We were exhibiting with Atola Insight Forensic at the Enfuse and Techno Security conferences and received plenty of questions from people visiting our booth. Some of these questions were asked repeatedly, so sharing them and their corresponding answers in this blog makes sense. We do hope you find the information provided here helpful!
What is the maximum imaging speed?
You can always observe an actual imaging performance of 30 GB/min in Atola Insight Forensic v4.5 with a couple of Samsung 850 Pro solid-state drives used as source and target devices.
Why is Atola Insight Forensic better than competing products?
We produce the only solution that is specifically designed to support damaged media.
Our users usually begin with automatic diagnostics for an evidence drive. It takes a couple of minutes yet saves a lot of time and energy. It detects drive issues such as PCB instability, problems with the motor, short circuits, firmware errors, degraded or even nonworking heads, and physical media surface damage. Afterward, you can decide what to do next with the evidence drive.
Even if you work with a severely damaged source device, the imaging engine enables you to:
- disable damaged heads
- automatically overcome much more serious problems than so-called ‘software bad sectors’
- track drive state before, during and after imaging
- have every imaging event logged in a forensically sound manner
Atola Insight has file recovery integrated with imaging. By browsing the target image directory tree, you can always see which source file sectors are bad sectors or even were read with the ReadLong ATA command (without ECC).
Last but not least, Atola Insight Forensic can clear any unknown ATA password from the hard disk drive in just a minute.
What image formats can be used for target files?
Atola Insight Forensic supports imaging to three image file types:
- growing files: *.img
- preallocated files: *.imgp
- E01 files: *.e01
The first two are raw files, bit-to-bit source copies. The 3rd target file type is E01 (Encase). It can be either compressed or not. Imaging to non-compressed E01 is several times faster and does not depend on CPU speed and core count.
How exactly does Atola Insight imaging process cope with damaged drives?
We have two goals here when dealing with severely damaged source drives:
1) Get as much data as possible
2) Decrease the number of failed read attempts to finish imaging with a still-alive evidence drive
Atola Insight Forensic uses a fast imaging map, which enables it to run the whole process in multiple passes. The tool uses large blocks with short time-outs on the first few passes and then smaller blocks with longer time-outs on the last pass to image the tough areas. This provides the best possible results in the shortest amount of time.
Atola Insight’s ability to disable damaged heads can just save your evidence! Other imagers merely kill the drive during imaging. Imagine having seven of eight good heads. You can just image with all of them with the exception of the damaged one. Afterward, you can begin analysis of 87% of the acquired data and at the same time try to replace the damaged head. A physical head swap is always a risky challenge.
The imaging engine contains many automatic rules. For example, it resets or power-cycles the source when the source drive freezes. It can apply a reverse imaging direction in particular cases. Here is what is useful when dealing with damaged evidence: Two imaging reports are created before and after the process. Both include not only imaging information but also SMART tables, thus enabling you to see what happened to the source drive during the process.
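The multi-pass strategy described above (large blocks with short time-outs first, then smaller blocks with longer time-outs on the areas that failed), shown as an added Python simulation. It is not Atola's code: the drive model, latencies, pass settings and all names are constructed for illustration.

```python
# Added illustration: a constructed simulation, not Atola's imaging engine.
class SimulatedDrive:
    """Constructed source drive: 1 byte per sector; some sectors are bad or slow."""
    def __init__(self, sectors, bad, slow):
        self.sectors, self.bad, self.slow = sectors, set(bad), set(slow)
        self.failed_reads = 0

    def read(self, start, count, timeout_ms):
        """Return the block's bytes, or None on a bad sector or a time-out."""
        span = range(start, start + count)
        cost_ms = sum(200 if s in self.slow else 1 for s in span)  # assumed latencies
        if cost_ms > timeout_ms or any(s in self.bad for s in span):
            self.failed_reads += 1
            return None
        return bytes(s % 256 for s in span)


def multipass_image(drive, passes):
    """passes: [(block_sectors, timeout_ms), ...], large/short first, small/long last.
    Returns (image, unread_ranges, sectors_recovered_per_pass)."""
    image = bytearray(drive.sectors)           # unread sectors stay zero-filled
    todo = [(0, drive.sectors)]                # imaging map: ranges still to read
    recovered = []
    for block, timeout_ms in passes:
        failed, got = [], 0
        for start, end in todo:
            for pos in range(start, end, block):
                n = min(block, end - pos)
                data = drive.read(pos, n, timeout_ms)
                if data is not None:
                    image[pos:pos + n] = data
                    got += n
                elif failed and failed[-1][1] == pos:
                    failed[-1] = (failed[-1][0], pos + n)   # merge adjacent ranges
                else:
                    failed.append((pos, pos + n))
        todo = failed                           # only failed ranges are revisited
        recovered.append(got)
    return bytes(image), todo, recovered


# Constructed scenario: 1024 sectors, three unreadable ones and one slow one.
PASSES = [(128, 150), (16, 300), (1, 500)]

def demo():
    drive = SimulatedDrive(1024, bad={300, 301, 700}, slow={500})
    image, unread, recovered = multipass_image(drive, PASSES)
    return image, unread, recovered, drive.failed_reads

if __name__ == "__main__":
    _, unread, recovered, failed_reads = demo()
    print("recovered per pass:", recovered, "unread:", unread, "failed reads:", failed_reads)
```

In this scenario the first pass copies the bulk of the readable sectors before any small-block, long time-out reads touch the damaged areas, and the slow sector is recovered on the second pass once the time-out allows it.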
You claim you have the fastest forensic imager. How much forensic is it?
All source ports are write-protected:
- SAS and PCIe as extension modules
On top of that, overcurrent protection detects when the hard drive draws abnormal current and stops the hard drive to prevent any further damage.
Every action in Atola Insight is followed by automatically created case reports. The case management system gets a new report even if you physically flip the DiskSense unit’s write protection switch. Additionally, every case report includes mandatory information about the device, DiskSense unit, current PC, OS, and user.
Atola Insight Forensic 4.5 is released!
We put a great deal of effort into implementing the new imaging engine to improve image acquisition stability and performance at the same time. There are quite a few changes to other parts of the product as well. In total, our internal issue tracking system has a record number of almost 250 tasks completed for the 4.5 release.
Full Atola Insight Forensic 4.5 change log is available here: Version Log.
Atola Insight 4.5 benchmarks show speed-up of core disk operations (all numbers are MB/s):
Atola Insight Forensic 4.5
Atola Insight Forensic 4.4
|Imaging to SATA target
|Imaging to raw image file (1Gb network)
|Imaging to E01 file with MD5 and SHA1 (1Gb network)
|Imaging to compressed E01 file
The tests were performed using two drives of the following model: Samsung SSD 850 PRO 256GB EXM02B6Q.
New features in Imaging
The revamped Imaging engine introduces some smart and beautiful features. For example, it will now automatically clear the ATA password and HPA on the fly after a power cycle if they were temporarily removed (only temporary removal is supported for write-protected source media).
Imaging progress bar is included in every resulting case report to visualize cloned data.
There is a new imaging setting “Stop hashing on first error”. It calculates and stores a correct hash for all sectors preceding the first read error on an evidence drive.
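How a hash that stops at the first read error stays verifiable against the target image, as an added Python sketch. It is not Atola's implementation: the `read_sector` callback, the zero-filling of unreadable sectors, the use of SHA-1 and the sample drive are assumptions made for this example.

```python
import hashlib

SECTOR = 512  # bytes per sector in this constructed example


def image_with_prefix_hash(read_sector, total_sectors):
    """Linear imaging where hashing stops at the first unreadable sector.

    read_sector(lba) is a hypothetical callback returning SECTOR bytes,
    or None on a read error. Returns (image, hex_digest, hashed_sectors).
    """
    image = bytearray()
    hasher = hashlib.sha1()
    hashed, hashing = 0, True
    for lba in range(total_sectors):
        data = read_sector(lba)
        if data is None:
            hashing = False            # freeze the hash but keep imaging
            data = bytes(SECTOR)       # assumed: gaps are zero-filled in the image
        elif hashing:
            hasher.update(data)
            hashed += 1
        image += data
    return bytes(image), hasher.hexdigest(), hashed


def verify_prefix(image, digest, hashed_sectors):
    """Re-hash only the sectors covered by the stored hash and compare."""
    prefix = image[:hashed_sectors * SECTOR]
    return hashlib.sha1(prefix).hexdigest() == digest


def demo():
    # Constructed source: 8 sectors, LBA 5 is unreadable.
    def read_sector(lba):
        return None if lba == 5 else bytes([lba]) * SECTOR
    return image_with_prefix_hash(read_sector, 8)


if __name__ == "__main__":
    image, digest, hashed = demo()
    print(hashed, "sectors hashed, prefix verifies:", verify_prefix(image, digest, hashed))
```

The stored digest covers only real source data, so it differs from a hash of the whole image, which would also include the filler written for the unreadable sector.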
We improved logging verbosity during imaging. You can see the most noticeable change when ‘All sectors with data/metadata’ is selected. In that case the imaging log will contain information about found partitions.
Last but not least, Atola’s new media map manager offers better user experience to select custom partitions and ranges for imaging.
There are two new options in Miscellaneous tab that need to be explained:
- Power down SATA target device when operation finished
- Enable Target HEX viewer during Imaging
Power down SATA target device when operation finished
Before Atola Insight 4.5, all long-lasting operations (Imaging, Calculate Hash, Fill or Erase, Comparing) performed on Target ports were followed by a mandatory power-off. This is mainly done for the safety of target drives containing imaged source data. However, the power-off is not always wanted. For instance, if you are wiping a drive with Fill or Erase and are going to start Imaging immediately afterward, a power cycle is not needed. In that case, it is convenient to disable the option.
Enable Target HEX viewer during Imaging
Disabling the Target HEX viewer during Imaging matters when the source data is so sensitive that the software user must not see it. In such a case, Imaging runs from a source drive to a target drive, both plugged into the DiskSense system. With the Target HEX viewer disabled, we guarantee that the source byte stream passes through the DiskSense system only and does not enter the network or the host PC.
All other 4.5 changes are listed here: Atola Insight Forensic Changelog.
How to upgrade
Atola Insight Forensic 4.5 can be downloaded by all customers with an active software update subscription at no additional cost.
Where to buy
If you still do not have an Atola Insight Forensic and would like to place an order, it can be done directly via Atola Technology, or from a distributor near you:
We still offer an upgrade program for owners of old Atola Insight v3.x. Please contact our Atola Technology sales to receive more detailed information:
We would like to share the newest speed achieved by the revamped Imaging engine. It will be shipped within 4.5 software update in May.
Total imaging performance was significantly improved during the last 4 months. Just take a look at the 503MB/s imaging speed in the screenshot below. It is more than 30 GB per minute.
The new imaging engine empowers you to clone a 256GB Samsung 850 Pro in just 8.5 minutes!
Atola Insight Forensic 4.4 is ready for download now!
The newest version got 3 new extension modules supported, 130+ improvements and bug fixes. In particular, we have been working really hard on the major new features addressed below.
Full Atola Insight Forensic 4.4 change log is available here: Changelog.
SAS extension module
The SAS extension module was designed to diagnose SAS drives and acquire images from them. It is really easy to use. Like any other extension module, it should be plugged into the Extension port located on the DiskSense unit. Then you connect a SAS drive to it and simply start working.
Atola Insight Forensic 4.4 supports damaged SAS drives, senses currents during Automatic Checkup, provides short circuit and overvoltage protection as well as write protection.
10 GBit Ethernet extension module
The 10GBit Ethernet module is primarily targeted to accelerate data transfer speed between PC and DiskSense system. It speeds up imaging source drive to an image file from 100 MB/s to 300-400 MB/s. File recovery from SATA/USB drives receives the same level of acceleration.
The extension module works via 10G Cat6 copper cable with RJ45 (8P8C) interface for connection.
There are some tips in the manual that help to get optimum performance. To open the manual, launch Atola Insight Forensic 4.4 and press F1.
M.2 PCIe/SATA extension module
This extension module allows you to work with both PCIe and SATA drives with an M.2 connector. It is another type of source drive you can select in Atola Insight. The extension supports damaged drives, write protection and lots of Atola Insight Forensic operations.
You can also find more information about this and other Atola Insight extension modules.
Revamped E01 image file support
We totally revamped E01 (Encase) image file support in order to make it faster and support Pause/Resume feature in Imaging. This also helped to increase compatibility of E01 files produced via Atola Insight with some third-party forensic tools which are not tolerant to E01 metadata deviations.
White/Black hash lists
The new Atola Insight version allows you to import text files containing huge lists of file hashes. Those can be treated as white or black hashes. The idea behind these types is simple:
- White hash term stands for a known good file created by known software.
- Black hash means some known bad file. It could be malware, a hacking script, or a hidden illicit data file.
Once hash lists are imported into the Atola Insight DB, File Recovery checks every calculated file hash against the database. If a file hash belongs to either the white or the black hash list, special marks are shown on the left of file hash values:
- Files having white hashes detected are marked with ticks.
- Files having black hashes are marked with warning triangles.
On top of that, White/Black hash list filtering is supported throughout the whole of File Recovery. It is available as the ‘Hash list’ condition in the Search window, so one can quickly find all files with unknown hashes (those that are not white or black) and begin working on them.
File browsing filters have also received three new options: White, Black, Unknown. Here is an example. You can see a Linux partition with the /usr/bin folder opened, which normally contains more than 1300 files.
Case 1. No filters applied
All files are shown. The ticked files are good ones since they have white hashes (marked with ticks).
Case 2. Black and Unknown hash list filters applied
All good files with White hashes are filtered out. Thus, we see just the two files that are valuable for further analysis. The hash of malicious.file was found in the black hash list. shady.me is not marked, which means it could contain some interesting data inside.
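The white/black/unknown triage and the Case 2 filter described above, as an added Python example. It is not Atola Insight code: the list format (one hex digest per line), SHA-256 as the hash, the rule that black wins over white, and the sample file contents are all assumptions; only the file names malicious.file and shady.me come from the example above.

```python
import hashlib
import os
import tempfile


def load_hash_list(text):
    """Assumed list format: one hex digest per line; blanks and '#' comments skipped."""
    return {ln.split()[0].lower() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}


def file_digest(path, chunk=1 << 20):
    h = hashlib.sha256()                      # assumed algorithm for this example
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(root, white, black):
    """Map each file under root to 'white', 'black' or 'unknown'."""
    marks = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            digest = file_digest(path)
            # Assumption: a hash present in both lists is treated as black.
            mark = "black" if digest in black else "white" if digest in white else "unknown"
            marks[os.path.relpath(path, root)] = mark
    return marks


def apply_filter(marks, show):
    """Keep only files whose mark is in `show`, like the browsing filters."""
    return sorted(p for p, m in marks.items() if m in show)


def demo():
    # Constructed stand-in for /usr/bin: two known-good files plus the two from Case 2.
    files = {"ls": b"known good ls", "cat": b"known good cat",
             "malicious.file": b"constructed bad content", "shady.me": b"never seen before"}
    sha = lambda name: hashlib.sha256(files[name]).hexdigest()
    white = load_hash_list("# constructed white list\n" + sha("ls") + "\n" + sha("cat") + "\n")
    black = load_hash_list(sha("malicious.file").upper() + "  malicious.file\n")
    with tempfile.TemporaryDirectory() as root:
        for name, data in files.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        marks = classify(root, white, black)
    return marks, apply_filter(marks, {"black", "unknown"})
```

Normalising digests to lower case on import keeps lists exported by different tools comparable.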
All other 4.4 changes are listed here: Atola Insight Forensic Changelog.
How to upgrade
Atola Insight Forensic 4.4 is available for download to all customers with an active software update subscription at no additional cost.
Where to buy
If you still do not have an Atola Insight Forensic and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:
The extension modules can be acquired directly via Atola Technology.
We still have an upgrade program for owners of old Atola Insight v3.x. Please contact our Atola Technology sales to receive more specific information:
The DiskSense hardware system includes an internal HASP USB dongle. It contains unique activation and subscription information.
Having more than one DiskSense system in your network may result in HASP-related conflicts. These conflicts usually manifest as “Too many connections” or “Cannot located DiskSense unit” errors. The issue is caused by the behavior of the HASP discovery system, which by default picks a random HASP dongle on the network. In other words, one Atola Insight Forensic instance may establish a connection with one DiskSense system but “use” the HASP dongle of another (random) system available on the network.
How to resolve multiple HASP connection issues
We would like to share the solution with you. The HASP discovery system offers a web administration tool where one can easily set up an IP filter specifying HASP dongle search locations.
- Access the URL with your browser: http://localhost:1947
- Click ‘Configuration’ link in the left side menu
- Click ‘Access to Remote License Managers’ tab
- Untick ‘Broadcast Search for Remote Licenses’ checkbox
- Enter the IP of the specific DiskSense unit you want to be connected to
- Click ‘Submit’
After you perform these actions, the final screen should look like this:
Note: 192.168.0.200 is used as an example.