Atola Technology

Calculating Hash During Imaging

Atola Insight Forensic supports hash calculation of both source and target devices in conjunction with imaging. We have developed highly flexible functionality to help optimize the evidence acquisition process to fit one’s internal procedures, as well as to avoid causing further damage to fragile media.

To view the hashing options:

  1. Go to the Imaging category of the left-side menu and click on the Create New Session link
  2. Select the target device or file
  3. In the Preset line, click on the Show settings link
  4. In the upper part of the Passes and Hash tab there are three checkboxes:
  • Pre-hash source device
  • Hash source during imaging
  • Post-hash target device(s)

Multiselect is available, so an operator can use any combination of these options, including all three.

However, the Pre-hash source device option must be used with caution: although pre-hashing may be required by an investigator’s internal procedures, it means a full extra read of the media, and on a drive that has been diagnosed with hardware failure this operation may cause further damage before the essential data has been imaged.

By contrast, Hash source during imaging is the most appropriate way to calculate the hash of a fragile source evidence drive: Insight reads the data only once to both image it and calculate the hash, so the drive’s hardware is used as little as possible.

NB: A linear hash can only be calculated by reading the sectors consecutively in a single pass. Ticking the Hash source during imaging checkbox and selecting Linear or the combined Linear and Segmented option in the Hashing method drop-down menu therefore limits imaging to one pass. When dealing with a damaged drive, we strongly recommend Segmented hashing: this method supports multi-pass imaging and the handling of bad sectors, and it provides better resiliency against data corruption, because a segment containing a bad sector can be re-read and re-hashed in a later pass without invalidating the hashes of the other segments, and a later mismatch can be localized to one segment instead of discrediting the whole image. For more details please follow this link: Segmented hashing.

The Post-hash target device(s) option calculates the hash of each target after imaging and records it in the case. Since this operation reads only the target and never the source drive, it is safe to use while imaging either good or damaged source drives.

Imaging a Source Drive to an E01 File with a Double Hash

In recent years, the E01 file format has become the de facto standard format for forensic purposes thanks to its ability to store not only a physical or logical copy of a source drive but also case and evidence details. An E01 file can also contain both MD5 and SHA-1 hashes, and it is considered good practice among forensic specialists to calculate both hashes while imaging the evidence so that they are included in the E01 file.

To image a source evidence drive to an E01 file, you have to add a new target file.

Selecting a new E01 file

1. In the Imaging category of the left-side menu, click on the Create New Session link and, in the Target Device Selection window, click on the Add Image File link.

2. In the Image File Selection window, select the E01 file extension in the drop-down menu and type the name you prefer in the File Name field.

3. Fill out all the relevant fields in the Image File Options window (you can also do this later on the Home page of the file once it is created):

4. Click on the Select button in the Target Device Selection window.

As a result, you get an E01 file with a current size of 0 bytes (its final size will be determined by the amount of imaged data it contains plus the metadata).

Imaging & calculating the hashes

  1. Go to the Imaging category of the left-side menu and click on the Create New Session link
  2. In the Preset line, click on the Show settings link
  3. In the Passes and Hash tab, check the Hash source during imaging box
  4. In the Hash method drop-down menu, select Linear
  5. In Hash type drop-down menu select MD5 and SHA-1
  6. Click on Start imaging button

Upon completion of imaging, both the MD5 and the SHA-1 hash are shown on the Imaging Results page:
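The Python script below is an added example written for this page; it is not Atola code and does not describe Insight's internals. It models the three hashing options from the first section together with the double hash used for E01: one consecutive read of a constructed 64-sector source feeds MD5 and SHA-1 (the linear double hash) and a per-segment SHA-256 at the same time, a sector that fails on the first pass leaves its segment unverified while the linear hashes become unavailable, a second pass re-reads only that segment, and a post-hash of the target checks the copy without touching the source. The segment size, the choice of SHA-256 for segment digests, the dictionary layout and the flaky-sector drive model are assumptions of the example.

```python
import hashlib

SECTOR = 512
SEGMENT_SECTORS = 8   # assumption: tiny segments so the demo stays readable


class SourceDrive:
    """Constructed stand-in for an evidence drive. ``flaky`` maps an LBA to the number
    of read attempts that must fail before that sector reads successfully, mimicking a
    sector that only yields on a retry in a later pass."""

    def __init__(self, data, flaky):
        self.data, self.flaky = data, dict(flaky)
        self.reads = 0      # every read attempt counts: shows how often the media is touched
        self.sectors = len(data) // SECTOR

    def read(self, lba):
        self.reads += 1
        if self.flaky.get(lba, 0) > 0:
            self.flaky[lba] -= 1
            raise IOError(f"read error at LBA {lba}")
        return self.data[lba * SECTOR:(lba + 1) * SECTOR]


def image_first_pass(src, target):
    """One consecutive read of the source. Every sector is copied to ``target`` and fed
    both to the linear MD5 and SHA-1 and to the SHA-256 of its own segment. An unreadable
    sector is written as zeros and its segment is flagged for a later pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    all_read, segments = True, []
    for start in range(0, src.sectors, SEGMENT_SECTORS):
        end = min(start + SEGMENT_SECTORS, src.sectors) - 1
        seg_hash, seg_ok = hashlib.sha256(), True
        for lba in range(start, end + 1):
            try:
                chunk = src.read(lba)
            except IOError:
                chunk, seg_ok, all_read = b"\x00" * SECTOR, False, False
            target[lba * SECTOR:(lba + 1) * SECTOR] = chunk
            for h in (md5, sha1, seg_hash):
                h.update(chunk)
        segments.append({"start": start, "end": end,
                         "sha256": seg_hash.hexdigest(), "verified": seg_ok})
    # A linear hash over zero-filled gaps does not describe the drive, so this example
    # reports it only when every sector was read; a later pass cannot complete it.
    linear = {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()} if all_read else None
    return linear, segments


def retry_pass(src, target, segments):
    """Later pass: re-read only the failed segments and recompute just their hashes."""
    for seg in segments:
        if seg["verified"]:
            continue
        seg_hash, ok = hashlib.sha256(), True
        for lba in range(seg["start"], seg["end"] + 1):
            try:
                chunk = src.read(lba)
            except IOError:
                ok = False
                break
            target[lba * SECTOR:(lba + 1) * SECTOR] = chunk
            seg_hash.update(chunk)
        if ok:
            seg.update(sha256=seg_hash.hexdigest(), verified=True)
    return segments


def post_hash_target(target, segments):
    """Post-hash the target only (no source reads): return the start LBA of every
    verified segment whose copy no longer matches the recorded segment hash."""
    mismatched = []
    for seg in segments:
        copy = bytes(target[seg["start"] * SECTOR:(seg["end"] + 1) * SECTOR])
        if seg["verified"] and hashlib.sha256(copy).hexdigest() != seg["sha256"]:
            mismatched.append(seg["start"])
    return mismatched


def demo():
    """Constructed 64-sector drive whose LBA 21 fails once and then reads on retry."""
    data = bytes(range(256)) * 128
    src, target = SourceDrive(data, flaky={21: 1}), bytearray(len(data))
    linear, segments = image_first_pass(src, target)
    failed, reads_pass1 = [s["start"] for s in segments if not s["verified"]], src.reads
    retry_pass(src, target, segments)
    return {
        "linear_after_pass1": linear,       # None: the single linear read hit a bad sector
        "failed_segments_pass1": failed,    # [16]: only the segment holding LBA 21
        "reads_pass1": reads_pass1,         # 64: every sector touched exactly once
        "reads_total": src.reads,           # 72: the retry re-read only one 8-sector segment
        "all_verified": all(s["verified"] for s in segments),
        "mismatched_after_post_hash": post_hash_target(target, segments),
        "target_matches_source": bytes(target) == data,
    }
```

Calling demo() returns the counters: the first pass touched each of the 64 sectors exactly once, the retry added only the eight reads of the failed segment, every segment ends up verified and the target matches the source, while the linear MD5 and SHA-1 stay unavailable because they cannot be completed without a fresh single read of the whole drive. That is the trade-off behind recommending Segmented hashing for a damaged drive and Linear MD5 and SHA-1 for a healthy drive imaged into an E01 file.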

Screenshot Analysis: Imaging a Freezing Drive

Recently, we received an email from a long-standing client. The drive he was imaging contained a large number of errors. We would like to use this screenshot of a real-case imaging process to illustrate how well Atola Insight Forensic handles the imaging of hard drives in such a dire state.

The numbers in the screenshot show that despite encountering over 1,100 errors, Insight has already imaged 605 million sectors out of the 1,745 million sectors it has attempted in this first pass. The speed may seem low, but Insight is actually able to read the drive, while most other imagers would likely be unable even to identify such a device.

Second, this screenshot is yet another example of the freezing drive recovery algorithm in action, which makes imaging much more efficient on severely damaged drives like the one in our example. We recently posted a guide explaining how the algorithm works and how it helps Insight avoid long idle periods waiting for the disk to become ready.

As for the situation in the screenshot: following the algorithm, Insight issued two consecutive resets (only after executing the second reset does Insight add a message to the Log saying Device freezes while reading block X – Y, as shown in the red box area of the screenshot). The drive did not become ready after either reset, so, as the freezing drive recovery algorithm prescribes, Insight executed a power cycle, which proved effective: the drive became ready to start reading the next planned block of sectors.

Finally, there are two graphs that reflect imaging progress: the upper one is called the imaging map bar and shows imaging progress throughout the whole drive space. The lower one is called the read speed graph and shows the time Insight spent reading recently imaged sectors. You may have noticed a few apparent discrepancies in these graphs:

  • Why does the imaging map bar indicate that 10% of the drive has been imaged, when the progress bar looks more like 30% of the total drive space?
    The bar reflects the media space between the first and the last sectors attempted. The percentage counts only successfully imaged sectors and does not include the skipped blocks: in its first pass, Insight jumps one million sectors ahead whenever it encounters bad sectors. When Insight returns to the skipped blocks during the following passes, it will allocate more time to reading each sector and will add the successfully imaged sectors to that percentage.
  • Why do the red zones in the imaging map bar look larger than those in the read speed graph?
    Each pixel in the imaging map bar stands for thousands of sectors, and the map gives priority to showing the location of errors over the location of good sectors. Being limited by screen size and resolution, the imaging map bar may therefore look very red while imaging a drive with a large number of errors, especially during the first pass, before the problematic sectors are retried more thoroughly.
  • Why do equally sized ranges in the read speed graph contain substantially different numbers of sectors, according to their LBA values?
    range 1. there are 819,200 sectors between 1,733,217,921 and 1,734,037,121,
    range 2. there are 4,802,816 sectors between 1,734,037,121 and 1,738,839,937,
    range 3. there are 6,794,624 sectors between 1,738,839,937 and 1,745,634,561.
    The spans differ because of the number of bad blocks of sectors located between them: during the first pass, Insight jumps ahead by one million sectors each time it encounters a block of sectors it cannot read, so a range that contains one or more such jumps covers many more LBAs than a range of consecutive successful reads.
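The three discrepancies above all follow from the first-pass behaviour just described: skipped sectors count toward the bar's extent but not toward the percentage, and equal-width graph bins that contain a jump cover many more LBAs. The Python model below is an added example written for this page; it is not Insight's algorithm and keeps only the one-million-sector jump the article describes, while the fixed 50,000-sector read block, the constructed drive layout (100 million sectors with an unreadable spot every 1.25 million sectors in the first half) and the graph bin of four read attempts are assumptions.

```python
JUMP = 1_000_000   # first-pass jump after an unreadable block, as described on the page
BLOCK = 50_000     # assumption: sectors attempted per read, chosen for a readable demo


def first_pass(total_sectors, bad_ranges, block=BLOCK, max_events=None):
    """Model of a first pass: read block by block; when a block overlaps an unreadable
    range, log a failed attempt and jump JUMP sectors ahead instead of retrying.
    ``max_events`` stops early, like a screenshot taken while the pass is still running."""
    lba, imaged, events = 0, 0, []
    while lba < total_sectors and (max_events is None or len(events) < max_events):
        end = min(lba + block, total_sectors)
        hit = any(s < end and lba < e for s, e in bad_ranges)
        events.append((lba, end, not hit))        # (start, end, success) of one attempt
        if hit:
            lba = min(lba + JUMP, total_sectors)   # skip ahead, do not retry now
        else:
            imaged += end - lba
            lba = end
    return {"imaged": imaged, "reached": lba, "total": total_sectors, "events": events}


def map_bar_view(snapshot):
    """The two progress indicators: the percentage counts only sectors actually imaged,
    while the bar's extent runs to the furthest LBA attempted, skipped blocks included."""
    total = snapshot["total"]
    return {"imaged_pct": 100 * snapshot["imaged"] / total,
            "bar_extent_pct": 100 * snapshot["reached"] / total,
            "skipped_sectors": snapshot["reached"] - snapshot["imaged"]}


def speed_graph_spans(events, per_bin=4):
    """Group read attempts into equal-width graph bins. Each bin's LBA span is
    last_end - first_start, so a bin that contains a jump covers far more sectors
    than a bin of consecutive successful reads."""
    spans = []
    for i in range(0, len(events) - per_bin + 1, per_bin):
        chunk = events[i:i + per_bin]
        spans.append((chunk[0][0], chunk[-1][1], chunk[-1][1] - chunk[0][0]))
    return spans


def demo():
    """Constructed drive of 100 million sectors with an unreadable 10,000-sector spot
    every 1.25 million sectors in its first half, observed after 150 read attempts."""
    total = 100_000_000
    bad = [(p, p + 10_000) for p in range(0, 50_000_000, 1_250_000)]
    snapshot = first_pass(total, bad, max_events=150)
    return map_bar_view(snapshot), speed_graph_spans(snapshot["events"])
```

demo() takes its snapshot after 150 read attempts: only 6.25% of the drive is imaged while the bar already extends to 31.25%, the difference being the 25 million sectors skipped by 25 jumps, and the graph bins alternate between spans of 1,150,000 and 200,000 sectors depending on whether a jump falls inside them. Running first_pass() to completion on the same drive images 60 million sectors and reaches the end; the remaining 40 million are left for the following passes.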

Wiping multiple drives simultaneously

Erasing data on destination drives before imaging ensures that nothing from a previous case remains on the target: any sector that is not written during imaging (for example, one that corresponds to an unreadable source sector) then contains only the fill pattern and cannot be mistaken for source data. Because every sector is written, the operation also helps verify that the target drive has no errors. In the process, all sectors are overwritten with the selected pattern or method.

When you need to prepare multiple hard drives for imaging, Insight’s multitasking capabilities let you do so much faster by launching Erase/Fill on several drives simultaneously, including those connected to the source port.

To wipe the drive connected to the source port, remember to switch off write protection on the port, so that the indicator above the switch is off and a notification appears right below the port bar saying Note: Write protection of currently attached device is OFF (see the picture below). Switch write protection back on before connecting an evidence drive to that port again.

Then follow these steps:
1. Under Device Utilities, select Fill or Erase.
2. Select a fill method from the wide range of options and click on the Next button.
3. Select the range of sectors to be erased on the drive and click on the Start Fill / Erase button.
4. Finally, confirm in the pop-up window that you want to erase the data on the disk.

To run a concurrent Fill/Erase process on another drive, click on the + (plus) icon in the port bar and select a drive connected to a Target port:


Then repeat the same steps to launch the process on this device:


By following the same steps, you can wipe one source drive and three target drives all at the same time, as shown in the picture below.

This ability to perform Fill/Erase on multiple drives makes Insight exceptionally useful for forensic units dealing with multiple cases, where evidence acquisition is an ongoing activity.

Screencast: Imaging Drives with Damaged Heads

Watch this guide to learn how to optimize Insight’s imaging settings when working with a source drive with damaged or degraded heads.