What do you need in logical imaging functionality? Here are some of the answers from Atola’s customers accumulated over the years:
“We would want to be able to verify with the client the number of successful files recovered, preferably by extension (JPG, PDF, DOC, etc).”
“I need to image XFS files because Windows doesn’t see XFS partitions.”
“Our first step is selecting and imaging all document files, including those stored in Zips.”
“We have two active investigations (homicide and child pornography) that resulted in large seizures (approx. 75+ devices for each case). I was wondering if it’s possible to build in a file explorer into the TaskForce software? We are looking at triaging the devices and if files have not been accessed within the past two years they will be omitted from the analysis.”
April’s 2022.4 firmware release of TaskForce firmware has introduced the initial portion of logical imaging functionality to help you save time by focusing on specific files and folders on an evidence drive.
By default, logical imaging is set to image all files from the drive. Here is how to fine-tune your selection and save more time.
Include what you need:
- All or selected partitions
- Manually selected files and/or folders
- Select files types: archives, emails, documents, databases, financial, virtual machine, audio, video, pictures, security keys
- Folder types: only user or only OS folders
- Time spans: when files were accessed, created, or modified
- File size: from 1 byte to infinity
Exclude what is irrelevant:
- Exclude filters allow using the same parameters to eliminate irrelevant files and folders for further precision of your search
Save the settings for subsequent searches, or export to share with colleagues using a different TaskForce.
THE LOGICAL ACQUISITION OF RAID ARRAYS
If logical imaging is a time saver when acquiring data from a drive, imagine the amount of time it saves when getting evidence from a RAID array!
TaskForce’s RAID Autodetection module allows you to reassemble even RAIDs with an unknown configuration. Next, you can do either physical imaging or a logical one. The same filters can be applied to the logical acquisition of RAIDs and will result in a much quicker acquisition of the selected data.
12+ PARALLEL LOGICAL IMAGING SESSIONS
TaskForce’s 18 ports (6 SATA, 6 SAS/SATA, 4 USB, IDE and Extension for NVMe, PCIe, Apple PCIe, Thunderbolt/Firewire interfaces) are always available for all kinds of forensic jobs including running 12 logical imaging sessions.
TaskForce’s server-grade hardware and 2 10-Gbit ports will ensure the high throughput of data, and its ECC memory will ensure its reliability at all times.
No time to finish the job now? TaskForce’s pause-resume function works for logical imaging sessions.
When you are running out of time, hit the Pause button and resume the session to complete the imaging to the same L01 file later. Only the remaining sectors with data from selected files will be imaged after the resume. Even if you need to use another TaskForce to complete the job, a simple export and import of the case will let you seamlessly complete the job on another machine.
THE LOGICAL IMAGE
TaskForce images to L01 files, either compressed or not, with SHA-1 and/or MD5 hash.
The L01 file can be stored on a target drive or your local network.
Atola is already working on adding filters to the logical imaging module and integrating it with other parts of TaskForce’s functionality to boost your ability to detect and image critical data from evidence drives.
Is there a way to make this or other functionality work better for you and your organization? Let us know at firstname.lastname@example.org