Join Us!

Notifications
Clear all

i7 or Xeon  

  RSS
Vesalius
(@vesalius)
Member

So my question for today is, will a top of the line i7 CPU do better for Ripping and Analyzing phones using UFED 4PC or will an Intel Xeon do better?

So let's say an i7 Extreme Proccessor or let's say the 7700k with really good multi-threading capabilities, or an Intel Xeon.

I would like to hear your opinion's on the matter.

Quote
Posted : 06/04/2017 12:28 pm
steve862
(@steve862)
Active Member

Hi,

There's quite a price difference when you factor in motherboards as well. I think that an i7 7700K will be plenty for phone analysis, particularly if you read the phone dumps from a fast storage method, rather than mechanical disks.

The Xeon of the same speed will require a more expensive motherboard and is less likely to have M.2 SATA slots in that sort of price range too. The X99 chipset for i7 Extreme will also be pricier but is more likely to have M.2 SATA.

Having looked at resource usage in a few of the phone tools; XRY, Oxygen and UFED PA, there certainly are times when the task being performed is single threaded and so a higher base clock speed will benefit you over more but slower cores. That might make the i7 Extreme CPUs less suitable too.

Steve

ReplyQuote
Posted : 06/04/2017 3:37 pm
danielb
(@danielb)
Junior Member

When last looking at UFED and PC performance a year or two back I did some tests with sample reads and came to the following conclusions

The actual phone read isnt really affected by pc performance

The opening of the file in Physical Analyser was affected alot by cpu performance and also to some smaller degree disk performance.

Report creation was more affected more by disk performance and not that much by cpu.

So an 4c/8th i7 eg i7-7700k or even i7-6700 etc would be a nice sweet spot for both the single and multi threaded decoding involved in opening up a file. Unless you really need the extra features of the z170/z270 boards I would recommend a b150/b250 board or something similar.

Its worth getting a decent sized SSD for general use as well. Theres another debate on how much you will benefit from faster SSD's eg m2 pcie etc however a decent brand Sata SSD such as a Samsung 850 should be your starting point.

ReplyQuote
Posted : 06/04/2017 8:22 pm
MDCR
 MDCR
(@mdcr)
Active Member

Building a system with one Xeon processor is a waste of money, as pointed out above the system card can be a bit more expensive than one for a regular i7 processor.

The advantage of the i7 is cheaper and higher clock speeds. The one major advantage with Xeon is that the system card usually can fit more memory, I've seen one setup with 384 GB memory.

The Xeon really flies with a dual/multi processor setup, and multi threaded applications work well since it is built for it. So, if you got an application that wouldn't make use of Xeon hardware, then go with the i7.

ReplyQuote
Posted : 07/04/2017 2:16 am
Passmark
(@passmark)
Active Member

I would actually argue that the main benefit of the Xeon is ECC RAM support.
(as clearly you don't need all the extra CPU cores you can get with Xeon, nor the extra RAM, nor the dual CPU support).

But you can get ECC support with the new AMD Ryzen CPUs as well.

ReplyQuote
Posted : 07/04/2017 5:17 am
randomaccess
(@randomaccess)
Active Member

The Xeon really flies with a dual/multi processor setup, and multi threaded applications work well since it is built for it. So, if you got an application that wouldn't make use of Xeon hardware, then go with the i7.

I did a bit of testing with single and dual xeon machines and didn't really find a huge speed improvement for the dual.
Better to have a faster disk speed and more RAM

ReplyQuote
Posted : 07/04/2017 6:24 am
MDCR
 MDCR
(@mdcr)
Active Member

The Xeon really flies with a dual/multi processor setup, and multi threaded applications work well since it is built for it. So, if you got an application that wouldn't make use of Xeon hardware, then go with the i7.

I did a bit of testing with single and dual xeon machines and didn't really find a huge speed improvement for the dual.
Better to have a faster disk speed and more RAM

And with what did you test it? Was it specifically written for Xeon processors? If not, you get c**p performance and it wont matter.

There is a reason why there are 2+ CPU slots on most Xeon boards, they don't add extra CPUs for because someone thinks it would be cool.

ReplyQuote
Posted : 07/04/2017 7:07 pm
randomaccess
(@randomaccess)
Active Member

The Xeon really flies with a dual/multi processor setup, and multi threaded applications work well since it is built for it. So, if you got an application that wouldn't make use of Xeon hardware, then go with the i7.

I did a bit of testing with single and dual xeon machines and didn't really find a huge speed improvement for the dual.
Better to have a faster disk speed and more RAM

And with what did you test it? Was it specifically written for Xeon processors? If not, you get c**p performance and it wont matter.

There is a reason why there are 2+ CPU slots on most Xeon boards, they don't add extra CPUs for because someone thinks it would be cool.

I tested a few forensic tools commonly used in my lab.
I dont think many forensic tools are written for xeon processors, so yeah pretty much was just testing for multi-core+ram+disk speed. Basically encase6 is ridiculously slow when compared to encase8 and xways (which in some respects were equal, but xways was usually faster). Having all the data on the host ssd also made a massive difference (as expected), even compared to the raid.

As a sidebar, there's also some research into the use of RAMdisks to improve speed even more, but that's only going to be useful for some processes until you can get into the terabytes of ram

I get there's a reason for it, I'm just saying I don't think it's necessary for forensic applications - someone should get a xeon, dual xeon, and i7-7700 and run some tests 😉

ReplyQuote
Posted : 07/04/2017 7:21 pm
MDCR
 MDCR
(@mdcr)
Active Member

I tested a few forensic tools commonly used in my lab.
I dont think many forensic tools are written for xeon processors, so yeah pretty much was just testing for multi-core+ram+disk speed. Basically encase6 is ridiculously slow when compared to encase8 and xways (which in some respects were equal, but xways was usually faster). Having all the data on the host ssd also made a massive difference (as expected), even compared to the raid.

As a sidebar, there's also some research into the use of RAMdisks to improve speed even more, but that's only going to be useful for some processes until you can get into the terabytes of ram

I get there's a reason for it, I'm just saying I don't think it's necessary for forensic applications - someone should get a xeon, dual xeon, and i7-7700 and run some tests 😉

Well, there you go. As i have mentioned in another thread, i've written specific program that utilise multicore/multicpu hardware and when you do, Xeon is unbeatable. If you want to read up on why and when you should us Xeon, here you go https://en.wikipedia.org/wiki/Xeon

You can use Ramdisks today to store information you want to write, or as a cache. IMDisk is one free tool you can use - now - to get a RAM device capable of bus speeds. You can also put PCI Express SSD storage devices like Revodrives in Raid0 and get a speed close to the bus speed, i have done it and it is insanely fast. To get the same speed, you need several SATA3 controllers with one SSD per controller in raid 0 to get the same performance.

Putting all this together There is a reason why i don't even look at Encase, FTK or Security Analytics when i've done investigations, my main forensics tool is Visual Studio running on insanely fast hardware. If i need to extract information, i use a specialised tool like Network miner, in all other cases when dealing with any kind of large raw (big)data like DD images, Logs, Pcaps - i write my own multi threaded tools.

This is why i recommend forensics analysts to learn how to code. If you don't know how to code then you are limited to the products capabilities.

ReplyQuote
Posted : 08/04/2017 10:42 am
Vesalius
(@vesalius)
Member

Well then from what I gathered I got a pretty decent purchase,
————————————————————————————————————-
Operating System
Windows 10 Pro 64-bit
CPU
Intel Core i7 @ 4.20GHz
Kaby Lake 14nm Technology
RAM
32.0GB Dual-Channel Unknown @ 1071MHz (15-15-15-36)
Motherboard
ASUSTeK COMPUTER INC. MAXIMUS IX CODE (LGA1151)
Graphics
HP 24es ([email protected])
4095MB NVIDIA GeForce GTX 1070 (ASUStek Computer Inc)
Storage
476GB Samsung SSD 850 PRO 512GB (SSD)
Optical Drives
TSSTcorp CDDVDW SH-224GB
Audio
Realtek High Definition Audio

————————————————————————————————————-

all I need to upgrade or add is another SSD, prefreabbly M2, or SSD's for grabbing images.

Cheers guys!

ReplyQuote
Posted : 10/04/2017 4:30 pm
Vesalius
(@vesalius)
Member

This is why i recommend forensics analysts to learn how to code. If you don't know how to code then you are limited to the products capabilities.

I am familiar with the basics of Java and C#, so learning a new language won't be hard for me, where would you recommend I begin, what languages do you use and what do you use them for if you don't mind me asking?

ReplyQuote
Posted : 10/04/2017 4:46 pm
Bulldawg
(@bulldawg)
Active Member

My $0.02 on the subject

1. Very few forensics tools can take advantage of heavily multi-core systems. Magnet IEF (Axiom) seems to be the most hungry for cores, but it cannot use all 24 threads on our dual Xeon E5-2620 (6 core, 12 thread each at 2.0 Ghz). This is an older system, but still has fast enough storage that it should get enough data to use all 24 threads available. It does not make use of all threads for whatever reason.

In contrast Magnet Axiom running on a newer i7-5930K (6 core 12 thread overclocked to 4.5 Ghz) does use all 12 threads. 12 threads that are running over twice as fast as the 24 threads on the Xeon machine.

It get much, much worse when you're looking at EnCase, Cellebrite PA, FTK Imager, etc. Many of those workloads are single threaded, so the i7 running at 4.5 Ghz is over twice as fast as the Xeon running at 2.0 Ghz.

2. You cannot discount the ability of an i7 (K or X sku) to overclock. My i7-5930K is running on air cooling, and with a very slight voltage bump it runs at 4.5 Ghz 24/7. The official clock on this CPU is 3.5 Ghz with a 3.7 Ghz boost clock.

Xeons don't overclock AFAIK.

3. ECC RAM is an advantage. In 2018 I'm going to take a serious looks at using an AMD Ryzen CPU in my systems so I can get overclocking and ECC RAM. I'm also hoping AMD's allowing ECC RAM on Ryzen will force Intel to rethink supporting ECC RAM on high end i7 CPUs rather than keeping it a Xeon exclusive.

Notes
I know all this is anecdotal evidence, and I've certainly not done any scientific testing, but for your information I feel both systems have sufficiently fast storage to make this meaningful. The i7 system is using an NVMe drive and the Xeon system has a RAID 0 array of SSDs.

IMO, storage speed is still king on a forensic workstation. NVMe drives are a must if you can afford them. My next system uses Intel 750 PCIe SSDs for storage. Rotating disks are too slow. SATA SSDs are a good compromise of speed and performance.

Also IMO, the i7-7700K is not the best Intel i7 for forensics. Its low core count (4) means for some workloads it will be at a disadvantage compared to other Intel CPUs. The 7700K also has a max of 16 PCIe lanes. 😯 This is fine for gaming (unless you're running multiple GPUs), but not for all the PCIe cards I generally put in a forensic workstation. Plus, it can only handle 64 GB of RAM. It can overclock, however. 5.0 Ghz is a pretty conservative overclock for an i7-7700k on water cooling.

I believe the sweet spot right now is an i7-6850K (6 core, 12 thread which should overclock nicely). This CPU has 40 PCIe lanes, which leaves plenty of breathing room. If you're feeling rich, go for the i7-6950X (10 core, 20 thread) but be prepared for less stellar overclocking. These CPUs also support up to 128 GB of RAM.

I expect an upgrade to Intel's X99/enthusiast line of CPUs soon since all the current CPUs are based off the Skylake architecture rather than the newer Kaby Lake.

TL;DR - i7 enthusiast CPUs are the current best for forensic workstations.

ReplyQuote
Posted : 10/04/2017 6:49 pm
MDCR
 MDCR
(@mdcr)
Active Member

This is why i recommend forensics analysts to learn how to code. If you don't know how to code then you are limited to the products capabilities.

I am familiar with the basics of Java and C#, so learning a new language won't be hard for me, where would you recommend I begin, what languages do you use and what do you use them for if you don't mind me asking?

Well, any language that do the job you're looking to do. I'm not going to say "use C++" like the zealots from "the holy C-church" do. You can do plenty with Python, C#, VB.Net, Java or any language that is versatile enough. Some languages like Ruby on rails are more functional and have their use, i.e. for parsing logs.

The bare minimum for a language would be to be able to read files, parse textfiles, search for text or binary values in a variable or array. Also if it can get web content, extract data from JSON/XML it doesn't hurt.

And as this discussion suggest, being able to multithread well is very useful. All the languages i listed above are MT capable and could use a multi core/multi cpu hardware setup. Even IF you use a language that is not multithreaded, you can usually spawn multiple processes of the same tool and give it different parameters, that way you can utilise the hardware anyway.

ReplyQuote
Posted : 11/04/2017 1:34 am
Passmark
(@passmark)
Active Member

Was it specifically written for Xeon processors? If not, you get c**p performance and it wont matter.

This is not true.
Nobody ever writes specific Xeon code. At least not for forensics. The Xeon uses the same x86 instruction set as desktop and mobile CPUs. It is true that a developer might target a certain number of Cores, or a certain amount of RAM, or even a certain x86 instruction sub-set (like AVX or SSE). But they don't target 'Xeon'.

I did a short study a year back on CPU and disk use for forensics tasks. It was only with our own tools, but it applies to a lot of what is on the market.

My conclusions (14 months ago) were,
• Most forensics tasks are disk bound and single threaded.
• Even when not single threaded a two core CPU is enough
• When picking a CPU, customers should favour a small number
of fast CPU cores (e.g. 4 cores at 3.9Ghz) rather than a large
number of slow cores (32 cores at 2.4Ghz).
• Hardware spend should instead be on better disks and SSDs.
• For most tasks 8GB of RAM is plenty. Or 16GB if running VMs.

With the following exceptions
• Password cracking uses lots of cores.
• Working on multiple projects at the same can use lots of core (if not disk bound).

Obviously as disks get faster and code gets better, things change. So if I was doing the same study again I am sure 4 cores would be a minimum recommendation. But the number of tasks that benefit from more than 4 core would be few (as they are normally disk bound if well coded).

ReplyQuote
Posted : 11/04/2017 11:14 am
MDCR
 MDCR
(@mdcr)
Active Member

Was it specifically written for Xeon processors? If not, you get c**p performance and it wont matter.

This is not true.
Nobody ever writes specific Xeon code. At least not for forensics. The Xeon uses the same x86 instruction set as desktop and mobile CPUs. It is true that a developer might target a certain number of Cores, or a certain amount of RAM, or even a certain x86 instruction sub-set (like AVX or SSE). But they don't target 'Xeon'.

I did a short study a year back on CPU and disk use for forensics tasks. It was only with our own tools, but it applies to a lot of what is on the market.

My conclusions (14 months ago) were,
• Most forensics tasks are disk bound and single threaded.
• Even when not single threaded a two core CPU is enough
• When picking a CPU, customers should favour a small number
of fast CPU cores (e.g. 4 cores at 3.9Ghz) rather than a large
number of slow cores (32 cores at 2.4Ghz).
• Hardware spend should instead be on better disks and SSDs.
• For most tasks 8GB of RAM is plenty. Or 16GB if running VMs.

With the following exceptions
• Password cracking uses lots of cores.
• Working on multiple projects at the same can use lots of core (if not disk bound).

Obviously as disks get faster and code gets better, things change. So if I was doing the same study again I am sure 4 cores would be a minimum recommendation. But the number of tasks that benefit from more than 4 core would be few (as they are normally disk bound if well coded).

I do not agree. The day you start doing CPU intensive data processing like logs and PCAPs, you'll be happy that you had a Xeon system. Some of us do network forensics and don't sit around staring at DD images all day.

And i never said that CPUs are a fix everything solution without having faster disks. I have used a dual Xeon system with PCI Express drives (Way faster than Sata 3 SSD) that i've written specific programs for, unless you are running that you won't see any difference. Try some CPU intensive stuff from a ram disk that would use the Xeon hardware properly and you'll start seeing differences.

ReplyQuote
Posted : 11/04/2017 11:32 am
Share: