Analyst Workstation - What are you using?

Discussion of forensic workstations, write blockers, bridges, adapters, disk duplicators, storage etc. Strictly no advertising of commercial products, please.
  

skyccord
Newbie
 

Analyst Workstation - What are you using?

Posted: Jan 20, 20 15:44

Looking at upgrading our lab setup. What are you folks doing these days?

Daily software is:
X-Ways
Blackbag Blacklight  
 
  

Rich2005
Senior Member
 

Re: Analyst Workstation - What are you using?

Posted: Jan 20, 20 15:57

Are you talking about upgrading hardware to better run your software? Or upgrading the software itself? Or both?  
 
  

skyccord
Newbie
 

Re: Analyst Workstation - What are you using?

Posted: Jan 20, 20 16:35

- Rich2005
Are you talking about upgrading hardware to better run your software? Or upgrading the software itself? Or both?


Hardware for analyst station.  
 
  

Rich2005
Senior Member
 

Re: Analyst Workstation - What are you using?

Posted: Jan 20, 20 16:56

I'd have a few suggestions if you're not working on a massive budget (others could probably help if you've got a lot more money to play with).
Firstly, as with any computer these days, an SSD makes a massive difference, and a workstation is no different (depending on the types of tools you're using). Most of them aren't expensive these days (and you can do your own googling for the best price/performance/reliability).
So one for your OS and tools is a no-brainer.
Anything like Axiom/NUIX that's going to be using lots of threads/processes will benefit a lot from SSDs.
NUIX particularly will benefit from having its case folder on an SSD (and also, I imagine, so would any tool that has a large indexed database to search from).
You can get good performance from a RAID to store your evidence files on for processing, reading sequentially, but I don't think these tools always end up reading sequentially, so a large SSD for your evidence would probably also speed things up (I've not tested - but from a glance at performance monitor watching the speeds and what it's reading/writing - I think it's probably reading from various parts of a drive image and therefore thrashing the disk and degrading performance).
I'd investigate the performance benefits of NVME ones too and make your choice depending on budget.
I went for an i9 9900K for the CPU, as it's a pretty good all-rounder, with good single-threaded performance, and many tools seem to prefer a higher clock speed to a larger number of cores (even though it has plenty of those too).
Had to settle for 64GB of RAM grudgingly, as I'd ideally have gone for 128 (and accepted the cost), or more, but that would have meant changing the rest of the spec of the kit and disproportionately increasing the price. This is probably less of an issue if you're not using something like NUIX though.  
 
  

skyccord
Newbie
 

Re: Analyst Workstation - What are you using?

Posted: Jan 20, 20 17:09

- Rich2005
I'd have a few suggestions if you're not working on a massive budget (others could probably help if you've got a lot more money to play with).
Firstly, as with any computer these days, an SSD makes a massive difference, and a workstation is no different (depending on the types of tools you're using). Most of them aren't expensive these days (and you can do your own googling for the best price/performance/reliability).
So one for your OS and tools is a no-brainer.
Anything like Axiom/NUIX that's going to be using lots of threads/processes will benefit a lot from SSDs.
NUIX particularly will benefit from having its case folder on an SSD (and also, I imagine, so would any tool that has a large indexed database to search from).
You can get good performance from a RAID to store your evidence files on for processing, reading sequentially, but I don't think these tools always end up reading sequentially, so a large SSD for your evidence would probably also speed things up (I've not tested - but from a glance at performance monitor watching the speeds and what it's reading/writing - I think it's probably reading from various parts of a drive image and therefore thrashing the disk and degrading performance).
I'd investigate the performance benefits of NVME ones too and make your choice depending on budget.
I went for an i9 9900K for the CPU, as it's a pretty good all-rounder, with good single-threaded performance, and many tools seem to prefer a higher clock speed to a larger number of cores (even though it has plenty of those too).
Had to settle for 64GB of RAM grudgingly, as I'd ideally have gone for 128 (and accepted the cost), or more, but that would have meant changing the rest of the spec of the kit and disproportionately increasing the price. This is probably less of an issue if you're not using something like NUIX though.


i9 over Xeon, that's the question. We have SSDs in our machines now. Just ordered another 4TB Samsung SSD. Never enough space...  
 
  

minime2k9
Senior Member
 

Re: Analyst Workstation - What are you using?

Posted: Jan 21, 20 06:52

Very much depends on the size of your average case as well and how you work.
Do you work with all the images and working files on your machine or do you process to and from external hard disk (either caddy or in dock)? How many cases would you normally have and what is the average size?

Our machines are set up with dual quad core Xeon (higher clock speed so fewer cores), 128GB of RAM and the following HDD config:
1 x 512gb SSD for OS
1 x 1TB/2TB SSD for some working files.
2 x 6TB HDD for case files (RAID 1).
4 x 8TB HDD for image files (RAID 0).
These are built into Lenovo 920 machines which we have found to be very reliable, and they give LE discount :)

Contrary to popular belief, the CPU actually seems to be the sticking point for a lot of forensic tools, including X-Ways, Axiom and Griffeye. On our machines, maxing one core only shows as 6% CPU usage and this leads people to believe the disk is slowing it down.

If you are using Griffeye or similar image processing tools, you may want to consider adding a powerful graphics card as well.  
 
  

Rich2005
Senior Member
 

Re: Analyst Workstation - What are you using?

Posted: Jan 21, 20 07:40

It's often both imo - during different times in the processing (CPU / disk bottleneck).
No doubt CPU is more often the sticking point in Axiom (and other tools to varying degrees)......but, as I say, if you're on dual xeons and 128GB of RAM, you're pushing the machine into another price bracket almost certainly <insert green-eyed-monster smiley here>.
However, without serious testing, I've casually observed the disk reading speed often dipping under 100mb/sec at times, but nowhere near as often when on the SSD, leading me to believe it's just due to thrashing from multiple threads reading different parts of the E01 image.
I have to mix-and-match on that front though depending on the size of the images.  
 
