±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 36115
New Yesterday: 0 Visitors: 131

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

i7 or Xeon

Discussion of forensic workstations, write blockers, bridges, adapters, disk duplicators, storage etc. Strictly no advertising of commercial products, please.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page Previous  1, 2, 3  Next 
  

randomaccess
Senior Member
 

Re: i7 or Xeon

Post Posted: Apr 07, 17 18:21

- MDCR
- randomaccess
- MDCR
The Xeon really flies with a dual/multi processor setup, and multi threaded applications work well since it is built for it. So, if you got an application that wouldn't make use of Xeon hardware, then go with the i7.


I did a bit of testing with single and dual xeon machines and didn't really find a huge speed improvement for the dual.
Better to have a faster disk speed and more RAM


And with what did you test it? Was it specifically written for Xeon processors? If not, you get crap performance and it wont matter.

There is a reason why there are 2+ CPU slots on most Xeon boards, they don't add extra CPUs for because someone thinks it would be cool.


I tested a few forensic tools commonly used in my lab.
I dont think many forensic tools are written for xeon processors, so yeah pretty much was just testing for multi-core+ram+disk speed. Basically encase6 is ridiculously slow when compared to encase8 and xways (which in some respects were equal, but xways was usually faster). Having all the data on the host ssd also made a massive difference (as expected), even compared to the raid.

As a sidebar, there's also some research into the use of RAMdisks to improve speed even more, but that's only going to be useful for some processes until you can get into the terabytes of ram

I get there's a reason for it, I'm just saying I don't think it's necessary for forensic applications - someone should get a xeon, dual xeon, and i7-7700 and run some tests Wink  
 
  

MDCR
Senior Member
 

Re: i7 or Xeon

Post Posted: Apr 08, 17 09:42

- randomaccess

I tested a few forensic tools commonly used in my lab.
I dont think many forensic tools are written for xeon processors, so yeah pretty much was just testing for multi-core+ram+disk speed. Basically encase6 is ridiculously slow when compared to encase8 and xways (which in some respects were equal, but xways was usually faster). Having all the data on the host ssd also made a massive difference (as expected), even compared to the raid.

As a sidebar, there's also some research into the use of RAMdisks to improve speed even more, but that's only going to be useful for some processes until you can get into the terabytes of ram

I get there's a reason for it, I'm just saying I don't think it's necessary for forensic applications - someone should get a xeon, dual xeon, and i7-7700 and run some tests Wink


Well, there you go. As i have mentioned in another thread, i've written specific program that utilise multicore/multicpu hardware and when you do, Xeon is unbeatable. If you want to read up on why and when you should us Xeon, here you go: https://en.wikipedia.org/wiki/Xeon

You can use Ramdisks today to store information you want to write, or as a cache. IMDisk is one free tool you can use - now - to get a RAM device capable of bus speeds. You can also put PCI Express SSD storage devices like Revodrives in Raid0 and get a speed close to the bus speed, i have done it and it is insanely fast. To get the same speed, you need several SATA3 controllers with one SSD per controller in raid 0 to get the same performance.

Putting all this together: There is a reason why i don't even look at Encase, FTK or Security Analytics when i've done investigations, my main forensics tool is Visual Studio running on insanely fast hardware. If i need to extract information, i use a specialised tool like Network miner, in all other cases when dealing with any kind of large raw (big)data like DD images, Logs, Pcaps - i write my own multi threaded tools.

This is why i recommend forensics analysts to learn how to code. If you don't know how to code then you are limited to the products capabilities.  
 
  

Vesalius
Senior Member
 

Re: i7 or Xeon

Post Posted: Apr 10, 17 15:30

Well then from what I gathered I got a pretty decent purchase,
-------------------------------------------------------------------------------------------------------------
Operating System
Windows 10 Pro 64-bit
CPU
Intel Core i7 @ 4.20GHz
Kaby Lake 14nm Technology
RAM
32.0GB Dual-Channel Unknown @ 1071MHz (15-15-15-36)
Motherboard
ASUSTeK COMPUTER INC. MAXIMUS IX CODE (LGA1151)
Graphics
HP 24es ([email protected])
4095MB NVIDIA GeForce GTX 1070 (ASUStek Computer Inc)
Storage
476GB Samsung SSD 850 PRO 512GB (SSD)
Optical Drives
TSSTcorp CDDVDW SH-224GB
Audio
Realtek High Definition Audio

-------------------------------------------------------------------------------------------------------------

all I need to upgrade or add is another SSD, prefreabbly M2, or SSD's for grabbing images.

Cheers guys!
_________________
Digital Forensics is an Exact science, not the procedures, but the results. 
 
  

Vesalius
Senior Member
 

Re: i7 or Xeon

Post Posted: Apr 10, 17 15:46

[quote="MDCR"]
- randomaccess

This is why i recommend forensics analysts to learn how to code. If you don't know how to code then you are limited to the products capabilities.


I am familiar with the basics of Java and C#, so learning a new language won't be hard for me, where would you recommend I begin, what languages do you use and what do you use them for if you don't mind me asking?
_________________
Digital Forensics is an Exact science, not the procedures, but the results. 
 
  

Bulldawg
Senior Member
 

Re: i7 or Xeon

Post Posted: Apr 10, 17 17:49

My $0.02 on the subject:

1. Very few forensics tools can take advantage of heavily multi-core systems. Magnet IEF (Axiom) seems to be the most hungry for cores, but it cannot use all 24 threads on our dual Xeon E5-2620 (6 core, 12 thread each at 2.0 Ghz). This is an older system, but still has fast enough storage that it should get enough data to use all 24 threads available. It does not make use of all threads for whatever reason.

In contrast Magnet Axiom running on a newer i7-5930K (6 core 12 thread overclocked to 4.5 Ghz) does use all 12 threads. 12 threads that are running over twice as fast as the 24 threads on the Xeon machine.

It get much, much worse when you're looking at EnCase, Cellebrite PA, FTK Imager, etc. Many of those workloads are single threaded, so the i7 running at 4.5 Ghz is over twice as fast as the Xeon running at 2.0 Ghz.

2. You cannot discount the ability of an i7 (K or X sku) to overclock. My i7-5930K is running on air cooling, and with a very slight voltage bump it runs at 4.5 Ghz 24/7. The official clock on this CPU is 3.5 Ghz with a 3.7 Ghz boost clock.

Xeons don't overclock AFAIK.

3. ECC RAM is an advantage. In 2018 I'm going to take a serious looks at using an AMD Ryzen CPU in my systems so I can get overclocking and ECC RAM. I'm also hoping AMD's allowing ECC RAM on Ryzen will force Intel to rethink supporting ECC RAM on high end i7 CPUs rather than keeping it a Xeon exclusive.

Notes:
I know all this is anecdotal evidence, and I've certainly not done any scientific testing, but for your information: I feel both systems have sufficiently fast storage to make this meaningful. The i7 system is using an NVMe drive and the Xeon system has a RAID 0 array of SSDs.

IMO, storage speed is still king on a forensic workstation. NVMe drives are a must if you can afford them. My next system uses Intel 750 PCIe SSDs for storage. Rotating disks are too slow. SATA SSDs are a good compromise of speed and performance.

Also IMO, the i7-7700K is not the best Intel i7 for forensics. Its low core count (4) means for some workloads it will be at a disadvantage compared to other Intel CPUs. The 7700K also has a max of 16 PCIe lanes. Shocked This is fine for gaming (unless you're running multiple GPUs), but not for all the PCIe cards I generally put in a forensic workstation. Plus, it can only handle 64 GB of RAM. It can overclock, however. 5.0 Ghz is a pretty conservative overclock for an i7-7700k on water cooling.

I believe the sweet spot right now is an i7-6850K (6 core, 12 thread which should overclock nicely). This CPU has 40 PCIe lanes, which leaves plenty of breathing room. If you're feeling rich, go for the i7-6950X (10 core, 20 thread) but be prepared for less stellar overclocking. These CPUs also support up to 128 GB of RAM.

I expect an upgrade to Intel's X99/enthusiast line of CPUs soon since all the current CPUs are based off the Skylake architecture rather than the newer Kaby Lake.

TL;DR - i7 enthusiast CPUs are the current best for forensic workstations.  
 
  

MDCR
Senior Member
 

Re: i7 or Xeon

Post Posted: Apr 11, 17 00:34

[quote="Vesalius"]
- MDCR
- randomaccess

This is why i recommend forensics analysts to learn how to code. If you don't know how to code then you are limited to the products capabilities.


I am familiar with the basics of Java and C#, so learning a new language won't be hard for me, where would you recommend I begin, what languages do you use and what do you use them for if you don't mind me asking?


Well, any language that do the job you're looking to do. I'm not going to say "use C++" like the zealots from "the holy C-church" do. You can do plenty with Python, C#, VB.Net, Java or any language that is versatile enough. Some languages like Ruby on rails are more functional and have their use, i.e. for parsing logs.

The bare minimum for a language would be to be able to read files, parse textfiles, search for text or binary values in a variable or array. Also if it can get web content, extract data from JSON/XML it doesn't hurt.

And as this discussion suggest, being able to multithread well is very useful. All the languages i listed above are MT capable and could use a multi core/multi cpu hardware setup. Even IF you use a language that is not multithreaded, you can usually spawn multiple processes of the same tool and give it different parameters, that way you can utilise the hardware anyway.  
 
  

Passmark
Senior Member
 

Re: i7 or Xeon

Post Posted: Apr 11, 17 10:14

- MDCR
Was it specifically written for Xeon processors? If not, you get crap performance and it wont matter.


This is not true.
Nobody ever writes specific Xeon code. At least not for forensics. The Xeon uses the same x86 instruction set as desktop and mobile CPUs. It is true that a developer might target a certain number of Cores, or a certain amount of RAM, or even a certain x86 instruction sub-set (like AVX or SSE). But they don't target 'Xeon'.

I did a short study a year back on CPU and disk use for forensics tasks. It was only with our own tools, but it applies to a lot of what is on the market.

My conclusions (14 months ago) were,
• Most forensics tasks are disk bound and single threaded.
• Even when not single threaded a two core CPU is enough
• When picking a CPU, customers should favour a small number
of fast CPU cores (e.g. 4 cores at 3.9Ghz) rather than a large
number of slow cores (32 cores at 2.4Ghz).
• Hardware spend should instead be on better disks and SSDs.
• For most tasks 8GB of RAM is plenty. Or 16GB if running VMs.

With the following exceptions
• Password cracking uses lots of cores.
• Working on multiple projects at the same can use lots of core (if not disk bound).

Obviously as disks get faster and code gets better, things change. So if I was doing the same study again I am sure 4 cores would be a minimum recommendation. But the number of tasks that benefit from more than 4 core would be few (as they are normally disk bound if well coded).  
 

Page 2 of 3
Page Previous  1, 2, 3  Next