What File Systems does ATRIO™ read?

ATRIO™ can read and parse HFS+, NTFS, FAT16, FAT32, ExFAT, EXT2, EXT3, and EXT4. Additionally, ATRIO™ can read GPT and MBR partition tables.

What Files Does ATRIO™ Identify?























bash history

zsh history












































.ppt temp files














































 What does the output look like? 

ATRIO™ is designed to be as simple to use as possible, this includes the results. All output is in non-proprietary structures and formats. The output from ATRIO™ is an organized folder structure containing the exploited data with supplemental text and reporting html. The folders are organized by partitions so you know where the data came from and then each partition will contain the content type that ATRIO™ found. There is no need to download or learn additional software to review the results.

 Why does ATRIO™ prepend brackets to the front of the extracted file?

ATRIO™ does this to ensure no extracted files are overwritten. Similar to making a copy of a file in Windows where the copy has the (2) at the end of the name. Additionally, ATRIO™ places the inode number in the brackets so that a technical user can find that exact file later on. 

 Does ATRIO™ mount and analyze virtual machines or drives?

This is not a current capability but it is in development for future updates.

 Can ATRIO™ acquire a live system?

ATRIO™ can process previously acquired E01 and DD images, but does not currently have the ability to acquire a live system. 

 What size of drive can ATRIO™ process?

When using the simultaneous exploitation capability ATRIO™ can process up to seven terabytes. There is no limit when only acquiring, hashing, wiping, or exploiting.

 How does ATRIO™ handle an encrypted drive?

If ATRIO™ is able to read the partition table it will evaluate each partition for Bitlocker. If Bitlocker is detected it will note the encryption in the reporting, but will not parse or exploit the Bitlocker encrypted file system. If a drive is encrypted with another encryption method ATRIO™ will still acquire the drive as an E01 but will not parse the partition table or file system. Additional encryption handling is planned for future updates.

 Can I add my own file extensions?

The best way to add custom filetypes is to reach out to our customer service with your request. We will work with you to get those added via an update. We plan to release a process for the end user to add their own file types as soon as we can.

 Can I add my own hash lists?

Yes, you can put an MD5 hash list on the destination drive or a drive that you connect it to the utility port. ATRIO™ will identify the hash list and if a hashing feature is selected it will apply it to the requested process. 

 Can I customize the keypad?

Bespoke relationships can be accommodated, please contact customer service with your request and we will find a solution and capability to meet your needs.

 How do I update ATRIO™?

Simply download the updates to a USB drive and connect that drive to the destination or utility port. Select Settings, Update ATRIO™, and GO. ATRIO™ will detect and apply the updates followed by a reboot. 

 Can I imagine multiple devices?

Our base ATRIO™ model is a 1 to 1 device.

 What acquisition types can be created by ATRIO™?

ATRIO™ supports E01, AFF4, DD, and has the ability to clone a source device.

 Can ATRIO™ be used on cell phones?

We are working on the capability but do not currently support Android or iOS file systems.

 Does ATRIO™ need an internet connection?

ATRIO™ can function entirely as an air-gapped tool but does have some support for online services if the user chooses to activate them. The document translation capabilities can be enhanced by using Google services to translate text files. We will be expanding our connected capabilities in the near future. 

 How is ATRIO™ different from other tools on the market?

  • ATRIO™ has the ability to both acquire and exploit media on the fly with no or minimal impact to the acquisition timeline. The result is that the user has reviewable data as well as the forensic image in a time comparable to traditional acquisition times. 
  • ATRIO™ will automate additional exploitation processing like file carving, registry extraction, web browser history, and object detection to name a few avoiding the manual process of stepping through each task.
  • ATRIO™ has the ability to process multiple E01 images previously acquired and stored on a single source drive. This automates the process of exploiting multiple images.
  • ATRIO™ includes hashing, wiping, virus scanning, experimental AI support, and includes the NSRL database in the hashing capabilities. 
  • The user interface is designed to be operated quickly with minimal forensics experience. 

 Does ATRIO™ upload to a remote server?

Not at this time but if you have a specific requirement please contact customer support and we can talk through some possible options with you. 

 What if I need to testify in court, how can ATRIO™ be verified?

ATRIO™ is designed to enable less-technical professionals to process digital forensics data and make quicker, more informed decisions. It is recommended that a digital forensics expert independently review evidence prior to a court appearance. 

 I work at a small county sheriff's office and we don't have a forensic analyst, would ATRIO™ be right for us?

Yes! ATRIO™ is designed with offices in mind that don’t have immediate or rapid access to forensic staff. This empowers those offices to conduct an initial review of the data without having to send it to a lab.

 Is ATRIO™ battery powered?

ATRIO™ requires a standard US AC outlet. 

 Is ATRIO™ Forensically Sound?

ATRIO™ is a NIST approved Forensic Media Preparation Tool and Disk Imaging Tool and the reports are pending DHS publication. ATRIO™ uses an NIST tested software write block to maintain a read-only standard on the source port in order to protect the integrity of the data on the evidence device. At no point can the source port be used to auto mount a device or place it in a writeable configuration.

 I am a professional forensic examiner working in a lab setting processing cases from various government agencies, how would ATRIO™ fit into my workflow?

ATRIO™ is not designed to replace forensic professionals but it is designed to serve as a force multiplier for those individuals. Depending on the customer needs, ATRIO™ can process and deliver usable data as an automated, stand alone system; freeing up the already busy forensic examiners to focus on other tasks that take advantage of their expertise. ATRIO™ can help reduce backlog and get relevant data to more customers quicker.

 Does ATRIO™ really reduce wait time by 75%? I’ve been in this field for years and never come across any forensic tool that is that fast/that can do that? 

Mileage will vary depending on drive speeds and file destination, but ATRIO™ can reduce wait times significantly by performing acquisition and exploitation in parallel. Additionally, ATRIO™ will automate the entire exploitation task list, working around the clock even when the examiners are out of the office or working on other tasks. This will cut down on the number of business days required to provide reviewable data to a customer.

 I am a busy forensics examiner and don’t have time for lengthy training courses. What training is required for ATRIO™ and how much does it cost?

ATRIO™ is designed to be easy to learn and difficult to forget. Training is free through our online tutorials and depending on the need, can take anywhere from 30 minutes to three hours. 

 I am a specialist in the military in charge of MEDEX, could ATRIO™ replace the tools I use now, or would this be an add on?

ATRIO™ isn’t designed to replace existing forensic capabilities, or tools but it is situation dependent. For many tasks, ATRIO™ makes a great supplemental capability that will allow more people to process digital evidence without adding to the backlog of the existing forensic workforce.

 Who is the target user of ATRIO™?

ATRIO™ is designed for a wide range of users depending on their needs. In a lab, ATRIO™ is an excellent supplemental tool to reduce backlogs. In a hazardous or remote field environment, ATRIO™ can empower front line workers to process evidence when a forensics professional is unavailable.

 I work for a  law practice and we have to outsource our media evidence capture (e-discovery)  and retrieval, could we use ATRIO™ in house to manage this process?

ATRIO™ would allow an office to process digital evidence and begin reviewing content without a technical expert on site or without having to wait for a lab to process the data. It is advised that evidence to be used in court should be independently reviewed by a forensics professional.

 How does ATRIO™ know when to work with an E01 versus a physical source drive?

When the user selects “E01 AS SOURCE”, ATRIO™ will switch from evaluating the source drive as the subject and look on the source drive for an existing E01. 

 I suspect one of my employees has been downloading corporate proprietary information and sharing it with other firms. Could ATRIO™ be used in this situation/for our investigation/audit? 

ATRIO™ can be used to easily gather registry files, event logs, and recover deleted files to be used in an investigation like this, however specifics of this type of investigation would likely require a professional using a variety of specific tools.

 Can ATRIO™ be used by multiple people in the same office? Does it require each person to have a specific account/log in to operate?

Anyone can use ATRIO™. It is easy to learn and designed to be operated by people with a variety of skill sets and backgrounds. Anyone in the office has the ability to quickly learn how to use ATRIO™ and process digital evidence.

 Will I need to purchase additional hardware and software for ATRIO™? 

There is no additional software required to be purchased or installed. Everything that ATRIO™ produces is in non-proprietary formats so that anyone can work with the data. As long as the device can be connected via USB there is no additional hardware required. 

 Is ATRIO™ write blocked?

ATRIO™ maintains a read-only standard for the source drive. There is no built in hardware write-blocking feature.

 Can ATRIO™ translate from one language to another?

Offline, ATRIO™ can translate text files from 7 languages into English. If connected to a network via ethernet cable, ATRIO™ has an option to use Google translation services if that is an option for the users use case.

 Can I use any destination drive with ATRIO™?

Use a high speed SSD drive to get the benefits of the simultaneous exploitation processing. Using a spinning disk hard drive as the destination drive is not recommended because the write capability of the drive will slow the process down considerably.

 What is the processing power of ATRIO™?

ATRIO™ can image, scan, hash, and report on a drive with any size, however the simultaneous exploitation capability will only work with a drive 4TB and smaller. 

 Does ATRIO™ offer Virus Scanning?

ATRIO™ has the ability to scan a source drive, an existing E01 contained on the source drive, as well as the output from any exploitation or data extraction. ATRIO™ uses CLAM AV and when scanning files during exploitation, ATRIO™ will put infected files into an archive on the destination drive so that the user has access to them while minimizing the risk of infection.

 With some of these features enabled, any recommendation on size of the destination media vs. the source media?

This depends on the task, but we recommend using a destination drive that is twice the size of the source drive. Since the simultaneous exploitation process provides a forensic image as well as exploited files from the image, doubling the size is likely required. ATRIO™ will pre-assess the source as well as the additional space required to exploit the drive. If the destination is smaller than required, ATRIO™ will alert the user and wait for a larger drive. One caveat with file carving is that ATRIO™ can’t pre-calculate the amount of space needed for the results of unallocated file carving and the user will need to assess how large the drive should be when performing this task.

 Do you have an estimate of how fast the parallel processing is? For example, how quick will it image and process the data on a drive?

This depends on the tasks selected by the user and the file density of the source drive. With only the default options selected the parallel processing time is typically done in about the same amount of time as the acquisition. Sometimes the exploitation can take longer than the acquisition if there are a lot of files to be processed and sometimes the exploitation is finished before the acquisition because there were fewer files. Adding tasks like file carving, virus scanning, and hashing will extend the processing time but it’s fully automated!

 What does the "ADV" button mean and what does it do? 

ADV is our advanced features menu. These are typically tasks that more experienced users would use on occasion.

 What happens when you forget to click a feature and just hit GO, what would happen? 

ATRIO™ will acquire an E01 and exploit according to the default options if the only button pressed after power-on is GO. If the user forgot to select a feature, they have the option to cancel the processing, select the feature, and then restart. At this time, there is no way to add or remove tasks after processing starts. We plan on adding this feature in the future.

 How would I prove that this is forensically sound for court cases? Most DFIR tools have certificates proving it is safe. 

ATRIO™ is a NIST approved Forensic Media Preparation Tool and Disk Imaging Tool and the reports are pending DHS publication. ATRIO™ maintains a read-only standard for the source port in order to protect the integrity of the original data.