I'm about to build a forensic machine as well, for my home lab, so I'll be able to work from home if need be. The basics
-Tyan S2895 with a pair of dual-core Opterons
-15K RPM SCSI boot drive
-A pair of the new Seagate 750GB SATAs for active evidence
-8 GB of RAM (remember that 32-bit Windows cannot effectively use all that RAM)
-Acer 24" monitor (looks great, IMO nearly as good as the Sony PremierPro 23", for $712 as opposed to $1000+)
-Adesso programmable keyboard with mechanical keyswitches
-Prolly a triple-boot config Win32/Win64/Linux
-Yada yada yada
As someone already mentioned, HD speed is critical. In many many operations this is the bottleneck.
Jerry
-Tyan S2895 with a pair of dual-core Opterons
-15K RPM SCSI boot drive
Jerry
One thing to consider is, since you're getting the 2895 with the SCSI option, add one more SCSI drive for the page file. Also, I like the smaller (37GB) drives for my systems, as they backup more quickly.
One thing to consider is, since you're getting the 2895 with the SCSI option, add one more SCSI drive for the page file. Also, I like the smaller (37GB) drives for my systems, as they backup more quickly.
I'm currently running a similar config, but with SATA a 36GB Raptor boot and an identical drive for swap. You're right, certainly worth considering.
I wish SCSI wasn't so pricey, because I'd love to go with 15K-RPM SCSI for storage, as well. But alas, it is.
BTW, if anyone doubts the claim as to the importance of HD speed, load up a few different EnCase processes and poke around in your performance monitor. You'll often find the processor at 10% utilization and your gigabit network at 1% or less, even if you're processing evidence across the wire.
That's not to say HD speed is the only important element, of course. Certainly the Weakest Link paradigm is fully in play in forensic work. But for many tasks, that weak link may not be where you think it is.
Chop
Make sure your SATA drives are rated for 3Gb/s.
Make sure your SATA drives are rated for 3Gb/s.
Yup, already switched to the new standard on that.
Chop
Ok, here are a few more questions…
The idea is to build a basic forensic workstation for around 1500-2000 $
Is it worth it to get a 64 bits capable proc ?
Then, what to choose betwwen AMD 64 3800+ and a Pentium 4 830 ?
Does anyone have a clue about when a 64bits / dual core optimised Encase is scheduled?
Is XP pro 34 bits worth having with a 64 bits proc, even if the woftware used is not 64 bits optimised ?
About the display a big CRT screen (21/22 inches) or dual LCD 17" ?
About storage Do high speed disks ( 36Gb raptors 10 000 rpm) have the same reliability than slower disks ?
What about SATA2 ? Does it really improve the actual transfer speed with a 7200 / 10000 rpm disk ?
Thanks !
Hi,
I think you will get varied opinions on what to use etc.
As far as the monitor setup, I have a bunch of different setups, dual montior, 21", 15", 19", but what I like the most is my projector. You have a ton of real estate to work with and your only limit would be the wall size or the size of your projector.
I am not one to invest a fortune in one particular workstation because as with many other people, I need several workstations. For the main part I run 2.8 to 3.2 p4's with a couple gigs of ram, a midline video card like the geforce 2 which supports things like Hydravision, 2 CRT removable drive bays, 2 floppy drives, an Adaptec SCSI card, 750mb Zip disk, DVD+ and CDRW drive, etc.
The acquisition machine I like is my Sager 9880 laptop which is a 3.6 p4 with 2gb of ram and a 256mb nvidia graphics card. It fits into a Dell XPS backpack and will fit in the overhead compartment when you are travelling via airplane.
What are people's thoughts on the amount of RAM to put in your machine?
There is some debate about this. Some people say put in the most, fastest RAM you can afford. However, if you useEnCase for your analysis and check performance through Task Manager or alternative system performance tools you will see that the utilisation of RAM is actually quite low. So why put in any more than 2gb - even that seems overkill.
What are people's thoughts on the amount of RAM to put in your machine?
There is some debate about this. Some people say put in the most, fastest RAM you can afford. However, if you useEnCase for your analysis and check performance through Task Manager or alternative system performance tools you will see that the utilisation of RAM is actually quite low. So why put in any more than 2gb - even that seems overkill.
How much action is the page file getting? There are a few registry values you can change so that it will not use the page file until physical memory is exhausted.
This brings up another interesting topic. (Jamie feel free to start a new thread if nesscessary.) How do you optimize your operating system to make the most of software like encase, FTK, or iLook? Are there registry settings you change to optimize memory better? Page file settings? etc.?
Hi,
We're shortly going to switch to keeping the evidence files on a data store locally attached to our machines via ultra scsi 320 interfaces. Our exam machines will in turn be attached via gigabit CAT6 cable to a main data store, for overspill from the local storage. This will give us massive storgae space with the means of doing tape backup from the main store of any local data store. Speed will be the interesting factor and I will post back soon on how it's going.
On a separate note we bought new exam machines recently and opted for a fairly high spec graphics card. Well the money was well spent. When you are going through gallery view in EnCase and get to the suspect's collection of 5.1 megapixel digital photos we get a lot less slow down.
Steve