Atola Technology

Evidence acquisition workflow in 5 steps

For more information please read about the suggested workflow and hashing during imaging.

Artifacts: Image & analyze on the fly

Imaging is a time-consuming part of the evidence acquisition process, especially when dealing with damaged drives.

Even though Atola Insight Forensic is the fastest forensic imaging tool in the world (there is literally no penalty on drive speed when you image with Insight!), we want to help expedite the forensic process even further. That is why our team of engineers has developed the artifact search feature, which allows analysis of data from an evidence device during imaging.

Artifacts settings

1. Go to the Imaging category of the left-side menu.
2. Click the Create new session link and select the target device.
3. In the Preset line, click the Show settings link.
4. Open the Artifacts tab.

In this tab you can view, select or deselect the artifacts you want to be searched for in the course of imaging.

For each of these artifacts we have not only applied well-known algorithms, including the Luhn formula used to validate credit card numbers, but also applied our own smart filters to eliminate false results (e.g. if there are two slashes near a number that has preliminarily been identified as a credit card number, it is eliminated from the search results, as it is likely to be part of a URL).

Keywords and regular expressions can be added to the search parameters in a txt file with one artifact per line. Click the View link next to the Keywords category in the Artifacts tab before imaging and make sure the keywords are displayed correctly. Keyword encoding can be adjusted to Unicode, Unicode (UTF-8), Unicode (Big-Endian) or US-ASCII.

A few of the artifacts are selected by default, namely: GPS, MAC, Phone numbers, URL. You can adjust these default settings and click the Save settings button. This will affect all future imaging sessions (including those on new source drives) unless you re-adjust the settings or restore the default settings by clicking the corresponding link. The paths to the files with keywords and regular expressions will also remain saved; should any changes be made to the txt files in the saved directory, the changes will be uploaded at the start of each imaging session.

NB. It is advisable that no more than 4 artifacts are selected at a time, otherwise imaging will slow down considerably. Keywords of fewer than 4 symbols, regular expressions of fewer than 6 symbols, a large number of keywords (more than 2000) or a large number of regular expressions (more than 10) may also slow down the imaging process. This is due to the large number of results such search parameters are capable of producing.

Once you have ticked the boxes next to the artifacts you would like to be searched for, click the Start Imaging button.

Browsing through the artifacts in the course of imaging

Once imaging has begun, go to the Artifacts tab in the bottom part of the Insight window and watch the selected artifacts being found: the number of artifacts and the corresponding diagram change on the go.

To see the artifacts in a list, click any of the categories or the diagram.

In the table, each artifact is assigned an Id number, each found Value is shown in context (including 20 bytes before and 20 bytes after the artifact, in grey), and the LBA and the offset are also displayed to help locate the artifact.

There are many options to help find, sort, filter and view the artifacts: it is possible to view one or a few categories of artifacts in one list, use the Search bar to find a specific value (search examples are provided in the bottom right corner of the window), filter results for unique values by clicking the Show unique artifacts link.

The latter option is quite valuable as it helps identify the values most frequently occurring on the drive: to sort the results click Count in the table header.

To promptly find the sector where an artifact is located, you can double click the artifact you would like to examine more thoroughly.

Exporting artifacts

The Export to CSV button is disabled during imaging. Should it be necessary to start analyzing the current artifact search output with an external tool, you can wait until imaging is completed, or pause it, make an export and restart imaging:

1. Pause imaging.
2. In the Imaging results page, click the Artifacts link.
3. In the Artifacts page, select the artifacts you would like to be exported (e.g. one or multiple artifact categories, unique artifacts or only those fitting certain search criteria), and then click the Export to CSV file button.
4. Select the path for the file and click Export.
5. Once the export is completed (which normally takes no longer than a few seconds), restart imaging.

There is now an Export artifact link in the Imaging category of Insight’s menu. If the source drive was imaged in multiple sessions, and artifact lists were created during different imaging sessions, clicking this link downloads a merged list of artifacts from all of those sessions.

Atola Insight Forensic 4.10 – Search of forensic artifacts in the course of imaging

On December 5 Atola Technology releases Atola Insight Forensic 4.10.

The key feature is the artifact search capability while imaging source evidence media. It allows searching the source drive for credit cards, emails, URLs, IPs, GPS coordinates, phone numbers, keywords etc. in the course of imaging. This feature will help forensic specialists expedite investigation in urgent cases or when dealing with a damaged drive that takes hours to image.

The full list of Atola Insight Forensic 4.10 changes can be found here: Atola Insight Forensic Changelog.

Imaging settings now have a new Artifacts tab where different types of artifacts can be selected and lists of keywords or regular expressions can be uploaded.

For each of the artifacts, we have not simply applied well-known algorithms (e.g. the Luhn formula used to validate credit card numbers). We have developed our own smart filters to eliminate false results (e.g. if there are two slashes near a number that has preliminarily been identified as a credit card number, it is eliminated from the search results, as it is likely to be part of a URL).
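The following is an added example, not Atola's code and not the implementation inside Insight. Over a constructed raw image buffer it shows the Luhn check and the "two slashes near the number" URL filter described here and in the Artifacts settings section, reports each hit with an Id, LBA, offset and 20 bytes of context before and after as the artifacts table does, counts unique values for the "Show unique artifacts" view, and searches keywords in the selectable encodings. The 512-byte sector size, the reading of "two slashes near" as at least two slash characters within 20 bytes of the candidate, and the mapping of the "Unicode" encoding names to UTF-16 little-endian and big-endian codecs are assumptions; the card numbers in the sample are public test numbers.

```python
"""Artifact search over a raw image buffer: Luhn validation, the 'two slashes'
URL filter, hits with LBA/offset/context, unique counts, and keyword search in
the selectable encodings. Added example, not Atola's code."""
import re
from collections import Counter

SECTOR = 512      # assumed sector size: converts a byte position into LBA + offset
CONTEXT = 20      # bytes of context kept before and after a hit, as in Insight's table

# Candidate card number: 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed mapping of the keyword-file encoding names to Python codecs
# ("Unicode" taken as UTF-16 little-endian, the Windows convention).
KEYWORD_ENCODINGS = {
    "US-ASCII": "ascii",
    "Unicode (UTF-8)": "utf-8",
    "Unicode": "utf-16-le",
    "Unicode (Big-Endian)": "utf-16-be",
}

def luhn_valid(digits: str) -> bool:
    """Well-known Luhn checksum used to validate credit card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def looks_like_url(buf: bytes, start: int, end: int) -> bool:
    """Smart filter (assumed reading of 'two slashes near the number'): at least two
    slash characters within CONTEXT bytes of the candidate mark it as a URL fragment."""
    around = buf[max(0, start - CONTEXT):start] + buf[end:end + CONTEXT]
    return around.count(b"/") >= 2

def find_card_numbers(buf: bytes) -> list:
    """Return validated, filtered hits with Id, Value, LBA, offset and context."""
    hits = []
    for m in CARD_RE.finditer(buf):
        digits = re.sub(rb"[ -]", b"", m.group()).decode("ascii")
        if not luhn_valid(digits):
            continue                                   # fails the checksum
        if looks_like_url(buf, m.start(), m.end()):
            continue                                   # probably part of a URL
        hits.append({
            "id": len(hits) + 1,
            "value": digits,
            "lba": m.start() // SECTOR,
            "offset": m.start() % SECTOR,
            "context_before": buf[max(0, m.start() - CONTEXT):m.start()],
            "context_after": buf[m.end():m.end() + CONTEXT],
        })
    return hits

def unique_counts(hits: list) -> list:
    """'Show unique artifacts' view: (value, count) pairs, most frequent first."""
    return Counter(h["value"] for h in hits).most_common()

def find_keywords(buf: bytes, keywords: list, encoding_name: str = "Unicode (UTF-8)") -> list:
    """Search keywords as raw bytes in the chosen encoding: a UTF-16 string on disk
    is only found when the matching Unicode option is selected."""
    codec = KEYWORD_ENCODINGS[encoding_name]
    hits = []
    for kw in keywords:
        needle = kw.encode(codec)
        pos = buf.find(needle)
        while pos != -1:
            hits.append({"value": kw, "lba": pos // SECTOR, "offset": pos % SECTOR})
            pos = buf.find(needle, pos + 1)
    return hits

def _sector(payload: bytes, offset: int = 0) -> bytes:
    """Build one zero-filled sector with the payload placed at the given offset."""
    s = bytearray(SECTOR)
    s[offset:offset + len(payload)] = payload
    return bytes(s)

# Constructed sample image: public test numbers 5500 0000 0000 0004 and
# 4111 1111 1111 1111 (Luhn-valid) and 4111111111111112 (Luhn-invalid).
SAMPLE_IMAGE = b"".join([
    _sector(b"boot record - nothing of interest"),
    _sector(b"Order #1 paid with 5500 0000 0000 0004 on 2016-11-01", 100),
    _sector(b"Order #2 paid with 4111 1111 1111 1111 on 2016-11-02", 40),
    _sector(b"Visited http://shop.example/cust/4111111111111111/view"),   # filtered as URL
    _sector(b"Order #3 paid with 4111111111111111 (repeat customer)", 200),
    _sector(b"Scratch: 4111111111111112 failed checksum", 8),             # fails Luhn
    _sector(b"meta: " + "invoice".encode("utf-16-le"), 16),                # UTF-16 keyword
])

if __name__ == "__main__":
    for h in find_card_numbers(SAMPLE_IMAGE):
        print(h["id"], h["value"], "LBA", h["lba"], "offset", h["offset"], h["context_before"][-12:])
    print(unique_counts(find_card_numbers(SAMPLE_IMAGE)))
    print(find_keywords(SAMPLE_IMAGE, ["invoice"], "Unicode"), find_keywords(SAMPLE_IMAGE, ["invoice"], "US-ASCII"))
```

Run as-is, the scan reports three card hits (the URL-embedded copy and the checksum-failing number are dropped), the unique view shows 4111111111111111 twice, and the UTF-16 keyword is found only when the "Unicode" encoding is selected, which is why the keyword encoding setting matters for strings written by Windows applications.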

We have added a new Artifacts tab in the bottom part of Insight’s imaging window: the number of found artifacts and the corresponding diagram change on the go.

The list of found artifacts is opened by clicking any of the categories or the diagram itself.

In the table, each artifact’s Value is shown in context (including 20 bytes before and 20 bytes after the artifact), and the LBA and the offset are also displayed to help locate the artifact.

There are many options to help find, sort, filter and view the artifacts: it is possible to view one or a few categories of artifacts in one list, use the search bar to find a specific value, filter results for unique values by clicking the Show only unique artifacts link.

The latter option is quite valuable as it helps identify the values most frequently occurring on the drive. It often accelerates the whole process of specific artifact search.

For more information about the Artifacts feature please read our next week’s blog post or follow this link to our manual:
http://atola.com/products/insight/manual

Where to buy

If you still do not have an Atola Insight Forensic and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:

http://atola.com/wheretobuy/

Please contact our Atola Technology sales to receive more specific information:

P.S. Dear customers, we appreciate your feedback and will take it into account when making changes to the product. Therefore, please feel free to write your thoughts or ideas as comments below.

Calculating segmented hash of a damaged drive

When you work with a damaged device and imaging can only be performed in multiple passes due to bad sectors, physically damaged areas or heads, it is impossible to calculate a linear hash of the drive. This can become a serious challenge if you need to prove evidence integrity in a court of law. It is for such cases that Atola Insight Forensic has Segmented hashing functionality.

According to the recommended workflow, run an Automatic checkup of the evidence drive.

If the drive has hardware or bad sector issues, it is likely that imaging will not be completed within one pass, and you can calculate the hash for such a drive only with Segmented hashing.

Furthermore, we recommend that you calculate the hash and image the drive simultaneously: this way, data on the drive is read only once for both processes and you avoid further deterioration of the drive:

  1. Click the Create new session link in the Imaging category of the left-side menu and select the target drive.
  2. Click the Show settings link in the Preset line.
  3. Tick the box next to Hash source during imaging.
  4. Select the Segmented option in the Hash method drop-down menu.
  5. Click the Start imaging button.

Please note that the Segmented hashing option disables imaging in reverse direction on all passes.

Just as imaging narrows down the problematic areas and reads the data within them on each subsequent pass, the Segmented hash is calculated for each successfully read span of data.

Once imaging is completed, you can find the set of hashes calculated in the course of imaging. Go to the imaging report

In the Excel file with segmented hashes you can find the hash calculated for each of the 4 GB segments of the drive space, as configured in the settings. Some of the segments are smaller due to an encountered bad sector, which, in accordance with the multi-pass imaging algorithm, forced Insight to jump by a preconfigured number of sectors. Lower in the table you can find the hashes calculated for the smaller segments within the jump area during the first three passes, illustrating the concept:

This way segmented hashing allows obtaining a hash even for a severely damaged drive.
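As an added illustration of the segmented hashing concept described above (not Atola's code, not Seghash, and not Insight's imaging engine): a scaled-down simulation of multi-pass imaging in which the drive is read linearly, every read error makes the imager jump by the pass's preconfigured number of sectors and re-queue the skipped span for the next pass, and the running hash is closed for the span read so far whenever an aligned segment boundary or an unreadable sector is reached. A verification routine then recomputes each segment from the resulting image, so a hash can still be checked even though two sectors were never read. The segment size (8 sectors in place of 4 GB), the jump sizes per pass, SHA-256 as the hash, the segment tuple layout and the bad-sector positions are all constructed assumptions.

```python
"""Segmented hashing during multi-pass imaging: a scaled-down illustration.
Added example, not Atola's code. Segment size, jump sizes and bad sectors are
constructed; Insight's real default (4 GB segments) is described on the page."""
import hashlib

SECTOR = 512
SEGMENT_SECTORS = 8          # constructed: segment boundary every 8 sectors (Insight: 4 GB)
JUMPS = (4, 2, 1)            # constructed: sectors skipped after a read error on pass 1, 2, 3

class SimulatedDrive:
    """A tiny 'evidence drive' whose read() fails on the listed LBAs."""
    def __init__(self, data: bytes, bad_lbas):
        self.data = data
        self.bad = set(bad_lbas)
        self.sectors = len(data) // SECTOR

    def read(self, lba: int) -> bytes:
        if lba in self.bad:
            raise IOError(f"unreadable sector {lba}")
        return self.data[lba * SECTOR:(lba + 1) * SECTOR]

class SegmentHasher:
    """Accumulates a hash over contiguous successfully read sectors and closes a
    segment at an aligned segment boundary or when the caller reports an interruption."""
    def __init__(self, pass_no: int):
        self.pass_no = pass_no
        self.segments = []                 # (first_lba, last_lba, pass_no, sha256 hex)
        self._h = self._start = self._last = None

    def feed(self, lba: int, data: bytes) -> None:
        if self._h is None:
            self._h, self._start = hashlib.sha256(), lba
        self._h.update(data)
        self._last = lba
        if (lba + 1) % SEGMENT_SECTORS == 0:   # reached an aligned segment boundary
            self.close()

    def close(self) -> None:
        if self._h is not None:
            self.segments.append((self._start, self._last, self.pass_no, self._h.hexdigest()))
            self._h = None

def image_with_segmented_hash(drive: SimulatedDrive):
    """Multi-pass imaging: an unreadable span is skipped by the pass's jump size and
    re-queued for the next pass; every sector is hashed as it is read."""
    image = bytearray(drive.sectors * SECTOR)        # unread sectors stay zero-filled
    segments, unread = [], set()
    pending = [(0, drive.sectors)]                   # half-open LBA ranges still to image
    for pass_no, jump in enumerate(JUMPS, start=1):
        hasher, next_pending = SegmentHasher(pass_no), []
        for start, end in pending:
            lba = start
            while lba < end:
                try:
                    data = drive.read(lba)
                except IOError:
                    hasher.close()                   # the current span ends here
                    skip_end = min(lba + jump, end)
                    if jump == 1:
                        unread.add(lba)              # last pass: give up on this sector
                    else:
                        next_pending.append((lba, skip_end))
                    lba = skip_end
                    continue
                image[lba * SECTOR:(lba + 1) * SECTOR] = data
                hasher.feed(lba, data)
                lba += 1
            hasher.close()                           # end of this pending range
        segments.extend(hasher.segments)
        pending = next_pending
        if not pending:
            break
    return bytes(image), segments, unread

def verify_segments(image: bytes, segments) -> list:
    """Recompute every segment hash from the image; return the (first, last) LBA
    pairs whose hash no longer matches."""
    failures = []
    for first, last, _pass_no, digest in segments:
        chunk = image[first * SECTOR:(last + 1) * SECTOR]
        if hashlib.sha256(chunk).hexdigest() != digest:
            failures.append((first, last))
    return failures

# Constructed sample: 24 sectors, each filled with its own LBA value; LBAs 5 and 17 are bad.
SAMPLE_DATA = b"".join(bytes([i]) * SECTOR for i in range(24))
SAMPLE_BAD = {5, 17}

if __name__ == "__main__":
    img, segs, unread = image_with_segmented_hash(SimulatedDrive(SAMPLE_DATA, SAMPLE_BAD))
    for first, last, pass_no, digest in segs:
        print(f"pass {pass_no}: LBA {first:>2}-{last:>2}  {digest[:16]}...")
    print("unreadable:", sorted(unread), "verify:", verify_segments(img, segs))
```

With the constructed drive, pass 1 produces the full-size segments and the spans cut short at the two bad sectors, passes 2 and 3 add the smaller segments from inside the jump areas, and only LBAs 5 and 17 remain uncovered. Altering a single byte of the image makes verification fail for exactly the one segment that contains it, which is the property that lets a segmented hash list stand in for a linear hash of a drive that could never be read in one pass.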

Please follow this link to learn how you can easily verify segmented hashes:
http://atola.com/products/insight/manual/Verify-Image-with-Segmented-Hashing.html


In November 2016 Atola Technology introduced a new hashing method called Segmented hashing.

Atola’s open-source tool Seghash, which is written in Go and released under the MIT license, works on Windows, Linux and macOS. Atola Technology has published the tool on its GitHub page and encourages adoption of the segmented hashing algorithm by software vendors who want to offer their users a superior hashing option.

Successful use of Insight in investigations: Our clients’ presentation

Ever since Atola Technology shifted its focus from data recovery to the forensic market, we have been researching our clients’ needs and developing Atola Insight Forensic in close cooperation with law enforcement agencies and forensic experts to meet their demand for a speedy evidence acquisition tool for both good and damaged media.

We find it very rewarding that our systems have been indispensable in a huge number of investigations and appreciate the feedback from our customers that we have been receiving throughout the years.

Among the forensic experts who have been successfully solving cases with the help of our devices are Derek Frawley and John Farrugia from the Police of Ontario, Canada.

In June 2017 Derek and John were invited to speak at the Techno Security and Digital Forensics Conference. In the presentation, they shared their experience in streamlined child exploitation investigations and dedicated 6 slides to Atola Insight Forensic and its functionality that makes this device essential to their investigation process.

We are deeply touched by the fact that our expertise in data recovery makes an impact in investigations as important to children, families and communities as these, and we would like to share this presentation with you.

Streamlined Child Exploitation Investigations by D. Frawley & J. Farrugia