In 2022, Atola held an unprecedented number of offline and online meetings with our customers. On the one hand, offline conferences finally returned firmly into our business lives. On the other, we created opportunities to meet DFIR practitioners to explain our technology, exchange knowledge and find inspiration for further product development. Here are some of the questions asked and answered during these interactions.
What happens if a RAID member is damaged? Can TaskForce rebuild and image such RAIDs?
Depending on the kind of the drive’s damage and the RAID type, a few scenarios are possible.
To identify the RAID type, TaskForce reads data from the initial 3 million sectors of the RAID members and detects MBR, mirror pairs, parity blocks, etc. If there are errors on a drive, an Error tag will appear next to the corresponding RAID member.
If TaskForce comes across over 100 read errors in the initial sectors of a drive, it will stop the RAID configuration autodetection process. This is to avoid causing further damage to the damaged device. In this case, you can remove the drive from the list of RAID members by dragging it down to the trash icon and clicking the Add missing device button. TaskForce restarts autodetection automatically and will take this drive into consideration. If it is a parity-based RAID, TaskForce will use the parity blocks to rebuild data on the missing drive.
Once RAID has been reassembled, you have a high chance of getting a complete image of the RAID. Especially if you are dealing with a RAID that has data redundancy, TaskForce seamlessly rebuilds the complete image using the parity blocks or data from the mirrors. If there are errors that TaskForce cannot fill with data from parity blocks or a mirror member, the sector will be marked as bad, yet the remaining data will be successfully imaged, much like during the imaging of damaged individual drives.
If TaskForce finds mirror pairs during autodetection, the configuration will also be successfully identified. The data from just one set of mirrors will be sufficient to get a complete image of the RAID.
If the RAID configuration has not been recognized, you may also try to diagnose and image the damaged RAID member. In many cases, TaskForce’s multi-pass imaging system can overcome the errors and you will get a better set of data on a RAID member to work with. Then restart your RAID autodetection process.
Is drive diagnostics only useful for working with bad drives?
No, drive diagnostics gives vast amounts of information about any drive, whether it is in good or bad condition. This information helps you triage and prioritize drives and plan your work with storage devices.
Not only does diagnostics allow you to instantly make sure that the drive’s label corresponds to the information in the drive’s firmware, but it gives you other relevant information:
For instance, the media scan part of the report estimates the imaging time, which helps you plan your actions.
The file system check shows you if there are partitions on the drive, their size, type, and how much of the drive space appears empty.
The firmware part of the report, since 2019, even includes a temperature graph: a record of the time spans and drive’s temperature during the most recent sessions. It may help investigators in identifying how the drive had been used before its seizure.
The same part of the report will also identify any hidden areas of the drive created by the user (HPA, DCO and AMA zones can later be made available for imaging in the Other > Hidden drive areas section of TaskForce’s task bar).
You get this and much more information based on just a minute-long operation that triages all the subsystems of the drive. We highly recommend starting your work with any drive with this simple action to assess the media first.
Why does my Diagnostics report say there were no partitions detected?
Mind, that even if a drive does not appear to have any partitions, it does not mean that there is no data on it. There are at least four other possibilities:
- The volumes are encrypted
- The drive is a part of a RAID array
- The MBR/GPT is corrupted
- There are only remnants of a partition, data from which has been partially deleted, or there is a hidden partition
If the file system is not supported, TaskForce will still mention that there is a partition of an unknown type.
If the diagnostics report indicates that no partitions were found on a drive, we suggest that you look up the contents of the drive.
In TaskForce, try imaging the drive and look up the contents of the initial sectors in the HEX viewer and Signature tabs in the lower part of the imaging screen. If you see a pattern or the sectors are filled with zeros, the drive may indeed be blank. If you see many signatures being found in the course of imaging, then you are dealing with a drive that contains data. If no signatures are found but you see random bytes in the HEX viewer, it is likely an encrypted partition (BitLocker, VeraCrypt, or similar).
If you are using Atola Insight Forensic, look up the contents of the Source drive in Disk Editor. If data looks random, Insight lets you examine the entropy of data during imaging: if entropy is consistently high throughout the space of the drive, the partitions are likely encrypted.
Hashing options in Atola imagers
Atola calculates hash using any of the major algorithms: MD5, SHA-1, SHA-256, SHA-512.
In addition to the conventional linear hashing, Atola has a few alternatives, which exist for situations when it is impossible to calculate a single hash value for the whole space of the drive from the first segment to the last.
For damaged media, Atola has introduced the concept of Segmented hashing, letting you get hash values for segments of the drive (segment size is customizable). This way all data around an error can be verified: our imagers produce a table with the LBAs of the first and the last sectors of the segment along with the hash value for the segment next to them.
For compressed E01 files, segmented hashing is also a way to verify the imaged data.
For AFF4 files, we have supported its native block hashes that are calculated for small segments of data on the drive and are stored in a table inside AFF4 metadata, and there is a Block map hash that represents a single SHA-512 hash value for all the individual block hashes based on Merkle tree model.
Is there a warranty on Atola products?
Yes, Atola offers the best warranty terms in the industry: No matter how old your hardware forensic imager is, it is covered by our Lifetime warranty, for as long as your software update subscription is active. Just recently, we updated our warranty terms, and they now include not only the systems but extensions too!
Now your subscription covers:
- replacement of a device, component, extension module, or cable
- complimentary training to ensure you are aware of all the essential features of our imagers
- technical support from our team of developers who designed and built the systems
- 2 – 3 major software updates annually bringing you high-impact feature updates
The first year of subscription is included in the initial purchase of Atola devices, making you entitled to all the privileges outlined above. A newly purchased subscription starts working right away and is valid for the purchased period; there is no back-dating or extra cost involved.
Do Atola imagers have a decryption feature?
Decryption is a massive problem in the industry and requires specialized tools to work around.
Both Atola Insight Forensic and Atola TaskForce support the decryption of APFS partitions with a known password or recovery key.
Atola Insight also detects BitLocker volumes and displays its GUID and type during imaging and diagnostics. While imaging, Insight immediately adds a log record with the start LBA of a BitLocker volume when encountering it.
If TaskForce is used by multiple people simultaneously, how do I ensure that users do not interfere with each other’s work?
Yes, TaskForce’s web-based interface can be opened on multiple workstations in a Chrome browser. In 2022, we introduced a user management system that assigns admin and user roles to different operators. It ensures that only the admin can see other users’ tasks, while ordinary users are prevented from interfering or even seeing each other’s cases and drives in use.
To enable the user management system, just go to the User section of TaskForce’s settings and set Admin and User roles.
We have also provided an option of locking TaskForce after a period of inactivity to prevent others from interacting with the device. This can be especially handy for those using TaskForce for imaging in the field.
Can a Cat6 Ethernet cable be the speed bottleneck when imaging to a server?
To optimize data throughput in a 10Gbit network, it is best to use cables of these types: Cat6a, Cat7, Cat7a, and Cat8.
When it comes to Cat6 cables, they support 10BASE-T, 100BASE-TX, 1000BASE-T, and 10GBASE-T standards, as well as frequencies up to 250 MHz. Such cables handle 10Gbit throughput if their length does not exceed 55 meters.
What can I learn from Atola’s training sessions and demonstrations?
We organize free events for both new prospects and existing customers who want to update their knowledge of the system’s latest features or train new colleagues to use the imagers.
Our training program has been developed to give a comprehensive review of TaskForce and Insight but is easily tailored to suit the individual needs of customers with specific questions.
If you would like to arrange an online session, don’t hesitate to contact us.