Atola TaskForce provides a complete feature set for a forensically sound evidence acquisition process. Based on our own decade-long experience of working with data storage devices, as well as the experience of our clients in the digital forensics market, we strongly recommend this workflow:
TaskForce is equipped with a fully automated diagnostics module, which diagnoses all drive systems: printed circuit board (PCB), spindle motor, head stack, firmware, and file systems. Diagnostics will work properly even if the drive has burnt parts or a damaged head stack – the routine makes use of the current monitor that is embedded into the DiskSense unit.
After diagnostics finishes, the tool will prepare a report and let you know the exact issue with the drive; it will also suggest the next step to be able to retrieve the data.
TaskForce detects hidden areas on the drive, namely Host Protected Area (HPA), Device Configuration Overlay (DCO), or Accessible Max Address (AMA), and can automatically recover/remove them. To avoid changing the state of the drive, an option to reset HPA until power cycle is available.
To ensure efficient imaging of both good and damaged drives, TaskForce is equipped with a sophisticated and powerful imaging module that creates a bit-to-bit copy of the evidence. Based on the diagnostics report, image drives with default settings or adjust them, should the media be damaged and require special treatment.
To ensure a forensically sound evidence acquisition process, remember to calculate the hash of the evidence and the image. It is an essential way to prove image integrity.
With damaged devices, it is best to calculate hash during imaging (using segmented hashing*). This way data on a fragile device is only read once, and less potential damage to the media is caused.
NB: A linear hash can only be calculated by reading data in sectors consecutively in one pass. When it encounters a bad sector, linear hash calculation is discontinued. In upcoming releases we will support segmented hashing so that a hash can be calculated for damaged drives.
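The difference between linear and segmented hashing described above, as an added Python sketch that is not Atola's code or hash-file format. The 512-byte sector size, SHA-256, the fixed segment length, zero-filling of unreadable sectors and the `make_drive` test drive are all assumptions made for illustration.

```python
import hashlib

SECTOR = 512  # bytes per sector (assumed)

def make_drive(bad):
    """Constructed test drive: read(lba) returns bytes, or None for a bad sector."""
    def read(lba):
        if lba in bad:
            return None
        return hashlib.sha256(lba.to_bytes(8, "big")).digest() * (SECTOR // 32)
    return read

def linear_hash(read, total):
    """Single consecutive pass; abandoned at the first unreadable sector."""
    h = hashlib.sha256()
    for lba in range(total):
        data = read(lba)
        if data is None:
            return None
        h.update(data)
    return h.hexdigest()

def image_with_segmented_hash(read, total, seg):
    """Image the drive, reading every sector once, hashing per segment.
    Returns (image, [(start_lba, count, digest or None if a sector was bad)])."""
    image, segments = bytearray(), []
    for start in range(0, total, seg):
        count = min(seg, total - start)
        h, complete = hashlib.sha256(), True
        for lba in range(start, start + count):
            data = read(lba)
            if data is None:
                data, complete = bytes(SECTOR), False  # zero-fill the gap
            image += data
            h.update(data)
        segments.append((start, count, h.hexdigest() if complete else None))
    return image, segments

def verify(image, segments):
    """Return start LBAs of hashed segments whose image data no longer matches."""
    mismatched = []
    for start, count, digest in segments:
        chunk = image[start * SECTOR:(start + count) * SECTOR]
        if digest is not None and hashlib.sha256(chunk).hexdigest() != digest:
            mismatched.append(start)
    return mismatched

if __name__ == "__main__":
    read = make_drive(bad={21, 22})  # constructed: two unreadable sectors
    print("linear:", linear_hash(read, 64))
    print("mismatches:", verify(*image_with_segmented_hash(read, 64, 8)))
```

Segments without a digest mark the ranges of the image that cannot be integrity-checked, so a report built on such an image should list them explicitly.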