Atola Technology

Atola Insight Forensic 4.7 – Segmented hashing

Atola Insight Forensic 4.7 is released!

This release introduces a new hashing concept that keeps an evidence image verifiable even if part of the target image is later damaged, and that works in parallel with the multi-pass imaging engine.

The full list of Atola Insight Forensic 4.7 changes can be found here: Atola Insight Forensic Changelog.

How is segmented hashing different from regular hashing?

With regular hashing, you get a single hash for the entire image.

With segmented hashing, you end up with many hashes, each covering a corresponding LBA range (chunk) of the image. Together these LBA ranges cover the entire image, just not necessarily in sequential order. By validating all hashes in a set, you can still prove that the entire image was not modified.

All segment hashes are saved in a CSV file with the following simple format:

Hash,start LBA,end LBA

Example:

75c92419e86ce82734ef3bbb781e6602,0,8388608
e2c7fc5264bae820e46c50b0502236d3,8388609,16777216
42718e48b5adb59563c98727cbce0619,16777217,25165824

… And so on until the last LBA.

Segmented hashes for multi-pass imaging

Conventional (single-hash) algorithms require the source to be read linearly, so they cannot produce a proper hash when a damaged evidence drive is imaged in a non-linear way. Enabling segmented hashing allows the use of multiple passes and more efficient handling of damaged drives, while still hashing all good areas.

Hashes are calculated only for the imaged regions, while all bad sectors are excluded from the calculation.

Segmented hashing in Imaging

Better resiliency

Another reason to use segmented hashes is better resiliency against corruption of the target image. If your acquired evidence image is damaged at some point in the future, with a regular hash you will get a hash mismatch upon verification and the entire image becomes useless, whereas with segmented hashes only one hash from the set becomes invalid.

Example – imaging with segmented hashing enabled

Here are the imaging results, with a link to the segmented hashes file.

Imaging results with segmented hashes

Segmented hashes are saved in a CSV file with the simple “Hash,start LBA,end LBA” format:

Segmented hashes in CSV file

Example – verification of segmented hashes

There is a new operation added to Atola Insight – Verify Segmented Hashes. It is an automated way to take existing CSV files containing segmented hashes and verify all of them against the target image.

Let us take a closer look at the example to see how it works.

Step 1. First, let’s simulate a change of the evidence image. We can do so by selecting the target image and changing one byte at sector #35,000,000.

Change one byte in Disk Editor


Step 2. Now we go to Verify Segmented Hashes. Select the file with segmented hashes calculated during imaging and click Start.

Start segmented hash verification


Step 3. Hash verification is in progress. Here we see 18 segmented hashes checked. The hash for the interval that includes sector 35,000,000 is invalid.

Segmented hash verification in progress


Step 4. Hash verification finishes with the proper case report automatically created.

Segmented hash verification report


If you want to learn more about other 4.7 changes, visit this page: Atola Insight Forensic Changelog.

Where to buy

If you still do not have an Atola Insight Forensic and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:

http://atola.com/wheretobuy/


P.S. Dear customers, we appreciate your feedback and will take it into account when making changes to the product. Therefore, please feel free to write your thoughts or ideas as comments below.


Battery for Atola Insight Forensic

Today we are introducing our new product – Atola Battery.

Forensic work is becoming more and more mobile. This is why our team decided to come up with our first battery solution. It makes your work with Atola Insight Forensic less dependent on the availability of mains power. There are two main forensic use cases we see and want to emphasize.

  • Start image acquisition even when there is no electrical power.
  • Protect a working DiskSense unit from power loss.

Atola Battery

Technical specifications

  • Work time: 3 hours 30 minutes, when imaging source HDD to target HDD with MD5 calculation
  • Standby time: more than 5 hours
  • Full charging: 2 hours
  • Capacity: 148 Wh
  • Input/output: 19V DC
  • Chemical: Lithium-ion
  • Dimensions: 7.5 x 7.3 x 2.1 in (192 x 185 x 54 mm)
  • Weight: 3.5 lb (1.6 kg)
  • LED charge indicators
  • Quiet mode switch
  • Chaining with 1 or 2 additional batteries

Battery for Atola Insight Forensic

Battery chaining

Battery chaining is an exclusive feature from Atola Technology.

Imagine that you have two or three Atola batteries. All of them have standard DC inputs and outputs and are internally designed to be linked together. As a result, you get a cumulative effect: the charges of all the batteries add up. This is how your battery work time can increase to more than 10 hours.

battery-chaining

Where to buy

The batteries are already in stock and ready to be shipped. You can purchase Atola battery following this link:

http://atola.com/wheretobuy/

Please contact our Atola Technology sales to receive more specific information:

Atola Insight Forensic 4.6 – Scripting

Today we are releasing Atola Insight Forensic 4.6.

The killer feature is AtolaScript language and the script execution engine. Now Atola Insight empowers you to perform the most sophisticated tasks by combining over 50 commands the way you want. Those include custom ATA commands, various commands to scan throughout the entire media to find specific data, read/write tests, and many others.

Full Atola Insight Forensic 4.6 change log is available here: Changelog.

Scripting

AtolaScript is probably the simplest language you have ever seen. Scripts consist of one-line instructions without semicolons. Conditions (if) as well as while, for and foreach loops are available in C# syntax. It is easy to run multiple scripts over different SATA, USB, SAS and IDE devices at the same time.

With all that being mentioned, the best thing about scripting is a wide variety of simple yet powerful commands designed by Atola team.

Custom ATA commands

Atola Insight Forensic has just become the first forensic solution that enables you to execute any ATA command on any SATA/IDE drive.

There are three AtolaScript commands for running custom ATA commands, depending on whether data is transferred and in which direction:

  • Ata
  • AtaIn
  • AtaOut

A few examples:

Forensic scripts - Custom ATA commands


Remark: Built-in Source port write-protection rejects any custom ATA command that can modify device state (i.e. perform a write operation).


Ultimate pattern/word/phrase search

The scripting system includes an internal search engine which is based upon Intel Hyperscan, a high-performance multiple regex matching library. It enables you to run searches everywhere including unallocated space with the help of three commands:

  • FindHEX
  • FindWords
  • Find

The commands work for all SATA, USB, SAS, IDE devices plugged into the DiskSense system.

FindWords

The command performs a search for words or phrases over the whole media space or a specified region. One of the coolest FindWords features is that it attempts to match words/phrases in different encodings: ASCII, UTF-8, UTF-16LE, UTF-16BE. Now you can quickly perform a search in a multi-language environment.

In the example below you can see how FindWords outputs found matches for three words: Dubai, Quebec, Venice.

Forensic keyword search in Atola Insight

FindHEX

We have also implemented FindHEX for high-performance HEX pattern search.

The screenshot shows how simple it is to look for BitLocker volumes:

Forensic scripts - HEX search

Find

Find is a powerful way to run a regular expression search over a specified disk region. You can find practically anything using the command: emails, GPS coordinates, phone numbers, home addresses, IPs, credit card numbers and so forth.

Forensic scripts - Find IP and MAC addresses via regex
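The three search styles above (FindWords across encodings, FindHEX for a byte pattern, Find with a regular expression) can be illustrated with plain Python over a raw image. The block below is an added example and is not AtolaScript or Atola's engine (it uses the standard `re` module, not Hyperscan); the sample image, the planted strings and the IP/MAC regexes are constructed for the demonstration. The BitLocker signature it looks for is the "-FVE-FS-" OEM name that a BitLocker volume header carries at byte 3 of its first sector.

```python
import re

SECTOR = 512
ENCODINGS = ("ascii", "utf-8", "utf-16-le", "utf-16-be")

# Regexes of the kind the Find command is used for (constructed for this example).
IPV4_RE = rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"
MAC_RE = rb"(?<![0-9A-Fa-f:])(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f:])"


def build_sample_image():
    """Constructed 8-sector 'image': '.' filler with a few artifacts at known offsets."""
    img = bytearray(b"." * (SECTOR * 8))

    def plant(offset, data):
        img[offset:offset + len(data)] = data

    # BitLocker volume header: x86 jump, then the "-FVE-FS-" OEM name at byte 3 of the sector
    plant(2 * SECTOR, b"\xeb\x58\x90-FVE-FS-")
    plant(2000, b"Dubai")                          # ASCII
    plant(2100, "Quebec".encode("utf-16-le"))      # UTF-16LE, as Windows/NTFS strings usually are
    plant(2200, "Venice".encode("utf-16-be"))      # UTF-16BE
    plant(3000, b"src=192.168.1.10 mac=00:1a:2b:3c:4d:5e")
    return bytes(img)


def _find_all(image, needle):
    """Every offset at which the byte string needle occurs."""
    pos, hits = image.find(needle), []
    while pos != -1:
        hits.append(pos)
        pos = image.find(needle, pos + 1)
    return hits


def find_words(image, words, encodings=ENCODINGS):
    """Search for each word in every encoding; returns sorted (offset, word, encoding).

    ASCII and UTF-8 produce the same bytes for an ASCII word, so each distinct byte
    pattern is searched once and reported under the first encoding that yields it.
    """
    hits = []
    for word in words:
        needles = {}
        for enc in encodings:
            try:
                needles.setdefault(word.encode(enc), enc)
            except UnicodeEncodeError:      # e.g. a non-ASCII word under "ascii"
                continue
        for needle, enc in needles.items():
            hits.extend((off, word, enc) for off in _find_all(image, needle))
    return sorted(hits)


def find_hex(image, hex_pattern):
    """Byte-pattern search with the pattern given as a hex string (FindHEX style)."""
    return _find_all(image, bytes.fromhex(hex_pattern))


def find_regex(image, pattern):
    """Regex search over the raw bytes (Find style); returns (offset, matched bytes)."""
    return [(m.start(), m.group(0)) for m in re.finditer(pattern, image)]


if __name__ == "__main__":
    img = build_sample_image()
    print(find_words(img, ["Dubai", "Quebec", "Venice"]))
    print("BitLocker signature at:", find_hex(img, "2d4656452d46532d"))
    print(find_regex(img, IPV4_RE), find_regex(img, MAC_RE))
```

One point the example makes visible: a UTF-16LE string preceded by a zero byte also matches the UTF-16BE needle shifted one byte earlier, which is why the filler here is non-zero. A real image has plenty of zero padding, so a multi-encoding keyword search should be expected to report such offset-by-one duplicates, and the hit offset itself (even versus odd alignment) is the quickest way to tell them apart.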


Other handy AtolaScript commands

There are more than 50 commands available at your disposal. For instance, you can freely wipe, compare, hash drives or specific (or calculated) sector intervals.

Below I include a few more examples of what AtolaScript can do.

SMART attribute check

Forensic scripts - analyzing SMART


Data entropy calculation

Forensic scripts - Calculating entropy
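As an added illustration of what an entropy calculation over sector intervals gives an examiner (this is example code, not Atola's; the sample image and the classification thresholds are constructed for the demonstration): Shannon entropy per byte is near 0 for empty or constant regions, around 4 to 5 bits for English text, and close to 8 for encrypted or compressed data, so a per-interval sweep quickly separates unused space, documents and random-looking regions.

```python
import math
import random
from collections import Counter

SECTOR = 512


def shannon_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant block, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(entropy, high=7.5, low=1.0):
    """Labels for an interval; the thresholds are an assumption for this example."""
    if entropy >= high:
        return "random-like (encrypted or compressed)"
    if entropy <= low:
        return "empty or constant"
    return "structured data"


def entropy_by_interval(image, sectors_per_interval=8):
    """Return [(start_lba, end_lba, entropy, label)] with end_lba inclusive."""
    total = len(image) // SECTOR
    out = []
    for start in range(0, total, sectors_per_interval):
        end = min(start + sectors_per_interval, total)
        e = shannon_entropy(image[start * SECTOR:end * SECTOR])
        out.append((start, end - 1, e, classify(e)))
    return out


def build_sample_image():
    """Constructed image: 8 zero sectors, 8 sectors of English text, 8 random sectors."""
    text = (b"The quick brown fox jumps over the lazy dog. " * 100)[:8 * SECTOR]
    rng = random.Random(7)
    noise = bytes(rng.randrange(256) for _ in range(8 * SECTOR))
    return bytes(8 * SECTOR) + text + noise


if __name__ == "__main__":
    for start, end, e, label in entropy_by_interval(build_sample_image()):
        print(f"LBA {start:>4}-{end:<4} entropy {e:4.2f}  {label}")
```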


Running benchmark test commands in parallel with scripts running on other devices

Forensic scripts - Multi-tasking


Friendly AtolaScript editor

The editor comes with a number of helpful UI options that turn scripting into a pleasant experience. Wherever these icons show up:

PlusEdit


you can click them to pick a command while viewing its description and sample code, and then edit the command's parameters with additional guidance.

Forensic scripting command panel

Forensic scripting - Parameters panel


All other 4.6 changes are listed here: Atola Insight Forensic Changelog.

How to upgrade

Atola Insight Forensic 4.6 can be downloaded by all customers with an active software update subscription at no additional cost.

Where to buy

If you still do not have an Atola Insight Forensic and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:

http://atola.com/wheretobuy/

We still have an upgrade program for owners of old Atola Insight v3.x. Please contact our Atola Technology sales to receive more specific information:


Network database setup in Atola Insight Forensic

Atola Insight Forensic can work with a remote database shared between many users. Here is how to set up such a network database and connect PCs running Atola Insight to it.

1. Pre-install SQL Server 2012 or 2014 on the network server PC

2. Launch Atola Insight Forensic on the user PC

3. Navigate to Insight -> Database Connection Settings from the top menu

A. Select Server type: Remote

B. Specify network server name, select SQL server instance and database names

C. Enter SQL server login and password as shown in the picture below:

Network database Atola Insight Forensic

4. Click OK and re-launch Atola Insight Forensic on the user PC.

5. It will create the remote database and ask for the Work Folder name:

Hint: Work Folder is necessary to store large files that do not fit into the database: imaging maps, logs, file recovery hash lists.

6. Change the Work Folder to the shared folder on the network server PC.

Example: The network folder successfully selected
Network work folder in Atola Insight Forensic


Now the Atola Insight network database is ready for remote use! You can connect the Atola Insight Forensic software on other PCs to it by entering the same database settings as in step 3. There is no need to specify the Work Folder again, because Atola Insight loads it from the remote SQL server on the network server PC.

The only limitation: Two users will not be able to work on the same case simultaneously.

Q&A during Enfuse and Techno Security conferences

Atola booth

We were exhibiting with Atola Insight Forensic at Enfuse and Techno Security conferences and received plenty of questions from people visiting our booth. Some of these questions were repeatedly asked, so sharing them and their corresponding answers in this blog makes sense. We do hope you find the information provided here helpful!

What is the maximum imaging speed?

You can always observe an actual imaging performance of 30 GB/min in Atola Insight Forensic v4.5 with a couple of Samsung 850 Pro solid-state drives used as source and target devices.

Why is Atola Insight Forensic better than competing products?

We produce the only solution that is specifically designed to support damaged media.

Our users usually begin with automatic diagnostics of an evidence drive. It takes a couple of minutes yet saves a lot of time and energy. It detects drive issues such as PCB instability, motor problems, short circuits, firmware errors, degraded or even non-working heads, and physical damage to the media surface. Afterward, you can decide what to do next with the evidence drive.

Even if you work with a severely damaged source device, the imaging engine enables you to:

  • disable damaged heads
  • automatically overcome much more serious problems than so-called ‘software bad sectors’
  • track drive state before, during and after imaging
  • have every imaging event logged in a forensically sound manner

Atola Insight has file recovery integrated with imaging. By browsing the target image directory tree, you can always see which source file sectors are bad sectors or even were read with the ReadLong ATA command (without ECC).

Last but not least, Atola Insight Forensic can clear any unknown ATA password from the hard disk drive in just a minute.

What image formats can be used for target files?

Atola Insight Forensic supports imaging to three image file types:

  • growing files: *.img
  • preallocated files: *.imgp
  • E01 files: *.e01

The first two are raw files, bit-for-bit copies of the source. The third target file type is E01 (EnCase). It can be either compressed or uncompressed. Imaging to uncompressed E01 is several times faster and does not depend on CPU speed or core count.

How exactly does Atola Insight imaging process cope with damaged drives?

We have two goals here when dealing with severely damaged source drives:
1) Get as much data as possible
2) Decrease the number of failed read attempts to finish imaging with a still-alive evidence drive

Atola Insight Forensic uses a fast imaging map, which enables it to run the whole process in multiple passes. The tool uses large blocks with short time-outs on the first few passes and then smaller blocks with longer time-outs on the last pass to image the tough areas. This provides the best possible results in the shortest amount of time.

Atola Insight’s ability to disable damaged heads can save your evidence! Other imagers simply kill the drive during imaging. Imagine having seven of eight good heads. You can image with those seven and skip the damaged one. Afterward, you can begin analysis of 87% of the acquired data and at the same time try to replace the damaged head. A physical head swap is always a risky challenge.

The imaging engine contains many automatic rules. For example, it resets or power-cycles the source when the source drive freezes. It can apply a reverse imaging direction in particular cases. Here is what is useful when dealing with damaged evidence: Two imaging reports are created before and after the process. Both include not only imaging information but also SMART tables, thus enabling you to see what happened to the source drive during the process.
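To make the multi-pass idea concrete, here is an added simulation (example code, not Atola's engine or its real pass parameters): a constructed drive with one hard-bad sector and one sector that only answers after a long delay is imaged first with large blocks and a short time-out, then with smaller blocks, and finally sector by sector with a long time-out. Blocks that fail stay pending in the imaging map and are retried only in the next pass, so the good data is collected with a small number of read attempts and the damaged area is narrowed down to the one sector that really is unreadable.

```python
import random
from dataclasses import dataclass

SECTOR = 512


@dataclass
class SimulatedDrive:
    """Constructed source drive (not a real device).  A block read fails as a whole
    if any sector in it is hard-bad, or is 'slow' and needs longer than the timeout."""
    data: bytes
    bad_sectors: set
    slow_sectors: dict          # lba -> milliseconds the drive needs to return that sector
    read_attempts: int = 0

    @property
    def total_sectors(self):
        return len(self.data) // SECTOR

    def read(self, lba, count, timeout_ms):
        self.read_attempts += 1
        for s in range(lba, lba + count):
            if s in self.bad_sectors or self.slow_sectors.get(s, 0) > timeout_ms:
                return None     # the whole block read errors out or times out
        return self.data[lba * SECTOR:(lba + count) * SECTOR]


# (block size in sectors, timeout in ms): big blocks with short timeouts first,
# single sectors with a long timeout last.  Illustrative values, not Atola's.
PASSES = [(64, 500), (8, 5000), (1, 30000)]


def image_multi_pass(drive, passes=PASSES):
    """Returns (status per LBA, target image bytes, total read attempts)."""
    total = drive.total_sectors
    status = ["pending"] * total          # the imaging map
    target = bytearray(total * SECTOR)    # unreadable sectors stay zero-filled
    for block, timeout in passes:
        lba = 0
        while lba < total:
            if status[lba] != "pending":
                lba += 1
                continue
            run = 1                       # contiguous pending sectors, up to the block size
            while run < block and lba + run < total and status[lba + run] == "pending":
                run += 1
            data = drive.read(lba, run, timeout)
            if data is not None:
                target[lba * SECTOR:(lba + run) * SECTOR] = data
                status[lba:lba + run] = ["ok"] * run
            lba += run                    # a failed block stays pending for the next pass
    status = ["bad" if s == "pending" else s for s in status]
    return status, bytes(target), drive.read_attempts


def build_drive():
    """256-sector constructed drive: sector 100 is unreadable, sector 200 needs 2 s."""
    rng = random.Random(3)
    data = bytes(rng.randrange(256) for _ in range(256 * SECTOR))
    return SimulatedDrive(data, bad_sectors={100}, slow_sectors={200: 2000})


if __name__ == "__main__":
    drive = build_drive()
    status, target, attempts = image_multi_pass(drive)
    print("bad sectors:", [i for i, s in enumerate(status) if s == "bad"])
    print(f"read attempts: {attempts} for {drive.total_sectors} sectors")
```

On this drive the first pass reads two of the four 64-sector blocks, the second pass recovers everything around the bad sector and also the slow sector (its 2 s is within the 5 s time-out), and the last pass needs only eight single-sector reads to isolate sector 100: 28 read attempts in total instead of one per sector, and only one failed read against the sector that is genuinely bad on the final pass.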

You claim you have the fastest forensic imager. How forensically sound is it?

All source ports are write-protected:

  • SATA
  • IDE
  • USB
  • SAS and PCIe as extension modules

On top of that, overcurrent protection detects when the hard drive draws abnormal current and stops the hard drive to prevent any further damage.

Every action in Atola Insight is followed by automatically created case reports. The case management system gets a new report even if you physically flip the DiskSense unit’s write protection switch. Additionally, every case report includes mandatory information about the device, DiskSense unit, current PC, OS, and user.