Atola Insight Forensic 4.7 is released!

This release comes with the new hashing concept which protects you from damaged target images and works in parallel with the multi-pass imaging engine.

The full list of Atola Insight Forensic 4.7 changes can be found here: Atola Insight Forensic Changelog.

How is segmented hashing different from regular hashing?

With regular hashing, you get a single hash for the entire image.

With segmented hashing, you end up with many hashes of corresponding LBA ranges (chunks) of the image. The sum of these LBA ranges represents the entire image, just not necessarily in sequential order. By validating all hashes in a set, you can still prove that the entire image was not modified.

All segment hashes are saved in a CSV file with the following simple format:

Hash,start LBA,end LBA



… And so on until the last LBA.

Segmented hashes for multi-pass imaging

Conventional hashing algorithms prevent imaging source evidence in a non-linear way, which means no proper hash calculation when imaging damaged evidence drives. Enabling segmented hashing allows the use of multiple passes and more efficient handling of damaged drives, while still hashing all good areas.

Hashes are calculated only for the imaged regions, while all bad sectors are excluded from the calculation.

Segmented hashing in Imaging

Better resiliency

Another reason to use segmented hashes is to provide for better resiliency against target image data corruption. If your acquired evidence image is damaged at some point in the future, with regular hashes you will get a hash mismatch upon verification, and the entire image becomes useless, whereas with segmented hashes only one hash from a set becomes invalid.

Example – imaging with segmented hashing enabled

Here are imaging results with the link to segmented hashes file.

Imaging results with segmented hashes

Segmented hashes are saved in a CSV file with the simple “Hash,start LBA,end LBA” format:

Segmented hashes in CSV file

Example – verification of segmented hashes

There is a new operation added to Atola Insight – Verify Segmented Hashes. It is an automated way to take existing CSV files containing segmented hashes and verify all of them against the target image.

Let us take a closer look at the example to see how it works.

Step 1. First, let’s simulate a change of the evidence image. We can do so by selecting the target image and changing one byte at sector #35,000,000.

Change one byte in Disk Editor


Step 2. Now we go to Verify Segmented Hashes. Select the file with segmented hashes calculated during imaging and click Start.

Start segmented hash verification


Step 3. Hash verification is in progress. Here we see 18 segmented hashes checked. Hash for the interval that includes sector 35,000,000 is invalid.

Segmented hash verification in progress


Step 4. Hash verification finishes with the proper case report automatically created.

Segmented hash verification report


If you want to learn more about other 4.7 changes, visit this page: Atola Insight Forensic Changelog.

Where to buy

If you still do not have an Atola Insight Forensic and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:


P.S. Dear customers, we appreciate your feedback and will take it into account when making changes to the product. Therefore, please feel free to write your thoughts or ideas as comments below.


Vitaliy Mokosiy

Vitaliy Mokosiy

Atola CTO He believes in saving time & energy of people doing mission-critical work. Therefore, all his efforts are focused on leading R&D of innovative Atola products. Gamification enthusiast. Agile development proponent.

Leave a Reply

Your email address will not be published. Required fields are marked *