Today we are releasing Atola Insight Forensic 4.6.
The killer feature is the AtolaScript language and its script execution engine. Atola Insight now lets you perform the most sophisticated tasks by combining over 50 commands the way you want. These include custom ATA commands, various commands that scan the entire media to find specific data, read/write tests, and many others.
Full Atola Insight Forensic 4.6 change log is available here: Changelog.
The AtolaScript language is probably the simplest one you have ever seen. Scripts consist of one-line instructions without semicolons. Conditions (if) as well as while, for and foreach loops are available in C# syntax. It is easy to run multiple scripts on different SATA, USB, SAS and IDE devices at the same time.
With all that said, the best thing about scripting is the wide variety of simple yet powerful commands designed by the Atola team.
Custom ATA commands
Atola Insight Forensic has just become the first forensic solution that lets you execute any ATA command on any SATA/IDE drive.
There are three AtolaScript commands for running custom ATA commands, depending on whether a data transfer is needed and in which direction:
A few examples:
Remark: The built-in Source port write protection rejects any custom ATA command that can modify device state (i.e. perform a write operation).
Ultimate pattern/word/phrase search
The scripting system includes an internal search engine which is based upon Intel Hyperscan, a high-performance multiple regex matching library. It enables you to run searches everywhere including unallocated space with the help of three commands:
The commands work for all SATA, USB, SAS, IDE devices plugged into the DiskSense system.
The FindWords command searches for words or phrases over the whole media space or a specified region. One of the coolest FindWords features is that it attempts to match words/phrases in different encodings: ASCII, UTF-8, UTF-16LE, UTF-16BE. Now you can quickly perform a search in a multi-language environment.
In the example below you can see how FindWords outputs found matches for three words: Dubai, Quebec, Venice.
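To illustrate why matching in several encodings matters on raw media, here is an added Python example; it is not AtolaScript and not Atola's implementation. The function names, the exact-case matching, the 512-byte sector size and the sample image are assumptions constructed for the illustration.

```python
ENCODINGS = ("ascii", "utf-8", "utf-16-le", "utf-16-be")  # encodings the page lists
SECTOR_SIZE = 512  # assumed sector size

def build_patterns(words):
    """Map (word, byte pattern) -> encodings that produce that pattern."""
    patterns = {}
    for word in words:
        for enc in ENCODINGS:
            try:
                raw = word.encode(enc)
            except UnicodeEncodeError:
                continue  # a non-ASCII word has no ASCII form
            # ASCII and UTF-8 coincide for plain ASCII words: one scan, two labels
            patterns.setdefault((word, raw), []).append(enc)
    return patterns

def find_words(image, words, start=0, end=None):
    """Return sorted hits (byte_offset, sector, word, encodings) in [start, end)."""
    end = len(image) if end is None else end
    hits = []
    for (word, raw), encs in build_patterns(words).items():
        pos = image.find(raw, start, end)
        while pos != -1:
            hits.append((pos, pos // SECTOR_SIZE, word, tuple(encs)))
            pos = image.find(raw, pos + 1, end)
    return sorted(hits)

def build_sample_image():
    """Constructed 4-sector image: filler bytes with three planted words."""
    image = bytearray(b"\xaa" * (4 * SECTOR_SIZE))
    planted = ((100, "Dubai", "ascii"),
               (600, "Quebec", "utf-16-le"),
               (1100, "Venice", "utf-16-be"))
    for offset, text, enc in planted:
        raw = text.encode(enc)
        image[offset:offset + len(raw)] = raw
    return bytes(image)

if __name__ == "__main__":
    words = ["Dubai", "Quebec", "Venice"]
    for offset, sector, word, encs in find_words(build_sample_image(), words):
        print(f"offset={offset} sector={sector} word={word} encodings={','.join(encs)}")
```

A plain ASCII search would report only the first of the three planted words; the UTF-16 copies contain interleaved zero bytes and are found only through their own byte patterns.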
We have also implemented FindHEX for high-performance HEX pattern search.
The screenshot shows how amazingly simple it is to look for BitLocker volumes:
Find is a powerful way to run a regular expression search over a specified disk region. You can find absolutely everything using the command: emails, GPS coordinates, phone numbers, home addresses, IPs, credit card numbers and so forth.
Other handy AtolaScript commands
There are more than 50 commands available at your disposal. For instance, you can freely wipe, compare, hash drives or specific (or calculated) sector intervals.
Below I include a few more examples of what AtolaScript can do.
SMART attribute check
Data entropy calculation
Running benchmark test commands in parallel with scripts running on other devices
Friendly AtolaScript editor
The editor comes with a number of helpful UI options to turn scripting into a pleasant experience. Wherever these signs show up:
one can click them and merely select a command looking at its description and sample code, and then edit command parameters with some additional help.
All other 4.6 changes are listed here: Atola Insight Forensic Changelog.
How to upgrade
Atola Insight Forensic 4.6 can be downloaded by all customers with an active software update subscription at no additional cost.
Where to buy
If you still do not have an Atola Insight Forensic and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:
We still have an upgrade program for owners of old Atola Insight v3.x. Please contact our Atola Technology sales to receive more specific information:
Atola Insight Forensic can work with a remote database shared between many users. Here is how to set up such a network database and connect different PCs running Atola Insight to it.
1. Pre-install SQL Server 2012 or 2014 on the network server PC
2. Launch Atola Insight Forensic on the user PC
3. Navigate to Insight -> Database Connection Settings from the top menu
A. Select Server type: Remote
B. Specify network server name, select SQL server instance and database names
C. Enter SQL server login and password as shown in the picture below:
4. Click OK and re-launch Atola Insight Forensic on the user PC.
5. It will create the remote database and ask for the Work Folder name:
Hint: Work Folder is necessary to store large files that do not fit into the database: imaging maps, logs, file recovery hash lists.
6. Change the Work Folder to the shared folder on the network server PC.
Example: The network folder successfully selected
Now you have the Atola Insight network database prepared for remote use! You can connect Atola Insight Forensic software from the other PCs. Just set up the same database settings as you did in step 3. There is no need to specify the Work Folder again, because Atola Insight will load it from the remote SQL server on the network server PC.
The only limitation: Two users will not be able to work on the same case simultaneously.
We were exhibiting with Atola Insight Forensic at Enfuse and Techno Security conferences and received plenty of questions from people visiting our booth. Some of these questions were repeatedly asked, so sharing them and their corresponding answers in this blog makes sense. We do hope you find the information provided here helpful!
What is the maximum imaging speed?
You can always observe an actual imaging performance of 30 GB/min in Atola Insight Forensic v4.5 with a couple of Samsung 850 Pro solid-state drives used as source and target devices.
Why is Atola Insight Forensic better than competing products?
We produce the only solution that is specifically designed to support damaged media.
Our users usually begin with automatic diagnostics for an evidence drive. It takes a couple of minutes yet saves a lot of time and energy. It detects drive issues such as PCB instability, problems with the motor, short circuits, firmware errors, degraded or even nonworking heads, and physical media surface damage. Afterward, you can decide what to do next with the evidence drive.
Even if you work with a severely damaged source device, the imaging engine enables you to:
- disable damaged heads
- automatically overcome much more serious problems than so-called ‘software bad sectors’
- track drive state before, during and after imaging
- have every imaging event logged in a forensically sound manner
Atola Insight has file recovery integrated with imaging. By browsing the target image directory tree, you can always see which source file sectors are bad sectors or even were read with the ReadLong ATA command (without ECC).
Last but not least, Atola Insight Forensic can clear any unknown ATA password from the hard disk drive in just a minute.
What image formats can be used for target files?
Atola Insight Forensic supports imaging to three image file types:
- growing files: *.img
- preallocated files: *.imgp
- E01 files: *.e01
The first two are raw files, bit-to-bit source copies. The 3rd target file type is E01 (Encase). It can be either compressed or not. Imaging to non-compressed E01 is several times faster and does not depend on CPU speed and core count.
How exactly does Atola Insight imaging process cope with damaged drives?
We have two goals here when dealing with severely damaged source drives:
1) Get as much data as possible
2) Decrease the number of failed read attempts to finish imaging with a still-alive evidence drive
Atola Insight Forensic uses a fast imaging map, thereby enabling us to run the whole process in multiple passes. The tool uses large blocks with short time-outs on the first few passes and then smaller blocks with longer time-outs on the last pass to image the tough areas. This provides the best possible results in the shortest amount of time.
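The multi-pass idea can be sketched with a small simulation. This is an added Python example, not Atola's imaging engine: the simulated drive, the block sizes, the time-outs and the rule that a "slow" sector answers only at 1000 ms or more are all assumptions constructed for the illustration.

```python
GOOD, PENDING, BAD = "G", "?", "B"
LONG_TIMEOUT_MS = 1000  # assumed threshold at which a "slow" sector responds

class SimulatedDrive:
    """Constructed stand-in for a damaged source; read() is True on success."""
    def __init__(self, sectors, bad=(), slow=()):
        self.sectors, self.bad, self.slow = sectors, set(bad), set(slow)

    def read(self, lba, count, timeout_ms):
        span = set(range(lba, lba + count))
        if span & self.bad:
            return False                      # unreadable at any time-out
        return timeout_ms >= LONG_TIMEOUT_MS or not (span & self.slow)

# (block size in sectors, time-out in ms) per pass; the values are illustrative.
PASSES = ((64, 100), (8, 100), (1, 5000))

def pending_runs(imap):
    """Return [(start, length)] for each contiguous run of PENDING sectors."""
    runs, start = [], None
    for i, state in enumerate(imap + [None]):
        if state == PENDING and start is None:
            start = i
        elif state != PENDING and start is not None:
            runs.append((start, i - start))
            start = None
    return runs

def image_drive(drive, passes=PASSES):
    """Image in passes; return (map, [(block, timeout, ok_reads, failed_reads)])."""
    imap, stats = [PENDING] * drive.sectors, []
    for n, (block, timeout) in enumerate(passes):
        final, ok, failed = n == len(passes) - 1, 0, 0
        for start, length in pending_runs(imap):   # only revisit unread areas
            for lba in range(start, start + length, block):
                count = min(block, start + length - lba)
                if drive.read(lba, count, timeout):
                    imap[lba:lba + count] = [GOOD] * count
                    ok += 1
                else:
                    failed += 1
                    if final:                 # give up only on the last pass
                        imap[lba:lba + count] = [BAD] * count
        stats.append((block, timeout, ok, failed))
    return imap, stats

if __name__ == "__main__":
    imap, stats = image_drive(SimulatedDrive(256, bad={70, 71}, slow={200}))
    for block, timeout, ok, failed in stats:
        print(f"block={block:>2} timeout={timeout}ms ok={ok} failed={failed}")
    print("bad sectors:", [i for i, s in enumerate(imap) if s == BAD])
```

Healthy areas are cleared by a few large reads in the first pass, and the long time-out is spent only on the handful of sectors still pending in the last pass.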
Atola Insight’s ability to disable damaged heads can just save your evidence! Other imagers merely kill the drive during imaging. Imagine having seven of eight good heads. You can just image with all of them with the exception of the damaged one. Afterward, you can begin analysis of 87% of the acquired data and at the same time try to replace the damaged head. A physical head swap is always a risky challenge.
The imaging engine contains many automatic rules. For example, it resets or power-cycles the source when the source drive freezes. It can apply a reverse imaging direction in particular cases. Here is what is useful when dealing with damaged evidence: Two imaging reports are created before and after the process. Both include not only imaging information but also SMART tables, thus enabling you to see what happened to the source drive during the process.
You claim you have the fastest forensic imager. How much forensic is it?
All source ports are write-protected:
- SAS and PCIe as extension modules
On top of that, overcurrent protection detects when the hard drive draws abnormal current and stops the hard drive to prevent any further damage.
Every action in Atola Insight is followed by automatically created case reports. The case management system gets a new report even if you physically flip the DiskSense unit’s write protection switch. Additionally, every case report includes mandatory information about the device, DiskSense unit, current PC, OS, and user.
Atola Insight Forensic 4.5 is released!
We put a great deal of effort into implementing the new imaging engine to improve image acquisition stability and performance at the same time. There are quite a few changes to other parts of the product as well. In total, our internal issue tracking system shows a record number of almost 250 tasks completed for the 4.5 release.
Full Atola Insight Forensic 4.5 change log is available here: Version Log.
Atola Insight 4.5 benchmarks show speed-up of core disk operations (all numbers are MB/s):
Atola Insight Forensic 4.5
Atola Insight Forensic 4.4
|Imaging to SATA target
|Imaging to raw image file (1Gb network)
|Imaging to E01 file with MD5 and SHA1 (1Gb network)
|Imaging to compressed E01 file
The tests were performed using two drives of the following model: Samsung SSD 850 PRO 256GB EXM02B6Q.
New features in Imaging
The revamped Imaging engine introduces some smart and beautiful features. For example, it now automatically clears the ATA password and HPA on the fly after a power cycle if they were temporarily removed (only temporary removal is supported for write-protected source media).
Imaging progress bar is included in every resulting case report to visualize cloned data.
There is a new imaging setting “Stop hashing on first error”. It calculates and stores a correct hash for all sectors preceding the first read error on an evidence drive.
We improved logging verbosity during imaging. You can see the most noticeable change when ‘All sectors with data/metadata’ is selected. In that case the imaging log will contain information about found partitions.
Last but not least, Atola’s new media map manager offers a better user experience for selecting custom partitions and ranges for imaging.
There are two new options in Miscellaneous tab that need to be explained:
- Power down SATA target device when operation finished
- Enable Target HEX viewer during Imaging
Power down SATA target device when operation finished
Before Atola Insight 4.5, all long-lasting operations (Imaging, Calculate Hash, Fill or Erase, Comparing) performed on Target ports were followed by a mandatory power-off. This is mainly done to protect target drives containing imaged source data. That said, the power-off is not always wanted. For instance, when you wipe a drive with Fill or Erase and intend to start Imaging right afterward, a power cycle is not needed, and it is convenient to disable the option.
Enable Target HEX viewer during Imaging
Disabling the Target HEX viewer during Imaging matters when the source data is so sensitive that the software user must not see it. In such a case Imaging runs from a source drive to a target drive, with both plugged into the DiskSense system. With the Target HEX viewer disabled, we guarantee that the source byte stream goes through the DiskSense system only and does not enter the network or the host PC.
All other 4.5 changes are listed here: Atola Insight Forensic Changelog.
How to upgrade
Atola Insight Forensic 4.5 can be downloaded by all customers with an active software update subscription at no additional cost.
Where to buy
If you still do not have an Atola Insight Forensic and would like to place an order, it can be done directly via Atola Technology, or from a distributor near you:
We still offer an upgrade program for owners of old Atola Insight v3.x. Please contact our Atola Technology sales to receive more detailed information:
We would like to share the newest speed achieved by the revamped Imaging engine. It will ship with the 4.5 software update in May.
Total imaging performance was significantly improved during the last 4 months. Just take a look at the 503MB/s imaging speed in the screenshot below. It is more than 30 GB per minute.
The new imaging engine empowers you to clone a 256GB Samsung 850 Pro in just 8.5 minutes!