Atola Technology introduces iSCSI support for imaging remote drives in its flagship TaskForce and TaskForce 2 forensic hardware imagers.
Firmware update 2025.4 also features numerous improvements for reassembling and imaging RAIDs and a built-in Hex viewer for byte-level analysis.
“We’re proud to release one of the biggest updates in Atola’s history,” says Vitaliy Mokosiy, CTO at Atola Technology. “The firmware will add muscle to your TaskForce in many ways. We’ve enabled remote drive imaging via iSCSI, doubled NVMe-to-NVMe imaging speed, introduced an interactive Hex viewer for all drives, image files, and logical files, and added support for imaging of Synology NAS RAID with one missing device.”
iSCSI Support for Imaging Remote Drives
TaskForce now supports imaging remote drives connected via iSCSI. This is especially useful when a drive is soldered to the motherboard or cannot be physically removed from a computer due to legal, logistical, or technical constraints.
With iSCSI, the remote system exposes its drive as a network-attached block device, which TaskForce detects and can image like any locally connected storage.
To help users quickly set up remote drives on Linux as iSCSI targets, Atola Technology provides a free, ready-to-use script at GitHub.
Built-in Hex Viewer
A new built-in Hex viewer is now available for all drives, image files, and logical files. It lets users dive deeper into the data at the byte level to identify unusual data patterns or analyze file structure in depth.
[img-2]
The Hex viewer features seamless scrolling and an option to jump to a specific sector of a drive or an image file.
During logical acquisition or browsing files, Hex Viewer provides the ability to see all the bytes of a file or examine its specific portion using the ‘Go to offset’ command.
RAID Module Improvements
New features of the RAID module are designed to ensure faster, more accurate detection and offer more flexibility, especially in complex cases.
Support for Synology NAS RAIDs with a missing device: TaskForce automatically detects if a member of Synology NAS RAID is missing and rebuilds an array anyway using parity information from other devices included in the RAID.
Pause/Resume during RAID autodetection: It provides more flexibility for finding complex array configuration.
New RAID cheat sheet: It isdisplayed when autodetection fails and helps recover configurations manually.
Max RAID members increased from 16 to 64 to handle large, enterprise-grade arrays.
Smarter auto-reassembly when the Master Boot Record is offset.
Reduced memory usage during intensive RAID operations.
[img-3]
Enhanced Imaging Speed, Case Management, and Connectivity
With the new firmware update, Atola TaskForce and TaskForce 2 have received a variety of other improvements. Here are some of them:
2x faster NVMe-to-NVMe imaging: Significantly speeds up the acquisition process.
New template variables:{EVIDENCE_ID}, {NUM+} for dynamic naming. This improvement automates routine when a file exists in a folder and autoincrements a corresponding part of the file name.
Case management: Added fields for Evidence ID and Evidence Examiner.
Diagnostics: Improved detection of specialized partitions, like Microsoft Reserved and macOS Boot.
Wiping: Added an option to format drives to exFAT after wiping.
Network: Full IPv6 support and improved behavior when connecting to password-free shares.
All enhancements and fixes included in the firmware update 2025.4 are listed in the product changelog.
The firmware update 2025.4 is already available for download at atola.com.
About Atola TaskForce
Atola TaskForce is a high-performance forensic hardware imager with 18 ports, capable of running 12+ parallel imaging, hashing, or wiping sessions at 15 TB/hour cumulative speed. Atola TaskForce supports automated RAID reassembly and imaging with a missing device, has Express mode for time-saving self-launching imaging, and provides Web API for automating forensic data acquisition workflow.
About Atola TaskForce 2
Atola TaskForce 2 is a new version of the TaskForce forensic imager, designed primarily for in-lab usage. The new device has 26 ports, including four M.2 NVMe ports, and can image 25+ drives simultaneously, even the damaged ones, reaching 25 TB/hour cumulative speed. TaskForce 2 has all the features of TaskForce, including RAID and damaged drives support, Express mode, and Web API for workflow automation.
About Atola Technology
Atola Technology is an innovative company based in the Vancouver area, Canada, specializing in creating forensic imaging hardware tools for the global forensic market.
Atola’s engineers – including its founder and CEO Dmitry Postrigan – have strong expertise in storage media and data recovery, and focus on creating highly efficient and user-friendly forensic imagers.
To learn more, visit us at atola.com and find us on LinkedIn.
In this interview, we speak with Andrew Tyshchenko, the Head of Hardware at Atola Technology. With over 18 years at Atola, Andrew has led the design of all the company’s hardware products. Today, we discuss Atola’s latest release, the TaskForce 2 forensic imager, and explore the innovative solutions his team developed to make it a robust tool for forensic labs.
FF: Launched in July 2023, TaskForce 2 arrived exactly five years after the first-generation TaskForce. What challenges were you looking to address with the new imager?
We designed TaskForce 2 to meet the growing needs of digital forensic examiners. Our customers reported the increasing challenge of faster evidence processing due to the ever-growing number of drives involved in cases and their increasing sizes.
Each of our forensic devices has surpassed its predecessor in capabilities and complexity. TaskForce 2 is an evolution of the TaskForce architecture, featuring more processing power and additional ports for various types of connections.
To better understand the differences between these two imagers, it’s important to note that TaskForce was designed as a dual-purpose product: a compact yet powerful field unit, which can also be a stationary device for a forensic lab. Its physical dimensions were a key factor when choosing its computing platform, power consumption, and heat dissipation. TaskForce’s hardware was a balanced solution that met the requirements for both use cases.
Andrew and part of his team working at the Kyiv office
With the development of TaskForce 2, we wanted to provide an even more powerful computing platform to empower our users with the capability to image 26 drives in parallel.
FF: How did your team choose the key components for TaskForce 2?
TaskForce 2 incorporates over 250 types of components, totaling more than 1,500 pieces. Let’s dive into a few of the key components.
To meet the demands of the features already implemented in TaskForce—like RAID autodetection and hash calculation, along with a significant increase in the number of ports—we required a powerful processor and motherboard. We started by selecting a Supermicro motherboard that supports 3rd Gen Intel Xeon scalable processors in the LGA-4189 socket.
Out of the whole range of supported CPUs, we chose a Xeon Silver 4309Y, with 8 cores, 16 threads, 12MB of cache, and a moderate 105W thermal output, ideal for handling parallel imaging streams. We also designed a custom cooling system using Dynatron N11 coolers and magnetic levitation fans and custom air ducts to keep the system cool while minimizing noise levels. Acoustic comfort is important to our customers, therefore we provide fan speed controls in software settings.
When the computing load is low, the user can keep the fans at a minimum speed and increase the speed when the computing load increases. For example, when many imaging sessions with hash calculation are running.
The chosen motherboard supported a variety of drive ports: SATA, NVMe PCIe 4.0, and USB 3.2. To meet the desired product specifications, all we lacked was the support of 8 SAS ports, which we supported using a PCIe add-on card.
TaskForce 2 includes 16GB DDR4 server-grade ECC RAM for error detection and correction. It also features an IcyDock four-slot drive bay for convenient M.2 and U.2 drive connections, which was a highly requested feature by our customers.
FF: Why did you opt for a server rack-mountable design?
TaskForce 2’s increased processing power and heat output required a higher-capacity power supply and cooling system. This led us to opt for a larger casing suitable for server rack mounting. Our customers, who already use racks for their servers and networks, found this addition exciting. The unit fits into a 19″ rack and can also be used on a desk.
Atola TaskForce 2
For the use on a server rack, the front panel had to be the primary location for controls and drive connections: 25 of the 26 ports including 8 SATA, 8 SAS, 4 NVMe M.2/U.2, 4 USB drives and an IDE drive via adapter are located on the front panel. In addition, there is a PCI Express port on the back side of the unit used for extensions that support M.2 SSD, Apple PCIe SSD and Thunderbolt interfaces.
We managed to fit all these ports and controls into a front panel that’s only 100mm high, which is a little less than 2.5U (U aka “rack unit” is a standard measurement unit for the height of server rack equipment and equals 1.75” or 44 mm).
Fun trivia: The first TaskForce 2 prototype was made from a cardboard box. All the ports and indicators were drawn with a felt-tip pen! We designed this prototype in a group and it was presented at Atola’s Innovation Day, an annual event where employees work in hackathon mode on new ideas.
FF: Why did you decide to add color LED indicators to the device?
TaskForce 2 introduces dual LED indicators on each port for at-a-glance feedback on system status and drive operations. The Source/Target indicator shows the port’s mode, helping to prevent accidental data overwrites and ensuring the integrity of evidence. The second indicator provides real-time feedback on the task performed on the connected hard drive.
Since the launch of its first imager in 2008, Atola has incorporated diffuse round green LEDs as a signature design element in its devices. This time, we switched to programmable RGB LEDs for more nuanced and informative indicators that enhance the communication of process status on each port.
Implementing the new RGB LEDs presented a significant engineering challenge. The LEDs’ appearance required a light pipe, and we found a transparent material with excellent light transmission capabilities that can be precisely manufactured to tolerances of 0.1 mm for a component measuring 19×2 mm.
We initially explored milling technology to create the light pipe components, but the results proved inconsistent. Then we tried out low-volume molding using silicone molds, a process that delivered high-quality parts at an acceptable cost. The outcome was remarkable: the new indicators looked fantastic, exceeding the expectations of the entire team.
Here’s a breakdown of the color scheme used for a port’s status indication:
Green blinking: Indicates that an active process, such as imaging or another task, is in progress on the port.
Green steady: Signals the successful completion of a task on the port.
Yellow steady: Indicates that a task has been completed, but with some issues encountered during the process.
Red steady: Signifies that a task on the port has failed.
This design empowers users to effortlessly monitor and assess the progress of their tasks.
Fun fact: If you’re at a forensics conference, stop by the Atola booth and ask them to turn on the police lights on the TaskForce 2. You’ll see what these LEDs are capable of.
FF: The heart of every device is its motherboard. What are the other boards you included and what functions do they serve?
TaskForce 2 is based on a commercially available motherboard and relies on 7 other proprietary PCBs developed by Atola. The boards responsible for power management, status indication, and Source/Target mode control for individual SATA, SAS, USB and PCIe ports are the most important to the end user. Their core features are:
Protection of the imager from a short circuit, generated by a connected faulty drive.
Control of the drive power supply.
Measurement of electric current. For SATA and SAS drives, we track the current on the 5V and 12V lines. For PCIe, the 3.3V and 12V lines. USB devices use only 5V, so we only measure the current on that line. You can find the graphs of the current consumption in the drives’ diagnostic reports.
The so-called Main PCB has additional features:
Overcurrent protection for 4 NVMe ports rated at 5A level for 5V and 12V, without measuring current.
Fan speed control to maintain an optimal balance of cooling and noise.
An alphanumerical OLED display shows the unit’s IP address and other information.
Andrew and Oleksiy with the proprietary PCBs used in TaskForce 2
Here is another fun fact: the SATA/SAS Main PCB contains only power connectors for hard drives. The eSATA connectors for data transfer tend to wear out faster than their respective power connectors, so they were placed on smaller, separate boards. It is optimized for fast, cost-effective replacement when they wear out. This way, we provided for TaskForce’s 2 efficient maintenance during its long lifecycle.
FF: How are the drives connected to the device?
It depends on the drive’s interface. If it’s a 2.5″ or 3.5″ SATA or SAS, we use a universal cable, which TaskForce 2 has inherited from our previous imagers: DiskSense 2 and TaskForce. This cable has an eSATA connector for data transfer and a Molex Microfit 4-pin for power supply. On the drive side, it has an SFF-8482 connector (also known as SAS 29-pin), which is compatible with both SAS and SATA drives.
For drive connections, Atola continues to rely on universal cables, which are more reliable than drive racks with built-in contacts. When a cable wears out, it’s easy to diagnose and replace, and the problem is limited to a single device port. If we used a drive bay, we would have to replace the entire bay, resulting in longer downtime.
To connect USB drives, we use USB 3.2 Type-A ports, and the drive is connected using its standard cable. To connect NVMe drives, we use an IcyDock, a fast, user-friendly and durable solution.
FF: Why did you opt for NVMe docks?
We looked at different ways of connecting M.2 NVMe drives. IcyDock products stood out because of their excellent design. Atola and IcyDock designs have a lot in common and both have a solid black painted metal case. The ability to easily hot-swap drives was another key benefit: you plug an M.2 drive into the connector and put it in the tray, which is then securely inserted into the IcyDock.
IcyDock bays for M.2 and U.2 drives
We tried out a few Icy Dock models and settled for the MB699VP model due to its user-friendly design, allowing for frequent and effortless drive swaps. It was originally designed for U.2 drives up to 15mm in height, the support of which is now a bonus feature. To connect M.2, an adapter is used: the M.2 drive sits in the dock and connects to an internal card with an M.2 connector, while externally this card has a U.2 connector that mimics the concept of SATA/SAS connectors, which were designed and tested for numerous connection cycles.
And the best thing about this solution is the speed of 4.5 GB/sec on each of the M.2 ports. You have never acquired NVMe or PCIe drives faster!
FF: Is TaskForce 2 compatible with other existing Atola extensions?
We made sure that the new unit works with all existing Atola extensions. The Atola extension port is an extended version of the PCIe interface from the motherboard, protected against ESD and excessive power consumption.
TaskForce 2 has a PCIe 4.0 x16 interface with a theoretical maximum data transfer rate of 32GB/s. The new imager’s extension interface is a big step forward in bandwidth compared to the previous Atola products, which had a PCIe 3.0 x8 interface.
FF: How did you get the idea for the device rack?
Compact drive placement in the forensic workplace has been one of the most requested features since 2018. When designing TaskForce 2 in 2021, we realized the new unit would require a dedicated drive organization system.
The core of the drive organization system is a case that is installed in a 19″ rack right next to TaskForce 2, within reach of our standard drive cables. This design must be compatible with all possible 3.5″ and 2.5″ disk form factors, and all possible drive height variations, from 7mm to 15mm for some server SAS models.
We were looking for a simple and reliable solution, inspired by an idea I came across a long time ago in a science fiction novel by British author Arthur C. Clarke: “No machine may contain any moving parts”. It is a utopian ideal, almost unattainable in reality. It implies that the fewer parts there are in a device, the better: fewer parts mean fewer potential points of failure and lower production and assembly costs.
For our project, this idea meant minimizing the number of moving parts, ideally to zero. At the same time, the rack had to ensure a fast and effortless drive swap. The task was complicated by the fact that each cell of the rack had to fit all known form factors:
SATA/SAS desktop drives of 102 x 147 mm, up to 26mm high
Mobile SATA drives of 70 x 100 mm, 7mm or 9.5mm high
Mobile SAS drives of 70 x 100 mm, up to 15 mm high
We have looked at different design options and settled for the most suitable concept: A simple shelf is divided into disk cells, in which you can place a drive horizontally, secured with corners preventing the drives from slipping out if you accidentally pull a cable.
As straightforward as the design may sound, its practical implementation was much trickier.
Four drives take up almost the entire width of a 19″ rack. We still had to fit the case and cell walls. The hardware engineers had to really “rack their heads” but we did tackle all the challenges and designed a rack that holds 8 drives and has a fan to keep them cool. A rack can be installed in a 19-inch rack or sit on a desk; it can be placed above or under TaskForce 2. Optimally, a rack above TaskForce 2 is used for all the drives plugged into SATA ports and another one is underneath to accommodate the drives in SAS ports.
The racks brought a substantial improvement to the user experience, and we could not be happier with the outcome.
TaskForce 2 with drive racks
FF: What’s next for Atola in terms of hardware design?
We are busy developing a brand new standalone imager. With a comprehensive range of ports and market-unique features, it will be crafted to handle the most complex tasks with ease. While I can’t reveal too much yet, this imager is set to redefine your workflow and elevate your forensic toolkit.
Stay tuned for more sneak peeks and behind-the-scenes updates by following Atola on LinkedIn!
Atola Technology introduces system-wide support for the Btrfs file system and Logical volume manager (LVM) in a new software update for Insight Forensic. This fast forensic imaging system can run 3 simultaneous imaging sessions and work with damaged media.
Version 5.6 also offers up to 60% faster imaging to compressed E01 files thanks to the new optimized Deflate method and rapid adaptive algorithm.
System-Wide Btrfs and LVM Support
Insight Forensic 5.6 can identify and manage Btrfs and LVM, widely used on Linux-based operating systems. This includes diagnostics, imaging, file recovery, locate sectors, and all other modules.
In Insight’s user interface, LVM’s volume groups and logical volumes are shown as containers with nested partitions:
[img-2]
Faster Imaging to a Compressed E01 File
With Insight Forensic 5.6, imaging to an E01 compressed file has become up to 60% faster when source data is encrypted or compressed.
Thanks to the implementation of a new optimized Deflate method and rapid adaptive algorithm, Atola’s engineers were able not only to speed up the imaging process but also significantly reduce CPU load:
CPU load reduction from 70% to 30% (per one imaging session) on your PC and DiskSense 2 unit
Improvements In iSCSI Support, Diagnostics, and Case Reports
Other new features introduced in Insight Forensic 5.6 include:
iSCSI source devices
Ability to connect to iSCSI device via DNS.
A new Details button was added to show IQN, IP/DNS, device name and serial number.
Diagnostics
Improvements in Firmware check for devices connected via USB adapters.
Case reports
Unit IP и Unit serial renamed to Atola IP and Atola serial in the headers of all reports.
About Atola Insight Forensic system
Atola Insight Forensic is a fast forensic imager with the capacity to perform 3 simultaneous imaging sessions on a wide range of media. It also offers complex yet highly automated data recovery functions on failing storage devices and provides utilities for accessing hard drives at the lowest level. The system includes DiskSense 2 hardware forensic unit, hardware extension modules, and Insight Forensic software to operate them.
About Atola Technology
Atola Technology is an innovative company based in Vancouver, Canada, specializing in creating forensic imaging hardware tools for the global forensic market.
Atola’s engineers, including its founder and CEO Dmitry Postrigan, have strong expertise in storage media and data recovery and focus on creating highly efficient and user-friendly forensic imagers.
With the latest firmware update, Atola Technology enables automatic reassembly and imaging of Synology NAS RAIDs in its flagship TaskForce and TaskForce 2 forensic hardware imagers.
Firmware update 2024.6 introduces an improved RAID module that supports Synology NAS systems, Btrfs, and LVM (Logical Volume Manager). It also brings a wide range of other new features, such as the ability to group ports in Express mode and assign different imaging settings for each group.
“We’re thrilled to announce the biggest software release for TaskForces ever, packed with a record-breaking number of new features,” says Vitaliy Mokosiy, CTO at Atola Technology. “Among all the improvements and tweaks we’ve prepared for you in this update, I’d like to mention three major ones: system-wide support for Synology NAS, port groups in Express mode, and offline contextual help.”
Automatic Reassembly and Imaging of Synology NAS RAIDs
TaskForce forensic imagers now offer system-wide support for Synology Network Attached Storage, including SHR RAID management system, Btrfs storage format, and Logical Volume Manager (LVM), which are widely used on Synology devices.
[img-2]
Forensic experts can now automatically reassemble Synology NAS RAIDs and then create full bit-by-bit copies or image only selected partitions, folders, and files to save time and storage space.
TaskForce’s Autodetection module provides detailed information about all the RAID arrays that constitute a particular Synology storage pool.
Enhanced RAID Module
Start LBA for RAID autodetection: if the experts know that members of the array have a particular disk offset, they can specify that parameter in the Autodetection module. This way, autodetection can find a suitable RAID configuration faster.
Schematic RAID representation: the new Layout tab on the RAID configuration screen shows a clear schematic representation of the selected RAID type.
Clearer view of the RAID parameters and contents thanks to the expandable/collapsable areas on the RAID configuration screen.
Port Groups With Different Settings in Express Mode
To streamline forensic acquisition workflow, TaskForce in Express mode starts the imaging process with predefined settings automatically once an examiner connects a drive. But what if a forensic lab deals with different types of drives that require different approaches?
With the new update, it is possible to combine any number of TaskForce ports into a custom group with specific imaging parameters for Express mode:
Where to save an image file
Which image file format to use
Which type of hash to calculate
Whether to diagnose source device before imaging
And more
[img-3]
For example, to balance reading and writing speeds, users can image new NVMe drives to a faster server and older/smaller SATA drives to a slower storage device. Or image healthy drives to the “Good” folder and faulty ones to the “Bad” folder to treat them differently later.
New Web API Commands and Features
Web API is used to link TaskForce imaging system to DFIR software that performs evidence analysis and reporting. Some of your customers do not even use the graphical UI preferring to integrate TaskForce into their automated workflows. According to their requests, we have added the following API capabilities:
Login as user with the new POST call /login, which validates user credentials from HTTP request body.
Diagnose a drive with the new GET call /diagnose.
Use API when the user management system is activated to separate tasks started by different persons.
Contextual Tips and Guides on How to Use TaskForce
To provide instant help and step-by-step guidance, TaskForce has divided the offline manual into chunks so that forensic examiners can open only those articles that are relevant to their work.
Many page headers in the TaskForce interface are now links to the articles, and this built-in contextual help system is fully available offline.
In addition, helpful hints pop up after the user performs various actions.
About Atola TaskForce
Atola TaskForce is a high-performance forensic hardware imager with 18 ports, capable of running 12+ parallel imaging, hashing, or wiping sessions at 15 TB/hour cumulative speed. Atola TaskForce supports automated RAID reassembly and imaging with a missing device, has Express mode for time-saving self-launching imaging, and provides Web API for automating forensic data acquisition workflow.
About Atola TaskForce 2
Atola TaskForce 2 is a new version of the TaskForce forensic imager, designed primarily for in-lab usage. The new device has 26 ports, including four M.2 NVMe ports, and can image 25+ drives simultaneously, even the damaged ones, reaching 25 TB/hour cumulative speed. TaskForce 2 has all the features of TaskForce, including RAID and damaged drives support, Express mode, and Web API for workflow automation.
About Atola Technology
Atola Technology is an innovative company based in the Vancouver area, Canada, specializing in creating forensic imaging hardware tools for the global forensic market.
Atola’s engineers – including its founder and CEO Dmitry Postrigan – have strong expertise in storage media and data recovery, and focus on creating highly efficient and user-friendly forensic imagers.
Atola Technology released a software update for Atola Insight Forensic, a fast forensic imaging system with the capacity to run 3 simultaneous imaging sessions and work with damaged media.
Version 5.5 brings support for the iSCSI protocol, enabling remote imaging of:
drives that are soldered into a motherboard,
working servers that couldn’t be turned off, or
storage devices for which examiners have a legal warrant to access but not seize.
“We are happy to introduce such a highly anticipated feature to our customers” said Vitaliy Mokosiy, CTO at Atola Technology. “Now, thanks to iSCSI support in Insight Forensic, you can add up to 3 remote network drives simultaneously and image them in parallel.”
The iSCSI support is available for both DiskSense 1 and DiskSense 2 hardware units.
[img-2]
Insight Forensic version 5.5 also features a new status bar for NVMe drives, which enables real-time monitoring of the different properties of an evidence device, such as temperature and power status. Moreover, two more parameters of an NVMe drive are now available in its Diagnostic report:
A table with all possible power states of a drive provides details about max power consumption and latency of switching between power states.
Warning and Critical temperature levels show when a drive starts overheating. These parameters are received from controller data.
[img-3]
About Atola Insight Forensic system
Atola Insight Forensic is a fast forensic imager with the capacity to perform 3 simultaneous imaging sessions on a wide range of media. It also offers complex yet highly automated data recovery functions on failing storage devices and provides utilities for accessing hard drives at the lowest level. The system includes DiskSense 2 hardware forensic unit, hardware extension modules, and Insight Forensic software to operate them.
About Atola Technology
Atola Technology is an innovative company based in Vancouver, Canada, specializing in creating forensic imaging hardware tools for the global forensic market.
Atola’s engineers, including its founder and CEO Dmitry Postrigan, have strong expertise in storage media and data recovery, and focus on creating highly efficient and user-friendly forensic imagers.
Atola Technology introduces the long-awaited support for RAID 6 in a new firmware version 2023.10 for both its forensic hardware imagers: the portable TaskForce with 18 ports and the newest TaskForce 2 with 26 ports, including four M.2 NVMe ports, and a cumulative speed of 25 TB/hour.
From now on, the forensic experts who use TaskForce or TaskForce 2, can:
Automatically reassemble RAID 6 arrays consisting of drives, images, or both.
Rebuild a RAID 6 array even if one or two of its members are missing or damaged.
Create a full physical image of RAID 6 or perform logical imaging of only selected partitions, folders, and files.
“We’ve put a lot of work into this TaskForce update to support RAID 6. In addition to JBOD, RAID 0, 1, 10, and 5, you can now automatically detect, reassemble, and image this popular RAID type,” said Vitaliy Mokosiy, the CTO of Atola Technology. “Thanks to RAID 6 extra redundancy with two parity blocks, both TaskForce and TaskForce 2 can rebuild RAID 6 arrays with two damaged or missing devices. On top of that, we are excited to introduce many other features related to the imaging process, NVMe drives, and case management.”
Rebuilding and Imaging RAID 6
After automatically reassembling RAID 6 arrays, TaskForce creates a bit-by-bit or logical forensic copy of an array.
If the RAID parameters are known, they can be selected manually including the order of the RAID members. Since RAID 6 arrays feature not one, but two types of parity blocks (XOR parity and Reed-Solomon parity), the Parity block order parameter is also available for manual selection when the RAID type is set to RAID 6.
If the RAID configuration is unknown, the built-in Autodetection module searches through thousands or even millions of possible combinations to find a suitable one in a matter of minutes.
For RAIDs created by mdadm in Linux, TaskForce instantly recognizes their configuration using RAID metadata.
Thanks to the extra redundancy of RAID 6 arrays with two parity block types instead of one, TaskForce can rebuild a RAID 6 array even if two of its members are missing. After a possible configuration is applied during the autodetection (or manual selection of parameters), TaskForce rebuilds the array, parses its file systems, and validates the partitions. Users can preview volumes, folders, and files before proceeding to the physical or logical imaging.
[img-2]
More Control Over NVMe Drives
In the firmware version 2023.10, Atola Technology introduced a new status bar for NVMe drives. It is situated at the bottom of the imaging page and shows details about the NVMe drive’s state, providing more control over the imaging process.
A range of indicators provides information about device presence, readiness to accept commands, power consumption, and temperature.
[img-3]
The Diagnostics report for NVMe drives has also been enhanced. Now it features three more parameters that describe the drive’s configuration and condition:
PCIe generation of a drive gives an insight into the drive’s max bandwidth and performance.
A table with all possible power states of a drive provides details about max power consumption and latency of switching between power states.
Warning and Critical temperature levels show when a drive starts overheating. These parameters are received from controller data.
Enhanced Imaging Process, Case Management, and NVMe Wiping
With the 2023.10 firmware, Atola TaskForce and TaskForce 2 have received a variety of other improvements related to the imaging process, NVMe drives, and case management. Here are some of them:
RAID: The autodetection of RAID configuration, detection of partition types, and display of device tags have been improved. To view MBR/GPT table information, users can now hover over the corresponding device tag.
Imaging: Users can check network speed when selecting a folder for a target image. In case of power or network connection loss, TaskForce autosaves the imaging progress to seamlessly resume the process later.
NVMe drives: A new wiping method – Sanitize – is available.
Case management: Users can now delete devices from a case and use non-unique case names. The case contains a new list of target images and drives used with a source drive.
About Atola TaskForce
Atola TaskForce is a high-performance forensic hardware imager with 18 ports, capable of running 12+ parallel imaging, hashing, or wiping sessions at 15 TB/hour cumulative speed. Atola TaskForce supports automated RAID reassembly and imaging with a missing device, has Express mode for time-saving self-launching imaging, and provides Web API for automating forensic data acquisition workflow.
About Atola TaskForce 2
Atola TaskForce 2 is a new version of the TaskForce forensic imager, designed primarily for in-lab usage. The new device has 26 ports, including four M.2 NVMe ports, and can image 25+ drives simultaneously, even the damaged ones, reaching 25 TB/hour cumulative speed. TaskForce 2 has all the features of TaskForce, including RAID and damaged drives support, Express mode, and Web API for workflow automation.
About Atola Technology
Atola Technology is an innovative company based in the Vancouver area, Canada, specializing in creating forensic imaging hardware tools for the global forensic market.
Atola’s engineers – including its founder and CEO Dmitry Postrigan – have strong expertise in storage media and data recovery, and focus on creating highly efficient and user-friendly forensic imagers.
Atola Technology introduces a fully revamped Disk editor module for convenient in-depth evidence analysis in a new software update for Atola Insight Forensic, a fast forensic imaging system with the capacity to run 3 simultaneous imaging sessions and work with damaged media.
Version 5.4 of Insight Forensic also includes more than 35 new features and bugfixes and can now detect two or more ambiguous file systems hidden within a single partition.
“For this software update, we’ve thoroughly overhauled our Disk Editor module to make byte-level analysis much easier,” said Vitaliy Mokosiy, CTO at Atola Technology. “Another nice feature: Insight Forensic now recognizes two or more file systems intentionally squeezed into the same sector range and notifies a user about it during the diagnostics. Not to mention more than two dozen small tweaks and improvements to make the examiner’s work more comfortable.”
The New Disk Editor: Find, Read, or Edit Bytes Quicker and Easier
The Disk editor module included in Insight Forensic for analyzing device data on the byte level received a fresher look and feel. Now it lets forensic examiners navigate through disk sectors faster, search for hex strings more easily, and interpret bytes quickly.
Insight Forensic now seamlessly reads device space in infinite mode: bytes are loaded automatically as a user scrolls the hex viewer up or down. To quickly jump to a certain position, examiners can press the Go to sector button or use the Ctrl + G keyboard shortcut. And two more convenient shortcuts: Ctrl + Home immediately brings users to the first sector of a drive and Ctrl + End gets them to the last sector.
To quickly find a certain byte sequence, examiners can go to the Data inspector tab or press Ctrl + F shortcut and enter a string they are searching for. Also, there are Find previous and Find next buttons to see each instance of the found byte sequences.
The new Data inspector feature saves time when interpreting bytes. It converts hex value to decimal (8-, 16-, 24-, 32-bit integer) or binary format on the fly.
Insight Forensic detects file system structures automatically. Master Boot Record, GPT sector, FAT/NTFS/ext Boot Sector, HFS headers, NTFS File Record and other structures are automatically recognized and parsed into a human-readable form.
[img-2]
Find Two or More Ambiguous File Systems Hidden Within a Single Partition
What if someone managed to place two or even more fully functional file systems within a single file system partition on the storage device to conceal data?
Researchers Janine Schneider, Maximilian Eichhorn, and Felix Freiling in their paper titled “Ambiguous File System Partitions” showed that it is possible to create ambiguous file system partitions by integrating a guest file system into the structures of a host file system. The authors point out that since typical file systems that occur in forensic analysis are usually unambiguous, ambiguous file system partitions may serve as useful corner cases in forensic tools and processes.
The Atola engineers were so inspired by this paper that they decided to implement ambiguous file system detection in our product.
Insight Forensic 5.4 now detects host and guest file systems placed within the same sector range during the Automatic checkup and notifies the user about it in the Diagnostics report.
Moreover, forensic examiners can image one or both partitions and also correctly access their files in the File recovery module.
A nice-to-have feature for deep-dive analysis.
[img-3]
About Atola Insight Forensic system
Atola Insight Forensic is a fast forensic imager with the capacity to perform 3 simultaneous imaging sessions on a wide range of media. It also offers complex yet highly automated data recovery functions on failing storage devices and provides utilities for accessing hard drives at the lowest level. The system includes DiskSense 2 hardware forensic unit, hardware extension modules, and Insight Forensic software to operate them.
About Atola Technology
Atola Technology is an innovative company based in Vancouver, Canada, specializing in creating forensic imaging hardware tools for the global forensic market.
Atola’s engineers, including its founder and CEO Dmitry Postrigan, have strong expertise in storage media and data recovery, and focus on creating highly efficient and user-friendly forensic imagers.
Atola Technology releases TaskForce 2, a new version of its flagship forensic imager. The new device has 26 ports, including four M.2 NVMe ports, and can image25+ drives simultaneously, including damaged media, reaching 25 TB/hour cumulative speed.
With TaskForce 2, forensic examiners can automatically reassemble and image RAIDs with an unknown configuration, benefit from workflow automation tools, thanks to the built-in Web API, and collaborate with colleagues using a single high-performance hardware unit.
“With TaskForce 2, its 26 ports, powerful server-grade hardware and damaged drive support we’re taking forensic imaging to a whole new level,” said CTO Vitaliy Mokosiy. “We invested a great deal of time and effort in engineering, development and testing to help forensic specialists across the globe reduce their backlogs of ever-growing amounts of evidence data.”
26 ports, including M.2/U.2 NVMe, SATA, SAS, and USB
To simultaneously image more than 25 evidence devices and run other forensic tasks at 25 TB per hour, TaskForce 2 has ports of all popular types on its front panel. They include eight SATA, eight SAS/SATA, four NVMe (M.2 or U.2), four USB, and one IDE port. The additional Extension port is situated on the back side and designed for connecting M.2 SSD, Apple PCIe SSD, and Apple Thunderbolt extension modules.
All 26 ports can be configured according to examiners’ needs: each port can be set either to the source or target mode. The source mode turns on the hardware write protection to eliminate any possibility of altering digital evidence. A dedicated LED indicator next to each port signals that the source mode on this particular port is enabled. The target mode allows using a drive as an imaging target, altering or securely erasing its contents.
Additional color-coded port LEDs on the front panel indicate that a task is running or finished, a process is OK or there are issues.
TaskForce’s Express mode simplifies repeated tasks by automatically launching an imaging session with predefined settings once a drive is connected to TaskForce 2. This allows getting dozens of drives imaged into the same destination with zero clicks. Express mode can also be used for speeding up wiping or hash calculation.
Atola Device Rack
To neatly organize evidence drives while imaging them, exclusively for TaskForce 2, the dev team designed Atola Device Rack. One Device Rack stores up to eight drives and can either be placed on top of or below TaskForce 2 hardware unit or mounted on a server rack.
Each of the eight numbered bays can contain one 3.5-inch or 2.5-inch drive and is high enough for the tallest SAS drives. Bay numbering suggests the most convenient scheme to place drives connected to the respective SATA or SAS ports of TaskForce 2.
[img-2]
To cool down the drives during resource-consuming operations, Device Rack is equipped with two fans situated on its back panel.
Server Rack Compatibility
TaskForce 2 is designed primarily for in-lab usage and can be mounted into a standard server rack, along with one or two Atola Device Racks. The size of the rackmount for both TaskForce 2 and Atola Device Rack is 3U.
[img-3]
Workflow Automation Tools
The built-in Web API enables the integration of TaskForce 2 into an automated evidence processing sequence, created using Magnet AUTOMATE and other commercially available or in-house workflow automation tools.
To enable the integration, API provides the ability to launch, track and stop physical or logical imaging operations via Web API.
Automated RAID Reassembly
TaskForce 2 functionality makes it possible to automatically identify unknown configurations of RAID arrays and reassemble RAID 0, 1, 5, 10, or JBOD. For RAID 5, TaskForce 2 software can rebuild an array even with a missing or damaged device, using parity blocks.
The RAID module works even with damaged media and supports both physical drives and their images.
After RAID configuration is automatically detected and applied, a forensic examiner can preview the RAID contents and image the whole array or only selected partitions, folders, and files.
Multi-User Access
Thanks to a web-based user interface and built-in user management system, forensic specialists can use a single hardware unit to perform acquisition tasks simultaneously. Each user’s processes, reports, and cases are kept separate and confidential.
The control interface is user-friendly and accessible in the Chrome browser on any device within the same local network: a computer, tablet, or phone.
About Atola Technology
Atola Technology is an innovative company based in the Vancouver area, Canada, specializing in creating forensic imaging hardware tools for the global forensic market.
Atola’s engineers – including its founder and CEO Dmitry Postrigan – have strong expertise in storage media and data recovery, and focus on creating highly efficient and user-friendly forensic imagers.
Atola Technology has released a new software update for Atola Insight Forensic, a fast forensic imaging system with the capacity to run 3 simultaneous imaging sessions and work with damaged media.
Version 5.3 can now perform cryptocurrency artifact search and securely wipe NVMe drives with Sanitize and Format NVM methods. It has also received a substantial performance boost and widened its multitasking capabilities.
“With this update we introduce highly expected cryptocurrency artifact search in our Artifact Finder module, which now detects Bitcoin and Ethereum wallet addresses and BIP39 mnemonic phrases,” said Vitaliy Mokosiy, CTO at Atola Technology. “We’ve also added two secure wiping methods for NVMe drives and extended our Multi-launch functionality to support simultaneous launch on up to 7 drives of four more commands, including drive diagnostics and hash calculation. On top of that, we’ve tuned up our algorithms to increase the hashing speed by up to 110 percent. All these improvements will save a great deal of time for forensic experts using our product.”
Search cryptocurrency artifacts with Artifact Finder
Insight Forensic provides much more than simple imaging software. It supports copying of damaged drives and handles 3 parallel imaging sessions at high speeds with ease. To speed up the evidence search and optimize acquisition process, it performs artifact detection on a sector level during imaging.
In addition to emails, IP and MAC addresses, GPS and URLs, credit card and phone numbers, keywords and regular expressions, Insight Forensic 5.3 can now do a live search of cryptocurrency artifacts:
BIP39 mnemonic phrases,
Bitcoin wallet addresses,
Ethereum wallet addresses.
Enhanced Artifact finder provides preliminary overview of evidence on a drive as you image it.
Securely wipe NVMe drives with Sanitize and Format NVM
For secure wiping of NVMe M.2 drives with Fill or Erase command, Atola team has added support for two new methods based on NVMe 1.4 specification: Format NVM and Sanitize.
Both Format NVM and Sanitize methods utilize SSD controller’s internal wiping algorithms specified in NVM Express standard.
For the Format NVMemethod two erase modes are supported: Data Erase and Cryptographic Erase.
The Sanitize method allows you to select different options for altering user data in all locations on the drive in which user data may be stored:
Block Erase uses a low-level block erase method specific to the media.
Crypto Erase changes the media encryption keys.
Overwrite writes a fixed data pattern or related patterns.
Launch more tasks simultaneously with Multi-launch
The Multi-launch functionality for simultaneous wiping of up to 7 devices was introduced in Insight Forensic version 5.2.
To run more similar tasks on all connected devices at once, Insight 5.3 adds four more commands to the Multi-launch menu:
Artifact Finder for artifacts search.
Automatic Checkup for drive diagnostics.
Calculate hash.
Locate sectors for finding files, which correspond to certain sets of sector ranges.
To boost multitasking productivity even more, we’ve added the Detect all devices option to the Port menu. With this command, a user can power up and identify all attached drives in one go.
Calculate hash up to 110% faster
We’ve rebuilt our algorithms to boost productivity and calculate hashes even faster. As a result, hash calculation performance has increased by up to 110% depending on the hash type.
Here’s the speed comparison in MB/s of hash calculation on NVMe drives:
[img-2]
About Atola Insight Forensic system
Atola Insight Forensic is a fast forensic imager with the capacity to perform 3 simultaneous imaging sessions on a wide range of media. It also offers complex yet highly automated data recovery functions on failing storage devices and provides utilities for accessing hard drives at the lowest level. The system includes DiskSense 2 hardware forensic unit, hardware extension modules, and Insight Forensic software to operate them.
About Atola Technology
Atola Technology is an innovative company based in Vancouver, Canada, specializing in creating forensic imaging hardware tools for the global forensic market.
Atola’s engineers, including its founder and CEO Dmitry Postrigan, have strong expertise in storage media and data recovery, and focus on creating highly efficient and user-friendly forensic imagers.
In 2022, Atola held an unprecedented number of offline and online meetings with our customers. On the one hand, offline conferences finally returned firmly into our business lives. On the other, we created opportunities to meet DFIR practitioners to explain our technology, exchange knowledge and find inspiration for further product development. Here are some of the questions asked and answered during these interactions.
What happens if a RAID member is damaged? Can TaskForce rebuild and image such RAIDs?
Depending on the kind of the drive’s damage and the RAID type, a few scenarios are possible.
To identify the RAID type, TaskForce reads data from the initial 3 million sectors of the RAID members and detects MBR, mirror pairs, parity blocks, etc. If there are errors on a drive, an Error tag will appear next to the corresponding RAID member.
If TaskForce comes across over 100 read errors in the initial sectors of a drive, it will stop the RAID configuration autodetection process. This is to avoid causing further damage to the damaged device. In this case, you can remove the drive from the list of RAID members by dragging it down to the trash icon and clicking the Add missing device button. TaskForce restarts autodetection automatically and will take this drive into consideration. If it is a parity-based RAID, TaskForce will use the parity blocks to rebuild data on the missing drive.
Once RAID has been reassembled, you have a high chance of getting a complete image of the RAID. Especially if you are dealing with a RAID that has data redundancy, TaskForce seamlessly rebuilds the complete image using the parity blocks or data from the mirrors. If there are errors that TaskForce cannot fill with data from parity blocks or a mirror member, the sector will be marked as bad, yet the remaining data will be successfully imaged, much like during the imaging of damaged individual drives.
If TaskForce finds mirror pairs during autodetection, the configuration will also be successfully identified. The data from just one set of mirrors will be sufficient to get a complete image of the RAID.
If the RAID configuration has not been recognized, you may also try to diagnose and image the damaged RAID member. In many cases, TaskForce’s multi-pass imaging system can overcome the errors and you will get a better set of data on a RAID member to work with. Then restart your RAID autodetection process.
Is drive diagnostics only useful for working with bad drives?
No, drive diagnostics gives vast amounts of information about any drive, whether it is in good or bad condition. This information helps you triage and prioritize drives and plan your work with storage devices.
Not only does diagnostics allow you to instantly make sure that the drive’s label corresponds to the information in the drive’s firmware, but it gives you other relevant information:
[img-2]
For instance, the media scan part of the report estimates the imaging time, which helps you plan your actions.
The file system check shows you if there are partitions on the drive, their size, type, and how much of the drive space appears empty.
The firmware part of the report, since 2019, even includes a temperature graph: a record of the time spans and drive’s temperature during the most recent sessions. It may help investigators in identifying how the drive had been used before its seizure.
The same part of the report will also identify any hidden areas of the drive created by the user (HPA, DCO and AMA zones can later be made available for imaging in the Other > Hidden drive areas section of TaskForce’s task bar).
You get this and much more information based on just a minute-long operation that triages all the subsystems of the drive. We highly recommend starting your work with any drive with this simple action to assess the media first.
Why does my Diagnostics report say there were no partitions detected?
Mind, that even if a drive does not appear to have any partitions, it does not mean that there is no data on it. There are at least four other possibilities:
The volumes are encrypted
The drive is a part of a RAID array
The MBR/GPT is corrupted
There are only remnants of a partition, data from which has been partially deleted, or there is a hidden partition
If the file system is not supported, TaskForce will still mention that there is a partition of an unknown type.
If the diagnostics report indicates that no partitions were found on a drive, we suggest that you look up the contents of the drive.
In TaskForce, try imaging the drive and look up the contents of the initial sectors in the HEX viewer and Signature tabs in the lower part of the imaging screen. If you see a pattern or the sectors are filled with zeros, the drive may indeed be blank. If you see many signatures being found in the course of imaging, then you are dealing with a drive that contains data. If no signatures are found but you see random bytes in the HEX viewer, it is likely an encrypted partition (BitLocker, VeraCrypt, or similar).
[img-3]
If you are using Atola Insight Forensic, look up the contents of the Source drive in Disk Editor. If data looks random, Insight lets you examine the entropy of data during imaging: if entropy is consistently high throughout the space of the drive, the partitions are likely encrypted.
Hashing options in Atola imagers
Atola calculates hash using any of the major algorithms: MD5, SHA-1, SHA-256, SHA-512.
In addition to the conventional linear hashing, Atola has a few alternatives, which exist for situations when it is impossible to calculate a single hash value for the whole space of the drive from the first segment to the last.
For damaged media, Atola has introduced the concept of Segmented hashing, letting you get hash values for segments of the drive (segment size is customizable). This way all data around an error can be verified: our imagers produce a table with the LBAs of the first and the last sectors of the segment along with the hash value for the segment next to them.
For compressed E01 files, segmented hashing is also a way to verify the imaged data.
For AFF4 files, we have supported its native block hashes that are calculated for small segments of data on the drive and are stored in a table inside AFF4 metadata, and there is a Block map hash that represents a single SHA-512 hash value for all the individual block hashes based on Merkle tree model.
Is there a warranty on Atola products?
Yes, Atola offers the best warranty terms in the industry: No matter how old your hardware forensic imager is, it is covered by our Lifetime warranty, for as long as your software update subscription is active. Just recently, we updated our warranty terms, and they now include not only the systems but extensions too!
Now your subscription covers:
replacement of a device, component, extension module, or cable
complimentary training to ensure you are aware of all the essential features of our imagers
technical support from our team of developers who designed and built the systems
2 – 3 major software updates annually bringing you high-impact feature updates
The first year of subscription is included in the initial purchase of Atola devices, making you entitled to all the privileges outlined above. A newly purchased subscription starts working right away and is valid for the purchased period; there is no back-dating or extra cost involved.
Do Atola imagers have a decryption feature?
Decryption is a massive problem in the industry and requires specialized tools to work around.
Both Atola Insight Forensic and Atola TaskForce support the decryption of APFS partitions with a known password or recovery key.
Atola Insight also detects BitLocker volumes and displays its GUID and type during imaging and diagnostics. While imaging, Insight immediately adds a log record with the start LBA of a BitLocker volume when encountering it.
If TaskForce is used by multiple people simultaneously, how do I ensure that users do not interfere with each other’s work?
Yes, TaskForce’s web-based interface can be opened on multiple workstations in a Chrome browser. In 2022, we introduced a user management system that assigns admin and user roles to different operators. It ensures that only the admin can see other users’ tasks, while ordinary users are prevented from interfering or even seeing each other’s cases and drives in use.
To enable the user management system, just go to the User section of TaskForce’s settings and set Admin and User roles.
We have also provided an option of locking TaskForce after a period of inactivity to prevent others from interacting with the device. This can be especially handy for those using TaskForce for imaging in the field.
Can a Cat6 Ethernet cable be the speed bottleneck when imaging to a server?
To optimize data throughput in a 10Gbit network, it is best to use cables of these types: Cat6a, Cat7, Cat7a, and Cat8.
When it comes to Cat6 cables, they support 10BASE-T, 100BASE-TX, 1000BASE-T, and 10GBASE-T standards, as well as frequencies up to 250 MHz. Such cables handle 10Gbit throughput if their length does not exceed 55 meters.
What can I learn from Atola’s training sessions and demonstrations?
We organize free events for both new prospects and existing customers who want to update their knowledge of the system’s latest features or train new colleagues to use the imagers.
Our training program has been developed to give a comprehensive review of TaskForce and Insight but is easily tailored to suit the individual needs of customers with specific questions.
If you would like to arrange an online session, don’t hesitate to contact us.
On November 21 Atola Technology released a firmware update for Atola TaskForce, a high-performance forensic imager capable of running 12+ parallel imaging sessions at 15 TB/hour cumulative speed.
Automatically reassemble RAID arrays, even with a missing member
Securely wipe NVMe drives
Create and manage several user profiles for one TaskForce unit
“We are proud to announce these highly anticipated features, which we created to further help forensic experts in their day-to-day work,” said Vitaliy Mokosiy, CTO at Atola Technology. “Our customers from all over the world asked us a lot about APFS support and user management system for better control of their work with evidence. As for autodetection of RAIDs with a missing device, it is another improvement to the RAID configuration autodetection module that we are adding to increase our customers’ chances of reassembling and imaging such RAIDs. Today, we are happy to present these new and enhanced features.”
APFS Support
With TaskForce firmware update 2022.10, the Atola team has added support for the APFS file system, created by Apple. Now, TaskForce lets you unlock APFS volumes with a known password or recovery key and create a physical orlogical image of the Apple device you are processing.
The RAID module in TaskForce also supports physical and logical imaging of arrays with unencrypted APFS volumes.
Automatic RAID reassembly, even with missing drive
Atola TaskForce can now automatically reassemble RAID 5, even when you don’t know that one drive in the array is missing.
[img-2]
Powered by anenhanced RAID autodetection algorithm, TaskForce identifies the RAID type and checks millions of possible RAID configurations to find a suitable one.
If one of the array members is missing, TaskForce now automatically detects that and reconstructs the whole array anyway using parity information that is distributed across the drives.
NVMe drives secure wiping with Format NVM
With updated functionality, Atola TaskForce now securely wipes M.2 NVMe drives using Format NVM method, which utilizes SSD controller’s internal wiping algorithm.
Our users can choose between two erase modes, both of which follow NVMe standard: Data Erase and Cryptographic Erase.
User management system
For those forensic examiners who need to lock their TaskForce unit with a password or protect their cases from colleagues with whom they share one TaskForce unit, Atola has developed a user management system.
With this update, TaskForce users can:
Create one or several user profiles.
Protect user profiles with passwords.
Grant access to TaskForce only for authenticated users.
See and manage cases independently.
Automatically lock TaskForce screen after a certain time of inactivity.
[img-3]
When user management is enabled, TaskForce asks the user to enter their password, while colleagues who share one TaskForce can’t see each other’s cases and interrupt each other’s tasks.
About Atola TaskForce
Atola TaskForce is a high-performance forensic hardware imager with 18 ports, capable of running 12+ parallel imaging, hashing, or wiping sessions at 15 TB/hour cumulative speed. Atola TaskForce supports automated RAID reassembly and imaging with a missing device, has Express mode for time-saving self-launching imaging, and provides Web API for automating forensic data acquisition workflow.
About Atola Technology
Atola Technology is an innovative company based in Vancouver, Canada, specializing in creating forensic imaging hardware tools for the global forensic market.
Atola’s engineers – including its founder and CEO Dmitry Postrigan – have strong expertise in storage media and data recovery, and focus on creating highly efficient and user-friendly forensic imagers.
What do you need in logical imaging functionality? Here are some of the answers from Atola’s customers accumulated over the years:
“We would want to be able to verify with the client the number of successful files recovered, preferably by extension (JPG, PDF, DOC, etc).”
“I need to image XFS files because Windows doesn’t see XFS partitions.”
“Our first step is selecting and imaging all document files, including those stored in Zips.”
“We have two active investigations (homicide and child pornography) that resulted in large seizures (approx. 75+ devices for each case). I was wondering if it’s possible to build in a file explorer into the TaskForce software? We are looking at triaging the devices and if files have not been accessed within the past two years they will be omitted from the analysis.”
April’s 2022.4 firmware release of TaskForce firmware has introduced the initial portion of logical imaging functionality to help you save time by focusing on specific files and folders on an evidence drive.
THE FILTERS
By default, logical imaging is set to image all files from the drive. Here is how to fine-tune your selection and save more time.
Time spans: when files were accessed, created, or modified
File size: from 1 byte to infinity
Exclude what is irrelevant:
Exclude filters allow using the same parameters to eliminate irrelevant files and folders for further precision of your search
Save the settings for subsequent searches, or export to share with colleagues using a different TaskForce.
THE LOGICAL ACQUISITION OF RAID ARRAYS
If logical imaging is a time saver when acquiring data from a drive, imagine the amount of time it saves when getting evidence from a RAID array!
TaskForce’s RAID Autodetection module allows you to reassemble even RAIDs with an unknown configuration. Next, you can do either physical imaging or a logical one. The same filters can be applied to the logical acquisition of RAIDs and will result in a much quicker acquisition of the selected data.
[img-2]
12+ PARALLEL LOGICAL IMAGING SESSIONS
TaskForce’s 18 ports (6 SATA, 6 SAS/SATA, 4 USB, IDE and Extension for NVMe, PCIe, Apple PCIe, Thunderbolt/Firewire interfaces) are always available for all kinds of forensic jobs including running 12 logical imaging sessions.
[img-3]
TaskForce’s server-grade hardware and 2 10-Gbit ports will ensure the high throughput of data, and its ECC memory will ensure its reliability at all times.
THE PAUSE/RESUME
No time to finish the job now? TaskForce’s pause-resume function works for logical imaging sessions.
When you are running out of time, hit the Pause button and resume the session to complete the imaging to the same L01 file later. Only the remaining sectors with data from selected files will be imaged after the resume. Even if you need to use another TaskForce to complete the job, a simple export and import of the case will let you seamlessly complete the job on another machine.
THE LOGICAL IMAGE
TaskForce images to L01 files, either compressed or not, with SHA-1 and/or MD5 hash.
The L01 file can be stored on a target drive or your local network.
THE FUTURE
Atola is already working on adding filters to the logical imaging module and integrating it with other parts of TaskForce’s functionality to boost your ability to detect and image critical data from evidence drives.
Is there a way to make this or other functionality work better for you and your organization? Let us know at contact@atola.com
“I keep on telling my field techs to at least mark the order of the drives in a tower when they are pulling them out!” says our new acquaintance at one of the first post-pandemic offline events. These bunches of drives land on her desk without any data about the type of RAID or its controller. Forget the remaining critical parameters.
“I am lucky if detectives mark the first drive in a server they need to be examined”. “It is hours of trials and errors when I try mounting a RAID.” “I had to image all of the drives and then play with 10 images for days to get the parameters right.”
It is stories like these that made us think about solutions and realize that we had the perfect hardware for RAID reassembly and its subsequent forensic imaging.
For starters, Atola TaskForce has 18 ports, and 16 of them can be used for SATA devices:
6 SATA ports
6 SAS ports that can also be used for SATA devices
4 USB ports, to which SATA devices can be connected in enclosures.
In addition, you can use image files as remaining RAID members.
To be able to connect all RAID members and manually enter their key parameters is already a great improvement to an examiner’s routine. But TaskForce does so much more!
Autodetection of RAID configuration
“Imagine connecting members of a RAID with an unknown configuration to TaskForce, just make it scan the drives to identify the block size and RAID type,” suggested one of our key European customers who pointed out our uniquely suited hardware. It is from this customer and his colleagues who worked on an in-house RAID identification solution that we got key insights and inspiration for further research and development of an automated RAID configuration detection.
A manual RAID configuration check often takes a prohibitive amount of time. To speed things up and eliminate any guesswork by the examiner, our team looked to automate the identification of all critical parameters including drive order, start LBA, parity symmetry.
When it comes to the time required for configuration search, the number of array members remains the most influential factor. Thankfully, TaskForce’s server-grade CPU has the capacity to process millions of possible configurations of a RAID, and an array consisting of 2 – 6 drives takes only a minute to identify and reassemble. However, when you are dealing with a larger RAID, the time of configuration search grows exponentially due to the sheer number of possible variants. For instance:
A RAID 5 consisting of 5 drives can have just under 6 thousand different configurations
A RAID 5 consisting of 10 drives results in 132 million configurations to try out
Now imagine doing this work manually!
Expediting configuration search with heuristic algorithms
When configuration autodetection deals with potentially hundreds of millions of possible configurations, the process must be made smart and some configurations must be prioritized over others based on the information you are able to read from the drives. To create such sophisticated search algorithms and smarter ways of verifying the right configuration, Atola engineers dove deep into the specifics of file data distribution on RAID members.
What gave us the edge when working on optimizing the configuration autodetection algorithms, was our decades-long expertise in hard drives, data distribution on them, and file system validation principles that we have developed over the years.
How exactly does TaskForce find the right configuration?
Selecting the members in the RAID module instantly launches the autodetection process:
In Stage 1, it reads the initial 3 million sectors on the drives to detect block size and identify spare drives, mirrors, parity blocks. This stage helps deduce the RAID type and focus on other parameters during the following stage of autodetection.
In Stage 2, TaskForce reads data from the drives again, and attempts combining the drives into the hypothetically acceptable configurations, mounting the RAID, and validating file systems on it. In the process, the autodetection module goes through thousands, sometimes millions of possible configuration variants. To speed up the search, our team developed heuristic algorithms that prioritize more probable variants.
TaskForce produces an output of acceptable configurations that resulted in successfully validated partitions. In most cases, there is one suitable configuration. Rarely, there can be a few and they are listed in the order of probability.
Of course, it is not only multiple ports and optimized algorithms that make TaskForce perfect for this task. It is also its almighty motherboard and CPU that are capable of managing thousands of complex calculations in a matter of seconds for this processor-consuming feature.
Fast imaging of RAIDs or their partitions
The RAID partition preview helps identify which partitions are of interest for the investigation. Whether it is the whole RAID or its individual partitions that need to be acquired, the required scope of data is easy to select in the imaging settings.
The speed of imaging varies depending on the RAID type and block size of the RAID members as well as on the type and condition of the media. Any assembled RAID will be imaged by TaskForce faster than an individual drive, imaging of RAID 10 being particularly fast and achieving 1 GB/sec.
What if RAID members are missing or damaged?
Atola, having its background in data recovery, always keeps its eyes on the end goal: getting all data or as much as possible if the medium is damaged, missing or access is restricted.
TaskForce retrieves data from every readable sector and rebuilds the complete image of a RAID that has any data redundancy:
RAID 5 data will be imaged in its entirety even if one member is absent: the missing data will be rebuilt from the parity blocks. Data can be reconstructed even if multiple drives are in shaky condition as long as the bad sectors of one drive can be rebuilt from parity blocks of the other one.
RAID 1 and RAID 10 will be rebuilt completely if one set of mirrors is intact.
RAID 0 or JBOD have no redundancy, therefore the image can be acquired lest for the bad sectors, which will be mapped accordingly.
What happens if the drives from a RAID are not marked properly and got mixed with drives that are not a part of it?
Normally, TaskForce only needs a minute or two to identify all RAID parameters. In cases where there is a drive that is not a part of the RAID, the module will require more time:
For RAID 1 or 10, the RAID module will group the detected mirrors into corresponding groups, and the odd drive will be placed separately. The partitions will be mounted successfully.
For JBOD, the partitions will likely be identified and the order of the drives will be correct, with the odd drive placed at the end.
RAID 0 or 5 may not be reassembled: the data from the odd drive will be taken into consideration when the RAID module tries to combine the data from all the members. TaskForce’s autodetection module will try identifying the configuration from scratch each time you remove or add a drive. So try removing a drive that seems odd.
What has been accomplished and what lies ahead
In 2020 and 2021, Atola released a few firmware updates for TaskForce which included the support of the prevalent RAID types: 0, 1, 5, 10 and JBOD. The supported filesystems as of the end of 2021 include NTFS, ext4/3/2, XFS, exFAT, HFS/HFS+.
We continue adding more RAID types and file systems to cover the most frequently occurring arrays, and further improving the autodetection algorithm to help your RAID acquisitions take less time and effort!
For more information about Atola and our products, visit our website atola.com
Atola software development team has long been focused on supporting more filesystems for the different system modules as well as RAID types to enhance the work with arrays of drives with an unknown configuration. The 2021.8 release also includes additions to the imaging module.
XFS support
XFS is a popular high-performing filesystem in the Linux world and its support has been requested by some of our customers. XFS is now supported across the TaskForce functionality. Crucially, in these three modules:
Imaging
RAID autodetection
Browse files
Added value: TaskForce uses Atola’s own custom algorithms to search, parse and validate a filesystem. While other tools rely on Linux’s own response regarding the filesystem, TaskForce makes use of the raw data it reads. This way it is able to identify and mount even an XFS volume that is stored on a damaged drive, within an image file or a different non-standard media.
HEX viewer and Signatures tabs in Imaging
In the Imaging progress page, the new tabs are located below the imaging graph along with the Log tab.
Signatures: the live stats of file signatures is a new addition for on-the-fly tracking of the parsed data. The tab indicates the number of predefined or custom file signatures found on the drive and provides access to the statistics.
HEX viewer tab shows the real-time sectors read result in both HEX and ASCII modes with a freeze option that allows a closer look.
Use case: By addressing these tabs during imaging, users can understand whether the drive is blank, encrypted or filled with data. This enables timely re-prioritization of the imaging jobs. If the Signature tab registers zero results during imaging, it implies that the evidence drive is either blank or the data being imaged belongs to an encrypted partition. To conclude whether the drive contains data, switch to the Target HEX viewer tab. If the imaged sectors are filled with zeros, or a pattern, it is a blank drive. But random data within sectors will suggest that the data belongs to an encrypted partition.
[img-2]
RAID 10
RAID 10 is an addition to RAID 0, 1, 5 and JBOD that are already supported in TaskForce. This RAID type has high performance and data security properties and is often used for production and hosting servers. It is frequently encountered in investigations and has been requested by our customers.
Use case: Drives from RAID arrays often arrive in a lab as a bunch of drives, without information about the controller or configuration of the RAID they belonged to. TaskForce’s RAID configuration autodetection module identifies the RAID type, helps arrange the drives in the correct order and suggests suitable RAID configurations. Upon the application of the detected configuration, the RAID is mounted and its contents are available for preview in the Partition section of the screen. The RAID can then be imaged in its entirety or its individual partitions can be selected for acquisition.
In July, Atola Technology released a new generation of hardware units for Atola Insight Forensic. The new unit is named DiskSense 2 and it comes with a range of improvements.
Insight’s hardware enhancement
DiskSense 2 is equipped with a server-grade motherboard and CPU, ECC RAM and additional SATA ports.
The ports are 3 SATA sources, 3 SATA targets, 1 USB source, 1 USB target, 1 extension slot for source SAS, M.2 NVMe/SATA/PCIe SSD, Apple SSD, Thunderbolt/Firewire devices. Two 10Gb Ethernet ports ensure fast throughput of data.
These enhancements of the hardware enable Insight users to image 3 evidence drives at a time. Image to up to 3 targets per session, and the targets can be any combination of image files and raw data on the local server, host computer and target devices.
Imaging three sources in parallel
Insight’s user interface has changed a little to accommodate additional source ports to launch multiple sessions. Switching between the source ports makes it fast and easy to launch imaging.
Thanks to the new powerful hardware, each imaging session can run at the top native speeds of the drives involved.
[img-2]
Why parallel imaging sessions are a great enhancement to Insight users
Whether you are dealing with three drives in good or bad condition, Insight is at your service to get them imaged as fast as their native speed allows. Insight will also retrieve data from the bad drives automatically and with great effectiveness.
While Insight handles damaged drives deliberately in the most gentle way, damaged hardware may be difficult to control, and, as a result, a severely damaged drive may take a long time to image.
[img-3]
This is why it is a great improvement to the routines of forensic experts worldwide: take as much time as you need to image a damaged drive and use the remaining ports for imaging other evidence drives!
Atola Technology
Atola Technology is a hardware and software development company based in Vancouver, Canada specializing in creating hard drive imaging tools for the global forensic market.
Atola’s engineers – including its founder and CEO Dmitry Postrigan – have strong expertise in storage media and data recovery, and focus on creating highly efficient and user-friendly forensic imagers.
On July 5, Atola Technology announced the release of a new hardware imager for Atola Insight Forensic. The new device supports simultaneous imaging of 3 drives with other concurrent forensic tasks such as hashing and wiping.
The hardware unit under the name DiskSense 2 is equipped with 6 source ports:
3 SATA/SAS
USB
IDE
Extension port (SAS, M.2 NVMe/PCIe/SATA SSD, Thunderbolt, Apple PCIe SSD)
3 simultaneous imaging sessions are backed by server-grade motherboard and CPU. The device’s ECC RAM helps further secure the data integrity. Its two built-in 10Gbit ports allow imaging drives into the network at top speeds.
Software updates in 2021
Atola Insight Forensic 5.0: the initial software release for the DiskSense 2 hardware units only. It is released on July 5.
Starting with Atola Insight Forensic 5.1, we will be releasing software updates for both units (DiskSense and DiskSense 2) simultaneously. The updated functionality will be the same for both systems, lest for the enhanced performance features unique to the DiskSense 2 hardware unit.
DiskSense hardware units (2014 – 2021)
Atola ceases to produce the previous generation of DiskSense imagers. However, the existing units remain under lifetime warranty for all subscribed users and will be supported in the upcoming releases.
The new units are available for purchase starting today! The hardware upgrade program for the existing customers will be announced in 2022: due to high demand, we are focused on accommodating existing pre-orders and new purchases.
Atola Technology
Atola Technology is a hardware and software development company based in Vancouver, Canada specializing in creating hard drive imaging tools for the global forensic market.
Atola’s engineers – including its founder and CEO Dmitry Postrigan – have strong expertise in storage media and data recovery, and focus on creating highly efficient and user-friendly forensic imagers.
