When Atola Insight Forensic performs Imaging, it approaches bad sectors in the most gentle yet thorough way with high overall speed. But most importantly, Insight is unbeatable at imaging severely damaged drives, while providing all the necessary tools for evidence verification and proper data storage formats. Insight’s ability to succeed even with the drives that freeze in the course of imaging makes it indispensable for forensic specialists.
So why do damaged drives freeze?
When a drive receives and runs a Read sectors command, and comes across a physically or logically damaged sector, the device is unable to return a good result. Therefore it goes into Retry mode, repeatedly attempting to retrieve data from the damaged area.
However, often the drive is unable to read data from the damaged sectors and the Retry mode can last for a very long time before it decides to give up on a particular sector and return an Error.
How does Insight handle this issue?
If Insight simply waited for each Read sectors command to be completed:
- it would take ages to get an Image of a drive with numerous errors;
- it could cause the drive to slip into complete freeze;
- in the worst-case scenario, further damage could be caused to the data on the drive.
For these reasons, Insight issues a Reset command whenever a drive attempts to read a block of sectors for longer than allowed by the pre-configured Timeout. Reset is a device interface operation, using which Insight (the host) stops the previously sent Read sectors (or any other) ATA command so that Insight continues imaging from the next planned block on the drive.
If the device is still running Read Sectors command, even after Reset attempt, Insight will wait 3 seconds and perform another Reset command. At the moment of the second Reset, a new entry will appear in the Imaging Log reading Device hangs while reading block X – Y.
If 20 seconds after the second Reset, the drive has not been able to abandon the current block, Insight will perform Power cycle by forcibly cutting power to the drive for 5 seconds. At this point Insight will add two entries to the log: Performing power cycle… (when the power is cut off) and Waiting for the device to become ready… (when the power is switched back on).
Should Power cycle prove successful and the drive become ready to accept the next command, there will be a final log entry for this problematic block of sectors saying: Cannot read block of data at X – Y (Timeout).
If Power cycle is ineffective, it means that the drive is still in Busy state that prevents it from becoming ready to run the next command. After that, Insight will make one or more additional power cycles. In Insight’s default settings the Max consecutive Power Cycles option is set to five. Should all five Power cycles be unsuccessful, Imaging will be automatically terminated. It can be resumed afterwards, and Insight will continue to image all remaining sectors.
While users are able to change the default maximum numbers of Resets and Power cycles, these are set based on our decades-long experience and balance the need of data retrieving with the risk of further data loss.
NB If prior to Imaging, you applied Change Max Address temporarily (until power cycle) option, the Power cycles performed in the course of Imaging will not affect it. The Host Protected Area will remain accessible throughout the Imaging process. Insight will temporarily remove HPA max address restriction after each Imaging-related Power cycle.
The same is true for Reset Password until power cycle option. Insight will keep the password reset throughout the Imaging process, without regard to the Power cycles applied.
Atola Insight Forensic 4.8 is released! In this version of Atola Insight Forensic software, we included a range of improvements to our core features.
The full list of Atola Insight Forensic 4.8 changes can be found here: Atola Insight Forensic Changelog.
Password recovery support on new drive models
Password recovery now works on new Hitachi hard drives including Hitachi HCxxxxxxxA7A3xx, HTxxxxxxxA9E3xx, HTxxxxxxxA9E6xx. The latter is used in Sony PlayStation PS4 Pro gaming consoles, which was launched worldwide in November 2016.
Consolidation of segmented hashes
For imaging sessions that include calculation of segmented hashes, we created a feature enabling you to consolidate the hashes calculated during each separate imaging session. To perform consolidation, click Export consolidated hashes for all sessions:
In the pop-up window, you will be asked to select the folder, where the file with consolidated hashes will be saved. Click OK button in the dialog box pop-up window, and all the separate .csv files s that contain segmented hashes from previous imaging session will be consolidated into one file.
SMART table attributes
Insight automatically saves a drive’s SMART table before and after completion of imaging. Quite often there are differences in the two SMART tables. From now on, the changes will be highlighted in the After Imaging table to draw attention to the attributes that have changed.
Power down source device upon completion
A similar option was available for SATA target drives involved in long-running operations (Calculate Hash, Verify Segmented Hashes, Fill/Erase, Comparing, Media Recovery, Write From File). This new option can work on all source devices that support power management. To activate it:
- Go to Insight category in the top-level menu
- Click Preferences
- In the Preferences window go to Miscellaneous tab
- Tick Power down source device upon completion
- Click Apply button
Please note that for Imaging you can still use the Power down source device when finished option located in the Miscellaneous tab of the Imaging settings.
Custom signature tag field
Insight allows you to add custom signatures to the already available 392 file signatures. Before this release, there were three columns in the table with the additional signatures:
Name, Bytes in Hex codes, Extension
Now there is a new column named Tag. This column is optional, and it enables you to mark specific (or all) additional signatures with any text in the Tag field to make them easily trackable.
On top of that, multi-column sorting in Found File Signatures table is now way more convenient. There is no need now to press any keys: just click on any category (first click = sort ascending; second click = sort descending; third click = no sorting) to make it the primary sorting category and then on another one for sorting by secondary category.
If you want to learn more about other 4.8 changes, visit this page: Atola Insight Forensic Changelog.
Where to buy
If you still do not have an Atola Insight Forensic and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:
Please contact our Atola Technology sales to receive more specific information:
P.S. Dear customers, we appreciate your feedback and will take it into account when making changes to the product. Therefore, please feel free to write your thoughts or ideas as comments below.
With each passing year, speed becomes a yet bigger issue for forensic specialists: while the capacity of hard drives grows exponentially, their speed does not keep up. A common 4TB drive’s speed constitutes up to 200 MB/s or 12 GB/min, which translates to more than 5 hours of imaging. And it may take prohibitive amounts of time to image a drive with damaged zones. Therefore, the ability to simultaneously run different operations on several devices is more vital than ever.
To provide users with greater productivity, Atola Insight Forensic’s high-capacity multi-core CPU supports up to 15 concurrent tasks, that can be assigned to different drives or image files.
You can start Imaging process from a Source drive to one or multiple Target drives and/or image files. Then you can click on the Plus icon and open another target drive to start another operation.
For example, you can launch Fill/Erase on this Target drive to get it ready for the next Imaging session:
It is also possible to Calculate Hash on yet another Target drive:
Other long-running operations you can perform simultaneously include:
- Automatic Checkup
- Verifying Segmented Hashes
- File Recovery
- Scripting (e.g. search files, files types, words, phrases or patterns, specific information type like email address, telephone, address, GPS coordinates etc.).
- Comparing data on drive with a pattern
- Media Scan
Hard drives with physical damage require a complex imaging approach. This guide will explain how to retrieve data with the minimal risk of data loss on a drive with a damaged head stack.
If an Automatic Checkup report indicates that there is a problem with the heads, look at the status of each head.
If the status of a head or multiple heads is Degraded or Damaged, the drive will not be able to read all the data. What’s worse, even more sectors may soon become unavailable due to incorrect functioning of the drive’s hardware.
We recommend that you start by imaging the heads, whose status is OK, as soon as possible. To do that:
Step 1. Go to Imaging category of the left-side menu, click on Create New Session link and select the device or file to which the data will be imaged.
Step 2. In the Start new imaging session page go to Heads line and click on Select heads to use link.
Step 3. Unselect the damaged head.
Step 4. Click on Start Imaging button.
As a result, you get as much data from the drive’s viable heads as possible before even beginning to work with the damaged head. This way the risk of losing data on the working part of the head stack is minimized.
Now that this data has been successfully retrieved, you have two options:
- To have the head stack replaced before imaging the remaining data. However, as a result of head stack replacement data on the drive can become unreadable.
- To attempt Imaging data with the Degraded or Damaged head. Follow the same procedure as with the good heads, only this time, during Step 3 unselect all the working heads and leave only the Degraded/Damaged one(s) before clicking on Start Imaging.
Atola Insight Forensic’s sophisticated functionality enables users to retrieve maximum data even from the severely damaged drives.
Now that you have an image of the source evidence including the data copied from the damaged head, you can take the risk and get the head stack fixed. Afterwards, you can start a new session to complete the initially created image with data from previously unreadable sectors.
If you need to extract or reset an unknown password or perform drive recovery on a Seagate hard drive, use a Serial cable to connect the drive to the DiskSense unit.
Take a minute to familiarize yourself with the Serial cable’s three connectors. On one side of the cable, there are two connectors. Both are 2-pin RX-TX (receive-transmit) connectors. The slightly larger one has 2.5-mm pin pitch and is used for IDE drives. The smaller one has 2-mm pin pitch and is used for SATA drives.
On the opposite side of the Serial cable, there is a 3-pin TX-RX-GND (transmit-receive-grounding) connector. This connector is inserted in the Serial port on the back side of the DiskSense unit.
Connecting 3.5-inch and 2.5-inch Seagate SATA drives
When you look at a Seagate SATA drive (either 3.5-inch or 2.5-inch), there is a 4-pin jumper block right next to the SATA port.
Connect the 2-mm RX-TX end of the serial cable to the two jumper pins located closest to the SATA port so that the red RX (receive) wire is connected to the pin closer to the SATA port.
Connecting 3.5-inch Seagate IDE drives
Desktop IDE drives have an 8-pin jumper block between IDE port and Power port. For the purpose of this manual, we shall call the pair of pins located closest to the IDE port and used for Master/Slave settings the first pair of pins. The next, second pair of pins is usually used for Cable Select settings. The third pair of pins is the one we will connect the Serial cable to.
Please note that IDE hard drives must be set to Master mode for password extraction and reset or drive recovery. To use the drive in Master mode, place a jumper on the first pair of pins (closest to the IDE port), as shown in the picture below.
Attach the 2.5-mm RX-TX connector to the third pair of jumper pins, as shown in the picture below. Make sure that red RX (receive) wire is facing down and the black TX (transmit) wire is facing up. The second pair and the fourth pair of pins must be left open.
Connecting 2.5-inch Seagate IDE drives
Similar to desktop hard drives, laptop Seagate hard drives also must be set to Master mode to perform password extraction and reset or drive recovery. Master mode on a 2.5-inch device is set by removing all jumpers.
There is a 3.5″-to-2.5″ IDE adapter included in the package with the DiskSense unit. It consists of the following components:
- IDE port J1 for IDE interface cable
- 2.5-inch IDE port J2 to connect the drive to
- Power port J3 for IDE power cable
- 4-pin block J4, where each pin is marked with letter A, B, C, and D.
Use the adapter to connect the drive to IDE interface cable and IDE power cable. Then attach the 2.5-mm RX-TX connector to pins marked A and C, as shown in the picture below. Make sure that the black TX (transmit) wire is connected to the pin A, and red RX (receive) wire is connected to the pin C.
Please note that to use the 2.5-inch Seagate IDE drive in Slave mode, the 2.5-mm RX-TX connector must be detached from the adapter and instead a jumper must be placed on pins A and B.
Configuring the Baud rate
Once the Seagate hard drive is connected to the unit, follow these instructions to configure the Baud rate of Seagate Terminal, which allows you to use an extensive set of commands on a Seagate drive:
- If there is only one source drive connected to the DiskSense unit, it will automatically be identified and displayed in the Source disk port. However, if there are multiple hard drives connected to the DiskSense unit as Source drives, go to Source category of the top level menu, click on Select Source and choose the Seagate drive.
- Power down the selected drive.
- In the Windows category of the top level menu click on Terminal and in the COM Port Settings window select the Baud rate compatible with the drive. Please note that for Seagate 7200.10 and older Baud rate will be 9600; for 7200.11 and newer Baud rate will be 38400 (Atola Insight Forensic will suggest the baud rate by setting a default value in the Terminal window for the drive connected to it).
- Then click OK. But do not close the Terminal window just yet.
- Power on the drive again. There must be a valid output in the Terminal window (see the picture below).
Should there be no output in the Terminal window or should it consist of random symbols, try to change the Baud rate until you get a good response.
Now proceed with password extraction or send Seagate Terminal commands to the drive.