Forensics 101, Hardware, Methodology, Software

Forensic Toolkit v3 Tips and Tricks – On a budget

While researching FTK 3X and Oracle, you just recently discovered that the best configuration of your Oracle database would be on a solid state drive (SSD). Solid state drives give the maximum level of performance to Oracle databases and in turn speed up your FTK 3X responsiveness.

You are a conscientious analyst and decide to try reinstalling your database on a SSD. You approach your boss, who is not a techno geek, and ask him to purchase a 256GB high performance SSD:

“Five hundred dollars!! For one drive? In this economy? If I buy in bulk I can get ten Terabyte hard drives for that price; get out of my office and close the door behind you!”

Short stroking

So how do I get close to SSD performance on the cheap? Welcome to the world of short stroking.

With short stroking, you don’t use the entire hard drive for storage. Disks have become so large and cheap that you can use the outer tracks of the disk just for storing data. If you create one partition that is twenty percent, of the total size of the drive, the drive head will travel much less distance. This will decrease your latency and improve your input / output performance, access times, and in all probability, drive wear. If correctly implemented, short stroking creates more than double the throughput in less than half the access time.

By using Fdisk, GParted, or software provided by the hard disk drive manufacturer, you can use only the first few blocks of the disk to limit the number of LBAs (Logical Block Addresses) accessible in your hard disk drive. This limits the drive arm to only the last few tracks of each platter and blocks the use of slower areas of the hard drive. Remember, you will lose access to the part that’s blocked; therefore, it cannot be used to store any data.

Reading from the outside sectors of the platters is faster, as more sectors pass under the heads per second (depending on your drive speed) at 10,000 or 15,000 RPM than towards the middle of the drive at the same speed.

If you do a twenty percent short stroke of a Terabyte hard drive, you will only have 200GB of usable space on the hard drive. You will need to short stoke two Terabyte hard drives, at twenty percent, and assemble them in a RAID 0 array to get 400GB of useable space for your Oracle database. Remember, even though RAID 0 is fast, it is not fault tolerant; be sure to periodically backup your database.

Defragment early, defragment often.

After you have installed your Oracle database on your short stroked RAID 0 array, another performance boost is recognized by defragmenting the drive that the Oracle database resides on. Defragmenting allows for rapid sequential file reads and writes.  It is always best to store file blocks together contiguously (especially in any type of database).

I have created and processed FTK cases, on a clean Oracle database install and have observed up to seventy five percent fragmentation on the hard drive. Before starting analysis, I defragment the hard drive containing the Oracle database and make sure it is at zero fragmentation.

You need to regularly defragment the hard disk drive to ensure all frequently used data is defragmented otherwise; you will lose some of the performance benefits.

About Brian K. Glass

I am a Senior Forensic Computer Analyst. I work for the U.S. Postal Inspection Service Forensic Laboratory Services / Digital Evidence Unit located in Philadelphia, PA. I have testified about computer forensics as a expert witness in Federal Court. PROFESSIONAL CERTIFICATIONS: Access Data Certified Examiner, Certified Malware Investigator, Computer Information Forensics Investigator, Microsoft Certified Systems Engineer, Microsoft Certified Systems Administrator, Microsoft Certified Database Administrator, Comptia: Server , Security & A plus, Electronics Technician U.S.C.G. PROFESSIONAL ORGANIZATIONS: High Technology Crime Investigation Association, Consortium of Digital Forensic Specialists, International Association of Financial Crimes Investigators, Association for Computing Machinery.

Discussion

No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 1,010 other followers

%d bloggers like this: