
Forensic Toolkit v3 Tips and Tricks ― Not on a Budget

A couple of weeks ago, Brian Glass posted a very helpful comment, Forensic Toolkit v3 Tips and Tricks — on a Budget. His comment focused on how to “get close to SSD performance on the cheap,” and he discussed the practice of partitioning a large hard drive but using only the outer sectors of the platter, together with frequent defragmentation. In today’s post I want to encourage readers to adopt Glass’ advice and, if you have the budget, to consider a few other enhancements to improve performance.

In my practice, I spared no expense on equipment, including the latest OCZ SSD drives, dual Xeon processors, and 24GB of RAM, yet I still experienced unacceptable performance from FTK v3.3. For example, an evidence load of a 500GB drive with indexing, entropy test, and hashing enabled (but not OCR of images, or thumbnailing) still took over 20 hours.

Although I lay no claim to the best optimizations, I have found the following helpful:

  • You should have a minimum of 2GB of RAM for every processor core. If you are running dual six-core processors, you have twelve cores (not counting hyperthreading pseudo-cores) and would, therefore, need 24GB minimum. Source: February 2011 System Specifications Guide at 3.
  • The FTK machine should have a minimum of two disks: one for the FTK engine, and the other used solely to host the FTK temporary files directory. According to one FTK technical support rep I corresponded with, the disk hosting that directory experiences the greatest I/O demands, because it is through this directory that the FTK engine and the Oracle database pass data to each other. The directory is set through Tools > Preferences (see FTK Users Guide for v3.3, p. 38 of 396). If you have the budget, consider hosting the temporary directory on its own SSD, apart from the operating system, pagefile, Oracle, or FTK engine.
  • According to bench testing of FTK v3 by Digital Intelligence on a single-box configuration, the greatest performance enhancements came not from increasing the CPU speed or system memory, but from using the fastest possible hard drive for the Oracle database.
  • Unlike the system tested by Digital Intelligence, you should have a dual-machine system (exclusive of FTK distributed processing engines): one for FTK, and the other for Oracle. Network speed should be 1Gbit, not 100Mbit. Source: February 2011 System Specifications Guide at 3.
  • The Oracle machine should be configured with at least two disks: one for Oracle and the operating system, and the other for the Oracle database. Ideally, I recommend three separate disks: one for Oracle and the O/S, one for the page file, and one for the Oracle database.
  • For all disks requiring intensive I/O (the one hosting the FTK temp files, and the Oracle database drive), you should use an SSD (such as the OCZ Vertex 3 Pro (6 Gb/s)), or Serial Attached SCSI (SAS, 10,000 RPM) or, if you’re using 7,200 RPM SATA drives, a RAID 0 configuration. To use these disk configurations, you’ll need a motherboard that supports the SATA-3 standard and preferably has onboard RAID. For example, SuperMicro is one manufacturer of boards that support multiple processors, onboard RAID, SAS, and SATA-3.
  • During evidence loading, your machine[s] should be physically disconnected from the Internet (including wireless adapters). Disable any resident antivirus programs and disable the Microsoft Indexer, both of which may compete with Oracle or the FTK engine for resources.
  • I recommend Ghost or the Windows 7 system image/restore to load a fresh image on both of your machines for each new case you work (and to use FTK to archive the case onto an external drive upon completion). This way, in the unlikely event your machine were to become infected from the evidence drive (for example, by trying to run an executable on the evidence drive that contains a Trojan), you will not carry the infection over into subsequent work.
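The checks in the list above can be scripted as a pre-load checklist for the FTK machine. The following PowerShell script is an added example, not code from the post or from AccessData; it assumes the FTK temporary files directory path is supplied as a parameter (the default below is a placeholder), uses Windows 7 era WMI classes so it runs on the systems discussed, and is meant to be run elevated before evidence loading starts.

```powershell
# Added example: FTK v3 pre-load checklist (not from the post or AccessData).
param(
    [string]$FtkTempDir = 'T:\FTKTemp',   # assumed path; use your Tools > Preferences value
    [int]$GbPerCore = 2                   # rule from the System Specifications Guide
)

# 1. RAM: at least 2 GB per physical core (hyperthreading pseudo-cores not counted).
$cores  = (Get-WmiObject Win32_Processor | Measure-Object -Property NumberOfCores -Sum).Sum
$ramGb  = [math]::Round((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1GB)
$needGb = $cores * $GbPerCore
if ($ramGb -lt $needGb) { Write-Warning "RAM: $ramGb GB installed, $needGb GB needed for $cores cores" }
else                    { "RAM OK: $ramGb GB for $cores physical cores" }

# 2. Temp directory must sit on a different physical disk than the operating system.
function Get-DiskIndex([string]$Path) {
    $drive = Split-Path -Qualifier $Path                       # e.g. 'T:'
    $q = "ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='$drive'} WHERE AssocClass=Win32_LogicalDiskToPartition"
    $part = @(Get-WmiObject -Query $q)
    if ($part.Count -gt 0) { return $part[0].DiskIndex } else { return $null }
}
$osDisk  = Get-DiskIndex $env:SystemRoot
$tmpDisk = Get-DiskIndex $FtkTempDir
if     ($null -eq $tmpDisk)     { Write-Warning "Temp dir $FtkTempDir is not on a local disk" }
elseif ($tmpDisk -eq $osDisk)   { Write-Warning "Temp dir shares physical disk $tmpDisk with the OS" }
else                            { "Temp dir OK: physical disk $tmpDisk (OS on disk $osDisk)" }

# 3. Stop and disable the Windows Search indexer so it cannot compete for I/O.
$svc = Get-Service -Name WSearch -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name WSearch -Force }
    Set-Service -Name WSearch -StartupType Disabled
    "Windows Search: stopped and disabled"
}

# 4. Report any network adapter still enabled; the post's control is physical disconnection,
#    so this only tells you what is still up (including wireless adapters).
foreach ($a in Get-WmiObject Win32_NetworkAdapter -Filter "NetEnabled=True") {
    Write-Warning "Network adapter still enabled: $($a.Name)"
}

# 5. Report registered antivirus products; disabling them is vendor-specific, so this only lists them.
$av = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
foreach ($p in $av) { Write-Warning "Antivirus registered: $($p.displayName) (state $($p.productState))" }
```

Run it again after the fresh image is loaded for each new case, since the service and adapter state will revert with the image.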

I will conclude with this anecdote: Recently, I conducted a child pornography investigation at a law enforcement facility, where I was prohibited from using SSD drives in my equipment, because the detective-analyst had read a report that data cannot be completely wiped from SSDs. He was concerned that I might inadvertently retain contraband even after completing a forensic wipe. Although, based on the current caselaw, I did not believe the prosecution had a legal right to dictate what equipment I used, I solved the problem by purchasing six 40GB refurbished Western Digital drives from NewEgg for $10 each, and configured them as RAID 0 on the SAS backplane of the motherboard. I didn’t run any bench tests to determine whether this 240GB array was as fast as a single OCZ Vertex 3 drive, but it ran flawlessly and cost only $60.

Whether or not you’re on a tight budget, FTK 3.x with Oracle places substantial demands on hardware capacity and processing time. Nevertheless, these demands can be mitigated through creativity and resourcefulness.

About barristerharri

The author, Sean L. Harrington, is a digital forensics examiner, cybersecurity attorney, and e-discovery and litigation consultant with the private practice digital forensics firm of Attorney Client Privilege, LLC (http://attyClientPriv.com). Harrington holds the MCSE, CISSP, CHFI, CSOXP, and CCFP, has served on the board of the Minnesota Chapter of the High Technology Crime Investigation Association (http://mn-htcia.org), is a member of Infragard, a member of the Financial Services Roundtable cyber-legislative working group, a member of the Minnesota Ediscovery Working Group, a member of Century College's Computer Forensics Advisory Board and [erstwhile] Investigative Sciences for Law Enforcement Technology (ISLET) board, and is a council member of the Minnesota State Bar Association (MSBA) Computer & Technology Law Section (http://mntech.typepad.com). Harrington earned a certificate in computer forensics from Century College's pioneering digital forensics program and graduated with honors from Taft Law School.

Discussion

4 thoughts on “Forensic Toolkit v3 Tips and Tricks ― Not on a Budget”

  1. I’ve been trying to find definitive answers on the topic of Forensic Computer Hardware for some time. I’m building several machines for a new lab and this is exactly what I needed. Thanks! Obviously the detective hasn’t read the other article claiming that SSDs will be the end of forensic investigations because the garbage collection process can have the SSDs wiping themselves without any user input. Available here: http://www.jdfsl.org/subscriptions/JDFSL-V5N3-Bell.pdf

    Posted by Mitch | November 29, 2011, 4:40 pm
  2. One quick thought: If you’re going for max performance, a separate, slot-based, HIGH QUALITY 6 Gb/sec RAID controller will yield far better results than mobo-based controllers. It’s just a guesstimate but you’re probably looking at $500 – $700 for a decent card.

    Posted by Jerry Hatchett | November 30, 2011, 1:39 pm
    • You are exactly right! A high-quality RAID controller will definitely get you a big increase in throughput. I have also learned from years of configuring servers that Oracle runs better when there are multiple drives, and as much cache memory on the drives and controller as possible (or you can afford!).
      Here are a couple of RAID adapters that are fairly low priced but with good specs.

      LSI MegaRAID SAS 9240-4i -6GB/S SATA+SAS – about $235.00
      Intel RAID Controller RS2BL040 – 6Gbps SAS adapter – about $319.00

      They are certified for:
      Red Hat Linux 5.0, Microsoft Windows Server 2003, SunSoft Solaris 10, Microsoft Windows Vista, SuSE Linux Enterprise Server 11, SuSE Linux Enterprise Server 10, Microsoft Windows Server 2003 x64 Edition, Microsoft Windows Vista (64-bit versions), Red Hat Linux 4, Microsoft Windows Server 2008

      Hope that helps!

      Harry Dykeman
      Account Executive
      Forensic Analyst
      asi System Integration
      847-499-3521 Office
      847-224-0268 Cell

      Posted by Harry | December 1, 2011, 6:02 pm
  3. Try the NIST website NRL

    ROBO

    Posted by Robo | January 15, 2012, 1:56 am
