We are pleased to announce the release Atola TaskForce 2020.1!
This firmware’s key feature is imaging into a file on an encrypted target drive.
Target drive encryption
Atola TaskForce creates an encrypted exFAT partition using VeraCrypt with a 256-bit AES algorithm on the target drive, which the user locks with a password.
This way you make your Storage drive encrypted. All image files remain safe and protected during evidence preservation or transfer.
Mounting an encrypted Storage for further analysis of its images
To mount the encrypted volume for further use of the image file, a user can plug the target drive into a computer and use VeraCrypt soft.
Use the password set prior to the imaging session to access the encrypted data on the target drive.
All Changes
New Features
Imaging
Create encrypted password-protected VeraCrypt volume on a target drive to store images
Recent folder tiles in Device panel’s File section to speed up target file location choice
Optimization of TaskForce memory usage when imaging to E01
Visual checkmarks in reports to compare hashes during and after imaging
Support of SAS drives with non-standard sector sizes: 520, 528, 4080 bytes, etc.
Settings page shows MAC addresses of both TaskForce Ethernet ports
Web API, /check-task call
New query parameter – source. Example: /api/check-task?source=SATA5
New result fields: source, completionDate
User Manual is now built into TaskForce firmware
Bugfixes
Imaging
Issue mounting Oracle ZFS NAS to store image files
It was impossible to select a network target folder with password-protected Guest account
Small sector blocks were not visible in the imaging map progress bar
Other fixes
Possible E01 validation issue when selecting huge 10TB+ image
Occasional error when formatting a target drive to Storage with exFAT
False The disk claims that it won’t read multiple sectors at a time message in Diagnostics (a rare case)
Cancel button wasn’t properly working during the operations: Identifying device, Creating target file, Checking source device
Where to buy
If you still do not have an Atola TaskForce and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:
P.S. Dear customers, we appreciate your feedback and take it into consideration when updating our products. Please feel free to write your thoughts and ideas in the comments section below.
We are currently looking for two awesome people to join Atola.
Our Quality Assurance team needs reinforcement to join them in their ongoing effort of ensuring the stability of our software.
In their turn, our Hardware Development team is facing the new challenge of expanding our production and expediting product design.
We are accepting applications and holding interviews in the upcoming weeks with start dates in late February/early March.
Candidates of different backgrounds are invited to apply! With the help of each new employee, we strive to continue building a team that is diverse in terms of both knowledge base and perspective, to create an inclusive and supportive environment for all to do the most rewarding work in their careers and fulfill their professional goals.
About the Hardware Engineer position
You will be joining a team of seasoned engineers with fantastic achievements under their belt. Our Hardware Development team consists of three people, whose meticulous work and dedication resulted in the creation of both Atola Insight Forensic and Atola TaskForce. They also developed the data recovery systems that we used to produce prior to joining the digital forensics market.
In broad terms, as a part of our Hardware Development team, you will be responsible for the research, design, development, assembling and testing of our hardware. That includes drive imaging systems based on server-grade components and add-ons that enhance the range of interfaces that our imagers can acquire data from. Hardware engineers also assist our software development teams with product decisions and testing protocols.
About you
You have a strong knowledge of modern CAD for electronic device development and modern mechanical CAD, and you are skilled in the integral design of cases and PCBs for devices.
You are able to work productively with extensive technical specifications (500 pages or more).
These skills will be a plus:
Experience
designing switching power supplies
General
understanding of high-speed interfaces
Experience
developing devices with PCIe interface
Experience
wiring BGA chips and
programming
microcontrollers as
well as practical
experience in mounting boards.
As a member of the hardware development team, you will be countering complexity and looking for simpler passes. You will be engineering devices that combine sophistication and ease of use. We provide the freedom and autonomy to develop custom solutions while ensuring you are able to share challenges and receive input from your peers.
We greatly appreciate systemic thinking and attention to detail.
About the QA Engineer position
At Atola you will participate in system testing at all stages of the product development lifecycle (software & hardware), write requirements and test documentation, perform regression testing, participate in product development meetings and suggest improvements of existing products.
About you
You understand QA Methodologies and are skilled in designing tests. Experience in testing is not required, but personal experience in testing any systems is necessary.
You are detail-oriented, adaptable, ready for proactive and continuous learning. You are great at clearly and concisely articulating your thoughts, and care to give and take constructive criticism.
These skills will be a plus:
An
understanding of web technologies
and client-server architecture
Experience
with web development tools (e.g. Chrome DevTools), basic knowledge
of HTML, CSS
Experience
with continuous integration tools (TeamCity) and version control
systems (Git)
Advanced
use of Windows, Linux
Within the QA team, you will cooperate with other QA engineers to develop effective testing strategies and test plans. Fast and effective cross-team communication is also key. If you are outgoing, a team player and get along with people well, you will thrive in this environment. If you are passionate about quality, we would like to meet you!
Join us if you share our values!
We value people who can take a stand and contribute to our common vision with their perspective. We subject new ideas to rigorous consideration and challenge each other. We love experimenting, assessing results and replicating success.
Sincerity and trust:
Try to understand first, and to be understood later
Helping a colleague is the first priority
Focus on each other’s strengths
This is fail-friendly environment. Making mistakes is ok and useful
Simplicity is king. We prefer simple solutions that are easy to change.
Pay and benefits
We provide competitive compensation and salary revision every 6 months. In us, you will find a friendly and supportive team. We use a customized agile approach in product development.
You will work from a cozy office downtown Kyiv, less than 5 minutes from the metro.
Our
schedule is flexible and
we all enjoy 25
days of vacation (24 + bonus vacation day on December 31).
Paid sick leave is provided, no need for a doctor’s note.
Atola also provides free snacks and beverages at the office and a weekly English speaking club with a teacher.
How to apply
Please send your application for QA or Hardware Engineer that would speak directly to this position.
We expect to take up to two days to review your application.
Applicants for QA Engineer position will hear from us by email about whether you’ve advanced to the online test assignment part of the application process. If that is successful, then on to an interview! Hardware engineers will be requested to answer technical questions during the interview.
Our interviews are 2 – 3-hour long, in person, with your future colleagues, on your schedule. You will meet both your future team and people from other parts of Atola business. We’ll talk through your experience, ask questions about your goals and interests and will answer the questions you may have too!
We aim to make an offer within hours of each interview, with a start date within two weeks of the offer.
With newest Atola TaskForce 2020.1 firmware, it is possible to image into files on an encrypted target drive using VeraCrypt for data encryption. Multiple target drives can be encrypted for the same or different sessions. After you have connected the source drive to a port in Source mode, take these steps:
1. Click on Image icon in the left-side taskbar
2. In Select source device panel, select the evidence drive
3. In Select target device menu, click on the tile in the File section
4. In Select image file window, click Add storage Click the link Create Image File on Target.
5. In Select device panel, choose the drive connected to a port in Target mode
6. Select Create an encrypted VeraCrypt container (exFAT) option and click Next
7. Enter and confirm the password for the encrypted volume on the drive
8. Confirm the formatting of the device by entering YES and clicking OK. After this step, the formatting will take a few seconds.
9. Click + Create file button
10. Enter the name of the image and choose the file format (E01, raw, img or dd).
11. Once you have created the file, you may add more image files in the same or a different folder
After you click the Continue button, TaskForce will image the evidence into the file on your encrypted target.
Upon completion of the imaging session, check the Imaging completed report.
Data Extraction
To find the VeraCrypt volume and the imaged file, plug the target drive into your computer;
Use VeraCrypt software to safely access encrypted data from your drive;
Select the drive label (A, B, C, etc.) on which you want the volume to be mounted;
Click Select device button;
In the pop-up window select your encrypted volume;
Click the Mount button.
Now you can view the partition name, size and encryption algorithm.
7. Next, use the password set prior to the imaging session to get access to the encrypted volume.
Once you have entered the password, the volume will be mounted and you can access it from Windows Explorer and use the image for subsequent operations.
The key feature of this release is imaging to segmented E01 files (to E01, E02, E03 and so forth).
For many forensic examiners, E01 segmentation makes sense for a more convenient way of storing data. Some back up the segmented images on BluRay drives, others want to avoid repeated attempts to copy large files to their server due to network failures.
E01 segmented images
When selecting E01 file as a target, you will notice a new Segment Size dropdown. Click it to switch from a single E01 file to a segmented image. The segment size can be equal to one of the popular defaults or customized by the user.
Segmented E01 can be created with our without compression.
Changelog
New Features
Imaging:
E01 segmented files (E01, E02, etc) supported
Web API. New targetFile parameter allowing to customize target image file name
Auto-mount of VeraCrypt-encrypted Storage when its diagnostics completes
Bugfixes
Few minor issues when doing case import from Storage
If you still do not have an Atola TaskForce and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:
P.S. Dear customers, we appreciate your feedback and take it into consideration when updating our products. Please feel free to write your thoughts and ideas in the comments section below.
Atola dev team continues to work at full speed, without regard to the inconvenience of remote cooperation or the uncertainty caused by the current events. And today we are excited to release TaskForce software update 2020.3 with segmented hashing!
If you have ever dealt with a damaged evidence device or seen your images get corrupt over time, you will appreciate the new segmented hashing functionality in Atola TaskForce.
Segmented hashing option in imaging settings
By selecting Segmented hashing method in the imaging settings, along with an image you get a CSV file with hash values for the individual segments of the evidence drive.
Post-hashing option will also produce a table with segmented hashes for the image, which allows you to prove in court that the image has not been tampered with, even if the device got damaged or degraded.
A table with segmented hashes: hash value, first LBA, last LBA
To verify segmented hashes, we recommend using an open-sourced tool created by Atola: seghash on GitHub
Full changelog
New
Features
Imaging:
Segmented hashes – an alternative to linear hashing. It helps when dealing with damaged drives and provides greater resiliency against data corruption.
Bugfixes
TaskForce
browser-cached data was not always refreshed after firmware update
Target
files with long Chinese/Japanese names could not be created
If you still do not have an Atola TaskForce and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:
P.S. Dear customers, we appreciate your feedback and take it into consideration when updating our products. Please feel free to write your thoughts and ideas in the comments section below.
Segmented hashing is a concept introduced into forensic imaging by Atola Technology in November of 2016.
This method of hashing allows verifying data imaged from damaged media, ensuring that the image can be verified even if data gets corrupt later in the case’s life cycle.
How does it work?
With the conventional hashing method, it is impossible to calculate hash for the entire space of a damaged evidence drive: linear hashing will stop upon encountering the first bad sector.
Segmented hashing can be performed during multi-pass imaging of a damaged drive. This method produces a set of hash values for individual LBA ranges of the evidence drive and the image. Hashes are calculated only for the successfully imaged areas, while all bad sectors are excluded from the calculation.
With segmented hashing, you can prove that the entire image has not been tampered with by verifying all hashes in a set, even if your evidence drive is damaged, or if the data in the image gets corrupt over time: only one the hash for the damaged segment of the drive becomes invalid.
Segmented hashing produces a CSV file in this format:
Hash,start LBA,end LBA
Imaging with segmented hashing and post-hashing of the target for immediate image verification
In the imaging settings, select Segmented hashing method and sector size: you can select size from a range of options (4 to 32 GB).
Make sure to enable post-hash of the target and receive both sets of hashes for both the evidence drive and image.
TaskForce’s highly optimized imaging and hashing algorithms ensure that hashing during imaging does not slow down the session:
After imaging is completed, post-hashing will commence.
Here are imaging results with the link to the file with segmented hashes. With the post-hashing of the target is enabled, you also receive the results of cross-checking between the hash sets of the evidence drive and the image.
Is there any disadvantage compared to linear hashing?
The only potential downside of segmented hashing is the lack of its support in third-party tools. To make verification of segmented hashes easy, we have developed and released a free open-source tool for the validation of segmented hashes: seghash on GitHub.
Atola TaskForce is designed to be the fastest forensic imager. It allows imaging multiple drives simultaneously at the overall speed of 15 TB/hour. The individual imaging sessions run at the top native speeds of most drives.
To test TaskForce imaging speed, we used various models of SSD, HDD & USB devices and compared the performance achieved with the read speed in sequential mode (sectors read and written to in linear order) at userbenchmark.com.
NB Imaging speed is limited by the speed of the slowest of the devices, participating in the imaging session. Therefore, the slowest of the two speeds (either the read speed of the source or the write speed of the target) will define the speed at which the imaging process is running.
#1. WDC WD 100EFAX-68LHPNO 10TB
Let’s begin our first imaging session with WDC WD 100EFAX-68LHPNO. We are going to use this HDD as the source and choose the appropriate target to check TaskForce imaging speed.
The TaskForce managed to develop an excellent imaging speed of 216 MB/s when imaging the drive.
According to userbenchmark.com,WDC WD 100EFAX-68LHPNO maximum read speed in sequential mode is 203 MB/s.
#2. Kingston DT HyperX USB 3.0 64 GB
The second device we are going to image is a Kingston USB flash stick. This device is pretty much worn out and thus perfect for showing a clear example of how a dated USB will perform during imaging.
Atola TaskForce: Kingston DT HyperX USB 3.0 64GB imaging
The USB device gained a good read speed of 234 MB/s. According to userbenchmark.com, this drive’s maximum read speed in sequential mode is 278 MB/s
#3. Samsung 860 Pro 256GB
Let’s take a popular SSD model Samsung 860 Pro 256GB as the source and an identical target to see how TaskForce will handle the imaging of this device type. This time, we are going to pay attention to the write speed in sequential mode at userbenchmark.com, as this speed will be slower and determine the speed of the session. These devices are continuously used by our QA team for various types of tests, which is why they are past their prime.
Atola TaskForce: Samsung 860 Pro 256GB imaging
Nevertheless, TaskForce managed to image Samsung 860 Pro 256GB source at 497 MB/s, having exceeded the maximum write speed for this SSD type at userbenchmark.com which constitutes 491 MB/s.
#4.Seagate ST1000NM0001 1TB
The next HDD we are going to use is Seagate ST1000NM0001 1TB. We have two identical devices to use as a source and a target. Therefore, we will again focus on the achieved write speed to compare it to the one at userbenchmark.com.
Atola TaskForce: Seagate ST1000NM0001 1TB imaging
TaskForce managed to copy data from Seagate HDD at 145 MB/s, matching the max write speed 145 MB/s at userbenchmark.com.
#5. Corsair Voyager GS 63GB
This USB device is a fast Corsair USB drive and it has been one of the frequently used cards by Atola QA team the past couple of years, which means that its condition is far from perfect.
Atola TaskForce: Corsair Voyager GS 63GB imaging
TaskForce managed to develop good imaging speed 231 MB/s. While it did not get really close to the max read speed for this very device at userbenchmark.com, which is 283 MB/s, it does the significantly exceed the average of 151 MB/s.
#6. SanDisk SDSSDA 120GB
Let us take SanDisk SDSSDA 120GB. This SSD is still in good condition, even though it is constantly used by Atola QA team for testing purposes.
Atola TaskForce: SanDisk SDSSDA 120GB imaging
TaskForce succeeded in imaging data from SanDisk SDSSDA 120GB at an excellent speed 496 MB/s, slightly exceeding the maximum read speed at userbenchmark.com for this very device, which is 494 MB/s.
NB Please note that the imaging process can be considerably slower when it comes to working with damaged drives. The speed heavily depends on the type and degree of such damage.
And last but not least, imagine all these imaging sessions running simultaneously, each individual process at its top speed! TaskForce’s server-grade hardware supports up to 18 imaging sessions at a time. And as long as you stay within the whooping 15 TB/hour overall capacity, none of the sessions will experience any penalty on its speed.
Hi! I am Vitaliy Mokosiy, CTO in Atola Technology. I have been working here with great enjoyment and enthusiasm since 2008. Today I am taking this opportunity to shed light on the development process of Atola products, how it drives me as well as our whole dev team.
We proudly presented Atola TaskForce to the forensic community almost two years ago. While the volume of digital evidence inevitably continues to grow, every day TaskForce imagers are out there helping save a great deal of time for our customers by imaging at 15 TB per hour of total performance.
From a user’s perspective it is simple:
you plug 12 SATA evidence drives into TaskForce
start imaging them simultaneously
save 6-18 imaging hours within a day
Under the hood, though, TaskForce is way more complex: due to server-grade hardware reliability, extreme imaging optimization, and damaged drive support.
But how does my team manage to make the product simple to use while hiding all the complexity?
I believe 5 pillars created a basis for our success:
Exceptional hardware expertise
Custom agile methodology
Customer-centered approach
Balanced quality assurance
Culture
Exceptional hardware expertise
15 years ago, Atola was a startup searching for product-solution fit and working business models. At that time, Dmitry Postrigan, Atola CEO, was inspired by the idea of automating mundane, repetitive tasks in hard drive data recovery. He already had 7 years of experience working with storage media in Seagate and few DR companies. MHDD, his low-level HDD diagnostics tool, was first released in 2001 and instantly became the most popular drive-related freeware in the world. So we had this unique knowledge base before designing our first hardware product. And it helps in understanding how Atola business instantly became profitable with no need to attract investors.
A great deal of time has gone by since then. Three Atola Insight devices, Atola Bandura, Atola Disk Recycler… These days our product line consists of Atola Insight Forensic and Atola TaskForce. All of our devices smartly handle damaged drives.
As I am writing this, I just realized no one has left our hardware team since day zero of Atola! Moreover, the hardware team accumulated design experience and has grown larger. Not only do we continue to create new hardware systems, but we also experiment and innovate way more than previously.
Andrew Tyschenko, who heads our hardware development team, has 12+ years of building robust Atola products under his belt. Sustaining the premium quality of hardware remains an absolute focus for our hardware team. Nothing compares with it in the market. In fact, our confidence in the quality of our products allows us to continue offering a lifetime warranty for every Atola TaskForce or Atola Insight Forensic unit we have ever sold.
Custom agile methodology
Atola product development process is based on persistent self-improvement cycles. It is not a SCRUM, Kanban or XP methodology as someone might expect. We adopt different practices in our belief that the current team and each of its members must be at the core, and not the methodology itself. Some practices are taken from existing methodologies like the ones mentioned above; others are created from scratch. In a nutshell, here is what we are using at this point:
Our retrospective meetings happen after every software release. They have a very significant impact on our subsequent development cycles through introduction of new practices, techniques, experiments approved by the whole team.
Customer-centered approach
“Know your customers, listen to them carefully, learn their pains” – the first piece of advice I give to young people trying out to run their startups. This approach is what defines many things and helps find great solutions in product design.
Steve Jobs once said: “Customers don’t know what they want until we’ve shown them”. Well, that is not how we do it at Atola. We always pay attention to what our customers say. It makes sense, and it makes a difference.
One of Henry Ford’s famous quote goes “If I had asked people what they wanted, they would have said faster horses.” Yes, a faster horse is a wish or customer-expected solution. But it conveys a true necessity: faster transportation. Not to mention the inconveniences deriving from horse riding.
Be attentive to your customers’ opinions. Figure out the pains. Ask smarter questions if you want to get better answers. While we have partners around the globe, we make a point of visiting 20+ conferences and training sessions annually. The understanding of forensic examiners’ pains while handling multiple evidence drives under tight deadlines is what pushed us to develop Atola TaskForce that is able to image 12 SATA drives simultaneously.
Balanced quality assurance
We focus on the end result, no matter what it takes. And QA is an extremely significant part of the process. Quality assurance requires an intellectual approach to produce a high-quality, low-risk product with optimum testing efforts. Finding that balance is key. At Atola we have a powerful QA team of 6 people who sometimes achieve what I personally regard as magic to discover and solve technical issues.
The way I would quantify our full quality assurance flow is:
System quantification and testing efforts optimization
Unit tests
Automated testing imitating user behavior
Continuous integration server that runs all automated tests and immediately notifies us
Several hundreds of HDDs, SSDs, USB devices used in testing
Exploratory testing
Smart manual QA considering specifics of different device families
Regression testing when our team goes through a wide test plan before every release
Atola culture
Our culture includes three team values: sincerity, experiments, and simplicity. It would take me three or more blogs to write about each of these values. Therefore I will only briefly describe how we are used to behaving:
Seek first to understand the other, and then to be understood
Helping a colleague is the first priority
Focus on each other’s strengths
An initiative is always welcome and discussed. We love to experiment.
Experiment as often as possible
Fail-friendly environment. Making mistakes is normal and helpful.
We prefer simple solutions that are easy to change
Simple helps focus on the task. Complex – distracts from the task.
With all of the above in mind, we like to put our heads together over tough technical problems. In my experience, it is the best way to resolve untrivial issues and evolve as a team. If one person solves a complex technical problem, only this person knows the details. It is better to have 2+ team members sharing expertise on something truly sophisticated.
We have personal performance reviews and one-on-ones every six months. That amplifies the focus on company results and personal growth. Salaries of our R&D office staff are reviewed every six months too. It is the consistent and sustainable growth of our business that enables us to keep things that way.
Last but not least, a conscious effort to maintain and improve team communication and collaboration brings you a massive boost in efficacy. It results in true synergy when 1+1 is not 2, not 3, it is 8. It is fair to say that benefits from effective team communication overshadow all other areas.
Life is never about goals as such. Life is about the journey. Atola team tries to enjoy every step of our work-life journey. We do not only work together – we live our lives together at work having a shared vision, sincerely discussing ideas, experiencing emotions yet being focused on goals.
Current global yet temporary circumstances have not impeded Atola dev team. We are releasing Atola Insight Forensic 4.16 today! The software update includes two new major features:
E01 segmented images (E01, E02, etc)
full support of SAS drives with non-standard logical sector sizes: 520, 524, 528 bytes and so on
E01 segmented images
We are grateful to our customers for valuable feedback. It is your feedback that got us focused on the development of E01 segment (chunk) functionality for Atola Insight Forensic. We know some of you have been waiting for the feature for quite some time. Finally, it has arrived!
When selecting E01 file as a target, you will notice a new Chunk size dropdown. Click it to select one of the predefined E01 segment sizes or enter a custom one.
Segmented E01 image file can be created with or without compression.
You can later dig into the image file with File Recovery subsystem, should it be necessary.
SAS drives with non-standard logical sector sizes
With Atola Insight’s SAS extension at your disposal, you can handle good and damaged SAS drives. That said, there was always a limitation by sector size: 512 bytes or 4096 bytes only. Atola Insight 4.16 gives you broader support covering the rest of SAS drives you can face in servers and NASes.
See the screenshots below demonstrating how the latest Insight software works against SAS SSD with 520-byte sector size.
SAS drive diagnostics
SAS drive imaging
Changelog
New Features
Support of SAS drives with non-standard sector sizes: 520, 524, 528, 4080 bytes, etc
Imaging:
E01 segmented files (E01, E02, etc) supported
head support for Toshiba HD models
SSD Trim. New mode added – Only sectors without data
Automatic checkup. Improved algorithm of degraded heads detection.
Bugfixes
Imaging:
Imaging could not be paused during E01 file growing its size which is caused by a forward jump
Removed the hasty head map detection attempt when opening imaging start page
Image files created on target drive had an invalid Created date
Minor UI fixes in Image File options dialog
Automatich checkup:
Removed a small check based upon obsolete ATA command
Minor issue with BitLockerGUID detection
Rare case when head speed graph labels might be missing
If you still do not have an Atola Insight Forensic and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:
P.S. Dear customers, we appreciate your feedback and take it into consideration when updating our products. Please feel free to write your thoughts and ideas in the comments section below.
In the brave new world of physical distancing, when so many of the digital forensics events get canceled or postponed, we want to fill the void and keep the conversation going.
Atola is inviting you to our virtual booth. Starting May 20, we will be available for an hour-long live conversation every week on Wednesdays.
On Tuesday, June 16 Atola’s Yulia Samoteykina spoke at Interpol’s annual Digital Forensic Expert Group. After the presentation about our imagers’ multi-pass imaging system and other damaged media functionality, we received a few follow-up questions. In this blog we would like to reiterate the answers to these questions:
Can Atola imager acquire evidence from damaged SSDs?
As is true with any type of media, the degree of damage will inform how we can help with data recovery from a specific device. SSD failures fall into three major categories: logical errors, hardware issues, firmware failure.
Atola imagers may be able to image data from an SSD with logical errors or hardware issues (e.g. NAND flash wear-out) with the help of our multi-pass imaging system. A good predictor of success can be the Media Scan stage of the diagnostics process.
How do you resolve an issue of imaging a drive (Ext4), if “Failed to copy” message showed up while using another forensic imager?
If there are bad sectors in the area where the metadata of the file system is stored, some of the files or the whole of the partition may not be found by regular tools. But the files could have been imaged without the file system’s metadata and may be available for acquisition with the help of Insight’s File Recovery functionality.
Can Atola imagers retrieve data from water-damaged hard drives?
Depending on the kind of contact (it can range from sprinkles to complete submergence), the duration of such impact and even the composition of the water (if there is residue in the form of salts), the impact on the drive could vary substantially. And in some cases, it can be quite dramatic. Therefore Atola engineers recommend you bring such drives to a cleanroom for the initial damage assessment, repair, and cleaning.
Once you receive the repaired drive back from the cleanroom, run diagnostics with an Atola imager. It is very likely that there has been damage to the platters, and our multi-pass imaging system will acquire the image as usual.
Will Atola TaskForce support AFF4 file format?
Yes, Atola is planning to support AFF4 and other logical image file formats (also including L01 and NFI) in our upcoming releases.
Is segmented hashing accepted in the court of law as a proper way of verifying data?
Yes, segmented hashing has been a principle successfully used by forensic examiners. This principle is well reflected in academic works, it is also widely used in cryptography and secure data modification. In digital forensics, the principle has been adopted by a number of vendors who support AFF4 image files, including X-Ways, BlackBag Macquisition, Evimetry.
With the forensic examiner’s proper understanding of the concept and ability to demonstrate it to the court, segmented hashing is as good a verification method as any.
Join us at our weekly virtual booth session. We always have an engineer with us, and we will be happy to answer any questions you may have!
A damaged hard drive, especially when it comes to evidence drives, requires a complex imaging approach to avoid the drive’s further deterioration and data loss. TaskForce system enhances your working with damaged evidence drives, minimizing the risk of losing data on the working part of the head stack.
Diagnostics and selective head imaging
TaskForce’s built-in drive diagnostics module automatically checks all subsystems of the evidence drive. At the end of the diagnostics process, it provides a clear and detailed report about its electronics and motor, head stack, media surface, firmware and file system.
In the Heads section of the diagnostics report, TaskForce forensic imager provides detailed information about the state of each head. In addition, it offers the recommendation of the optimal imaging strategy for your damaged hard drive.
The above diagnostics report informs the operator that the drive’s hardware has major issues and points to defects in the media and a damaged head (Head#3). The report recommends that the damaged head is disabled in the imaging settings so that the good heads can be imaged first.
Atola engineers recommend imaging the good heads first. The system will prompt you to disable the bad head when you attempt to image the drive.
Alternatively, click the Image category in the left-side menu, select your source and target devices, click Continue. When you get to the Settings page, click Change to adjust the settings for your imaging session. In the Settings screen’s What to Image section, click on All sectors to configure the selective imaging.
Atola TaskForce imaging settings
Unselect the damaged head, Click Save and then click the Start button to launch your imaging session.
Unselecting the damaged head
Multi-pass imaging of bad sectors
As the imaging session is running to its end, you can see that errors have been found on the space of the drive that is read with the Head#4. It is common for a drive with a bad head to also contain errors on the platters that are read with other heads.
Atola TaskForce: multi-pass imaging algorithm
When encountering a bad sector that belongs to a good head, TaskForce uses its multi-pass imaging algorithm to handle the errors and attempt retrieving data from the bad sectors upon completing the imaging of good sectors. To read more about the multi-pass imaging system, please follow this link.
When the selective imaging (from the good heads) is complete, the system pauses the imaging session and produces a detailed Imaging report that includes a log of all actions performed throughout the imaging session.
Atola TaskForce report
TaskForce automatically creates reports for every single action applied to each device connected to it. The reports are stored in the case management system.
Attempting to image the bad head
Having successfully retrieved data from the good heads of the damaged head evidence drive, you have two options:
Replace the head stack before you get down to imaging the remaining data. Please, keep in mind that data on the drive can become unreadable due to head stack replacement;
Try imaging data with the Degraded or Damaged head. To image the unselected bad head, simply click Resume.
Resuming imaging session to image the unselected bad head
Atola TaskForce resumes the imaging session and focuses only on the area that belongs to the damaged head. Depending on the severity of the damage, it will safely retrieve as much data as possible or will be skipping the unreadable sectors and log them in the imaging report.
Atola TaskForce: Damaged head imaging
When imaging the damaged head, pay attention to the progress. If the number of errors keeps growing, while the number of the imaged sectors remains unchanged, it is safe to assume that the head will not be able to read more sectors.
In such a case, it is advisable to pause the imaging and power down the drive to avoid more potential damage to the platters with the bad head.
Hash method and hash type
In the Imaging report you can see that TaskForce imaged 520,961,167 sectors out of 625,142,448, having extracted as much data from good heads as possible. TaskForce’s Segmented hashing functionality helps you verify the data on the evidence drive with the image, even if not all data was retrieved.
Now you can evaluate how critical the remaining data on the drive may be based on the data retrieved from the good heads. You may already have sufficient evidence. Alternatively, you can choose to bring the drive to a cleanroom, where the drive’s head will be replaced. Then you will be able to image the areas belonging to the replaced head.
This imaging strategy helps you save time by imaging the data from the good heads and avoid causing more damage to the media.
For more details about the successfully imaged sectors and those that failed to be imaged, scroll down the report and check the Log.
Today we are introducing the largest firmware update of Atola TaskForce ever – 2020.7. It adds a new facet to the product turning it into the first forensic hardware RAID imager in the world!
I’d like to start by revealing the pain digital forensic experts have these days.
Quotes of forensic examiners about RAID image acquisition:
“How would one go about imaging a “RAID server”
“I will normally use <data recovery tool> to reconstruct they RAID as I like their interface and the ability to manually select different RAID parameters.”
“I am looking for options to Image a RAID storage on a windows 10 computer”
“…image the drives individually, and then rebuild the RAID from the images. You would need to know the RAID type, drive order and stripe size, to rebuild.”
“I have 4 hard drive E01s that make up a RAID 10. I’ve got the stripe size and the order of the drives. Does anyone know of software that can be used to rebuild this so I can do analysis on it?”
“Personally, I hate rebuilding RAIDs”
“I have a Acer Predator Trion 500 laptop with two PCIe (NVME) drives setup as a RAID0. I’m now trying to figure out the stripe size of the raid but fumbling in the dark…”
We are excited and take pride in how the new RAID module will save time and energy for forensic examiners dealing with such tasks.
How forensic RAID rebuild works
In a nutshell, your happy path in Atola TaskForce 2020.7 is this:
Select RAID array source devices (drives, raw or E01 image files)
Wait a couple of minutes until Possible configuration hint pops up
Click Apply
Click Go to Image
What is the most impressive thing about rebuilding RAID arrays in TaskForce?
In many cases, you do not need to have RAID-related knowledge: RAID types, block size, orders, how RAID data is organized, etc. TaskForce automates the configuration selection process to the max.
Is every case that perfect?
Not yet:
1. In excessively complex cases, there can be multiple hints that require manual selection. For instance, TaskForce can detect RAID 10, showing which drives/images are mirrors of each other. Then it gives a hint of how to split it into two RAID 0 arrays and work with one of them.
2. Another example is the handling of 8+ drives/images in the RAID array is not yet optimized speed-wise.
The good news is that we are committed to improving it all very soon in the TaskForce firmware update 2020.7.1!
What is currently supported
TaskForce 2020.7 firmware supports RAID 0, 1, 5, and JBOD.
Partition preview works with NTFS and ext4/3/2 file systems so far.
Atola dev team will be adding new RAID types and file systems in the next releases. We believe forensic RAID rebuild is one of the most valuable product features for the industry.
Automated detection of RAID configuration
Let’s delve into the main UX mechanics built into the new RAID rebuild.
You don’t know the configuration, but you have an assumption. My advice is to try it out immediately. It leads us to one of the main features. Any RAID configuration change you perform prompts the bottom Partitions panelto refresh. If the configuration is correct, file systems are found and validated, you will see folders and files below.
This way you quickly receive feedback from your actions and can manually specify the correct RAID drive order and block size if you know the right configuration or have educated guesses to try out.
The smart auto-detection module helps out when you have no idea about the RAID configuration. Just follow its hints. Don’t hesitate to click Apply as soon as a Possible configuration hint appears! It makes forensic RAID rebuild faster, checking all possible configurations for you.
2020.7 changelog
New features
RAID support:
Autodetection of RAID configuration
Convenient assembly with partition preview
Supported RAID types: RAID 0, 1, 5 and JBOD
Missing drive support in RAID 5
Supported file systems for RAID autodetection: NTFS, ext4/3/2
Imaging:
Imaging assembled RAID array or its individual partitions
Add, change and delete passes of a paused imaging session
E01 evidence number, investigator, description are added to the final imaging report
Ability to restore image file to 4Kn drive
Save report in the target folder option became enabled by default
Case management:
SAVE TO button on Reports page. Allows to quickly save and export selected reports in a single ZIP file.
Remote work folder. Performance optimization for cases when 15+ tasks are running simultaneously.
Improved report search for non-English languages
Ability to reindex currently selected Work Folder
Support of SAS drives with sector size above 4096 sectors
UI changes on the device selection panel
Fast device actions: Power on/off, Reidentify, Unmount storage
Device power indication
Home page. Specific port indicated for each device report
Bugfixes
Imaging to E01 could not get started if source device’s serial number was longer than 50 characters
Resuming imaging session could fail if target image folder is password-protected
Out of memory error while importing large work folder package files
Possible minor issues with segmented hashes after imaging paused and resumed
Fixed HTML styling when a case report is opened outside TaskForce
Seagate SSD 600 Pro drive was not detected in the device selection panel
If you still do not have an Atola TaskForce and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:
P.S. Dear customers, we appreciate your feedback and take it into consideration when updating our products. Please feel free to write your thoughts and ideas in the comments section below.
With 2020.7, Atola TaskForce supports RAID imaging and provides a breakthrough configuration autodetection module for RAID 0, 1 and 5 with NTFS and ext4/3/2 file systems. More RAID types and file systems will be supported in the upcoming releases with RAID 10 coming by the end of 2020. Imaging RAID 5 array with an unknown configuration is effortless in TaskForce.
1. Start by clicking on the new RAID icon in the left-side Task Menu.
2. Next, select the devices that make up the RAID array and click Continue.
NB You can also use images of the individual drives from the RAID array by browsing and selecting images in the FILE subsection of the Select source device menu.
Next you see the RAID configuration screen. It consists of three parts: RAID configuration part at the top is where you see the selected devices or files. Underneath it, there is the RAID Partitions viewer, which allows a preview of partitions and files within them upon a successful RAID assembly. In the right-hand part of the screen, Autodetection module starts running as soon as the screen has been loaded and produces an output of RAID configuration suggestions.
NB Autodetection module reads data on all devices or images that make up the RAID to identify its configuration, namely: RAID type (level), start LBA, block size and block order. If these parameters are known, the operator can set them manually. Depending on the RAID type, its volume, and how metadata is distributed on the drives in the RAID, Autodetection can produce configuration suggestions within a period of 30 seconds to a few hours (when dealing with a RAID of 9+ drives). In some cases, Autodetection can produce several configuration suggestions, which can be applied one by one to find the exact match.
3. Click the Apply button to apply the configuration suggested by the Autodetection module.
If the suggested configuration matches the RAID native configuration, partitions of the RAID will be displayed and a preview of data within the partition will be enabled.
4. Click GO TO IMAGE button in the left bottom corner of the screen to adjust the imaging settings and define the target for the image.
5. Select the target for the imaging session. Both a local server and a target device in Storage mode can be used for imaging of a RAID array.
6. Click + CREATE FILE button and fill out the image details in the Create image file window and click Create.
7. In the Settings page, click the Change button and then the imaging pass settings.
8. Then, in Edit imaging pass window, you can select the individual partitions to be imaged if selective imaging is required and click Save.
9. Click the START button to proceed with imaging.
TaskForce will be imaging RAID 5 array or its partitions as configured in the imaging settings.
At the end of imaging, TaskForce will produce an Imaging completed report with all the details of the source drives, the RAID configuration, the target, the partition, the timestamps, etc.
TaskForce is equipped with RAID configuration detection module and an ability to sustain multiple high-speed imaging sessions on its 18 ports. This makes it uniquely positioned to perform assembly of RAID with an unknown configuration and fast forensic imaging of such arrays.
Assembling and imaging RAID 0 array
To assemble RAID 0 follow these steps:
Connect the drives that make up a RAID array to the TaskForce hardware unit. Make sure to switch the ports to the Source mode;
Click the RAID button in the left-side taskbar
3. Select the drives in Select source device panel and click Continue
Let’s look at the RAID page in TaskForce interface. At the top of the page, there are key parameters of a RAID configuration:
RAID type
Start LBA
Block size
Block order (RAID 5 only)
TaskForce smartly uses defaults for these fields specific to the number of drives, found MBR and partition boot sectors. You can enter values manually if the RAID configuration is known. Or simply apply the results produced by the Autodetection module displayed in the right-hand part of the page.
Immediately upon the RAID page is loaded, the Autodetection module starts running. In Stage 1, TaskForce is linearly reading data on the drives to identify the RAID type.
NB You can add or remove drives if needed. Also, you can change the order of the drives in RAID configuration. Simply grab the drive and drag it to change its position or to remove it from the current array by dragging it to the bin.
In Stage 2, TaskForce goes through thousands of possible variants of RAID parameters (Block size, order, and Start LBA).
4. Click Apply as soon as Possible configuration tile appears. You don’t have to wait for Stage 2 to be completed:
After you click Apply, TaskForce automatically applies the suggested configuration and checks for partitions. At the bottom of the screen, a preview of the partitions is available.
6. After RAID is assembled, you can proceed with imaging RAID 0 array by clicking Go to Image button:
7. Select your target device and click the Continue button
8. Click the Start button to launch your imaging session
Please note that RAID imaging may take longer than ordinary drive-to-drive imaging due to the typically large size of an array. To optimize the speed of imaging, make sure you use a fast target device or a high-speed server.
Atola TaskForce automatically generates reports for every session.
Unmount RAID 0 array
You can unmount the RAID array to make the individual drives available for other tasks.
To unmount the assembled RAID, follow these steps:
Step 1. Click “Devices” in the top right corner;
Step 2. Scroll down to the bottom of the page and click RAID 0 array
Step 3. Click the Unmount RAID button at the bottom of the page
Now that RAID is unmounted, you can proceed with other sessions, using any of the 6 drives connected to the unit.
***
If you want to learn how to autodetect and image RAID 5 array with Atola TaskForce, read our blog:
As we watched TaskForce become a popular tool for in-the-field imaging, we decided to develop a screen cover to make its transportation safe and effortless.
Made of lightweight 2-mm aluminum, the cover protects the screen from scratches and other types of damage. Most importantly, it allows fast packing of the hardware unit for transportation.
Easily place and attach the cover to the unit against five magnetic screws on the unit’s top panel, which keep it securely fixed to the unit. Remove the cover with a careful pulling motion to detach it from the magnets.
The cover is available for all existing TaskForce users with a valid subscription. Just send us the unit’s serial number and we will send it to you!
All TaskForce hardware units assembled from this September onwards will come with the cover in the standard package.
NB The only magnetic parts used are the magnetic screws. While our tests have shown that they are not able to damage a drive, we recommend that no storage or other devices are placed near the magnets.
Today we are rolling out a new firmware update for Atola flagship product! While 2020.7.1 is considered a minor update, the new RAID and connectivity features are numerous and substantial. They will facilitate TaskForce’s connectivity capabilities and enhances autodetection of RAID arrays, the feature initially introduced in 2020.7.
RAID features
In v 2020.7 you might have seen an output of a multitude of detected possible configurations for a RAID array. The new 2020.7.1 firmware equips the RAID autodetection module with a more effective algorithm for file system validation. In 90+% of such cases, autodetection will narrow it down to a single possible RAID configuration!
The maximum number of autochecked configurations has been increased from 500,000 to 100,000,000.
This seemingly minor change allows accommodating cases with 8+ devices with complex configurations.
The number of variants to be checked for RAID arrays with 8+ devices can reach a few million. For example, a RAID 5 consisting of 8 drives would not have covered all the possible configurations in 2020.7 version but will work in 2020.7.1 due to the previous limit of 500,000 configurations:
For such RAID 5 arrays, TaskForce has to go through 12 block size variants, 4 possible block order variants and 8! (8 factorial for the order of the 8 devices included in the RAID), which adds up to 1,935,360 overall variants.
RAID 5. Adding Missing Device starts a new RAID autodetection
If you are trying to mount a RAID array, that is likely a RAID 5, and there is a damaged or missing device in the array, you can use the Missing Device button to add a virtual device. The moment you do that, Autodetection restarts and runs through all possible variants from scratch. This new search takes into consideration a missing device, taking advantage of the parity of the RAID 5 array.
Connectivity features
New network settings for an easier TaskForce configuration in an organization’s network: DNS nameserver, Default gateway.
Connect dialog allows specifying a full network folder path to facilitate access to folders on a server.
2020.7.1 changelog
New Features
RAID:
Improved RAID autodetection. Fine-tuned algorithms to narrow the possible configurations down to a single variant more frequently.
When multiple RAID assumptions are suggested, they are listed in the order of probability
New Error tag is displayed if read errors are encountered during RAID autodetection. The tag’s tooltip shows read error count.
Improved handling of a damaged drive when one of RAID devices freezes while reading sectors
Memory use optimized for RAID autodetection involving more than 8 devices
Maximum number of autochecked configurations increased from 500,000 to 100,000,000
RAID 5. Ability to add a Missing Device and start another RAID autodetection
RAID 5 based on mdadm. Automatic addition of a Missing Device.
Summary hint with recommendations is shown if RAID autodetection failed to find the right RAID configuration
Network setup + Imaging to server:
DFS (Distributed File System) supported
Connect dialog allows specifying a full network folder path
New network settings: DNS nameserver, Default gateway
Ability to work in networks having SMBv2 strictly disabled
Bugfixes
Imaging:
The following message was missing in the imaging log: Source device HPA was set to native max address until power cycle: 123,123,123
Imaging could not be started if limiting the target device to source size by HPA failed
Rare imaging interruption when attempting to start selective head imaging with some models of Toshiba drives
Imaging (Hashing, Wiping, as well) could not be started against NetAPP SAS drives
Disable read-look ahead setting was not working properly
Resuming imaging for RAID wasn’t possible after pausing imaging and changing the RAID configuration
Other fixes:
RAID. Serial numbers of selected devices were not always entirely visible on RAID configuration page
RAID. Add devices buttons and Remove device area missing when using screen tablet with 6+ devices selected
Storage drive automounting now works in Target mode only. Previously, it was running for both Source and Target modes.
Fixed a few minor issues with case reports created for RAID devices
Case import completed report might have no detailed information inside
If you still do not have an Atola TaskForce and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:
P.S. Dear customers, we appreciate your feedback and take it into consideration when updating our products. Please feel free to write your thoughts and ideas in the comments section below.
How often are you faced with a case with multiple individual devices with different interfaces (HDDs, SSDs, NVMe, USB, etc.) or a whole RAID array? If all you have on your hands is one imager with no parallel imaging capacity, it can result in a prohibitive processing timeline.
To help you tackle such cases, we equipped TaskForce with huge performance capacity, backed by server-class hardware: TaskForce handles 12+ parallel imaging sessions on its 18 ports. In this blog, we show how the variety of supported devices can be imaged.
Atola TaskForce’s configurability
The product has been designed with the configurability, flexibility, and scalability in mind. It all makes TaskForce highly productive for various types of image acquisition:
drive-to-drive
drive-to-network
file-to-drive
RAID reassembly and image acquisition
imaging to a file on a target drive
imaging to a file on an encrypted target drive
Use as many of TaskForce’s 18 ports as you want to boost evidence acquisition: 6 SATA, 6 SATA/SAS, 4 USB, IDE, and Extension port (for Thunderbolt/Firewire, M.2 SSD including NVMe, Apple PCIe SSD devices).
All ports are switchable between Source and Target modes allowing you to configure the system to fit your needs at the moment. The Source mode is hardware write-protected.
Source and Target modes
Now let’s delve a little bit into each of the image acquisition options you have.
Drive-to-drive imaging
All you need for your drive-to-drive imaging session is the evidence drive and a target drive, connected to ports in the appropriate modes. Atola TaskForce allows imaging to up to 5 targets at a time at the top native speeds of good drives and supporting data recovery from damaged ones.
Drive-to-drive imaging is the fastest option of all. It is particularly fast when imaging from one SSD to another.
SSD-to-SSD imaging speed
Pro Tip: TaskForce can run 6 parallel SSD-to-SSD sessions with hash being calculated with no penalty on the top native speeds of the drives.
Drive-to-file imaging
When you want to create a file image, you have two main options:
Image to a network server
Image to a target drive
Types of supported file images:
RAW
E01
AFF4 (expected to be released in the next firmware update)
Types of supported file images
Imaging to a file on a network server
With TaskForce, there are two 10Gbit Ethernet ports at your disposal. We highly recommend to use 10Gbit network when imaging to a network server.
Bear in mind that imaging performance depends on multiple external factors like network speed, current network workload, write speed of server’s drives. Each of these factors can become a bottleneck that prolongs the imaging.
Pro Tips:
1. Make sure the server’s file system supports sparse files. Sparse files save space and time via optimized saving of sector ranges containing binary zeroes.
2. Imaging to an E01 compressed file can save you lots of time if the evidence drive contains unencrypted partitions. TaskForce has a powerful server-grade Xeon CPU, which easily handles compression of E01 chunks on-the-fly.
3. Imaging to a RAW target file is the best option when you face a severely damaged drive. The imaging engine will take advantage of the multi-pass system and its smart settings.
Imaging to a file on target drive
To be able to image to a file on target drive, the target must be configured to Storage mode. While reconfiguring the drive, it is formatted to exFAT with 32 MB cluster size for optimized imaging speed. Once in Storage mode, the target drive serves as a destination for multiple images.
SATA 3 drive in Storage mode
With Atola TaskForce 2020.1 and subsequent firmware versions, it is possible to image into files on an encrypted target drive. If you opt for it, the system creates an encrypted exFAT partition using VeraCrypt with a 256-bit AES algorithm on the target drive, which you lock with a password.
With encryption, your images are stored securely for storage transportation.
File-to-drive imaging
When you select an image file as an imaging source and a drive as the target, it creates an identical copy of the original evidence drive in a forensically sound way.
The feature works equally well with all supported image file types: E01, RAW, AFF4 (support of AFF4 is coming in the next firmware update).
And your source file can be located anywhere:
network shared folder
NAS
encrypted or unencrypted target drive (Storage)
RAID image acquisition
RAID Virtual Device is a special type of imaging source you can assemble with the help of TaskForce.
2020.7 firmware equipped TaskForce with the new capability to assemble drives and/or image files back into RAID arrays, automatically detect their configuration and create a forensically sound image of the volumes or the array in its entirety.
Whenever you are trying to assemble and image a source RAID 5 array, which has one drive missing or heavily damaged, Atola TaskForce uses RAID 5 redundancy to create a complete image of the RAID.
Pro Tip:
Imaging RAID 5 or RAID 1 consisting of drives with bad sectors is possible thanks to these RAIDs’ inherent parity. When a bad block is encountered on one of the RAID’s devices, reading of corresponding blocks other RAID devices or corresponding parity blocks is performed to complete the missing data.
Autodetection of RAID 5 with missing device
Atola TaskForce is so handy that you can also image the selected partitions of a RAID array to obtain an image of the evidence faster.
Summary
All the aforementioned source-target combinations can be imaged simultaneously. It’s simple. Start 12 or more imaging sessions with any types of selected sources and targets!
Our engineers keep developing new features to help forensic examiners handle the most challenging acquisition jobs. We strive to create solutions that save time and energy of our customers that they can focus on other stages of investigation.
The key vectors of TaskForce development are:
optimization of running parallel imaging sessions
enhancing RAID image acquisition
adding support of new file system types and encrypted partitions
enhancing support of damaged drives
supporting new forensic image file containers (AFF4)
Multiple imaging sessions from various source types
When working with evidence drives, data integrity is critical. Using ECC memory, which identifies and corrects common single-bit errors, would help dramatically improve data transfer reliability in digital forensic tools.
Why use ECC memory
Electrical, magnetic or even radioactive interference inside a system, may cause a single bit of DRAM (Dynamic Random-Access Memory) to flip to the opposite state, resulting in an error. While the single-bit error in an ordinary situation could be harmless or have a comparatively mild effect (like a wrongly colored pixel in a .jpeg file), in forensic imaging, it means that the whole image you get is compromised because its hash won’t be identical to that of the source.
ECC (Error Checking Code) memory provides extra reliability by adding a parity bit to each byte, which checks the remaining bits in the byte for integrity. In case one of the bits gets flipped, ECC detects the error and corrects it on the fly.
That’s why ECC RAM is used in most servers and computers where data corruption cannot be tolerated (e.g. at financial, scientific, medical). And the same should be true for digital forensics.
ECC RAM does have a much lower failure rate than standard non-ECC memory. The results of Kingston-held research (see graph above) remain valid. As well as this brilliant in-depth study named DRAM Errors in the Wild: A Large-Scale Field Study.
We find that in many aspects DRAM errors in the field behave very differently than commonly assumed. For example, we observe DRAM error rates that are orders of magnitude higher than previously reported, with FIT rates (failures in time per billion device hours) of 25,000 to 70,000 per Mbit and more than 8% of DIMMs affected per year. We provide strong evidence that memory errors are dominated by hard errors, rather than soft errors, which most previous work focuses on. We find that, out of all the factors that impact a DIMM’s error behavior in the field, temperature has a surprisingly small effect. Finally, unlike commonly feared, we don’t observe any indication that per-DIMM error rates increase with newer generations of DIMMs.
(C) DRAM Errors in the Wild: A Large-Scale Field Study Bianca Schroeder Dept. of Computer Science University of Toronto Toronto, Canada Eduardo Pinheiro Google Inc. Wolf-Dietrich Weber Google Inc.
Atola TaskForce and ECC
Because TaskForce is designed to sustain 12+ imaging sessions with the cumulative throughput of 15 TB/hour and the system handles enormous amounts of data, we made sure to back its smooth and accurate operation with the best hardware. That’s why our engineers enhanced the reliability of TaskForce with ECC memory to avoid even the tiniest chance of data corruption during imaging, hashing, wiping, etc.
Here is what the ECC RAM module we install in Atola TaskForce looks like:
To ensure that your image is acquired and hashed correctly, TaskForce’s ECC RAM does the following:
Automatically corrects 1-bit errors and saves you from data corruption
Logs 2-bit errors in BIOS. A 2-bit error is an extremely rare case when two 1-bit errors happen in the same byte at the same time. While ECC RAM cannot correct a 2-bit error, you can find the event in the BIOS log with a timestamp
This way ECC memory provides an unprecedented level of reliability in a digital forensic imager.
2020 was for sure an unusual year that tested our adaptability. Despite the challenges and disruptions of the past 9 months, we look back at this time with a sense of accomplishment and gratitude to our customers, partners and teammates, for continued support and cooperation.
RAID Support in TaskForce
TaskForce has become the first hardware RAID imager in the world!
With its 18 ports, TaskForce is uniquely suited to reassemble RAID arrays. But we went a huge step further: Atola introduced the automation of the RAID configuration search, and it is the breakthrough the forensic industry has been waiting for.
Now, if a RAID with an unknown configuration lands on your desk, you don’t have to spend hours (or days!) looking for the right configuration. TaskForce will do it automatically in minutes. We have already supported:
RAID 0, 1, 5, and JBOD, including imaging of RAID 5 wth errors or a missing RAID member.
Partition preview works with NTFS and ext4/3/2 file systems.
More RAID types and file systems are coming in the upcoming releases.
Imaging into a file on an encrypted target with TaskForce
Atola TaskForce creates an encrypted exFAT partition using VeraCrypt with a 256-bit AES algorithm on the target drive, which the user locks with a password. This way you make your Storage drive encrypted. All image files remain safe and protected during evidence preservation or transfer.
Continued TaskForce integration into Magnet AUTOMATE
Firmware releases 2020.1 and 2020.2 further enhanced TaskForce integration in Magnet AUTOMATE. New parameters were added to the Web API command set to improve communication between the tools.
Insight got enhanced with broader SAS drive support in May and its January software release will bring the support of AFF4!
New team members (and more are expected)
We never stop growing and welcomed Yuliia and Igor to the team in March. Igor brought his international experience building military-grade equipment. He immediately enhanced our hardware development team with his unique skillset. Yuliia, in her turn, has demonstrated an impressive learning curve since joining us as a QA engineer. This is her first job in software development, and we are happy to have taken the risk: she has become a valuable asset to Atola!
We can’t wait for the social distancing requirements to be over to invite more talent!
Atola Virtual Booth
This year we went above and beyond to keep conversations with the industry players going. In May, we set up a virtual booth to facilitate communication in the absence of face-to-face meetings and events. The booth ran every week through December and we had dozens of exciting conversations with our friends, partners and customers.
After just a few conferences at the start of the season, we all watched digital forensics events were getting canceled or moved online. We thank the organizers of the online events for creating these opportunities to share knowledge and exchange ideas through online presentations and online booths. We are hoping for offline events to return in 2021 and meeting you there!
We get it. It has been a year like no other
With the team doing our best to stay focused on the result, the team experimented the first few months of complete uncertainty with different communication methods to coordinate our efforts and to be present for each other.
As this year is coming to an end, we are all back at the mothership, doubling down on our efforts to bring you more great solutions in 2021!
Thank you!
Overall, 2020 was a good year for us as a company and we are grateful for finishing it stronger and with a sense of optimism.
The Atola team wishes you peace, joy and prosperity throughout the coming year. Thank you for your commitment in 2020 to keep things running and improving no matter what. We look forward to working with you in 2021.
