On Tuesday, June 16 Atola’s Yulia Samoteykina spoke at Interpol’s annual Digital Forensics Expert Group. After the presentation about our imagers’ multi-pass imaging system and other damaged media functionality, we received a few follow-up questions. In this blog we would like to reiterate the answers to these questions:
Can Atola imager acquire evidence from damaged SSDs?
As is true with any type of media, the degree of damage will inform how we can help with data recovery from a specific device. SSD failures fall into three major categories: logical errors, hardware issues, firmware failure.
Atola imagers may be able to image data from an SSD with logical errors or hardware issues (e.g. NAND flash wear-out) using our multi-pass imaging system. A good predictor of success can be the Media Scan stage of the diagnostics process.
How do you resolve the issue of imaging a drive (Ext4), if the “Failed to copy” message showed up while using another forensic imager?
If there are bad sectors in the area that stores metadata of the file system, some of the files or the whole of the partition may not be recognizable for regular tools. But the imaging of the files without the file system’s metadata may have been possible. Subsequently, they may be available for acquisition with the help of Insight’s File Recovery functionality.
Can Atola imagers retrieve data from water-damaged hard drives?
Depending on many factors, the impact on the drive could vary substantially. First of all, the kind of contact (it can range from sprinkles to complete submergence), the duration of such impact and even the composition of the water (if there is residue in the form of salts). And in some cases, it can be quite dramatic. Therefore, Atola engineers recommend that you bring such drives to a cleanroom. At the cleanroom, engineers will perform the initial damage assessment, repair, and cleaning.
After that, run diagnostics with an Atola imager. It is very likely that there was damage to the platters, and our multi-pass imaging system will acquire the image as usual.
Will Atola TaskForce support AFF4 file format?
Yes, Atola is planning to support AFF4 and other logical image file formats (also including L01 and NFI) in our upcoming releases.
Do courts of law accept segmented hashing as a proper way of verifying data?
Yes, segmented hashing has been a principle forensic examiners successfully follow in their work. This principle is well laid out in academic works and is also widely used in cryptography and secure data modification. Meanwhile, in digital forensics, a number of vendors who support AFF4 image files have adopted the same principle. Among them X-Ways, BlackBag Macquisition, Evimetry.
Most importantly, with the forensic examiner’s proper understanding of the concept and ability to demonstrate it to the court, segmented hashing is as good a verification method as any.
Join us at our weekly virtual booth session. We always have an engineer with us, and we will be happy to answer any questions you may have!
He believes in saving time & energy of people doing mission-critical work. Therefore, all his efforts are focused on leading R&D of innovative Atola products.
Gamification enthusiast. Agile development proponent.
- Atola TaskForce 2023.4.2 stability update - August 7, 2023
- Wipe multiple drives in Atola Insight Forensic 5.2 - May 26, 2022
- Logical imaging in TaskForce 2022.4 - April 11, 2022
Vitaliy Mokosiy
Atola CTO He believes in saving time & energy of people doing mission-critical work. Therefore, all his efforts are focused on leading R&D of innovative Atola products. Gamification enthusiast. Agile development proponent.
