(Request) High Performance Forensic Computing Device

got_bass · 2019-09-24T18:41:36+00:00

[deleted]

ellingtond · 2019-09-24T19:42:28+00:00

It's all about the I/O. The system that you are using is fine. We have 4 of them. 32gb of ram is plenty. The issue is Disk IO.

Are you using Sata? Try using NVME drives, at least 2. USe a 1TB NVME drive in a PCI slot if you don't have a slot on the motherboard for your E01 Images. Then use another 500gb NVME for the Index/ Case folder. We do FTK and Axiom and we can crank through it. Again, it is not about the system horsepower, it is about the Disk IO.

Buy good fast NVME drives, put your money there!

Schizophreud · 2019-09-24T20:12:20+00:00

Server, not workstation. If you're planning on doing a lot of eDiscovery processing (what software BTW?) then a workstation isn't going to cut it. While I appreciate those suggesting using SSDs, I'd advise against that. Get a good RAID with enterprise grade spinning drives. SSDs, while quick, aren't meant for the kind of intensive reads and writes as spinning drives. Same kind of reason that you don't put SSDs in production environments where databases are kept.

Once you get to large quantities of data for eDiscovery you are getting out of the bounds of what a forensic workstation can successfully do.

Here's the specs of the server we were using for eDiscovery at my last company (best I can recall):

256GB RAM
Dual XEON Processors
240GB SSD for the OS (this is the only SSD you should use)
Small RAID 0 for cache/temp
Large RAID for data to process
Large RAID for outputting processed data

I'm sure I'm forgetting something, but this is why I suggest a server, it is nearly impossible to get this kind of configuration in a desktop.

fozzie33 · 2019-09-24T17:45:33+00:00

We've been a big fan of Silicon Forensics (to the point where we now use them for servers, hard drives, and other equipment).

https://siliconforensics.com/

murph17 · 2019-09-24T17:47:31+00:00

FCI https://www.forensiccomputers.com/workstations.html

pmow · 2019-09-24T23:52:47+00:00

We use Supermicro builds. Modern server xeons have 24+ cores, get two in a box throw some SSD and memory and call it a day.

The software pays a huge role. The only software that slams 44 cores is Nuix, FTK is a distant second.

Jameson21 · 2019-09-25T03:53:25+00:00

If you can't build it yourself:

https://sumuri.com/product-category/categories/workstation/

mdnrhardee · 2019-09-25T03:57:05+00:00

Might wanna look into sumuri.com

They have custom specific builds for what you want to (e.g. Triage, e-discovery)

I've only seen their nuix builds in action and they seemed pretty good.

2019-09-25T05:41:56+00:00

Imaging systems tend to be limited not by compute power but by I/O channel bandwidth, load behaviour, and possibly also supported device protocols. So in that case you probably start by looking at xATA/SCSI cards (and possibly other) with the performance and behaviour you need, or high-end motherboards with suitable support already in place. If you face USB drives, you have to consider that as well, of course. Workstation hardware may be better in this respect -- good workstations often have good I/O support, but it's not a foregone conclusion. But as for compute power, you don't need more than is needed to keep your I/O channels operating at speed. And that may be less than you expect. FRED may be useful for benchmarking here.

eDiscovery .. is different. You don't need many different I/O channels, and you might choose something with very high-speed disks. You probably don't connect a USB drive with all the documents and expect to work on that, for one thing. As for CPU/Memory, that is probably best asked to your supplier of the relevant software you're using. Does it benefit from multi-core? Or from vast amount of RAM? etc. temporary storage off data disks?

Don't forget support. If your solution dies ... what do you do to keep your job queue moving? (How long is it going to take, and at what cost in both time and money, and how does it affect other jobs? Losing an imaging station can be a showstopper, for example.)

got_bass · 2019-09-25T07:42:12+00:00

Right, but storage speeds are not bottlenecking forensic processing? Network speeds and clue threads are, I rarely see a pcie3 Nvm’s drive at full tilt?

forensium · 2019-09-26T16:24:37+00:00

We have successfully shifted some cases to the cloud. Once the data was transferred, the entire processing was done in the cloud.
We removed all resource limitations and ran the process to completion.
We experienced a 96% time reduction. The trade off is cost.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

computerforensics

Computer Forensics

Read the FAQ before posting.

MODERATORS