Call us: 10am – 6pm ET

888 540-2010, 416 833-3501

TaskForce workflow

Atola TaskForce provides a complete feature set for has a forensically sound evidence acquisition process. Based on our own decade-long experience of working with data storage devices as well as the experience of our clients in digital forensics market we strongly recommend this workflow:

1. Diagnose the drive

TaskForce is equipped with a fully-automated diagnostics module, which diagnoses all drive systems: printed circuit board (PCB), spindle motor, head stack, firmware, and file systems. Diagnostics will work properly even if the drive has burnt parts or damaged head stack – the routine makes use of the current monitor that is embedded into DiskSense unit.

After diagnostics finishes, the tool will prepare a report and let you know the exact issue with the drive; it will also suggest the next step to be able to retrieve the data.

Diagnostics of damaged drive

Diagnostics of damaged drive

2. Get access to the media

HPA and DCO recovery

TaskForce detects hidden areas on the drive set via Host Protected Area (HPA) or Device Overlay Configuration (DCO) and can automatically recover/remove them. To avoid change the state of the drive, HPA or DCO reset until power cycle option is available with software version 2018.2.

3. Image the evidence

To ensure efficient imaging of both good and damaged drives, TaskForce is equipped with a sophisticated and powerful imaging module that creates a bit-to-bit copy of the evidence. Based on the diagnostics report, image drives with default settings or adjust them, should the media be damaged and require special treatment.

Imaging damaged drive

Imaging damaged drive

Imaging good SSD. Speed: 538 MB/s

Imaging good SSD. Speed: 538 MB/s

4. Calculate hash

To ensure forensically sound evidence acquisition process, remember to calculate hash of the evidence and the image. It is essential way to prove image integrity.

With damaged devices, it is best to calculate hash during imaging (using segmented hashing*). This way data on a fragile device is only read once, and less potential damage to the media is caused.

NB Linear hash can only be calculated by reading data in sectors consecutively in one pass. When it encounters a bad sector, linear hash calulation is discontinued. In upcoming releases we will support Segmented hashing so that hash can be calculated for damaged drives.