Best Specs for a Forensic PC Tower (not a laptop)
I have an old Tower, which I constantly upgrade, but it's on its last legs; the power supply recently crapped the bed.
I currently have on hand:
1. New 64 GB total of RAM Chips
2. 2 New Solid State Drives 2TB each
All other components are in the HP Z420 Tower which is about to be disposed.
What is the best PC and/or specs for a PC running Forensic Applications (Cellebrite, FTK Imager, Autopsy, etc.)?
Any info is good
Thanks in Advance
Ask the manufacturers of the platforms you are using for their recommendations. Not only for the best hardware, but also how to use it: use of page disk, tmpdisk, RAIDing, possibly use of GPU, etc.
I'm fairly certain Exterro/AccessData have recommendations -- in those I remember reading, not everything was self-evident, but it made sense. I suspect Cellebrite also have recommendations.
I can recommend the P920s from Lenovo, we have used their range (P900-P920) for some time and they have been very reliable.
Budget is a massive factor but I'd go for more cores over faster cores (some years ago I would have advocated faster cores) as software like Axiom really uses all your CPU.
If you are using software that requires a more tailored approach, then see the manufacturer's recommendations.
"but I'd go for more cores over faster cores"
1) Performance decreases with too many cores (the RAM bandwidth is saturated and you get cache thrashing). I could post some graphs with actual measurements, but this forum doesn't allow it.
2) There are very few tasks that require more than a few cores and are CPU bound. Most tasks are limited by the disk speed, RAM speed, GPU speed or network speed. Going from 8 cores to 32 cores doesn't make your disk any faster and even fast SSDs only do ~100MB/sec when reading small files.
3) Once you get to a system with dual sockets you end up with NUMA based RAM access. This can be rather slow unless the software is aware of it (and 99% of software isn't aware of it).
4) Many tasks are inherently single threaded. The classic one for forensics is E01 decode. The ZLIB decompression algorithm can't be threaded, so only uses 1 core. So pretty much everything you do with an E01 is gated by this single threaded task. And even a good CPU only manages around 100MB/sec. So you want the best single core speed possible for this.
Fortunately there are some CPUs with excellent single threaded AND multi-threaded performance at a very reasonable price. The $270 i5-12600K would be a great choice at the moment. (or the i7-13700 in about a month from now). Could build a nice system for $2K. If forensics software doesn't run very well on a $2K system there is something wrong with the software.
Also rather than putting in 500GB of RAM into a single machine the money is better spent on getting 4 separate machines with 128GB each (64GB is plenty however). You get 4 times the PCIe disk bandwidth and 4 times the RAM bandwidth this way, plus redundancy in case of hardware failure.
Fast SSDs and big dual screen 4K monitors are more important than more CPU cores.
Adding to this thread... any thoughts on the E-Cores / P-Cores and processing? Was considering AMD over Intel in the fear that multicore processing might take a hit on the E-Cores. Especially on tools like EnCase or NUIX.
@passmark Interestingly enough, OSForensics is able to take advantage of the 32 cores we have in a 10 year old server with just 64GB of RAM. I know OSForensics pops up a message stating "adding more than 10 cores can degrade performance," but our 10 year old server indexes so fast with OSForensics and all 32 cores enabled.
I do know that once OSForensics hits an OST or PST file, then only one core can be used per OST/PST file at a time, hence your suggestion that faster cores are better than more cores.
From my personal experience, OSForensics can index ESI faster than any other forensic tool we have tested (it is not even close!!!), so perhaps the indexer engine is a factor to consider as well.