Following on from one or two earlier discussions, I'd like to develop a page devoted to forensic workstation suggestions/recommendations. The aim would be to provide a quick reference to anyone considering buying or building a workstation - for imaging and analysis - and to keep the page updated at regular intervals.

Cost is as much a factor as performance in many of our purchasing decisions and I'd like the focus of the recommendations to be on hardware which gets the job done but also represents value for money. In other words, I'm not really looking for expensive, bleeding edge solutions which would be very nice to have but are unlikely to be approved for purchase. Think more along the lines of something you'd be comfortable talking about at your next forensic get together but wouldn't expect to make anyone jealous!

My initial thoughts are it would be nice to have a generic recommendation for each category of hardware (for "build your own" machines) and then list two or three specific products per category. For ready built machines, perhaps we could simply have a few price range categories and list two or three recommended options in each.

With regard to hardware categories for those considering a a self-build, these immediately spring to mind - please feel free to suggest any others:

Case and power supply
Motherboard
CPU
RAM
Hard drive(s)
IDE/SCSI/Firewire controllers
CD/DVD writer
Hardware write blocker
Memory card reader
Video card
Sound card
Network interface(s)
Removable drive bays
Floppy drive
Speakers
Backup storage (e.g. tape drive)
Keyboard & Mouse
Monitor

Perhaps a separate section for mobile solutions (e.g. laptops/notebooks, travelling cases, etc) is also worthwhile?

I know that asking for recommendations has the potential to be somewhat chaotic but let's give it a go, hopefully the end result will be of real use to those either starting a new forensics section or upgrading from older kit.

Thoughts, comments but most of all suggestions for the above categories are very welcome...

For mobile stations.

I like the Dell M1710 and the Sager 98 series. One is a desktop replacement the other is a lighter laptop with a strong graphics card.

For actual workstations I have liked getting server cases on wheels, so if I need to for some reason take it somewhere it wheels right out of the office, and server cases have so many free slots, you would be hard pressed to fill them all.

I would add that SCSI card would be good to have, maybe an IDE expansion card.

Cooling would be important as we let our cases index for hours and sometimes days. Spreaders for the memory would be nice.

At least 2 of every item you would put in an expansion bay. Much easier to copy floppies, CD's, DVD's,

3.5 and 5,25 floppy bays will come in handy.

I like to have one of whatever the largest drive on the market is for compression of the cases (backup)

Software to be able to multiboot Vista, Linux, XP. As many of you know Vista is not the easiest to multiboot with.

I would refrain from a network card and for sure disable it in the bios. A large number of cases we have require that there be no network or internet connection on the examination machine.

Updates for windows, and other software can be made via a thumbdrive.

Would it be too much to ask for specialist hardware to be included as well ?

When faced with having to chose a writeblocker for example - which one would people reccommend, or possibly more importantly, which would they avoid ?

In the UK, Rock make quite decent desktop replacement "portable" machines - they also have some interesting features, such as RAIDed drives that makes them quite well suited to business jobs. Apple MacBook Pro laptops are both very portable, and very powerful. They have excellent screens and graphics & can dual ( triple ) boot any combination of Windows/MacOS X/Linux ...

I find that the Dell LCD monitor range offer excellent quality/value, and in all the time I've used them in a corporate environment, I have not known a single one either arrive dead or fail in use, unlike both Sony and Samsung monitors that I have seen ...

Hi all,

If we're going to get really specific we might want to look at how the processor divides its secondary cache memory between the data banks of RAM. For example a Xeon CPU with 4MB depending on it's desgnation might allocate 2MB to each of 2 banks of RAM. Therefore if you frequently only use half the installed RAM you may also be losing half the secondary cache of the CPU. So you might decide to spend more money on a better CPU and less on memory. It all depends on the type of work you get your machine to do.

In more general terms we are looking seriously at Mac Pro machines now as these seem to run core tasks in FTK and EnCase quicker than similar spec PCs. It has the added advantage of being both your Mac and your PC. They run into the very high spec and I believe this past week saw the release of the new Intel CPUs.

On the cheaper side of things we have a few Intel Core 2 Duo machines in the lab as secondary work machines and these are surprisingly good.

The bottleneck is frequently read/write access from the hard drive on which the evidence is stored. Externally connected hard drives containing evidence ideally should be connected via Firewire B, as this performs roughly on a parl to internal SATA. We found USB 2 resulted in tasks running at roughly half the speed of IDE 100. An alternative might be to have an i-scsi card in your PC and an i-scsi external data store. Not the cheapest again though.

Bare in mind where you put your pagefile (if you have one). A separate disk on a separate channel is better than on the OS partition or worse still on the OS drive but a different partition.

As for wite blockers we have been using Tableau ones for a while. They are easy to manage with firmware updates etc and offer Firewire A and B and USB 2 connections. Writeable versions are also available and are quite good for doing a restore of an image.

Just a few thoughts.

Steve

Excellent comments guys, thank you.

I really would like to encourage anyone else to chime in too, even if its only to share your thoughts on one particular piece of hardware. I'll start to put up a preliminary list of recommended components shortly but more input from other members would be very useful.

OK, just to nudge this on a little bit I'm going to suggest we stick with Intel's Core 2 Duo as a sensible CPU choice ("sensible" being a good compromise between cost and performance). That being the case, any recommedations out there for specific motherboards or chipsets?

I have had good success with the ASUS boards with NVIDIA chipset with the Intel chipset coming in a close second. Right now I am building a system with one of the new "energy efficient" P5E3 boards.

Compusys make good workstations. Just got a new one, specs are as follows:

Dual Xeon E5335 (Quad core)
8GB Ram
WD Raptor drive (150gb)

I've not had a chance to fully test it, but I suspect it'll do the job. The system board is Intel, so hopefully stability won't be a problem! The reason for the large amount of ram is to allow me to run multiple Virtual Machines!

Thanks BitHead (I've been very happy with previous ASUS boards too). Looking at some reviews of the P5E3 it seems to be well received so unless anyone has any complaints I'll use it as the suggested/recommended board for the Core 2 Duo chip. BTW does anyone know the difference between the P5E3 and the P5E3 Deluxe? It wasn't immediately obvious to me after a little Googling. I did notice there's yet another option, though, the P5E3 Deluxe with wi-fi which brings a question to mind...are people purposefully avoiding boards with built in wi-fi chips, perhaps with security/data integrity concerns in mind (even assuming this functionality can be disabled)?

My current main forensics workstation is using an ASUS board as well but it's the P5W64 WS professional. I put a quad core kentsfield chip in it. I only recommend ASUS boards. I bought it specifically for the 4 PCI express slots. I use one for video, one for hardware raid and one for my firewire 800 card. The firewire card is connected to my tableau T35i. I also have a plextor dual layer dvd burner PX-760A. I put two CRU-dataport removable drive trays in. The case is a NZXT Lexa.

So on to recommendations:
CPU: Don't buy dual core processors. Buy Quad cores, especially if buying the xeons. The Penryn chip(X5400 series) is supposed to be insanely great.

MOTHERBOARD: buy ASUS motherboards. They're a little more expensive but generally worth it. The P5 series is pretty solid.

HARD DRIVE: Buy seagate hard drives(I go with the enterprise class drives. They're a little slower, but they don't die) unless buying WD raptors.

REMOVABLE TRAYS: If using removable trays buy CRU dataports - the quality is great.

MEMORY: I have been using Crucial Ballistix lately. They're good, fast and affordable. As is G.Skill. If you want top of the line get GEIL PC8500 Ultra which is limited and with CAS of 4-4-4-12. These things overclock like crazy - to 1200MHZ and are stable, but they're expensive.

CASES: Look at Cooler Master cases. The Cosmos looks like a beautiful case - 6 internal drive bays and 5 5.25" bays.

POWER: Seasonic power supplies are nice, but try to get more 12v rails. I just bought an Antec True power 1000W

CD/DVD: Plextor cd/dvd writes are a little more expensive but rarely if ever fail, and succeed where others do fail.

NIC: The only choice here is the Intel Pro 1000 series cards.

WRITE BLOCKER: Tableau/digital intelligence

Backup Storage: Dual layer DVD's.

Video Card: As long as it works it doesn't matter to me...ATI/Nvidia...unless you're utilizing the 8800's GPU's as processors.

Sound Card: Something that handle 6 channels.

Monitor: NEC Multisync 90GX w/ Opticlear. I love these.

RAID: I like 3Ware controllers. I have a 9550 and 9650 and love them both.

USB KEYS: I like corsairs. I have a flash voyager GT that's been rock solid. I just bought an Ironkey but can't recommend it yet.

PELICAN CASES: I have two 1600's. They're extremely bulky but my jump kit is large.

NETWORK TAPS: NetOptics. The Teeny tap has saved me more than once.

DON'T BUYS:
Kingwin anything. These are complete garbage components.

Hope that helps Jamie.