Atola Technology

Network database setup in Atola Insight Forensic

Atola Insight Forensic can work with a remote database shared between many users. Here is how to set up such a network database and connect different PCs running Atola Insight to it.

1. Pre-install SQL Server 2012 or 2014 on the network server PC

2. Launch Atola Insight Forensic on the user PC

3. Navigate to Insight -> Database Connection Settings from the top menu

A. Select Server type: Remote

B. Specify network server name, select SQL server instance and database names

C. Enter SQL server login and password as shown in the picture below:

Network database Atola Insight Forensic

4. Click OK and re-launch Atola Insight Forensic on the user PC.

5. It will create the remote database and ask for the Work Folder name:

Network work folder in Atola Insight Forensic

Hint: Work Folder is necessary to store large files that do not fit into the database: imaging maps, logs, file recovery hash lists.

6. Change the Work Folder to the shared folder on the network server PC.

Example: The network folder successfully selected
Network work folder in Atola Insight Forensic

 

Now you have the Atola Insight network database prepared for remote use! You can connect Atola Insight Forensic software from the other PCs. Just set up the same database settings as you did in step 3. There is no need to specify the Work Folder again, because Atola Insight will load it from the remote SQL server on the network server PC.

The only limitation: Two users will not be able to work on the same case simultaneously.

Q&A during Enfuse and Techno Security conferences

Atola booth

We were exhibiting with Atola Insight Forensic at Enfuse and Techno Security conferences and received plenty of questions from people visiting our booth. Some of these questions were repeatedly asked, so sharing them and their corresponding answers in this blog makes sense. We do hope you find the information provided here helpful!

What is the maximum imaging speed?

You can always observe an actual imaging performance of 30 GB/min in Atola Insight Forensic v4.5 with a couple of Samsung 850 Pro solid-state drives used as source and target devices.

Why is Atola Insight Forensic better than competing products?

We produce the only solution that is specifically designed to support damaged media.

Our users usually begin with automatic diagnostics for an evidence drive. It takes a couple of minutes yet saves a lot of time and energy. It detects drive issues such as PCB instability, motor problems, short circuits, firmware errors, degraded or even nonworking heads, and physical media surface damage. Afterward, you can decide what to do next with the evidence drive.

Even if you work with a severely damaged source device, the imaging engine enables you to:

  • disable damaged heads
  • automatically overcome much more serious problems than so-called ‘software bad sectors’
  • track drive state before, during and after imaging
  • have every imaging event logged in a forensically sound manner

Atola Insight has file recovery integrated with imaging. By browsing the target image directory tree, you can always see which source file sectors are bad sectors or even were read with the ReadLong ATA command (without ECC).

Last but not least, Atola Insight Forensic can clear any unknown ATA password from the hard disk drive in just a minute.

What image formats can be used for target files?

Atola Insight Forensic supports imaging to three image file types:

  • growing files: *.img
  • preallocated files: *.imgp
  • E01 files: *.e01

The first two are raw files, bit-to-bit source copies. The third target file type is E01 (Encase). It can be either compressed or not. Imaging to non-compressed E01 is several times faster and does not depend on CPU speed and core count.

How exactly does Atola Insight imaging process cope with damaged drives?

We have two goals here when dealing with severely damaged source drives:
1) Get as much data as possible
2) Decrease the number of failed read attempts to finish imaging with a still-alive evidence drive

Atola Insight Forensic uses a fast imaging map, thereby enabling us to run the whole process in multiple passes. The tool uses large blocks with short time-outs on the first few passes and then smaller blocks with longer time-outs on the last pass to image the tough areas. This provides the best possible results in the shortest amount of time.
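The multi-pass idea described above can be modelled in a few lines. This is an added, simplified example and not Atola's imaging engine: the simulated source, the bad-sector positions and the block sizes and time-outs in `PASSES` are all constructed values.

```python
# Added illustration: simplified model, not Atola's imaging engine.
SECTORS = 1024
BAD = {100, 101, 700}          # constructed: unreadable sectors on the simulated source
PASSES = [(256, 100), (16, 500), (1, 3000)]   # (block size, timeout ms), assumed values

def read_block(start, count, timeout_ms):
    """Simulated read: the whole block fails if it touches a bad sector."""
    if any(s in BAD for s in range(start, start + count)):
        return None            # a real drive would stall here for up to timeout_ms
    return bytes(s % 251 for s in range(start, start + count))  # 1 byte per "sector"

def image_in_passes(passes=PASSES, sectors=SECTORS):
    image = bytearray(sectors)             # unread sectors stay zero-filled
    imap = ["todo"] * sectors              # imaging map: todo -> done / bad
    report = []
    for n, (block, timeout_ms) in enumerate(passes):
        last_pass = n == len(passes) - 1
        failed = 0
        for start in range(0, sectors, block):
            count = min(block, sectors - start)
            if "todo" not in imap[start:start + count]:
                continue                   # the map shows nothing pending here
            data = read_block(start, count, timeout_ms)
            if data is not None:
                image[start:start + count] = data
                imap[start:start + count] = ["done"] * count
                continue
            failed += 1                    # leave as todo for a finer pass
            if last_pass:                  # no finer pass left: record as bad
                for s in range(start, start + count):
                    if imap[s] == "todo":
                        imap[s] = "bad"
        report.append((block, timeout_ms, imap.count("done"), failed))
    return image, imap, report

if __name__ == "__main__":
    image, imap, report = image_in_passes()
    for block, timeout_ms, done, failed in report:
        print(f"block={block:4} timeout={timeout_ms:5}ms done={done:5} failed_reads={failed}")
    print("bad sectors:", [s for s, state in enumerate(imap) if state == "bad"])
```

In this model half of the source is imaged after the first pass with only two short stalls, and the long time-outs are spent only on the 32 sectors that the earlier passes could not read.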

Atola Insight’s ability to disable damaged heads can just save your evidence! Other imagers merely kill the drive during imaging. Imagine having seven of eight good heads. You can just image with all of them with the exception of the damaged one. Afterward, you can begin analysis of 87% of the acquired data and at the same time try to replace the damaged head. A physical head swap is always a risky challenge.

The imaging engine contains many automatic rules. For example, it resets or power-cycles the source when the source drive freezes. It can apply a reverse imaging direction in particular cases. Here is what is useful when dealing with damaged evidence: Two imaging reports are created before and after the process. Both include not only imaging information but also SMART tables, thus enabling you to see what happened to the source drive during the process.

You claim you have the fastest forensic imager. How much forensic is it?

All source ports are write-protected:

  • SATA
  • IDE
  • USB
  • SAS and PCIe as extension modules

On top of that, overcurrent protection detects when the hard drive draws abnormal current and stops the hard drive to prevent any further damage.

Every action in Atola Insight is followed by automatically created case reports. The case management system gets a new report even if you physically flip the DiskSense unit’s write protection switch. Additionally, every case report includes mandatory information about the device, DiskSense unit, current PC, OS, and user.

Atola Insight Forensic 4.5 release

Atola Insight Forensic 4.5 is released!

We put a great deal of effort into implementing the new imaging engine to improve image acquisition stability and performance at the same time. There are quite a few changes to other parts of the product as well. In total, our internal issue tracking system has a record number of almost 250 tasks completed for the 4.5 release.

Full Atola Insight Forensic 4.5 change log is available here: Version Log.

Improved performance

Atola Insight 4.5 benchmarks show speed-up of core disk operations (all numbers are MB/s):

| Operation | Atola Insight Forensic 4.5 | Atola Insight Forensic 4.4 |
|---|---|---|
| Imaging to SATA target | 500 | 418 |
| Imaging to raw image file (1Gb network) | 120 | 110 |
| Imaging to E01 file with MD5 and SHA1 (1Gb network) | 118 | 85 |
| Imaging to compressed E01 file | 57 | 30 |
| MD5 calculation | 482 | 449 |

The tests were performed using two drives of the following model: Samsung SSD 850 PRO 256GB EXM02B6Q.

 

New features in Imaging

The revamped Imaging engine introduces some smart and beautiful features. For example, it will now automatically clear the ATA password and HPA on the fly after a power cycle if they were temporarily removed (only temporary removal is supported for write-protected source media).

Password reset

 

Imaging progress bar is included in every resulting case report to visualize cloned data.

Imaging progress bar

 

There is a new imaging setting “Stop hashing on first error”. It calculates and stores a correct hash for all sectors preceding the first read error on an evidence drive.

Stop hashing on read error
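The following added example (not Atola code) models what a hash that stops at the first read error covers and how it can be re-checked against the image. The 16-sector source, the bad sector at LBA 9 and the filler byte for unread sectors are assumptions made for the demonstration.

```python
import hashlib

SECTOR = 512
# Constructed source: 16 sectors, sector 9 is unreadable.
SOURCE = [bytes([i]) * SECTOR for i in range(16)]
BAD = {9}

def read_sector(lba):
    """Simulated source read; None stands for a read error."""
    return None if lba in BAD else SOURCE[lba]

def image_with_prefix_hash(total, filler=b"\x00"):
    """Image every sector, but hash only the run before the first read error."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    image, hashed, hashing = bytearray(), 0, True
    for lba in range(total):
        data = read_sector(lba)
        if data is None:
            hashing = False              # first error: freeze the hash here
            data = filler * SECTOR       # placeholder for the unread sector (assumed)
        elif hashing:
            md5.update(data)
            sha1.update(data)
            hashed += 1
        image += data
    return bytes(image), hashed, md5.hexdigest(), sha1.hexdigest()

def verify_prefix(image, hashed, md5_hex):
    """Re-hash the first `hashed` sectors of an image and compare."""
    return hashlib.md5(image[:hashed * SECTOR]).hexdigest() == md5_hex

if __name__ == "__main__":
    image, hashed, md5_hex, sha1_hex = image_with_prefix_hash(len(SOURCE))
    print(f"hashed sectors 0..{hashed - 1}, md5={md5_hex}")
    print("prefix verifies:", verify_prefix(image, hashed, md5_hex))
```

The prefix hash depends only on data that was actually read from the source, so it stays the same whatever placeholder is written for unreadable sectors, while a hash over the whole image does not.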

 

We improved logging verbosity during imaging. You can see the most noticeable change when ‘All sectors with data/metadata’ is selected. In that case the imaging log will contain information about found partitions.

Found partitions

 

Last but not least, Atola’s new media map manager offers a better user experience for selecting custom partitions and ranges for imaging.

Imaging media map manager

 

New preferences

There are two new options in the Miscellaneous tab that need to be explained:

  • Power down SATA target device when operation finished
  • Enable Target HEX viewer during Imaging


Power down SATA target device when operation finished

Before Atola Insight 4.5, all long-lasting operations (Imaging, Calculate Hash, Fill or Erase, Comparing) performed on Target ports were followed by a mandatory power-off. This was done mainly for the safety of target drives containing imaged source data. However, a power-off is not always wanted. For instance, when you have wiped a drive with Fill or Erase and are going to start Imaging right afterward, a power cycle is not needed. In that case, it is convenient to disable the option.

Enable Target HEX viewer during Imaging

Disabling the Target HEX viewer during Imaging matters when the source data is so sensitive that the software user must not see it. In such a case, Imaging runs from a source drive to a target drive, both plugged into the DiskSense system. With the Target HEX viewer disabled, we guarantee that the source bytes flow through the DiskSense system only and do not enter the network or the host PC.

 

All other 4.5 changes are listed here: Atola Insight Forensic Changelog.

How to upgrade

Atola Insight Forensic 4.5 can be downloaded by all customers with an active software update subscription at no additional cost.

Where to buy

If you still do not have an Atola Insight Forensic and would like to place an order, it can be done directly via Atola Technology, or from a distributor near you:

http://atola.com/wheretobuy/

We still offer an upgrade program for owners of old Atola Insight v3.x. Please contact our Atola Technology sales to receive more detailed information:

 

Imaging speed improvements preannounced in Atola Insight Forensic 4.5

We would like to share the newest speed achieved by the revamped Imaging engine. It will be shipped with the 4.5 software update in May.

Total imaging performance was significantly improved during the last 4 months. Just take a look at the 503MB/s imaging speed in the screenshot below. It is more than 30 GB per minute.

imaging-speed

 

The new imaging engine empowers you to clone a 256GB Samsung 850 Pro in just 8.5 minutes!

256GB imaged in 8.5 minutes

Atola Insight 4.4: 10Gbit Ethernet, SAS, M.2 extensions

Atola Insight Forensic 4.4 is ready for download now!

The newest version supports 3 new extension modules and includes 130+ improvements and bug fixes. In particular, we have been working really hard on the major new features described below.

Full Atola Insight Forensic 4.4 change log is available here: Changelog.

SAS extension module

The SAS extension module was designed to diagnose SAS drives and acquire images from them. It is really easy to use. Like any other extension module, it plugs into the Extension port located on the DiskSense unit. Then you connect a SAS drive to it and simply start working.

Atola Insight Forensic 4.4 supports damaged SAS drives, senses currents during Automatic Checkup, provides short circuit and overvoltage protection as well as write protection.

Forensic SAS extension module

Forensic SAS drive extension module

 

10 GBit Ethernet extension module

The 10GBit Ethernet module is primarily targeted to accelerate data transfer speed between PC and DiskSense system. It speeds up imaging source drive to an image file from 100 MB/s to 300-400 MB/s. File recovery from SATA/USB drives receives the same level of acceleration.

The extension module works via 10G Cat6 copper cable with RJ45 (8P8C) interface for connection.

There are some tips in the manual that help to get optimum performance. To open the manual, launch Atola Insight Forensic 4.4 and press F1.

Forensic 10 GB extension module for Atola Insight

Forensic 10GB extension module

 

M.2 PCIe/SATA extension module

This extension module lets you work with both PCIe and SATA drives with an M.2 connector. It is another type of source drive you can select in Atola Insight. The extension supports damaged drives, write protection and lots of Atola Insight Forensic operations.

M2 PCIe Sata- SSD extension

 

M2 PCI SATA SSD extension module

You can also find more information about this and other Atola Insight extension modules.

Revamped E01 image file support

We totally revamped E01 (Encase) image file support in order to make it faster and to support the Pause/Resume feature in Imaging. This also helped to increase compatibility of E01 files produced by Atola Insight with some third-party forensic tools that are not tolerant of E01 metadata deviations.

Imaging Pause/Resume support for E01 image files

White/Black hash lists

The new Atola Insight version lets you import text files containing huge lists of file hashes. Those can be treated as white or black hashes. The idea behind these types is simple:

  • A white hash stands for a known good file created by known software.
  • A black hash means some known bad file. It could be malware, a hacking script or a hidden illicit data file.

Once hash lists are imported into the Atola Insight DB, File Recovery checks every calculated file hash against the database. If a file hash belongs to either the white or the black hash list, special marks are shown to the left of file hash values:

  • Files having white hashes detected are marked with ticks.
  • Files having black hashes are marked with warning triangles.

On top of that, White/Black hash list filtering is supported throughout File Recovery. It is available as the ‘Hash list’ condition in the Search window, so you can quickly find all files with unknown hashes (those that are neither white nor black) and begin working on them.

File browsing filters have also received three new options: White, Black, Unknown. Here is the example below. You can see Linux partition with /usr/bin folder opened that normally contains more than 1300 files.

Case 1. No filters applied

All files are shown. The ticked files are good ones since they have white hashes (marked with ticks).

All files are shown without filtering

Case 2. Black and Unknown hash list filters applied

All good files with white hashes are filtered out. Thus, we just see two files which are valuable for further analysis. The hash of malicious.file was found in the black hash list. shady.me is not marked, which means it could contain some interesting data inside.

File Recovery black and unknown hashes interested
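The white/black/unknown classification and the Black + Unknown filter from Case 2 can be sketched as follows. This is an added example, not Atola code: the hash-list text format (one hex MD5 or SHA-1 digest per line, `#` comments), the rule that a black hit wins over a white one, and the file contents are assumptions; only the file names `malicious.file` and `shady.me` come from the example above.

```python
import hashlib

HEX = set("0123456789abcdef")

def load_hash_list(text):
    """Parse hash-list text: one hex digest per line, '#' starts a comment (assumed format)."""
    hashes = set()
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip().lower()
        if len(token) in (32, 40) and set(token) <= HEX:   # MD5 or SHA-1 length only
            hashes.add(token)
    return hashes

def classify(data, white, black):
    """Return 'black', 'white' or 'unknown' for one file's content."""
    digests = {hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()}
    if digests & black:        # assumed rule: a black hit wins over a white one
        return "black"
    return "white" if digests & white else "unknown"

def browse(files, white, black, show=("black", "unknown")):
    """Mimic the Black + Unknown browsing filter: hide files with white hashes."""
    marks = {name: classify(data, white, black) for name, data in files.items()}
    return {name: mark for name, mark in marks.items() if mark in show}

# Constructed sample data: file contents and list texts are invented for the demo.
FILES = {"ls": b"known good ls", "cat": b"known good cat",
         "malicious.file": b"known bad payload", "shady.me": b"never seen before"}
WHITE_TXT = ("# known-good set\n"
             + hashlib.md5(FILES["ls"]).hexdigest().upper() + "\n"     # upper-case entry
             + hashlib.sha1(FILES["cat"]).hexdigest() + "  # sha1 entry\n"
             + "not-a-hash\n")                                         # malformed, skipped
BLACK_TXT = hashlib.md5(FILES["malicious.file"]).hexdigest() + "\n"
WHITE, BLACK = load_hash_list(WHITE_TXT), load_hash_list(BLACK_TXT)

if __name__ == "__main__":
    for name, mark in browse(FILES, WHITE, BLACK).items():
        print(f"{mark:8} {name}")
```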

All other 4.4 changes are listed here: Atola Insight Forensic Changelog.

How to upgrade

Atola Insight Forensic 4.4 is available for download to all customers with an active software update subscription at no additional cost.

Where to buy

If you still do not have an Atola Insight Forensic and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:

http://atola.com/wheretobuy/

The extension modules can be acquired directly via Atola Technology.

We still have an upgrade program for owners of old Atola Insight v3.x. Please contact our Atola Technology sales to receive more specific information:

 
