What is ATRIO?

At its most basic physical form, ATRIO is a small computer in a rugged casing, with user-selectable buttons on top, that fits in the palm of your hand. Its only requirement to function is to be plugged into a power outlet. There’s no need for the usual suspects of a monitor, mouse, keyboard or even a dongle that seem to be the accepted norm for operating a digital forensics tool. This lack of traditional peripherals does not limit its capabilities; the real power and strength of ATRIO is what it can do with the push of a button. ArcPoint is getting you as close to “push button forensics” as possible while empowering every level of investigator.

Current Forensic Workflow

We’ve all been there, right? You’re an examiner with a backlog of cases and you’ve just been handed yet another piece of evidence to add to your caseload. What do you do? Obviously, this is time sensitive and, as usual, the final report with all the relevant artifacts was needed yesterday. You want to get started with your examination right away but first, you need to acquire an image of the evidence. You plug that drive into a write-blocker, then into your forensic workstation, and start the acquisition process to obtain a full forensic image that you can work from. Depending on the size of the drive, that could take hours. That piece of evidence could be on hold even longer if the drive is still imaging when your workday ends and it has to sit idle overnight. Of course, you’ve got a major backlog of cases, so you get right to work on other cases while the imaging is taking place. As you wrap things up with your other cases, you’re finally able to get back to the evidence that was just imaged. But you’re still not done with the forensic process, because you have to load that image file into your forensic software and start the processing to actually look through what may be of value to you and your investigation. Depending on your forensic workstation, processing your image file will take anywhere from hours to days to complete. And once the processing is complete, an investigator has to actually go through the different files the forensic software surfaced and identify what’s important and relevant to their case. All of this takes time that you don’t have. We know this is the normal workflow because, as experienced digital forensic examiners, this was our normal workflow. We’re here to change that with ATRIO.

New Efficient Forensic Workflow

ATRIO stands for Acquisition, Triage, Review, Intelligent Organization, and it’s an all-in-one forensic imaging, triaging, processing and reporting tool that intelligently organizes your data. With one small box, the investigator’s only requirements are to plug in the evidence drive and the destination drive, select options, and hit GO. Because ATRIO is built for anyone to use, it begins the forensic process by running basic checks on its own. It ensures the destination drive has the capacity to hold the data from the source drive. It checks what type of data is stored on the source drive so it can decide how to intelligently manage it. After the checks are complete, it will automatically (based on your initial selections) start processing and triaging while it’s imaging. And as it images, it organizes all the triaged data in an easy-to-follow folder structure so the examiner can dig into what really matters to them. Once ATRIO is complete, the destination drive containing your image and your processed, organized data is ready to unplug. It’s as simple as digital forensics gets. You didn’t have to wait for the imaging process to conclude, or for the processing portion to complete, to get actionable data. You’re not depending on one step to ‘finish’ before you can start the next. Once you hit GO, ATRIO takes care of all the steps of the “old way” without needing any additional user interaction. ATRIO effectively runs the full forensic workflow of imaging, triaging, processing and reporting so that when you pull out the destination drive, there’s actionable data you can use.

ATRIO’s Features

ATRIO can handle the full forensic process of imaging, triaging, processing and reporting with the push of a single button. Or you can choose imaging only, exploitation only, or a combination of both. It can also take care of wiping drives, restoring images to drives, verifying image hashes, extracting and carving unallocated space, and formatting destination drives (NTFS, exFAT, FAT32, ext4). Some features that separate ATRIO from other tools and make it a unique, must-have addition to your toolkit include:

ATRIO Highlights

  • Rugged and portable for use anywhere. Requires only a power source to operate.

  • Automatic detection of connected drives: Plug your source and destination drives into whichever ports you want; they will be detected automatically.

  • Automatically checks for existing E01 files: Once your source drive is plugged in, ATRIO can automatically scan it and determine whether it already holds an E01 image. If an E01 is detected, ATRIO skips imaging and goes straight to processing your evidence files.

  • Automatically detects file systems and partitions from the source drive: ATRIO will scan your evidence drive to determine file systems and different partitions contained on the drive.

  • Concurrent triage and image: As your source drive is being imaged, ATRIO will be processing, triaging, and reporting on the evidence at the same time.

  • Ability to exploit only the artifacts that are relevant to your case, such as: Windows event logs, Registry files, Microsoft Outlook files, photos, videos and audio.

  • Automatic analysis to determine if the destination drive is suitable: ATRIO checks the destination drive for a number of things:

      • A properly formatted drive. If the destination drive is not formatted correctly, ATRIO alerts the user and waits for a correctly formatted drive.

      • Enough free space to image and then exploit the source drive. If the drive is not large enough, ATRIO alerts the user.

  • Machine learning-based object detection lets users program ATRIO to search for specific objects in photos and videos.

Who is ATRIO for?

ATRIO is for anyone already conducting forensic examinations or someone who needs to add that digital forensics processing to their skillset. From the front-line user who knows very little about forensics but is tasked with collecting evidence, to the tenured examiner who needs a faster solution to cut down on backlogs and work more efficiently, ATRIO has a role to play.

Front-line Investigator  

ATRIO is extremely user-friendly and easy enough to use that it enables someone with limited technical experience to conduct an investigation. ATRIO achieves this by removing the guesswork and employing the intuitive plug-and-play process described above. This puts more eyes on the evidence and delivers a faster turnaround time. The person using ATRIO doesn’t need to know any of the ‘setup’ details forensic examiners typically need to program into their tools. They don’t need to know the file system of the source drive, because ATRIO determines that automatically when the source drive is plugged in. Instead of reporting on fragments of files that won’t open without specialized software, ATRIO verifies across all files that the extension matches the file header (the magic bytes at the start of the file), so a file surfaced in the output is the type its name claims and should open correctly. There’s also no need to do any math in your head or guesstimate whether the destination drive is large enough to handle the output. ATRIO determines all of that for you and prompts you for a larger drive if needed. ATRIO is smart and handles these details, allowing you to focus on what’s important…finding those key pieces of evidence quickly and easily.
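The header-versus-extension check described above, together with the E01 detection listed under ATRIO Highlights, as an added Python example. This is illustrative code written for this page, not ArcPoint’s implementation: the signature table is a small constructed subset covering the artifact types the page names (event logs, Registry hives, Outlook data files, photos, E01 segments), and the sample files are constructed in a temporary directory rather than taken from real evidence.

```python
"""Header-versus-extension verification and E01 detection (added example)."""
import os
import tempfile
from typing import Dict, List, Optional

# Hypothetical signature table, constructed for this example. A real triage
# tool ships hundreds of entries; these cover the artifact types the page names.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n",       frozenset({".png"})),
    (b"\xff\xd8\xff",            frozenset({".jpg", ".jpeg"})),
    (b"GIF87a",                  frozenset({".gif"})),
    (b"GIF89a",                  frozenset({".gif"})),
    (b"%PDF-",                   frozenset({".pdf"})),
    (b"PK\x03\x04",              frozenset({".zip", ".docx", ".xlsx", ".pptx"})),
    (b"ElfFile\x00",             frozenset({".evtx"})),        # Windows event log
    (b"regf",                    frozenset({"", ".dat"})),     # registry hive (SYSTEM, NTUSER.DAT)
    (b"!BDN",                    frozenset({".pst", ".ost"})), # Outlook data file
    (b"EVF\x09\x0d\x0a\xff\x00", frozenset({".e01"})),        # EWF / EnCase E01 segment
]
MAX_SIG = max(len(sig) for sig, _ in SIGNATURES)
E01_MAGIC = b"EVF\x09\x0d\x0a\xff\x00"


def identify(head: bytes) -> Optional[frozenset]:
    """Return the extensions a file header is allowed to carry, or None if unknown."""
    for sig, exts in SIGNATURES:
        if head.startswith(sig):
            return exts
    return None


def classify(path: str) -> str:
    """'ok' if extension agrees with header, 'mismatch' if not, 'unknown' if no signature hit."""
    with open(path, "rb") as f:
        head = f.read(MAX_SIG)
    exts = identify(head)
    if exts is None:
        return "unknown"
    ext = os.path.splitext(path)[1].lower()
    return "ok" if ext in exts else "mismatch"


def scan(root: str) -> Dict[str, List[str]]:
    """Walk a tree and bucket every file by classify(); paths are relative to root."""
    report: Dict[str, List[str]] = {"ok": [], "mismatch": [], "unknown": []}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            report[classify(full)].append(os.path.relpath(full, root))
    return report


def find_e01_segments(root: str) -> List[str]:
    """Locate E01 segments by header, not by name, so a renamed image is still found."""
    hits: List[str] = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                if f.read(len(E01_MAGIC)) == E01_MAGIC:
                    hits.append(os.path.relpath(full, root))
    return hits


def demo() -> Dict[str, List[str]]:
    """Build a constructed sample tree and return the scan report plus E01 hits."""
    samples = {  # constructed sample data, not real evidence
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "notes.txt": b"\xff\xd8\xff\xe1" + b"\x00" * 16,          # a JPEG hiding behind .txt
        "System.evtx": b"ElfFile\x00" + b"\x00" * 16,
        "SOFTWARE": b"regf" + b"\x00" * 16,                       # hive with no extension
        "readme.txt": b"plain text, no recognised header\n",
        "evidence.E01": E01_MAGIC + b"\x01\x01\x00" + b"\x00" * 13,
        "backup.bin": E01_MAGIC + b"\x01\x02\x00" + b"\x00" * 13,  # E01 segment renamed
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        report = scan(root)
        report["e01_segments"] = find_e01_segments(root)
    return report


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket}: {names}")
```

Two points the example makes that the prose does not: the check goes by header, not by name, so a renamed file (`notes.txt` carrying JPEG bytes, or an E01 segment saved as `backup.bin`) is caught rather than trusted, and a matching header only says the bytes start like that type; a carved fragment can still be truncated, so a header match is a necessary check, not proof the file will open intact. Extensions are compared case-insensitively so `evidence.E01` and `evidence.e01` are treated alike, and hives such as `SOFTWARE` are allowed to carry no extension at all.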

Full-time Professional Examiner

The seasoned examiner managing an organization’s digital forensics lab will likely have many forensic tools from different vendors at their disposal. And while no tool can claim to be the ‘one tool to rule them all’ ATRIO’s ability to concurrently image and process a drive provides a distinct advantage in terms of saving precious time in your forensic workflow. You know you’ll have a bit-for-bit forensic image with intelligently organized data that’s ready to be reviewed, with no labor-intensive transfer of data among tools to get those results. For most cases, because ATRIO conducts processing and triage, the output you receive from ATRIO will provide the core data set you need to pull the different threads of interest from your evidence. Of course, for some investigations, such as complex cybercrimes perpetrated by technically sophisticated cyber criminals, other specialized tools may be needed for a deep dive to uncover all nefarious activities. And the best practice of verifying evidence using multiple tools will remain an essential element of any investigation. But the time required for all of that is dramatically reduced with ATRIO’s fully automated forensic workflow. And the lab-based examiner’s most precious and scarce resource is precisely that…time! 

Wrap-up

ATRIO is small, powerful, and extremely efficient. It was created for all levels of investigators and examiners. Not only does it do the job quickly, it also empowers more people to support forensic investigations. These two features combine to fill the critical need in the forensic workflow of cutting down on the ‘waiting game’. As we all know, processing backlogs and bottlenecks are the arch nemesis of any investigation. We believe every organization can benefit from ATRIO and we’re excited to share it with you.


ArcPoint Newsletter, June 2021