Atola Technology

Creating a logical image of a source drive

While physical imaging copies the whole evidence drive sector for sector, from the first LBA to the last, logical acquisition copies only the file system structure and the data it references.

Logical acquisition is handy when time is limited and you need to start working with the file structure quickly. At the same time, a logical image does not include the remaining fragments of previously deleted files, which makes this imaging method incomplete. On top of that, the hash values of the source and the target will not be identical, because the target holds only the sectors that were imaged. Therefore, for an in-depth investigation it is still preferable to use a physical image.

This guide will show how Atola Insight Forensic’s flexible imaging functionality enables users to perform selective logical imaging.

In the Imaging category of the left-side menu there is an I want to image drop-down menu, where you can select the All sectors with data or the All sectors with metadata option.

When you choose All sectors with data, you image the whole file system structure of the drive, including folders and files, while omitting areas with no data and fragments of previously deleted files.

By going for the All sectors with metadata option you image the file system structure without the data inside its files (e.g. the MFT in NTFS), which lets you browse the file structure and select specific files to be imaged in full. For more information on this, please watch this video guide: Benefits of Imaging Metadata.

When you select either of these two options, the imaging log adds a message listing the partitions Insight has been able to find.

Once imaging is complete, you can view the structure of the logical image you have obtained by clicking Analyze target image.

This will open the Target port.

  1. Click Scan partitions button
  2. Select any of the imaged partitions you want to view
  3. Click Open partition button

In our example, we have imaged all sectors with data, and the partition we open contains the file structure and files, which we can explore, open and analyze.

Case Management: Finding and Opening a Case

Insight’s Case Management system records every step of the data acquisition process, saving them into reports grouped by case.

To view the whole list of cases and their devices:

  1. Go to the Case category in the top menu
  2. Click the Search/Open option

In the Search and Open Case window you will see the list of all the devices that have ever been connected and identified by your Insight.

It is possible to search for cases using multiple criteria and to sort the results in ascending or descending order by any of the columns.

Please note that it is possible to store multiple devices under the same case number, allowing you to keep track of all devices related to a certain case.

Once a device is selected, you get a preview of the case including the device details: when the case was created (i.e. when the device was first connected to the unit and identified by Insight), when it was last opened, the device model, serial number and description.

The case opens as a separate port in the Top Bar of the Insight window.

Q&A during Forensic Europe Expo

The Atola team attended the annual Forensic Europe Expo on May 3 – 4 in London. We were pleased to meet both our existing and potential customers and to answer their questions about Atola Insight Forensic. Those of you who were not able to attend may have similar questions, so here are the ones most frequently asked at the Expo, with our answers. We would be happy to answer any further queries you may have, so please don’t hesitate to write a comment below or send us a message here.

Question: Does write protection work for SATA source drives only?

Answer: No, write protection works for all source ports: SATA, IDE, USB & extensions.

Question: You claim that Atola Insight Forensic is capable of imaging even bad drives. What does a bad drive mean?

Answer: By bad drives we mean drives with various kinds of issues, namely:

  • Scratches on the media surface
  • Magnetic layer wear-out
  • Degraded or even non-working head
  • Drive freeze after reading attempt
  • Firmware issues
  • Bad sectors

Atola Insight Forensic is capable of dealing with devices that competitor products cannot even identify.

Question: What are the advantages of Atola Insight Forensic compared to ddrescue open source data recovery tool?

Answer: Here are some of the functions that Atola Insight Forensic provides and that ddrescue lacks:

  1. For Insight we have developed functionality that specifically helps image damaged drives that freeze.
  2. Insight’s diagnostics function identifies damaged heads, while the advanced imaging settings allow head selection, so imaging can be performed in a fast and, most importantly, cautious manner that avoids causing further damage to the evidence drive.
  3. Insight can image to multiple targets at the same time, both hard drives and files.
  4. Forensic procedures require hash calculation to be part of the acquisition process. Insight’s hash calculation functionality is very flexible: it can calculate MD5 and SHA hashes of the source simultaneously, before, during or after imaging, and the target drive’s hash can be calculated together with imaging or as a separate action.
  5. Built-in write protection.
  6. Insight’s in-depth diagnostics helps identify the drive status and, based on that, the right way to handle the drive for successful data acquisition.
  7. Insight’s overcurrent protection detects when the hard drive draws abnormal current and stops the drive to prevent further damage to the system and the drive.
  8. Insight’s automatic password removal function can extract an unknown ATA password and unlock the drive in under 2 minutes with just a few mouse clicks.

These are just a few of the key features that Insight has to offer as opposed to ddrescue. For more information about the product please follow this link.

Question: When coming across bad sectors on the source drive in the course of imaging, how does Insight deal with the corresponding sectors on the target drive?

Answer: Such sectors can either be left alone (skipped) or filled with a pattern. The default pattern used to fill unreadable sectors is 00. However, it is possible to enter any other pattern or even load a pattern (of any length) from a file. To use this option:

  1. Navigate to the Imaging category of the left-side menu
  2. Click the Create New Session link
  3. In the Preset line, click the Show settings link
  4. Tick the check box next to Fill unreadable sectors with the following pattern (HEX):
  5. Leave the default pattern as it is, or enter/upload a new one
  6. Click the Save settings button if you would like to make this new pattern the default one; otherwise, simply click the Start imaging button.
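
The two behaviours described in this answer, skipping an unreadable sector or writing a fill pattern into it, are shown below in a small Python model of the imaging loop. This is an added example, not Atola's code: the FaultySource class, the 512-byte sector size and the sample data are constructed for the demonstration, and a real imager would read from a block device instead. The tile_pattern function shows how a pattern loaded from a file, whatever its length, is applied to a full sector.

```python
"""Handling unreadable source sectors during imaging: skip them, or fill them
with a pattern of any length tiled to a full sector.

Added example, not Atola's code. FaultySource and the sample data are
constructed for the demonstration; 512-byte sectors are an assumption.
"""
from typing import List, Optional, Set

SECTOR = 512  # bytes per LBA (assumption: 512-byte sectors)


class UnreadableSector(IOError):
    """Raised by the constructed source when a sector cannot be read."""


class FaultySource:
    """Stand-in for an evidence drive whose listed LBAs fail to read."""

    def __init__(self, data: bytes, bad_lbas: Set[int]) -> None:
        self.data = data
        self.bad_lbas = set(bad_lbas)

    @property
    def sectors(self) -> int:
        return len(self.data) // SECTOR

    def read_sector(self, lba: int) -> bytes:
        if lba in self.bad_lbas:
            raise UnreadableSector(lba)
        return self.data[lba * SECTOR:(lba + 1) * SECTOR]


def tile_pattern(pattern: bytes) -> bytes:
    """Repeat (or truncate) a pattern of any length to exactly one sector,
    which is how a pattern loaded from a file has to be applied per sector."""
    if not pattern:
        raise ValueError("fill pattern must not be empty")
    reps = SECTOR // len(pattern) + 1
    return (pattern * reps)[:SECTOR]


def image_drive(src: FaultySource, target: bytearray,
                fill: Optional[bytes]) -> List[int]:
    """Copy every sector of src into target. An unreadable sector is either
    skipped (fill is None: the target sector is left exactly as it was) or
    overwritten with the tiled fill pattern. Returns the unreadable LBAs."""
    unreadable: List[int] = []
    sector_fill = tile_pattern(fill) if fill is not None else None
    for lba in range(src.sectors):
        off = lba * SECTOR
        try:
            target[off:off + SECTOR] = src.read_sector(lba)
        except UnreadableSector:
            unreadable.append(lba)
            if sector_fill is not None:
                target[off:off + SECTOR] = sector_fill
    return unreadable


def demo():
    """Image a 16-sector source with two bad sectors onto a reused target
    that still holds old data (0xFF), once in skip mode and once with the
    default 00 fill pattern, and report what ended up in bad sector 3."""
    src = FaultySource(b"\xAA" * (16 * SECTOR), bad_lbas={3, 9})
    stale = bytearray(b"\xFF" * (16 * SECTOR))   # previous contents of the target
    skipped = bytearray(stale)
    filled = bytearray(stale)
    bad_skip = image_drive(src, skipped, fill=None)
    bad_fill = image_drive(src, filled, fill=bytes.fromhex("00"))
    return {
        "unreadable": bad_skip,
        "same_bad_list": bad_skip == bad_fill,
        "skip_leaves_stale": skipped[3 * SECTOR:4 * SECTOR] == b"\xFF" * SECTOR,
        "fill_zeroes": filled[3 * SECTOR:4 * SECTOR] == bytes(SECTOR),
        "good_sector_copied": filled[4 * SECTOR:5 * SECTOR] == b"\xAA" * SECTOR,
    }
```

The demo makes the practical caveat visible: in skip mode the target keeps whatever it held before, so a reused target drive must be wiped beforehand (or a fill pattern used), otherwise stale data in the skipped sectors can be mistaken for evidence. In either mode the target hash will differ from the source hash wherever sectors could not be read, which is one reason the record of unreadable LBAs belongs in the case report.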

Verifying Damaged Target Images with Segmented Hashing

Last November the Atola Technology team presented a new hashing method called Segmented hashing. Unlike conventional linear hashing, segmented hashing produces not a single hash but a list of hashes of the corresponding LBA ranges of the image, saved into a CSV file in this format:

Hash, start LBA, end LBA

By validating all the hashes in the list, you can prove that the entire image has not been modified. For more information about this hashing method, please follow this link: Segmented Hashing.

While this method of hashing has a number of benefits for forensic specialists, among its strongest advantages is its applicability to damaged drives.

For one, this non-linear hashing method allows calculating hashes of the good areas of the evidence media, while bad areas that are impossible to read and image are left out of the calculation.

Secondly, if your acquired evidence image is damaged at some point in the future, with a regular linear hash you will get a hash mismatch upon verification and the entire image becomes useless, whereas with segmented hashes only the hash of the damaged segment becomes invalid. For example, for a 4TB hard drive with the default 4GB segment size, one invalid hash accounts for only 0.1% of the drive, while the remaining 99.9% of the hashes can still be verified.

Verifying segmented hashes

Suppose you have imaged a source drive and calculated its segmented hashes, and the CSV file is stored on your computer. Now let’s simulate a change to the evidence image to see how segmented hashing helps us identify the areas whose integrity has not been compromised.

Step 1. Select the target image in the top Port bar. In the Disk Editor subcategory of the Device Utilities category of the left-side menu we can open any sector of the drive. There we change one byte in sector #35,000,000.

Change one byte in Disk Editor

Step 2. In the Hashing category of the left-side menu there is a Verifying Segmented Hashes subcategory. This is an automated way to verify the segmented hashes in an existing CSV file against the target image. Select the file with the segmented hashes calculated during imaging and click Start.

Start segmented hash verification

Step 3. Hash verification is in progress. Here we see 18 segmented hashes checked. The hash of the segment that includes sector 35,000,000 is invalid.

Segmented hash verification in progress

Step 4. Hash verification finishes, and the corresponding case report is created automatically, also in CSV format.

Segmented hash verification report

This is how segmented hashing prevents the whole image from being compromised when a small area of the evidence target is damaged.
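
To make the mechanism concrete, here is an added Python example (not Atola's code) that produces rows in the "Hash, start LBA, end LBA" layout described above, writes and reads them as CSV, and verifies them against an image after one byte in one sector has been changed, as in Steps 1 to 4. The 512-byte sector size, the SHA-256 algorithm and the 64-sector sample image are assumptions for the demonstration; the real default is a 4GB segment, and the same logic applies to any segment size because each range is hashed independently.

```python
"""Segmented hashing of a disk image: produce 'Hash, start LBA, end LBA' rows,
store them as CSV, and verify them so that a later change is pinned down to
one LBA range instead of invalidating the whole image.

Added example, not Atola's code. Sector size, hash algorithm and the sample
image are assumptions for the demonstration.
"""
import csv
import hashlib
import io
from typing import BinaryIO, List, Tuple

SECTOR = 512                  # bytes per LBA (assumption)
Row = Tuple[str, int, int]    # (hex digest, start LBA, end LBA inclusive)


def hash_range(img: BinaryIO, start: int, end: int, algo: str = "sha256",
               chunk: int = 1 << 20) -> str:
    """Hash LBAs start..end (inclusive), reading in bounded chunks so a
    multi-terabyte image never has to be held in memory."""
    h = hashlib.new(algo)
    img.seek(start * SECTOR)
    remaining = (end - start + 1) * SECTOR
    while remaining:
        data = img.read(min(chunk, remaining))
        if not data:
            raise IOError(f"short read inside LBA range {start}-{end}")
        h.update(data)
        remaining -= len(data)
    return h.hexdigest()


def segmented_hashes(img: BinaryIO, total_sectors: int, segment_sectors: int,
                     algo: str = "sha256") -> List[Row]:
    """Split the image into fixed-size segments and hash each one independently."""
    rows: List[Row] = []
    for start in range(0, total_sectors, segment_sectors):
        end = min(start + segment_sectors, total_sectors) - 1
        rows.append((hash_range(img, start, end, algo), start, end))
    return rows


def rows_to_csv(rows: List[Row]) -> str:
    """Serialise rows in the 'Hash, start LBA, end LBA' column order."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["Hash", "start LBA", "end LBA"])
    w.writerows(rows)
    return buf.getvalue()


def rows_from_csv(text: str) -> List[Row]:
    reader = csv.reader(io.StringIO(text))
    next(reader)                      # skip the header line
    return [(h, int(s), int(e)) for h, s, e in reader if h]


def verify(img: BinaryIO, rows: List[Row],
           algo: str = "sha256") -> List[Tuple[int, int]]:
    """Recompute every listed range and return the (start, end) of those that
    no longer match. An empty list means every listed segment is intact."""
    return [(s, e) for h, s, e in rows if hash_range(img, s, e, algo) != h]


def demo():
    """Constructed 64-sector image, 8-sector segments, one byte flipped in
    sector 35 (the scenario above, scaled down). Returns which segment fails
    and whether a single linear hash would still verify."""
    sector = bytes(i % 256 for i in range(SECTOR))
    image = bytearray(sector * 64)
    rows = segmented_hashes(io.BytesIO(image), total_sectors=64, segment_sectors=8)
    stored_csv = rows_to_csv(rows)               # what would be kept with the case
    linear_before = hashlib.sha256(image).hexdigest()

    image[35 * SECTOR + 100] ^= 0xFF             # simulate the Disk Editor change

    invalid = verify(io.BytesIO(image), rows_from_csv(stored_csv))
    return {
        "segments": len(rows),
        "invalid": invalid,
        "linear_still_valid": hashlib.sha256(image).hexdigest() == linear_before,
    }
```

Because each row stands on its own, a range that could not be read during acquisition can simply be left out of the list and the remaining rows still verify, which is the property used for damaged drives above. The same independence is what lets verify report the single failing range (LBAs 32 to 39 in the demo) while the linear hash of the whole image only reports that something, somewhere, has changed.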

Extracting and Resetting an Unknown ATA Password

Insight can recover and/or remove unknown HDD passwords (also known as ATA passwords), and for most hard drives the unlocking process is fully automated.

When a device is connected and identified as locked with an ATA password, a corresponding PWD indicator is displayed in the port, and the Security Status on the Home page says Locked, High or Locked, Maximum. High and Maximum are the password protection levels that the operator who locked the device selected. Although this information may be relevant to the investigator, both security levels are supported by Insight’s password recovery functionality, so the distinction is not important for the purposes of this guide.

To perform a complete Diagnostics, Insight needs the hard drive to be unlocked. Therefore we suggest that, when dealing with a locked device, password recovery is performed before running the Automatic Checkup.

Password Extraction, Reset and Reset until power cycle

Under the Device Recovery category of the left-side menu select the Password Recovery subcategory. There are 3 options for dealing with a locked hard drive:

  • To display the password without unlocking the device at this moment, click the Extract button. This option does not require write protection on the source port to be switched off.
  • To work with the data on the drive without permanently resetting the password, tick the Reset Password until power cycle checkbox and then click the Reset button. This way write protection stays enabled on the source port, and no changes can be made to the drive.

NB. If the Reset Password until power cycle option is selected, the power cycles executed in the course of the Automatic Checkup, imaging or other operations will not affect the temporarily unlocked status of the device. Only a deliberate power cycle, such as clicking the Power button, will change the Security status of the drive back to Locked.

  • Finally, to permanently unlock the device, switch off write protection and then click the Reset button.

For the list of hard drives currently supported by Insight’s automatic password recovery, please follow this link.

Please note that this guide is applicable to all supported Samsung, Toshiba and Western Digital hard drives. To unlock a Seagate drive, connect the device to the Serial port of the DiskSense unit and then follow the same steps. Hitachi drives require the password extraction adapter: for more information please follow this link.