characters)

Physical / Environmental

  • Dimensions: 17.4 × 14.5 × 3.9 in (442 × 370 × 100 mm)
  • Weight: 17.2 lb (7.8 kg)
  • Working temperature range: 32° – 95°F (0°C – 35°C)
  • Power consumption: 140 Watt average, 650 Watt peak
  • Supply Voltage: 100–240 VAC, 50–60 Hz
  • RoHS compliant

Other specs

  • Internal OS: Linux running a custom kernel
  • Control interface: web-based TaskForce application
  • Removable NVMe SSD for internal case management database
  • Optional WiFi 802.11n 150 Mb/s adapter in access point mode for easy connectivity (purchased separately)

Inside TaskForce forensic hardware unit

TaskForce 2 forensic hardware unit is essentially a small server-grade computer running Linux. But because neither BIOS nor Linux kernel was designed to handle hard disk failures, Atola engineers have invested a significant amount of research and development efforts to build a highly customized and fine-tuned Linux kernel that fully overcomes these issues and handles damaged media properly. Additionally, this kernel features:

  • High-speed DMA data transfers, 500+ MB/s
  • Full low-level control over SATA, USB and IDE ports
  • Full native SATA support
  • Reset and SATA PHY control for best handling of severely damaged hard drives
  • All BIOS and standard kernel functions are disabled

TaskForce 2 hardware also features Atola's proprietary circuitry for the ultimate drive's power control:

  • Current sensor for in-depth hard disk diagnosis
  • Automatic overcurrent and short-circuit protection
  • Overvoltage protection

These features are a must for proper handling of damaged drives.

For instance, low-level control of the SATA, SAS, USB and IDE ports allows TaskForce 2 to handle the devices that do not properly initialize, have many bad sectors, or frequently freeze due to internal (mechanical) failures. SATA PHY control allows resetting a frozen hard drive without a power cycle, thus saving time during imaging, and reducing the chances of further hard disk degradation and failure. Current sensing allows TaskForce to diagnose a failed drive even if it has electronic or mechanical damage.

Overcurrent protection detects when the drive draws an abnormal current and stops it to prevent any further damage. An overvoltage protection circuit ensures that in the unlikely event of a hardware malfunction, the attached drives are not damaged in any way.

TaskForce 2 forensic hardware unit is fully controlled by the software via Chrome browser, therefore no Linux experience is required to operate it.

M.2 SSD extension module

You can connect M.2 PCIe NVMe and M.2 PCIe AHCI solid state drives to Atola TaskForce 2 using the M.2 SSD extension module.

This extension module supports only B & M key and M key interface drives.

M.2 SSD extension module works with Atola DiskSense 2 as well.

TaskForce features supported for the M.2 SSD extension

All standard TaskForce operations and features are supported for the M.2 PCIe NVMe and M.2 PCIe AHCI including:

  • Max read/write speed: 4000 MB/s
  • Drive hotplug (excluding M.2 PCIe AHCI drives)
  • Write protection with the physical source/target switch
  • Diagnostics
  • Physical and logical imaging
  • Hash calculation
  • Damaged drive support

Plug and unplug the M.2 SSD extension module

TaskForce hardware unit is equipped with the PCI Express port on its back panel, which is referred to as an Extension port. It is used to plug Atola hardware extension modules supported by Atola TaskForce software.

To connect the M.2 SSD extension module to TaskForce, do the following:

  1. Power off TaskForce.
  2. Align 3 holes on the extension module and 3 screw holes on the Taskforce back panel. Firmly plug the M.2 SSD extension module into the Extension port and fasten the module with 3 screws.
  3. Plug an M.2 PCIe NVMe, or M.2 PCIe AHCI, into the extension and fasten the drive in place with the black plastic slider.
  4. Power on TaskForce.

To disconnect the M.2 SSD extension module or replace it with another extension module, do the following steps:

  1. Power off TaskForce.
  2. Disconnect the SATA cable from the extension module.
  3. Release the screws, which hold the module, and unplug it from the Extension port.
  4. Optional: Plug another extension module into the Extension port and fasten the module with a screw.
  5. Power on TaskForce.

Distinguish between M.2 NVMe/M.2 AHCI, and M.2 SATA drives

All solid state drives with M.2 form factor look pretty much the same.

To define the type of the particular M.2 drive before connecting it to TaskForce, check the markings on the drive or refer to the manufacturer’s specifications.

Connect and identify an M.2 NVMe or M.2 AHCI drive

To identify the M.2 PCIe NVMe or M.2 PCIe AHCI drive, TaskForce must be first booted with that particular type of drive connected to the M.2 SSD extension module:

  1. Power off TaskForce.
  2. Plug an M.2 PCIe NVMe or M.2 PCIe AHCI drive into the extension and fasten the drive with the black plastic slider.
  3. Power on TaskForce and wait for the booting to be completed.
  4. In the TaskForce main window, click Devices.
  5. Click the port in the EXT section of the Select device panel.
NVMe M.2 drive in the EXT section of the Select device panel.

NVMe M.2 drive in the EXT section of the Select device panel.

Work consecutively with several M.2 NVMe drives

Drive hotplug is supported for M.2 PCIe NVMe drives, but not for M.2 PCIe AHCI drives. You can plug several M.2 NVMe drives one after another, without turning TaskForce off and on.

To identify the M.2 PCIe NVMe drive, TaskForce must be first booted with that particular type of drive connected to the M.2 SSD extension module. After you boot TaskForce with an M.2 NVMe drive connected to the extension module, the system identifies all other M.2 NVMe drives without rebooting the hardware unit.

To define the type of the particular drive, check the markings on it or refer to the manufacturer’s specifications.

Connect a U.2 NVMe drive using adapter

To use a drive with U.2 interface, attach the drive to TaskForce with the help of a U.2-to-M.2 adapter and a cable (not included in the package).

To connect a U.2 drive to TaskForce, do the following:

  1. Plug the U.2 drive into the U.2-to-M.2 adapter using the cable.
  2. Plug the U.2-to-M.2 adapter into the Atola M.2 SSD extension.
  3. Plug the extension into TaskForce while the unit is powered off.
U.2 SSD adapters are available to combine them with the Atola M.2 SSD extension. Please contact your Atola dealer for more information.

Connect and identify an M.2 SATA drive

To connect an M.2 SATA drive to the TaskForce 2, you will need to use one of the SATA ports and an M.2 to SATA SSD adapter. Please contact your Atola dealer for more information on adapters.

Apple PCIe SSD extension module

Apple PCIe SSD extension lets you connect TaskForce to the PCIe SSDs with the custom proprietary M.2 interface within Apple laptops:

  • MacBook Pro, Late 2013-2015
  • MacBook Air, 2013-2015

TaskForce Apple PCIe SSD extension module works with Atola DiskSense 2 as well.

TaskForce features supported for Apple PCIe SSD extension

The following TaskForce operations and features are supported for the Apple drives:

  • Write protection with the physical source/target switch
  • Diagnostics
  • Physical and logical imaging
  • Hash calculation
  • Damaged drive support

Plug and unplug the Apple PCIe SSD extension module

TaskForce hardware unit is equipped with the PCI Express port on its back panel, which is referred to as Extension port. It is used to plug Atola hardware extension modules supported by Atola TaskForce software.

To connect the Apple PCIe SSD extension module to TaskForce, do the following:

  1. Power off TaskForce.
  2. Align the screw on the extension module and the top screw hole on the Taskforce back panel. Plug the Apple PCIe SSD extension module into the Extension port and fix the module with a screw.
  3. Plug an Apple PCIe SSD drive into the extension and fasten the drive with the black plastic latch.
  4. Power on TaskForce.

To disconnect the Apple PCIe SSD extension module or replace it with another extension module, do the following steps:

  1. Power off TaskForce.
  2. Release the screw, which holds the module, and unplug it from the Extension port.
  3. Optional: Plug another extension module into the Extension port and fix the module with a screw.
  4. Power on TaskForce.

Thunderbolt extension module

Thunderbolt extension enables TaskForce to work on MacBooks with the following interfaces:

  1. FireWire
  2. Thunderbolt 2
  3. Thunderbolt 3, 2016-2017 models

No SSD removal is necessary, the extension allows connecting TaskForce directly to a MacBook.

The extension module comes with:

  • FireWire cable (comes in white or black color)
  • Thunderbolt 2 to FireWire adapter (by Apple)
  • Thunderbolt 3 to Thunderbolt 2 adapter (by Apple)

TaskForce Thunderbolt extension module works with Atola DiskSense 2 as well.

TaskForce features supported for Thunderbolt extension

TaskForce supports the following operations and features on MacBooks when connected through Thunderbolt extension:

  • Write protection with the physical source/target switch
  • Physical and logical imaging
  • Hash calculation
  • Damaged drive support

Plug and unplug the Thunderbolt extension module

TaskForce hardware unit is equipped with the PCI Express port on its back panel, which is referred to as an Extension port. It is used to plug Atola hardware extension modules supported by Atola TaskForce software.

To connect the Thunderbolt extension module to TaskForce, do the following:

  1. Power off TaskForce.
  2. Align the screw on the extension module and the top screw hole on the Taskforce back panel. Plug the Thunderbolt extension module into the Extension port and fasten the module with a screw.
  3. Power on TaskForce.

To disconnect the Thunderbolt extension module or replace it with another extension module, do the following steps:

  1. Power off TaskForce.
  2. Release the screw, which holds the module, and unplug it from the Extension port.
  3. Optional: Plug another extension module into the Extension port and fix the module with a screw.
  4. Power on TaskForce.

Connect MacBook using Thunderbolt extension module

First, write down or take a photo of the serial number located on the bottom side of the MacBook. It will be needed later.

Then do the following steps:

  1. Turn off both the MacBook and TaskForce.
  2. Plug the Thunderbolt extension module into the Extension port and fasten the module with a screw.
  3. Connect the MacBook to TaskForce unit with the help of the Thunderbolt extension and the FireWire cable. Use adapters to connect to the MacBooks with Thunderbolt 2 or Thunderbolt 3 interface.
  4. Boot the MacBook in the Target Disk Mode. To do that, start it up while holding down the T key. You should see a Firewire or Thunderbolt icon displayed on screen, signifying that Target Disk Mode is detected and working.
  5. Power on TaskForce and wait for the booting to be completed.
  6. In the TaskForce main window, open the Device panel.
  7. Click the port in the EXT section of the Device panel.
MacBook device in the EXT section of the Device panel.

MacBook device in the EXT section of the Device panel.

  1. If it is the first time this MacBook is identified by TaskForce, in the Enter MacBook serial window, enter the serial number located on the bottom side of the MacBook, and then click OK.
Enter MacBook's serial number.

Enter MacBook's serial number.

During the subsequent identifications of the MacBook connected to TaskForce, its serial number can be selected from the drop-down menu in the Enter MacBook serial window. TaskForce will look up its case management system and offer the choice of MacBooks with the same drive size.

Select the MacBook with the serial number you have connected to TaskForce.

Select the MacBook with the serial number you have connected to TaskForce.

Extend subscription

Atola TaskForce 2 comes with a complimentary 1-year subscription. It covers regular software updates, includes training and technical support from our in-house team of developers, and secures a lifetime warranty.

Buy subscription

To extend your subscription for another period, you need to buy it first either from the reseller that sold you the unit or on the Atola website.

If your subscription has not yet expired, you can still purchase and activate a new one. The new subscription period will commence the day following the current subscription’s expiration date.

Depending on where you bought the subscription, there are two ways to activate and extend it:

Extend subscription you bought from the reseller

Choose this option if you have purchased a subscription from the reseller that sold you the TaskForce hardware unit or from the Atola sales department.

You will need:

  • A device with an internet connection (PC or mobile).
  • The serial number located on the bottom side of the TaskForce 2 unit.

After you have purchased a subscription, do the following:

  1. On a device with an internet connection, open the TaskForce 2 user interface in your web browser.
  2. At the top right, click Menu > Activation status.
The Activation status option in the TaskForce Menu.

The Activation status option in the TaskForce Menu.

  1. Click Extend subscription.
The Extend subscription button on the Activation status page.

The Extend subscription button on the Activation status page.

  1. Enter the serial number of the TaskForce 2 unit.
  2. Select I already extended my subscription through a distributor, and then click Next.
The Extend subscription page.

The Extend subscription page.

  1. Visit the Atola licensing page: a.atola.com or scan QR code on the screen.
  2. On the Atola licensing page, enter the license key shown in TaskForce web interface.
  3. Fill out all other fields on the Atola licensing webpage, including:
    • Customer name
    • E-mail address for activation code
    • Telephone
    • Organization, country and city
  1. Click Submit. The Atola licensing webpage generates an activation code.
  2. Go back to TaskForce 2 user interface and enter the activation code in the respective field.
Entering the activation code on the Extend subscription page.

Entering the activation code on the Extend subscription page.

  1. Click Activate. TaskForce 2 confirms that reactivation has been successfully completed.

Extend subscription you bought on the Atola website

Choose this option if you have purchased a subscription key on the Atola website: tf2.atola.com.

You will need:

  • A device with an internet connection (PC or mobile).
  • A subscription key.
  • The serial number located on the bottom side of the TaskForce  unit.

After you have purchased a subscription key, do the following:

  1. On a device with an internet connection, open the TaskForce 2 user interface in your web browser.
  2. At the top right, click Menu > Activation status.
The Activation status option in the TaskForce Menu.

The Activation status option in the TaskForce Menu.

  1. Click Extend subscription.
The Extend subscription button on the Activation status page.

The Extend subscription button on the Activation status page.

  1. Enter the serial number of the TaskForce 2 unit.
  2. Select I want to extend subscription by key, and then click Next.
The Extend subscription page.

The Extend subscription page.

  1. Visit Atola licensing page: s.atola.com or scan the QR code on the screen.
  2. On the Atola licensing page, enter the subscription key you bought on the Atola website.
  3. On the Atola licensing page, enter the license key shown in the TaskForce web interface.
The license key shown in the TaskForce web interface.

The license key shown in the TaskForce web interface.

  1. Fill out all other fields on the Atola licensing webpage, including:
    • Customer name
    • E-mail address for activation code
    • Telephone
    • Organization, country and city
  1. Click Submit. The Atola licensing webpage generates an activation code.
  2. Go back to TaskForce 2 user interface and enter the activation code in the respective field.
Entering the activation code on the Extend subscription page.

Entering the activation code on the Extend subscription page.

  1. Click Activate. TaskForce 2 confirms that reactivation has been successfully completed.

Connectivity and multi-user access

Atola TaskForce 2 has three connectivity options:

  1. 10Gb Ethernet network
  2. Kiosk mode
  3. Wi-Fi access point (optional)

10Gb Ethernet network

TaskForce is equipped with two 10Gb Ethernet ports. Whenever the system is connected to a local network via one of its Ethernet ports, an IP address will be displayed on the IP screen on the system's front panel.

Supported network features:

  • Two 10Gb Ethernet ports
  • Dynamic (DHCP) IP / Static IP address
  • Settings: DNS nameserver, Default gateway, Jumbo frames
  • Secure connection with password-protected network folders
  • DFS (Distributed File System) support
  • Support of HTTPS with external organizational and self-signed certificates
TaskForce 2 shows an IP address required to connect to its user interface

TaskForce 2 shows an IP address required to connect to its user interface

If the system is connected via both Ethernet ports, two IP addresses will be displayed on the screen. These IP addresses are assigned to TaskForce by your DHCP server.

Multi-user access

With the help of these IP addresses, TaskForce can be operated by multiple users simultaneously from their workstations or mobile devices:

  • enter either of the IP addresses as shown on the IP screen in Chrome browser on another device within the same local network.
Enter IP address in Chrome browser

Enter IP address in Chrome browser

Through the Chrome browser one can remotely track and manage tasks, power devices on and off, open, edit and print cases, etc.

Types of devices that can be used to access TaskForce simultaneously include:

  • Desktop PC
  • Laptop
  • Tablet
  • Smartphone

TaskForce software can be opened in the Chrome browser within any OS.

This functionality enables a group of users to work on different assignments using the same tool. This helps utilize TaskForce’s multitasking capabilities to the maximum and track operation progress remotely. The number of users accessing TaskForce simultaneously is unlimited.

Kiosk mode

Use TaskForce without any network connection in the Kiosk mode by plugging a VGA monitor, keyboard, and mouse into respective ports on the back side of the TaskForce hardware unit.

Whenever the system is not connected to a network via its 10Gb Ethernet ports, the Kiosk mode status is displayed on the IP screen.

Once a monitor is plugged in, it displays the Taskforce user interface, and you can operate the system using a keyboard and mouse.

TaskForce 2 in the Kiosk mode.

TaskForce 2 in the Kiosk mode.

Wi-Fi access point

The third way to access TaskForce's user interface is via a Wi-Fi 802.11n 150 Mb/s adapter (included in the package). Once the Wi-Fi access point is established, TaskForce can be operated by multiple users simultaneously from their devices connected to the hotspot.

To enable the adapter, follow these steps:

  1. Plug the adapter into one of the TaskForce's USB ports.
  2. Go to Menu in the top right corner of the TaskForce web page.
  3. Click Settings.
  4. Enable Wi-Fi Hotspot. An IP address of the hotspot will appear on the unit’s IP screen as well as under the Wi-Fi Hotspot category in the Settings window.
  5. Click Settings.
Enable Wi-Fi Hotspot

Enable Wi-Fi Hotspot

  1. Enable Wi-Fi Hotspot.
  2. Set SSID and Password. To make the network invisible to other devices, select Hidden mode. Click Save.
  3. Use these details to connect to the Hotspot from another device.
Adjust Wi-Fi settings

Adjust Wi-Fi settings

  1. To open the TaskForce interface, enter the unit’s IP address (indicated on the unit’s IP screen as well as under the Wi-Fi Hotspot category in the Settings window, see Step 4) in the Chrome browser of the device connected to the Hotspot.

Use TaskForce with multiple user profiles

For security reasons, you can allow access to Atola TaskForce only for authorized users, protect each user profile with a password, and keep processes, reports, and cases separate and confidential for each user.

Also, you can set up Atola TaskForce to automatically lock its screen after a certain time of inactivity and to prompt a user to log in.

Setting up user roles and profiles is an optimal solution when you want to:

  • Share one Atola TaskForce unit with multiple colleagues at the same time.
  • Prevent other users from interrupting the processes you started on your TaskForce.
  • Prevent your colleagues from seeing each other’s cases.
  • Temporarily pass your TaskForce to another forensic lab, department, or agency without giving access to your cases.

What others can see and do when you share one TaskForce

After you enable User management, you become an administrator and can create up to 20 profiles with either Admin or User roles. These roles have different permissions.

What an Admin can see and do

The first profile that you create after enabling User management has an Admin role. You can have more than one profile with the Admin role on your TaskForce.

As an Admin, you can:

  • See and edit all cases of other users.
  • See and stop all processes run by other users.
  • See and print all reports created by other users.
  • Access and change all TaskForce settings.
  • Enable or disable User management.
  • Add, edit, or delete other user profiles with either Admin or User role.
  • Change other user’s password.
  • Set TaskForce to automatically lock the screen after a certain time of inactivity.

      Admin sees all processes and cases of other users.

Admin sees all processes and cases of other users.

What a User can see and do

A profile with a User role is created by Admin and has limited access to TaskForce.

As a User, you can:

  • Log in only to your user profile.
  • See and edit only your cases.
  • See and print only your reports.
  • See, run, and stop only your processes.
  • Change only your password.

As a User, you can’t:

  • Access somebody else’s user profile.
  • See and edit other users’ cases.
  • See and print other users’ reports.
  • See or interrupt other users’ processes.
  • Access a device that is being used by another user
  • Access and change TaskForce settings.
  • Enable or disable User management.
  • Add, edit, or delete other user profiles.
  • Change other user’s password.
  • Disable or configure Automatically lock screen feature set by Admin.

      Profiles with a User role see only their cases and processes.

Profiles with a User role see only their cases and processes.


      Profiles with a User role don’t see each other’s cases and processes.

Profiles with a User role don’t see each other’s cases and processes.

Enable User management

The first profile, what you create after enabling User management, has an Admin role.

To enable the multi-user mode in Atola TaskForce, do the following steps:

  1. In the Atola TaskForce window, go to Menu > Settings.
  2. In the Users section, toggle User management.
  3. Enter the username and password for the administrator’s profile, and then click Create.

Now you can add, edit, or delete other user profiles.


      User management toggle in the Users section of the Settings menu.

User management toggle in the Users section of the Settings menu.

Add, edit, or delete users

Only Admin can add, edit, or delete other user profiles with either Admin or User role.

Add a user

To add a user, do the next steps:

  1. Log in to a profile that has the Admin role.
  2. In the Atola TaskForce window, go to Menu > Settings.
  3. In the Users section, click Manage.
  4. On the Users page, click Create user.
  5. Enter the username and password for a user.
    Optional: To grant this user an Admin role, select Admin checkbox.
  6. Click Create.

      The Create user button and dialog.

The Create user button and dialog.

Edit a user

To edit a user, do the following:

  1. Log in to a profile that has the Admin role.
  2. In the Atola TaskForce window, go to Menu > Settings.
  3. In the Users section, click Manage.
  4. On the Users page, select a user you want to edit.
  5. In the Edit user dialog, edit the username.
    Optional: To grant this user an Admin role, select Admin checkbox.
  6. Click Save.

      The Edit user dialog.

The Edit user dialog.

Delete a user

After deleting a user, you can still access their cases and reports under a profile with the Admin role.

To delete a user, do the following steps:

  1. Log in to a profile that has the Admin role.
  2. In the Atola TaskForce window, go to Menu > Settings.
  3. In the Users section, click Manage.
  4. On the Users page, select a user you want to delete.
  5. In the Edit user dialog, click the Delete icon.
  6. In the confirmation dialog, enter YES, and then click Delete.

      The Delete icon in the Edit user dialog.

The Delete icon in the Edit user dialog.

Log in and log out

To log out, click Menu > Log out. Atola TaskForce locks itself and prompts you to enter a username and password. All the processes you started before logging out are still running in the background.

To log in, enter your username and password, and then click Log in. Atola TaskForce unlocks itself and shows its Home screen.


      Atola TaskForce is locked and prompts you to enter a username and password.

Atola TaskForce is locked and prompts you to enter a username and password.

Change the password

As a User, you can change only your password. As an Admin, you can change other users' passwords as well.

Change the password for your profile

To change the password for your profile, go to Menu > Change your password, enter your current and new passwords and click Save.


      Change your password command in the Menu.

Change your password command in the Menu.

Change the password for another user as an administrator

To change the password for another user, do the following:

  1. Log in to a profile that has the Admin role.
  2. In the Atola TaskForce window, go to Menu > Settings.
  3. In the Users section, click Manage.
  4. On the Users page, select a user you want to change the password for.
  5. In the Edit user dialog, enter a new password, confirm the password, and then click Save.

If you forgot or don’t know the password for an administrator profile on your TaskForce, contact Atola Support.


      Changing a user password in the Edit user dialog on the Users page.

Changing a user password in the Edit user dialog on the Users page.

Automatically lock screen

As an Admin, you can set up Atola TaskForce to automatically lock its screen after a certain time of inactivity. To enable this feature, log in to a profile with the Admin role and do the next steps:

  1. Go to Menu > Settings.
  2. In the Users section, toggle Automatically lock screen.
  3. Enter a time interval in minutes you want TaskForce to wait before automatically locking in.

      The Automatically lock screen toggle in the Users section of the Settings menu.

The Automatically lock screen toggle in the Users section of the Settings menu.

Disable User management and password protection

As an Admin, you can disable user management and password protection for your Atola TaskForce.

To disable user management and password protection, do the following steps:

  1. Log in to a profile that has the Admin role.
  2. Go to Menu > Settings.
  3. In the Users section, toggle off User management.

      Toggling off User management.

Toggling off User management.

Maximize 10Gb network throughput

If you image evidence drives to a file on a server or a computer using a local network and want to achieve the best imaging speeds, maximize your network throughput by following these tips.

Set up 10Gb Ethernet network

Atola TaskForce 2 is equipped with two 10Gb Ethernet ports. To fully use this potential and achieve the best imaging speeds, every node in your local network between the TaskForce unit and your computer or server need to support 10Gb connection as well.

Use 10Gb network adapter

Make sure that a network adapter on your server or your computer supports a 10Gb connection:

  • Check vendor specifications for your network adapter.
  • Check the network adapter speed in your OS settings.

How to check Ethernet connection speed on Windows 10 and Windows 11

  1. Go to Control panel > Network & Internet > Network and Sharing Center.
  2. In the View your active networks section, click your Ethernet connection.
  3. In the Status window, check the connection speed. It must be equal to 10 Gbps.

Use 10Gb network cable

Make sure that the network cable you use to connect your TaskForce unit and your local network nodes supports 10Gb connection. It must have Cat6 (with the length of less than 55 meters), Cat6a, Cat7, Cat7a, or Cat8 marking on it.

Use 10Gb router or switch

If your TaskForce unit is connected through a network router or switch, make sure that every such device in your local network in between TaskForce and the target computer or server supports a 10Gb connection:

  • Check vendor specifications for your network router or switch.
  • Check that the 10Gb network cable is connected to a 10Gb port on your router or switch.

Enable jumbo frames

To speed up your 10Gb network, enable jumbo frames on your TaskForce 2, your target device, and every network switch or router in between them.

Jumbo frames increase the efficiency of broadband Ethernet processing because they carry 9000 bytes of payload, which is more than the standard limit of payload.

Enable jumbo frames on TaskForce 2

To enable jumbo frames on your TaskForce unit, do the following:

  1. In the Atola TaskForce interface, go to Menu > Settings.
  2. In the Network section, toggle Jumbo frames for respective Ethernet port (ETH1 or ETH2). Default MTU (maximum transmission unit) value is set to 9000 bytes, don’t change it.
Jumbo frames toggle on the Settings page in Atola TaskForce.

Jumbo frames toggle on the Settings page in Atola TaskForce.

Enable jumbo frames on a target computer

To enable jumbo frames for 10Gb network adapter on a target computer running Windows 10 or Windows 11, do the next steps:

  1. Go to Control panel > Network & Internet > Network and Sharing Center.
  2. In the View your active networks section, click on your Ethernet connection.
  3. In the Status window, click Properties.
  4. In the Properties window, click Configure and go to the Advanced tab.
  5. On the Advanced tab, select Jumbo Packet and change its Value to 9014 Bytes.
  6. Click OK.

Enable jumbo frames on a network router or switch

Jumbo frames need to be enabled on network routers or switches, which connect your TaskForce unit with your target computer or server.

Many 10Gb routers and switches support jumbo frames by default.

For specifications and instructions, refer to a router or switch user guide provided by its manufacturer.

Use Samba version 3.0 or later

Samba is a free software that provides fast shared access to files and printers for all network clients using the SMB/CIFS protocol.

We recommend using Samba version 3.0 or later to speed up the imaging to the files on network-connected drives.

For guidance, refer to the Samba installation guide.

Update OS and drivers

Install the latest OS and driver updates.

Due to various software issues, the local network speed can be lower than expected if the operating system and network drivers are outdated.

Check server use quota

Sometimes, a network administrator can create quotas, which limit server space or throughput for end users.

Check if there is an opportunity to change or lift these quotas to achieve maximum data throughput during imaging.

Use faster target drives

To achieve higher imaging speeds, we recommend using faster destination drives with reading and writing speeds of no less than 600 MB per second.

If you’re using a RAID array as a storage, consider choosing RAID types with faster reading and writing speed, such as RAID 0 and RAID 5.

When storing very big files, opt for a large cluster size on your server. The bigger files you want to store, the larger cluster size should be.

Use a static IP address

If you plan to connect TaskForce 2 directly to your computer, we recommend configuring your computer and TaskForce to use a static IP address. Here’s how to do it.

Configure TaskForce 2 for using a static IP address

  1. On your computer, open a Chrome browser and in its address bar enter the IP address, displayed on the TaskForce front panel.
  2. In the TaskForce interface, go to Menu > Settings.
TaskForce system menu.

TaskForce system menu.

  1. In the Network section, find the IP settings for the ETH1 or ETH2 port and click the Edit icon next to it.
The Edit icon next to IP settings for the ETH 1 port.

The Edit icon next to IP settings for the ETH 1 port.

  1. Enter the following network settings:
    • IP address: 10.0.0.XXX, where XXX can be any number from 1 to 254.
      Default static IP addresses of the TaskForce unit are 10.0.0.215 and 192.168.0.215.
      The IP address of your PC's Ethernet card must be different from that of the TaskForce unit.
    • Network mask: 255.0.0.0.
      If your PC and the TaskForce unit belong to different subnets, the connection can’t be established.
    • Default gateway and DNS can be left empty or set to any value.
  2. Click Save. The new IP address appears on the TaskForce front panel.
Network settings for the ETH1 port.

Network settings for the ETH1 port.

Connect TaskForce 2 directly to your computer

To use a static IP address, connect your computer to the ETH1 or ETH2 port of TaskForce 2 with an Ethernet network cable.

If your computer has no Ethernet port, you can use the USB-to-Ethernet adapter (not included in the package). Connect it to your computer before configuring a network.

Configure your computer for using a static IP address

  1. In Windows, open Network Connections: press Win+R, enter ncpa.cpl and click OK.
  2. Right-click your Ethernet adapter, and then select Properties.
  3. Select Internet Protocol Version 4, and then click Properties.
  4. Enter the following network settings:
    • IP address: 10.0.0.XXX, where XXX can be any number from 1 to 254 except for 215.
      Default static IP addresses of the TaskForce unit are 10.0.0.215 and 192.168.0.215.
      The IP address of your PC's Ethernet card must be different from that of the TaskForce unit.
    • Network mask: 255.0.0.0.
      If your PC and the TaskForce unit belong to different subnets, the connection can’t be established.
    • Gateway and DNS server can be left empty or set to any value.
  5. Click OK.

Jumbo frames for fast imaging to server

In TaskForce 2, Jumbo frames are activated by default to ensure maximum data transfer rates when imaging to a file on your server.

However, if Jumbo frames have been disabled, it is easy to enable them again and experience substantial boost to the speed of imaging!

First, create a file on the server, to which you will be imaging.

Creating a target file.

Creating a target file.

When you start to image to your server with Jumbo frame disabled, the data transfer speed will not exceed 700 MB/s. The actual speed will also depend on the configuration and current traffic in the network.

Speed of imaging without Jumbo frames.

Speed of imaging without Jumbo frames.

To boost the speed:

  1. Pause the imaging session.
  2. Go to the Menu at the top right.
  3. Click Settings.
The Settings in the TaskForce Menu.

The Settings in the TaskForce Menu.

  1. In the Network section, enable Jumbo frames of the Ethernet port you are using and set MTU to 9000.
Enabling Jumbo frames.

Enabling Jumbo frames.

Then you can return to your imaging session:

  1. Go to Image.
  2. Select the source.
  3. Click Resume.

This time, the speed is way higher!

Imaging speed with Jumbo frames enabled.

Imaging speed with Jumbo frames enabled.

Network setup tips

Configuring 10Gb network with DHCP-enabled switch

You need to create or extend network with DHCP-enabled switch with 10Gb connection.

Example. Ubiquiti EdgeSwitch 16 XG: four 10Gb Ethernet ports, twelve 10Gb SFP ports. Approximate price: $600.

This kind of switch supports static IP setup via simple web admin. So you could set the IP addresses you need for each current network device.

How to configure Ubiquiti DHCP server:

  1. Connect PC and TaskForce 2 to Ubiquiti switch.
  2. Set static IP address of PC to 192.168.1.4.
  3. Open a browser and enter 192.168.1.2 (default Ubiquiti switch IP).
  4. Log in with default credentials: ubnt (both in name and password fields).
  5. Go to System > Advanced Configuration > DHCP server > Global.
  6. Activate Admin mode by checking a necessary checkbox and pressing Submit button.
  7. Go to Pool Summary and press Add to make a new address pool.
  8. Enter your:
    • pool name
    • network base address (for example, 192.168.1.0)
    • network mask (in most cases, it should be 255.255.255.0)
    • put Default Router Address and DNS
    After creating your pool, you can change it via Pool configuration tab.
  9. Click Save configuration button in the upper right corner of the window and click Save.

You can check this Youtube guide for alternative instructions on network setup using Ubiquiti switch.

Getting maximum performance of Ubiquiti EdgeSwitch 16 XG network

To optimize performance using Ubiquiiti EdgeSwitch 16 XG, you need to enable 10Gb with jumbo frames:

  1. Go to Basic > Port summary.
  2. Select ports 0/13, 0/14, 0/15, 0/16 and click Edit.
  3. Change Maximum Frame Size to 9014 in Edit Port configuration window.

Configuring a dynamic IP for TaskForce 2 in a network without router or DHCP-enabled switch

If there is no hardware in the network that assigns IP address, or if you want to keep a small network with TaskForce 2 and your server/PC connected directly, it is possible to install and setup software DHCP server. The good news is, it does not require any investment. All you need is some time to set it up on any computer in the server network. Follow the instructions from these guides:

Accessing Windows Server 2012 shared folder

If you want to store a target image file in a Window Server 2012 network folder but it appears missing, please follow these steps:

  1. Go to Control panel.
  2. Enable Guest account (Administrative tools > AD users and computers > Users).
  3. Network and sharing center > Change advanced sharing settings > Turn On network discovery + Turn on sharing (file and printers + public folders).
  4. In the shared folder access options, add Guest or Everyone.

If the shared folder demands restricted access, please follow this guide.

Setting up Synology DS218 as storage server

To set up Synology DS218:

  1. Go to Control panel > File services > SMB > Advanced settings.
  2. Set Maximum protocol to SMB3.
  3. Go to Control panel > Shared folder.
  4. Click Create button and specify network folder details.

If you need to get a guest account working, run the following actions:

  1. Go to Control panel > User.
  2. Edit for Guest user.
  3. Clear the Disable this account checkbox.

For more instructions and information about check our Troubleshooting guide and FAQ page.

Configuring TaskForce use with Synology or QNAP NAS as a LAN

Here is a guide to configure your NAS to be used with TaskForce 2 for storage of image files.

This manual is indicative and may vary between models and manufacturers. We have tested this setup on Synology DS218 and QNAP TS-431K.

Table of contents

Setting up Synology
Setting up QNAP
Direct connection with a Static IP:

  1. Configuring TaskForce 2
  2. Configuring Static IP in Synology
  3. Configuring Static IP in QNAP

Setting up LAN using a router with DHCP (Dynamic IP):

  1. Configuring the router
  2. Configuring DHCP in TaskForce 2
  3. Configuring DHCP in Synology
  4. Configuring DHCP in QNAP

Setting up a Synology NAS

  1. Install drives in the Synology NAS.
  2. Use a LAN cable to connect the DiskStation to your switch, router, or hub.
  3. Press the power button to turn on your Synology NAS.
  4. Install DiskStation Manager (DSM) – Synology’s browser-based operating system – on your DiskStation.
  5. Follow the instructions to create a RAID volume and a partition with a file system on it.

Enabling SMB3 is highly recommended for the best performance:

  1. Go to Control panel > File services > SMB > Advanced settings.
  2. Set Maximum protocol to SMB3.
  3. Go to Control panel > Shared folder.
  4. Click Create and specify network folder details.
  1. Create a Shared folder in the new volume:
    Control panel > File sharing > Shared folder > Create > Create Shared Folder
  1. In the folder creation menu, set the folder name, e.g. Image Files and set access options.

Setting up a QNAP NAS

  1. Install drives in the QNAP NAS.
  2. Use a LAN cable to connect the QNAP to your switch, router, or hub.
  3. Press the power button to turn on your QNAP.
  4. Install Qfinder Pro for quick find and easy access to QNAP NAS on the same LAN.
  5. Find your QNAP using Qfinder Pro and go to its page in the browser.
  6. Follow instructions to complete Smart Installation.
  1. Create Storage Pool (RAID):
    1. Storage & Snapshots.
    2. Storage (left menu).
    3. Storage/Snapshots.
    4. New Storage Pool (in the the top right corner).
    5. Follow the instructions to set up the Storage Pool.
  1. In the final stages of setting up the Storage Pool, create a New Volume.
  1. In the File Station utility, you can find the new volume: QNAP. In it, there is a Shared Folder created by default called Public.
  1. For a Shared Folder with specific access or encoding settings, create a new one by clicking the icon showing a folder with a + and adjust the configuration.

Direct connection with a Static IP:

Since we are not connecting TaskForce and Synology/QNAP NAS to a wider network, it is enough to set up the same Subnet Mask for the NAS and the TaskForce, and configure Static IP addresses that will indicate the same network.

TaskForce 2 configuration

  1. Go to Menu > Settings > Network section.
  2. Select the Ethernet port through which Synology is connected (e.g. ETH1).
  3. Click IP settings’s Edit icon.
  1. In the ETH settings dialog, enter the address (e.g. 255.255.0.0) in the Subnet Mask field that is identical to that of Synology.
  2. Assign an IP address using the Subnet Mask: the first two bytes of TaskForce’s IP must be identical to those of IP Synology (e.g. 10.0.0.15). This will ensure that both TaskForce and Synology belong to the same network. (e.g. 10.0.0.8).
  1. Click Save.

Setting up a Static IP in Synology

  1. Go to the Control panel.
  2. Open Network interface.
  3. Select the current connection to Synology.
  4. Click Edit.
  1. On IPv4 tab, select Use manual configuration.
  2. Assign Subnet Mask (e.g. 255.255.0.0), which is identical to that of TaskForce.
  3. Assign IP address (e.g.: 10.0.0.15).
  4. Click ОК.
  1. After Synology has changed the settings, it can be disconnected from the current network.

Setting up Static IP in QNAP

  1. In the Control panel, go to Network & Virtual Switch.
  2. Select the current connection to QNAP.
  3. Open the Menu.
  4. Click Configure.
  1. On the IPv4 tab, select Use static IP address.
  2. Assign a Subnet Mask (e.g. 255.255.0.0), which is identical to that of TaskForce.
  3. Assign an IP address (e.g.: 10.0.0.16).
  4. Gateway field should be left blank because you are configuring a LAN and connecting to other networks is unnecessary.
  5. Jumbo Frame and Network speed should be left with the default values.
  6. Click Apply.
  1. After the QNAP has changed the settings you can disconnect it from the current network.

Connecting to the Shared Folder in TaskForce 2

  1. Connect the Synology/QNAP NAS to TaskForce’s ETH1 port.
  2. Click the Devices icon in the upper right corner. Go to the File section and click Select File.
  3. Click Connect.
  4. Enter the Server name, Username, Password.
    If you do not remember the server name, look it up:
    Synology > Control Panel > Info Center > Server name
    QNAP > Control Panel > General Setting > Server name
  5. Click Connect.
  1. TaskForce 2 has connected to Synology and you can open the previously created Shared Folder.

Setting up a LAN using router with DHCP (Dynamic IP)

Setting up router

  1. Connect the router directly to your PC or laptop via the Ethernet port.
  2. Log in to the web configurator.
  3. Turn on the DHCP server in the local network settings.
  4. Apply changes.

Setting up DHCP in TaskForce 2

  1. Open Menu > Settings, go to the Network section.
  2. Select the Ethernet port to which Synology will be connected. (e.g. ETH1).
  3. Click the Edit icon to adjust the IP settings.
  4. Clear the Use static IP address checkbox.
  5. Click Save.

Setting up DHCP in Synology

  1. Go to Control panel > Network > Network interface.
  2. Select the current connection to Synology and click Edit.
  3. On the IPv4 tab, select the Get network configuration automatically (DHCP) option.

Setting up DHCP in QNAP

  1. In the Control panel, go to the Network & Virtual Switch.
  2. Select the current connection to QNAP, open the Menu and select Configure.
  1. On the IPv4 tab, select Obtain IP address settings automatically via DHCP.

Connecting the LAN devices

After all the reconfigurations, connect TaskForce 2, NAS and your PC or laptop to the router using Ethernet ports and connect to the Shared Folder as described above.

Connecting drives & starting Atola TaskForce 2

This page provides information about the startup procedure of Atola TaskForce 2, to ensure the safe and effective operation of the unit.

Powering on TaskForce

The power button is located on the front panel of the unit. To start TaskForce, press the power button.

Booting

The booting process takes up to 3 minutes.

Once booting is completed, the IP screen on the front panel will display either the "Kiosk mode" message or an IP address if the unit is connected to the local network using an Ethernet cable. At this point, the unit is ready for operation.

Connecting drives

TaskForce supports SAS, SATA, USB, NVMe M.2/U.2 PCIe, and IDE drives via its 25 ports, as well as other storage devices via Thunderbolt, Apple PCIe, and M.2 SSD extension modules.

To ensure both TaskForce and the devices connected to it are used properly and safely, read the instructions below.

Connecting M.2 devices

M.2 ports support hotplug to allow for drives to be regularly swapped, without restarting the whole system. To connect an M.2 drive to TaskForce 2, do the following:

  1. Push the tray ejection button located on the left side of an M.2 tray.
  2. Pull the M.2 tray out from its bay.
  1. Remove the 4 screws at the bottom side of the M.2 tray with a PH1 screwdriver.
  2. Slide the black Icy Dock adapter to the side to remove it out of the tray.
  3. Snap off the heatsink of the Icy Dock adapter by pushing it up from the sides.
  1. An adjustable M.2 locker slides to accommodate all the standard M.2 PCIe NVMe SSD drive lengths, including 2230 (30mm), 2242 (42mm), 2260 (60mm), and 2280 (80mm). Adjust the M.2 locker to the drive length.
  1. Insert the M.2 drive into the M.2 connector and then slightly press the drive down. A spring latch locks the drive with a “click” sound. To release the spring latch, slide the locker open by moving the two plastic levers situated on both sides of the drive.
  1. Once the drive is plugged into a connector and secured with a latch, snap the heat sink lid on.
  2. Slide the Icy Dock adapter back into the M.2 tray.
  3. Use at least one screw to secure the adapter onto the tray.
  4. Important: Make sure that the U.2 connector of the adapter faces the bay and the heatsink with the “Icy Dock” logo faces up.
  5. Insert the M.2 tray back into the M.2 bay, make sure it is pushed inside all the way, and then close the lock of the tray.

Connecting extensions

Before connecting an extension module, make sure TaskForce is powered off. Plug the extension module into the extension slot located on the back panel of TaskForce and power the unit on.

Hardware write protection

Each port is equipped with an individual Source switch enabling hardware write protection on the port. To make sure data on an evidence drive is not overwritten, check if the port is in the source before connecting the drive.

Connecting SATA & SAS drives

TaskForce has 8 SATA and 8 SATA/SAS ports. When a drive is connected to TaskForce, the port is powered off by default, therefore the device is not immediately identified.

To identify the device, click the Devices button in the top panel of the TaskForce interface, and TaskForce will start drive identification process on all ports. The system ensures a sustainable overall power consumption in situations when many drives are plugged in. That's why drives are powered not all at once but sequentially, in a matter of a few seconds.

Powering off TaskForce

To power off the TaskForce hardware unit:

  1. In TaskForce window, stop all active tasks.
  2. Press the power button on the front panel of the unit for 5 seconds.

Supported Drives

Atola TaskForce 2 supports all 1.8-inch, 2.5-inch, 3.5-inch IDE, SATA, SAS and USB hard drives, USB Flash media as well as SD, Compactflash, and Memory Stick cards via a generic USB Card Reader.

TaskForce 2 can also work with the following drive types using proprietary Atola extension modules:

  • M.2 NVMe/PCIe/SATA SSDs
  • latest Apple SSDs via Thunderbolt extension
  • the newest PCIe SSDs from Apple MacBooks (2013 - 2015)

Most functions of Atola TaskForce 2 will work with any hard drive or flash card with either IDE, SATA-1/2/3 or USB-1/2/3 interface (including those attached via adapters).

To ensure high quality and efficiency of our tools, we test them on hundreds of storage devices.

Head selection works for the following HDD models

  • SATA and IDE Seagate hard drives (including F3 series)
  • SATA and IDE Western Digital, HGST hard drives with exception of some models released since 2018
  • SATA and IDE Hitachi hard drives
  • SATA and IDE Toshiba hard drives: MG, MK, MQ, DT, HD families with exception of some models released since 2018

RAID support: unknown configuration detection, reassembly, and imaging

  • RAID types: RAID 0, 1, 5, 6, 10 and JBOD
  • Hardware RAID controllers: Adaptec, Areca, HP, Dell, LSI, Intel RST, IBM ServeRAID, other generic controllers
  • Software RAID: mdadm
  • NAS RAID: Synology, QNAP - development in progress (will be released in one of the next firmware updates)
  • File systems: NTFS, ext4/3/2, XFS, exFAT, APFS, HFS/HFS+, FAT32/16

TaskForce drive identification

Atola TaskForce is designed to perform multiple processes simultaneously and provide its users with unprecedented flexibility when it comes to a variety of devices and configurations in which they can be used. TaskForce also makes sure to efficiently communicate how a device is being used and helps a user to handle drives correctly.

When connecting a drive to the system, make sure the right mode is set on the port: in source mode, an evidence drive is automatically write-protected. It can only be changed with Source hardware switches.

Source hardware switches.

Source hardware switches.

As soon as you choose a particular task or click Devices in the top bar, TaskForce starts sequentially supplying power and sending commands to identify all connected devices.

After a connected drive receives power supply and identification commands from the unit, it responds with device info including:

  • device model and serial number;
  • device capacity;
  • limitations of the drive.

TaskForce software also immediately detects whether the drive is locked by an ATA password or the drive’s max readable address is limited via HPA/DCO/AMA. The unit indicates these restrictions and notifies a user about those with the red color indication in the device menu.

TaskForce detects ATA, HPA/DCO/AMA limitations

TaskForce detects ATA, HPA/DCO/AMA limitations

These indicators allow a user to make informed decisions on how to proceed with the device, whether unlocking is required to get access to the whole drive space before starting an imaging session.

Notification device not detected may point to one of these issues:

  • there is no device on the port;
  • the cable is not properly plugged in;
  • the device is connected to another port;
  • the device is heavily damaged.
Notifications device not detected

Notifications device not detected

If a source drive is busy with a running operation, the port will be temporarily unavailable for selection when launching other tasks. In such a case, the fonts in the respective box will be a lighter shade of grey, making the port unclickable.

Busy source drive

Busy source drive

When selecting a target device for wiping or imaging, source drives are also unavailable to ensure that data on an evidence drive doesn’t get overwritten by mistake.

Selecting target device

Selecting target device

Atola TaskForce: Main window

This article helps in understanding TaskForce’s main window, its controls and buttons and how to use them.

An overall view of the TaskForce 2 main window: 1 - Home icon, 2 - Taskbar, 3 - Cases button, 4 - Reports button, 5 - Current overall performance, 6 - Devices button, 7 - Menu.

An overall view of the TaskForce 2 main window: 1 - Home icon, 2 - Taskbar, 3 - Cases button, 4 - Reports button, 5 - Current overall performance, 6 - Devices button, 7 - Menu.

1. Home icon

The Home button brings you back to the Home screen. This is where you can check the active and recently completed tasks in the respective sections of the screen.

The number of current active processes is indicated next to the Home icon in a small orange circle.

2. Taskbar

The Taskbar on the left shows main TaskForce operations:

  1. Diagnose
  2. Image
  3. Logical
  4. RAID
  5. Wipe

Click the Other button in the Taskbar to access 4 more important TaskForce operations:

  1. Hash: Calculates hash of a device: MD5, SHA-1, SHA-256, SHA-512.
  2. View SMART: Shows all SMART attributes as a table.
  3. Browse files: Shows the content of partitions on a device.
  4. Hidden drive areas: Lets you to unclip or change HPA, DCO, AMA limitations.
Section with other tasks: Hash, View SMART, Browse files, Hidden drive areas.

Section with other tasks: Hash, View SMART, Browse files, Hidden drive areas.

3. Cases

By clicking the Cases button in the top panel you get to the Cases page with a list of the latest cases. With the help of the Search bar you can find a specific case. The cases are available for import and export between different TaskForce units.

An overall view of the Cases page with a list of the latest cases.

An overall view of the Cases page with a list of the latest cases.

4. Reports

By clicking the Reports button in the top panel you get to the Reports page that is equipped with a similar search bar. The reports can be selected and printed directly from this page.

The Reports page with a list of the latest reports.

The Reports page with a list of the latest reports.

5. Current overall performance

To check the Current overall performance, click Atola logo in the top panel. This lets you to keep track of the unit’s capacity usage. TaskForce allows running processes at 25 TB/hour and more.

Current overall performance shows after you click Atola logo.

Current overall performance shows after you click Atola logo.

6. Devices

Click Devices button in the top panel to see all the drives connected to TaskForce to obtain maximum information about each by simply clicking it.

The Devices panel provides additional options for working with the drives: add a case for a device, re-identify or power off any device.

The Devices panel is expanded and shows all the drives connected to TaskForce.

The Devices panel is expanded and shows all the drives connected to TaskForce.

The Menu contains device settings and features that regulate your use of the TaskForce unit.

The Menu gives access to Atola TaskForce settings, express mode, full screen mode, release notes, and manual.

The Menu gives access to Atola TaskForce settings, express mode, full screen mode, release notes, and manual.

In Settings you can adjust the general, database, network, print, and other settings.

Express mode enables automatic launch of multiple imaging sessions on all ports that are set to source. For more details, see Express mode: self-launching imaging.

Toggle fullscreen option is handy when working with other programs or files.

In Update firmware you can check the current TaskForce firmware, choose update method and perform the firmware update by selecting and downloading the firmware file.

Activation status lets you to look up, reactivate the status, or extend the subscription.

In Release notes you can read the information about the most recent Atola TaskForce firmware release and track all updates and enhancements by clicking corresponding links.

ATA registers: what they mean


Link Register

It's only enabled when port powered on, device presence detected and PHY communication established.

Status Register

This register contains hard drive status information. It is updated after every single command sent to the drive.

ERR: means last command failed to execute. In this case the Error register contains more details on the specific error.
INDX: obsolete, used to trigger after each spindle revolution
CORR: obsolete, used to trigger after a bad sector was automatically corrected by ECC
DREQ (Data Request): is asserted when hard drive wants to exchange data with the host controller (in either direction)
DRSC (Device Seek Complete): is obsolete; always asserted on modern hard drives
FAULT (Write Fault): is obsolete
DRDY (Device Ready): is obsolete; always asserted on modern hard drives
BUSY: indicates that the hard drive is busy executing a command OR initializing (after power on or reset)

Error Register

Error register provides more details if the last command failed. This register is only valid when ERR bit of the Status Register is asserted.

AMNF: means Address Mark Not Found (usually occurs on failed read attempt)
T0NF (Track 0 Not Found): obsolete
ABRT: command aborted (unsupported command or other failure)
IDNF: sector ID not found (usually occurs on failed read attempt)
UNC: uncorrectable read error; the hard drive was unable to read data even after applying ECC recovery algorithms
ICRC (Interface CRC error): there was CRC error while transferring data between host and the hard drive (usually indicates bad interface cable)

Diagnosing a drive with Atola TaskForce 2

When an evidence drive lands on investigator’s table for the first time, there is always an uncertainty when it comes to the drive's condition. A broken head or scratched surface of the media require different imaging tactics. That’s why it is strongly suggested that before imaging, each drive should first be diagnosed.

TaskForce 2 has Atola's unique diagnostics module which checks all systems of the drive:

  • Hard drive's motor and electronics (PCB)
  • Head stack
  • Media surface
  • All firmware/system areas
  • Partitions and file systems

At the end the system produces a report which sums up all issues. The process will take only 2-5 minutes.

To start, go to Diagnose, select the drive and then click START.

Start diagnostics.

Start diagnostics.

First, TaskForce 2 checks the drive's printed circuit board. The system applies power to the device and records and analyzes spin-up current curve. This helps detect most issues with the PCB and the motor. Next, TaskForce 2 analyzes the contents of the hard drive's ATA registers and device identification sector.

Circuit board check.

Circuit board check.

After that, the head stack is tested. Several factors are taken into consideration when diagnosing heads: media access time for each head, power consumption curves, and internal drive's error reporting systems.

If the head stack looks good, the system performs a short media scan. The purpose of this scan is to verify if there are any bad sectors in the starting, middle and ending sectors of the drive pointing to a damage to the media surface or logical errors.

Heads and media surface check.

Heads and media surface check.

Next, several firmware tests are performed:

Firmware check.

Firmware check.

If TaskForce detected no issues by this point, it performs a file system checkup:

File system check.

File system check.

After this final stage of diagnostics, TaskForce 2 displays the full report. The Diagnostics result message box contains a short summary of all tests. It also provides estimated imaging time for this drive.

Diagnostics report.

Diagnostics report.

Tracking a drive's SMART table status before and after imaging

SMART table is a valuable source of information about a hard drive’s health. SMART (Self-Monitoring, Analysis and Reporting Technology) provides stats of a drive’s operation, thus helping predict its future failure.

Making a definitive conclusion based on the indices in SMART table is not easy: not all parameters are critical, it is usually a combination of bad values of a few parameters that point to a trouble, time factor plays a role too (how fast has the state of the drive been deteriorating).

View SMART table

SMART table is included in the Diagnostics report. If you want to have a look at the current indices:

  1. Go to Other > View SMART.
  2. Select the drive.
  3. Click Start.
SMART table report.

SMART table report.

SMART table attributes may differ depending on the drive manufacturer. The most critical attributes are:

  • Reallocated sectors count.
  • Current pending sector count.
  • Uncorrectable sector count.

When RAW value of any of these attributes is greater than zero, TaskForce highlights it in yellow.

The worse the values, especially in these critical attributes, the more carefully the drive needs to be treated.

Track changes of the SMART table attributes

To keep track of the changes occurring to the attributes of the SMART table, the imaging settings can be easily adjusted to records SMART table indices prior and after each imaging session.

Adjust the imaging settings to keep the record of SMART prior and after the imaging session.

Adjust the imaging settings to keep the record of SMART prior and after the imaging session.

By comparing the two tables, user can evaluate whether the health of a drive has been deteriorating throughout the imaging session and thus assess how quickly its health has been getting worse. Any discrepancies between the two SMART tables will be highlighted in yellow.

How SMART table state changed after image acquisition

How SMART table state changed after image acquisition

Whenever you need to evaluate how the state of the drive has been changing long-term, go to previous imaging sessions and look up SMART table. TaskForce stores this information in its case management system.

Imaging an evidence drive to 5 targets

Atola TaskForce allows imaging to up to 5 targets at a time.

The targets may include:

  • E01, AFF4, RAW file on a network server.
  • target drive plugged into one of 26 TaskForce ports.

To start an imaging session that includes 5 targets:

  1. Go to Image.
  2. Select a source device.
  3. Select target devices. To create a target file, click Select file on the Select target devices panel.
Selecting target devices.

Selecting target devices.

  1. In the Select image file window, open the folder on the server where you want the file to be created and click Create file.
  2. In the Create image file dialog, enter a name for the file, select its type (E01, aff4, dd, img, or raw), and then click Create.
Entering the name of the file.

Entering the name of the file.

  1. On Select target devices panel, click Continue.
  2. On the imaging settings page, double-check all settings and the targets selected for the imaging session, and then click Start.
The imaging settings page.

The imaging settings page.

In the imaging page, there are two diagrams that show the progress of imaging. The upper one is called imaging map bar and shows imaging progress throughout the whole drive space (all successfully imaged sectors on the source drive are marked green, all damaged ones are marked red). The lower diagram is called read speed graph and shows the time TaskForce spent reading sectors on the source drive.

Imaging in progress.

Imaging in progress.

When imaging is completed, you are redirected to the imaging summary page, where you can review the details of the session including source and target drive details, imaging settings, hash values and the time when imaging session started and when it was completed.

The Imaging completed report.

The Imaging completed report.

Imaging a drive to two targets with post-hashing

Atola TaskForce's imaging functionality provides many adjustable settings to help forensic examiners follow the guidelines set by their organizations as well as common-sense evidence handling routines.

When you need to create two images of a source drive and verify that both images are identical to the source drive, you will need to calculate the hashes of both targets after imaging. To optimize the process, post-hashing of both target devices is easily configured in imaging settings.

Here's how to do it:

  1. Go to Image.
  2. Select Source and Target devices.
  3. TaskForce 2 redirects you to the page with the summary of current imaging settings. By default, hashing of source drive during imaging is enabled.
  4. To adjust the imaging settings, click Change.

Changing default imaging settings.

Changing default imaging settings.

  1. In the imaging settings, open the Hashes tab and toggle Post-hash target devices.
  2. To proceed with imaging, click Start.
Enabling post-hashing of targets.

Enabling post-hashing of targets.

Hashing of source drive during imaging is a preferred option because it only requires the data on the evidence drive to be read once, for both imaging and hash calculation. This ensures both a forensically sound process and minimal impact to potentially unstable media. Hashing during imaging does not slow down imaging process.

Imaging progress.

Imaging progress.

Once imaging is completed, post-hashing begins immediately on both target devices:

Post-hashing in progress.

Post-hashing in progress.

In the end, TaskForce 2 produces a report that documents hashes of both source and target devices:

Imaging report with source and target hashes.

Imaging report with source and target hashes.

Imaging to an E01 file with dual hash

E01 file format is the de facto standard format for forensic examiners to store images due to its ability to store not only a copy of the evidence drive, but also case and evidence details. E01 file can also store both MD5 and SHA1 hash values calculated during imaging.

To image a source evidence drive to an E01 file, you have to create a new target file.

Creating a new E01 file

  1. Go to Image.
  2. Select the source evidence drive.
  3. On the Select target devices panel, click Select file.
  4. In the file selector, find the folder to store the image and click Create file.
  5. In the Create image file dialog, select the E01 file type.
  6. Fill in E01 file information, and then click Create.
  7. On the Select target devices panel, click Continue.
Creating an E01 file.

Creating an E01 file.

Enable dual-hash and start imaging

  1. Once you have selected the source drive and created the target file, you end up on the Settings summary page. To adjust the imaging settings, click Change.
  2. On the Hashes tab, make sure that Hash source during imaging is selected, also select both MD5 and SHA1 hash types.
  3. To proceed with imaging, click Start.
Adjusting imaging settings.

Adjusting imaging settings.

The report and the E01 file

Upon completion of imaging, you can see both MD5 and SHA1 hash values indicated in the Imaging completed report.

Imaging report.

Imaging report.

It is also possible to look up the information of the created E01 file. To do that, perform the following actions:

  1. Click Devices at the top right.
  2. Expand the File section and click Select file.
  3. Choose your file. TaskForce 2 opens the file information page with all the metadata of the E01 file. The MD5 and SHA hash values are listed there, too.
E01 file with calculated MD5 and SHA1 hashes.

E01 file with calculated MD5 and SHA1 hashes.

Imaging to a compressed E01 file on a target drive

By putting a target device in Storage mode, TaskForce 2 enables the creation of multiple image files (E01, RAW, img or dd) on the target drive.

Set a device to the Storage mode

To set a target device to the Storage mode:

  1. Go to Image.
  2. Select the source evidence drive.
  3. On the Select target devices panel, click Select file.
Selecting a target file.

Selecting a target file.

  1. In the Select image file window, click Add storage.
Adding a storage drive.

Adding a storage drive.

  1. On the Select device panel, choose the drive you want to use in the Storage mode. TaskForce 2 uses a lighter shade of blue to indicate that a storage drive is being configured.
Selecting a storage drive.

Selecting a storage drive.

  1. If TaskForce 2 cannot find the appropriate exFAT partition on the selected drive, it offers you to format the device accordingly. In that case, select Format device to exFAT and click Next.
Formatting the target to exFAT.

Formatting the target to exFAT.

  1. To launch target device formatting to exFat with a large cluster size (32 MB), click Format and enter YES for confirmation. This cluster size enables faster imaging to this drive.
Formatting the target to exFAT.

Formatting the target to exFAT.

Once the target device is formatted, TaskForce 2 perceives it as a Storage target.

The drive in the Storage mode is marked with a special blue icon on the Select target devices panel. A LED status indicator of the respecting drive port on the TaskForce 2 front panel also turns blue.

A drive in the Storage mode.

A drive in the Storage mode.

Create a compressed E01 image file

To proceed with creating a compressed E01 image file on the storage device, do the following:

  1. In the Select image file window, select the storage drive and then click + Create file.
Adding a new file.

Adding a new file.

  1. In the Create image file dialog, enter the file name and select the E01 file type.
Creating an image file.

Creating an image file.

  1. Select the Compress E01 option.
  2. Fill out other file details, and then click Create.
Configuring the compressed E01 file.

Configuring the compressed E01 file.

  1. Check your imaging settings and click Start to proceed with imaging.
The imaging settings screen.

The imaging settings screen.

The Imaging completed report provides all the time stamps, hash values, and hash verification result. To look up the settings of the imaging session, you can also see the Imaging started report in the case management system.

The Imaging completed report.

The Imaging completed report.

Imaging to an AFF4 file

Atola TaskForce 2 supports performing an image acquisition of an evidence device to an AFF4 forensic file.

AFF4 is a highly optimized open-source forensic file format used for the storage of digital evidence and data. It offers a wide range of benefits:

  • Is an open-source format: you can describe it in a court.
  • Supports multipass imaging.
  • Offers fast compression methods: Snappy and LZ4.
  • Supports block hashes.
  • Stores binary zeroes as spans similar to sparse files.
  • Is vendor-neutral.

AFF4’s block hashes are calculated for small segments of data on the drive and are stored in a table inside AFF4 metadata. There is a Block map hash that represents a single SHA-512 hash value for all the individual block hashes based on Merkle tree model. This is great for imaging of damaged drives to a file using TaskForce’s multipass imaging algorithms.

Create an AFF4 file as an imaging target

  1. In the TaskForce main window, click Image.
  2. Select a source device.
  3. On the Imaging sessions page, click Start new.
  4. On the Select target devices panel, expand the File section and then click Select file.

      Creating a file as an imaging target.

Creating a file as an imaging target.

  1. Choose a folder for your file. You can save a file:
    • on a computer or server in your local network or
    • on a storage device connected to your TaskForce.
  2. After selecting a folder, click Create file.
  3. In the Create image file dialog, change file Type to AFF4.
  4. Define hashing type and compression algorithm for your target AFF4 file:
    • Block hashes: choose from MD5, SHA1, MD5 + SHA1, SHA256, or SHA512
    • Compression: choose from LZ4, Snappy, or Not compressed.
  5. Enter other case details and then click Create.

      The settings for AFF4 target image file.

The settings for AFF4 target image file.

  1. Click Continue.
  2. Check imaging settings, change them if needed, and then click Start.

TaskForce 2 starts imaging your evidence device to an AFF4 target file. After imaging is finished, the system shows an Imaging completed report.


      The Imaging completed report with an AFF4 file as a target.

The Imaging completed report with an AFF4 file as a target.

Accessing password-protected servers

Accessing password-protected servers allows saving image files on such servers, imaging or calculating hash of the files located there, etc.

To create an image file on a password-protected server:

  1. In the TaskForce main window, click Image.
  2. Select a source device.
  3. On the Imaging sessions page, click Start new.
  4. On the Select target devices panel, expand the File section and then click Select file.
  5. In the Select image file window, choose the server from the list. If the server does not appear in the list, click Refresh icon to search for all available directories. If the server still does not appear in the list, click Connect.
Selecting a server from the list.

Selecting a server from the list.

  1. The Connect to server dialog opens. Enter the name of the server and fill out login details, including domain or workgroup, and then click Connect. To learn these details, contact your network administrator.
Entering server and login details.

Entering server and login details.

  1. Go to the folder on the server where you need to store your image and click the Plus icon in the right bottom corner of the window.
Creating a new file in the directory.

Creating a new file in the directory.

  1. Enter the name of the new image file and select the format. Click Create.
Entering the name and selecting the format of the new image file.

Entering the name and selecting the format of the new image file.

  1. On the Select target devices panel, click Continue.
The Continue button on the Select target devices panel.

The Continue button on the Select target devices panel.

  1. Check your imaging settings and click Start to proceed with imaging.
The Start button on the Imaging settings page.

The Start button on the Imaging settings page.

Imaging to a file on an encrypted drive with TaskForce 2

With Atola TaskForce 2 it is possible to image into files on an encrypted target drive using VeraCrypt for data encryption. Multiple target drives can be encrypted for the same or different sessions.

Create encrypted storage

To image into files on an encrypted target drive, connect the source drive to a port in the Source mode and take these steps:

  1. In the TaskForce main window, click Image.
  2. Select a source device.
  3. On the Imaging sessions page, click Start new.
  4. On the Select target devices panel, expand the File section and then click Select file.
  5. In the Select image file window, click Add storage.
  1. On the Select device panel, choose the drive connected to a port in the Target mode.
  2. Select Create an encrypted VeraCrypt container (exFAT) and click Next.
  1. Enter and confirm the password for the encrypted volume on the drive. Then click Create.
  1. Confirm the formatting of the device by entering YES and clicking OK. After this step, the formatting takes a few seconds.
  2. Click + Create file.
  3. Enter the name of the image file and choose the file format (E01, raw, img or dd). Then click Create.
  1. Once you have created the file, you may add more image files in the same or a different folder.

After you click Continue, TaskForce 2 images the evidence into the file on your encrypted target.

Upon completion of the imaging session, check the Imaging completed report.

Extract data from an encrypted volume

To find the VeraCrypt volume and the imaged file, do the following:

  1. Plug the target drive into your computer.
  2. Use VeraCrypt software to safely access encrypted data from your drive.
  3. Select the drive label (A, B, C, etc.) on which you want the volume to be mounted.
  4. Click Select device.
  5. In the pop-up window, select your encrypted volume.
  6. Click Mount. Now you can view the partition name, size and encryption algorithm.
  7. Use the password set prior to the imaging session to get access to the encrypted volume.

After you enter the password, the volume is mounted and you can access it from Windows Explorer and use the image for subsequent operations.

Restore E01, AFF4, RAW image file to drive

To restore data from an image file to a drive using Atola TaskForce 2, follow these steps:

  1. In the TaskForce main window, click Image.
  2. On the Select source device panel, expand the File section and then click Select file.
  3. Select the E01, AFF4 or RAW file you are planning to restore.
  4. Select the target drive and click Continue.

    To limit SATA target drive's capacity via HPA or AMA, go to the imaging Settings and click the Change button.

    Go to the Miscellaneous tab and enable the Limit target disk size to source size using HPA/AMA option.

  5. Click Start for the imaging to begin.

TaskForce 2 automatically creates detailed reports for every session. The imaging report lists all the details of the source, the target, the imaging settings and timestamps including the setting of the new max address of the target drive. This makes such data extraction from a file transparent and forensically sound.

Clip target drive to source evidence size

When you image data from an evidence drive, but the target drive is larger than that of the source, the hash values for the source and for the target drives will not be identical. This will happen even if there is no data in the remaining space of the target.

To avoid it, you can limit your SATA target drive's capacity using Host Protected Area (HPA) or Accessible Max Address (AMA). It will make the sectors beyond this limit inaccessible to the hashing tools or the end user. In TaskForce, it only takes one quick adjustment to the imaging settings:

  1. In the TaskForce main window, click Image.
  2. Select a source and target device.
  3. On the Imaging sessions page, click Start new.
  4. On the Settings page, click Change.
  5. On the Miscellaneous tab, toggle the Limit target disk size to source size using HPA/AMA (SATA target ports only) option.
Enabling HPA/AMA restriction for target.

Enabling HPA/AMA restriction for target.

You can now proceed with the imaging process by clicking the Start button.

Before the imaging starts, TaskForce 2 looks up the size of the evidence drive and limits the space of the target using HPA/AMA to make its capacity identical to that of the evidence drive.

When imaging is complete, the report will contain information about the time when HPA/AMA was enabled.

The Imaging report indicates the change to the target drive capacity.

The Imaging report indicates the change to the target drive capacity.

The target disk's port in Devices menu now contains an HPA/AMA indicator, thus informing you that HPA/AMA has been enabled on this drive.

The HPA indicator in the port of the Device menu.

The HPA indicator in the port of the Device menu.

There will also be a report created in the case management system, which indicates the old (native) and the new (as set by HPA/AMA) max address.

The report about HPA activation.

The report about HPA activation.

Now you can calculate hash on both drives to make sure the hash values are identical.

To learn how to unclip HPA/AMA, read Unclip or change HPA, DCO, AMA limitations in our manual.

Exporting sector lists from an imaging session

When an imaging session is completed or paused, it is possible to see its summary in the Imaging sessions summary page. Now there is also a possibility to export lists which would clearly indicate which of the sectors on the source drive have been successfully imaged, which have not (if any), and which of the sectors contained errors.

To export such list:

  1. Go to Image and select the source drive.
  2. In the session summary, click the Export icon.

The Export icon in the session summary.

The Export icon in the session summary.

  1. Select the sectors you are interested in (for example, Imaged sectors).
Selecting the type of sectors.

Selecting the type of sectors.

  1. Save the downloaded .csv file. This file shows the ranges of imaged sectors:

Imaging presets

For examiners who need to ensure they are using specific imaging settings for certain types of drives or cases, TaskForce 2 allows creating different presets for easy, one-click switching to a specific imaging routine. Presets also allow these specific imaging settings to be shared with colleagues who use another TaskForce 2 by exporting presets from one device and importing them onto another one.

TaskForce 2 has two presets called Default and Damaged recommended for healthy and faulty drives respectively.

Default presets.

Default presets.

Manage custom presets

To create a custom preset:

  1. Go to Image and select source and target devices.
  2. On the Imaging settings page, click Change.
  3. Change the imaging settings.
  4. Click the three-dot icon in the bottom right corner and choose Save to.
  5. In the dialog window, enter the name of the preset and click Save.
Saving a preset.

Saving a preset.

Once you have saved a preset, they are stored in TaskForce's work folder and can be used by other operators using the same imager. They can find the presets you created under the Custom button.

The Chrome browser of the user who created a preset, saves a copy of the preset locally. When this user opens the Custom menu, both presets are displayed:

  • one is the preset saved in TaskForce's work folder,
  • another one is the local copy.

If one becomes redundant, it can be easily deleted.

All custom presets.

All custom presets.

To delete a preset:

  1. Select the preset in the Custom menu.
  2. Go to the three-dot menu in the bottom-right corner and click Delete.

Share presets with another TaskForce

Once you have created your custom presets, you can share them with colleagues who use another TaskForce imager.

To export a preset:

  1. Select the preset from the Custom menu.
  2. Click the three-dot icon.
  3. Click Export.

The preset will be downloaded in .json format.

Exporting a preset.

Exporting a preset.

To import a preset:

  1. Click the three-dot icon.
  2. Click Import.
  3. In the Import settings window, click Select file.
  4. Find the file in the file selector and click Open.
  5. Double-check the preset and click Import.
Importing a preset.

Importing a preset.

After this import, the preset can be found in the Custom menu.

Imaging a drive with a damaged head

The diagnostics module, selective head imaging and multipass imaging algorithm allow Atola TaskForce 2 to handle a drive with damaged heads gently and effectively. All these techniques help minimize the risk of losing more data on the working part of the head stack.

Diagnose first

The built-in diagnostics module of TaskForce 2 automatically checks all major subsystems of the evidence drive: circuit board, heads, media surface, firmware and file system.

A diagnostics report provides detailed information about the heads. In addition, it offers recommendations for the optimal imaging strategy for your damaged hard drive.

The above diagnostics report informs the operator that the drive’s hardware has major issues and points to defects in the media and a damaged head (Head#3). The report contains a recommendation to disable the damaged head in the imaging settings.

Selective head imaging

Atola engineers recommend that the good heads are imaged first. To do that:

  1. Go to Image.
  2. Select your source and target devices.
  3. Click Continue.
  4. If a head was identified as damaged during the diagnostics, at this stage TaskForce 2 shows a dialog prompting you to disable the damaged head. To confirm that the head should be automatically disabled for the subsequent imaging session, click YES.

Alternatively, the damaged head can be disabled in the imaging settings:

  1. On the Imaging settings page, click Change to adjust the settings for your imaging session.
  2. In What to image section, click on All sectors to configure the selective imaging.
  1. Unselect the damaged head and сlick Save.
  2. To launch your imaging session, click Start.

Multipass imaging algorithm

As you can see in the screenshot below, some errors were found in the course of imaging on the space of the drive that is read with the Head#4. It is common for a drive with a bad head to also contain errors on the platters that are read with other heads.

TaskForce 2 uses its multipass imaging algorithm when encountering a bad sector that belongs to a good head. It allows handling errors and retrieving data from some of the bad sectors. For as long as it is possible to read data from the sector or block of sectors within the specified pass timeout, TaskForce 2 will be able to image this data.

Having completed imaging from the good heads, the system pauses the session and produces a detailed imaging report with a log of all actions performed during the imaging session.

TaskForce 2 allows editing settings of all unstarted imaging passes, adding or removing passes, etc. So if later you think you may be able to retrieve important data with Head#4, you can add another pass and configure the settings of the new pass accordingly.

TaskForce 2 automatically inserts and launches an additional imaging pass after you click Resume on the pause session. The new pass will include all non-imaged sectors.

TaskForce 2 automatically creates reports for every single action applied to each device connected to it. The reports are stored in the case management system.

Working with a bad head

After you successfully retrieved data from the good heads, you have two options:

  • To replace the head stack before you get down to imaging of the remaining data. You should be aware of the risk, however, that data on the drive can become unreadable due to head stack replacement.
  • To attempt imaging data with the Degraded or Damaged head.

To image the unselected bad head, simply click Resume.

TaskForce 2 resumes the imaging session to focus on the area that belongs to the damaged head.

If the number of errors keeps growing, while the number of the imaged sectors remains unchanged, pause your imaging session and power down the drive because the head seems to be completely inoperable.

In the Imaging report above, you can see that TaskForce 2 imaged 520,961,167 sectors out of 625,142,448, having extracted as much data from good heads as was possible with the default settings.

For more details scroll the report down to check the Log:

Multipass imaging of damaged drives

Damaged media require a sophisticated imaging approach to balance out thorough data extraction with forensic units’ need for expediency and careful treatment of damaged media.

Atola TaskForce has a complex imaging functionality that lets you image even physically damaged drives while avoiding causing further drive damage. You can use a predefined setting for imaging a damaged drive, or fine-tune all imaging parameters yourself.

Diagnose first

Before imaging any evidence device, we strongly recommend diagnosing it.

To image an evidence drive without causing further damage to it, TaskForce is equipped with an automatic diagnostics module that evaluates the state of the drive, identifies specific errors and their location, and recommends the best approach for data acquisition.

The detailed diagnostics report contains detailed recommendations on how to acquire data from this particular drive, based on its condition.

The diagnostics report for a damaged device.

The diagnostics report for a damaged device.

Preset for imaging damaged drives

If a device has issues or is damaged, TaskForce shows the respective tag next to it and suggests using the Damaged preset, designed specifically for imaging faulty drives.

In this case, the Damaged preset is automatically selected on the Imaging settings screen.

The default preset for bad drives is based on our decades-long experience in the data recovery market to overcome most types of damage to the drives. That's why we suggest that you use the Damaged preset for bad drives unless a particular drive requires a specific imaging approach.

The Damaged preset is selected on the Imaging settings screen.

The Damaged preset is selected on the Imaging settings screen.

To thoroughly retrieve maximum data from an unstable drive in a forensically sound way, the preset for damaged hard drives has several major differences from default imaging settings:

  • Number of passes: 5 passes for damaged drives instead of 1 pass for good drives.
  • Different timeouts for each pass: 1 second on the first pass, 5 seconds on the second, third, and fourth passes, and 60 seconds on the last fifth pass.
  • Jump on errors: from 1,000,000 sectors on the first pass to only 1 sector jump on the last pass.
  • Different read block sizes for each pass: 4,096 on the first, second, and third passes, 256 for the fourth and fifth passes.
  • Segmented hashing with 4 GB segments instead of linear hashing used by default for good drives.
The Damaged preset for imaging faulty drives.

The Damaged preset for imaging faulty drives.

Multipass algorithm for imaging damaged drives

To approach bad drives in the most gentle way possible, TaskForce uses its special multipass imaging system.

Most forensic imagers can only do linear imaging, which dramatically slows down the imaging process whenever a bad sector is encountered, and, as a result, the drive may freeze. To speed up the imaging of damaged media and maximize the amount of successfully retrieved data, TaskForce has a special imaging algorithm that includes a deliberate timeout and block size control.

Timeouts and block size control

Using a small block size pays off when you need to thoroughly retrieve maximum data from an unstable drive, but it also significantly slows down the imaging process. What’s worse, such an imaging approach may cause further damage to the media.

That's why TaskForce's multipass imaging engine uses large blocks with short timeouts on the first few passes, scheduling reads inside slow areas for later and then using the smallest block size on the last pass when very few sectors are left to be read. TaskForce handles block size automatically, to provide the best possible results in the shortest time.

This technique helps achieve imaging max speeds in good areas of the drive. At the same time, it lets you approach bad areas in the most delicate way possible and retrieve as much data as possible.

First pass

On the first pass, TaskForce allows a 1-second Timeout per block, and the Max read block size is set to 4096 sectors. This allows smooth sequential imaging of all healthy modern drives.

But when imaging damaged media, these settings let TaskForce skip any areas that slow down the process and perform Jump on error by 1,000,000 sectors at a time.

This way all the good areas of the drive are imaged at top speed, while forcing TaskForce to return to the problematic areas on the following passes, narrowing down the bad areas and allowing more time to retrieve the data within them.

Imaging the first pass. Empty areas where errors were encountered and jumps were performed.

Imaging the first pass. Empty areas where errors were encountered and jumps were performed.

Second and third passes

While the Max read block size remains the same during the second and the third passes, the Jump on error is set to 20,000 sectors and 4,096 sectors respectively, and slightly longer, 5-second Timeouts are allowed for attempted reading of the blocks.

Empty areas start filling up with data, as the jumps become smaller.

Empty areas start filling up with data, as the jumps become smaller.

Fourth pass

On the fourth pass, both Jump on error and Max read block size are reduced to 256 sectors to try reading problematic zones in a more granular way.

The amount of data retrieved is already 99%.

The amount of data retrieved is already 99%.

Fifth pass

On the fifth pass, TaskForce allocates 60-second Timeouts to read the Maximum block size of 256 with just 1-sector Jump on error. It is the last and the most thorough attempt to retrieve data from the remaining bad areas of the drive.

The last pass has a unique feature that is not used during previous passes: an internal sector-by-sector auto-reread procedure for an error block. It is defined by an unchangeable Jump size = 1 sector.

How the imaging engine works on the last pass:

  • It reads a block using the Max Block Size pass setting (256 by default).
  • If the reading is successful, it proceeds to the next non-imaged block.
  • If a read error occurs, the engine re-reads the whole error block sector by sector.
On the fifth pass TaskForce attempts to read the data for the last time.

On the fifth pass TaskForce attempts to read the data for the last time.

After the final pass, the Imaging Results report will indicate the eventual number of errors on the drive and other detailed statistics.

The Imaging Results report shows the number of errors on the drive.

The Imaging Results report shows the number of errors on the drive.

Customize imaging settings for each pass

To cope with a severely damaged drive, you can adjust the following parameters of any imaging pass:

  • Timeout
  • Jump on error
  • Max read block address
  • Start and end LBA
  • Image in reverse direction
  • Disable read look-ahead

Also, you can add or delete an imaging pass.

To customize settings for a certain imaging pass, do the following:

  1. On the Imaging settings page, click Change.
The Change button on the Imaging settings page.

The Change button on the Imaging settings page.

  1. Click the pass you want to change.
An imaging pass is highlighted on the Imaging settings page.

An imaging pass is highlighted on the Imaging settings page.

  1. In the Edit imaging pass window, enter new settings or toggle the options you need.
  2. Click Save.
The Edit imaging pass window shows the current settings for the first pass.

The Edit imaging pass window shows the current settings for the first pass.

Start and End LBA

For each pass, you can define the starting and ending sectors by entering logical block addresses in the respective fields (Start LBA, End LBA) or by dragging markers of the slider below.

Alternatively, you can select All sectors with data in the What to image field. It makes TaskForce search for all known partitions and image only the sectors that contain data. This option is a good use when you are facing a lack of time to take a full image.

Currently supported partitions: NTFS, ext4/3/2, XFS, APFS (with encrypted volumes), exFAT, HFS/HFS+, FAT32/16.

Image in reverse direction

With this function selected, TaskForce approaches skipped areas of the drive from the other side on any selected pass. That means the imaging engine reads a source drive backward and reaches the damaged areas from the opposite direction.

This way, the imaging module can retrieve more data from a drive before entering a damaged zone, which needs to be concentrated on during the following passes. But the speed decreases due to auto disabling of the drive's cache.

Hint: It is one of the best options we recommend you enable to get more data from a severely damaged drive.

Disable the read look-ahead mode

Most contemporary hard drives have a read look-ahead functionality, which makes the drive read more blocks sequentially than requested by software.

In good drives, this functionality helps the drive operate faster by reading more data and caching it.

But with bad drives, the read look-ahead feature leads to bad areas being addressed more often. This slows down the process and may lead to a complete freeze of the drive. In such cases, we recommend disabling the read look-ahead option.

Add a pass

You can add new passes even when an imaging session is not yet started or when it’s paused.

To add a new pass to an imaging session, do the following:

  1. On the Imaging settings page, click Change.
  2. Click Add pass.
Adding a pass.

Adding a pass.

  1. Adjust the settings for the new pass.
  2. Click Save.

Delete a pass

You can delete any pass that has not been started yet. To delete an imaging pass, do the following:

  1. On the Imaging settings page, click Change.
The Change button on the Imaging settings page.

The Change button on the Imaging settings page.

  1. Click the pass you want to delete.
An imaging pass is highlighted on the Imaging settings page.

An imaging pass is highlighted on the Imaging settings page.

  1. In the Edit imaging pass window, click the Delete icon and confirm the deletion.

Imaging freezing drives

The core part of the imaging process is based on reading a source drive by sending multiple Read sectors commands and handling the drive's response at the low native I/O level.

When a drive receives and runs a Read sectors command but is unable to read any data from that sector. So it goes into Retry mode, trying to get data from the damaged area again and again.

After a certain number of tries, it gives up on a particular command and returns an error with timeout.

In TaskForce, you can detect a freezing drive during diagnostics or during imaging.

Freeze detection and handling during imaging

Imagine that the drive is unable to read data from the damaged sectors and goes into a long-lasting retry mode before it gives up on a particular sector and returns an error.

If TaskForce simply waited for each Read sectors command to be completed:

  • it would take ages to get an image of a drive with numerous errors;
  • it could cause the drive to slip into complete freeze;
  • in the worst-case scenario, further damage could be caused to the data on the drive.

The Reset command

To avoid causing further damage to the data on the drive and long waiting periods, TaskForce issues a Reset command whenever a drive attempts to read a block of sectors longer than allowed by the pre-configured timeout.

Reset is a device interface operation, using which TaskForce stops the previously sent Read sectors (or any other) command and then continues imaging from the next planned block on the drive.

If the device is still running the Read Sectors command, even after the first Reset attempt, TaskForce waits 3 seconds and performs the second Reset command. At the moment of the second Reset, a new entry appears in the imaging Log reading

Device hangs while reading block X – Y.

      Log entry: Device hangs while reading block X – Y.

Log entry: Device hangs while reading block X – Y.

Performing a power cycle

If 20 seconds after the second Reset command the drive still tries to read the bad block, TaskForce performs the Power cycle command by forcibly cutting power to the drive for 5 seconds.

At this point, TaskForce adds two entries to the imaging Log:

Performing power cycle...   (when the power is cut off) and
Waiting for the device to become ready…   (when the power is switched back on).

      Log entry: Performing power cycle.

Log entry: Performing power cycle.

After a successful power cycle

In case the first Power cycle command is successful, and the drive become ready to accept the next command, there will be a final log entry for this problematic block of sectors saying:

Cannot read block of data at X – Y (Timeout).

And then TaskForce continues imaging from the next planned block.

After an unsuccessful power cycle

If the first Power cycle command is ineffective, and the drive is still in Busy state and can’t run the next command, TaskForce makes the second Power cycle.

If the second Power cycle does not help either, imaging is terminated. It can be resumed afterward, and TaskForce will continue to image all remaining sectors.

Freeze detection during diagnostics

TaskForce diagnostics module automatically checks the status of each head (for HDDs) and the condition of the media surface by reading several hundreds of thousands of sectors from the starting/outer, middle, and ending/inner part of the head or drive.

If a drive freezes, unable to read certain sectors, it may or may not be detected during diagnostics because not all sectors of the drive are being read at this stage.

If an HDD has a damaged head causing it to enter a busy state, a diagnostics report notifies you about that with the line

Device freezes when checking head N. Performing power cycle...

      Notification “Device freezes when checking head N” in the diagnostics report.

Notification “Device freezes when checking head N” in the diagnostics report.

Also, the diagnostics report shows a table with a freeze count and the number of read errors for each HDD head:


      A table with a freeze count for a drive with a damaged head.

A table with a freeze count for a drive with a damaged head.


      A table with a freeze count for a drive with good heads.

A table with a freeze count for a drive with good heads.

If the heads status is OK, but some freezes were detected during diagnostics, the result of the diagnostics show the following line:

According to this test, the device sometimes falls into complete freeze, which will require power cycling.

      The Diagnostics results notifying that the device sometimes falls into complete freeze.

The Diagnostics results notifying that the device sometimes falls into complete freeze.

Imaging a shorted hard drive

Atola TaskForce has built-in short circuit protection and can detect shorted hard drives. In most cases, a drive has become shorted after experiencing overvoltage, either due to a power supply failure or as a result of a user error. Here is what happens to a drive in these scenarios and how to fix this.

How drives become shorted

Most drives are equipped with two TVS diodes to protect the circuit from overvoltage. One diode is located on the 5V rail and another on the 12V rail.

If the drive experiences an overvoltage, the diodes convert the excess electrical power into heat energy and warm up, thus protecting the drive's circuit. Similarly, in the case of reverse polarity, the diode warms up as it conducts the current in the opposite direction.

If the overvoltage or reverse polarity event is short and the dissipated energy is not too high, the diodes can recover and continue working. However, if the dissipated energy is too high, the diodes will "sacrifice" themselves and get shorted.

When the drive is subsequently powered, the shorted diodes create a low resistance connection between two nodes, known as a short circuit. This is exactly what happens to a drive when its TVS diodes are shorted.

Detect a shorted drive

When you connect a shorted drive to Atola TaskForce, the Home screen shows a short circuit alert to notify the operator about the detected issue.


      The Home screen with a short circuit alert.

The Home screen with a short circuit alert.

On the Select device panel, TaskForce marks the port to which a shorted drive is connected with the Short circuit tag and icon.


      The Short circuit tag and icon on the Select device panel.

The Short circuit tag and icon on the Select device panel.

A drive with a shorted TVS diode cannot be identified, diagnosed, or imaged with TaskForce, until you replace or remove the diode.

Image a shorted drive

If you need to image a shorted drive but do not have new TVS diodes on hand to replace the shorted ones, you can image the drive using Atola TaskForce after removing the diodes. This process is safe because Atola TaskForce has short circuit and overvoltage protection, which guards both the imager and the drives connected to it against circuit failures.

To remove the diodes, heat the area of the drive where they are located with a hot fan (such as in a hot air soldering station) and then gently remove them with tweezers.

Once the diodes have been detached, you can plug the drive into Atola TaskForce and proceed with imaging data from it.

Express mode: self-launching imaging of 25 drives

Express mode enables the automatic launch of multiple imaging sessions on all ports set to source. Simply plug a drive into TaskForce 2, and the imaging session will start automatically.

Activate Express mode

Just like everything else in TaskForce’s interface, this feature is designed to be intuitively easy to set up.

Source evidence drives can be imaged to E01 (regular or compressed) or RAW files located in a specified folder on the local server. Two 10Gb Ethernet ports enable high data throughput.

As essential as imaging speed is, the proper treatment of evidence drives remains a priority. To enable the automatic launch of imaging of the healthy devices and avoid potential deterioration of drives in a shaky condition, the Express mode settings have two handy options:

  • select Diagnose source drive before imaging so that diagnostics starts automatically,
  • then select Start imaging only if diagnostics has no issues.

Atola’s signature automated diagnostics module checks all drive systems:

  • hard drive’s motor and electronics (PCB),
  • head stack,
  • media surface,
  • all firmware/system areas,
  • partitions and file systems.

We recommend that diagnostics is always performed as soon as a drive is connected to TaskForce 2 for the first time.

Last but not least, you can select one of the imaging presets at the bottom of the express mode activation screen (they can be easily configured on the imaging screen). This will ensure that all imaging sessions in express mode will fit your organization’s demands and procedures.

Once express mode settings are specified, simply click the Activate button and connect your evidence drives for an immediate start of imaging.

25 self-launching imaging sessions

Once all settings are configured and express mode is activated, simply plug in the drives one by one and watch the imaging sessions start automatically!

TaskForce 2 can process 25 self-launching imaging sessions in Express mode on almost all of its ports except for the Extension slot. The ports that can be used for imaging in express mode are, therefore:

  • 4 NVMe M.2/U.2 PCIe 4.0
  • 8 SATA
  • 8 SATA/SAS
  • 4 USB
  • 1 IDE

When activated, express mode controls all source ports, leaving target ones available for other tasks. If a port is switched from target to source, it also becomes available for imaging in express mode.

TaskForce’s 16-thread Xeon processor, 16 GB ECC RAM, and server-grade motherboard sustain multiple fast and reliable data acquisitions.

Getting it all under control

Express mode substantially speeds up the imaging of evidence drives while enabling a user to configure settings for optimal handling of evidence drives.

Should TaskForce 2 detect an issue with an imaging session, the User action required notification will prompt the user to take a decision.

In addition, TaskForce 2 keeps the user updated by displaying the number of actions required on the IP screen on the front panel of the unit.

In short, Express mode’s self-launching imaging is a perfect solution when it comes to processing large amounts of data under time pressure, while still allowing gentle treatment of damaged media.

Imaging only sectors with data

Capacity of an average drive is constantly growing, and selective imaging becomes a way out for many investigators to keep their backlogs smaller.

We at Atola have developed selective imaging functionality to make it possible to image only sectors containing data.

The feature is supported in these file systems: NTFS, APFS, XFS, ext2/3/4, HFS, HFS+, ExFAT, FAT16, FAT32.

To image only sectors with data, do the following:

  1. On the Imaging settings page, click Change to adjust imaging settings.
  2. On the Passes tab, click on the value in the What to image column.
The value in the What to image column.

The value in the What to image column.

  1. In the Edit what to image on passes dialog, select Sectors with data.
Selecting the Sectors with data option.

Selecting the Sectors with data option.

  1. To preview the partitions on the source drive, click Show.
Partitions preview.

Partitions preview.

  1. In the Edit what to image on passes dialog, click Save.
  2. To proceed with imaging, click Start.
The Start button on the Imaging settings page.

The Start button on the Imaging settings page.

You can see the partitions being imaged in the imaging log. In the imaging bar, the blue areas represent the sectors that are planned to be imaged. These are the sectors that belong to the drive's partitions and contain data.

Information about the partitions imaged in the log.

Information about the partitions imaged in the log.

RAID 0 imaging

Atola TaskForce 2 can automatically detect a RAID 0 configuration, assemble and image such RAID array.

Assembling a RAID 0 with unknown configuration

  1. Connect the drives to the TaskForce hardware unit's ports that are switched to the Source mode.
  2. On the left in the TaskForce main window, click RAID.
  1. On the Select source device panel, select the drives that make up a RAID array and click Continue.
Selecting source RAID drives.

Selecting source RAID drives.

You can see key RAID configuration parameters at the top of the page:

  • Order of drives/images
  • RAID type
  • Start LBA
  • Block size
  • Block order

Before you enter other values either manually or by applying Autodetection module results, the most commonly used values are displayed in the given fields.

The Autodetection module starts running immediately.

RAID 0 autodetection

Stage 1: TaskForce 2 is reading data on the drives to identify the RAID type.

To change the order of drives in the array, simply drag a drive to its new position. To remove a device from the current array, grab it and put it into the bin.

Analyzing devices.

Analyzing devices.

Stage 2: TaskForce 2 goes through thousands of possible variants of RAID parameters.

Click Apply as soon as a Possible configuration tile appears.

Possible RAID configuration.

Possible RAID configuration.

After you click Apply, TaskForce 2 automatically applies the suggested configuration and checks the file system for partitions. At the bottom of the screen, a preview of the partitions is available.

Observing files and folders in the preview confirms the detected RAID 0 configuration is correct.

Imaging RAID 0 array

  1. After RAID configuration is successfully applied, click Go to Image to proceed with imaging.
The Go to image button.

The Go to image button.

  1. Select your target device or network folder and click Continue.
  2. To launch your imaging session, click Start.

RAID imaging may take much longer than imaging a drive. You can optimize the imaging speed by using a fast target or a high-speed server.

How to make raid image.

How to make raid image.

TaskForce 2 automatically generates reports for every session. The Imaging completed report will contain all RAID details as well as timestamps.

The Imaging completed report.

The Imaging completed report.

RAID 5 forensics: Automated reassembly and imaging

TaskForce 2 is equipped with configuration autodetection module that makes assembling and imaging a RAID 5 array with an unknown configuration fast and easy.

Autodetection of RAID 5 configuration

  1. Connect the drives to the TaskForce hardware unit's ports that are switched to the Source mode.
  2. On the left in the TaskForce main window, click RAID.
Initiating work with RAID.

Initiating work with RAID.

  1. On the Select source device panel, select the drives that make up a RAID array and click Continue.
Selecting the drives that make up a RAID.

Selecting the drives that make up a RAID.

To assemble a RAID from images instead of drives or to use a combination of drives and images, on the Select target devices panel, expand the File section and click Select file. Then browse and select images.

After you selected the drives that make up a RAID array, TaskForce 2 redirects you to the RAID configuration screen. It consists of three parts:

  • The selected devices (and/or image files) are shown in the top RAID configuration part.
  • The RAID Partitions viewer below it provides a preview of partitions and files within them, once RAID has been successfully assembled.
  • The Autodetection module in the right-hand part of the screen immediately starts running and produces an output of RAID configuration suggestions.

Autodetection module reads data from all the selected devices and/or images to detect these RAID parameters:

  • Order of drives/images.
  • RAID type.
  • Start LBA.
  • Block size.
  • Block order.

Should the configuration be known, these parameters can also be set manually by the operator.

The time required for configuration detection can vary from a few seconds to a few hours depending on the numbers of drives involved, RAID volume and type, and how metadata is distributed on the drives in the RAID. In certain cases, Autodetection may produce several configuration suggestions, which can be applied one by one to find the exact match. TaskForce's Autodetection is based on heuristics algorithms that help speed up the variant check.

  1. Click the Apply button to apply the configuration suggested by the Autodetection module.
Autodetection module searching for possible RAID configurations.

Autodetection module searching for possible RAID configurations.

If the suggested configuration matches the RAID native configuration, partitions of the RAID will be displayed and a preview of data within the partition will be enabled.

Detected RAID 5 configuration applied

Detected RAID 5 configuration applied

Imaging selected partitions of RAID 5

  1. To adjust the imaging settings and define the target for the image, in the left bottom corner of the screen, click Go to image.
  2. Select the target for the imaging session. Both a local server and a target device in Storage mode can be used for imaging of a RAID array.
  3. Click Create file.
  4. In the Create image file dialog, fill out the image details and click Create.
Imaging RAID. E01 details.

Imaging RAID. E01 details.

  1. On the Settings page, click Change and then click the settings of an imaging pass.
Imaging settings.

Imaging settings.

  1. In Edit imaging pass dialog, select the individual partitions to be imaged if selective imaging is required and click Save.
Selecting partitions in imaging settings

Selecting partitions in imaging settings

  1. To launch the imaging session, click Start.

TaskForce 2 will be imaging RAID 5 array or its partitions as configured in the imaging settings.

Imaging RAID 5 in progress

Imaging RAID 5 in progress

At the end of the imaging session, TaskForce 2 produces an Imaging completed report with all the details of the source drives, the RAID configuration, the target, the partition, the timestamps, etc.

RAID 5 forensics. Imaging report

RAID 5 forensics. Imaging report

Reassembling RAID 5 with a missing drive from image files

Imagine you have image files that are created from source RAID 5 drives. If one of RAID 5 drives was missing or heavily damaged, one image file is missing or incomplete, too. TaskForce 2 uses RAID 5 redundancy to create a full image of the RAID even in such cases.

To reassemble a RAID from image files:

  1. On the left in the TaskForce main window, click RAID.
  2. On the Select source device panel, expand the File section and click Select file.
  3. In the Select image file window, find the directory with the images you want to use and select the files. Then click Select.
Selecting RAID 5 image files.

Selecting RAID 5 image files.

  1. On the Select source device panel, check source image files and then click Continue.
Selecting RAID 5 image files.

Selecting RAID 5 image files.

  1. Autodetection module starts running automatically to find a suitable RAID configuration. You know that there is an image file missing from the selection (it may have been lost or damaged), so click Add missing device underneath the list of image files.
Adding missing RAID 5 drive.

Adding missing RAID 5 drive.

  1. Autodetection will recommence when a new image file or device is added. If the RAID is type 5, TaskForce 2 will be able to identify the right configuration and reassemble the RAID by using the redundancy. When a possible configuration is found, click Apply.
Applying the found RAID configuration.

Applying the found RAID configuration.

The configuration application automatically changes the order of the drives/images, the detected RAID type, block size and order is applied automatically, too. In the bottom part of the screen, the found partitions are available for preview.

  1. To proceed with imaging, click the Go to image button and follow the instruction in subsequent screens to select the target and adjust imaging settings.
Preview the found partitions and proceed to image

Preview the found partitions and proceed to image

During the imaging, TaskForce 2 takes advantage of the redundancy to create an image of the RAID despite one of the devices is missing.

Imaging RAID 5 with a missing drive.

Imaging RAID 5 with a missing drive.

The imaging report clearly indicates which of the devices that make up the RAID array was missing. Other RAID parameters, such as type, block size and order are also clearly reflected in the report.

Imaging report clearly indicates the missing device in RAID 5.

Imaging report clearly indicates the missing device in RAID 5.

Imaging RAID 5 array with 2 damaged drives

Even if a RAID 5 array contains errors, Atola TaskForce 2 is able to detect its parameters and image such RAID.

Reassemble RAID 5

  1. Connect the drives to the ports of the TaskForce 2 hardware unit. Make sure the ports are in Source mode.
  2. On the left in the TaskForce main window, click RAID.
  3. Select the drives that make up the RAID array.
  4. Click Continue.
Selecting RAID members

Selecting RAID members

Detecting errors

The TaskForce 2 autodetection module starts running immediately, after you select the RAID devices.

Stage 1: TaskForce 2 reads data on the drives to identify RAID type. If it runs across an error, TaskForce 2 displays error tags next to the respective RAID member.

To see the number of errors encountered on a RAID member, simply hover the cursor over the error tag.

Error tags

Error tags

Stage 2: TaskForce 2 goes through thousands of possible RAID configurations to identify a suitable one.

Once the configuration is detected, click the Apply button.

Applying the suggested RAID configuration

Applying the suggested RAID configuration

After you click Apply, TaskForce 2 automatically applies the suggested configuration and checks the file system for partitions.

Despite read errors, TaskForce 2 can mount the partitions for preview by rebuilding the data in the bad sectors using data redundancy inherent to this RAID type.

Imaging RAID 5 array with errors

  1. After RAID configuration is successfully applied, click the Go to image button to proceed with imaging.
  1. Select your target device or folder and click Continue.
  2. To launch your imaging session, click Start.
  3. When the TaskForce system encounters an error, it automatically reconstructs the missing data, using the data in the parity blocks on the remaining RAID members.
Coping with errors.

Coping with errors.

Thus TaskForce 2 can recover the full image. No operator involvement is necessary.

Imaging RAID 5 array.

Imaging RAID 5 array.

Imaging report

TaskForce 2 automatically generates the Imaging completed report with all RAID details and timestamps.

TaskForce 2 managed to successfully reconstruct and image all the data. That is why the number of errors in the Imaging completed report is zero.

Imaging report.

Imaging report.

RAID 6 with unknown configuration

Atola TaskForce 2 lets you automatically detect all parameters of a RAID 6 array, preview its contents, and then create its full physical image or perform logical imaging of only selected partitions, folders, and files.

To reassemble and image a RAID 6 array with an unknown configuration, do the following:

  1. On the left in the TaskForce main window, click RAID.
  2. Initiating work with RAID.

    Initiating work with RAID.

  3. On the Select source device panel, select the devices that make up a RAID array. They can be physical drives of all supported types, connected to the TaskForce 2 hardware unit, image files (raw, E01 or AFF4 image files), or a combination of both.
  4. Selecting RAID members.

    Selecting RAID members.

  5. Once all the RAID members are selected, click Continue.
  6. TaskForce 2 redirects you to the RAID configuration screen and immediately starts the Autodetection module.
  7. The RAID configuration screen in Atola TaskForce 2.

    The RAID configuration screen in Atola TaskForce 2.

  8. Optional: If you know some of the RAID parameters, such as RAID type, Start LBA, Block size, and Block order, you can select them manually from the lists at the top of the RAID configuration section. To change the device order, drag the devices up or down, as needed.
  9. Lists with RAID parameters for manual selection.

    Lists with RAID parameters for manual selection.

  10. Optional: If you know that one or two RAID members are missing, choose RAID 6 from the RAID type list and then click the Add missing device button once or twice respectively. For details, see RAID 6 with two missing devices.
  11. Adding a missing device to a RAID.

    Adding a missing device to a RAID.

  12. Wait for a couple of minutes while the module is checking thousands of variants to find a possible RAID configuration. The Autodetection progress is displayed on the right side of the screen. To learn more about our heuristic RAID autodetection algorithm, see How autodetection of an unknown RAID works.
  13. Once TaskForce 2 has detected a possible configuration, click Apply. TaskForce 2 automatically changes the order of the devices, applies the detected RAID type and other parameters, and then parses and verifies the file system of an array.
  14. Applying a possible RAID configuration.

    Applying a possible RAID configuration.

  15. To make sure that the suggested RAID configuration is resulting in tangible data, check the Partitions section at the bottom left and preview the contents of a reassembled RAID, including partitions, folders, and files. To help you decide whether the applied configuration is valid or not, TaskForce 2 displays a small tag with the accuracy percentage next to the partition. In some cases, TaskForce will suggest alternative configurations, and you can try to improve the accuracy percentage by applying these alternative configurations.
  16. The preview of the RAID contents.

    The preview of the RAID contents.

  17. Click Go to image to acquire a full bit-by-bit copy of the array to E01, AFF4, or raw image. Or click Go to logical to copy only selected partitions, folders, or files to L01 or ZIP.
  18. After imaging is finished, TaskForce 2 automatically generates an Imaging completed report. It includes all the details of the source drives, the RAID configuration, the target, the partition, the timestamps and more.
  19. The Imaging completed report.

    The Imaging completed report.

RAID 6 with two missing devices

Even if two of the devices in a RAID 6 array are damaged or missing, Atola TaskForce 2 can rebuild and image a RAID of this type, taking advantage of its extra redundancy. To accomplish that, TaskForce 2 uses both types of parity blocks, XOR parity and Reed-Solomon parity, distributed across all the devices in a RAID 6 array.

TaskForce 2 automatically detects all parameters of a RAID 6 array with two missing devices, reassembles the array, and enables a preview of its contents. Once the RAID is reassembled, you can acquire its full physical image or perform logical imaging of only selected partitions, folders, and files.

To rebuild and image a RAID 6 array with one or two missing devices, do the following:

  1. In the Taskbar, click RAID.
  2. Initiating work with RAID.

    Initiating work with RAID.

  3. On the Select source device panel, select the devices that make up a RAID array. They can be physical drives of all supported types, connected to the TaskForce 2 hardware unit, image files (raw, E01 or AFF4 image files), or a combination of both.
  4. Selecting RAID members.

    Selecting RAID members.

  5. Once the available RAID members are selected, click Continue.
  6. TaskForce 2 redirects you to the RAID reassembly screen and immediately starts the Autodetection process to find the suitable configuration.
  7. The RAID configuration screen in Atola TaskForce 2.

    The RAID configuration screen in Atola TaskForce 2.

  8. Since you know that one or two RAID members are missing, select RAID 6 from the RAID type list and click the Add missing device button once or twice respectively. When checking variants of possible RAID configuration, TaskForce 2 will take into account that there are missing RAID members.
  9. Adding a missing device to a RAID.

    Adding a missing device to a RAID.

  10. Optional: If you know some of the RAID parameters, such as RAID type, Start LBA, Block size, Block order, Parity block order, you can select them manually from the lists at the top of the RAID configuration section.
  11. Lists with RAID parameters for manual selection.

    Lists with RAID parameters for manual selection.

  12. Wait while the module is checking thousands of variants to find a possible RAID configuration. Autodetection progress is displayed on the right side of the screen. To learn more about our heuristic RAID autodetection algorithm, see How autodetection of an unknown RAID works.
  13. Once TaskForce 2 has detected a possible configuration with two missing devices, click Apply. TaskForce 2 automatically changes the order of the devices, applies the detected RAID type and other parameters, and then parses and verifies the file systems of an array.
  14. Applying a possible RAID configuration.

    Applying a possible RAID configuration.

  15. To make sure that the suggested RAID configuration is correct, check the Partitions section at the bottom left and preview the contents of the reassembled RAID, including partitions, folders, and files. To help you decide whether the applied configuration is valid or not, TaskForce 2 displays a small tag with the accuracy percentage near the partition.
  16. The preview of the RAID contents.

    The preview of the RAID contents.

  17. Click Go to image to acquire a full bit-by-bit copy of the array or Go to logical to copy only selected partitions, folders, or files.
  18. After imaging is finished, TaskForce 2 automatically generates an Imaging completed report. It includes all the details of the source drives, the RAID configuration, the target image, the timestamps and more.
  19. The Imaging completed report.

    The Imaging completed report.

RAID 10: reassembly and imaging

RAID 10 arrays combine mirroring and striping techniques. This helps these arrays have higher performance and better resiliency against data loss or corruption. TaskForce 2 uses both of these advantages: it images data faster from a RAID 10 compared to other RAID types and rebuilds the image using the data redundancy in case of disk failure.

TaskForce's configuration autodetection module will help identifying the type and other parameters of a RAID 10, should there be a lack of information about the given RAID and its configuration.

To mount an unknown RAID 10 and image it:

  1. On the left in the TaskForce main window, click RAID.
  2. Select the drives that make up the RAID array and click Continue.
RAID 10. Selecting RAID members.

RAID 10. Selecting RAID members.

  1. When the autodetection module (in the right part of the screen) comes up with a suggestion of RAID configuration, click Apply.
RAID 10. Applying the detected configuration.

RAID 10. Applying the detected configuration.

  1. TaskForce 2 arranges the drives into respective groups and applies other RAID settings to mount the partitions, which you can browse through in the Partition preview below.
RAID 10. Previewing the partitions.

RAID 10. Previewing the partitions.

  1. Click the Go to image button and select the target.
RAID 10. Selecting target.

RAID 10. Selecting target.

  1. Check the settings. Please note that you can choose to image only part of the data (only one of the partitions).
RAID 10. Imaging.

RAID 10. Imaging.

  1. The automatically generated Imaging report contains the details of the RAID and its members, the target, hashes, signatures found as well as the timestamps.
RAID 10. Imaging report.

RAID 10. Imaging report.

Instant forensic RAID reconstruction: Linux mdadm

Atola TaskForce 2 can automatically detect configuration of software RAID created with mdadm in Linux and perform immediate forensic RAID reconstruction.

Autodetection of the mdadm-created software RAID

  1. Connect the drives to ports in Source mode.
  2. On the left in the TaskForce main window, click RAID.
  3. Select the drives that make up a RAID array and click Continue.

Autodetection module has instantly recognized and applied the RAID configuration. TaskForce 2 automatically identifies mdadm-created RAID arrays with great precision by detecting controller metadata.

This RAID’s Start LBA is different from 0. TaskForce’s autodetection module is trained to detect this parameter for different types of RAID arrays and mdadm versions.

A partition is displayed in the bottom part of the screen, confirming that the applied configuration is correct.

Forensic RAID reconstruction.

Forensic RAID reconstruction.

Imaging the mdadm-created RAID array

  1. To proceed with imaging the assembled RAID, click the Go to image button.
  2. Select the target and click Continue.
  3. Click Start and confirm the overwriting of data on the target.

The imaging session runs as fast as the target speed allows.

The imaging report contains all the RAID details and timestamps.

Imaging report for an mdadm-created RAID.

Imaging report for an mdadm-created RAID.

Logical imaging of a RAID array

Imaging of a RAID can potentially take too long. When you are under time constrains, TaskForce's logical imaging module helps you focus on imaging only the data that can make an immediate impact.

Once a RAID has been reassembled, you have a preview of the RAID's contents in the RAID module. This helps you decide which files or folders you want to image immediately.

Create logical image of a RAID array

  1. On the RAID Configuration page, click the Go to logical button.
The suggested RAID configuration applied, partitions preview shows partitions.

The suggested RAID configuration applied, partitions preview shows partitions.

  1. In the Logical imaging module, adjust your selection if needed.
Specify the partitions, files and folders to included or excluded in the imaging.

Specify the partitions, files and folders to included or excluded in the imaging.

By default, logical imaging is set to image all files from a drive or a RAID. To fine-tune your selection, include or exclude what you need:

  • All or selected partitions.
  • Manually selected files or folders.
  • Specified file types: archives, emails, documents, databases, financial, virtual machine, audio, video, pictures, security keys.
  • Folder types: only user or only OS folders.
  • Time spans: when files were accessed, created, modified.
  • File size: from 1 byte to infinity.
Multiple search parameters allow you to fine-tune your selection.

Multiple search parameters allow you to fine-tune your selection.

  1. Once you have adjusted the logical imaging parameters, click Continue.
  2. Select the Target for your L01 file and click Create file.
  3. Adjust the settings of the L01 file and click Create to start the imaging session.
Settings of an L01 file.

Settings of an L01 file.

When the imaging is running, you can track the progress of imaging of the individual files. As for the overall imaging progress, the upper graph indicates the amount of imaged data as related to the whole space of the RAID volume, not to the selected volume.

Logical imaging of a RAID array.

Logical imaging of a RAID array.

Imaging report

TaskForce 2 generates the Imaging completed report with all the details of the imaged selection from this RAID:

  • The number of scanned and imaged files
  • The volume of imaged data
  • Time stamps
Imaging completed report of a logical imaging session

Imaging completed report of a logical imaging session

Imaging started report is created the moment the imaging launched: it is a detailed report of all the settings including the elements selected for this acquisition (partitions, files and folders).

Imaging started report of a logical imaging session.

Imaging started report of a logical imaging session.

Imaging selected partitions of a RAID array

With Atola TaskForce 2, you can image individual partitions of an assembled RAID array to avoid imaging excessive amounts of data.

Once the RAID array has been reassembled, you can preview the contents of its partitions. It helps you conclude which of the partitions may contain the critical evidence and which are irrelevant.

Image selected partitions

To image only selected partitions of an assembled RAID array, do the following:

  1. On the RAID configuration page, click Go to image.
The suggested RAID configuration applied, partitions preview shows partitions.

The suggested RAID configuration applied, partitions preview shows partitions.

  1. Select your target device and click Continue.
  2. On the imaging Settings page, click the imaging pass to adjust the imaging range.

The suggested RAID configuration applied, partitions preview shows partitions.

The suggested RAID configuration applied, partitions preview shows partitions.

  1. In the Edit imaging pass dialog, click on the What to image and select Sectors with data.
Selecting only sectors with data from the What to image list.

Selecting only sectors with data from the What to image list.

  1. Unselect the partitions you do not need and click Apply. Then click Save to keep this change.
Select partitions for imaging

Select partitions for imaging

  1. To launch your imaging session, click Start.
The suggested RAID configuration applied, partitions preview shows partitions

The suggested RAID configuration applied, partitions preview shows partitions

Imaging report

TaskForce 2 generates the Imaging completed report with all the details of the RAID:

  • The imaged range.
  • Time stamps.
  • A link to the file with the segmented hash, calculated for the imaged range.
The Imaging completed report

The Imaging completed report

How to unmount an assembled RAID

After you selected specific drives or images as RAID participants, they constitute virtual RAID array and become unavailable for individual tasks. For instance, you cannot recalculate hash of one of such drives.

To use the individual drives that are a part of a mounted RAID array, you need to unmount the RAID first.

Follow these steps:

1. At the top right, click Devices.

2. Scroll down to the bottom of the Devices panel and in the RAID section select the currently connected and mounted RAID.

Assembled RAID array.

Assembled RAID array.

3. At the bottom of the RAID configuration page, click the Unmount RAID button.

Unmount RAID with a single click.

Unmount RAID with a single click.

Now you can proceed with other sessions, using any of the drives connected to TaskForce 2.

RAID tags and what they mean

When reassembling a RAID in TaskForce 2, start by selecting the drives and/or images it consists of. The system reads the first 3 million sectors of each RAID member, analyzes the data and compares the members against each other. TaskForce 2 then labels the RAID members with appropriate tags to help you identify the condition, relation and possible position.

Spare

The Spare tag informs you that 99.95% of the drive’s initial 3M sectors are filled with zeros.

A spare (aka hot spare) drive in RAID arrays is used as a standby drive reserved to replace a RAID member in case it fails: in this situation the RAID controller uses redundancy data to reconstruct the data from the failed disk to the spare one. Spare drives are used in RAID 1, RAID 5 and RAID 6.

Mirror

With the Mirror tag, TaskForce 2 informs you that 99.5% out of the analyzed 3M sectors are identical to the same sectors on a different RAID member. It works as a hint that you are dealing with a RAID 1, RAID 10 or RAID 50.

MBR

MBR (Master Boot Record) points to the drive(s) that contain an MBR. Therefore, it is likely that the drive with detected MBR can be placed first in the given array.

File system tags

The initial 3M sectors of each drive/image are analyzed to identify a boot sector of any known file system. When a partition boot sector is detected, the corresponding file system tag is added. To see LBA offset and sector count of the partition, hover mouse cursor over the tag.

Supported file system tags: NTFS, ext4/3/2, APFS, HFS, HFS+, exFAT, FAT32, FAT16, XFS.

Additionally, Unknown tag may appear if the file system identification is not supported yet.

Error

The Error tag informs you whether there are read errors encountered in the process of RAID autodetection. To see the exact number of encountered errors, hover mouse over the Error tag to get the tooltip.

Using Web API in a browser

Web API is built into TaskForce 2, and it helps optimize your workflow in many ways.

Web API is extremely handy as it allows you to use it in scripts, via CLI tools like curl, and simply by typing commands in the browser address bar.

Here's how to use Web API in a browser:

  1. Scan devices plugged to all source ports. The command powers up all ports and returns the list of drive on each port in Source mode as well as the model and the serial number of the drive on each port.
Devices identification.

Devices identification.

  1. Start imaging a source drive plugged into TaskForce 2 SATA 4 port.
Start imaging.

Start imaging.

  1. Track imaging session status using task key received in response to the command above.
Check task status.

Check task status.

For more information about these and other commands, see API specification that we made available to public.

Instantly starting 16 imaging sessions using Web API

Imagine you have 16 TaskForce SATA and SAS ports switched to Source mode and source drives plugged into them. Now you can instantly launch 16 imaging sessions simply starting the script.

Python script utilizes /start-image API request and prints task keys of all launched imaging sessions.


import sys

if sys.version_info[0] < 3:
    raise Exception("Please use Python 3 to run this script")

import urllib.request

ports = ["SATA1", "SATA2", "SATA3", "SATA4", "SATA5", "SATA6", "SATA7", "SATA8", 
         "SAS1", "SAS2", "SAS3", "SAS4", "SAS5", "SAS6", "SAS7", "SAS8"]
tasks = []
errors = {}

for port in ports:
    try:
        res = urllib.request.urlopen("http://10.0.0.4/api/start-image?source=%s&targetFolder=//Vitaliy/Share" % (port))
        tasks.append(res.read().decode('utf-8'))
    except urllib.error.HTTPError as e:
        errors[port] = e.read()

print("IDs of started imaging tasks:")
print('\n'.join(tasks))

The script works in any operating system. To run, perform the following actions:

  1. Save the script into image16.py file.
  2. Replace 10.0.0.4 with IP address of your TaskForce 2.
  3. Replace //Vitaliy/Share with your shared network folder path.
  4. Execute the script in the console: python image16.py.

For more information about these and other commands, see API specification that we made available to public.

Autostart image analysis when imaging is completed

With TaskForce 2, you can track the status of the started imaging sessions using /check-task API request. It reports the imaging progress enabling you (or your code) to notice when the task gets completed. Once this notification is received, it makes perfect sense to automatically start the forensic analysis of the target image.

Powershell script below shows how one can create this kind of automation flow:

  1. Start imaging a source drive on TaskForce SATA port 4 to the target folder \\Vitaliy\Share.
  2. Wait for imaging completion using /check-task.
  3. Launch Autopsy Ingest via command-line when the target image is ready.

try {
    $r = Invoke-WebRequest "http://10.0.0.65/api/start-image?source=SATA4&targetFolder=\\Vitaliy\Share"
}
catch {
    Write-Output "$($_.Exception.Message)"
    exit $_.Exception.Response.StatusCode
}

$taskKey = $r.Content
do {
    $check = (Invoke-WebRequest "http://10.0.0.65/api/check-task?taskKey=$taskKey").Content | ConvertFrom-Json
    Start-Sleep -s 1
} while ($check.state -eq "progress")

$windowsPath = "C:\Share\" + ($check.target -replace '[\/]', '\' | Split-Path -leaf)
$caseName = "Case123"
$autopsyArguments = '" --createCase --caseName="' + $caseName + ' --caseBaseDir="C:\Work\Cases"' 
                  + ' --addDataSource --dataSourcePath="' + $windowsPath + '" --runIngest --generateReports' 

Start-Process -FilePath "C:\Program Files\Autopsy\bin\autopsy64.exe" -ArgumentList $autopsyArguments

The script works in Windows with Powershell. To run it, please perform the following actions:

  1. Install Autopsy.
  2. Create C:\Share folder.
  3. Save the script into image.ps1 file.
  4. Replace 10.0.0.65 with IP address of your TaskForce 2.
  5. Replace \\Vitaliy\Share with your shared network folder path.
  6. Execute the script in the console: powershell -ExecutionPolicy ByPass -File image.ps1.

For more information about these and other commands, see API specification that we made available to public.

Multi-launch of single-device operations

To wipe a bunch of target drives for subsequent imaging sessions or verify hash values on multiple drives in your archive, use multi-launch functionality in TaskForce 2.

The function is currently supported for single-drive tasks: Wiping, Diagnostics, Hashing.

To wipe multiple drives:

  1. On the left, click Wipe.
  2. On the Select target devices panel, enable Multi-launch and select the drives.
The Multi-launch option.

The Multi-launch option.

  1. On the wiping settings page, adjust the sessions parameters. They will be applied to all the currently selected drives. If you wish to double-check the list of selected devices, click the top panel with the number of selected drives. The drop-down provides info about the drives, their health status and case ID.
The Settings page.

The Settings page.

  1. Click Start.
Multiple sessions initiated via multi-launch.

Multiple sessions initiated via multi-launch.

When the Check if device contains data option is enabled, TaskForce 2 scans all selected devices. If any data may be overwritten, the imager will warn you.

The procedure is the same for other single-drive processes. When hashing, multi-launch can be applied to both the devices plugged into the system and the locally stored image files.

The case management system automatically saves separate reports into the individual cases.

Wiping 26 drives simultaneously

With TaskForce 2, Atola introduced the fastest and most capable imaging engine to the forensic market. While the cumulative imaging speed in TaskForce 2 constitutes 25 TB/h, the engine can wipe up to 26 drives connected to it and achieve an overall performance of up to 100 TB/h.

Multiple drives connected to Atola TaskForce 2

Multiple drives connected to Atola TaskForce 2

TaskForce’s task-oriented and efficient user interface is designed to enable the launch of every operation in just a couple of clicks and expedite work with multiple evidence drives.

TaskForce 2 has 26 ports:

  • 4 NVMe M.2/U.2 PCIe 4.0,
  • 8 SATA,
  • 8 SAS/SATA,
  • 4 USB,
  • 1 IDE,
  • 1 Extension slot for Atola Thunderbolt, Apple PCIe SSD and M.2 NVMe/PCIe/SATA SSD extension modules,
Each port can be used for simultaneous wiping sessions.

TaskForce 2 can wipe 26 devices simultaneously at their top native speeds using the standard wiping method.

Launch multiple wiping sessions

To perform multiple wiping sessions:

  1. Connect the drives to TaskForce.
  2. Switch the ports, to which the drives are connected, to Target mode by using the individual Source switches on each port.
  3. In the TaskForce user interface, click the Wipe icon on the left.
  4. On the Select target device panel, select a drive.
    To launch the wiping process for multiple drives simultaneously, tick the Multi-launch box at the top right, and select the drives you want to wipe.
  1. Adjust wiping settings:
    • the range of sectors to be wiped
    • wiping method
    • enter a pattern and select its format (HEX/ASCII)
  2. Click Start.

Wiping is consecutively launched for each device.

Track the wiping progress

Once the operations have started, track the progress of all tasks on the Home screen. It displays the percentage of wiped drive area and the time left until the end of the planned session. To see more details on the progress of an individual wiping session, click on that session.

To reveal the current overall wiping speed, click the Atola logo in the center of the top bar. In this case, we were able to achieve 18 TB/h. This high-speed wiping capability allows a forensic expert to prepare target drives for imaging in minimal time.

To ensure maximum transparency and effectiveness, TaskForce 2 documents every operation by creating detailed reports and logs. Click Reports at the top and find the report in the list or use the Search bar at the top of the page.

Unclip or change HPA, DCO, AMA limitations

DCO (device configuration overlay), HPA (host protected area), or AMA (accessible max address) features were created by hard drive manufacturers as hidden areas reserved for storing vendor utilities or simply to make a drive appear to have a certain number of sectors (smaller than the actual drive capacity).

But it is many years ago that end users learned to modify and write to these areas of hard drives with the help of open source and freely available tools. For digital forensics specialists, it means that without the ability to identify such hidden areas of a drive and image the full physical image including data in these areas, the evidence they get may be incomplete and lead to inaccurate investigative conclusions.

Atola TaskForce 2 helps you detect, unclip, or change HPA, DCO, AMA limitations.

Detect DCO, HPA, or AMA limitations

When you connect a hard drive to the TaskForce 2 unit, in addition to the standard Identify device command, TaskForce software automatically sends two commands to look up the drive size as set in drive’s firmware: Read native max address and Device configuration identify. If drive size has been limited by DCO, HPA, or AMA, TaskForce 2 will draw your attention to these changes by adding the note in red color in the device menu.

Notification about HPA, DCO, and AMA in device menu.

Notification about HPA, DCO, and AMA in device menu.

To get more details about the modifications that have been made to the drive’s firmware, run Diagnose and see the Firmware section of the Diagnostics report.

AMA limitation is indicated in the Diagnostics summary.

AMA limitation is indicated in the Diagnostics summary.

There you will see three lines indicating the drive’s Max Address according to different records in the drive’s firmware:

  1. The Max Address according to device ID line shows the max address from the ID sector, affected by DCO and HPA/AMA restrictions if those are applied.
  2. Native Max Address indicates max address ignoring HPA/AMA limitation that may have been enabled, yet affected by DCO restriction.
  3. Max Address from DCO is the line that gives you the actual drive size.

A Diagnostics report of a drive that does not have HPA/AMA or DCO activated will have the same value in all three lines.

HPA and DCO restriction details in the Firmware section of the Diagnostics report.

HPA and DCO restriction details in the Firmware section of the Diagnostics report.

Unclip HPA, DCO, AMA limitations

To disable HPA, DCO, AMA limitations that have been applied to the drive’s firmware:

  1. On the left, click Other and then Hidden drive areas.
  2. Select device.
  3. Click Unclip.
Remove HPA and DCO by clicking the Unclip button.

Remove HPA and DCO by clicking the Unclip button.

TaskForce 2 lifts HPA/AMA and DCO restrictions in a matter of seconds and enables access to all data on the drive.

HPA and DCO unclip report.

HPA and DCO unclip report.

Unclip HPA temporarily (until power cycle)

To ensure the forensically sound process, it can be necessary to avoid making any changes to the drive. Therefore it is prohibited to disable HPA and DCO restrictions and access data in the hidden areas. With TaskForce 2 it is possible to lift HPA restriction until the next power cycle. This helps avoid permanent changes to the drive.

To unclip HPA on the source drive until power cycle before imaging:

  1. Go to Image.
  2. Select source device.
  3. Select target devices and click Continue.
  4. In Confirmation dialog, suggesting you unclip the drive until power cycle, click Yes.

This will allow temporary access to the data in HPA-protected area, but as soon as you power off or unplug the drive, the HPA will be back again.

After you confirm unclipping HPA until power cycle, the imaging process starts and the following message appears in the imaging log: Source device HPA was set to native max address until power cycle.

The message in the imaging log informs that source device HPA was set to native max address until power cycle.

The message in the imaging log informs that source device HPA was set to native max address until power cycle.

Set or change HPA, DCO, AMA limitations

Not all drives support hidden areas. Limitation type supported by the particular drive will be shown in green on the Hidden drive areas page.

The drive supports DCO and HPA limitations, but does not support AMA.

The drive supports DCO and HPA limitations, but does not support AMA.

The DCO and HPA can co-exist on the same drive: max address limited via HPA should be less than DCO.

Expectedly, AMA is supported by new drives and can't exist if DCO or HPA is supported, and vice versa.

If your target device is larger than your source device, but you need hash values for the source and for the target devices to be identical, see Clip target drive to source evidence size.

To set or change DCO limitation:

  1. Make sure that the drive is in the Target mode.
  2. On the left, click Other and then Hidden drive areas.
  3. Select device.
  4. Enter new Native max address. Notice that ID sector max address changes accordingly.
  5. Click Change.
Setting new DCO limitation.

Setting new DCO limitation.

To set or change HPA limitation:

  1. Make sure that the drive is in the Target mode.
  2. On the left, click Other and then Hidden drive areas.
  3. Select device.
  4. Enter new ID sector max address.
  5. Optional: Check Change ID sector max address temporarily (until power cycle) if needed.
  6. Click Change.
Setting new HPA limitation.

Setting new HPA limitation.

To set or change AMA limitation:

  1. Make sure that the drive is in the Target mode.
  2. On the left, click Other and then Hidden drive areas.
  3. Select device.
  4. Enter new ID sector max address.
  5. Click Change.
Setting new AMA limitation.

Setting new AMA limitation.

Calculating hash during imaging

Atola TaskForce 2 supports hash calculation of both the evidence drive and the image in conjunction with imaging. We have developed highly flexible functionality to help optimize evidence acquisition process to fit one’s internal procedures, while avoiding further damage to fragile media.

To calculate hash of both the evidence and the image:

  1. On the left, click Image.
  2. Select the source and target device.
  3. On the imaging Settings page, click Change.
  4. On the Hashes tab, toggle one or several options how you want to calculate hash:
    • Pre-hash source device
    • Hash source during imaging
    • Post-hash target device
Selecting hash methods.

Selecting hash methods.

Pre-hash source drive option must be used with caution: although pre-hashing can be required by an investigator’s internal procedures, when dealing with drives that have been diagnosed with hardware failure, this operation may cause further damage to the drive before essential data is imaged.

Hash source during imaging is the most appropriate way to calculate the hash of a fragile source evidence drive. In this case, TaskForce 2 only needs to read the data on the drive once to both image and calculate the hash, thus minimally using the drive’s hardware.

Post-hash target device option lets you to properly record the calculated hash in the case.

Imaging results with hash values for both hash during imaging and post-hash.

Imaging results with hash values for both hash during imaging and post-hash.

Calculating dual hash of an existing E01 file

Some source evidence drives and their images can be involved in a long-running investigation case and wait to be presented in court for months or years on end. Data stored on such drives and their image files may eventually get corrupt. Therefore it may be critical for an investigator to ensure the integrity of data on such devices or image files before resuming to work with them or presenting them in court.

Over the years, E01 file format has become a popular format for forensic purposes due to its ability to store not both the image of the drive, but also case and evidence details. E01 file can also contain both MD5 and SHA-1 hash values.

View the previously calculated hash

To view the previously calculated hash calculated for an E01 file with Atola TaskForce, open the imaging report in the case management system. It contains the hash values calculated during imaging.

Alternatively, you can look up the metadata stored in the E01 file itself:

  1. At the top, click Devices.
  2. Expand the File category and click Select file.
  3. Select the E01 file in the file browser.
Hash calculated during imaging stored in E01 file's metadata.

Hash calculated during imaging stored in E01 file's metadata.

Recalculate the hash for an E01 file

To ensure the integrity of the data in the file, you can recalculate its hash.

  1. On the left, click Other, and then Hash.
  2. To choose the file for which you want to calculate hash, expand the File category and click Select file.
  3. Select the E01 file in the file browser.
  4. Adjust hashing settings. Make sure to select the same hashing types (MD5, SHA1, etc.)
  5. Click Start.
Starting hash calculation.

Starting hash calculation.

When the hash calculation is completed, you can make sure that the two sets of hashes are identical.

Comparing the calculated hash values to the ones calculated during imaging.

Comparing the calculated hash values to the ones calculated during imaging.

Segmented hashing for data verification

Segmented hashing allows verifying data, imaged from damaged media. The image can be verified even if data gets corrupt over time.

Segmented hashing produces a CSV file in the following format:

Segmented hashing vs regular hashing

With conventional hashing method you get a single hash for the entire image, while segmented hashing allows getting many hashes of corresponding LBA ranges of the image. The sum LBA ranges represents the entire image.

Verifying all hashes in a set allows you to prove that the entire image has not been modified.

Segmented hashing and post-hashing of the target for immediate image verification

  1. Go to the imaging Settings.
  2. On the Hashes tab, select Segmented hashing method.
  3. To obtain both sets of hashes for the evidence drive and the image, toggle Post-hash target devices.
Selecting hashing method.

Selecting hashing method.

Hashing while imaging does not slow down the imaging session:

TaskForce 2 imaging session.

TaskForce 2 imaging session.

Post-hashing will commence as soon as the imaging session is completed:

Atola TaskForce 2: Post-hashing.

Atola TaskForce 2: Post-hashing.

In the Imaging completed report you can see imaging results with the link to the file with segmented hashes.

In case you select the post-hashing of the target, you also get the results of cross-checking between the hash sets of the evidence drive and the image.

Atola forensic imager: Imaging results

Atola forensic imager: Imaging results

Verify damaged images with segmented hashing

Segmented hashing is a non-linear hashing method that allows hashing damaged drives. Hashes are calculated only for the good areas of evidence media, while bad areas, that are impossible to read and image, are left out of the calculation.

In Atola TaskForce 2, the segmented hashing module produces a list of hashes of corresponding LBA ranges of the image. Then hashes are saved into a CSV file in the following format: Hash, start LBA, end LBA.

The sum of the LBA ranges represents the entire image. By verifying all hashes in a set you can prove that the entire image has not been modified.

Benefits of segmented hashing

With the conventional linear hashing method you get a single hash for the entire image. As the linear hashing stops upon encountering the first bad sector, it is impossible to calculate hash for the entire space of the source evidence drive.

With segmented hashing, hashing can be performed during the multipass imaging of a damaged drive. Hashes are calculated only for the successfully imaged areas, while all bad sectors are excluded from the calculation.

If an acquired evidence image is damaged at some point in the future, with the regular linear hashes you will get a hash mismatch upon verification, and the entire image becomes useless. With segmented hashes only the hash of the damaged segment will become invalid.

Calculate segmented hashes of a source and target devices

To calculate segmented hashes of a damaged drive during imaging and post-hash the target for immediate image verification, do the following:

  1. Go to the imaging Settings.
  2. On the Hashes tab, select Segmented hashing method and specify Segment size.
  3. To obtain both sets of hashes for the evidence drive and the image, toggle Post-hash target devices.
Selecting hashing method.

Selecting hashing method.

Hashing while imaging does not slow down the imaging session:

TaskForce 2 imaging session.

TaskForce 2 imaging session.

Post-hashing commences as soon as the imaging session is completed:

Atola TaskForce 2: Post-hashing.

Atola TaskForce 2: Post-hashing.

In the Imaging completed report, you can see imaging results with the link to the file with segmented hashes.

In case you select the post-hashing of the target, you also get the results of cross-checking between the hash sets of the evidence drive and the image.

Atola TaskForce 2: Imaging results.

Atola TaskForce 2: Imaging results.

Verify an image of a drive with segmented hashing

To verify an acquired image file of an evidence drive with segmented hashing, do the following:

  1. In the TaskForce window, go to Other > Verify segmented hashes.
  2. The Verify segmented hashed command on the Other page.

    The Verify segmented hashed command on the Other page.

  3. The Select device panel opens. Expand the File section and click Select file.
  4. The Select device panel.

    The Select device panel.

  5. Select an image file you want to verify. The E01, AFF4 and Raw formats are supported.
  6. Selecting an image file to verify segmented hashes.

    Selecting an image file to verify segmented hashes.

  7. Select the CSV file with segmented hashes that relates to your image file:
    1. Choose either Local folder or Network folder or Storage.
    2. Click Select.
    3. Find and select a CSV file with segmented hashes.
  8. Click Start.
  9. Selecting a CSV file with a list of segmented hashes.

    Selecting a CSV file with a list of segmented hashes.

  10. TaskForce 2 starts the data verification process.
  11. The process of verifying segmented hashes.

    The process of verifying segmented hashes.

  12. If TaskForce encounters a hash value mismatch, it is reflected in the Hash mismatches counter and in the event log, with Start and End LBA of the respective segment.
  13. Hashes of one of the segments do not match.

    Hashes of one of the segments do not match.

  14. Once verification of segmented hashes is completed, TaskForce 2 generates a detailed report about its results. The report contains information about the verified image and the file with its segmented hashes, hash type, number of processed hashes and found mismatches if any.
  15. The report about completed verification of segmented hashes.

    The report about completed verification of segmented hashes.

Case management system and report types

TaskForce's case management system records every step of the data acquisition process: every operation is automatically added to the case from the moment a device is identified including date, time, imaging map and hash values. When a hard drive is imaged, its imaging map is recorded detailing all the sectors that have been skipped.

Whenever an operator connects a hard drive to the TaskForce 2, the system makes an automatic database lookup and retrieves all past records associated with that particular hard drive. New entries will be added seamlessly to the database. You do not need to enable case management or take any additional actions for it to start functioning; it is fully embedded into TaskForce 2 and works at all times.

Case number can be assigned and changed at any time. The system also allows browsing through all cases and reports, without corresponding devices being connected to the unit.

Report types and formats

There are two types of reports in TaskForce 2:

  1. Device reports are created every time an action is taken to the drive: drive identification, imaging, hashing, wiping and other operations related to the drive are documented in these reports.
  2. Non-device reports are created to register any changes made to the cases: case opening, case details change, case import and export.

All reports have these key elements: a header that provides device and case details, an action summary and task details (task settings, task log, etc.).

Imaging report in Atola TaskForce 2.

Imaging report in Atola TaskForce 2.

A diagnostics report contains even more details: it lists the checkup results for all subsystems of a drive and includes oscillograms, SMART table, etc.

Diagnostics report in Atola TaskForce 2.

Diagnostics report in Atola TaskForce 2.

Add a case

When you identify a device in Atola TaskForce 2 for the first time, the system automatically creates a new case for that device and records every single operation performed with the device or with the case itself. To know more about how it works, see Case management system and report types.

Until you specify case details, Case ID shows in TaskForce interface as Not assigned.

To distinguish and search your cases by a case number, investigator’s name, and case description, you can add a case and enter these case details. Also, you can set TaskForce 2 to remind you to enter case details before starting any task.

There are several ways to create a new case in TaskForce 2:

  • From the Devices menu.
  • From the Cases page.
  • From the Device page.

Add a case from the Devices menu

  1. Connect a device to TaskForce 2.
  2. In the TaskForce main window, click Devices.
  3. In the Select device panel, in the port with your device, click More icon, and then select Add case.

      Adding a device to a new case from the Devices menu.

Adding a device to a new case from the Devices menu.

  1. Enter case details and click Continue. TaskForce 2 creates a new case and adds your device to it. The Case created report appears on the Home screen and on the Reports page.

      The Case created report on the Home screen.

The Case created report on the Home screen.


      Case created report details.

Case created report details.

Add a case from the Cases page

  1. Connect a device to TaskForce 2.
  2. In the TaskForce main window, click Cases.
  3. On the Cases page, click Add case.
  4. In the Select device panel, click on your device.
  5. Enter case details and click Continue. TaskForce 2 creates a new case and adds your device to it. The Case created report appears on the Home screen and on the Reports page.

      The Enter case details dialog.

The Enter case details dialog.

Add a case from the Device page

  1. Connect a device to TaskForce 2.
  2. In the TaskForce main window, click Devices.
  3. In the Select device panel, click on the port with your device. TaskForce 2 takes you to the Device page.
  4. Optional: If TaskForce 2 hasn’t identified your device yet, then, on the Device page, click Re-identify.
  5. In Case ID pane, open the drop-down menu, and then click New.

      Change active case menu is opened on the Device page.

Change active case menu is opened on the Device page.

  1. Enter case details and click Continue. TaskForce 2 creates a new case and adds your device to it. The Case created report appears on the Home screen and on the Reports page.

Enter case details before starting any task

Entering case details before performing any operation with a device helps you to keep your cases organized and searchable. TaskForce 2 can be set to request that you enter case details before starting any task.

To enable this feature, do the following:

  1. In the TaskForce main window, go to the Menu > Settings.
  2. In the Cases section, toggle Set case details before task start.

Now, TaskForce 2 will ask you to enter case details before performing any operation with a device.


      The Set case details before task start toggle on the Settings page.

The Set case details before task start toggle on the Settings page.


      Atola TaskForce 2 asks a user to enter case details before starting diagnostics.

Atola TaskForce 2 asks a user to enter case details before starting diagnostics.

Show 'Add case' button

You can add cases right from TaskForce Home screen before working with the device. To do that, set TaskForce 2 to show Add case button in the top panel:

  1. In the TaskForce main window, go to the Menu > Settings.
  2. In the Cases section, toggle Show 'Add case' button on TaskForce top panel.

Now, TaskForce 2 shows Add case button in the top panel.


      The toggle in the Cases section on the Settings page.

The toggle in the Cases section on the Settings page.


      The Add case button in the Atola TaskForce 2 main window.

The Add case button in the Atola TaskForce 2 main window.

Add one device to several cases

In Atola TaskForce, you can include the same device in several new or existing cases using the Case management system. When a device is added to more than one case, TaskForce keeps the tasks and reports, which are associated with each case, separate.

Add a device to another new case

To add your device to several new cases, do the following:

  1. Connect a device to TaskForce and identify it.
  2. Add first new case and include your device to it. For guidance, see Add a case.

After you have added your device to the first case, do the following steps:

  1. In the TaskForce user interface, click Devices.
  2. In the Select device window, click on the port with your device. TaskForce takes you to the Device page.
  3. In Case ID pane, open the drop-down menu, and then click New.

      The New button in the Change active case menu on the Device page.

The New button in the Change active case menu on the Device page.

  1. Enter case details and click Continue.

TaskForce creates another new case and adds your device to it. The Case created report appears on the Home screen and on the Reports page.

Add a device to another existing case

When you already added your device to one case and want to add that device to another existing case, do the following:

  1. Connect a device to TaskForce.
  2. In the TaskForce user interface, click Devices.
  3. In the Select device window, click on the port with your device. TaskForce takes you to the Device page.
  4. Optional: If TaskForce hasn’t identified your device yet, then, on the Device page, click Re-identify.
  5. In Case ID pane, open the drop-down menu, and then click Select.

      The Select button in the Change active case drop-down menu on the Device page.

The Select button in the Change active case drop-down menu on the Device page.

  1. In the Select active case window, chose your existing case. If needed, use the Search field to find it. TaskForce adds your device to the selected case.

      List of all your cases in the Select active case window.

List of all your cases in the Select active case window.

Switch between cases on the Device page

When a device is added to more than one case, TaskForce keeps reports, which are associated with each case, separate.

To switch between cases on the Device page:

  1. In Case ID pane, open the drop-down menu.
  2. Click on the case you want to make active. TaskForce shows reports, associated with selected case.

      List of all cases associated with the device in the Case ID pane.

List of all cases associated with the device in the Case ID pane.

Add several devices to one case

In Atola TaskForce 2, you can have a forensic case that contains more than one device. TaskForce 2 lets you add several devices either to a new or an existing forensic case.

To add several devices to a new case, you need to create a case first. For guidance, see Add a case.

To add another device to an existing case, do the following:

  1. Connect a device to TaskForce 2.
  2. In the TaskForce user interface, click Devices.
  3. In the Select device window, click on the port with your device. TaskForce takes you to the Device page.
  4. Optional: If TaskForce hasn’t identified your device yet, then, on the Device page, click Re-identify.
  5. In Case ID pane, open the drop-down menu, and then click Select.

    Change active case menu is opened on the Device page.

Change active case menu is opened on the Device page.

  1. In the Select active case window, choose your existing case. If needed, use the Search field to find it.

    List of all your cases in the Select active case window.

List of all your cases in the Select active case window.

Now, when you open your case, the Case details page lists all devices associated with the case. The Case details page also contains active tasks and reports for each device included in the case.


    All devices, active tasks, and reports associated with the case.

All devices, active tasks, and reports associated with the case.

Find and edit cases

Atola TaskForce 2 automatically creates reports for every single action applied to each drive connected to it. Whether it is a source drive or a target drive, any action, be it imaging, wiping or physically switching write protection on or off, will be documented and stored in the system.

To find a case, click Cases in the top left corner, it will redirect you to the case management system.

Opening case management system.

Opening case management system.

Search for a specific case or device in the Search bar (by case ID, investigator's name or device details) and sort results by any column.

Searching and sorting cases in the list.

Searching and sorting cases in the list.

To open a case, click the respective line in the list.

A case page contains case details, information about the devices associated with the case (name, serial number, capacity etc.), as well as reports for all tasks applied to the device.

Edit case details

To change case details, click Edit at the top of a case page.

Case page

Case page

It is possible to change the case ID, Description and Investigator. Click Save when done editing.

Changing case details.

Changing case details.

Finding reports

Atola TaskForce 2 automatically creates reports for every single action applied to each drive connected to it. The system also allows browsing through all cases and reports, without corresponding devices being connected to the unit. The reports are listed and can be easily retrieved in different parts of TaskForce 2 software.

1. Via case page

All reports related to the case are listed at the bottom of the case page. Scroll down and turn pages to view all the reports, sort them by date or by title, use the search bar to look for specific reports by their titles.

To open a report, click the respective line.

Case page with reports.

Case page with reports.

2. Via Reports page

If you need to search among all existing reports, click Reports at the top.

The Reports button.

The Reports button.

This will redirect you to the page with all existing report that can be filtered by date, title, case ID or device details. Search for a specific report by entering report title or drive details.

Open the report you need by clicking it in the list.

The Reports page.

The Reports page.

3. Via Home screen

Similarly, recent reports can also be found on the Home screen underneath the Active tasks.

On the Home screen you can look up active and completed tasks and view reports for all completed tasks.

Quickly find specific reports by entering filters in the search field.

Finding reports on the Home screen.

Finding reports on the Home screen.

Printing reports from a case

When you work on an investigation and want to have complete information about the evidence drive and all operations that have been taken to diagnose, image, calculate hash, etc., you can address Atola TaskForce’s case management system to print out all reports concerning your evidence.

To do that:

  1. At the bottom of the case page, click Print.
The Print button an the bottom on the case page.

The Print button an the bottom on the case page.

  1. Optional: If you want the printed reports to include logs, go to the the Menu > Settings, scroll down to the Print settings section and toggle Logs.
     
  2. Optional: If you want the printed reports to include the description of all storage devices contained in current TaskForce system, go to the the Menu > Settings, scroll down to the Print settings section and toggle Information about unit's components.
The Logs toggle in the Print settings section.

The Logs toggle in the Print settings section.

  1. After you click Print on the case page, TaskForce takes you to a page with full reports. There they are arranged in same the order, in which they were listed on the case page (either by date or by title).
Generated reports.

Generated reports.

Generated report listing all storage devices contained in current TaskForce unit.

Generated report listing all storage devices contained in current TaskForce unit.

On this page, there is another Print button. After clicking it you can configure printing settings.

Each report will be printed on a new page.

FAQ

Imaging

How do I clone a drive and create multiple identical copies?

TaskForce 2 is perfectly suited for cloning! Here is how to clone into 4 SATA drives and 1 RAW file simultaneously.

When you need to create multiple copies, simply:

  1. Go to Image.
  2. Select a source device.
  3. Select up to 5 targets (SATA, USB, SAS or RAW, E01 files) and click Continue.
  4. Click Start.

What's more, TaskForce 2 has 26 ports in total including IDE and Extension ports in combination with huge overhead capacity to handle many imaging sessions or other operations concurrently. So if you start a 1-to-5 cloning, you still have at least 20 ports left for additional cloning/imaging sessions to run simultaneously. TaskForce is designed to minimize the imaging time.

How do I image to an E01 or a RAW file?

When selecting targets in the slide-out panel, click the Select file tile. It only works if TaskForce 2 is connected to a network and with an accessible network folder.

How can I create an E01 image?

To image a source evidence drive to an E01 file, you have to create a new target file:

  1. Go to Image.
  2. Select the source evidence drive.
  3. On the Select target devices panel, click Select file.
  4. In the file selector, find the folder to store the image and click Create file.
  5. In the Create image file dialog, select the E01 file type.
  6. Fill in E01 file information, and then click Create.
  7. On the Select target devices panel, click Continue.

How do I set up an automated launch of AXIOM after imaging?

You cannot launch a third-party software from TaskForce 2 itself. However, there are automation tools that allow TaskForce to be integrated into a workflow with Magnet AXIOM. For instance, Magnet AUTOMATE. Atola team closely cooperates with Magnet's developers to support and enhance this integration. See how it works.

Another option is a folder monitor/watchdog. Use an app that tracks when a new image file appears in a specific folder. After that, such an app can launch Magnet AXIOM against the newly created image. There are many watchdog tools on the web.

Is there a way to delete an imaging session and start imaging all over again?

When you select source and target drives that were previously used in an imaging session, TaskForce 2 will indicate the progress status of the previous session and you will be allowed to resume it.

To start a new imaging session with the same source and target, you will need to delete the previous one:

  1. Go to Image.
  2. Select the source drive.
  3. On the Select target devices panel, select the target and click Continue.
  4. Right-click the imaging session.
  5. In the context menu, click Allow imaging map deletion. A Trash icon appears in each imaging progress status tile.
  6. To delete the previous imaging session, click the Trash icon. Now you are able to start a new session to the same target.

To disable imaging map deletion, click the imaging session again and select the option in the context menu.


RAID configuration autodetection & imaging

Can TaskForce 2 identify a RAID’s configuration if I include drives that are not RAID members (the drives are not marked properly)?

Normally, TaskForce 2 can identify the type of an unknown RAID within a minute. TaskForce reads data from the initial 3 million sectors of each drive and searches for the correct relation between the RAID members.

With an odd drive, the module will need more time to identify the configuration.

  • In case of RAID 1 or 10, detected mirrors will be arranged into groups, the odd drive will be placed separately, partitions will be mounted successfully.
  • If it is a JBOD, the partitions will likely be identified and the order of the drives will be correct, with the odd drive placed at the end.
  • As for RAID 0 or 5, TaskForce won't reassemble such array: data from the odd drive is taken into account when TaskForce combines data from all members.

NB The autodetection module attemps identifying configuration from scratch each time you remove or add a drive. Try removing a drive that seems odd. Normally, RAID members are drives of the same capacity and usually, of the same type, made by the same manufacturer, etc.

Can I image a RAID array that contains a damaged drive?

RAID assembly module requires good, readable drives to find a configuration. When one of the RAID's drives is damaged, it's best to image the drive first and attempt the reassembly using the image.

However, if the configuration is known and no search is required, you can try to mount the RAID even with a malfunctioning device. In this case, specify the configuration manually and proceed with imaging. TaskForce's multipass imaging engine copes with RAID arrays with such issues effectively.

If you are dealing with a RAID 5, RAID 6, or RAID 1, TaskForce 2 will use the RAID's redundancy when encountering internal read errors.

When one of the drives in a RAID 5 array is seriously damaged, you can add a virtual Missing device instead of the damaged device. Next, it is possible to reassemble and image the RAID 5 array from the remaining healthy drives and 1 "stub" device. TaskForce reconstructs data from such arrays on-the-fly in the course of imaging.


Performance

How to reach 25 TB/h?

TaskForce 2 was designed as an ultimate multitasking tool with huge overhead capacity. Given that most imaged devices are HDDs, whose data transfer rate is 200 - 220 MB/s at best, it is not frequently that you will be seeing TaskForce reach the limits of its capacity.

Our QA team achieves the speed of 25 TB/hour with this specific setup:

  • imaging 8 SAS ports to 8 SATA ports (all SSD drives)
  • imaging 2 NVMe ports to 2 NVMe ports
  • imaging 1 USB ports to 1 USB ports (all SSD drives)
  • imaging 2 USB ports to network files (10Gb connection)
  • imaging IDE port (with an IDE drive attached) to a network file (10Gb connection)

Instead of cloning, target drives can be formatted as Storage for E01/AFF4/RAW image files.

In most cases, you deal with HDDs as source devices, and they are half as fast as SSDs, which creates a bottleneck.

Another potential performance bottleneck is network bandwidth. To achieve maximum throughput, connect ETH1 port to a network or NAS, and ETH2 port to another network or NAS. It will give you 20Gb/s of throughput. It also depends on your network hardware and setup.

To learn about network throughput optimization, read the official TaskForce manual:

Performance when imaging to a remote USB drive (write cache + exFAT)

There are two ways to boost imaging performance:

  1. Format the target drive to exFAT. It works faster than NTFS.
  2. Enable Windows write cache:
    1. Go to Device Manager.
    2. In the Disk Drives category, select your drive.
    3. On the Policies tab, switch to Better performance.
    4. Confirm the reboot of the PC.

Important: When the last imaging session completes, use Eject Removable media icon in the system tray to guarantee cache-flushing of the last portions of written data. Here is an article explaining how it works.


Connectivity

How do I extend my server network with a DHCP-enabled switch

Here is an example of switch that supports static IP setup via simple web admin. To set the IP addresses for each current server network node:

Ubiquiiti EdgeSwitch 16 XG
Four 10Gb Ethernet ports, twelve 10Gb SFP ports

To configure a Ubiquiti DHCP server:

  1. Connect PC and TaskForce to Ubiquiti switch.
  2. Set static IP address of PC to 192.168.1.4.
  3. Open a browser and enter 192.168.1.2 (default Ubiquiti switch IP).
  4. Log in with default credentials: ubnt (both name and password).
  5. Go to System > Advanced Configuration > DHCP server > Global.
  6. Activate Admin mode by checking the required checkbox and clicking the Submit button.
  7. Go to Pool Summary and click Add to make a new address pool
  8. Enter your:
    • pool name
    • network base address (192.168.1.0 for example)
    • network mask (255.255.255.0)
    • put Default Router Address and DNS

    After creating your pool, you can change it via Pool configuration tab.

  9. Click the Save configuration button in the right upper corner of the window and then Save.

Alternatively, there is a tutorial on Youtube.

To enable 10Gb with jumbo frames:

  1. Go to Basic > Port summary.
  2. Select ports 0/13, 0/14, 0/15, 0/16 and click Edit.
  3. In the Edit Port configuration window, change Maximum Frame Size to 9014.

There is no DHCP server on our internal lab network. How do I assign a static IP address to TaskForce 2?

  1. In TaskForce, click the menu button in the top right corner.
  2. Click Settings.
  3. In the Network section, you will find IP settings for both 10Gb Ethernet cards.
  4. Click the pencil button to see Use static IP checkbox.

Atola TaskForce demo video includes a basic explanation of the network settings. Here's a Youtube video on that.

How do I set up Windows Server share?

In Control panel:

  1. Enable Guest account (Administrative tools - AD users and computers - Users)
  2. Next, go to Network and sharing center - Change advanced sharing settings - Turn On network discovery + Turn on sharing (file and printers + public folders)
  3. In the shared folder access options, add Guest or Everyone

If the shared folder demands restricted access, please follow this guide.

How do I connect TaskForce 2 to a network domain?

TaskForce 2 does not require a preliminary setup for working in a domain. Instead, your flow would be:

  1. Click the Image icon in the left-side taskbar
  2. Select the source in the left slideout panel
  3. To select the target, click Select file in the FILE section
  4. In the file manager's Local network section, click Connect button
  5. A new dialog will appear with the Domain field

The entered server will remain in the Local Network section list.

Additionally, in Web API, there's a targetFolderDomain parameter of /start-image command that may be of use.

How do I setup Synology DS218?

  1. Go to Control panel > File services > SMB > Advanced settings.
  2. Set Maximum protocol to SMB3.
  3. Go to Control panel > Shared folder.
  4. Click Create button and specify network folder details.

If you need to get a guest account working, run the next actions:

  1. Go to Control panel > User.
  2. Edit for Guest user.
  3. Untick Disable this account.

Wiping

How does SSD Trim work and does it wipe a drive completely?

SSD Trim doesn't instantly wipe sectors (NAND memory cells) of a drive. It instructs SSD's firmware which sectors can be wiped by marking them as 'dirty'.

Time of erasure of 'dirty' sectors depends on the SSD manufacturer and firmware. For instance, recent Samsung SSDs have a so-called foreground garbage collection. It wipes any erased file almost immediately thanks to a TRIM command proactively executed by the operating system. In older SSDs, trimmed sectors can remain intact for minutes or even hours.

The most secure way to erase an SSD entirely is using one of the following methods:

  • Secure Erase - for SATA drives
  • Format NVM - for NVMe drives
The drive's internal implementation of these commands is vendor-specific. In most drives, it ensures full erasure of an SSD including non-addressable areas.


Case management & reports

Can all reports listed in the main page be sorted, managed, or deleted?

Yes, they can be filtered, sorted, exported, and deleted. The quickest way to perform a search is by using the Search field above the reports on the main page. Entering task name (Image, Diagnose, Wipe) and/or device model/serial helps getting a more specific output.

To sort, export, or delete reports, you can go to Reports in the top menu, where all case reports are shown in a table view. Save to helps download the selected reports in a single ZIP file. There is also a Delete button in the bottom right corner for your needs.

Can reports only be exported in PDF, can I export them into RTF format instead?

It should be possible to save a page into RTF. For example, in this Chrome AddOn you can select the reports and click Print. It will generate a single page with all selected reports, which can be exported to .RTF file.


Subscription

How do I activate my unit in a network-free environment?

There is a single way to perform TaskForce 2 activation or subscription extension:

  1. Enter the TaskForce 2 serial number. It can be found at the bottom of the unit.
  2. TaskForce 2 generates a license key (Internet connection is not required).
  3. You find an Internet-connected PC and visit the website: a.atola.com.
  4. You enter the license key and several other details.
  5. The website generates a TaskForce activation code.
  6. You write the code down or take a photo, and then enter it in TaskForce activation screen.

Troubleshooting

Imaging issues


A healthy drive appears to have many bad sectors during imaging

The issue is likely caused by a loose port connection, leading to read errors and even drive identification issues.

To completely reset the physical link, unplug the cable from both the port and the storage device, wait for a whole minute and plug it snugly back in.


When I click Continue upon selecting targets, TaskForce does not open the Imaging Settings page

The issue must have been caused by the browser cache.

  1. Go to Chrome browser settings
  2. Open Clear browsing data option
  3. Clear all the data after selecting All time range

Please note that TaskForce works properly only with the Chrome browser.


When I image to the network, the speed is low

When imaging to network, there are two potential bottlenecks:

1. Network performance

It can be enhanced with 10Gb connection. Another important thing: Jumbo frames should be enabled in TaskForce settings, target computer/NAS network card and network switches/routers in between them.

2. Write speed of target network drive

It can be more difficult to improve. In particular, if one images several drives to the same network location. It leads to a situation when 8 source SSDs are read with 500 MB/s speed but the total writing capability of target network drive cuts it to just 400 MB/s. Distributed between 8 sessions, the speed becomes too low (400/8=50 MB/s per session).

The best solutions to achieve top speeds with target network locations:

  • A RAID consisting of SSDs
  • A NAS combined with a 10Gb switch. E.g. Ubiquiti EdgeSwitch 16 XG
  • A network server with many drives and great writing performance.


TaskForce issues


TaskForce booting does not get completed.

To make sure TaskForce boots correctly, reset TaskForce:

  1. Power off TaskForce
  2. Detach all devices and cables from the system (including PSU cable, Extension module, SATA cables, USB devices/cables etc). So the TaskForce should be just by itself with nothing attached to it at all.
  3. Give it 3-5 minutes to fully reset. There are a few internal circuits that need up to a minute to fully reset after power off, but I recommend waiting at least 5 minutes to be sure.
  4. Plug only the power cable back in (no network/USB/SATA cables etc).
  5. Power TaskForce on and wait for 3-4 minutes.

Internet Explorer renames TaskForce's .AFM2 firmware file into a ZIP file.

Internet Explorer identifies an AFM2 file as a ZIP file and automatically renames it to ZIP. Read this article about the reason Explorer does this. This issue only occurs in the Internet Explorer.

We suggest using other popular browsers, such as Chrome or Firefox.


IP address does not show when an Ethernet cable is plugged into the unit

Usually, your network router is responsible for assigning IP addresses to other computers or devices in the same network.

Make sure your router has DHCP support and it is enabled.


I want to see the syslog for more information about the issue I am facing

To download the TaskForce logs:

  1. Connect TaskForce to the network so that you can access it from your PC
  2. An IP address is shown in the IP screen on the front panel of the unit. Let's say, it is 10.0.0.33
  3. On your PC, open Chrome browser and enter http://10.0.0.33/syslog
  4. Click Save
  5. This will download the logs to your PC's Downloads folder.

I cannot find my network shared folder

Follow these steps to setup Windows network folder:
  1. Go to Settings > Network & Internet > Status > Sharing Options
  2. Open Private (current profile) section
  3. Select Turn on network discovery
  4. Select Turn on file and printer discovery
  5. Open Guest or Public section
  6. Repeat steps 3 and 4 for Guest or Public section
  7. Open All Networks section
  8. Select Turn on sharing so anyone with network access can read and write files in the Public folders
  9. Select Turn off password protected sharing
  10. Click Save changes
If the above has not fixed the issue, edit the folder share permissions:
  1. Open Computer Management window (pressing Win button and type in Computer Management)
  2. Expand System Tools > Shared Folders and click Shares in the left-side tree
  3. Right-click the shared folder in the central pane and click Properties
  4. Select Share Permissions tab
  5. Click Add to assign permissions to the shared folder for a user group
  6. In the dialog box, type Everyone and click OK
  7. Select Full control permission (Read & Write permissions) for the user group you have just added
  8. Click OK

We strongly recommend using the latest OS versions: Windows 10, Windows Server 2019/2016, Centos 7, Ubuntu 18.4. It is crucial for reaching high network transfer speeds.