
Building a new PC

Artee
(@artee)
New Member

Happy New Year all.

I'm about to start building a desktop PC for my university course in forensic computing and just wanted to know if I should be prioritizing any particular part of the hardware?

Thanks in advance.

Topic starter Posted : 01/01/2015 7:04 pm
mscotgrove
(@mscotgrove)
Senior Member

Lots of disk storage space. All modern PCs are pretty good speed-wise. Choose a 64-bit operating system.

Software is your big area for investigation.

Posted : 01/01/2015 10:17 pm
lpforensic
(@lpforensic)
New Member

Lots of RAM

Posted : 01/01/2015 11:33 pm
Bulldawg
(@bulldawg)
Active Member

If you can afford it, lots of FAST storage and plenty of RAM are your priorities. CPU isn't that critical unless you're going to be doing a lot of password cracking. The same goes for the GPU.

Minimum–get a small-ish SSD for your OS. 250 MB should be plenty and you can probably get by with a 120GB if you're good. Then use a cheaper spinning disk for all your analysis. A 4TB Western Digital Black drive should do. Better, put a few of those spinning disks in a RAID 0 (make sure you back up often), or RAID 10 (4 disks required). RAID 5 is okay too, but only with hardware RAID cards. Best would be lots of big SSDs, but that's cost prohibitive for most students.

RAM–32GB minimum. 64 GB will leave you more room for VMs.

CPU–Don't go for the latest and greatest Intel. The X99 chipset's RAM requirements bump up the price significantly, and DDR4 RAM isn't significantly faster in the real world than the DDR3 used by the Z97/Z87 chipsets. The CPUs are cheaper too. Hyperthreading isn't necessary, IMO. You can stick with an i5 of similar clock speed rather than paying for an i7.

Posted : 02/01/2015 9:32 pm
BitHead
(@bithead)
Community Legend

^^^^ That and an SSD for \Temp

Posted : 03/01/2015 3:49 am
athulin
(@athulin)
Community Legend

I'm about to start building a desktop PC for my university course in forensic computing and just wanted to know if I should be prioritizing any particular part of the hardware?

Display(s), keyboard and mouse – that's what you'll be facing most of the time. You don't want your problems to be with these devices. Make sure keyboard and mouse work also at boot time – you don't want to find yourself with a keyboard that is dead until the OS has loaded USB drivers. (This is not much of a problem anymore, but if you decide to use older equipment, you may want to double-check.)

Fans, and other noise-generating equipment – avoid them. (Go for a higher-specced power supply that won't need to spin up its fans because it never heats up, for instance. But quiet computing is a craft of its own. Consider avoiding extreme CPUs, if they require noisy cooling.)

Fast I/O channels – that goes both for memory and storage units. This may mean looking at server/workstation platforms rather than consumer platforms, though top-of-the line client platforms may have an edge in certain circumstances. (Hot graphics is of limited use – on-board graphics usually does the job, though graphics cards can be useful for cracking passwords.)

Robust device connectors. You're likely to plug in all kinds of devices – you don't want connectors placed where they're difficult to get at, or where you can't keep cabling neat. And you don't want connectors that die on you with the first hard tug on the wrong cable.

Support for hot-swapping disks may be important – but it depends more on your work habits than anything else. Room to grow (free PCI slots, free disk bays, free memory slots, …) may be important. If you blow your entire budget on one system, it will be very important (and that also means you need to get a power-supply with enough headroom for that extra growth).

Apart from that, follow the recommendations for the particular software you're going to use. If your forensic-toolkit-of-choice doesn't support multi-core systems, the benefit of having a multi-core CPU will be limited. And if it can't make use of more than X Gb of user memory, again, loads and loads of memory may not be your best choice.

If you don't know what software you'll be running, spend around half of your budget on a middle-high gaming platform with some additional memory and disks. Keep the other half for your first upgrade once you've learned what is important to your particular circumstances. You'll need it.

If you can definitely say that you'll be mainly using EnCase or FTK or … whatever, you would probably get more specific recommendations.

Posted : 03/01/2015 11:44 am
minime2k9
(@minime2k9)
Active Member

OK so firstly, designing a "forensic workstation" for home/uni use is very different to an industry spec system. Usually the image files provided are a fraction of the size of the "normal" image files that investigators deal with everyday. Also universities tend to like you to go more in depth into low level tools to give you that understanding of what you are doing (not a bad thing by any means).

As such, I will recommend the following to you

Find out what forensic software the course is going to have you use, I imagine it will be one of the following
Encase 6 - Outdated now but still used because it is preferable to the new version
Encase 7 - Utter S**t, used on some courses because it is the latest version
FTK - not sure if this is used as much on uni courses because of the server - client approach it seems to take
Open source tools - Many universities advocate the use of open source/free utilities (even if a commercial tool is used).

Whichever one they have will slightly alter the build you want. For instance, Encase 6 requires more memory (at least 32gb), however Encase 7 requires an SSD (and some anti-depressants to stop you topping yourself). Also nowhere did you state a budget.

However for the most part, I would be looking at something like this
CPU - Solid i5 (4690 is a good call)
RAM - 16GB (32 if Encase 6 is to be used)
Hard Disk - 240 SSD plus 2 TB storage drive. Consider 500gb SSD or extra hdd if you want to install Linux.
Graphics card - Doesn't really matter. Pick something in £50 - 100 range if you want one.
Power supply - 550 - 600W should do. You're not running that much stuff!
Ensure you have Sata 3 ports (should be standard on any new machine).
The tower itself in this scenario was coming out at about £900 (With OS) from www.scan.co.uk (look under 3xs systems). These come with a warranty )

2 monitors is preferable as you will want to have things easily view-able.

Software - Go for Windows 7 Pro (allows more than 16GB of Ram), some things don't like running on Windows 8.

Second OS - I would install Linux for many reasons as a second OS. Firstly it allows you to use a lot of the open source tools and inbuilt functions of Linux (DD for imaging etc). If you want you can install a forensic build of Linux (I recommend Deft 8 as a 64 bit version) which comes with a lot of these tools. Also if you do need imaging capability, it removes the need for Write blockers.

If you have a budget, please state it and can probably help tailor the above.

Posted : 03/01/2015 6:36 pm
jaclaz
(@jaclaz)
Community Legend


Whichever one they have will slightly alter the build you want. For instance, Encase 6 requires more memory (at least 32gb), however Encase 7 requires an SSD (and some anti-depressants to stop you topping yourself).

D

… are they included in the yearly dongle license or you need to pay for them separately (and having them prescribed by your family doctor)? ?

wink

jaclaz

Posted : 03/01/2015 7:53 pm
minime2k9
(@minime2k9)
Active Member

D

… are they included in the yearly dongle license or you need to pay for them separately (and having them prescribed by your family doctor)? ?

wink

jaclaz

No but they're offering a special buy Encase portable and two free bottles containing 30 pills each - enough for 2 whole weeks p

Posted : 03/01/2015 8:17 pm
jhup
(@jhup)
Community Legend

If this is forensics class build, I would only consider FOSS tools and X-Ways from the commercial side. I have seven classrooms set up for various digital forensics.

We go for
- display area (bigger screens and more monitors),
- fast and lots of memory,
- hot swap, front access bays (at least 3)
- a non-removable forensic bridge, something like a Tableau T35689iu is plenty fine
- lots of USB 3 ports,
- external eSATA port(s)
- three drives
- wired keyboard and mouse (get the keyboard/mouse plug versions, not USB - less likely to get "lost")

Do not forget to get at least one powerstrip (3+ open power sockets) per workstation if you get into mobile device.

We use 3 drives in our rooms. One for the OS and application, one for the evidence, and one for the student results.

For educational purposes you do not need anything more.

Do NOT use SSD for student build. They will die faster and will be more headache than a box of 1TB HDDs.

Posted : 05/01/2015 10:48 pm
BraindeadVirtually
(@braindeadvirtually)
Active Member

FTK - not sure if this is used as much on uni courses because of the server - client approach it seems to take

You can get a decent standalone copy of FTK up and running easily enough. Use the Postgres DB installer that all later versions come bundled with. It's relatively lightweight (relative to MSSQL anyway) and any i5+ system will cope reasonably well, particularly with student data.

There are loose specs for a single-box 'laptop' install here. I respectfully disagree with the no-SSD comment - since this will presumably be your own CF box. Just keep an eye on the manufacturer's page for firmware etc and run diagnostics from time to time. And be aware it will fry eventually lol

Posted : 05/01/2015 11:38 pm
Bulldawg
(@bulldawg)
Active Member

I've been using SSDs on forensic workstations for years, and none of them have died yet. (none of the HDDs have died either) The only drives I've lost in the past few years have been DOA evidence storage HDDs, which failed wiping and were RMA'd before being placed in service.

I have a bunch of computers with SSDs for OS drives. One computer has a little RAID 0 array of 512GB SSDs that we use for temporary storage while processing. The only problem with it is to preserve write speeds, I have to physically remove the drives and issue an ATA secure erase command on them periodically because TRIM does not work through this RAID controller, which is very common. I usually do this after a few cases. It only takes a few minutes since a secure erase command takes only seconds on an SSD.

The speed advantage of an SSD over spinning disks makes using SSDs a no-brainer if you can afford them.

If you go with SSDs, pay attention to SLC vs MLC vs TLC. Each refers to the number of bits stored in each cell (single, double, and triple, respectively). TLC is cheapest but will wear fastest. The Samsung 850 EVO is a drive that uses TLC. I prefer MLC drives like the Samsung 840 Pro as a good compromise. SLC drives are more rare these days, but they are much more durable. That said, the lifespan of drives like the 840 Pro is far beyond what you'll need even in a forensic workstation.

https://www.samsung.com/global/business/semiconductor/minisite/SSD/uk/html/about/MlcNandFlash.html
Relevant section

Furthermore, a Korean SSD enthusiast website used Iometer’s Endurance Test (2008) to push the limits of a 120GB 840 SSD. The test, which ran without failures, achieved an impressive 331TB Total Bytes Written (TBW) which is equivalent to an extraordinary 94 year lifespan at 10GB/day.

And an article on the newer 850 Pro NAND endurance
http://www.anandtech.com/show/8239/update-on-samsung-850-pro-endurance-vnand-die-size

Posted : 06/01/2015 1:43 am
Deltron
(@deltron)
Active Member

Just look at builds and build your own off of their specs
http://www.digitalintelligence.com/products/fred/
Integrated write blockers are nice to have but the Tableau one is like $1000
https://www.guidancesoftware.com/products/Pages/tableau/products/forensic-bridges/t35689iu.aspx
https://www.guidancesoftware.com/products/Pages/tableau/products/forensic-bridges/ultraBay-3d.aspx

Posted : 06/01/2015 2:51 am