Atola Technology

Atola Insight Forensic 4.10 – Search of forensic artifacts in the course of imaging

On December 5 Atola Technology releases Atola Insight Forensic 4.10.

The key feature is the ability to search for artifacts while imaging source evidence media. It lets you search the source drive for credit cards, emails, URLs, IPs, GPS coordinates, phone numbers, keywords etc. in the course of imaging. This feature will help forensic specialists expedite investigations in urgent cases or when dealing with a damaged drive that takes hours to image.

The full list of Atola Insight Forensic 4.10 changes can be found here: Atola Insight Forensic Changelog.

Imaging settings now have a new Artifacts tab where different types of artifacts can be selected and lists of keywords or regular expressions can be uploaded.

For each of the artifacts, we have not simply applied well-known algorithms (e.g. the Luhn formula used to validate credit card numbers). We have developed our own smart filters to eliminate false results. For example, if there are two slashes near a number that has preliminarily been identified as a credit card number, it is eliminated from the search results, as it is likely to be part of a URL.

We have added a new Artifacts tab in the bottom part of Insight’s imaging window: the numbers of the found artifacts and the corresponding diagram change on the go.

The list of found artifacts is opened by a click on any of the categories or the diagram itself.

In the table, each artifact’s Value is shown in context (including 20 bytes before and 20 bytes after the artifact). The LBA and the offset are also displayed in the table to help locate the artifact.
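The credit card filter and the results table described above can be sketched as follows. This is an added example, not Atola's code: it combines a Luhn check with a rejection of candidates that have "//" nearby, and reports LBA, offset and 20 bytes of context per hit. The 512-byte sector size, the 20-byte window used for "near", the candidate pattern and the names scan_block and luhn_ok are assumptions.

```python
import re

SECTOR_SIZE = 512  # assumption: 512-byte logical sectors
CONTEXT = 20       # bytes of context on each side, as in the results table
URL_WINDOW = 20    # assumption: how close "//" must be to count as "near"

# 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(rb"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_block(data: bytes, base_lba: int = 0) -> list:
    """Return card-number hits found in one buffer read during imaging."""
    hits = []
    for m in CANDIDATE.finditer(data):
        digits = re.sub(rb"\D", b"", m.group()).decode()
        if not luhn_ok(digits):
            continue
        near = data[max(0, m.start() - URL_WINDOW):m.end() + URL_WINDOW]
        if b"//" in near:
            continue  # context filter: probably part of a URL
        hits.append({
            "value": digits,
            "lba": base_lba + m.start() // SECTOR_SIZE,
            "offset": m.start() % SECTOR_SIZE,
            "context": data[max(0, m.start() - CONTEXT):m.end() + CONTEXT],
        })
    return hits

# Constructed sample: three sectors of zeros, then three candidates in sector 3.
SAMPLE = (b"\x00" * (3 * SECTOR_SIZE + 100)
          + b"card 4111 1111 1111 1111 exp 12/29" + b"\x00" * 64
          + b"http://x.example/4111111111111111" + b"\x00" * 64
          + b"ref 1234567812345678")

if __name__ == "__main__":
    for hit in scan_block(SAMPLE, base_lba=1000):
        print(hit["lba"], hit["offset"], hit["value"], hit["context"])
```

Of the three candidates in the constructed buffer, only the first is reported: the second passes Luhn but sits in a URL, and the third fails the checksum.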

There are many options to help find, sort, filter and view the artifacts: it is possible to view one or a few categories of artifacts in one list, use the search bar to find a specific value, and filter results for unique values by clicking the Show only unique artifacts link.

The latter option is quite valuable as it helps identify the values most frequently occurring on the drive. It often accelerates the whole process of specific artifact search.

For more information about the Artifacts feature please read our next week’s blog post or follow this link to our manual:
http://atola.com/products/insight/manual

Where to buy

If you still do not have an Atola Insight Forensic and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:

http://atola.com/wheretobuy/

Please contact our Atola Technology sales to receive more specific information:

P.S. Dear customers, we appreciate your feedback and will take it into account when making changes to the product. Therefore, please feel free to write your thoughts or ideas as comments below.

Calculating segmented hash of a damaged drive

When you work with a damaged device, and imaging can only be performed in multiple passes due to bad sectors or physically damaged areas or heads, it is impossible to calculate a linear hash of the drive. This can become a serious challenge if you need to prove evidence integrity in a court of law. It is for such cases that Atola Insight Forensic has Segmented hashing functionality.

According to the recommended workflow, run Automatic checkup of the evidence drive.

If the drive has hardware or bad sector issues, it is likely that imaging will not be completed within one pass, and you can calculate the hash for such a drive only with Segmented hashing.

Furthermore, we recommend that you calculate the hash and image the drive simultaneously: this way data on the drive is only read once for both processes and you avoid further deterioration of the drive:

  1. Press on Create new session link in Imaging category of the left-side menu and select the target drive
  2. Click on Show settings link in Preset line
  3. Tick the box next to Hash source during imaging
  4. Select Segmented option in Hash method drop-down menu
  5. Click Start imaging button

Please note that the Segmented hashing option disables imaging in reverse direction on all passes.

Just as imaging narrows down the problematic areas and reads the data within these areas on each subsequent pass, Segmented hash is calculated for the successfully read spans of data.

Once imaging is completed, you can find the set of hashes calculated in the course of imaging. Go to the imaging report

In the Excel file with segmented hashes you can find the hash calculated for each of the 4 GB segments of the drive space, as configured in the settings. Some of the segments are smaller due to an encountered bad sector, which, in accordance with the multi-pass imaging algorithm, forced Insight to jump by a preconfigured number of sectors. Lower in the table you can find the hashes calculated for smaller segments within the jump area within the first three passes, illustrating the concept:

This way segmented hashing allows obtaining a hash even for a severely damaged drive.

Please follow this link to learn how you can easily verify segmented hashes:
http://atola.com/products/insight/manual/Verify-Image-with-Segmented-Hashing.html


In November 2016 Atola Technology introduced a new hashing method called Segmented hashing.

Atola’s open-source tool Seghash, which was written in Go and has been released under the MIT license, works on Windows, Linux and macOS. Atola Technology has published the tool on its GitHub page and encouraged the adoption of the segmented hashing algorithm by software vendors who want to provide their users with a superior hashing option.

Successful use of Insight in investigations: Our clients’ presentation

Ever since Atola Technology shifted its focus from data recovery to the forensic market, we have been researching our clients’ needs and developing Atola Insight Forensic in close cooperation with law enforcement agencies and forensic experts to meet their demand for a speedy evidence acquisition tool for both good and damaged media.

We find it very rewarding that our systems have been indispensable in a huge number of investigations and appreciate the feedback from our customers that we have been receiving throughout the years.

Among the forensic experts who have been successfully solving cases with the help of our devices are Derek Frawley and John Farrugia from the Police of Ontario, Canada.

In June 2017 Derek and John were invited to speak at the Techno Security and Digital Forensics Conference. In the presentation, they shared their experience in streamlined child exploitation investigations and dedicated 6 slides to Atola Insight Forensic and its functionality that makes this device essential to their investigation process.

We are deeply touched by the fact that our expertise in data recovery makes an impact in investigations as important to children, families and communities as these, and we would like to share this presentation with you.

Streamlined Child Exploitation Investigations by D. Frawley & J. Farrugia


Tracking a drive’s SMART table status before and after imaging

Being able to evaluate the drive’s state before it has exhausted its resources can make all the difference between a case won or a case lost in a court of law.

The SMART table is a valuable source of information about a hard drive’s health. SMART (Self-Monitoring, Analysis and Reporting Technology) provides stats of a drive’s operation, thus helping predict its future failure. Making a definitive conclusion based on the indices in the SMART table is not easy: not all parameters are critical, and it is usually a combination of bad values of a few parameters that points to trouble. The time factor plays a role too (how fast the state of the drive has been deteriorating).

To view SMART table of a drive:

  1. Go to View SMART subcategory of Diagnostics category of the left-side menu
  2. Click Read SMART button

SMART table attributes may differ depending on the drive manufacturer. The most critical attributes are:

  • Reallocated sectors count
  • Current pending sector count
  • Uncorrectable sector count

When the RAW value of any of these attributes is greater than zero, Insight will highlight it in yellow.

The worse the values, especially in these critical attributes, the more carefully the drive needs to be treated.

To keep track of the changes occurring to the attributes of the SMART table, Insight records SMART table indices before and after each imaging session.

To open both SMART tables for side-by-side comparison:

  1. Go to Imaging Results
  2. In SMART data line click View link.

By comparing the two tables, the operator can evaluate whether the health of a drive has been deteriorating throughout the imaging session and thus assess how quickly its health has been getting worse.

Whenever you need to evaluate how the state of the drive has been changing long-term, you can go to previous imaging sessions and look up the SMART table. Insight will store this information in its case management system.

Q&A during Techno Security and Digital Forensics Conference in San Antonio, Texas

We have just returned from Techno Security & Digital Forensics Conference, which took place on September 18-20 in San Antonio, Texas. Here are some of the questions asked at this event, which we would like to share with you, along with our answers to them. Should you have further queries, please don’t hesitate to write a comment below or send us a message here.

Question: Is there a reason why segmented hashing should be used to calculate hash of drives that are not damaged?

Answer: Yes, segmented hash allows you to verify evidence on the drive and its image even if either of them becomes damaged at some point in the future. With regular hashes you will get a hash mismatch upon verification and the entire image becomes useless. But with segmented hashing only a single hash value will become invalid while the rest of the image can still be validated.
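The behaviour described in this answer, and in the damaged-drive walkthrough earlier on the page, can be reproduced with the added example below. It is not Atola's or Seghash's code and does not use the Seghash file format: SHA-256, the 8-sector segment size, the (first LBA, last LBA, digest) record layout and the function names are assumptions chosen for a small demonstration.

```python
import hashlib

SECTOR = 512
SEGMENT_SECTORS = 8  # assumption: tiny segments for the demo (the page uses 4 GB)

def good_spans(total_sectors, bad_ranges):
    """Yield inclusive (first, last) LBA spans that were read successfully."""
    pos = 0
    for start, end in sorted(bad_ranges):
        if start > pos:
            yield pos, start - 1
        pos = max(pos, end + 1)
    if pos < total_sectors:
        yield pos, total_sectors - 1

def sha(image, first, last):
    return hashlib.sha256(image[first * SECTOR:(last + 1) * SECTOR]).hexdigest()

def segment_hashes(image, bad_ranges=(), seg=SEGMENT_SECTORS):
    """Hash each readable span, cut at segment boundaries and at bad ranges."""
    records = []
    for first, last in good_spans(len(image) // SECTOR, bad_ranges):
        lba = first
        while lba <= last:
            end = min(last, (lba // seg + 1) * seg - 1)
            records.append((lba, end, sha(image, lba, end)))
            lba = end + 1
    return records

def verify(image, records):
    """Return the (first, last) segments whose hash no longer matches."""
    return [(s, e) for s, e, digest in records if sha(image, s, e) != digest]

# Constructed 32-sector image; sectors 10-12 are treated as unreadable.
IMAGE = bytes(i % 251 for i in range(32 * SECTOR))
BAD = [(10, 12)]
RECORDS = segment_hashes(IMAGE, BAD)

# Simulate later damage to the stored image: flip one byte in sector 20.
DAMAGED = bytearray(IMAGE)
DAMAGED[20 * SECTOR + 7] ^= 0xFF
DAMAGED = bytes(DAMAGED)

if __name__ == "__main__":
    print([(s, e) for s, e, _ in RECORDS])
    print("linear hash still matches:",
          hashlib.sha256(IMAGE).digest() == hashlib.sha256(DAMAGED).digest())
    print("failed segments:", verify(DAMAGED, RECORDS))
```

A single flipped byte changes the linear hash of the whole image, while segment verification isolates the damage to sectors 16-23 and still validates the remaining segments.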

 

Question: Is it possible to adjust imaging settings during imaging?

Answer: Yes, it is possible to do that by clicking Imaging settings link in the upper part of Insight’s window.

It is possible to adjust the following settings:

  • post-hash target device(s)
  • reverse direction on individual passes
  • disable read look-ahead
  • maximum number of consecutive power cycles
  • actions on consecutive read errors
  • compare source and target after imaging
  • power down source device when finished
  • read SMART information before the beginning and after the end of imaging
  • head selection
  • enable email status notification

However, certain options cannot be adjusted on the fly (e.g. number of passes and some of their preferences, hash method and type, filling errors with patterns etc.). If you need to make changes to these settings, pause the current session and click Add new session link located under the paused session, and adjust settings before clicking Start Imaging button.

 

Question: Can Insight achieve top imaging speeds when saving an image file to a location on a local network?

Answer: Insight’s 10Gbit Ethernet extension module allows imaging drives to a local network at top speeds as well as performing file recovery, compare, write from file.

However, a few minor adjustments need to be made:

  1. Update the 10GbE driver on PC workstation to the latest version
  2. Link 10GbE Ethernet extension module and 10GbE PC workstation LAN adapter with a Cat6 ethernet cable
  3. Open Windows Network and Sharing Center
  4. Click Change adapter settings link
  5. Locate 10GbE Ethernet card and open its Properties by clicking with the right mouse button
  6. Click Configure button
  7. Select Advanced tab
  8. Change Jumbo Packet value to 9014

Note that PC motherboard quality can have an impact on the resulting network performance. Also ensure that the PC drive is able to read/write at speeds above 300 MB/s.

 

Question: If an imaging session is paused, and then a new imaging session with the same source and target devices is created, will Insight image all sectors in range all over again?

Answer: No, Insight will only image the sectors that remained unimaged after the previous session.

For example, if Insight has already imaged sectors 0 – 5,000,000 before imaging was paused, it will image sectors 5,000,001 onwards when imaging from the same source to the same target is started. However, if a different target device is connected, imaging will start from sector 0.