We are happy to announce a new firmware update for Atola Insight Forensic. For version 5.4, we’ve thoroughly overhauled our Disk Editor module to make byte-level analysis much easier. The new update also includes more than 35 new features and bugfixes. And, a nice bonus: Insight Forensic can now detect two and more file systems intentionally squeezed into a single file system partition.
The new Disk editor: find, read, or edit bytes quicker and easier
The Disk editor module for analyzing device data on the byte level has got a fresher look and feel.
Here are the main improvements:
- Navigate faster. Insight Forensic now seamlessly reads device space in infinite mode: bytes are loaded automatically as you scroll the hex viewer up or down. Quickly jump to a certain position using the Go to sector button or Ctrl + G keyboard shortcut. And two more convenient shortcuts: Ctrl + Home immediately brings you to the first sector of a drive and Ctrl + End gets you to the last sector.
- Search for hex strings easily. To quickly find a certain byte sequence, go to the Data inspector tab or press Ctrl + F shortcut and enter a string you are searching for. Use Find previous and Find next buttons to cycle through found byte sequences.
- Understand bytes quicker. Save time when interpreting bytes thanks to the new Data inspector feature. It converts hex value to decimal (8-, 16-, 24-, 32-bit integer) or binary format on the fly.
Detect file system structures automatically
Master Boot Record, GPT sector, FAT/NTFS/ext Boot Sector, HFS headers, NTFS File Record and other structures are automatically detected and parsed into a human-readable form.
Find two or more ambiguous file systems hidden within a single partition
A brand new nice-to-have feature for deep-dive analysis. Imagine that someone managed to place two or even more fully functional file systems within a single file system partition on the storage device to conceal data.
Researchers Janine Schneider, Maximilian Eichhorn, and Felix Freiling in their paper titled “Ambiguous File System Partitions” showed that it is possible to create ambiguous file system partitions by integrating a guest file system into the structures of a host file system. The authors point out that since typical file systems that occur in forensic analysis are usually unambiguous, ambiguous file system partitions may serve as useful corner cases in forensic tools and processes.
We at Atola Technology were inspired by this paper and decided to implement ambiguous file systems detection in our product.
Insight Forensic 5.4 now detects host and guest file systems placed within the same sector range during the Automatic checkup and notifies the user about it in the Diagnostics report.
Moreover, you can image one or both partitions and also correctly access their files in the File recovery module.
Insight Forensic 5.4 Changelog
New Features
Fully revamped Disk Editor:
- Infinity mode when reading a drive or image file.
- Instant navigation with hotkeys: Ctrl + End, Ctrl + Home, Page Up, Page Down.
- HEX byte signature search: Ctrl + F hotkey.
- Go to the sector button (Ctrl + G hotkey).
- Data inspector to interpret bytes and groups of bytes in decimal and binary formats.
- Hashing of selected bytes: select bytes > right click > Hash.
- New automatic template: APFS NX Superblock.
Imaging:
- Improvement of Resume functionality for imaging in unexpected crash situations: PC power loss, unit power off, Windows process failure, etc.
- Live artifact keyword search runs in parallel against all ASCII, UTF-8, UTF-16 BE, UTF-16 LE encodings instead of one selected encoding.
- New Port field in Email notification settings.
- UX. When re-selecting a target drive with a Veracrypt container, its password does not have to be re-entered.
Imaging, Automatic Checkup, File Recovery. Added support for:
- ext4/3/2 and HFS partitions that have missing Group 0 padding.
- APFS volumes created on macOS Monterey and later versions.
- sealed APFS volumes.
- two or more partitions within one sector range (steganography). See Ambiguous File System Partitions – DFRWS USA 2022
Automatic Checkup. New validation checks for:
- XFS
- ext4/3/2
- HFS/HFS+/HFSX
Artifact Finder:
- Keyword search runs in parallel against all ASCII, UTF-8, UTF-16 BE, UTF-16 LE encodings instead of one selected encoding.
- Etherium address validation improved.
- BIP39 wordlist validation improved.
File Recovery. Optimized memory use for XFS file system.
System-wide improvement of event logs in all long-running processes. Improved user experience when scrolling through the log as new records are added.
Detect all devices action added to the first dialog you see after Insight launches.
Hotkeys were added for Detect All and Multi-launch actions in the top menu.
DiskSense 2 unit only:
- Ability to change the unit’s hostname.
- Supported Chinese and Japanese characters in metadata for E01 image files on the target drive.
Bugfixes
Imaging:
- Possible out-of-memory error when imaging 10+ TB source drive to E01 compressed segmented files.
- A few small issues when using the “After imaging” option.
- Rare error when formatting a target drive to store images with exFAT.
- Incorrect data mapping in Entropy graph view when imaging MacBook Pro 16.
- If ‘All sectors with data’ is selected and one of the partition areas is beyond the HPA/AMA address limit, imaging sometimes fails to start.
Automatic Checkup. Incorrect current measurement for 18+ TB Seagate Exos drives.
Artifact Finder. Hex viewer could freeze during the running Artifact finder process with a large number of artifacts (over 1 million).
Locate sectors. UI fixes for Sector ranges field and progress page texts.
Compare. Error when starting an operation with a USB drive and an image file having a size that is not divisible by 512.
Removed a redundant error message when refreshing the home screen with an unidentified USB drive.
Occasional error ‘An item with the same key has already been added’ when importing.
Fixed speed value precision when it exceeds 1GB/s.
DiskSense 2 unit only.
- False “Plug ethernet cable” message for 40 seconds after booting.
- Clicking Re-Identify on a Source port could deselect an image file on another Source port.
- Re-Identify in the top menu was working only for Source 1
Download
To get access to all new features, download Atola Insight Forensic 5.4 from our website.
Where to buy
To order an Atola DiskSense 2 hardware unit or extend your subscription, contact Atola Technology directly or find a distributor near you.
To get more information about Atola Insight Forensic or to discuss the details, please contact Atola Technology sales department:
- Call us: +1 888 540 2010, +1 416 833 3501 10AM-6PM ET
Or email us
- TaskForce 2024.9 update – Templates for target files - September 26, 2024
- E01 vs AFF4: Which image format is faster? - July 9, 2024
- Image Synology NAS RAIDs with TaskForce 2024.6 - June 27, 2024