Hello everyone.
I have been tasked with building a computer forensic lab for my security team. I will be one of about 4 individuals doing forensic work, but I have been designated as the lead.
We currently have enCase as our software, but are looking to add a few tools to our arsenal.
My first task is to build a lab.
My plan is to have about 2 workstations in the lab for doing work.
However, my biggest question is about storage. Storing of images.
Do many people here have large setups of storage to store images they have created? If so, how long?
Doing some rough calculations, say the average image you create is 50 gigs; that can quickly add up to a lot of storage, easily into the terabytes.
With that being said, any guidelines or suggestions on the storage portion of building a forensic lab?
Thanks,
Jas
It is a problem for any computer forensics lab. It seems nice to have central storage with disk arrays and a 10Gbit connection, however no storage will be enough for a long time. You will run out of free space in the end if you do not add new free space periodically. Also, adding free space is costly.
I know some labs backup the images on tapes. Again, in my opinion not a perfect solution as tapes may not work if you need them again after some years. I had many cases where backup tapes failed when you needed them after some years. Tapes are nice for short-term storage but not that nice when it comes to keeping data intact for a long time.
If you are a private lab you can include the charge for storage so each requester will have to provide hard drives to hold the acquired data and you will need to keep up a room for these hard drives.
If you are a state-run lab, you can't charge for storage and you will definitely run out of space as the government can never keep pace with emerging needs of technology. You will have to make room for the new images; so oldest ones will have to go first.
Your estimation of 50GB / image would have been right 4 years ago, but not now.
Also, anything less than 1 workstation per examiner is just plain wrong.
Your estimation of 50GB / image would have been right 4 years ago, but not now.
Also, anything less than 1 workstation per examiner is just plain wrong.
True, but we have such a wide range of computer HD sizes here, I pretty much took the average. However, I fully expect the images to be around 100 gigs as an average size, and bigger as time goes on.
I thought about 4 workstations, since there are 4 of us, but since our security team handles everything related to IT Security, at most, there will only be 2 people working on forensics at a given time. That might change, and if it does, it will be far down the road.
Trying to get some numbers on storage, anyone have a NAS in their lab?
I could care less about brand name, just a lot of storage, efficient, good performance at a good price.
Looking at some dell NAS stuff right now and seems reasonable.
I am also trying to purchase something that is scalable as well.
Thanks for the input.
Cheers,
Jason
In my data recovery business the typical disk size I currently see is 500GB, and quite a few 1TBs (sometimes as 2x500GB RAID0) are also coming through. Many disks have many photos and MP3s/MPEGs so compression is limited. With good compression, I would expect most disks to require 250GB, but this number grows each year.
There was a webinar last week that was specifically about storage. For those interested click http//
As far as one workstation per examiner, that is fine until you get a few cases in the lab. Once you have that you may have examiners sitting around twiddling their fingers while a case processes, performs a search, etc.
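The rough capacity arithmetic in the original question (average image size times case volume) and the point made above that the required size grows every year are easy to carry through in a small projection. The following is an added example, not code from anyone in this thread: it projects yearly intake and the total that must stay online under a "drop the oldest images first" retention policy, and estimates how many archive drives a case needs. Every number in it (cases per year, growth rate, compression ratio, drive sizes) is a constructed placeholder to be replaced with a lab's own figures.

```python
"""Storage capacity projection for a forensic image archive (added example)."""
import math
from dataclasses import dataclass


@dataclass
class LabProfile:
    """Assumed inputs for the projection; all values are constructed placeholders."""
    cases_per_year: int
    images_per_case: float
    avg_image_gb: float        # raw size of an acquired image in year 0
    annual_growth: float       # fractional growth of average image size per year
    compression_ratio: float   # stored size / raw size (1.0 = no compression)
    retention_years: int       # how many years of images are kept online


def avg_image_gb_in_year(p: LabProfile, year: int) -> float:
    """Average raw image size after `year` years of compound growth."""
    return p.avg_image_gb * (1.0 + p.annual_growth) ** year


def yearly_intake_gb(p: LabProfile, year: int) -> float:
    """Compressed storage consumed by the images acquired in a given year."""
    return p.cases_per_year * p.images_per_case * avg_image_gb_in_year(p, year) * p.compression_ratio


def project(p: LabProfile, horizon_years: int) -> list[tuple[int, float, float]]:
    """Return (year, intake_gb, retained_gb) rows.

    retained_gb is what must be online at the end of that year when only the
    most recent `retention_years` years of images are kept (oldest go first).
    """
    rows = []
    for y in range(horizon_years):
        oldest_kept = max(0, y - p.retention_years + 1)
        retained = sum(yearly_intake_gb(p, k) for k in range(oldest_kept, y + 1))
        rows.append((y, yearly_intake_gb(p, y), retained))
    return rows


def drives_for_case(case_gb: float, drive_gb: float) -> int:
    """Number of archive drives needed to hold one case (images, notes, exports)."""
    if drive_gb <= 0:
        raise ValueError("drive_gb must be positive")
    return max(1, math.ceil(case_gb / drive_gb))


if __name__ == "__main__":
    # Constructed placeholder profile; substitute real lab figures.
    profile = LabProfile(
        cases_per_year=40,
        images_per_case=2,
        avg_image_gb=100.0,
        annual_growth=0.25,
        compression_ratio=0.6,
        retention_years=3,
    )
    for year, intake, retained in project(profile, 5):
        print(f"year {year}: intake {intake / 1024:.1f} TB, online {retained / 1024:.1f} TB")
    print("drives for a 1200 GB case on 500 GB drives:", drives_for_case(1200, 500))
```

The retained figure is the one to size the NAS or RAID against, since intake alone understates what is online once several years overlap; the per-case drive count supports the "one case on one hard drive" archive model described later in the thread.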
I work in a very large forensic lab. We seldom use online storage.
Why not use HDs for long-term storage? Infinitely expandable. Relatively cheap. We use them; some still use tape for long term, but we are getting away from that - issues with getting the image back out after a few years, plus it is not much cheaper than HD. No need for 10Gb networks, expensive SANs etc etc.
Most of us have a 2 to 6 TB RAID connected to our systems for current case storage/processing. When done with the case, we put it on the aforementioned HD and put it away.
You say you are a 4 man lab, are you willing to give up .5 - 1.0 man to do systems administration? We have 2 full time system engineers that take care of stuff so forensic guys can take care of forensicating.
Remember KISS…. keep it simple stu….
These are computers, aren't they… therefore they will not work correctly all the time.
Good luck to you.
Mark
Trying to get some numbers on storage, anyone have a NAS in their lab?
I could care less about brand name, just a lot of storage, efficient, good performance at a good price.
Try to fit in some kind of risk/threat analysis while you're at it – that often influences the buying options. What could go wrong – what would hurt most – and how do you address those issues?
For instance, if NAS failure is a serious issue, you want a good service agreement, you may need to have spare parts in store, and you will almost certainly need to have a sysadmin somewhere close by.
Also, a plain NAS only addresses accessibility issues (failed drives – I'm assuming RAID5 or so), but not things such as accidental file deletion. You also need to consider backup issues. That could be done by using part of the NAS for backup, but then you need to size it accordingly.
In general, you may also want to look through 'Building a Digital Forensic Laboratory' by Jones and Valli, for ideas.
I'm with markg43. We too use hard drives for storage. As the hard drives in machines coming in for examination get bigger so too do the hard drives on sale. With the odd exception we can manage to keep 1 case (most have multiple machines) on 1 hard drive and that includes all the images, cases, case notes, exported files, reports, the lot. What is more we don't usually have to buy the very largest (and most expensive) drives either, about 10% are the largest and the rest are about half the size. It's been that way since 1995 so I think it's fair to say it's a robust system.
Paul
I suggest you read this paper written by a friend of mine.
http//
It's pretty interesting how they handled scalability using open-source storage solutions.