Logical imaging

Creating a full bit-by-bit image of modern evidence drives can take a tremendous amount of time. For instance, to physically image a 10TB SATA drive in good condition, you may need up to 12 hours on average. With a newer 20TB drive or an assembled 30-60TB RAID, it would take much longer.

Atola TaskForce lets you save valuable time by acquiring only specific files rather than copying every single bit from every sector of an evidence device. Logical image acquisition is a way to capture evidence in a forensically sound manner, without altering the original content of a source drive and its metadata, like file names and creation dates.

The logical imaging module produces an image file in L01 format. It contains only partitions, folders, and files you selected manually or using smart include/exclude filters, as well as their MD5/SHA1 hashes calculated during imaging.

Logical imaging: main page.

Sources for logical imaging

Run more than 12 simultaneous logical imaging sessions for the following types of source devices:

  • NVMe, SATA, SAS, USB, MacBook, IDE drives
  • reassembled RAID arrays
  • Raw/E01/AFF4 image files located on a network or a storage drive

The file systems supported by the logical imaging module are:

  • NTFS
  • FAT32/16
  • ext4/3/2
  • XFS
  • APFS (with encrypted volumes)
  • HFS/HFS+
  • exFAT

Targets for logical imaging

As an imaging target, you can select an L01 file or ZIP archive:

  • in a network folder
  • on a storage drive, connected directly to the TaskForce unit

For an L01 forensic file, TaskForce also supports compression.

L01 image format

Smart include and exclude filters

The logical imaging module in TaskForce has powerful and flexible filtering settings.

To fine-tune your selection, include or exclude what you need:

  • All or selected partitions
  • Manually selected files or folders
  • Predefined file types (you don't have to come up with the file extensions; they are already built in):
    • audio
    • video
    • pictures
    • emails
    • documents
    • archives
    • databases
    • financial
    • security keys
    • virtual machines
  • Predefined folder types:
    • User folders
    • OS folders
  • Time spans: when files were accessed, created, modified
  • File size: from 1 byte to infinity

Pause/Resume logical imaging

Although logical imaging is much faster than creating a full bit-by-bit copy of an evidence device, with modern multi-terabyte drives it can still take more time than you have at the moment.

As with physical imaging, TaskForce lets you pause the logical imaging process and resume it later. The software reliably stores an unfinished L01 image without losing any data.

Pausing and resuming a logical acquisition process can be useful when you don’t want to leave a running task unattended or need to share the case with your colleague. Here are workflow examples for these scenarios.

Scenario 1. You want to keep an eye on a running task:

  1. Pause your logical imaging session.
  2. Power off the TaskForce and leave your workplace.
  3. On returning, power on the TaskForce.
  4. Resume the logical acquisition process from the same point where you paused.

Scenario 2. You want to share the case with your colleague:

  1. Pause your logical imaging session.
  2. Export the case into a file.
  3. Transfer the source drive with the case file to a different location that has another TaskForce.
  4. Resume the logical acquisition process.