
Atola Insight Forensic 4.1


Today we have released Atola Insight Forensic 4.1.

Our main efforts went into bug fixing to make Atola Insight Forensic more stable and reliable, and version 4.1 includes over 100 fixes and improvements. The most significant changes are described below.

Full Atola Insight Forensic 4.1 change log is available here: Atola Insight Changelog.

Imaging: new Metadata-only option

The new Metadata-only imaging mode copies the absolute minimum amount of data needed for file browsing to work, which in turn allows imaging of specific files.

All sectors with metadata

Creating imaging sessions from File Recovery

It is now possible to create an imaging session that includes the sectors of specific files. It works perfectly together with the new ‘All sectors with metadata’ option in Imaging. Here is the quickest scenario to image a pack of files:

  1. Start imaging with ‘All sectors with metadata’ selected.
  2. After imaging finishes, switch to target port and go to File Recovery.
  3. Find files you need to image and select them.
  4. Click ‘Image selected…’ button.
  5. Start new imaging session that copies data of the selected files.
  6. Re-visit File Recovery and see the files are 100% copied.

File imaging

Automated sector analysis

Automated sector analysis is now built into Disk Editor and Imaging. When viewing sectors, known metadata is automatically parsed into a human-readable form.

Metadata types supported:

  • Master boot record
  • NTFS boot sector
  • NTFS file record
  • NTFS index
  • HFS volume header
  • HFS plus B tree header
  • ext super block
  • exFAT boot sector
  • FAT32 boot sector
  • FAT boot sector

File Record

File Record Parsed

Imaging presets

Imaging settings can now be saved into custom presets. Export/import operations will be added in Insight v.4.2.

Imaging Preset

How to order

You can order Atola Insight Forensic from us directly, or from a distributor near you:
http://atola.com/wheretobuy/

The post Atola Insight Forensic 4.1 appeared first on Official Atola Technology Blog.


Benchmark of the upcoming Atola Insight Forensic 4.2


In the modern world, hard drives are getting bigger and bigger. The amount of data stored grows every day and demands more effort from forensic experts. Thus, the performance of the data acquisition process becomes more and more critical.

One of the major improvements in the upcoming 4.2 release is a significant speed-up of core disk operations:

  • Imaging
  • Hashing
  • Comparison
  • Wiping

Here are the latest benchmark results:

| Operation | Atola Insight Forensic 4.2 | Atola Insight Forensic 4.1/4.0 |
| --- | --- | --- |
| Disk imaging | 418 | 391 |
| Disk imaging with MD5 | 418 | 385 |
| Disk imaging with SHA-1 | 312 | 312 |
| MD5 calculation | 449 | 371 |
| SHA-1 calculation | 312 | 312 |
| Comparison with pattern | 458 | 374 |
| Disk wiping | 470 | 447 |

Values represent Megabytes per second (MB/s).

The tests were performed on this pair of Samsung 840 PRO drives.

Atola Insight Forensic Benchmark SSD Drives

Benchmark screenshots

Disk imaging

Insight 4.2 Imaging Speed

 

MD5 hashing

Insight 4.2 Hashing Speed

 

Comparison with pattern

Insight 4.2 Comparison Speed

 

Disk wiping

Insight 4.2 Wiping Speed

The post Benchmark of the upcoming Atola Insight Forensic 4.2 appeared first on Official Atola Technology Blog.

Atola Insight Forensic 4.2 released


Atola Insight Forensic 4.2 with support of image files on target media and greatly improved performance has been released.

The new version includes over 120 fixes and improvements. The most valuable changes are addressed below.

Full Atola Insight Forensic 4.2 change log is available here: Atola Insight Forensic Changelog.

World’s fastest forensic imager

Insight Forensic 4.2 got a great speed-up for imaging and other operations, even when run on weak laptops. See our latest benchmark published in the blog.

Image files on target devices

Image files can now be created on exFAT-formatted Target hard drives. Specific exFAT formatting with a large cluster size is necessary for good performance during the imaging process.

So now you can take a big HDD, attach it to a DiskSense unit and create as many image files as the drive capacity allows. This is how an image file on a target can be created in Insight Forensic 4.2.

Image File on Target 1

This is what imaging a source SSD to an image file located on a target drive looks like.

Imaging source HDD to Image File on Target

Much better File Recovery user experience

File Recovery got lots of UI and performance improvements:

  • More compact and meaningful file list where you can include all file cluster/sector numbers
  • New cumulative filters
  • Browsing and recovery 400% speed-up for USB devices
  • Browsing and recovery 300% speed-up for ext4 partitions
  • Improved look & feel
  • Tracking of already recovered files: visual (green background) + filter (Recovered / Non-recovered)
  • Added keyboard shortcuts and improved navigation

File Recovery UI

Some other significant features

Imaging presets can now be exported into files and imported back:

Import-Export Presets

 

Two hashes can be simultaneously calculated during Imaging or Calculate Hash:

2 hashes at time

 

All other major Insight Forensic 4.2 changes are listed here: Atola Insight Forensic Changelog.

How to upgrade

Insight Forensic 4.2 can be downloaded by all customers with an active software update subscription at no additional cost.

Where to buy

If you still do not have an Atola Insight Forensic and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:

http://atola.com/wheretobuy/

Additionally, we have  an upgrade program for owners of old Atola Insight. Please contact our Atola Technology sales to receive more specific information:

 

The post Atola Insight Forensic 4.2 released appeared first on Official Atola Technology Blog.

Atola Disk Recycler 2.0 with SAS support


We are introducing the new Atola Disk Recycler with full support for SAS drives. This release contains over 40 improvements and bug fixes.

Considering key features only, here is how Recycler 2.0 compares against the previous 1.8 version.

| Feature | Atola Disk Recycler 2.0 | Atola Disk Recycler 1.8 |
| --- | --- | --- |
| SATA drives | Yes | Yes |
| SAS drives | Yes | No |
| High-performance report search | Yes | No |

SAS support

We have created a new hardware system which has 4 ports with full support for both SAS and SATA drives.

New SAS and previous-generation SATA systems can be linked into a single network; both types will be properly recognized by the software.

SAS Disk Recycler 2.0

We added support of some SAS commands including custom ones like Sas, SasIn, SasOut:

sas-commands

Faster report search

The report search system was completely rewritten in Disk Recycler 2.0. It no longer uses an external database; instead, a high-performance search index was added to give a more responsive user experience when dealing with dozens of hardware units.

The search window has got the following improvements:

  • Smarter searches with wildcard support (see the screenshot below)
  • Pagination with search result count
  • Ability to export all found reports to CSV file

Report search in Recycler 2.0

All other significant Atola Disk Recycler 2.0 changes are listed here: Changelog.

How to upgrade software

Atola Disk Recycler 2.0 software is available on this page: Download

Where to buy Recycler units with SAS/SATA support

If you want to buy our newest Recycler SAS equipment, it can be done directly via Atola Technology, or from a distributor near you:

http://recycler.atola.com/pricing.html

 

The post Atola Disk Recycler 2.0 with SAS support appeared first on Official Atola Technology Blog.

Atola Insight Forensic 4.3 with Apple SSD support


We thank you all for supporting our product and proudly present the Atola Insight Forensic 4.3 release. A record 170 fixes and improvements are included in the new version. So hurry up to update your software!

Several major changes we want to focus your attention on are described below.

The full list of Atola Insight Forensic 4.3 changes can be found here: Atola Insight Forensic Changelog.

Apple PCIe SSD support

Insight 4.3 is the first version that is able to work with the newest PCIe SSDs from Apple MacBooks (2013 – current models). This is done via a new Atola adapter that plugs into the Extension port, which is located on the side of the DiskSense unit with the cooling fans:

Extension port for Apple PCIe SSD adapter

The new Insight version can perform SSD Trim, hash calculation, wiping, comparison, file recovery and of course imaging of the newest MacBook drives. By means of the new Atola extension adapter, Insight 4.3 can image such SSDs remarkably fast, reaching a speed of 24 GB per minute.

Apple PCIe SSD

Hashes in File Recovery

All files on any target port have hashing enabled by default in File Recovery. File hashes are calculated in the background for every file set found while reading device folders. Calculated hashes are automatically saved into the respective target case folder to avoid calculating the same file hash twice.

Insight > Preferences now has a File Recovery tab that allows switching the Hash and other columns on and off. It can be set up separately for the source port and for target ports.

We have also added a “Hash all files” button that may help in situations when it is necessary to calculate all hashes before performing file recovery.

Hashes

Advanced search options in File Recovery

Newly added file hashes can be specified in search conditions. Here’s the full list of search conditions added to Insight 4.3:

  • Date accessed
  • Date created
  • Date modified
  • File attributes (hidden)
  • First bytes (file signature)
  • Hash
  • Size

Each of these can be specified many times with different values and operations (more/less than, equals, between, etc.).

All new filters are grouped into a preset and can be exported to a file and imported from it. Thus, you can share search presets with your co-workers.

File Recovery search options

E01 image files

The new version supports imaging to one or more E01 files. So now Insight Forensic has three types of image files, which may be beneficial in different situations:

  • E01 (EWF)
  • Growing
  • Preallocated

E01

Case port on the top panel

You can now search and open cases on a separate new Case port while the source port is running some operation. This lets you work with your case history in a faster and more convenient fashion while multi-tasking.

Opened Case

 Specific support of new drive models

Recovery of unknown passwords is enhanced for such drive models as:

  • Hitachi: A9A3, CLA3, A7E6, A9E6 families
  • Toshiba DT
  • Samsung HD502IJ, HM160HI and similar models with certain firmware reading problems

Head-selection imaging and scanning is now possible for the following Toshiba drive families: MK, MQ, DT.

Automatic Checkup head analysis became more robust after improvements made for specific WD, Hitachi and Toshiba drives.

 

All other major Insight Forensic 4.3 changes are listed here: Atola Insight Forensic Changelog.

How to upgrade

Insight Forensic 4.3 is available for download by all customers with an active software update subscription at no additional cost.

Where to buy

If you still do not have an Atola Insight Forensic and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:

http://atola.com/wheretobuy/

The extension adapter for Apple SSDs can be acquired directly via Atola Technology.

Please note that we have an upgrade program for owners of old Atola Insight. Please contact our Atola Technology sales to receive more specific information:

 

P.S. Dear customers, your feedback is always welcomed, so please feel free to write comments below.

The post Atola Insight Forensic 4.3 with Apple SSD support appeared first on Official Atola Technology Blog.

How to resolve DiskSense / HASP connection issues


The DiskSense hardware system includes an internal HASP USB dongle. It contains unique activation and subscription information.

Having more than one DiskSense system in your network may result in HASP-related conflicts. These conflicts usually manifest as “Too many connections” or “Cannot located DiskSense unit” errors. The issue is caused by the behavior of the HASP discovery system, which by default picks a random HASP dongle on the network. In other words, one Atola Insight Forensic instance may establish the connection with one DiskSense system but “use” the HASP dongle of another (random) system available on the network.

How to resolve multiple HASP connection issues

We would like to share the solution with you. The HASP discovery system offers a web administration tool where one can easily set up an IP filter specifying HASP dongle search locations.

  1. Access the URL with your browser: http://localhost:1947
  2. Click ‘Configuration’ link in the left side menu
  3. Click ‘Access to Remote License Managers’ tab
  4. Untick ‘Broadcast Search for Remote Licenses’ checkbox
  5. Enter specific DiskSense IP you want to be connected to
  6. Click ‘Submit’

After you perform these actions, the final screen should look like this:

Note: 192.168.0.200 is used as an example.

hasp-discovery

The post How to resolve DiskSense / HASP connection issues appeared first on Official Atola Technology Blog.

Atola Insight 4.4: 10Gbit Ethernet, SAS, M.2 extensions


Atola Insight Forensic 4.4 is ready for download now!

The newest version supports 3 new extension modules and includes 130+ improvements and bug fixes. In particular, we have been working really hard on the major new features described below.

Full Atola Insight Forensic 4.4 change log is available here: Changelog.

SAS extension module

The SAS extension module was designed to diagnose SAS drives and acquire images from them. It is really easy to use. Like any other extension module, it should be plugged into the Extension port located on the DiskSense unit. Then you connect a SAS drive to it and simply start working.

Atola Insight Forensic 4.4 supports damaged SAS drives, senses currents during Automatic Checkup, provides short circuit and overvoltage protection as well as write protection.

Forensic SAS extension module

Forensic SAS drive extension module

 

10 GBit Ethernet extension module

The 10GBit Ethernet module is primarily intended to accelerate data transfer between the PC and the DiskSense system. It speeds up imaging a source drive to an image file from 100 MB/s to 300-400 MB/s. File recovery from SATA/USB drives receives the same level of acceleration.

The extension module works via 10G Cat6 copper cable with RJ45 (8P8C) interface for connection.

There are some tips in the manual helping to get optimum performance. To open the manual, launch Atola Insight Forensic 4.4 and press F1 .

Forensic 10 GB extension module for Atola Insight

Forensic 10GB extension module

 

 M.2 PCIe/SATA extension module

This extension module allows working with both PCIe and SATA drives with an M.2 connector. It is another type of source drive you can select in Atola Insight. The extension supports damaged drives, write protection and lots of Atola Insight Forensic operations.

M2 PCIe Sata- SSD extension

 

M2 PCI SATA SSD extension module

You can also find more information about this and other Atola Insight extension modules.

Revamped E01 image file support

We totally revamped E01 (Encase) image file support in order to make it faster and support Pause/Resume feature in Imaging. This also helped to increase compatibility of E01 files produced via Atola Insight with some third-party forensic tools which are not tolerant to E01 metadata deviations.

Imaging Pause/Resume support for E01 image files

White/Black hash lists

The new Atola Insight version allows importing text files containing huge lists of file hashes. Those can be treated as white or black hashes. The idea behind these types is simple:

  • A white hash stands for a known good file created by known software.
  • A black hash means a known bad file. It could be malware, a hacking script, or a hidden illicit data file.

With hash lists imported into the Atola Insight DB, File Recovery checks every calculated file hash against the database. If a file hash belongs to either the white or the black hash list, special marks are shown to the left of the file hash values:

  • Files with white hashes are marked with ticks.
  • Files with black hashes are marked with warning triangles.

On top of that, White/Black hash list filtering is supported throughout File Recovery. It is available as the ‘Hash list’ condition in the Search window, so one can quickly find all files with unknown hashes (those that are not white or black) and begin working on them.

File browsing filters have also received three new options: White, Black, Unknown. Here is an example. You can see a Linux partition with the /usr/bin folder opened, which normally contains more than 1300 files.

Case 1. No filters applied

All files are shown. The ticked files are good ones since they have white hashes.

All files are shown without filtering

Case 2. Black and Unknown hash list filters applied

All good files with a White hash are filtered out. Thus, we see just two files that are valuable for further analysis. The hash of malicious.file was found in the black hash list. shady.me is not marked, which means it could contain some interesting data inside.

File Recovery black and unknown hashes interested
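The white/black/unknown triage described in this section, as an added Python example (not Atola's code). The list file format (one hex digest per line, optional file name and `#` comments), the use of SHA-256 and the rule that black wins over white are assumptions made here; the file contents are constructed stand-ins.

```python
import hashlib
from enum import Enum

HEX = set("0123456789abcdef")
DIGEST_LENGTHS = {32, 40, 64}  # hex lengths of MD5, SHA-1, SHA-256


class Verdict(Enum):
    WHITE = "white"      # known good file
    BLACK = "black"      # known bad file
    UNKNOWN = "unknown"  # in neither list: the analyst's work queue


def parse_hash_list(text):
    """Parse the assumed list format: one hex digest per line, optional
    trailing file name, '#' comments. Returns a set of lowercase digests."""
    digests = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        token = line.split()[0].lower()
        if len(token) not in DIGEST_LENGTHS or not set(token) <= HEX:
            raise ValueError(f"line {lineno}: not a hex digest: {token!r}")
        digests.add(token)
    return digests


def classify(digest, white, black):
    """Black wins when a digest is in both lists (a choice made for this
    example), so a list conflict can never hide a known bad file."""
    digest = digest.lower()
    if digest in black:
        return Verdict.BLACK
    if digest in white:
        return Verdict.WHITE
    return Verdict.UNKNOWN


def triage(files, white, black, show=(Verdict.BLACK, Verdict.UNKNOWN),
           algorithm="sha256"):
    """files maps name -> content bytes. Returns [(name, Verdict)] sorted by
    name, keeping only the verdicts listed in `show` (the browsing filter)."""
    result = []
    for name in sorted(files):
        digest = hashlib.new(algorithm, files[name]).hexdigest()
        verdict = classify(digest, white, black)
        if verdict in show:
            result.append((name, verdict))
    return result


# Constructed sample: stand-ins for /usr/bin content, not real binaries.
SAMPLE_FILES = {
    "cat": b"constructed stand-in for a known system binary (cat)",
    "ls": b"constructed stand-in for a known system binary (ls)",
    "malicious.file": b"constructed stand-in for a known bad file",
    "shady.me": b"constructed stand-in for a file in neither list",
}


def sample_lists():
    """Build constructed white/black list texts from the sample content."""
    def sha(name):
        return hashlib.sha256(SAMPLE_FILES[name]).hexdigest()
    white_text = f"# constructed white list\n{sha('cat')}  cat\n{sha('ls').upper()}\n"
    black_text = f"# constructed black list\n{sha('malicious.file')}\n"
    return parse_hash_list(white_text), parse_hash_list(black_text)


def triage_sample(show=(Verdict.BLACK, Verdict.UNKNOWN)):
    """Case 2 from the text: hide white files, keep black and unknown."""
    white, black = sample_lists()
    return triage(SAMPLE_FILES, white, black, show)


if __name__ == "__main__":
    for name, verdict in triage_sample():
        print(f"{verdict.value:8} {name}")
```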

All other 4.4 changes are listed here: Atola Insight Forensic Changelog.

How to upgrade

Atola Insight Forensic 4.4 is available for download to all customers with an active software update subscription at no additional cost.

Where to buy

If you still do not have an Atola Insight Forensic and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:

http://atola.com/wheretobuy/

The extension modules can be acquired directly via Atola Technology.

We still have an upgrade program for owners of old Atola Insight v3.x. Please contact our Atola Technology sales to receive more specific information:

 

The post Atola Insight 4.4: 10Gbit Ethernet, SAS, M.2 extensions appeared first on Official Atola Technology Blog.

Imaging speed improvements preannounced in Atola Insight Forensic 4.5


We would like to share the newest speed achieved by the revamped Imaging engine. It will be shipped with the 4.5 software update in May.

Total imaging performance was significantly improved during the last 4 months. Just take a look at the 503MB/s imaging speed in the screenshot below. It is more than 30 GB per minute.

imaging-speed

 

The new imaging engine empowers you to clone a 256GB Samsung 850 Pro in just 8.5 minutes!

256GB imaged in 8.5 minutes

The post Imaging speed improvements preannounced in Atola Insight Forensic 4.5 appeared first on Official Atola Technology Blog.


Atola Insight Forensic 4.5 release


Atola Insight Forensic 4.5 is released!

We put a great deal of effort into implementing the new imaging engine to improve image acquisition stability and performance at the same time. There are quite a few changes to other parts of the product as well. In total, our internal issue tracking system has a record number of almost 250 tasks completed for the 4.5 release.

Full Atola Insight Forensic 4.5 change log is available here: Version Log.

Improved performance

Atola Insight 4.5 benchmarks show speed-up of core disk operations (all numbers are MB/s):

| Operation | Atola Insight Forensic 4.5 | Atola Insight Forensic 4.4 |
| --- | --- | --- |
| Imaging to SATA target | 500 | 418 |
| Imaging to raw image file (1Gb network) | 120 | 110 |
| Imaging to E01 file with MD5 and SHA1 (1Gb network) | 118 | 85 |
| Imaging to compressed E01 file | 57 | 30 |
| MD5 calculation | 482 | 449 |

The tests were performed using two drives of the following model: Samsung SSD 850 PRO 256GB EXM02B6Q.

 

New features in Imaging

The revamped Imaging engine introduces some smart and beautiful features. For example, it will now automatically clear ATA password and HPA on-the-fly after power cycle if they were temporarily removed (only temporary removal is supported for write protected source media).

Password reset

 

Imaging progress bar is included in every resulting case report to visualize cloned data.

Imaging progress bar

 

There is a new imaging setting “Stop hashing on first error”.  It calculates and stores a correct hash for all sectors preceding the first read error on an evidence drive.

Stop hashing on read error
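The idea behind “Stop hashing on first error”, combined with calculating two hashes in one pass, as an added Python sketch (not Atola's implementation). The simulated drive, the zero-fill of unreadable sectors and recording the hashed sector count for later verification are assumptions of this example.

```python
import hashlib

SECTOR = 512


def make_reader(bad):
    """Constructed stand-in for a source drive: sector N holds the number N
    repeated; sectors listed in `bad` raise OSError like a read error."""
    def read_sector(lba):
        if lba in bad:
            raise OSError(f"unreadable sector {lba}")
        return lba.to_bytes(4, "little") * (SECTOR // 4)
    return read_sector


def image_with_hashes(read_sector, total_sectors, algorithms=("md5", "sha1")):
    """Image sector by sector, feeding every hash from the same read.
    Hashing stops at the first read error; imaging continues after it."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    image = bytearray()
    errors = []
    hashed_sectors = 0
    for lba in range(total_sectors):
        try:
            data = read_sector(lba)
        except OSError:
            errors.append(lba)
            data = bytes(SECTOR)  # assumption: unreadable sectors are zero-filled
        else:
            if not errors:  # still before the first read error
                for hasher in hashers.values():
                    hasher.update(data)
                hashed_sectors += 1
        image += data
    return {
        "image": bytes(image),
        "errors": errors,
        # The covered range must be stored with the digests, otherwise
        # nobody can reproduce them from the image later.
        "hashed_sectors": hashed_sectors,
        "digests": {name: h.hexdigest() for name, h in hashers.items()},
    }


def verify_prefix(image, hashed_sectors, digests):
    """Re-hash the first `hashed_sectors` sectors of an image and compare
    with the stored digests."""
    prefix = image[:hashed_sectors * SECTOR]
    return all(hashlib.new(name, prefix).hexdigest() == value
               for name, value in digests.items())


if __name__ == "__main__":
    result = image_with_hashes(make_reader({40, 41, 50}), 64)
    print("read errors at:", result["errors"])
    print("hash covers sectors 0 ..", result["hashed_sectors"] - 1)
    print("verified:", verify_prefix(result["image"], result["hashed_sectors"],
                                     result["digests"]))
```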

 

We improved logging verbosity during imaging. You can see the most noticeable change when ‘All sectors with data/metadata’ is selected. In that case the imaging log will contain information about found partitions.

Found partitions

 

Last but not least, Atola’s new media map manager offers better user experience to select custom partitions and ranges for imaging.

Imaging media map manager

 

New preferences

There are two new options in Miscellaneous tab that need to be explained:

  • Power down SATA target device when operation finished
  • Enable Target HEX viewer during Imaging

Image 008

Power down SATA target device when operation finished

Before Atola Insight 4.5, all long-lasting operations (Imaging, Calculate Hash, Fill or Erase, Comparing) performed on Target ports were followed by a mandatory power off. This is mainly done for the safety of target drives containing imaged source data. However, it is not always wanted. For instance, when you have been wiping a drive with Fill or Erase and are going to start Imaging immediately afterward, a power cycle is not needed. In that case, it is convenient to disable the option.

Enable Target HEX viewer during Imaging

Disabling the Target HEX viewer during Imaging matters when the source data is so sensitive that the software user must not see it. In such a case Imaging runs from a source drive to a target drive, with both plugged into the DiskSense system. With the Target HEX viewer disabled, we guarantee that the source byte flow goes through the DiskSense system only and does not enter the network or the host PC.

 

All other 4.5 changes are listed here: Atola Insight Forensic Changelog.

How to upgrade

Atola Insight Forensic 4.5 can be downloaded by all customers with an active software update subscription at no additional cost.

Where to buy

If you still do not have an Atola Insight Forensic and would like to place an order, it can be done directly via Atola Technology, or from a distributor near you:

http://atola.com/wheretobuy/

We still offer an upgrade program for owners of old Atola Insight v3.x. Please contact our Atola Technology sales to receive more detailed information:

 

The post Atola Insight Forensic 4.5 release appeared first on Official Atola Technology Blog.

Q&A during Enfuse and Techno Security conferences


Atola booth

We were exhibiting with Atola Insight Forensic at Enfuse and Techno Security conferences and received plenty of questions from people visiting our booth. Some of these questions were repeatedly asked, so sharing them and their corresponding answers in this blog makes sense. We do hope you find the information provided here helpful!

What is the maximum imaging speed?

You can always observe an actual imaging performance of 30 GB/min in Atola Insight Forensic v4.5 with a couple of Samsung 850 Pro solid-state drives used as source and target devices.

Why is Atola Insight Forensic better than competing products?

We produce the only solution that is specifically designed to support damaged media.

Our users usually begin with automatic diagnostics for an evidence drive. It takes a couple of minutes yet saves a lot of time and energy. It detects drive issues such as PCB instability, problems with the motor, short circuits, firmware errors, degraded or even nonworking heads, and physical media surface damage. Afterward, you can make a decision on what to do next with the evidence drive.

Even if you work with a severely damaged source device, the imaging engine enables you to:

  • disable damaged heads
  • automatically overcome much more serious problems than so-called ‘software bad sectors’
  • track drive state before, during and after imaging
  • have every imaging event logged in a forensically sound manner

Atola Insight has file recovery integrated with imaging. By browsing the target image directory tree, you can always see which source file sectors are bad sectors or even were read with the ReadLong ATA command (without ECC).

Last but not least, Atola Insight Forensic can clear any unknown ATA password from the hard disk drive in just a minute.

What image formats can be used for target files?

Atola Insight Forensic supports imaging to three image file types:

  • growing files: *.img
  • preallocated files: *.imgp
  • E01 files: *.e01

The first two are raw files, bit-to-bit source copies.  The 3rd target file type is E01 (Encase). It can be either compressed or not. Imaging to non-compressed E01 is several times faster and does not depend on CPU speed and core count.

How exactly does Atola Insight imaging process cope with damaged drives?

We have two goals here when dealing with severely damaged source drives:
1) Get as much data as possible
2) Decrease the number of failed read attempts to finish imaging with a still-alive evidence drive

Atola Insight Forensic uses a fast imaging map, thereby enabling us to run the whole process in multiple passes. The tool uses large blocks with short time-outs on the first few passes and then smaller blocks with longer time-outs on the last pass to image the tough areas. This provides the best possible results in the shortest amount of time.

Atola Insight’s ability to disable damaged heads can just save your evidence! Other imagers merely kill the drive during imaging. Imagine having seven of eight good heads. You can just image with all of them with the exception of the damaged one. Afterward, you can begin analysis of 87% of the acquired data and at the same time try to replace the damaged head. A physical head swap is always a risky challenge.

The imaging engine contains many automatic rules. For example, it resets or power-cycles the source when the source drive freezes. It can apply a reverse imaging direction in particular cases. Here is what is useful when dealing with damaged evidence: Two imaging reports are created before and after the process. Both include not only imaging information but also SMART tables, thus enabling you to see what happened to the source drive during the process.
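The multi-pass approach from this answer (large blocks with short time-outs first, small blocks with long time-outs last, driven by an imaging map), as an added Python simulation that is not Atola's engine. The simulated drive, the pass schedule and the map symbols are assumptions of this example.

```python
from dataclasses import dataclass

SECTOR = 512
PENDING, DONE, BAD = ".", "+", "B"   # imaging map states (example's own symbols)
PASSES = [(64, 100), (16, 100), (1, 2000)]   # (block size in sectors, time-out in ms)


class ReadError(Exception):
    pass


@dataclass
class SimulatedDrive:
    """Constructed stand-in for a damaged source drive."""
    sectors: int
    bad: frozenset          # sectors that can never be read
    slow: dict              # sector -> milliseconds it needs to respond
    failed_reads: int = 0

    def read(self, lba, count, timeout_ms):
        for s in range(lba, lba + count):
            if s in self.bad or self.slow.get(s, 0) > timeout_ms:
                self.failed_reads += 1
                raise ReadError(f"block {lba}+{count} failed at sector {s}")
        return b"".join(s.to_bytes(4, "little") * (SECTOR // 4)
                        for s in range(lba, lba + count))


def pending_runs(imap):
    """Yield (start, length) for each contiguous run of PENDING sectors."""
    start = None
    for i, state in enumerate(imap):
        if state == PENDING and start is None:
            start = i
        elif state != PENDING and start is not None:
            yield start, i - start
            start = None
    if start is not None:
        yield start, len(imap) - start


def image(drive, passes):
    """Run every pass over what the map still shows as pending. A failed
    block is skipped and retried on the next pass with a smaller block;
    only the last pass marks sectors BAD."""
    imap = [PENDING] * drive.sectors
    target = bytearray(drive.sectors * SECTOR)   # unread sectors stay zero-filled
    progress = []                                # sectors acquired after each pass
    for n, (block, timeout_ms) in enumerate(passes):
        last_pass = n == len(passes) - 1
        for start, length in list(pending_runs(imap)):
            end = start + length
            for lba in range(start, end, block):
                count = min(block, end - lba)
                try:
                    data = drive.read(lba, count, timeout_ms)
                except ReadError:
                    if last_pass:
                        imap[lba:lba + count] = [BAD] * count
                    continue
                target[lba * SECTOR:(lba + count) * SECTOR] = data
                imap[lba:lba + count] = [DONE] * count
        progress.append(imap.count(DONE))
    return imap, bytes(target), progress


def image_sample():
    """256-sector drive with two dead sectors and one that answers slowly."""
    drive = SimulatedDrive(256, frozenset({100, 101}), {200: 500})
    imap, target, progress = image(drive, PASSES)
    return {
        "progress": progress,
        "bad_sectors": [i for i, s in enumerate(imap) if s == BAD],
        "failed_reads": drive.failed_reads,
        "target": target,
    }


if __name__ == "__main__":
    result = image_sample()
    print("sectors acquired after each pass:", result["progress"])
    print("bad sectors:", result["bad_sectors"])
```

In this run half of the drive is acquired in the first pass and the slow sector is only recovered by the final long time-out, which is the ordering the answer describes.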

You claim you have the fastest forensic imager. How much forensic is it?

All source ports are write-protected:

  • SATA
  • IDE
  • USB
  • SAS and PCIe as extension modules

On top of that, overcurrent protection detects when the hard drive draws abnormal current and stops the hard drive to prevent any further damage.

Every action in Atola Insight is followed by automatically created case reports. The case management system gets a new report even if you physically flip the DiskSense unit’s write protection switch. Additionally, every case report includes mandatory information about the device, DiskSense unit, current PC, OS, and user.

The post Q&A during Enfuse and Techno Security conferences appeared first on Official Atola Technology Blog.

Network database setup in Atola Insight Forensic


Atola Insight Forensic enables working with a remote database shared between many users. Here is how to set up such a network database and connect different PCs with Atola Insight to it.

1. Pre-install SQL Server 2012 or 2014 on the network server PC

2. Launch Atola Insight Forensic on the user PC

3. Navigate to Insight -> Database Connection Settings from the top menu

A. Select Server type: Remote

B. Specify network server name, select SQL server instance and database names

C. Enter SQL server login and password as shown in the picture below:

Network database Atola Insight Forensic

4. Click OK and re-launch Atola Insight Forensic on the user PC.

5. It will create the remote database and ask for the Work Folder name:

Network work folder in Atola Insight Forensic

Hint: Work Folder is necessary to store large files that do not fit into the database: imaging maps, logs, file recovery hash lists.

6. Change the Work Folder to the shared folder on the network server PC.

Example: The network folder successfully selected
Network work folder in Atola Insight Forensic

 

Now you have the Atola Insight network database prepared for remote use! You can connect Atola Insight Forensic software from the other PCs. Just set up the same database settings as you did in step 3. There is no need to specify the Work Folder anymore, since Atola Insight will load it from the remote SQL server on the network server PC.

The only limitation: Two users will not be able to work on the same case simultaneously.

The post Network database setup in Atola Insight Forensic appeared first on Official Atola Technology Blog.

Atola Insight Forensic 4.6 – Scripting


Today we are releasing Atola Insight Forensic 4.6.

The killer feature is AtolaScript language and the script execution engine. Now Atola Insight empowers you to perform the most sophisticated tasks by combining over 50 commands the way you want. Those include custom ATA commands, various commands to scan throughout the entire media to find specific data, read/write tests, and many others.

Full Atola Insight Forensic 4.6 change log is available here: Changelog.

Scripting

The AtolaScript language is probably the simplest one you have ever seen. Scripts consist of one-line instructions without semicolons. Conditions (if) as well as while, for, foreach loops are available in C# syntax. It is easy to run multiple scripts over different SATA, USB, SAS, IDE devices at the same time.

With all that being mentioned, the best thing about scripting is a wide variety of simple yet powerful commands designed by Atola team.

Custom ATA commands

Atola Insight Forensic has just become the first forensic solution that enables executing any ATA command on any SATA/IDE drive.

There are three AtolaScript commands to run custom ATA commands, depending on whether data transfer is needed and on its direction:

  • Ata
  • AtaIn
  • AtaOut

A few examples:

Forensic scripts - Custom ATA commands

Forensic scripts - Custom ATA commands

Remark: Built-in Source port write-protection rejects any custom ATA command that can modify device state (i.e. perform a write operation).

 

Ultimate pattern/word/phrase search

The scripting system includes an internal search engine which is based upon Intel Hyperscan, a high-performance multiple regex matching library. It enables you to run searches everywhere including unallocated space with the help of three commands:

  • FindHEX
  • FindWords
  • Find

The commands work for all SATA, USB, SAS, IDE devices plugged into the DiskSense system.

FindWords

The command performs a search of words or phrases over the whole media space or a specified region. One of the coolest FindWords features is that it attempts to match words/phrases in different encodings: ASCII, UTF-8, UTF-16LE, UTF-16BE. Now you can quickly perform a search in a multi-language environment.

In the example below you can see how FindWords outputs found matches for three words: Dubai, Quebec, Venice.

Forensic keyword search in Atola Insight
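What a multi-encoding keyword search over raw media involves, as an added Python example. It is not AtolaScript and uses plain byte search rather than Hyperscan; the chunked reader, the function names and the constructed sample buffer are assumptions of this example.

```python
import io

ENCODINGS = ("ascii", "utf-8", "utf-16-le", "utf-16-be")


def encode_variants(word):
    """Map each distinct byte pattern of `word` to the encodings producing
    it. For an ASCII word, ascii and utf-8 give the same bytes."""
    if not word:
        raise ValueError("empty search word")
    variants = {}
    for encoding in ENCODINGS:
        try:
            pattern = word.encode(encoding)
        except UnicodeEncodeError:
            continue  # e.g. a non-ASCII word has no ascii form
        variants.setdefault(pattern, []).append(encoding)
    return variants


def find_words(stream, words, chunk_size=1 << 20):
    """Scan a byte stream for every encoding of every word. Returns sorted
    (absolute offset, word, encodings) tuples. A tail of max pattern length
    minus one byte is carried between chunks so a hit that straddles a
    chunk boundary is not missed."""
    patterns = {}
    for word in words:
        for pattern, encodings in encode_variants(word).items():
            patterns[pattern] = (word, "/".join(encodings))
    if not patterns:
        return []
    overlap = max(len(p) for p in patterns) - 1
    hits = set()       # a hit inside the carried tail is seen twice
    base = 0           # absolute offset of buf[0]
    buf = b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf += chunk
        for pattern, (word, label) in patterns.items():
            pos = buf.find(pattern)
            while pos != -1:
                hits.add((base + pos, word, label))
                pos = buf.find(pattern, pos + 1)
        keep = min(overlap, len(buf))
        base += len(buf) - keep
        buf = buf[len(buf) - keep:]
    return sorted(hits)


def build_sample():
    """Constructed buffer: the three words from the text, each in a
    different encoding, separated by 0xAA filler bytes."""
    filler = b"\xaa" * 50
    return (filler + "Dubai".encode("ascii")
            + filler + "Quebec".encode("utf-16-le")
            + filler + "Venice".encode("utf-16-be")
            + filler)


def search_sample(chunk_size=16):
    """Search the sample with a tiny chunk size to exercise the boundaries."""
    return find_words(io.BytesIO(build_sample()),
                      ["Dubai", "Quebec", "Venice"], chunk_size)


if __name__ == "__main__":
    for offset, word, label in search_sample():
        print(f"offset {offset:4}  {word:7} {label}")
```

In real UTF-16 text the zero byte of a neighbouring character usually makes both UTF-16 patterns match one byte apart, so treat such paired hits for the same word as one occurrence.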

FindHEX

We have also implemented FindHEX for high-performance HEX pattern search.

The screenshot shows how amazingly simple it is to look for BitLocker volumes:

Forensic scripts - HEX search

Find

Find is a powerful way to run a regular expression search over a specified disk region. You can find absolutely everything using the command: emails, GPS coordinates, phone numbers, home addresses, IPs, credit card numbers and so forth.

Forensic scripts - Find IP and MAC addresses via regex

 

Other handy AtolaScript commands

There are more than 50 commands available at your disposal. For instance, you can freely wipe, compare, hash drives or specific (or calculated) sector intervals.

Below I include a few more examples of what AtolaScript can do.

SMART attribute check

Forensic scripts - analyzing SMART

 

Data entropy calculation

Forensic scripts - Calculating entropy

 

Running benchmark test commands in parallel with scripts running on other devices

Forensic scripts - Multi-tasking

 

Friendly AtolaScript editor

The editor comes with a number of helpful UI options to turn scripting into a pleasant experience. Wherever these signs show up:

PlusEdit

 

one can click them and merely select a command looking at its description and sample code, and then edit command parameters with some additional help.

Forensic scripting command panel

Forensic scripting - Parameters panel

 

All other 4.6 changes are listed here: Atola Insight Forensic Changelog.

How to upgrade

Atola Insight Forensic 4.6 can be downloaded by all customers with an active software update subscription at no additional cost.

Where to buy

If you still do not have an Atola Insight Forensic and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:

http://atola.com/wheretobuy/

We still have an upgrade program for owners of old Atola Insight v3.x. Please contact our Atola Technology sales to receive more specific information:

 

The post Atola Insight Forensic 4.6 – Scripting appeared first on Official Atola Technology Blog.

Battery for Atola Insight Forensic


Today we are introducing our new product – Atola Battery.

The forensic world has been becoming more and more mobile. This is the reason why our team decided to come up with our first battery solution. It will help make your life less dependent on the availability of an electrical network when using Atola Insight Forensic. There are two main forensic use cases we see and want to emphasize.

  • Start image acquisition even when there is no electrical power.
  • Protect working DiskSense unit from power loss.

Atola Battery

Technical specifications

  • Work time: 3 hours 30 minutes, when imaging source HDD to target HDD with MD5 calculation
  • Standby time: more than 5 hours
  • Full charging: 2 hours
  • Capacity: 148 Wh
  • Input/output: 19V DC
  • Chemical: Lithium-ion
  • Dimensions: 7.5 x 7.3 x 2.1 in (192 x 185 x 54 mm)
  • Weight: 3.5 lb (1.6 kg)
  • LED charge indicators
  • Quiet mode switch
  • Chaining with 1 or 2 additional batteries

Battery for Atola Insight Forensic

Battery chaining

Battery chaining is an exclusive feature from Atola Technology.

Imagine that you have two or three Atola batteries. All of them have standard DC inputs and outputs and are internally designed to be linked together. As a result, you get a cumulative effect: the charges of all the batteries add up. This is how your battery work time can increase to more than 10 hours.

battery-chaining

Where to buy

The batteries are already in stock and ready to be shipped. You can purchase Atola battery following this link:

http://atola.com/wheretobuy/

Please contact our Atola Technology sales to receive more specific information:

The post Battery for Atola Insight Forensic appeared first on Official Atola Technology Blog.

Atola Insight Forensic 4.7 – Segmented hashing


Atola Insight Forensic 4.7 is released!

This release comes with the new hashing concept which protects you from damaged target images and works in parallel with the multi-pass imaging engine.

The full list of Atola Insight Forensic 4.7 changes can be found here: Atola Insight Forensic Changelog.

How is segmented hashing different from regular hashing?

With regular hashing, you get a single hash for the entire image.

With segmented hashing, you end up with many hashes of corresponding LBA ranges (chunks) of the image. The sum of these LBA ranges represents the entire image, just not necessarily in sequential order. By validating all hashes in a set, you can still prove that the entire image was not modified.

All segment hashes are saved in a CSV file with the following simple format:

Hash,start LBA,end LBA

Example:

75c92419e86ce82734ef3bbb781e6602,0,8388608
e2c7fc5264bae820e46c50b0502236d3,8388609,16777216
42718e48b5adb59563c98727cbce0619,16777217,25165824

… And so on until the last LBA.

Segmented hashes for multi-pass imaging

A conventional single hash has to be calculated over the data in sequential order, so it cannot be calculated properly when a damaged evidence drive is imaged in a non-linear way. Enabling segmented hashing allows the use of multiple passes and more efficient handling of damaged drives, while still hashing all good areas.

Hashes are calculated only for the imaged regions, while all bad sectors are excluded from the calculation.

Segmented hashing in Imaging

Better resiliency

Another reason to use segmented hashes is to provide for better resiliency against target image data corruption. If your acquired evidence image is damaged at some point in the future, with regular hashes you will get a hash mismatch upon verification, and the entire image becomes useless, whereas with segmented hashes only one hash from a set becomes invalid.

Example – imaging with segmented hashing enabled

Here are imaging results with the link to segmented hashes file.

Imaging results with segmented hashes

Segmented hashes are saved in a CSV file with the simple “Hash,start LBA,end LBA” format:

Segmented hashes in CSV file

Example – verification of segmented hashes

There is a new operation added to Atola Insight – Verify Segmented Hashes. It is an automated way to take existing CSV files containing segmented hashes and verify all of them against the target image.

Let us take a closer look at the example to see how it works.

Step 1. First, let’s simulate a change of the evidence image. We can do so by selecting the target image and changing one byte at sector #35,000,000.

Change one byte in Disk Editor

 

Step 2. Now we go to Verify Segmented Hashes. Select the file with segmented hashes calculated during imaging and click Start.

Start segmented hash verification

 

Step 3. Hash verification is in progress. Here we see 18 segmented hashes checked. Hash for the interval that includes sector 35,000,000 is invalid.

Segmented hash verification in progress

 

Step 4. Hash verification finishes with the proper case report automatically created.

Segmented hash verification report
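The verification run described above can be reproduced outside Insight. The following Python sketch is an added example, not Atola's or Seghash's code. It assumes MD5 segment hashes, 512-byte sectors and inclusive end LBAs; the function names and the small in-memory image are constructed for illustration.

```python
import csv
import hashlib
import io

SECTOR = 512  # assumed sector size in bytes


def segment_hashes(image, ranges, algo="md5"):
    """Build 'Hash,start LBA,end LBA' rows for the given inclusive LBA ranges."""
    rows = []
    for start, end in ranges:
        image.seek(start * SECTOR)
        data = image.read((end - start + 1) * SECTOR)
        rows.append(f"{hashlib.new(algo, data).hexdigest()},{start},{end}")
    return "\n".join(rows) + "\n"


def verify_segments(image, csv_text, algo="md5", block_sectors=2048):
    """Re-hash every listed range; return (start, end) of each mismatch."""
    bad = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != 3 or not row[1].strip().isdigit():
            continue  # skip blank lines and an optional header row
        expected, start, end = row[0].strip().lower(), int(row[1]), int(row[2])
        h = hashlib.new(algo)
        image.seek(start * SECTOR)
        remaining = (end - start + 1) * SECTOR
        while remaining > 0:
            chunk = image.read(min(remaining, block_sectors * SECTOR))
            if not chunk:
                break  # image is shorter than the range: treated as mismatch
            h.update(chunk)
            remaining -= len(chunk)
        if remaining or h.hexdigest() != expected:
            bad.append((start, end))
    return bad


def demo():
    # Constructed 64-sector image; every sector is filled with its LBA value.
    image = io.BytesIO(b"".join(bytes([lba]) * SECTOR for lba in range(64)))
    # Ranges in non-sequential order, as multi-pass imaging may produce them.
    # Sectors 32-35 stand in for unreadable sectors and are left unhashed.
    ranges = [(0, 15), (36, 63), (16, 31)]
    csv_text = segment_hashes(image, ranges)
    clean = verify_segments(image, csv_text)
    # Simulate later corruption of the image: change one byte in sector 40.
    image.seek(40 * SECTOR + 7)
    image.write(b"\xff")
    damaged = verify_segments(image, csv_text)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("mismatches before change:", clean)
    print("mismatches after change: ", damaged)
```

Only the segment containing the changed sector is reported; the other segments still verify, which is the resiliency property described earlier.
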

 

If you want to learn more about other 4.7 changes, visit this page: Atola Insight Forensic Changelog.

Where to buy

If you still do not have an Atola Insight Forensic and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:

http://atola.com/wheretobuy/

 

P.S. Dear customers, we appreciate your feedback and will take it into account when making changes to the product. Therefore, please feel free to write your thoughts or ideas as comments below.

 

The post Atola Insight Forensic 4.7 – Segmented hashing appeared first on Official Atola Technology Blog.

Seghash – Open-source tool for segmented hashing


We have released Seghash, an open source tool that does two things:

Supported hash types: MD5, SHA1, SHA224, SHA256, SHA384, SHA512

Seghash is written in Go and released under the MIT license. It works on Windows, Linux, and macOS. You can download the source and pre-built binaries from our GitHub account.

By releasing this open source tool we would like to encourage wide adoption of the segmented hashing algorithm by all software vendors who want to provide their users with a superior hashing option.

Segmented hashing tool

What is segmented hashing?

It is a hashing concept created by our company and implemented in Atola Insight Forensic.

With regular hashing, you get a single hash for the entire image.

With segmented hashing, you end up with many hashes of corresponding LBA ranges (chunks) of the image. The sum of these LBA ranges represents the entire image, just not necessarily in sequential order. By validating all hashes in a set, you can still prove that the entire image was not modified.

All segment hashes are saved in a CSV file with the following simple format:

Hash,start LBA,end LBA

Example:

75c92419e86ce82734ef3bbb781e6602,0,8388608
e2c7fc5264bae820e46c50b0502236d3,8388609,16777216
42718e48b5adb59563c98727cbce0619,16777217,25165824

… And so on until the last LBA.

 

The post Seghash – Open-source tool for segmented hashing appeared first on Official Atola Technology Blog.


Clip Target Drive to Source Evidence Size


When you image data from a drive involved in an investigation case, and the target drive will be holding a 1:1 clone of evidence data, in many cases it is critical that the target drive’s capacity is identical to that of the source drive. Should there be a difference in size between the source and the target devices, their hashes will be different too.

However, if your SATA target drive has a larger capacity, you can limit its size to that of the source drive using Host Protected Area (HPA). It will make the sectors beyond this limit inaccessible to the hashing tools as well as the end user.

To do that:

  1. Go to the Imaging category of the left-side menu and click the Create New Session link.
  2. In Preset line click the Show settings link.
  3. In Miscellaneous tab tick the box next to Limit target disk size to source size using HPA (SATA target ports only) option.

Enabling HPA

You can now proceed with the Imaging process by clicking Start Imaging button.

When Imaging is complete, you will see that target disk port now contains an HPA indicator, thus informing you that HPA has been enabled on this drive. There will also be a report created in the Case History.

Target Drive Port

This report will contain information about the time when HPA was enabled, a detailed device description and how this action was initiated. It will also indicate the initial max address as well as the current one.

HPA Report

Now you can calculate hashes on both disks to make sure they are identical.

Please note that enabling HPA is an option available only for SATA target drives.

The post Clip Target Drive to Source Evidence Size appeared first on Official Atola Technology Blog.

Connecting Seagate Drives to Serial Port


If you need to extract or reset an unknown password or perform drive recovery on a Seagate hard drive, use a Serial cable to connect the drive to the DiskSense unit.

Take a minute to familiarize yourself with the Serial cable’s three connectors. On one side of the cable, there are two connectors. Both are 2-pin RX-TX (receive-transmit) connectors. The slightly larger one has 2.5-mm pin pitch and is used for IDE drives. The smaller one has 2-mm pin pitch and is used for SATA drives.

Serial Cable Connectors Close Up

On the opposite side of the Serial cable, there is a 3-pin TX-RX-GND (transmit-receive-grounding) connector. This connector is inserted in the Serial port on the back side of the DiskSense unit.
DiskSense Back Side

Connecting 3.5-inch and 2.5-inch Seagate SATA drives

When you look at a Seagate SATA drive (either 3.5-inch or 2.5-inch), there is a 4-pin jumper block right next to the SATA port.
seagate sata 3.5
seagate sata 2.5
Connect the 2-mm RX-TX end of the serial cable to the two jumper pins located closest to the SATA port so that the red RX (receive) wire is connected to the pin closer to the SATA port.
seagate sata connected
seagate sata 2.5 connected

Connecting 3.5-inch Seagate IDE drives

Desktop IDE drives have an 8-pin jumper block between IDE port and Power port. For the purpose of this manual, we shall call the pair of pins located closest to the IDE port and used for Master/Slave settings the first pair of pins. The next, second pair of pins is usually used for Cable Select settings. The third pair of pins is the one we will connect the Serial cable to.

Please note that IDE hard drives must be set to Master mode for password extraction and reset or drive recovery. To use the drive in Master mode, place a jumper on the first pair of pins (closest to the IDE port), as shown in the picture below.
seagate IDE 3.5

Attach the 2.5-mm RX-TX connector to the third pair of jumper pins, as shown in the picture below. Make sure that red RX (receive) wire is facing down and the black TX (transmit) wire is facing up. The second pair and the fourth pair of pins must be left open.
seagate IDE 3.5 connected

Connecting 2.5-inch Seagate IDE drives

Similar to desktop hard drives, laptop Seagate hard drives also must be set to Master mode to perform password extraction and reset or drive recovery. Master mode on a 2.5-inch device is set by removing all jumpers.
Seagate IDE 2.5
There is a 3.5″-to-2.5″ IDE adapter included in the package with the DiskSense unit. It consists of the following components:

  • IDE port J1 for IDE interface cable
  • 2.5-inch IDE port J2 to connect the drive to
  • Power port J3 for IDE power cable
  • 4-pin block J4, where each pin is marked with letter A, B, C, and D.

2.5-to-3.5 IDE adapter

Use the adapter to connect the drive to IDE interface cable and IDE power cable. Then attach the 2.5-mm RX-TX connector to pins marked A and C, as shown in the picture below. Make sure that the black TX (transmit) wire is connected to the pin A, and red RX (receive) wire is connected to the pin C.
Seagate IDE 2.5

Please note that to use the 2.5-inch Seagate IDE drive in Slave mode, the 2.5-mm RX-TX connector must be detached from the adapter and instead a jumper must be placed on pins A and B.

Configuring the Baud rate

Once the Seagate hard drive is connected to the unit, follow these instructions to configure the Baud rate of Seagate Terminal, which allows you to use an extensive set of commands on a Seagate drive:

  1. If there is only one source drive connected to the DiskSense unit, it will automatically be identified and displayed in the Source disk port. However, if there are multiple hard drives connected to the DiskSense unit as Source drives, go to Source category of the top level menu, click on Select Source and choose the Seagate drive.
  2. Power down the selected drive.
  3. In the Windows category of the top level menu click on Terminal and in the COM Port Settings window select the Baud rate compatible with the drive. Please note that for Seagate 7200.10 and older Baud rate will be 9600; for 7200.11 and newer Baud rate will be 38400 (Atola Insight Forensic will suggest the baud rate by setting a default value in the Terminal window for the drive connected to it).
  4. Then click OK. But do not close the Terminal window just yet.
  5. Power on the drive again. There must be a valid output in the Terminal window (see the picture below).

Terminal output

Should there be no output in the Terminal window or should it consist of random symbols, try to change the Baud rate until you get a good response.

Now proceed with password extraction or send Seagate Terminal commands to the drive.

The post Connecting Seagate Drives to Serial Port appeared first on Official Atola Technology Blog.

Imaging Drives with Damaged Heads


Hard drives with physical damage require a complex imaging approach. This guide will explain how to retrieve data with the minimal risk of data loss on a drive with a damaged head stack.

If an Automatic Checkup report indicates that there is a problem with the heads, look at the status of each head.

If the status of a head or multiple heads is Degraded or Damaged, the drive will not be able to read all the data. What’s worse, even more sectors may soon become unavailable due to incorrect functioning of the drive’s hardware.

We recommend that you start by imaging the heads, whose status is OK, as soon as possible. To do that:

Step 1. Go to Imaging category of the left-side menu, click on Create New Session link and select the device or file to which the data will be imaged.
Step 2. In the Start new imaging session page go to Heads line and click on Select heads to use link.
Step 3. Unselect the damaged head.
Step 4. Click on Start Imaging button.

2-1 Unselect Degraded Head

As a result, you get as much data from the drive’s viable heads as possible before even beginning to work with the damaged head. This way the risk of losing data on the working part of the head stack is minimized.

3-1 Imaging Result with 3 Good Heads

Now that this data has been successfully retrieved, you have two options:

  • To have the head stack replaced before imaging the remaining data. However, as a result of head stack replacement data on the drive can become unreadable.
  • To attempt Imaging data with the Degraded or Damaged head. Follow the same procedure as with the good heads, only this time, during Step 3 unselect all the working heads and leave only the Degraded/Damaged one(s) before clicking on Start Imaging.

4-1 Unselect 3 Working Heads

Atola Insight Forensic’s sophisticated functionality enables users to retrieve maximum data even from the severely damaged drives.

Now that you have an image of the source evidence including the data copied from the damaged head, you can take the risk and get the head stack fixed. Afterwards, you can start a new session to complete the initially created image with data from previously unreadable sectors.

 

The post Imaging Drives with Damaged Heads appeared first on Official Atola Technology Blog.

Multitasking Capabilities of Atola Insight Forensic


With each passing year, speed becomes an even bigger issue for forensic specialists: while the capacity of hard drives grows exponentially, their speed does not keep up. A common 4TB drive reads at up to 200 MB/s, or 12 GB/min, which translates to more than 5 hours of imaging. Imaging a drive with damaged zones may take a prohibitive amount of time. Therefore, the ability to simultaneously run different operations on several devices is more vital than ever.

To provide users with greater productivity, Atola Insight Forensic’s high-capacity multi-core CPU supports up to 15 concurrent tasks that can be assigned to different drives or image files.

You can start Imaging process from a Source drive to one or multiple Target drives and/or image files. Then you can click on the Plus icon and open another target drive to start another operation.

 

For example, you can launch Fill/Erase on this Target drive to get it ready for the next Imaging session:

 

It is also possible to Calculate Hash on yet another Target drive:

Other long-running operations you can perform simultaneously include:

  • Automatic Checkup
  • Verifying Segmented Hashes
  • File Recovery
  • Scripting (e.g. search for files, file types, words, phrases or patterns, or specific information types such as email addresses, telephone numbers, addresses, GPS coordinates, etc.).
  • Comparing data on drive with a pattern
  • Media Scan

The post Multitasking Capabilities of Atola Insight Forensic appeared first on Official Atola Technology Blog.

Atola Insight Forensic 4.8 release


Atola Insight Forensic 4.8 is released! In this version of Atola Insight Forensic software, we included a range of improvements to our core features.

The full list of Atola Insight Forensic 4.8 changes can be found here: Atola Insight Forensic Changelog.

Password recovery support on new drive models

Password recovery now works on new Hitachi hard drives including Hitachi HCxxxxxxxA7A3xx, HTxxxxxxxA9E3xx, HTxxxxxxxA9E6xx. The latter is used in Sony PlayStation PS4 Pro gaming consoles, which were launched worldwide in November 2016.



Source: ifixit.com

Consolidation of segmented hashes

For imaging sessions that include calculation of segmented hashes, we created a feature enabling you to consolidate the hashes calculated during each separate imaging session. To perform consolidation, click Export consolidated hashes for all sessions:

In the pop-up window, you will be asked to select the folder where the file with consolidated hashes will be saved. Click the OK button in the dialog box, and all the separate .csv files that contain segmented hashes from previous imaging sessions will be consolidated into one file.
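Once the per-session files are merged, an examiner can check which LBA ranges the combined hash set actually covers. The Python sketch below is an added example, not Insight's export code. It assumes the "Hash,start LBA,end LBA" format with inclusive end LBAs; the function names, session contents and hash values are constructed placeholders.

```python
import csv
import io


def consolidate(csv_texts):
    """Merge per-session rows into (start, end, hash) tuples sorted by LBA."""
    rows = set()  # identical rows exported by two sessions collapse into one
    for text in csv_texts:
        for row in csv.reader(io.StringIO(text)):
            if len(row) == 3 and row[1].strip().isdigit():
                rows.add((int(row[1]), int(row[2]), row[0].strip().lower()))
    return sorted(rows)


def to_csv(rows):
    """Write merged rows back in the 'Hash,start LBA,end LBA' layout."""
    return "".join(f"{h},{start},{end}\n" for start, end, h in rows)


def coverage(rows, last_lba):
    """Return (gaps, overlaps) as lists of inclusive LBA ranges."""
    gaps, overlaps = [], []
    next_lba = 0  # first LBA not yet covered by any segment
    for start, end, _ in rows:
        if start > next_lba:
            gaps.append((next_lba, start - 1))      # never hashed
        elif start < next_lba:
            overlaps.append((start, min(end, next_lba - 1)))  # hashed twice
        next_lba = max(next_lba, end + 1)
    if next_lba <= last_lba:
        gaps.append((next_lba, last_lba))
    return gaps, overlaps


def demo():
    # Constructed placeholder hashes; a real file holds the imaging hashes.
    h = lambda n: f"{n:032x}"
    # Session 1: first pass, skipped a damaged zone at LBA 32-47.
    session1 = f"{h(1)},0,15\n{h(2)},16,31\n{h(3)},48,63\n"
    # Session 2: second pass over the damaged zone; LBA 40-43 stayed unreadable.
    session2 = f"{h(4)},32,39\n{h(5)},44,47\n"
    rows = consolidate([session1, session2])
    gaps, overlaps = coverage(rows, last_lba=63)
    return rows, gaps, overlaps


if __name__ == "__main__":
    rows, gaps, overlaps = demo()
    print(to_csv(rows), end="")
    print("not covered by any hash:", gaps)
    print("covered more than once: ", overlaps)
```
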

SMART table attributes

Insight automatically saves a drive’s SMART table before and after completion of imaging. Quite often there are differences in the two SMART tables. From now on, the changes will be highlighted in the After Imaging table to draw attention to the attributes that have changed.

Power down source device upon completion

A similar option was available for SATA target drives involved in long-running operations (Calculate Hash, Verify Segmented Hashes, Fill/Erase, Comparing, Media Recovery, Write From File). This new option can work on all source devices that support power management. To activate it:

  1. Go to Insight category in the top-level menu
  2. Click Preferences
  3. In the Preferences window go to Miscellaneous tab
  4. Tick Power down source device upon completion
  5. Click Apply button

Please note that for Imaging you can still use the Power down source device when finished option located in the Miscellaneous tab of the Imaging settings.

Custom signature tag field

Insight allows you to add custom signatures to the already available 392 file signatures. Before this release, there were three columns in the table with the additional signatures:

     Name, Bytes in Hex codes, Extension

Now there is a new column named Tag. This column is optional, and it enables you to mark specific (or all) additional signatures with any text in the Tag field to make them easily trackable.

On top of that, multi-column sorting in Found File Signatures table is now way more convenient. There is no need now to press any keys: just click on any category (first click = sort ascending; second click = sort descending; third click = no sorting) to make it the primary sorting category and then on another one for sorting by secondary category.

 

If you want to learn more about other 4.8 changes, visit this page: Atola Insight Forensic Changelog.

Where to buy

If you still do not have an Atola Insight Forensic and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:

http://atola.com/wheretobuy/

Please contact our Atola Technology sales to receive more specific information:

P.S. Dear customers, we appreciate your feedback and will take it into account when making changes to the product. Therefore, please feel free to write your thoughts or ideas as comments below.

The post Atola Insight Forensic 4.8 release appeared first on Official Atola Technology Blog.
