Atola team recently attended a few European events and had lots of great conversations with participants from Germany, the United Kingdom, Switzerland, Lithuania, Czechia, Kuwait, Austria, Romania, Hungary, South Korea, Singapore, Egypt, the Netherlands, Denmark, Israel, Ukraine, Georgia, Saudi Arabia, Italy, France and many other countries!
We are thrilled to have had the exchange of ideas these events have enabled. Our team of engineers always draws inspiration from the feedback we receive from you. We are certainly looking forward to more!
But most importantly, we got a chance to explain how our tools can help you in solving your daily tasks. Here are some of the questions asked and the answers given.
How do TaskForce and Insight compare in terms of imaging speed, file formats, parallel capabilities etc?
Both Atola TaskForce and Atola Insight Forensic’s latest hardware include server-grade motherboard and CPU. These components secure parallel imaging at the top native speed of the source and targets. ECC RAM further secures the reliability of data transfer.
While Insight images three drives in parallel (plus a bunch of other tasks), TaskForce supports up to the whopping 18 sessions at the cumulative speed of 15 TB/hour.
Both Atola Insight Forensic and Atola TaskForce work with raw (img, dd), E01 and AFF4 file formats. Depending on the format and other parameters of a file (compressed, sparse) and the type of the drive used, the speed may be vastly different. For instance, both tools achieve 500 MB/sec on modern SSDs and 1.3 GB/sec on new NVMe drives.
When imaging to a server, TaskForce gives you a performance advantage. Use a 10Gbit Ethernet switch and activate Jumbo frames to achieve great speeds.
What is the compression level for forensic files in Insight and TaskForce?
TaskForce supports imaging to compressed E01 files and compressed AFF4 files.
The supported AFF4 compression algorithms are LZ4 and Snappy (aka Zippy). Both these compression methods are very fast: up to 250 MB/sec for Snappy and 400 MB/sec for LZ4.
E01 file format only employs zlib algorithm, which achieves up to 270 MB/sec.
Both Insight’s and TaskForce’s file compression levels are set to 2. This gives the best speed with a good enough compression ratio. The actual compression ratio (%) is highly dependent on the contents of the drive and the type of data on it. Therefore it is impossible to give a universal value.
Can you recover data from a deleted file?
Even if a user deletes a file from a computer or even the Recycle Bin, it does not mean that all data of the file has been erased from the drive. While the record of the file in the filesystem has been removed, the data pertaining to the file remain in the sectors to which they had been recorded. However, the old data may be overwritten with new files and their data. Therefore the more the drive is being used, the less probability there is that data from a deleted file remains intact.
Here is how Insight can help you in retrieving this data:
If you know any details from the file contents, search for the keywords or other artifacts in Insight’s Artifact Finder. Unlike most other forensic analysis tools, Insight’s Artifact Finder parses data not on the file system level but on the sector level. This gives you the advantage of finding data from deleted files.
The File Recovery module includes the capability to recover deleted files in these file systems: NTFS (all versions), FAT16, FAT32, HFS, HFS+, HFSX.
Please note that modern SSDs wipe the sectors belonging to the deleted files at the command of an operating system (Windows, Linux, MacOS) shortly after files have been deleted:
- the operating system sends the Trim command to the sectors belonging to the deleted files
- SSD controller decides when to wipe them
- the trimmed sectors are replaced by new ones from the over-provisioning zone
- trimmed sectors are then shortly used for new data
This means that SSDs provide a much lesser chance of recovering such data from deleted files.
How easy is it to integrate TaskForce into my organization’s automated workflow?
TaskForce can be easily integrated into any workflow automation tool by employing a set of Web API protocol commands. Atola team made them public from the start. This interface has helped dozens of organizations to integrate their TaskForce into their automated workflows. Some of the automation tools are custom, in-house, and others are vendor automation tools.
Can I enter the parameters of a RAID if the configuration has not been identified?
As of now, TaskForce is able to automatically detect and mount RAID arrays of these types: JBOD, RAID 0, 1, 5, 10. More RAID types will be supported in the upcoming releases.
If you know the parameters of a RAID, you can enter them manually at the top of the RAID screen.
However, as of now, the only RAID types TaskForce can mount and show the contents of, are the supported ones. Our engineers are investigating the ways to allow manual reassembly of rare RAID types. We will keep you posted!
Director of Marketing Yulia believes that with a product that is exceptionally good at solving tasks of forensic experts, marketing is about explaining its capabilities to the users. Yulia regularly represents Atola at DFIR events, holds free workshops and webinars about Atola imagers functionality and advocates on the users' behalf to ensure that Atola keeps on adding value and raising the bar for the industry.