Atola Insight Forensic is hitting a remarkable milestone today with the release of v5.2! This update brings some great new productivity features and more consistent performance.
The major changes in the 5.2 software update allow to:
- wipe multiple drives
- launch a third-party CLI app after image acquisition is over
Let’s delve into the new features to see how they can make you more efficient and productive at work.
Wipe multiple drives
One of the most popular use cases of Atola Insight Forensic is wiping multiple drives to prepare them for further digital forensic activities. Most of our customers prefer to wipe several drives connected to DiskSense unit simultaneously. To ease the launch of multiple wiping operations, there is a new menu item called Multi-launch. It includes two operations for now:
- Fill or Erase
- SSD Trim
While SSD Trim enables to trim all of SSDs plugged into the DiskSense unit, Fill or Erase via Multi-launch helps run up to 7 forensic wiping processes in parallel.
In Multi-launch mode, Atola Insight suggests a variety of wiping methods:
- Custom pattern
- LBA number in each sector
- Secure Erase
- DoD 5220.22-M
- NIST 800-88
For SSD drives, it is highly recommended to use Secure Erase in Enhanced mode. It acts as a simple generation of the internal crypto key because the SSD NAND memory is encrypted by default. It makes data unrecoverable from all memory blocks, including the over-provisioning zone.
Look how quick the launch of wiping for 7 drives via Multi-launch is:
Launch a CLI app after image acquisition is over
More imaging automation comes with the new feature to help you become more efficient.
You can find it as After imaging option.
Using it, one can launch any CLI app or even BAT-file containing the chain of CLI apps immediately after imaging is completed.
Insight 5.2 assists in specifying default arguments of Autopsy, X-Ways, Forensic Explorer and OSFMount.
In such a case, the typical workflow will be:
- Enable the option
- Specify CLI app and its arguments, where %1 is a full path to target image file that will be created during
- Start imaging
- Leave it working (creating image of modern 10+ TB drives can take 10-15 hours)
- After imaging completion, Atola Insight removes the target image file from the top port panel, closing the file handle
- Then Atola Insight launches the specified CLI app against it
- Not only is the source evidence imaged, but also it is processed with your favorite forensic analysis app!
Example. Atola Insight Forensic with KAPE against created E01 image
KAPE is a wonderful free triage tool developed by Eric Zimmerman. Digital forensic experts love it for high performance and effectiveness in collecting evidence files.
The tool works with folders and files and cannot parse partitions in E01 image file. The workaround is creating BAT file with three instructions:
- mount a partition from E01 file with OSFMount
- run KAPE
- unmount the partition with OSFMount
We collect all browser user data using KAPE in this example.
After imaging is over, Atola Insight executed the BAT file, which resulted in the following text file. The text file is added to Atola Insight case report.
Insight Forensic 5.2 changelog
Multi-launch of Fill or Erase and SSD Trim operations. It makes wiping of all drives possible in a few clicks.
- Launch of CLI app against the created target image file upon imaging completion
- Performance increase by 50% when imaging smaller sector blocks (≤ 256 sectors)
- Improved imaging of a freezing drive with a bad head disabled in settings
- Option to omit invalid partitions when starting the imaging of all sectors with data/metadata
- Post-hashing of segmented hashes now uses the ranges calculated during imaging
- SAS drives. DIF Type 2 protection is detected and reported
- NVMe drives. Vendor ID added to report
Head support for WDC Digital Caviar family
Support of parsing of NTFS partitions with cluster size ≥ 128K
FAT partition validation improvement
Support of MS SQL Server 2019
Imaging. Rare possible error when comparing source drive SMART tables before and after image acquisition
Automatic checkup. Error during head check of an old 40 MB drive
- UI fixes of information alignment and wrapping in the locate sectors message box
- Case report view and printing fixes
- Memory leak when working with APFS volumes
- Memory leak when handling partitions with 100K+ files
- XFS only. Incorrect hash calculation for sparse files
- Issues with support of NTFS compressed files
- Issues when reading ext2/3/4 sparse files
- Redundant error box after double-click in attempt to view file via external viewer
Comparing. Rare mismatch issue when comparing 4K-sector source device with 2+ other targets
NTFS partition created by Xbox S could not be recognized
APFS containers without volumes were missing in UI
Rare case when exFAT partition could not be parsed
Selection of image file on source drive (IFoS) was not working for USB, SAS, IDE and extension ports since the 5.0 software update
UI fixes for extremely long file paths and names
It was impossible to move Insight work folder if it was assigned to a root partition folder (D:\, for instance)
Work folder transfer issues occurred for a case associated with image file on target device (IFoT)
Home page, SAS drives. Last LBA field value was larger by one sector than expected.
Application crash happened after opening a missing attached file of case
DiskSense 2 unit only. Some SSD models could not be identified on SATA ports after power cycling the unit
You can download the latest update here: Insight Forensic 5.2
Where to buy
If you still do not have an Atola Insight Forensic and would like to place an order, contact Atola Technology directly, or a distributor near you:
Please contact Atola Technology sales department to receive more specific information:
- Call us: +1 888 540-2010, +1 416 833-3501 10am – 6pm ET
- Or email us
P.S. Dear customers, we appreciate your feedback and take it into consideration when updating our products. Please feel free to write your thoughts and ideas in the comments section below.