Atola software development team has long been focused on supporting more filesystems for the different system modules as well as RAID types to enhance the work with arrays of drives with an unknown configuration. The 2021.8 release also includes additions to the imaging module.
XFS is a popular high-performing filesystem in the Linux world and its support has been requested by some of our customers. XFS is now supported across the TaskForce functionality. Crucially, in these three modules:
- RAID autodetection
- Browse files
Added value: TaskForce uses Atola’s own custom algorithms to search, parse and validate a filesystem. While other tools rely on Linux’s own response regarding the filesystem, TaskForce makes use of the raw data it reads. This way it is able to identify and mount even an XFS volume that is stored on a damaged drive, within an image file or a different non-standard media.
HEX viewer and Signatures tabs in Imaging
In the Imaging progress page, the new tabs are located below the imaging graph along with the Log tab.
- Signatures: the live stats of file signatures is a new addition for on-the-fly tracking of the parsed data. The tab indicates the number of predefined or custom file signatures found on the drive and provides access to the statistics.
- HEX viewer tab shows the real-time sectors read result in both HEX and ASCII modes with a freeze option that allows a closer look.
Use case: By addressing these tabs during imaging, users can understand whether the drive is blank, encrypted or filled with data. This enables timely re-prioritization of the imaging jobs. If the Signature tab registers zero results during imaging, it implies that the evidence drive is either blank or the data being imaged belongs to an encrypted partition. To conclude whether the drive contains data, switch to the Target HEX viewer tab. If the imaged sectors are filled with zeros, or a pattern, it is a blank drive. But random data within sectors will suggest that the data belongs to an encrypted partition.
RAID 10 is an addition to RAID 0, 1, 5 and JBOD that are already supported in TaskForce. This RAID type has high performance and data security properties and is often used for production and hosting servers. It is frequently encountered in investigations and has been requested by our customers.
Use case: Drives from RAID arrays often arrive in a lab as a bunch of drives, without information about the controller or configuration of the RAID they belonged to. TaskForce’s RAID configuration autodetection module identifies the RAID type, helps arrange the drives in the correct order and suggests suitable RAID configurations. Upon the application of the detected configuration, the RAID is mounted and its contents are available for preview in the Partition section of the screen. The RAID can then be imaged in its entirety or its individual partitions can be selected for acquisition.