How ATRIO Fits In Your Organization’s Forensics Workflow

Jun 3, 2021 |

As we described in Blog 01: What is ATRIO? ATRIO is a small, rugged, powerful digital forensic device capable of completing the full forensic workflow with the push of a few buttons. ArcPoint developed ATRIO because we know that not every organization that needs forensic data has seasoned and experienced forensic examiners on staff or onsite where they work. Professional examiners require a lot of specialized training and organizations may be hard pressed to find or afford to have enough of them in all the locations their support is required. ATRIO was conceptualized and designed to help those organizations by empowering anyone to conduct forensic examinations.
So, how exactly does ATRIO fit into someone’s workflow or help their organization? First let’s review how ATRIO works and what it can do, and then we’ll look at how different organizations can leverage those capabilities.

Essential Forensic Tasks
ATRIO handles all the expected features of a typical forensic tool including imaging, cloning, formatting, wiping, parsing of data. It also includes advanced capabilities, such as machine learning-based object detection, and natural language processing (NLP) automated translation. A feature unique to ATRIO is how you are able to image and process your data at the same time, which significantly cuts down on “time to evidence”. And the killer highlight is how easy we made it. With fast, free, online training, ATRIO is easy enough for anyone to understand and use. Just connect your source drive and your destination drive, use the intuitive button panel to follow the simple options menu, and then you can “set it and forget it”. You’ll come back with the intelligently organized data that you need, which is ready to be reviewed. The accessibility of ATRIO is even evident in the output since there’s no proprietary reporting format or output container. If you know how to navigate a normal computer file system, you’re able to look through the results ATRIO provides and find what you’re looking for.

Now let’s look at some key use cases for ATRIO.

Forward Deployed Military Personnel
The military conducts MEDEX (media exploitation) and uses forward deployed service members and contractors in warzones and other downrange locations to obtain valuable intelligence for follow-on operations. Many ArcPoint examiners have personally supported these missions in austere environments, with little or no support for their forensic tools. Keeping track of forensic dongles, downloading updates, and even having a stable internet connection are all challenges that can make work difficult in these parts of the world. Sometimes military service members are deployed on short term rotations and don’t have the forensic background to know what to look for. And when there’s a need for technical support, it can take days or even weeks to get an experienced forensic examiner out to the forward-deployed location for assistance.
When potentially valuable hard drives and media are obtained during military operations, there’s often a delay because of the need to ship that media back to a central hub for further processing. But military follow-on targeting requires an extremely fast turnaround of intelligence and any delay in processing interferes with the time-sensitive nature of military operations because it could potentially allow the nefarious actors to get away. ATRIO virtually eliminates the delay in “time to intelligence” because as soon as the media is obtained, it can be immediately imaged, processed and triaged by any team member. Personnel can literally pull ATRIO out of their go-bag and use it wherever there is a power supply – no internet connection, dongles, or other accessories required. Results can be viewed immediately on any laptop or tablet, with documents, pictures, videos, and other data neatly displayed for review and analysis. Empowering frontline personnel in these situations is perhaps the most valuable advantage ATRIO provides.

Law Enforcement Organizations
Law enforcement organizations are increasingly dependent on digital forensic evidence to close cases. Larger organizations may have a digital forensic lab onsite, while smaller organizations have to outsource this process. ATRIO can help both of these types of organizations. For smaller organizations with no onsite lab resources, or even larger ones where evidence is needed quickly in a time-sensitive investigation, investigators can easily learn to use ATRIO to process their media themselves to obtain evidence.

For media that is sent to a law enforcement forensic lab, ATRIO creates more efficiency in the lab-based workflow by imaging, and processing media concurrently. There’s no need for multiple pieces of software and time-consuming data transfer for the forensic workflow to be completed. ATRIO provides the automated, all-in-one solution that allows you to be hands-off while it is working so you can focus on other cases until your results are ready. For forensic labs that are inundated with cases, and have a constant stream of media and data that need to be reviewed, this efficiency can significantly reduce backlogs.

Corporate Environments
Companies, large and small, often need to examine hard drives used for corporate business. But most don’t keep a full-time forensic examiner around just for that purpose. It’s simply not cost effective. Organizations have to be lean and often rely on security and other personnel who are on-site and have access to the evidence in question, but may not have the experience to conduct a thorough forensic examination using complex tool suites and software programs. ATRIO can be the solution in this scenario because it’s extremely user friendly and requires minimal training to get up and running. Here are just a couple of examples. Let’s say there is a piece of media you suspect an employee is using to obtain and exfiltrate internal company documents. You need to know what has been downloaded from the company server and where those documents have been sent. In that case, you won’t even need to select any options on ATRIO. The default options will automatically identify all the documents contained within the drive (even deleted ones!), as well as browser history, event logs, and registry files. If you discover that the employee has documents they should not have, or a suspicious pattern of downloading certain types of proprietary data, then you know it’s time to do a deeper investigation. Even if your onsite investigator doesn’t have the skills to piece together all of the clues from the extracted registry files, event logs, and browser history, these results can then easily be outsourced to a professional examiner to perform the advanced extrapolation and analysis tasks needed to determine how these files may have been used and where these files may have been sent. You can be confident this is a good investment based on the evidence already collected by ATRIO onsite. In another example, what if you suspect a machine has malware that created additional unauthorized users? ATRIO can quickly pull out registry files, parse them, and give you a list of all the users on the drive, so you can compare what’s supposed to be there versus what actually is there. From insider threat to external corporate espionage risks, ATRIO provides the in-house capabilities you need for many, if not most, forensic operations.

A Tool in Your “Best Practice” Toolkit
Maybe your organization has all the forensic tools and software it could ever need and your workflow is already in place. ATRIO can also serve as the fast solution you need to institute the best practice of verifying your other tools. Every lab needs to periodically verify the functionality of their tools and, in many cases, to validate the evidence they collect as a backup for a court case. ATRIO provides a fast and efficient way to confirm that your other tools are working properly and make doubly sure the evidence you have obtained is sound. In time, you may even find you prefer to make ATRIO your main tool and use the other more time consuming tools for occasional verification!

ATRIO can help any organization involved in digital forensics because it:

  • Allows more people in the field to be a part of the forensic process, which speeds investigations
  • Handles complex tasks but is simple to use and provides results in a way that anyone can review them.
  • Creates significant efficiencies in the lab environment.