Forensic Toolkit System Specifications Guide February 2012

When it comes to performing effective and timely investigations, we recommend examiners take into consideration the demands the software, and specifically PostgreSQL, will make on their hardware resources. Depending on the size and scope of a given investigation, Forensic Toolkit 4 (FTK) and AccessData Enterprise will push hardware resources to their limits.

FTK Components and Their System Requirements

FTK is made up of four separate components/applications, each of which is installed separately and performs a different function: the PostgreSQL Database, the FTK Client User Interface (UI), the Client-side Processing Engine and the Distributed Processing Engine. When configuring a system to run FTK, it is helpful to understand the hardware requirements of each component and the strain each places on the hardware.

PostgreSQL Database

The PostgreSQL database is a key component of the FTK application. PostgreSQL stores the processed metadata and performs all the queries, sorts, filters, file listings and other functions requested by the Client UI.

- RAM: To achieve maximum product performance, especially during review, give PostgreSQL as much RAM as possible. PostgreSQL should be installed on a machine running a 64-bit operating system with at least 8GB of RAM whenever possible. Installing PostgreSQL on a system with less than 8GB of RAM can result in a sluggish FTK Client UI, depending on the data set size. 8GB of RAM is the minimum recommended for investigations involving roughly 3-4 million record items; 12-16GB is recommended for larger cases with 4-8 million record items; for extremely large cases with over 8 million record items the system should have 16GB of RAM or more.
- OS: Even though PostgreSQL will run on all versions of Windows XP, 2003, Vista, 2008 and Windows 7, a 64-bit OS is VERY strongly recommended. PostgreSQL will run at least 3-5 times faster on a 64-bit OS than on a 32-bit OS. Windows 7 and Server 2008 R2 have much better memory management than Windows XP, so Windows 7 x64 and Server 2008 R2 are AccessData's recommended operating systems.
- CPU: PostgreSQL can place a significant demand on the CPU during review. PostgreSQL will run on most processors that are dual core or greater; a quad core processor is the minimum recommended CPU for an all-in-one forensic machine. Tests have shown that PostgreSQL runs extremely well on machines built on the Intel i7 chip. AccessData recommends a minimum of 8GB of RAM for a quad core CPU, a minimum of 12GB for an i7 CPU and a minimum of 16GB for higher end CPUs.
- Hard Disk Storage Requirements and Hard Drive I/O Speed: PostgreSQL's responsiveness, especially during review, is affected by the amount of RAM in the computer, the power and speed of the CPU, and the speed of the hard drive(s). The larger the case, the more directly hard drive speed impacts UI performance, so a faster hard drive results in a much more responsive UI.
  - At a minimum, if the space exists in the computer case, PostgreSQL should always be hosted on its own dedicated hard drive.
  - The storage requirements for the PostgreSQL database are small relative to those of the case folder and the evidence location. PostgreSQL will usually take up only about 4-5GB for every million record items, so its storage requirement depends directly on the number of active cases in the database. For most single-examiner machines, 150GB of storage space for PostgreSQL should be sufficient.
  - 7200 RPM drives: 7200 RPM drives offer huge capacity, but their I/O seek speed is usually less than ideal. If the PostgreSQL box has lots of RAM and the cases are small (3 million record items or less), hosting PostgreSQL on a 7200 RPM drive is an option, though not preferred. A 7200 RPM drive will start to become a problem on large cases, as its seek speed will directly impact the responsiveness of the Client UI. If hosting PostgreSQL on a 7200 RPM SATA drive, use one of the latest generation drives with a large cache (at least 64MB) when possible, and avoid hosting PostgreSQL on an older generation drive.

2012 AccessData Corporation, All Rights Reserved. Page 2 of 6

  - SSD drives: SSD drives will usually provide the highest level of PostgreSQL performance and do not need to be RAID configured. At the time this paper was written the Intel X25-M had tested as a very good drive for hosting PostgreSQL. Unfortunately these SSD drives have small capacity compared to mechanical drives and the price per GB is expensive. SSD technology is rapidly changing (improving) and performance between different solid state drives varies dramatically, so research the drive performance data before making a purchase: http://www.tomshardware.com/reviews/ssd-review-benchmark,3115.html
  - Hardware RAID controllers: Several hard drives in a RAID configuration will usually provide very high performance. If using a hardware RAID, the most important factor is a controller that supports a battery-backed write-back cache (the controller acknowledges writes once they are in its cache, so the battery is what protects cached writes that have not yet reached the disks if power is lost). The battery frequently has to be purchased separately; it is money very well spent. The RAID level (RAID 5, RAID 6, RAID 10) only marginally impacts performance. It is usually recommended to avoid RAID 0 for storing case folder information, as there is no redundancy in the event of a drive failure. However, a separate small (160-380GB) RAID 0 partition with the write-back cache enabled is ideal for the FTK temporary folder location. The Adaptec 5000 series RAID controllers do extremely well in testing. Software RAIDs provide no significant performance advantage.
- For laptops with a single internal hard drive, PostgreSQL usually needs to be installed on the internal OS drive. If possible, laptop users should store the case folder and E01 image on an external drive. The connection to the external drive should be eSATA or USB 3.0 if available. FireWire and USB 2.0 are viable second options, but will not be as fast as eSATA and will impact processing and review time.
- Network Speed: 1Gbit is recommended for all AccessData applications. 100Mbit is discouraged, especially if any sort of data is stored on a network drive and/or share path.

FTK Processing Engine and FTK Distributed Processing Engine

The processing engine and distributed processing engines, as their names suggest, perform the majority of the work when processing data. The processing engine also performs live search during review.

- CPU: When processing an image the bottleneck is usually the capability of the CPU(s) or the I/O speed of the drive hosting the image file. If the FTK Processing Engine is not utilizing 100% of the system's CPU capacity, the I/O speed of the drive hosting the evidence (E01, AFF, DD, AD1, loose files) is frequently the cause. To get the most out of higher end CPUs such as i7 processors, you may need to focus on the speed at which the machine can read the evidence.
- RAM: The processing engine adjusts the number of threads based on the amount of RAM in the computer. 8GB or more is AccessData's suggested minimum; running the processing engines on a machine with less than 4GB of RAM is not recommended. As a rule of thumb there should be at least 2GB of RAM per logical core.
- OS: The processing engines will run on all versions of Windows XP, 2003, Vista, 2008 and Windows 7. A 64-bit OS is not mandatory but strongly recommended. Windows 7 and Server 2008 R2 have much better memory management than Windows XP, so Windows 7 x64 and Server 2008 R2 are AccessData's recommended operating systems.
- Hard Disk, Storage Requirements and I/O Speed: Many times the I/O access speed to the evidence will be the limiting factor in total processing time. Because most forensic images and loose files take up a lot of space, they are usually stored on large capacity 7200 RPM drives. When connecting to an external hard drive, eSATA or USB 3.0 will provide faster response than USB 2.0 or FireWire. Storing the image on a much faster drive such as a RAID array is an option, but in many situations it may not be feasible. Storing the forensic images or case folder on the same drive as PostgreSQL is strongly discouraged, as performance will be significantly impacted. The preferred configuration is to store the case folder, PostgreSQL and the evidence files on separate drives.

- Network Speed: 1Gbit is recommended for all AccessData applications. 100Mbit is discouraged, especially if any sort of data is stored on a network drive and/or share path.
- Preferences / Temporary File Path: In FTK's case management window there is a Preferences option that allows a user to select the location of the temporary folder. The FTK Processing Engine uses this temp folder as scratch space for the numerous temp files created during processing. By default the folder is on the OS drive. The I/O speed of the hard drive that hosts this folder can significantly slow down the time it takes to process evidence. For users with higher end machines needing the fastest processing speed possible, a dedicated 128GB or 256GB SSD drive is an excellent option for hosting this folder. For machines with a hardware RAID card, a 160-320GB RAID 0 partition should be created with the write-back cache enabled for this folder. This folder should not be placed on a network drive or a USB connected drive. The sizing of this folder depends on the evidence being processed, and temp space utilization will vary from case to case.

FTK Client User Interface (UI)

The Client user interface is the application used to manage the case, launch the Processing Engines, and provide the examiner with a view into the collected metadata. The hardware requirements for the FTK Client UI are the least onerous of the four components. If the UI is slow and/or non-responsive, it is usually the result of an issue with the PostgreSQL database and not with the machine hosting the FTK Client UI.

- CPU: When running the FTK Client UI, the CPU will rarely be taxed to its full capacity. Any system with a dual core CPU or better should provide a reasonably fast UI experience. As stated above, the setup of the machine running the PostgreSQL database has the greatest impact on UI performance.
- RAM: The machine should have a minimum of 4GB of RAM.
- OS: The FTK UI will run on all versions of Windows XP, 2003, Vista, Windows 2008 and Windows 7. A 64-bit OS is not mandatory but recommended. Windows 7 and Server 2008 R2 have much better memory management than Windows XP, so Windows 7 x64 and Server 2008 R2 are the manufacturer's recommended operating systems.
- USB Slot: The FTK Client UI requires a security license. This license is usually stored on the CodeMeter USB dongle. If a USB slot is unavailable, the Network License Service (NLS) or a soft token, which can be obtained by contacting support, are alternative options.

There are two primary configurations that most examiners follow when running FTK 4.

Configuration 1 (highly portable):
  o System 1: All components (GUI / Worker / Primary Processing Engine / Database) on a single system
  o Systems 2-4: Distributed Processing Engine (optional)

Configuration 2 (maximum performance):
  o System 1: GUI / Worker / Primary Processing Engine
  o System 2: Database
  o Systems 3-5: Distributed Processing Engine (optional)

NOTE: When using distributed processing engines (DPE) there is absolutely no benefit to creating multiple virtual machines on the same system and putting distributed processing engines in those VMs.

CONFIGURATION 1: Specifications for FTK 4 with the PostgreSQL Database, FTK UI and Primary Processing Engine on the Same Machine

If installing PostgreSQL, the UI, and the processing engine all on the same machine, AccessData recommends one of the following hardware specifications:

Component                       | Minimum                                                                   | Recommended
Processor                       | Intel i7 or AMD equivalent                                                | Intel i7, Dual Quad Core Xeon, or AMD equivalent
RAM                             | 12GB - 16GB                                                               | 32GB (or more)
OS / Application drive          | 7200 RPM drive with 64MB cache                                            | 7200 RPM drive with 64MB cache or SSD drive
Storage for PostgreSQL database | 7200 RPM drive with 64MB cache dedicated exclusively to PostgreSQL        | 160GB Solid State Drive (SSD) dedicated exclusively to PostgreSQL
HW RAID Controller              | N/A                                                                       | Highly recommended if hosting the PostgreSQL database; configure with RAID 5, 6 or 10, avoid RAID 0
Temporary Folder Location       | Set to OS drive                                                           | SSD drive or RAID 0 partition with write-back cache
Drive layout                    | Drive Set 2: PostgreSQL Database; Drive Set 3: Case Folder and HD Image   | Drive Set 2: PostgreSQL Database (SSD or HW RAID); Drive Set 3: Case Folder and HD Image; Drive 4 (temp folder): SSD or RAID 0 partition
Operating Systems               | Server 2008 R2 / Windows 7 (64-bit)                                       | Server 2008 R2 / Windows 7 (64-bit)

Performance and Storage Considerations

1) The PostgreSQL database should be hosted on a dedicated hard drive, Solid State Drive (SSD), or hardware RAID array, separate from the operating system. For hardware RAIDs, RAID 0 gives the best performance but provides no recovery from drive failure; RAID 0 should only be considered if automatic scheduled backups are available. RAID 5 or RAID 10 will provide similar performance to RAID 0 with the additional advantage of redundancy if a drive fails.
2) It is strongly recommended to configure antivirus to exclude the PostgreSQL database, temp, images, and case folders.
3) It is recommended to turn off indexing, compression and/or EFS encryption on those locations. (By default, indexing of files and folders is on.)
4) Hardware RAID controllers will provide substantially better performance than an OS-based software RAID configuration. It is recommended to use a hardware RAID controller with at least 256MB of write-back cache. If activating the write-back cache, it is strongly recommended to purchase a card with a backup battery for the RAID controller before enabling it. Enabling the write-back cache without the backup battery creates the potential for database corruption in the event of a system crash or power failure.
5) For recommendations on hard drives and hardware RAID controllers please see:
   a) Hard Drives: http://www.tomshardware.com/charts/3-5-hard-drive-charts/benchmarks,24.html
   b) RAID Controllers: http://www.maximumpc.com/sites/future.p2technology.com/files/imce-images/raidbenchmarksbig.gif
6) To roughly estimate the amount of storage space needed to support your processing load, consider these variables:
   a) Database: Every 1 million objects requires roughly 4-5GB of space on the PostgreSQL drive. (Note: The type of target data should also be considered in estimating space requirements. Once processed, a single file may constitute several objects in the PostgreSQL database, and compound files like ZIPs or PSTs may equate to several hundred objects.)
   b) Generally, the dtSearch index stored in the case folder will be about 25-30% of the size of the compressed image.
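As an added example (this script is not part of the AccessData guide), the following PowerShell audits a Windows FTK host against items 1-3 above together with the earlier RAM tiers, the "separate drives" rule and the rule that the temp folder must not sit on a USB or network drive. The folder paths are placeholders, Windows Defender is assumed to be the antivirus (Get-MpPreference), and the Storage module cmdlets Get-Partition and Get-Disk are assumed to be available; all three are assumptions, not something the guide specifies. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the AccessData guide: audit an FTK host against the
# guide's storage and configuration rules. Paths, the Defender cmdlet and the
# Storage module cmdlets are assumptions; substitute your own.
param(
    [string]$PostgresDataDir = 'D:\PostgreSQL\data',   # placeholder path
    [string]$CaseFolder      = 'E:\Cases',             # placeholder path
    [string]$EvidenceFolder  = 'E:\Evidence',          # placeholder path
    [string]$TempFolder      = 'F:\FTKTemp',           # placeholder path
    [double]$ExpectedRecordItemsMillions = 3
)

$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Level, [string]$Text) { $findings.Add("[$Level] $Text") }

# 1. 64-bit OS and installed RAM against the guide's tiers:
#    8GB up to ~4M record items, 12-16GB for 4-8M, 16GB+ above 8M.
$os  = Get-CimInstance Win32_OperatingSystem
$ram = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB)
if ($os.OSArchitecture -notmatch '64') {
    Add-Finding 'FAIL' "32-bit OS ($($os.Caption)); the guide strongly recommends 64-bit"
}
$minRam = if ($ExpectedRecordItemsMillions -le 4) { 8 } elseif ($ExpectedRecordItemsMillions -le 8) { 12 } else { 16 }
if ($ram -lt $minRam) {
    Add-Finding 'FAIL' "$ram GB RAM installed; guide recommends at least $minRam GB for ~$ExpectedRecordItemsMillions M record items"
}

# 2. Resolve each folder to a physical disk and bus type, so we can tell whether
#    PostgreSQL shares a spindle with the case folder, evidence or temp folder,
#    and whether the temp folder is on USB or a network share.
function Get-FolderDisk([string]$Path) {
    $root = [System.IO.Path]::GetPathRoot($Path)
    if ($root -like '\\*') { return [pscustomobject]@{ DiskNumber = 'network'; BusType = 'network' } }
    $part = Get-Partition -DriveLetter $root.Substring(0, 1) -ErrorAction Stop
    $disk = Get-Disk -Number $part.DiskNumber
    [pscustomobject]@{ DiskNumber = $disk.Number; BusType = [string]$disk.BusType }
}
$roles = @{ PostgreSQL = $PostgresDataDir; Case = $CaseFolder; Evidence = $EvidenceFolder; Temp = $TempFolder }
$disks = @{}
foreach ($r in $roles.Keys) { $disks[$r] = Get-FolderDisk $roles[$r] }
foreach ($pair in @(@('PostgreSQL', 'Case'), @('PostgreSQL', 'Evidence'), @('PostgreSQL', 'Temp'))) {
    if ($disks[$pair[0]].DiskNumber -eq $disks[$pair[1]].DiskNumber) {
        Add-Finding 'FAIL' "$($pair[0]) and $($pair[1]) share physical disk $($disks[$pair[0]].DiskNumber); guide wants separate drives"
    }
}
if ($disks['Temp'].BusType -in 'USB', 'network') {
    Add-Finding 'FAIL' "Temp folder is on $($disks['Temp'].BusType); guide says never a network or USB drive"
}

# 3. NTFS attributes the guide says to turn off (compression, EFS, indexing)
#    and an antivirus exclusion for every folder.
$exclusions = @()
try { $exclusions = @((Get-MpPreference).ExclusionPath) }
catch { Add-Finding 'WARN' 'Get-MpPreference unavailable; verify AV exclusions with your product''s own tooling' }
foreach ($r in $roles.Keys) {
    $p = $roles[$r]
    if (-not (Test-Path $p)) { Add-Finding 'WARN' "$r folder $p does not exist"; continue }
    $attr = (Get-Item $p).Attributes
    if (($attr -band [IO.FileAttributes]::Compressed) -ne 0) { Add-Finding 'FAIL' "$r folder $p is NTFS-compressed" }
    if (($attr -band [IO.FileAttributes]::Encrypted)  -ne 0) { Add-Finding 'FAIL' "$r folder $p is EFS-encrypted" }
    if (($attr -band [IO.FileAttributes]::NotContentIndexed) -eq 0) { Add-Finding 'WARN' "$r folder $p is still content-indexed" }
    if (-not ($exclusions | Where-Object { $_ -and ($p -like "$_*") })) { Add-Finding 'WARN' "$r folder $p has no AV exclusion" }
}

if ($findings.Count -eq 0) { 'No findings: host matches the guide.' } else { $findings }
```

A FAIL line means the host violates a rule the guide states outright; a WARN line is a check the script could not complete or a setting the guide only recommends. For a non-Defender product, replace the Get-MpPreference call with that product's exclusion query. One caveat the guide leaves implicit: excluding evidence and case folders from antivirus means malware carried inside an image is never scanned on this host, so the examiner machine should be treated as untrusted and kept off production networks.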

CONFIGURATION 2: Specifications for FTK 4 UI and Processing Engine on One Machine and PostgreSQL on a Separate (2nd) Machine (2 Node Configuration)

Node 1: Specifications for GUI and Worker

If installing the embedded PostgreSQL database on a dedicated machine or using an existing Oracle infrastructure, AccessData recommends one of the following hardware specifications for the machine running the FTK UI and Processing Engine:

Component                    | Minimum                                       | Recommended
Processor                    | Intel Quad Core or AMD equivalent             | Intel Dual Quad Core, i7 or AMD equivalent
CD/DVD Drive                 | DVD                                           | DVD
RAM                          | 8GB                                           | 32GB (or more)
OS / Application Drive       | 7200 RPM drive with 64MB cache                | 7200 RPM drive with 64MB cache
Storage for Index and Images | As necessary                                  | As necessary
Temporary Folder Location    | Set to OS drive                               | SSD drive or RAID 0 partition with write-back cache
Operating System             | Server 2008 R2 or Windows 7 (64-bit)          | Server 2008 R2 or Windows 7 (64-bit)
Drive layout                 | Drive Set 2: Hard Drive Image and Case Folder | Drive Set 2: Hard Drive Image and Case Folder; Drive 3 (temp folder): SSD or RAID 0

Node 2: Stand-alone Database Specifications for Windows-based PostgreSQL

If installing the embedded PostgreSQL database on a second machine, AccessData recommends the following hardware specifications:

Component                       | Minimum                                                             | Recommended
Processor                       | Intel i7 or AMD equivalent                                          | Intel i7, Dual Quad Core Xeon, or AMD equivalent
RAM                             | 8GB / 12GB                                                          | 32GB (or more)
OS / Application drive          | 7200 RPM drive with 64MB cache                                      | 7200 RPM drive with 64MB cache or SSD drive
Storage for PostgreSQL database | 7200 RPM drive with 64MB cache dedicated exclusively to PostgreSQL  | Solid State Drive (SSD) dedicated exclusively to PostgreSQL
HW RAID Controller              | N/A                                                                 | Highly recommended if hosting the PostgreSQL database; configure with RAID 5, 6 or 10, avoid RAID 0
Drive layout                    | Drive Set 2: PostgreSQL Database                                    | Drive Set 2: PostgreSQL Database (SSD or HW RAID)
Operating Systems               | Server 2008 R2 or Windows 7 (64-bit)                                | Server 2008 R2 or Windows 7 (64-bit)

Distributed Processing Engine

If using a distributed processing engine, AccessData recommends the following hardware specifications:

Component                  | Minimum                            | Recommended
Processor                  | Intel Quad Core or AMD equivalent  | Intel i7 or AMD equivalent
RAM                        | 8GB / 12GB                         | 16GB / 32GB
OS / Application drive     | 7200 RPM drive with 64MB cache     | 7200 RPM drive with 64MB cache
Scratch / Temp space drive | 7200 RPM drive with 64MB cache     | SSD drive
Temporary Folder Location  | Set to OS drive                    | SSD drive or RAID 0 partition with write-back cache
Drive layout               |                                    | Drive 2: Scratch / Temp space drive
Operating Systems          | Windows 7 (64-bit)                 | Windows 7 (64-bit)