Building a Forensic Analysis Machine  

vrocco
(@vrocco)
Junior Member

I am interested in thoughts and experience of this forum on building my own forensic analysis machine. This would be a non-portable, lab machine for analyzing forensic images, cell equipment, memory cards, etc.

What (by current standards) would you recommend for hardware requirements?

Posted : 16/05/2006 10:21 pm
DigitalExodus
(@digitalexodus)
New Member

start here Computer Forensic Systems

In my opinion, the critical areas are a lot of HDD space and very fast disks. But when taking images, you can only pull as fast as the source drive spins. But remember, once you've got an image, the faster the disks that hold the image, the faster you can manage the image (when using forensic software to analyze it). Also I would want a good bit of memory; 1-2GB would be ideal (the more the better, though). And I would assume the faster the CPU can crunch numbers, the better off you'll be. I would shoot for the dual core P4's, and then a motherboard that can handle this powerhouse and bring it all together with room for expansion, to say the least. But be sure you have a device such as a 6-in-1 card reader, or something; just be sure you have the capability to read from almost any type of media (USB, SATA, IDE, SCSI, etc... you get the point).

Posted : 16/05/2006 11:58 pm
Andy
(@andy)
Active Member

Whatever you get it needs plenty of speed (dual processor), many forensic tools are processor and RAM hungry (EnCase, etc), also a large amount of storage space (Terabyte RAID).

Posted : 17/05/2006 1:26 am
hogfly
(@hogfly)
Active Member

I agree with the other guys.
I finally got enough money last year to build a solid system. Cost me around $3k.

Tyan K8WE -Dual opteron MOBO - dual core capable
Dual Opteron 246's (2.0ghz)
6GB Patriot ECC ram
1.2TB array (WD 400GB Raid class SATA drives)
4 removable drive bays (2 IDE, 2 SATA)
Firewire 800 PCI-X 16 adapter
Digital Intel T335 forensic drive bay controller(new addition)

Posted : 17/05/2006 4:27 am
armresl
(@armresl)
Community Legend

WD are the absolute worst hard drives made.

I see more failed WD's than any other drive and the 250's and up are the worst offenders.

If speed is an issue get a very small SCSI drive and load your OS's to that drive. Pretty sure you would run a multiple OS boot with different flavors including some Linux.

Posted : 17/05/2006 5:34 am
hogfly
(@hogfly)
Active Member

To each his own... I've been running this class of hard drive for a few years in servers and never had a single problem. The "consumer" grade drives are junk, no matter which manufacturer you use.

Posted : 17/05/2006 7:06 am
rkamens
(@rkamens)
Junior Member

deleted

Posted : 17/05/2006 6:15 pm
armresl
(@armresl)
Community Legend

There is a known firmware problem with several lines of WD drives and while you can get them to give you another drive, unless you have the equip to rewrite firmware then you are out of luck on the data.

MHDD is good for HD problems but has a really high learning curve.

If anyone has bad drives they were going to throw away, I will gladly pay something for those drives.

Posted : 17/05/2006 9:55 pm
vrocco
(@vrocco)
Junior Member

Back on topic…..anyone else willing to post a profile of their forensic machine to give me a better idea where to start?

Posted : 17/05/2006 10:20 pm
JimmyW
(@jimmyw)
Member

Tyan K8WE -Dual opteron MOBO - dual core capable
Dual Opteron 246's (2.0ghz)
6GB Patriot ECC ram
1.2TB array (WD 400GB Raid class SATA drives)
4 removable drive bays (2 IDE, 2 SATA)
Firewire 800 PCI-X 16 adapter
Digital Intel T335 forensic drive bay controller(new addition)

I use a similar setup on my machines: Tyan 2895 with 2 dual core Opterons, 6-8GB RAM. Concerning my RAID 5, I highly recommend Broadcom's 4852 controller. I built a 2TB array with Broadcom's distributed sparing, which costs an extra drive's worth of space, but adds performance and safety. My system dual boots with XP 32/64. After I'm done working a case, I move the images to a storage machine. My newest system uses 500 GB WD SATAs, and I've used Hitachis in the past. (I've had more problems with Maxtors than any other brand. I think it's somewhat luck.) I also suggest a Lian Li V-2000 case with plenty of cooling!

Posted : 19/05/2006 9:54 am
ChopOMatic
(@chopomatic)
New Member

I'm about to build a forensic machine as well, for my home lab, so I'll be able to work from home if need be. The basics:

-Tyan S2895 with a pair of dual-core Opterons

-15K RPM SCSI boot drive

-A pair of the new Seagate 750GB SATAs for active evidence

-8 GB of RAM (remember that 32-bit Windows cannot effectively use all that RAM)

-Acer 24" monitor (looks great, IMO nearly as good as the Sony PremierPro 23", for $712 as opposed to $1000+)

-Adesso programmable keyboard with mechanical keyswitches

-Prolly a triple-boot config Win32/Win64/Linux

-Yada yada yada

As someone already mentioned, HD speed is critical. In many many operations this is the bottleneck.

Jerry

Posted : 20/05/2006 12:00 am
JimmyW
(@jimmyw)
Member

-Tyan S2895 with a pair of dual-core Opterons

-15K RPM SCSI boot drive

Jerry

One thing to consider is, since you're getting the 2895 with the SCSI option, add one more SCSI drive for the page file. Also, I like the smaller (37GB) drives for my systems, as they backup more quickly.

Posted : 20/05/2006 12:58 am
ChopOMatic
(@chopomatic)
New Member

One thing to consider is, since you're getting the 2895 with the SCSI option, add one more SCSI drive for the page file. Also, I like the smaller (37GB) drives for my systems, as they backup more quickly.

I'm currently running a similar config, but with SATA: a 36GB Raptor boot drive and an identical drive for swap. You're right, certainly worth considering.

I wish SCSI wasn't so pricey, because I'd love to go with 15K-RPM SCSI for storage, as well. But alas, it is.

BTW, if anyone doubts the claim as to the importance of HD speed, load up a few different EnCase processes and poke around in your performance monitor. You'll often find the processor at 10% utilization and your gigabit network at 1% or less, even if you're processing evidence across the wire.

That's not to say HD speed is the only important element, of course. Certainly the Weakest Link paradigm is fully in play in forensic work. But for many tasks, that weak link may not be where you think it is.

Chop

Posted : 20/05/2006 5:29 am
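Chop's performance-monitor observation (and DigitalExodus's point earlier that you can only pull as fast as the source drive delivers) can be checked without EnCase. The script below is an added example, not code from the thread or from any poster; it times a raw sequential read of an image against a read-plus-hash pass. If hashing is barely slower than the raw read, the disk is the bottleneck; if it is far slower, the single-threaded hash is, and a faster array will not help. The sample image, the 1.5x threshold and the temp-file handling are assumptions made here for the demonstration. Run it on an image larger than RAM, or rely on the Linux/Unix-only cache eviction, so the second pass is not served from the page cache.

```python
"""Added example: is a pass over an evidence image disk-bound or CPU-bound?

Times a raw sequential read against a read+hash pass. Constructed for this
thread; not from the original posts. Meaningful only when the passes hit the
disk, so use an image larger than RAM or let evict_from_cache() drop the
file's pages (posix_fadvise, Linux/Unix only) between passes.
"""
import hashlib
import os
import tempfile
import time

CHUNK = 1024 * 1024  # 1 MiB reads keep a SATA drive streaming sequentially


def write_sample_image(size_mib=16):
    """Constructed stand-in for a forensic image: random bytes in a temp file."""
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as f:
        for _ in range(size_mib):
            f.write(os.urandom(1024 * 1024))
    return path


def evict_from_cache(path):
    """Ask the kernel to drop the file's cached pages so the next pass hits
    the disk. Returns False where posix_fadvise is unavailable (Windows)."""
    if not hasattr(os, "posix_fadvise"):
        return False
    fd = os.open(path, os.O_RDONLY)
    try:
        os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)
    finally:
        os.close(fd)
    return True


def _stream(path, consume, chunk=CHUNK):
    """Read `path` sequentially, feeding each chunk to `consume`.
    Returns (bytes_read, seconds)."""
    total = 0
    start = time.perf_counter()
    with open(path, "rb", buffering=0) as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                break
            consume(buf)
            total += len(buf)
    return total, time.perf_counter() - start


def read_pass(path):
    """Raw read only: the rate the storage can deliver."""
    return _stream(path, lambda _buf: None)


def hash_pass(path, algo="sha256"):
    """Read plus hash, which is what acquisition and verification tools do."""
    h = hashlib.new(algo)
    nbytes, secs = _stream(path, h.update)
    return nbytes, secs, h.hexdigest()


def mib_per_s(nbytes, secs):
    """Throughput in MiB/s; infinite if the pass took no measurable time."""
    return nbytes / (1024 * 1024) / secs if secs > 0 else float("inf")


def profile(path, algo="sha256", evict=True):
    """Time both passes and return throughput figures plus a verdict."""
    if evict:
        evict_from_cache(path)
    nbytes, t_read = read_pass(path)
    if evict:
        evict_from_cache(path)
    nbytes2, t_hash, digest = hash_pass(path, algo)
    if nbytes != nbytes2:
        raise RuntimeError("file changed between passes")
    # Hashing adds CPU work on top of the same I/O. If the hash pass is not
    # much slower than the raw read, the disk is the limit; if it is far
    # slower, the (single-threaded) hash is. The 1.5x split is an assumption.
    verdict = "disk-bound" if t_hash <= 1.5 * t_read else "cpu-bound"
    return {
        "bytes": nbytes,
        "read_mib_s": mib_per_s(nbytes, t_read),
        "hash_mib_s": mib_per_s(nbytes, t_hash),
        "digest": digest,
        "verdict": verdict,
    }


if __name__ == "__main__":
    img = write_sample_image(64)
    try:
        for key, val in profile(img).items():
            print(f"{key}: {val}")
    finally:
        os.remove(img)
```

On a real lab box, point `profile()` at an image on the evidence array rather than the generated sample; on a 2006-era single-core hash the verdict will often be "cpu-bound" for MD5/SHA-1 verification, which is the same "processor at 10%" picture Chop describes seen from the other side: one core saturated, the rest idle.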
gmarshall139
(@gmarshall139)
Active Member

Make sure your SATA drives are rated for 3Gb/s.

Posted : 20/05/2006 7:29 am
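A drive rated for 3Gb/s only helps if the link actually negotiates it; a 1.5 Gb/s port, a speed-limit jumper left on, or a marginal cable silently halves the rate. The script below is an added example, not from the thread or any poster, showing how to check the negotiated speed on the Linux side of a dual-boot lab machine. It assumes the Linux sysfs layout `/sys/class/ata_link/link<N>/sata_spd` (values `1.5 Gbps`, `3.0 Gbps`, `6.0 Gbps`, or `<unknown>` for an empty port) and `sata_spd_limit`; the constructed fake sysfs tree exists only so the example runs offline.

```python
"""Added example: report the negotiated speed of each SATA link from sysfs so
a drive quietly running at 1.5 Gbps is noticed. Not from the thread.

Assumed Linux layout: /sys/class/ata_link/link<N>/sata_spd holds
"1.5 Gbps", "3.0 Gbps", "6.0 Gbps" or "<unknown>" (unpopulated port), and
sata_spd_limit holds the configured cap for that link.
"""
import os
import tempfile

SYSFS_ATA_LINK = "/sys/class/ata_link"


def _read_attr(path):
    """Return a sysfs attribute's text, or None if it cannot be read."""
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return None


def parse_gbps(text):
    """'3.0 Gbps' -> 3.0; None for '<unknown>', missing, or malformed values."""
    if not text:
        return None
    parts = text.split()
    if len(parts) != 2 or parts[1] != "Gbps":
        return None
    try:
        return float(parts[0])
    except ValueError:
        return None


def sata_links(base=SYSFS_ATA_LINK):
    """Map link name -> {'speed': negotiated Gbps, 'limit': configured cap}."""
    links = {}
    if not os.path.isdir(base):
        return links
    for name in sorted(os.listdir(base)):
        d = os.path.join(base, name)
        links[name] = {
            "speed": parse_gbps(_read_attr(os.path.join(d, "sata_spd"))),
            "limit": parse_gbps(_read_attr(os.path.join(d, "sata_spd_limit"))),
        }
    return links


def below_expected(links, expected=3.0):
    """Populated links negotiating slower than `expected` Gbps: a 3 Gb/s
    drive on a 1.5 Gb/s port, a jumper left on, or a bad cable."""
    return [name for name, v in sorted(links.items())
            if v["speed"] is not None and v["speed"] < expected]


def build_fake_sysfs(speeds, limit="3.0 Gbps"):
    """Constructed sysfs tree for offline demonstration; returns its path."""
    base = tempfile.mkdtemp(prefix="ata_link_")
    for i, spd in enumerate(speeds, start=1):
        d = os.path.join(base, f"link{i}")
        os.makedirs(d)
        with open(os.path.join(d, "sata_spd"), "w") as f:
            f.write(spd + "\n")
        with open(os.path.join(d, "sata_spd_limit"), "w") as f:
            f.write(limit + "\n")
    return base


if __name__ == "__main__":
    # Use the real sysfs when present, otherwise the constructed tree.
    if os.path.isdir(SYSFS_ATA_LINK):
        base = SYSFS_ATA_LINK
    else:
        base = build_fake_sysfs(["3.0 Gbps", "1.5 Gbps", "<unknown>"])
    links = sata_links(base)
    for name, v in links.items():
        print(f"{name}: speed={v['speed']} Gbps, limit={v['limit']} Gbps")
    slow = below_expected(links)
    print("below 3.0 Gbps:", ", ".join(slow) if slow else "none")
```

Run it after cabling up a new array and again after any drive swap; a link that shows a `limit` of 3.0 but a `speed` of 1.5 points at the drive or cable rather than the controller.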
ChopOMatic
(@chopomatic)
New Member

Make sure your SATA drives are rated for 3Gb/s.

Yup, already switched to the new standard on that.

Chop

Posted : 20/05/2006 9:06 am