±Forensic Focus Partners

±Your Account


Nickname
Password


Forgotten password/username?


Membership:
New Today: 3
New Yesterday: 7
Overall: 27330
Visitors: 55

±Follow Forensic Focus

Join our LinkedIn group

Subscribe to news

Subscribe to forums

Subscribe to blog

Subscribe to tweets

Thunderbolt, Light Peak and forensics

Discussion of forensic workstations, write blockers, bridges, adapters, disk duplicators, storage etc. Strictly no advertising of commercial products, please.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

Thunderbolt, Light Peak and forensics

Post Posted: Sat Feb 26, 2011 6:39 pm

The Intel Light Peak, aka Thunderpolt is now implemented in the Apple MacBook Pro.

Light Peak I believe appeared in 2009.

EndGadget has a decent but basic article of the implementation.

Any thoughts? How will this impact our industry?
anyone played with it?
I love the faster speed for imaging, with possibility of direct memory imaging . . .  

jhup
Senior Member
 
 
  

Re: Thunderbolt, Light Peak and forensics

Post Posted: Tue Oct 16, 2012 5:11 pm

First post for me, but this forum seems pretty active and great overall.

In the pursuit of faster field acquisitions, I've begun playing with USB3, and now Thunderbolt.

USB3 is a dismal failure. There's only one or two PCIe controllers worth anything, and the controllers built into laptops are a lottery. I abandoned USB3 when I realized I'd need to purchase and return an endless supply of laptops. The issue is that while one transfer is okay, the controllers cannot handle multiple transfers. Aggregate speeds would sputter.

Thunderbolt is essentially, PCI Express. From my (limited) understanding the IDE/ATA commands are sent over the bus and all should be well in the land of fast transfers. Under actual use this isn't always the case.

Promise R6: The Mac-daddy end-all storage DAS
The Promise R6 is a bit pricey (12TB $2300), but if you've given up on USB3, there's really no other alternative. I tested the R6 on a 2010 Macbook Pro with 8GB of RAM and an SSD. I used 'dd' to read from zero and write to the drive. I also tested the default and maximum settings for stripe and sector size:
RAID1E - read 454MB/s - write 290MB/s
RAID0 - read 799MB/s - write 621MB/s
RAID5 - read 426MB/s - write 582MB/s
The RAID5 test was done while syncronizing the array, which means this is a minimum speed. I realize it's not very exact, but I don't have time to sit and wait for it to finish. I used bs=1024k (block size) and count=25000 to transfer about 25GB of data each time. Overall, very happy with the product.

LaCie eSata Hub Thunderbolt Series
The LaCie eSata Hub is basically a controller sitting on the Thunderbolt bus, and comes with the added benefit of being daisy-chained. I purchased two of these, yielding up to 4 eSATA ports.
Most of the testing was done using Weibetech Ultradock v5s, the new write blocker with USB3 and a bunch of other ports. dd images of one SSD, two 7200RPM SATA, and 1 PATA drive yielded about the same results: ~20MB/s per thread. After speaking to LaCie, I could tell I wasn't going to get any help whatsoever and I started playing around with block sizes and the destination drive. I even tried a random eSata drive just to make sure it wasn't the write blockers. The most I ever got was 23MB/s, on drives that easily did 45MB/s or more. Finally I tested using FTK Imager CLI for mac, with similar results.
On a whim I attempted a simple file copy from the mounted SSD. Miraculously, it copied at a snappy 45MB/s. I then unmounted, and got the same paltry 20MB/s speeds. Undeterred I grabbed a bunch of big (8-20GB) backups and threw them on the drive. Through the write blocker, I got about 100MB/s. That's more like it!
Calling the company back, I was sure this was a software issue, and a firmware update was sure to come. After all, how could having a filesystem in the way copy faster than a bare drive? Lacie's answer was that the hardware was only tested using mounted filesystems, and that the product worked as they expected. Good thing it's no problem returning.

The Future
Before returning the Pegasus R6, I'm going to try one more product which opens up the Thunderbolt bus. The Magma Expressbox 3T theoretically allows you to put in PCIe cards (such as USB3 controllers, or eSATA controllers) directly on the Thunderbolt bus. With luck, this may work out. Luckily, it seems they're used by a bunch of video pros and are suited to providing technical expertise and advice.  

pmow
Newbie
 
 
  

Re: Thunderbolt, Light Peak and forensics

Post Posted: Tue Oct 16, 2012 9:39 pm

Tom's Hardware had an excellent article on this very subject in July:

www.tomshardware.com/r...,3222.html

Actually, the future is NAS boxes with SSD drives in them.
_________________
Marc Yu
Chief Forensics Examiner
ClearForensics.com 

marcyu
Senior Member
 
 
  

Re: Thunderbolt, Light Peak and forensics

Post Posted: Mon Nov 26, 2012 12:20 pm

Unfortunately there are no resources out there which discuss the potential pitfalls of Thunderbolt for use in forensics. Specifically, for use in imaging with increased total throughput.

One pitfall, currently, is that little hardware exists. Desktops and laptop PCs (non-Apple) have been out for less than a year and although there seem to be fewer issues than the rollout of USB, drivers are a real issue. As an evaluation machine, our internal 2011 Macbook Pro was used to test out the R6 with the Magma Expressbox 3T. The 3T also seemed to run into the throughput limitation when imaging physical drives. To isolate the problem, I began investigating the possibility of utilizing Thunderbolt devices in boot camp. Fortunately, the Magma Expressbox 3T has no need of drivers on the Windows 7 side. The Pegasus R6 however, needed drivers and they are sorely lacking in that department. This article sorts it out, and after some initial confusion with the model number to base the driver from, the R6 is [mostly] working.

Initially, booting with both devices connected in the chain didn't work (with either device first in the chain). I noticed varying results sometimes, and have narrowed it down to a hot boot issue; That is, booting from being powered down works, but rebooting and connecting the devices will result in a frozen boot process. As expected, speeds are up there (65MB/s from one test spinning-disk), although speeds to the R6 resulted in a slightly slower 55MB/s. The newer Macbook Pros have options which include dual thunderbolt, and may help. The task now is to test with multiple imaging operations, but now that the speed issue is isolated to later Mac OSX versions, I expect decent results.  

pmow
Newbie
 
 
  

Re: Thunderbolt, Light Peak and forensics

Post Posted: Wed Dec 05, 2012 5:04 pm

I've had good luck using on of these:

Seagate GoFlex Desk

I have a MacBook Pro Retina which has 2 Thunderbolt ports. I use the GoFlex Desk with a bare SATA drive as my target drive and a Tableau Firewire bridge on my suspect drive.

I only use this setup in the field, and I haven't done any tests on this setup as the bottleneck is with the Firewire bridge. So, it works, but may not be all that fast.  

Bulldawg
Senior Member
 
 
Reply to topicReply to topic

Share this forum topic to encourage more replies



Page 1 of 1