I would like to announce that we are dropping support for Windows XP and Vista for our products listed below:
- Atola Insight
- Atola Imager
- Atola Forensic Imager
- Atola Disk Recycler
It was not an easy decision, but after weighing our options we are certain that this is the only way to ensure quality of our products in the future releases.
Therefore, the upcoming software updates for the above mentioned products will not install on Windows XP or Vista anymore.
I know there are people who still have warm feelings about Windows XP, and I am one of them. However, recently we have found ourselves fixing quite a bit of things that were only broken because Windows XP does not support something. Not only that, but because certain things work quite differently on Windows XP in comparison to Windows 7 and 8, we need to extensively test each release for Windows XP compatibility. And we’ve got a feeling that we’re wasting our time.
We want concentrate our efforts on what matters. Supporting these obsolete operating systems takes more and more of our resources which we could otherwise spend developing cool features. This is especially valid since fewer and fewer of our customers still use these OS’s. Dropping support of Windows XP and Vista will also allow us to spend less time doing quality assurance, which means shorter time between releases.
So, if you are still running one of these operating systems, now is a good time to upgrade to either Windows 7 or Windows 8; all our products run perfectly on both.
We would like to present the short interview with Bobby Rose, one of Atola customers. He provides DR services at Data Recovery Hollywood which is a subsidiary of Hollywood PC Repair.
Please tell me about your company and your current role?
Hollywood PC Repair and Data Recovery provides flat fee data recovery services to the community in Hollywood, California. The majority of our customers are lower income individuals who cannot afford expensive data recovery services.
What is the most challenging aspect of your work?
Breaking the news to customers in cases where their hard drive will require expensive clean-room recovery.
How often do you use your Atola system(s) and how does it help you in your work? (please also indicate Atola system(s) used)
I use my Atola Bandura every day. It is either recovering data or wiping target drives for the next recovery.
How often do you work with SSD disks, does our system assist you with them?
Not often, they seem very reliable.
What are your recommendations regarding further improvements of your Atola system(s)?
Better logging; many operations are not logged if they are not completed to the very last possible step; also, the ability to accurately set the date and time on the system.
What would you most like to see changed or improved in the field of Data Recovery/Forensics?
Lower prices for cleanroom operations.
One of Atola’s most significant releases ever, Insight 3.0, has been launched already!
You will be pleasantly surprised by its many improvements and the increased opportunities it offers. With Atola Insight 3.0 take advantage of even more capabilities!
Just take a look at the considerable number of improvements created for Insight 3.0. You can find the full list of improvements on the change log.
New interface for effective work with 2 HDD
In general, the data recovery process deals with both a source disk and a target disk or an image file to make a sector-by-sector copy. Our new interface is specifically designed to ensure more efficient operations between source and target disks.
The new interface of Insight 3.0 allows independent work with 2 disks (or with a disk and an image file). The focus between the 2 ports can be easily changed.
Left port is used for a source-disk. It shows a disk that is connected to the source-port of a DiskSense.
Right port is used for connection to a target-disk and image files. You can choose the following:
- Disk, connected to a target port of a DiskSense Ethernet unit.
- Disk, connected directly to PC.
- File on a disk that is going to be used as an image file.
The Source port can perform all possible functions of the Insight software and most functions can now also be performed through the target port.
An independent work with ports
To make the data recovery process more effective, Atola Technology offers you 2 separate and independent ports for enhanced work flow choices. Separate and simultaneous long-term operations on 2 disks are now possible and you can you move from one port to another at any time.
For example, while the Source port is performing a diagnostic, you can prepare a target disk by erasing old data. For that you just run automatic checkup at the Source port:
Then click the Target Port and start Fill or Erase for target disk simultaneously:
Atola Insight 3.0 foresees all important drive parameters that are grouped in one place. It ensures quick estimation of a situation, a better chance to avoid possible mistakes and provide a high level of work.
The Source port contains a complete set of circuit control devices. Depending on unit types, circuit control devices can also be changed by the Target port.
Source port in Atola Insight 3.0
Other Atola Insight 3.0 new features and improvements
We are happy to claim the following features were released in the Insight 3.0:
- Live stats of file signatures discovered during imaging.
- Added the ability to create a list of files containing sectors recovered with Read Long command.
- Single-button, fully automatic HPA and DCO unclipping.
- New Imaging setting: “Limit target disk size to source size using HPA”.
- GPT partitions support for ext2/3/4 in File Recovery and Imaging.
- Added the ability to (re-)wipe sectors on target drive that were not copied from source.
- Speed of MD5 and SHA checksum calculation was improved.
- Speed of imaging and file recovery operations has been improved on Ethernet unit
- Imager will now give a warning when the Source hard drive is clipped via either HPA or DCO.
- Terminal history is now saved into the case management.
- Case tracking now also tracks actions for Target disks separately; this is completely seamless.
- Modification dates of recovered files are now preserved.
Brilliant work with damaged disks
Atola Insight is specifically designed to ensure the most efficient work with even badly damaged disks. The special hardware in the DiskSense Unit, allows settings of time-outs for reading operations, opportunity to make soft and hard resets and more.
Any program for Windows is able to get all these benefits after mounting a disk in a system through Insight. This way, your in-house utilities may be integrated by Insight while working and connected by a DiskSense Unit.
Atola Insight 3.0 now possesses more power, capacity and amazing enhancements.
It’s your fantastic opportunity to achieve even more results than you can imagine!
Don’t miss the chance to empower your work flow!
Hard drives are built in a way so that they never return unreliable data. This means that if the hard drive cannot guarantee 100% accuracy of the data requested, it will simply return an error and will never give away any data at all.
Understanding Bad Sectors
General causes for bad sector formation are physical or magnetic corruption. Physical corruption is easy to understand – it occurs when there is physical damage done to the media surface. Magnetic corruption occurs when hard drive miswrites data to a wrong location. While the latter may seem to be less damaging, it is actually as dangerous as physical damage, since miswritten data may not only damage adjacent sectors, but also servo sectors.
Regardless of the cause of damage, there are several possible outcomes:
- Address Mark field corruption
- Data corruption
- ECC field corruption
- Servo sector corruption
- Or any combination of these
What is common with all these types of corruption is that your Operating System or normal data recovery tools cannot read the data from those sectors anymore.
Let’s find out exactly what happens when a tool tries to read a sector that has one of the above mentioned problems.
Address Mark corruption
When Address Mark is corrupted, the hard drive simply cannot find the requested sector. The data might still be intact, but there is no way for the hard drive to locate it without the proper ID. Some modern hard drives do not actually use sector ID or Address Mark in the sector itself; instead, this information is encoded in the preceding servo sector.
To verify data integrity, a hard drive will always validate it with the Error Checking and Correction algorithm using the ECC code written after the data field (see above diagram). When data is corrupted, the hard drive will try to recover it with the same ECC algorithm. If correction succeeds, the drive will return the sector data and will not report any error. However, if correction fails, the drive will only return an error and no data, even if the data is partially intact.
ECC field corruption
Although this is rare, the ECC code can also get corrupted. In this case the drive reads perfectly good data from the sector, and checks its integrity against the ECC code. The check fails due to the bad ECC code, and the drive returns an error and no data at all, because there is no way to verify data integrity.
Servo sector corruption
There are up to a few hundred servo sectors on a single track. Servo sectors contain positioning information that allows the hard drive to fine tune the exact position of the head so that it stays precisely on track. They also contain the ID of the track itself.
Servo sectors are used for head positioning in the same way a GPS receiver uses satellites – to exactly determine the current location. When a servo sector is damaged, the hard drive can no longer ensure that the data sectors following the servo sector are the ones it is looking for, and will abort any read attempt of the corresponding sectors.
How Bad Sector Recovery Works
Once again, hard drives are built to never return data that did not pass integrity checks.
However, it is possible to send a special command to the hard drive that specifically instructs it to disable error checking and correction algorithms while reading data. The command is called Read Long and was introduced into ATA/ATAPI standard since its first release back in 1994. It allowed reading the raw data + ECC field from a sector and returning it to the host PC as is, without any error checking or correction attempt. The command was dropped from the ATA/ATAPI-4 standard in 1998; however, most hard drive manufacturers kept supporting it.
Later on, when hard drives became larger in capacity and LBA48 was introduced to accommodate drives larger than 128 GiB, the command was officially revived in a SMART extension called SMART Command Transport or SCT.
Obviously, since the drive does not have to verify the integrity of data when the data is requested via the Read Long command, it would return the data even if it is inconsistent (or, in other words, the sector is “Bad”). Hence, this command quickly became standard in bad sector recovery.
There is also another approach which is based on the fact that some hard drives leave some data in the buffer when a bad sector is encountered. However, our tests have shown that chances of getting any valid data this way are exactly zero.
Debunking Bad Sector Recovery
So, to “recover” data from a bad sector, one would simply need to issue the Read Long command instead of “normal” Read Sectors command. That is really it! It is so simple any software developer who is familiar with hard drives can do it. And, sure enough, more and more data recovery tools now come with a Bad Sector Recovery option. In fact, it has come to the point when if a tool does not have a bad sector recovery feature, it automatically falls into a second-grade category.
Error checking and correction algorithms were implemented for a reason, which is data integrity. When hard drive reads a sector with the Read Long command, it disables these algorithms and hence there is no way to prove that you get valid data. Instead, you get something, which may or may not resemble your customer’s data.
Tests in our lab had shown that in reality, by using this approach you will get much more random bytes than anything else. Yes, there are cases when this approach allows recovering original data from a sector, but these cases are extremely rare in real data recovery scenarios, and even then, only a part of the recovered sector will contain valid data.
Even when we got some data off the damaged sector, what exactly should we do with its other (garbled) part? And how exactly do we tell which part of the sector has real data in it and which is just random bytes? Nobody is going to manually go through all sectors in a HEX editor and judge which bit is valid and what is not. Even if someone did, there is no way to guarantee that what they see is valid data.
And this is where the real problem starts.
Dangers of Read Long approach
Imagine a forensic investigator recovering data off a suspect’s drive while the drive has some bad sectors on it. To get more data off the drive, the investigator enabled Bad Sector Recovery option in his data acquisition tool. In the end, his tool happily reported that all sectors were successfully copied, so he began extracting data from the obtained copy.
When looking for clues, he found a file that had social security numbers in it. He then used these numbers in one way or another for his investigation.
What he did not know is that one of the sectors that contained these numbers was recovered via the Read Long command, and some bits were flipped (which is very common for this approach). So, instead of 777-677-766 he got 776-676-677, causing him and other people a whole lot of unnecessary trouble. Another example: when recovering a damaged file system, even slightly altered data in an MFT record can mislead the file recovery algorithm and in the end do much more harm than if there was no data copied at all in that sector.
Once again, error checking and correction algorithm is in place for a great reason. There is absolutely no magic in bad sector recovery; it is impossible to recover something that just isn’t there.
There are tools that claim better bad sector recovery because they utilize a statistical approach, an algorithm where the tool reads the bad sector a number of times and then reconstructs the “original” sector by locating the bits that occur most often in the sector. While these tools claim this approach could improve the outcome, there is no evidence to back up the validity of such claims. Furthermore, re-reading the same spot many times while the hard drive is failing is a good way to cause permanent damage to the media or heads.
So what about Atola Insight?
Like all high end data recovery tools, Atola Insight supports bad sector recovery via the Read Long approach.
Atola Insight 3.0 which is going to be released in January 2013 has even more profound functionality. Again, we are one important step ahead of competition: the locations of recovered sectors are automatically stored in the case management database. After imaging is complete, Atola Insight 3.0 automatically marks all files that contain sectors recovered with the Read Long command.
This way the operator has the ability to disregard such “unreliable” files and manually verify file integrity if it is an important one.
Once again, if you are after valid data, avoid using any bad sector recovery algorithms. These algorithms will never offer data integrity no matter how complex their implementation is. If you absolutely must recover data from bad sectors, make sure you use a tool that properly accounts for these recovered sectors.
We always advise our customers to avoid using a bad sector recovery option until absolutely required. In Atola Insight you can always create an image without bad sector recovery first, try recovering files, and, if unsatisfactory, go back to Imaging and improve the image by enabling new options, including a bad sector recovery, and running the imager only on bad sectors.
When it comes to bad sector recovery, make sure your data recovery tool offers this level of flexibility.
How do you start your working day?
Data recovery (DR) and Forensic specialists are highly known because of their workplace, aren’t they? A computer with the case removed and wires sticking out, piles of hard disc drives with various stickers and labels, and more wires is typically a confusing, disorganized mess.
You have just come to work and you are still sleepily looking towards your plans for the day, and suddenly, the telephone rings! It’s your biggest client, and he is asking lots of questions. But how do you keep all these data in your mind? Of course, you can have notes somewhere, but is that really useful and effective?
What if you have a lack of information and your client needs an update NOW?
Even on your best days, it is not so easy to remember in what order you have checked a disc, what problems you found, and what you did do or did not! This time, your client is asking new questions again and again, and needs to know now. It’s an awkward situation, isn’t it?
That’s why Atola Technology specifically designed the Case Management System for the Atola Insight!
Proper Case Management is a unique feature that makes your work easier and more available to others. Atola Insight offers the most highly developed and user-friendly case management system of any DR solution on the market.
Main features at a glance:
- All reports, firmware files, notes and logs related to a case are automatically saved and can easily be retrieved at any time.
- Every hard drive is recognized immediately upon connection.
- It records all case data without stopping to input notes.
- It keeps the entire case history at your fingertips.
- It recalls any case quickly and easily.
You will be positively surprised every day how comfortable and useful it is to use.
Want to learn more about Case Management?
Please follow the link.
Tags: data recovery, forensic