Extracting files directly from a potentially failing storage device is dangerous because the media can stop working at any moment. So the operator must image the data quickly and safely from the original HDD to a backup HDD. Only then proceed with further evidence analysis using the backup copy.
Atola Insight Forensic is the industry's most efficient system. It is a hardware disk duplicator and imager for SATA and SAS HDDs, SSDs and USB mass storage media quickly and safely. The system's maximum imaging speed is 500 MB/s.
Please note that this number represents the real measured speed that we achieved on real hard drives and not "theoretically achievable" speed that many other tools claim.
Physically damaged hard drives require a complex imaging approach. Specifically, the following techniques are used in Atola Insight Forensic in order to achieve the best results:
A few words on block size control. While using small block sizes helps in retrieving as much data as possible, it also significantly slows down the imaging process. Atola Insight's multipass imaging engine allows using large blocks with short timeouts on the first few passes. On the last passes, when only few sectors are left to be imaged, Insight uses the smallest block sizes.
This technique allows achieving real imaging speeds of up to 500 MB/sec on good areas of the drive, while approaching bad areas in the most gentle way possible, thus achieving an unbeatable overall speed of disk imaging.
Atola Insight Forensic handles block sizes automatically to provide the best possible results in the shortest amount of time.
Atola Insight Forensic images source media to 1, 2 or 3 targets simultaneously. The following target types are supported:
Atola Insight Forensic searches for artifacts during imaging. This allows on-the-fly overview, sorting and search of the found values. Supported artifacts include:
In the Artifacts tab, at the bottom of Insight's interface, the numbers of artifacts and the corresponding diagram change on the go.
The Artifacts table displays each artifact with an assigned Id number. The values are shown in the context (20 bytes before and 20 bytes after the artifact in grey color) along with their LBAs and offsets to help locate each artifact.
The real time data viewer shows the raw data extracted from the source drive during imaging. There are two modes available:
- Automatic with refresh interval slider
- Manual by means of Read sector button
Automated sector analysis checks each sector for file system structures (NTFS File Record, boot sectors, etc.)
Atola Insight Forensic performs file signature analysis during imaging. It shows live stats of all found signatures while the data is being transferred with no negative effect on imaging performance. Moreover, you can easily check raw sector data for any found file using the HEX Viewer without even pausing the imaging process.
Atola Insight can image the entire hard drive, select partitions or specific sector ranges. The newly created image can be stored either on a destination hard drive or the host computer. A data wipe function is available. It allows quickly and effortlessly writing any pattern to the destination hard drive. This can be necessary to prepare the target for a new image.
All parameters can be easily adjusted to fine-tune the process and meet the requirements of a specific case. Atola Insight can image damaged or unstable hard drives in the field that cannot be imaged by regular forensic disk duplicator hardware or software. So digital forensic experts can image more storage devices in the field without needing to take them back to lab.
Multiple hashing methods are available and hashes are calculated on the fly.
Atola Insight's real-time imaging status screen shows all necessary information to the operator, providing full control over the process.
Visual feedback includes:
The operator can make on-the-fly changes to the parameters based on the information. For example, the operator can add a specific behavior on a certain condition (power cycle after X errors, etc), or modify timeout settings.
You can perform these actions during imaging:
Once the imaging is over, all status information is automatically sent to the Case Management and File Recovery modules.
An imaging report contains all necessary information including SMART table of the source drive before and after imaging process.
Atola Insight can image the source disk into an image file. Just select a storage location on the host PC and specify the image file size: put all data in a single image file or "chop" the data into a series of smaller chunks.
Supported image file types:
This option allows imaging only the sectors containing data from the source hard drive. The empty areas of the source hard drive will not be imaged. This can substantially reduce the time spent on data transfer and relieve strain on the source hard drive.
Supported file systems: NTFS, APFS (with encrypted volumes), XFS, ext4/3/2, ExFAT, HFS/HFS+, FAT32, FAT16
This imaging mode allows copying the absolute minimum amount of data for file browsing to work. This allows for imaging of specific files.
At the end of the imaging process, the Atola Insight Forensic creates a Bad Sector Map and stores it in the Case History. The File Recovery module automatically refers to the Bad Sector Map, and marks all files hit by bad sectors.
It is a big time-saver: a list of recovered files has already been recorded during imaging, and the data is ready for browsing. This system is much more efficient than using one product for imaging and another for file recovery.
1. How does the Atola Insight Forensic compare to other imagers?
Atola Insight Forensic is the strongest imaging/disk duplicator hardware available on the market. It has every feature advertised by other products and much more. Atola products also have the smoothest, most user friendly interface of any imager on the market and we offer the strongest technical support to help users maximize their success with our product.
2. How often does the Insight actually image at the “max” speeds that are listed on this website?
The max speeds reaching 500 MB/s have been lab-tested for accuracy on modern hard drives. The actual speed of imaging (or any data transfer) depends on the speed of hard drives used in the process. During HDD-to-HDD imaging, the slower hard drive determines the actual transfer speed. That is because one hard drive can only receive data as fast as the other can send it, and visa versa.
3. Does Atola Insight Forensic utilize BIOS and/or Operating System functions in the DiskSense Ethernet unit to image data?
DiskSense unit runs a Linux OS. We have built a highly-customized and fine-tuned kernel for this Linux OS. Our modifications block all BIOS and standard Linux I/O operations and allow the lowest level of control for SATA, USB and IDE ports. More information is available here: DiskSense Unit: under the hood
4. Why would I need to wipe/erase a hard drive before imaging data onto it?
Certain forensic investigation scenarios require the target hard drive to be wiped/erased. This is usually done to make sure the software being used to recover files won’t extract old data that was previously on the destination HDD.