The Atola team is excited to announce the arrival of the latest Atola Insight Forensic 4.15 release. From now on, Insight supports imaging into a file on an encrypted target drive and is reinforced with a number of other great features.
Target image encryption
Using VeraCrypt with a 256-bit AES algorithm for strong data encryption, Atola Insight Forensic allows creating an exFAT partition on the target drive and locking it with your password.
After the imaging session is completed, a user can safely plug the target drive into his/her computer and quickly find the VeraCrypt volume. To safely access encrypted data from your drive, simply use the password set prior to the imaging session.
Other features
Imaging to a file on a target drive:
Create encrypted password-protected VeraCrypt volume on a target drive to store images
Save image report in the target folder option supported for image files on target drives
Imaging:
Support of damaged USB flash sticks in read-only mode
A new format for Save image report in the target folder option – Text (Simplified)
Improved support of 4Kn drives
Identification and detection of locked WD Smartware drives
SSD Trim became a non-blocking operation: multi-tasking is available after SSD Trim is started
DiskSense information window shows MAC address of the active Ethernet card
Bugfixes
SMART. Fixed incorrect Power on Time for Samsung IDE drives
Attempt to open E01 file froze the software if the file was involved with a different task
Issue with changing IP from Dynamic to Static
Removed 20-second connection delay when switching between DiskSense units
Where to buy
If you would like to place an order for Atola Insight Forensic or extend the subscription to make use of this software update, this can be done directly via Atola Technology, or from a distributor near you.
Please contact our Atola Technology sales to receive more specific information:
P.S. Dear customers, we appreciate your feedback and always take it into account when making changes to the product. Please feel free to write your thoughts or ideas as comments below.
Atola Insight Forensic supports imaging into a file on an encrypted target drive, using VeraCrypt for data encryption. After your source drive is identified by the system, take the following steps:
1. Go to the Imaging category in the left-side menu on the home screen;
2. Click the Create New Session link to launch an imaging session;
3. Tick your target device;
4. Click the link Create Image File on Target.
5. In the pop-up window, select Create an encrypted VeraCrypt container (exFAT) option and click the Next button.
6. To complete the creation of a VeraCrypt volume, enter the password.
7. Enter YES and click Format to confirm formatting the drive to create the encrypted partition.
Formatting will take a few seconds.
8. Name the new image file, click the Add button and then click Select.
9. Specify the settings for this imaging session and click the Start Imaging button.
After you click the Start Imaging button, Insight will begin imaging data into the file on your encrypted target.
Upon completion of the imaging session, check the Imaging results screen.
Data Extraction:
1. To find the VeraCrypt volume and the imaged file, plug the target drive into your computer;
2. Use VeraCrypt software to safely access encrypted data from your drive;
3. Select the drive label (A, B, C, etc.) on which you want the volume to be mounted;
4. Click Select device button;
5. In the pop-up window select your encrypted volume;
6. Click the Mount button.
Now you can view the partition name, size and encryption algorithm.
7. Next, use the password set prior to the imaging session to get access to the encrypted volume.
Once you have entered the password, the volume will be mounted and you can access it from Windows Explorer and use the image for subsequent operations.
These are the final days of the year, and we would like to reflect on a fantastic year, and a decade, really!
In 2019 we have done a lot! The incomplete but impressive record looks like this:
3 versions of Atola TaskForce firmware
3 updated versions of Atola Insight Forensic software
Atola collaborated with Magnet Forensics to get our tools integrated
our team has grown again
we traveled the world to meet many of our customers
TaskForce integration into Magnet AUTOMATE’s workflows
In July, Atola TaskForce 2019.7 firmware introduced Web API built into TaskForce, which allows TaskForce integration into third-party automation tools.
As we are preparing this article, our software development team continues to work on the new batch of features for TaskForce that will be released in just a few weeks!
Insight Forensic: Target encryption
We introduced target encryption in Atola Insight Forensic 4.15 software release. Now an exFAT-formatted target drive can store a VeraCrypt volume and store one or multiple images.
Creating a VeraCrypt container on an exFAT-formatted drive
Insight Forensic: NVMe support
We continue to support new drive interfaces, file formats, etc. Our 4.13 release of Insight software included NVMe support via QNINE NVMe-to-USB adapter.
Insight Forensic: Imaging from a file on a source drive
With Insight, imaging from a file on a source drive has been available since January 2019. Simply select the file as a Source you want to image and proceed as usual:
The team growth
This year we welcomed Olga Milishenko to join our marketing team. Olga has since become an integral part of the Atola family and has contributed to our marketing efforts in 2019.
Atola in Events
In 2019 we participated in dozens of events worldwide and expanded our geography to Latin America!
Training sessions and presentations
In 2019 we continued to hold training sessions and presentations for our existing and potential customers. We thank all the great audiences we got to speak to!
See you in 2020!
Throughout this year we have been tweaking our process and experimenting with new development techniques and implementing innovative ideas, all to assist our users in solving more cases, faster! Our team is motivated by all the great feedback we have been receiving from our customers this year and we promise to keep up the good work!
We look at 2020 and the decade that follows with great optimism and ambition to contribute to the industry’s progress!
Here is a list of 50+ most prominent events in digital forensics held worldwide in 2020. These digital forensics conferences and exhibitions present an excellent opportunity to learn about the latest trends from the industry’s best speakers, get to know the newest technology showcased by vendors and network with other professionals working in the field.
This list is constantly updated, so if you want to keep up to date on the digital forensic conferences and exhibitions, save the link and check this page later. We keep track of new events and any changes to the already planned ones.
The events at which Atola Technology or our partners will be exhibiting are marked with an asterisk (*).
NB The registration fees in this table are indicative. Each conference has a range of fees based on the occupation, country of origin or the role of each participant. We mention only the basic rate which does not include discounts or special offers. Please check the websites of these forensic conferences to learn more about the applicable registration rates.
We are pleased to announce the release of Atola TaskForce 2020.1!
This firmware’s key feature is imaging into a file on an encrypted target drive.
Target drive encryption
Atola TaskForce creates an encrypted exFAT partition using VeraCrypt with a 256-bit AES algorithm on the target drive, which the user locks with a password.
This way you make your Storage drive encrypted. All image files remain safe and protected during evidence preservation or transfer.
Mounting an encrypted Storage for further analysis of its images
To mount the encrypted volume for further use of the image file, a user can plug the target drive into a computer and use VeraCrypt software.
Use the password set prior to the imaging session to access the encrypted data on the target drive.
All Changes
New Features
Imaging
Create encrypted password-protected VeraCrypt volume on a target drive to store images
Recent folder tiles in Device panel’s File section to speed up target file location choice
Optimization of TaskForce memory usage when imaging to E01
Visual checkmarks in reports to compare hashes during and after imaging
Support of SAS drives with non-standard sector sizes: 520, 528, 4080 bytes, etc.
Settings page shows MAC addresses of both TaskForce Ethernet ports
Web API, /check-task call
New query parameter – source. Example: /api/check-task?source=SATA5
New result fields: source, completionDate
User Manual is now built into TaskForce firmware
Bugfixes
Imaging
Issue mounting Oracle ZFS NAS to store image files
It was impossible to select a network target folder with password-protected Guest account
Small sector blocks were not visible in the imaging map progress bar
Other fixes
Possible E01 validation issue when selecting huge 10TB+ image
Occasional error when formatting a target drive to Storage with exFAT
False "The disk claims that it won’t read multiple sectors at a time" message in Diagnostics (a rare case)
Cancel button wasn’t properly working during the operations: Identifying device, Creating target file, Checking source device
Where to buy
If you still do not have an Atola TaskForce and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:
P.S. Dear customers, we appreciate your feedback and take it into consideration when updating our products. Please feel free to write your thoughts and ideas in the comments section below.
We are currently looking for two awesome people to join Atola.
Our Quality Assurance team needs reinforcement to join them in their ongoing effort of ensuring the stability of our software.
In their turn, our Hardware Development team is facing the new challenge of expanding our production and expediting product design.
We are accepting applications and holding interviews in the upcoming weeks with start dates in late February/early March.
Candidates of different backgrounds are invited to apply! With the help of each new employee, we strive to continue building a team that is diverse in terms of both knowledge base and perspective, to create an inclusive and supportive environment for all to do the most rewarding work in their careers and fulfill their professional goals.
About the Hardware Engineer position
You will be joining a team of seasoned engineers with fantastic achievements under their belt. Our Hardware Development team consists of three people, whose meticulous work and dedication resulted in the creation of both Atola Insight Forensic and Atola TaskForce. They also developed the data recovery systems that we used to produce prior to joining the digital forensics market.
In broad terms, as a part of our Hardware Development team, you will be responsible for the research, design, development, assembling and testing of our hardware. That includes drive imaging systems based on server-grade components and add-ons that enhance the range of interfaces that our imagers can acquire data from. Hardware engineers also assist our software development teams with product decisions and testing protocols.
About you
You have a strong knowledge of modern CAD for electronic device development and modern mechanical CAD, and you are skilled in the integral design of cases and PCBs for devices.
You are able to work productively with extensive technical specifications (500 pages or more).
These skills will be a plus:
Experience designing switching power supplies
General understanding of high-speed interfaces
Experience developing devices with PCIe interface
Experience wiring BGA chips and programming microcontrollers as well as practical experience in mounting boards.
As a member of the hardware development team, you will be countering complexity and looking for simpler paths. You will be engineering devices that combine sophistication and ease of use. We provide the freedom and autonomy to develop custom solutions while ensuring you are able to share challenges and receive input from your peers.
We greatly appreciate systemic thinking and attention to detail.
About the QA Engineer position
At Atola you will participate in system testing at all stages of the product development lifecycle (software & hardware), write requirements and test documentation, perform regression testing, participate in product development meetings and suggest improvements of existing products.
About you
You understand QA Methodologies and are skilled in designing tests. Experience in testing is not required, but personal experience in testing any systems is necessary.
You are detail-oriented, adaptable, ready for proactive and continuous learning. You are great at clearly and concisely articulating your thoughts, and care to give and take constructive criticism.
These skills will be a plus:
An understanding of web technologies and client-server architecture
Experience with web development tools (e.g. Chrome DevTools), basic knowledge of HTML, CSS
Experience with continuous integration tools (TeamCity) and version control systems (Git)
Advanced use of Windows, Linux
Within the QA team, you will cooperate with other QA engineers to develop effective testing strategies and test plans. Fast and effective cross-team communication is also key. If you are outgoing, a team player and get along with people well, you will thrive in this environment. If you are passionate about quality, we would like to meet you!
Join us if you share our values!
We value people who can take a stand and contribute to our common vision with their perspective. We subject new ideas to rigorous consideration and challenge each other. We love experimenting, assessing results and replicating success.
Sincerity and trust:
Try to understand first, and to be understood later
Helping a colleague is the first priority
Focus on each other’s strengths
This is a fail-friendly environment. Making mistakes is ok and useful
Simplicity is king. We prefer simple solutions that are easy to change.
Pay and benefits
We provide competitive compensation and salary revision every 6 months. In us, you will find a friendly and supportive team. We use a customized agile approach in product development.
You will work from a cozy office downtown Kyiv, less than 5 minutes from the metro.
Our schedule is flexible and we all enjoy 25 days of vacation (24 + bonus vacation day on December 31).
Paid sick leave is provided, no need for a doctor’s note.
Atola also provides free snacks and beverages at the office and a weekly English speaking club with a teacher.
How to apply
Please send your application for QA or Hardware Engineer that would speak directly to this position.
We expect to take up to two days to review your application.
Applicants for QA Engineer position will hear from us by email about whether you’ve advanced to the online test assignment part of the application process. If that is successful, then on to an interview! Hardware engineers will be requested to answer technical questions during the interview.
Our interviews are 2–3 hours long, in person, with your future colleagues, on your schedule. You will meet both your future team and people from other parts of Atola business. We’ll talk through your experience, ask questions about your goals and interests and will answer the questions you may have too!
We aim to make an offer within hours of each interview, with a start date within two weeks of the offer.
With the newest Atola TaskForce 2020.1 firmware, it is possible to image into files on an encrypted target drive using VeraCrypt for data encryption. Multiple target drives can be encrypted for the same or different sessions. After you have connected the source drive to a port in Source mode, take these steps:
1. Click on Image icon in the left-side taskbar
2. In Select source device panel, select the evidence drive
3. In Select target device menu, click on the tile in the File section
4. In Select image file window, click Add storage. Click the link Create Image File on Target.
5. In Select device panel, choose the drive connected to a port in Target mode
6. Select Create an encrypted VeraCrypt container (exFAT) option and click Next
7. Enter and confirm the password for the encrypted volume on the drive
8. Confirm the formatting of the device by entering YES and clicking OK. After this step, the formatting will take a few seconds.
9. Click + Create file button
10. Enter the name of the image and choose the file format (E01, raw, img or dd).
11. Once you have created the file, you may add more image files in the same or a different folder
After you click the Continue button, TaskForce will image the evidence into the file on your encrypted target.
Upon completion of the imaging session, check the Imaging completed report.
Data Extraction
1. To find the VeraCrypt volume and the imaged file, plug the target drive into your computer;
2. Use VeraCrypt software to safely access encrypted data from your drive;
3. Select the drive label (A, B, C, etc.) on which you want the volume to be mounted;
4. Click Select device button;
5. In the pop-up window select your encrypted volume;
6. Click the Mount button.
Now you can view the partition name, size and encryption algorithm.
7. Next, use the password set prior to the imaging session to get access to the encrypted volume.
Once you have entered the password, the volume will be mounted and you can access it from Windows Explorer and use the image for subsequent operations.
The key feature of this release is imaging to segmented E01 files (to E01, E02, E03 and so forth).
For many forensic examiners, E01 segmentation makes sense for a more convenient way of storing data. Some back up the segmented images on BluRay drives, others want to avoid repeated attempts to copy large files to their server due to network failures.
E01 segmented images
When selecting E01 file as a target, you will notice a new Segment Size dropdown. Click it to switch from a single E01 file to a segmented image. The segment size can be equal to one of the popular defaults or customized by the user.
Segmented E01 can be created with or without compression.
Changelog
New Features
Imaging:
E01 segmented files (E01, E02, etc) supported
Web API. New targetFile parameter allowing to customize target image file name
Auto-mount of VeraCrypt-encrypted Storage when its diagnostics completes
Bugfixes
A few minor issues when doing case import from Storage
Atola dev team continues to work at full speed, without regard to the inconvenience of remote cooperation or the uncertainty caused by the current events. And today we are excited to release TaskForce software update 2020.3 with segmented hashing!
If you have ever dealt with a damaged evidence device or seen your images get corrupt over time, you will appreciate the new segmented hashing functionality in Atola TaskForce.
Segmented hashing option in imaging settings
By selecting Segmented hashing method in the imaging settings, along with an image you get a CSV file with hash values for the individual segments of the evidence drive.
Post-hashing option will also produce a table with segmented hashes for the image, which allows you to prove in court that the image has not been tampered with, even if the device got damaged or degraded.
A table with segmented hashes: hash value, first LBA, last LBA
To verify segmented hashes, we recommend using an open-sourced tool created by Atola: seghash on GitHub
Full changelog
New Features
Imaging:
Segmented hashes – an alternative to linear hashing. It helps when dealing with damaged drives and provides greater resiliency against data corruption.
Bugfixes
TaskForce browser-cached data was not always refreshed after firmware update
Target files with long Chinese/Japanese names could not be created
Segmented hashing is a concept introduced into forensic imaging by Atola Technology in November of 2016.
This method of hashing allows verifying data imaged from damaged media and ensuring that the image can be verified even if data gets corrupt later in the case’s life cycle.
How does it work?
With the conventional hashing method, it is impossible to calculate hash for the entire space of a damaged evidence drive: linear hashing will stop upon encountering the first bad sector.
Segmented hashing can be performed during multi-pass imaging of a damaged drive. This method produces a set of hash values for individual LBA ranges of the evidence drive and the image. Hashes are calculated only for the successfully imaged areas, while all bad sectors are excluded from the calculation.
With segmented hashing, you can prove that the entire image has not been tampered with by verifying all hashes in a set, even if your evidence drive is damaged, or if the data in the image gets corrupt over time: only the hash for the damaged segment of the drive becomes invalid.
Segmented hashing produces a CSV file in this format:
Hash,start LBA,end LBA
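As an added illustration (not Atola's code and not the seghash tool), the sketch below builds and verifies a CSV in the Hash,start LBA,end LBA layout and shows that corrupting one sector invalidates only the segment that contains it. SHA-256, 512-byte sectors, inclusive end LBAs and the way segments are cut around bad ranges are assumptions, because the page does not specify them; all function names are hypothetical.

```python
import csv
import hashlib
import io

SECTOR_SIZE = 512      # assumption: 512-byte logical sectors
HASH_NAME = "sha256"   # assumption: the page does not name the hash algorithm


def hash_range(image, start_lba, end_lba, chunk_sectors=2048):
    """Hash sectors start_lba..end_lba (inclusive) of a seekable binary stream."""
    digest = hashlib.new(HASH_NAME)
    image.seek(start_lba * SECTOR_SIZE)
    remaining = (end_lba - start_lba + 1) * SECTOR_SIZE
    while remaining > 0:
        chunk = image.read(min(remaining, chunk_sectors * SECTOR_SIZE))
        if not chunk:
            raise EOFError(f"image ends before LBA {end_lba}")
        digest.update(chunk)
        remaining -= len(chunk)
    return digest.hexdigest()


def good_runs(total_sectors, bad_ranges):
    """Yield inclusive (start, end) runs of readable LBAs between bad ranges."""
    cursor = 0
    for bad_start, bad_end in sorted(bad_ranges):
        if bad_start > cursor:
            yield cursor, bad_start - 1
        cursor = max(cursor, bad_end + 1)
    if cursor < total_sectors:
        yield cursor, total_sectors - 1


def make_segment_csv(image, total_sectors, segment_sectors, bad_ranges=()):
    """Return CSV text with one row per readable segment; bad LBAs get no row."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["Hash", "start LBA", "end LBA"])
    for run_start, run_end in good_runs(total_sectors, bad_ranges):
        start = run_start
        while start <= run_end:
            end = min(start + segment_sectors - 1, run_end)
            writer.writerow([hash_range(image, start, end), start, end])
            start = end + 1
    return out.getvalue()


def verify_segment_csv(image, csv_text):
    """Re-hash every LBA range in the CSV; return a list of (start, end, ok)."""
    results = []
    reader = csv.reader(io.StringIO(csv_text))
    next(reader)  # skip the header row
    for row in reader:
        if not row:
            continue
        expected, start, end = row[0].strip().lower(), int(row[1]), int(row[2])
        try:
            ok = hash_range(image, start, end) == expected
        except EOFError:
            ok = False  # a truncated image fails that segment, not the whole set
        results.append((start, end, ok))
    return results


def demo():
    # Constructed sample: a 64-sector "image" where LBAs 20-21 are treated as bad.
    data = bytearray(b"".join(bytes([lba]) * SECTOR_SIZE for lba in range(64)))
    csv_text = make_segment_csv(io.BytesIO(data), 64, 16, bad_ranges=[(20, 21)])
    before = verify_segment_csv(io.BytesIO(data), csv_text)
    data[40 * SECTOR_SIZE + 7] ^= 0xFF  # simulate later corruption inside LBA 40
    after = verify_segment_csv(io.BytesIO(data), csv_text)
    return csv_text, before, after


if __name__ == "__main__":
    text, before, after = demo()
    print(text)
    for start, end, ok in after:
        print(f"LBA {start}-{end}: {'OK' if ok else 'MISMATCH'}")
```

A single linear hash over the same image would change as a whole after the one-byte corruption, whereas here four of the five segment hashes still verify.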
Imaging with segmented hashing and post-hashing of the target for immediate image verification
In the imaging settings, select Segmented hashing method and segment size: you can select the size from a range of options (4 to 32 GB).
Make sure to enable post-hash of the target to receive sets of hashes for both the evidence drive and the image.
TaskForce’s highly optimized imaging and hashing algorithms ensure that hashing during imaging does not slow down the session:
After imaging is completed, post-hashing will commence.
Here are imaging results with the link to the file with segmented hashes. With post-hashing of the target enabled, you also receive the results of cross-checking between the hash sets of the evidence drive and the image.
Is there any disadvantage compared to linear hashing?
The only potential downside of segmented hashing is the lack of its support in third-party tools. To make verification of segmented hashes easy, we have developed and released a free open-source tool for the validation of segmented hashes: seghash on GitHub.
Atola TaskForce is designed to be the fastest forensic imager. It allows imaging multiple drives simultaneously at the overall speed of 15 TB/hour. The individual imaging sessions run at the top native speeds of most drives.
To test TaskForce imaging speed, we used various models of SSD, HDD & USB devices and compared the performance achieved with the read speed in sequential mode (sectors read and written to in linear order) at userbenchmark.com.
NB Imaging speed is limited by the speed of the slowest of the devices, participating in the imaging session. Therefore, the slowest of the two speeds (either the read speed of the source or the write speed of the target) will define the speed at which the imaging process is running.
#1. WDC WD 100EFAX-68LHPNO 10TB
Let’s begin our first imaging session with WDC WD 100EFAX-68LHPNO. We are going to use this HDD as the source and choose the appropriate target to check TaskForce imaging speed.
The TaskForce managed to develop an excellent imaging speed of 216 MB/s when imaging the drive.
According to userbenchmark.com, WDC WD 100EFAX-68LHPNO maximum read speed in sequential mode is 203 MB/s.
#2. Kingston DT HyperX USB 3.0 64 GB
The second device we are going to image is a Kingston USB flash stick. This device is pretty much worn out and thus perfect for showing a clear example of how a dated USB will perform during imaging.
Atola TaskForce: Kingston DT HyperX USB 3.0 64GB imaging
The USB device gained a good read speed of 234 MB/s. According to userbenchmark.com, this drive’s maximum read speed in sequential mode is 278 MB/s.
#3. Samsung 860 Pro 256GB
Let’s take a popular SSD model Samsung 860 Pro 256GB as the source and an identical target to see how TaskForce will handle the imaging of this device type. This time, we are going to pay attention to the write speed in sequential mode at userbenchmark.com, as this speed will be slower and determine the speed of the session. These devices are continuously used by our QA team for various types of tests, which is why they are past their prime.
Atola TaskForce: Samsung 860 Pro 256GB imaging
Nevertheless, TaskForce managed to image Samsung 860 Pro 256GB source at 497 MB/s, having exceeded the maximum write speed for this SSD type at userbenchmark.com which constitutes 491 MB/s.
#4. Seagate ST1000NM0001 1TB
The next HDD we are going to use is Seagate ST1000NM0001 1TB. We have two identical devices to use as a source and a target. Therefore, we will again focus on the achieved write speed to compare it to the one at userbenchmark.com.
Atola TaskForce: Seagate ST1000NM0001 1TB imaging
TaskForce managed to copy data from Seagate HDD at 145 MB/s, matching the max write speed 145 MB/s at userbenchmark.com.
#5. Corsair Voyager GS 63GB
This USB device is a fast Corsair USB drive, and it has been one of the devices frequently used by the Atola QA team over the past couple of years, which means that its condition is far from perfect.
Atola TaskForce: Corsair Voyager GS 63GB imaging
TaskForce managed to develop a good imaging speed of 231 MB/s. While it did not get really close to the max read speed for this very device at userbenchmark.com, which is 283 MB/s, it does significantly exceed the average of 151 MB/s.
#6. SanDisk SDSSDA 120GB
Let us take SanDisk SDSSDA 120GB. This SSD is still in good condition, even though it is constantly used by Atola QA team for testing purposes.
Atola TaskForce: SanDisk SDSSDA 120GB imaging
TaskForce succeeded in imaging data from SanDisk SDSSDA 120GB at an excellent speed of 496 MB/s, slightly exceeding the maximum read speed at userbenchmark.com for this very device, which is 494 MB/s.
NB Please note that the imaging process can be considerably slower when it comes to working with damaged drives. The speed heavily depends on the type and degree of such damage.
And last but not least, imagine all these imaging sessions running simultaneously, each individual process at its top speed! TaskForce’s server-grade hardware supports up to 18 imaging sessions at a time. And as long as you stay within the whopping 15 TB/hour overall capacity, none of the sessions will experience any penalty on its speed.
Hi! I am Vitaliy Mokosiy, CTO in Atola Technology. I have been working here with great enjoyment and enthusiasm since 2008. Today I am taking this opportunity to shed light on the development process of Atola products, how it drives me as well as our whole dev team.
We proudly presented Atola TaskForce to the forensic community almost two years ago. While the volume of digital evidence inevitably continues to grow, every day TaskForce imagers are out there helping save a great deal of time for our customers by imaging at 15 TB per hour of total performance.
From a user’s perspective it is simple:
you plug 12 SATA evidence drives into TaskForce
start imaging them simultaneously
save 6-18 imaging hours within a day
Under the hood, though, TaskForce is way more complex: due to server-grade hardware reliability, extreme imaging optimization, and damaged drive support.
But how does my team manage to make the product simple to use while hiding all the complexity?
I believe 5 pillars created a basis for our success:
Exceptional hardware expertise
Custom agile methodology
Customer-centered approach
Balanced quality assurance
Culture
Exceptional hardware expertise
15 years ago, Atola was a startup searching for product-solution fit and working business models. At that time, Dmitry Postrigan, Atola CEO, was inspired by the idea of automating mundane, repetitive tasks in hard drive data recovery. He already had 7 years of experience working with storage media in Seagate and a few DR companies. MHDD, his low-level HDD diagnostics tool, was first released in 2001 and instantly became the most popular drive-related freeware in the world. So we had this unique knowledge base before designing our first hardware product. And it helps in understanding how Atola business instantly became profitable with no need to attract investors.
A great deal of time has gone by since then. Three Atola Insight devices, Atola Bandura, Atola Disk Recycler… These days our product line consists of Atola Insight Forensic and Atola TaskForce. All of our devices smartly handle damaged drives.
As I am writing this, I just realized no one has left our hardware team since day zero of Atola! Moreover, the hardware team accumulated design experience and has grown larger. Not only do we continue to create new hardware systems, but we also experiment and innovate way more than previously.
Andrew Tyschenko, who heads our hardware development team, has 12+ years of building robust Atola products under his belt. Sustaining the premium quality of hardware remains an absolute focus for our hardware team. Nothing compares with it in the market. In fact, our confidence in the quality of our products allows us to continue offering a lifetime warranty for every Atola TaskForce or Atola Insight Forensic unit we have ever sold.
Custom agile methodology
Atola product development process is based on persistent self-improvement cycles. It is not a SCRUM, Kanban or XP methodology as someone might expect. We adopt different practices in our belief that the current team and each of its members must be at the core, and not the methodology itself. Some practices are taken from existing methodologies like the ones mentioned above; others are created from scratch. In a nutshell, here is what we are using at this point:
Our retrospective meetings happen after every software release. They have a very significant impact on our subsequent development cycles through introduction of new practices, techniques, experiments approved by the whole team.
Customer-centered approach
“Know your customers, listen to them carefully, learn their pains” – the first piece of advice I give to young people trying to run their startups. This approach is what defines many things and helps find great solutions in product design.
Steve Jobs once said: “Customers don’t know what they want until we’ve shown them”. Well, that is not how we do it at Atola. We always pay attention to what our customers say. It makes sense, and it makes a difference.
One of Henry Ford’s famous quotes goes “If I had asked people what they wanted, they would have said faster horses.” Yes, a faster horse is a wish or customer-expected solution. But it conveys a true necessity: faster transportation. Not to mention the inconveniences deriving from horse riding.
Be attentive to your customers’ opinions. Figure out the pains. Ask smarter questions if you want to get better answers. While we have partners around the globe, we make a point of visiting 20+ conferences and training sessions annually. The understanding of forensic examiners’ pains while handling multiple evidence drives under tight deadlines is what pushed us to develop Atola TaskForce that is able to image 12 SATA drives simultaneously.
Balanced quality assurance
We focus on the end result, no matter what it takes. And QA is an extremely significant part of the process. Quality assurance requires an intellectual approach to produce a high-quality, low-risk product with optimum testing efforts. Finding that balance is key. At Atola we have a powerful QA team of 6 people who sometimes achieve what I personally regard as magic to discover and solve technical issues.
The way I would quantify our full quality assurance flow is:
System quantification and testing efforts optimization
Unit tests
Automated testing imitating user behavior
Continuous integration server that runs all automated tests and immediately notifies us
Several hundreds of HDDs, SSDs, USB devices used in testing
Exploratory testing
Smart manual QA considering specifics of different device families
Regression testing when our team goes through a wide test plan before every release
Atola culture
Our culture includes three team values: sincerity, experiments, and simplicity. It would take me three or more blogs to write about each of these values. Therefore I will only briefly describe how we are used to behaving:
Seek first to understand the other, and then to be understood
Helping a colleague is the first priority
Focus on each other’s strengths
An initiative is always welcome and discussed. We love to experiment.
Experiment as often as possible
Fail-friendly environment. Making mistakes is normal and helpful.
We prefer simple solutions that are easy to change
Simple helps focus on the task. Complex – distracts from the task.
With all of the above in mind, we like to put our heads together over tough technical problems. In my experience, it is the best way to resolve non-trivial issues and evolve as a team. If one person solves a complex technical problem, only this person knows the details. It is better to have 2+ team members sharing expertise on something truly sophisticated.
We have personal performance reviews and one-on-ones every six months. That amplifies the focus on company results and personal growth. Salaries of our R&D office staff are reviewed every six months too. It is the consistent and sustainable growth of our business that enables us to keep things that way.
Last but not least, a conscious effort to maintain and improve team communication and collaboration brings you a massive boost in efficacy. It results in true synergy when 1+1 is not 2, not 3, it is 8. It is fair to say that benefits from effective team communication overshadow all other areas.
Life is never about goals as such. Life is about the journey. Atola team tries to enjoy every step of our work-life journey. We do not only work together – we live our lives together at work having a shared vision, sincerely discussing ideas, experiencing emotions yet being focused on goals.
Current global yet temporary circumstances have not impeded Atola dev team. We are releasing Atola Insight Forensic 4.16 today! The software update includes two new major features:
E01 segmented images (E01, E02, etc)
full support of SAS drives with non-standard logical sector sizes: 520, 524, 528 bytes and so on
E01 segmented images
We are grateful to our customers for valuable feedback. It is your feedback that got us focused on the development of E01 segment (chunk) functionality for Atola Insight Forensic. We know some of you have been waiting for the feature for quite some time. Finally, it has arrived!
When selecting E01 file as a target, you will notice a new Chunk size dropdown. Click it to select one of the predefined E01 segment sizes or enter a custom one.
Segmented E01 image file can be created with or without compression.
You can later dig into the image file with File Recovery subsystem, should it be necessary.
SAS drives with non-standard logical sector sizes
With Atola Insight’s SAS extension at your disposal, you can handle good and damaged SAS drives. That said, there was always a limitation by sector size: 512 bytes or 4096 bytes only. Atola Insight 4.16 gives you broader support covering the rest of SAS drives you can face in servers and NASes.
See the screenshots below demonstrating how the latest Insight software works against SAS SSD with 520-byte sector size.
SAS drive diagnostics
SAS drive imaging
Changelog
New Features
Support of SAS drives with non-standard sector sizes: 520, 524, 528, 4080 bytes, etc
Imaging:
E01 segmented files (E01, E02, etc) supported
head support for Toshiba HD models
SSD Trim. New mode added – Only sectors without data
Automatic checkup. Improved algorithm of degraded heads detection.
Bugfixes
Imaging:
Imaging could not be paused while the E01 file was growing in size because of a forward jump
Removed the hasty head map detection attempt when opening imaging start page
Image files created on target drive had an invalid Created date
Minor UI fixes in Image File options dialog
Automatic checkup:
Removed a small check based upon obsolete ATA command
Minor issue with BitLockerGUID detection
Rare case when head speed graph labels might be missing
If you still do not have an Atola Insight Forensic and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:
P.S. Dear customers, we appreciate your feedback and take it into consideration when updating our products. Please feel free to write your thoughts and ideas in the comments section below.
In the brave new world of physical distancing, when so many of the digital forensics events get canceled or postponed, we want to fill the void and keep the conversation going.
Atola is inviting you to our virtual booth. Starting May 20, we will be available for an hour-long live conversation every week on Wednesdays.
On Tuesday, June 16 Atola’s Yulia Samoteykina spoke at Interpol’s annual Digital Forensic Expert Group. After the presentation about our imagers’ multi-pass imaging system and other damaged media functionality, we received a few follow-up questions. In this blog we would like to reiterate the answers to these questions:
Can Atola imager acquire evidence from damaged SSDs?
As is true with any type of media, the degree of damage will inform how we can help with data recovery from a specific device. SSD failures fall into three major categories: logical errors, hardware issues, firmware failure.
Atola imagers may be able to image data from an SSD with logical errors or hardware issues (e.g. NAND flash wear-out) with the help of our multi-pass imaging system. A good predictor of success can be the Media Scan stage of the diagnostics process.
How do you resolve an issue of imaging a drive (Ext4), if “Failed to copy” message showed up while using another forensic imager?
If there are bad sectors in the area where the metadata of the file system is stored, some of the files or the whole of the partition may not be found by regular tools. But the files could have been imaged without the file system’s metadata and may be available for acquisition with the help of Insight’s File Recovery functionality.
Can Atola imagers retrieve data from water-damaged hard drives?
Depending on the kind of contact (it can range from sprinkles to complete submergence), the duration of such impact and even the composition of the water (if there is residue in the form of salts), the impact on the drive could vary substantially. And in some cases, it can be quite dramatic. Therefore Atola engineers recommend you bring such drives to a cleanroom for the initial damage assessment, repair, and cleaning.
Once you receive the repaired drive back from the cleanroom, run diagnostics with an Atola imager. It is very likely that there has been damage to the platters, and our multi-pass imaging system will acquire the image as usual.
Will Atola TaskForce support AFF4 file format?
Yes, Atola is planning to support AFF4 and other logical image file formats (also including L01 and NFI) in our upcoming releases.
Is segmented hashing accepted in the court of law as a proper way of verifying data?
Yes, segmented hashing has been a principle successfully used by forensic examiners. This principle is well reflected in academic works, it is also widely used in cryptography and secure data modification. In digital forensics, the principle has been adopted by a number of vendors who support AFF4 image files, including X-Ways, BlackBag Macquisition, Evimetry.
With the forensic examiner’s proper understanding of the concept and ability to demonstrate it to the court, segmented hashing is as good a verification method as any.
Join us at our weekly virtual booth session. We always have an engineer with us, and we will be happy to answer any questions you may have!
A damaged hard drive, especially when it comes to evidence drives, requires a complex imaging approach to avoid the drive’s further deterioration and data loss. The TaskForce system improves your work with damaged evidence drives, minimizing the risk of losing data on the working part of the head stack.
Diagnostics and selective head imaging
TaskForce’s built-in drive diagnostics module automatically checks all subsystems of the evidence drive. At the end of the diagnostics process, it provides a clear and detailed report about its electronics and motor, head stack, media surface, firmware and file system.
In the Heads section of the diagnostics report, TaskForce forensic imager provides detailed information about the state of each head. In addition, it offers the recommendation of the optimal imaging strategy for your damaged hard drive.
The above diagnostics report informs the operator that the drive’s hardware has major issues and points to defects in the media and a damaged head (Head#3). The report recommends that the damaged head is disabled in the imaging settings so that the good heads can be imaged first.
Atola engineers recommend imaging the good heads first. The system will prompt you to disable the bad head when you attempt to image the drive.
Alternatively, click the Image category in the left-side menu, select your source and target devices, click Continue. When you get to the Settings page, click Change to adjust the settings for your imaging session. In the Settings screen’s What to Image section, click on All sectors to configure the selective imaging.
Atola TaskForce imaging settings
Unselect the damaged head, click Save and then click the Start button to launch your imaging session.
Unselecting the damaged head
Multi-pass imaging of bad sectors
As the imaging session is running to its end, you can see that errors have been found on the space of the drive that is read with the Head#4.
It is common for a drive with a bad head to also contain errors on the platters that are read with other heads: in the case with this drive, it is likely that the Head#3 was damaged in a way that allowed it to cause scratches on the areas of the drive normally read with Head#4.
Atola TaskForce: multi-pass imaging algorithm
When encountering a bad sector that belongs to a good head, TaskForce uses its multi-pass imaging algorithm to handle the errors and attempt retrieving data from the bad sectors upon completing the imaging of good sectors. To read more about the multi-pass imaging system, please follow this link.
When the selective imaging (from the good heads) is complete, the system pauses the imaging session and produces a detailed Imaging report that includes a log of all actions performed throughout the imaging session.
Atola TaskForce report
TaskForce automatically creates reports for every single action applied to each device connected to it. The reports are stored in the case management system.
Attempting to image the bad head
Having successfully retrieved data from the good heads of the damaged head evidence drive, you have two options:
Replace the head stack before you get down to imaging the remaining data. Please, keep in mind that data on the drive can become unreadable due to head stack replacement;
Try imaging data with the Degraded or Damaged head. To image the unselected bad head, simply click Resume.
Resuming imaging session to image the unselected bad head
Atola TaskForce resumes the imaging session and focuses only on the area that belongs to the damaged head. Depending on the severity of the damage, it will safely retrieve as much data as possible or will skip the unreadable sectors and log them in the imaging report.
Atola TaskForce: Damaged head imaging
When imaging the damaged head, pay attention to the progress. If the number of errors keeps growing, while the number of the imaged sectors remains unchanged, it is safe to assume that the head will not be able to read more sectors.
In such a case, it is advisable to pause the imaging and power down the drive to avoid more potential damage to the platters with the bad head.
Hash method and hash type
In the Imaging report you can see that TaskForce imaged 520,961,167 sectors out of 625,142,448, having extracted as much data from good heads as possible. TaskForce’s Segmented hashing functionality helps you verify the data on the evidence drive against the image, even if not all data was retrieved.
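The idea behind segmented hashing on a partially imaged drive, as an added example (not Atola's code or report format): each run of successfully imaged sectors gets its own hash, so the readable ranges can be verified while unread sectors stay outside every hash. SHA-256, the 8-sector segment cap and the sample data are assumptions constructed for illustration.

```python
import hashlib

SECTOR = 512       # bytes per sector in this constructed sample
MAX_SEGMENT = 8    # sectors per segment (assumption; real segments are far larger)


def readable_runs(total, bad, max_len=MAX_SEGMENT):
    """Yield (start, end) LBA ranges of imaged sectors, split at unread ones."""
    start = None
    for lba in range(total + 1):
        ok = lba < total and lba not in bad
        if ok and start is None:
            start = lba
        if start is not None and (not ok or lba - start == max_len):
            yield start, lba
            start = lba if ok else None


def sha(image, start, end):
    """SHA-256 of the sectors in [start, end)."""
    return hashlib.sha256(image[start * SECTOR:end * SECTOR]).hexdigest()


def hash_segments(image, bad):
    """Record one (start, end, digest) entry per readable run."""
    total = len(image) // SECTOR
    return [(s, e, sha(image, s, e)) for s, e in readable_runs(total, bad)]


def verify(image, recorded):
    """Return the (start, end) ranges whose current hash differs from the record."""
    return [(s, e) for s, e, digest in recorded if sha(image, s, e) != digest]


def coverage(recorded):
    """Number of sectors protected by at least one segment hash."""
    return sum(e - s for s, e, _ in recorded)


def demo():
    # Constructed 32-sector image; sectors 10, 11 and 20 could not be read
    # and are zero-filled in the image.
    total, bad = 32, {10, 11, 20}
    image = bytearray((i * 7 + 3) % 256 for i in range(total * SECTOR))
    for lba in bad:
        image[lba * SECTOR:(lba + 1) * SECTOR] = bytes(SECTOR)
    recorded = hash_segments(bytes(image), bad)

    altered = bytearray(image)
    altered[3 * SECTOR + 5] ^= 0xFF      # change inside a hashed range
    in_gap = bytearray(image)
    in_gap[10 * SECTOR] ^= 0xFF          # change inside an unread sector

    return {
        "recorded": recorded,
        "clean": verify(bytes(image), recorded),
        "altered": verify(bytes(altered), recorded),
        "in_gap": verify(bytes(in_gap), recorded),
    }


if __name__ == "__main__":
    result = demo()
    print("sectors covered:", coverage(result["recorded"]))
    for name in ("clean", "altered", "in_gap"):
        print(name, "->", result[name])
```

A change inside an unread sector is not reported, because no segment hash covers it; the hashes speak only for the ranges that were actually imaged.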
Now you can evaluate how critical the remaining data on the drive may be based on the data retrieved from the good heads. You may already have sufficient evidence. Alternatively, you can choose to bring the drive to a cleanroom, where the drive’s head will be replaced. Then you will be able to image the areas belonging to the replaced head.
This imaging strategy helps you save time by imaging the data from the good heads and avoid causing more damage to the media.
For more details about the successfully imaged sectors and those that failed to be imaged, scroll down the report and check the Log.
Today we are introducing the largest firmware update of Atola TaskForce ever – 2020.7. It adds a new facet to the product turning it into the first forensic hardware RAID imager in the world!
I’d like to start by revealing the pain digital forensic experts have these days.
Quotes of forensic examiners about RAID image acquisition:
“How would one go about imaging a ‘RAID server’?”
“I will normally use <data recovery tool> to reconstruct the RAID as I like their interface and the ability to manually select different RAID parameters.”
“I am looking for options to Image a RAID storage on a windows 10 computer”
“…image the drives individually, and then rebuild the RAID from the images. You would need to know the RAID type, drive order and stripe size, to rebuild.”
“I have 4 hard drive E01s that make up a RAID 10. I’ve got the stripe size and the order of the drives. Does anyone know of software that can be used to rebuild this so I can do analysis on it?”
“Personally, I hate rebuilding RAIDs”
“I have an Acer Predator Trion 500 laptop with two PCIe (NVME) drives setup as a RAID0. I’m now trying to figure out the stripe size of the raid but fumbling in the dark…”
We are excited and take pride in how the new RAID module will save time and energy for forensic examiners dealing with such tasks.
How forensic RAID rebuild works
In a nutshell, your happy path in Atola TaskForce 2020.7 is this:
Select RAID array source devices (drives, raw or E01 image files)
Wait a couple of minutes until Possible configuration hint pops up
Click Apply
Click Go to Image
What is the most impressive thing about rebuilding RAID arrays in TaskForce?
In many cases, you do not need to have RAID-related knowledge: RAID types, block size, orders, how RAID data is organized, etc. TaskForce automates the configuration selection process to the max.
Is every case that perfect?
Not yet:
1. In excessively complex cases, there can be multiple hints that require manual selection. For instance, TaskForce can detect RAID 10, showing which drives/images are mirrors of each other. Then it gives a hint of how to split it into two RAID 0 arrays and work with one of them.
2. Another example: the handling of 8+ drives/images in the RAID array is not yet optimized speed-wise.
The good news is that we are committed to improving it all very soon in the TaskForce firmware update 2020.7.1!
What is currently supported
TaskForce 2020.7 firmware supports RAID 0, 1, 5, and JBOD.
Partition preview works with NTFS and ext4/3/2 file systems so far.
Atola dev team will be adding new RAID types and file systems in the next releases. We believe forensic RAID rebuild is one of the most valuable product features for the industry.
Automated detection of RAID configuration
Let’s delve into the main UX mechanics built into the new RAID rebuild.
You don’t know the configuration, but you have an assumption. My advice is to try it out immediately. It leads us to one of the main features. Any RAID configuration change you perform prompts the bottom Partitions panel to refresh. If the configuration is correct, file systems are found and validated, you will see folders and files below.
This way you quickly receive feedback from your actions and can manually specify the correct RAID drive order and block size if you know the right configuration or have educated guesses to try out.
The smart auto-detection module helps out when you have no idea about the RAID configuration. Just follow its hints. Don’t hesitate to click Apply as soon as a Possible configuration hint appears! It makes forensic RAID rebuild faster, checking all possible configurations for you.
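The search-and-validate loop described above, as an added Python example that is not TaskForce's algorithm: it tries each drive order and block size for a RAID 0 set and keeps the combinations where an NTFS boot sector leads to real MFT records. Start LBA 0, 1 KiB MFT records, the candidate block sizes and the constructed three-member sample are assumptions.

```python
import itertools
import struct

SECTOR = 512
MFT_RECORD = 1024   # assumption: the common 1 KiB MFT record size


def read_raid0(members, order, block, offset, length):
    """Read bytes at a logical offset from a RAID 0 set (start LBA assumed 0)."""
    out = bytearray()
    n = len(order)
    while length > 0:
        blk, within = divmod(offset, block)
        phys = (blk // n) * block + within       # offset inside the member
        take = min(block - within, length)       # never cross a block boundary
        out += members[order[blk % n]][phys:phys + take]
        offset += take
        length -= take
    return bytes(out)


def ntfs_validates(read, records=32):
    """Check the boot sector, then follow its $MFT pointer to FILE records."""
    boot = read(0, SECTOR)
    if len(boot) < SECTOR or boot[3:11] != b"NTFS    " or boot[510:512] != b"\x55\xaa":
        return False
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", boot, 0x0B)
    (mft_lcn,) = struct.unpack_from("<Q", boot, 0x30)
    mft = mft_lcn * bytes_per_sector * sectors_per_cluster
    if mft == 0:
        return False
    return all(read(mft + i * MFT_RECORD, 4) == b"FILE" for i in range(records))


def detect_raid0(members, block_sizes=(4096, 8192, 16384, 32768, 65536)):
    """Return every (order, block size) whose assembled volume validates."""
    hits = []
    for order in itertools.permutations(range(len(members))):
        for block in block_sizes:
            reader = lambda off, ln, o=order, b=block: read_raid0(members, o, b, off, ln)
            if ntfs_validates(reader):
                hits.append((order, block))
    return hits


def build_sample():
    """Constructed data: a 192 KiB NTFS-like volume striped over 3 members."""
    block, n = 8192, 3
    vol = bytearray(192 * 1024)
    vol[3:11] = b"NTFS    "
    struct.pack_into("<HB", vol, 0x0B, 512, 8)   # 512-byte sectors, 8 per cluster
    struct.pack_into("<Q", vol, 0x30, 10)        # $MFT at cluster 10 = 40 KiB
    vol[510:512] = b"\x55\xaa"
    for i in range(32):
        off = 40960 + i * MFT_RECORD
        vol[off:off + 4] = b"FILE"
    drives = [bytearray() for _ in range(n)]
    for k in range(0, len(vol), block):
        drives[(k // block) % n] += vol[k:k + block]
    d0, d1, d2 = (bytes(d) for d in drives)
    return bytes(vol), [d2, d0, d1]              # members in "as connected" order


if __name__ == "__main__":
    volume, members = build_sample()
    for order, block in detect_raid0(members):
        print("order", order, "block size", block)
```

The function returns a list because more than one combination can pass the check on real data, which is why several suggestions may have to be tried one by one.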
2020.7 changelog
New features
RAID support:
Autodetection of RAID configuration
Convenient assembly with partition preview
Supported RAID types: RAID 0, 1, 5 and JBOD
Missing drive support in RAID 5
Supported file systems for RAID autodetection: NTFS, ext4/3/2
Imaging:
Imaging assembled RAID array or its individual partitions
Add, change and delete passes of a paused imaging session
E01 evidence number, investigator, description are added to the final imaging report
Ability to restore image file to 4Kn drive
Save report in the target folder option became enabled by default
Case management:
SAVE TO button on Reports page. Allows you to quickly save and export selected reports in a single ZIP file.
Remote work folder. Performance optimization for cases when 15+ tasks are running simultaneously.
Improved report search for non-English languages
Ability to reindex currently selected Work Folder
Support of SAS drives with sector size above 4096 sectors
UI changes on the device selection panel
Fast device actions: Power on/off, Reidentify, Unmount storage
Device power indication
Home page. Specific port indicated for each device report
Bugfixes
Imaging to E01 could not get started if source device’s serial number was longer than 50 characters
Resuming imaging session could fail if target image folder is password-protected
Out of memory error while importing large work folder package files
Possible minor issues with segmented hashes after imaging paused and resumed
Fixed HTML styling when a case report is opened outside TaskForce
Seagate SSD 600 Pro drive was not detected in the device selection panel
If you still do not have an Atola TaskForce and would like to place an order, this can be done directly via Atola Technology, or from a distributor near you:
P.S. Dear customers, we appreciate your feedback and take it into consideration when updating our products. Please feel free to write your thoughts and ideas in the comments section below.
With 2020.7, Atola TaskForce supports RAID imaging and provides a breakthrough configuration autodetection module for RAID 0, 1 and 5 with NTFS and ext4/3/2 file systems. More RAID types and file systems will be supported in the upcoming releases with RAID 10 coming by the end of 2020. Imaging RAID 5 array with an unknown configuration is effortless in TaskForce.
1. Start by clicking on the new RAID icon in the left-side Task Menu.
2. Next, select the devices that make up the RAID array and click Continue.
NB You can also use images of the individual drives from the RAID array by browsing and selecting images in the FILE subsection of the Select source device menu.
Next you see the RAID configuration screen. It consists of three parts: RAID configuration part at the top is where you see the selected devices or files. Underneath it, there is the RAID Partitions viewer, which allows a preview of partitions and files within them upon a successful RAID assembly. In the right-hand part of the screen, Autodetection module starts running as soon as the screen has been loaded and produces an output of RAID configuration suggestions.
NB Autodetection module reads data on all devices or images that make up the RAID to identify its configuration, namely: RAID type (level), start LBA, block size and block order. If these parameters are known, the operator can set them manually. Depending on the RAID type, its volume, and how metadata is distributed on the drives in the RAID, Autodetection can produce configuration suggestions within a period of 30 seconds to a few hours (when dealing with a RAID of 9+ drives). In some cases, Autodetection can produce several configuration suggestions, which can be applied one by one to find the exact match.
3. Click the Apply button to apply the configuration suggested by the Autodetection module.
If the suggested configuration matches the RAID native configuration, partitions of the RAID will be displayed and a preview of data within the partition will be enabled.
4. Click GO TO IMAGE button in the left bottom corner of the screen to adjust the imaging settings and define the target for the image.
5. Select the target for the imaging session. Both a local server and a target device in Storage mode can be used for imaging of a RAID array.
6. Click + CREATE FILE button and fill out the image details in the Create image file window and click Create.
7. In the Settings page, click the Change button and then the imaging pass settings.
8. Then, in Edit imaging pass window, you can select the individual partitions to be imaged if selective imaging is required and click Save.
9. Click the START button to proceed with imaging.
TaskForce will be imaging RAID 5 array or its partitions as configured in the imaging settings.
At the end of imaging, TaskForce will produce an Imaging completed report with all the details of the source drives, the RAID configuration, the target, the partition, the timestamps, etc.
TaskForce is equipped with RAID configuration detection module and an ability to sustain multiple high-speed imaging sessions on its 18 ports. This makes it uniquely positioned to perform assembly of RAID with an unknown configuration and fast forensic imaging of such arrays.
Assembling and imaging RAID 0 array
To assemble RAID 0 follow these steps:
1. Connect the drives that make up a RAID array to the TaskForce hardware unit. Make sure to switch the ports to the Source mode;
2. Click the RAID button in the left-side taskbar
3. Select the drives in Select source device panel and click Continue
Let’s look at the RAID page in TaskForce interface. At the top of the page, there are key parameters of a RAID configuration:
RAID type
Start LBA
Block size
Block order (RAID 5 only)
TaskForce smartly uses defaults for these fields specific to the number of drives, found MBR and partition boot sectors. You can enter values manually if the RAID configuration is known. Or simply apply the results produced by the Autodetection module displayed in the right-hand part of the page.
As soon as the RAID page is loaded, the Autodetection module starts running. In Stage 1, TaskForce reads data on the drives linearly to identify the RAID type.
NB You can add or remove drives if needed. Also, you can change the order of the drives in RAID configuration. Simply grab the drive and drag it to change its position or to remove it from the current array by dragging it to the bin.
In Stage 2, TaskForce goes through thousands of possible variants of RAID parameters (Block size, order, and Start LBA).
4. Click Apply as soon as Possible configuration tile appears. You don’t have to wait for Stage 2 to be completed:
After you click Apply, TaskForce automatically applies the suggested configuration and checks for partitions. At the bottom of the screen, a preview of the partitions is available.
6. After RAID is assembled, you can proceed with imaging RAID 0 array by clicking Go to Image button:
7. Select your target device and click the Continue button
8. Click the Start button to launch your imaging session
Please note that RAID imaging may take longer than ordinary drive-to-drive imaging due to the typically large size of an array. To optimize the speed of imaging, make sure you use a fast target device or a high-speed server.
Atola TaskForce automatically generates reports for every session.
Unmount RAID 0 array
You can unmount the RAID array to make the individual drives available for other tasks.
To unmount the assembled RAID, follow these steps:
Step 1. Click “Devices” in the top right corner;
Step 2. Scroll down to the bottom of the page and click RAID 0 array
Step 3. Click the Unmount RAID button at the bottom of the page
Now that RAID is unmounted, you can proceed with other sessions, using any of the 6 drives connected to the unit.
***
If you want to learn how to autodetect and image RAID 5 array with Atola TaskForce, read our blog:
As we watched TaskForce become a popular tool for in-the-field imaging, we decided to develop a screen cover to make its transportation safe and effortless.
Made of lightweight 2-mm aluminum, the cover protects the screen from scratches and other types of damage. Most importantly, it allows fast packing of the hardware unit for transportation.
Easily place and attach the cover to the unit against five magnetic screws on the unit’s top panel, which keep it securely fixed to the unit. Remove the cover with a careful pulling motion to detach it from the magnets.
The cover is available for all existing TaskForce users with a valid subscription. Just send us the unit’s serial number and we will send it to you!
All TaskForce hardware units assembled from this September onwards will come with the cover in the standard package.