This is why I recommend forensics analysts to learn how to code. If you don't know how to code then you are limited to the product's capabilities.
I am familiar with the basics of Java and C#, so learning a new language won't be hard for me, where would you recommend I begin, what languages do you use and what do you use them for if you don't mind me asking?
My $0.02 on the subject
1. Very few forensics tools can take advantage of heavily multi-core systems. Magnet IEF (Axiom) seems to be the most hungry for cores, but it cannot use all 24 threads on our dual Xeon E5-2620 (6 core, 12 thread each at 2.0 Ghz). This is an older system, but still has fast enough storage that it should get enough data to use all 24 threads available. It does not make use of all threads for whatever reason.
In contrast Magnet Axiom running on a newer i7-5930K (6 core 12 thread overclocked to 4.5 Ghz) does use all 12 threads. 12 threads that are running over twice as fast as the 24 threads on the Xeon machine.
It gets much, much worse when you're looking at EnCase, Cellebrite PA, FTK Imager, etc. Many of those workloads are single threaded, so the i7 running at 4.5 Ghz is over twice as fast as the Xeon running at 2.0 Ghz.
2. You cannot discount the ability of an i7 (K or X sku) to overclock. My i7-5930K is running on air cooling, and with a very slight voltage bump it runs at 4.5 Ghz 24/7. The official clock on this CPU is 3.5 Ghz with a 3.7 Ghz boost clock.
Xeons don't overclock AFAIK.
3. ECC RAM is an advantage. In 2018 I'm going to take a serious look at using an AMD Ryzen CPU in my systems so I can get overclocking and ECC RAM. I'm also hoping AMD's allowing ECC RAM on Ryzen will force Intel to rethink supporting ECC RAM on high end i7 CPUs rather than keeping it a Xeon exclusive.
Notes
I know all this is anecdotal evidence, and I've certainly not done any scientific testing, but for your information I feel both systems have sufficiently fast storage to make this meaningful. The i7 system is using an NVMe drive and the Xeon system has a RAID 0 array of SSDs.
IMO, storage speed is still king on a forensic workstation. NVMe drives are a must if you can afford them. My next system uses Intel 750 PCIe SSDs for storage. Rotating disks are too slow. SATA SSDs are a good compromise of speed and performance.
Also IMO, the i7-7700K is not the best Intel i7 for forensics. Its low core count (4) means for some workloads it will be at a disadvantage compared to other Intel CPUs. The 7700K also has a max of 16 PCIe lanes. 😯 This is fine for gaming (unless you're running multiple GPUs), but not for all the PCIe cards I generally put in a forensic workstation. Plus, it can only handle 64 GB of RAM. It can overclock, however. 5.0 Ghz is a pretty conservative overclock for an i7-7700k on water cooling.
I believe the sweet spot right now is an i7-6850K (6 core, 12 thread which should overclock nicely). This CPU has 40 PCIe lanes, which leaves plenty of breathing room. If you're feeling rich, go for the i7-6950X (10 core, 20 thread) but be prepared for less stellar overclocking. These CPUs also support up to 128 GB of RAM.
I expect an upgrade to Intel's X99/enthusiast line of CPUs soon since all the current CPUs are based off the Skylake architecture rather than the newer Kaby Lake.
TL;DR - i7 enthusiast CPUs are the current best for forensic workstations.
This is why I recommend forensics analysts to learn how to code. If you don't know how to code then you are limited to the product's capabilities.
I am familiar with the basics of Java and C#, so learning a new language won't be hard for me, where would you recommend I begin, what languages do you use and what do you use them for if you don't mind me asking?
Well, any language that does the job you're looking to do. I'm not going to say "use C++" like the zealots from "the holy C-church" do. You can do plenty with Python, C#, VB.Net, Java or any language that is versatile enough. Some languages like Ruby on Rails are more functional and have their use, i.e. for parsing logs.
The bare minimum for a language would be to be able to read files, parse textfiles, search for text or binary values in a variable or array. Also if it can get web content, extract data from JSON/XML it doesn't hurt.
And as this discussion suggests, being able to multithread well is very useful. All the languages I listed above are MT capable and could use a multi core/multi CPU hardware setup. Even IF you use a language that is not multithreaded, you can usually spawn multiple processes of the same tool and give it different parameters, that way you can utilise the hardware anyway.
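Added example, not part of the original post: a Python sketch of the "spawn multiple processes of the same tool with different parameters" approach, applied to the binary-value search mentioned above. The function names, the four-worker split and the sample data are assumptions made for illustration; each worker reads a few bytes past its range so a hit that straddles two ranges is reported exactly once.

```python
import os
import subprocess
import sys
import tempfile

NEEDLE = b"\xff\xd8\xff\xe0"  # JPEG/JFIF header bytes, used as the sample search value

def search_range(path, start, end, needle):
    """Return offsets of needle whose first byte lies in [start, end)."""
    with open(path, "rb") as f:
        f.seek(start)
        # Read len(needle)-1 bytes past the range so a hit straddling 'end' is not lost.
        data = f.read(end - start + len(needle) - 1)
    hits, pos = [], data.find(needle)
    while pos != -1 and pos < end - start:  # hits starting past 'end' belong to the next worker
        hits.append(start + pos)
        pos = data.find(needle, pos + 1)
    return hits

def parallel_search(path, needle, workers=4):
    """Launch one copy of this script per byte range and merge the reported offsets."""
    size = os.path.getsize(path)
    step = max(1, -(-size // workers))  # ceiling division
    script = os.path.abspath(__file__)
    procs = [subprocess.Popen(
                 [sys.executable, script, path, str(s), str(min(s + step, size)), needle.hex()],
                 stdout=subprocess.PIPE, text=True)
             for s in range(0, size, step)]
    return sorted(int(tok) for p in procs for tok in p.communicate()[0].split())

def demo():
    # Constructed sample: 4000 zero bytes with the needle planted at three offsets;
    # the one at 998 straddles the boundary between the first two worker ranges.
    buf = bytearray(4000)
    for off in (10, 998, 3500):
        buf[off:off + len(NEEDLE)] = NEEDLE
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(buf)
    try:
        return parallel_search(tmp.name, NEEDLE)
    finally:
        os.unlink(tmp.name)

if __name__ == "__main__":
    if len(sys.argv) == 5:  # worker mode: path start end needle-hex
        path, start, end, needle_hex = sys.argv[1:]
        print(*search_range(path, int(start), int(end), bytes.fromhex(needle_hex)))
    else:
        print(demo())
```

On a real image the gain depends on storage: if the disk cannot feed several readers at once, extra workers add little.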
Was it specifically written for Xeon processors? If not, you get crap performance and it won't matter.
This is not true.
Nobody ever writes specific Xeon code. At least not for forensics. The Xeon uses the same x86 instruction set as desktop and mobile CPUs. It is true that a developer might target a certain number of Cores, or a certain amount of RAM, or even a certain x86 instruction sub-set (like AVX or SSE). But they don't target 'Xeon'.
I did a short study a year back on CPU and disk use for forensics tasks. It was only with our own tools, but it applies to a lot of what is on the market.
My conclusions (14 months ago) were,
• Most forensics tasks are disk bound and single threaded.
• Even when not single threaded a two core CPU is enough
• When picking a CPU, customers should favour a small number of fast CPU cores (e.g. 4 cores at 3.9Ghz) rather than a large number of slow cores (32 cores at 2.4Ghz).
• Hardware spend should instead be on better disks and SSDs.
• For most tasks 8GB of RAM is plenty. Or 16GB if running VMs.
With the following exceptions
• Password cracking uses lots of cores.
• Working on multiple projects at the same time can use lots of cores (if not disk bound).
Obviously as disks get faster and code gets better, things change. So if I was doing the same study again I am sure 4 cores would be a minimum recommendation. But the number of tasks that benefit from more than 4 cores would be few (as they are normally disk bound if well coded).
Was it specifically written for Xeon processors? If not, you get crap performance and it won't matter.
This is not true.
Nobody ever writes specific Xeon code. At least not for forensics. The Xeon uses the same x86 instruction set as desktop and mobile CPUs. It is true that a developer might target a certain number of Cores, or a certain amount of RAM, or even a certain x86 instruction sub-set (like AVX or SSE). But they don't target 'Xeon'.
I did a short study a year back on CPU and disk use for forensics tasks. It was only with our own tools, but it applies to a lot of what is on the market. My conclusions (14 months ago) were,
• Most forensics tasks are disk bound and single threaded.
• Even when not single threaded a two core CPU is enough
• When picking a CPU, customers should favour a small number of fast CPU cores (e.g. 4 cores at 3.9Ghz) rather than a large number of slow cores (32 cores at 2.4Ghz).
• Hardware spend should instead be on better disks and SSDs.
• For most tasks 8GB of RAM is plenty. Or 16GB if running VMs.
With the following exceptions
• Password cracking uses lots of cores.
• Working on multiple projects at the same time can use lots of cores (if not disk bound).
Obviously as disks get faster and code gets better, things change. So if I was doing the same study again I am sure 4 cores would be a minimum recommendation. But the number of tasks that benefit from more than 4 cores would be few (as they are normally disk bound if well coded).
I do not agree. The day you start doing CPU intensive data processing like logs and PCAPs, you'll be happy that you had a Xeon system. Some of us do network forensics and don't sit around staring at DD images all day.
And I never said that CPUs are a fix everything solution without having faster disks. I have used a dual Xeon system with PCI Express drives (way faster than SATA 3 SSD) that I've written specific programs for, unless you are running that you won't see any difference. Try some CPU intensive stuff from a RAM disk that would use the Xeon hardware properly and you'll start seeing differences.
Hi everyone, just saw this thread like a year ago and came across it again today.
I can only say that Ryzen CPUs have wiped out any Intel ones today, in price and performance.
Please prove me wrong.