Drobo Network storage for Forensics lab
I work at District Attorney's Office and have been given the opportunity to design and implement a digital forensics program.
Our lab is going to be small, probably 4 to 5 total computers to start, which would include a couple of imaging machines, a machine for analysis, a dedicated machine for mobile forensics, and possibly one more machine for online investigations.
A big part of the design discussion is how we store and maintain digital evidence. In the agency I came from, everything was stored on individual hard drives which were then logged into evidence. For a number of reasons I didn't like that model. I know the use of servers for digital evidence storage is another option, but can come with a hefty price tag. In addition, we don't have a huge budget, so a server may be out of the question.
One of the ideas for storage that was thrown out was a Drobo NAS device. On its face, it seems like a viable option for our lab. The thought was we could network all the forensics / online investigations computers to the Drobo, simplifying workflow and creating a storage area which could be accessed by any of the forensic workstations.
I'm looking for thoughts / opinions on the idea of using a Drobo (or any high capacity NAS for that matter) as storage for a forensics lab. Are there any issues with a data bottleneck into the NAS if we're running multiple machines at once? Any insight or ideas about the entire topic would be greatly appreciated. Thanks.
The issue is backing up. Computer Forensic work especially uses an awful lot of disk space, so typically, you wouldn't want to keep all your data on your NAS/SANS. You would implement a longer term backup solution such as tape backup which would be more difficult (but not impossible) without a proper network/SANS storage solution.
If I were you, I would build/buy a proper file server with high capacity disks in a RAID array with a tape backup solution built in.
One important question is how long you expect to save the image files for? If 'forever' then any storage system will just fill up. If it was just one month (unlikely) you could work out a reasonable excess in size and work with it.
I don't know the actual figure, but drives seem to get 25-50% larger each year, though compression can hide the unused space.
Tape has it's place, but tapes can only be restored on special equipment/software. Imaging to separate hard drives is flexible as anyone can handle them.
There is no correct solution, and every solution needs to be reviewed on a regular basis (at least once a year)
Hard drives are dirt cheap, I can't see why you wouldn't just archive to them.
I archive all case data for a period of 2 years, then I notify the client that I'm going to wipe the data unless they want me to retain and store, then we charge on a quarterly basis to store the data.
My job turnover will be quite small compared to others but I generally have at any given time anywhere between 8-15 2TB drives in my archive cupboard.