Looking for some advice..
We are looking to centralize our storage of case data in our lab, to facilitate a more dynamic work environment by which all the analysts can share case workload and perform peer case review.
Current state: 10 forensic workstations with 2 x 1TB internal drives (RAID1) to store case data. Each workstation also has an external 1 TB drive attached via FireWire 800 for back-ups.
Typical imaged drive is 40GB or less.
The network is segmented behind a firewall. EnCase is the main tool used for forensic analysis with other tools available as needed.
Thinking about a NAS or SAN and want to make sure that latency is not an issue. Any recommendations (specifically actual implementations) would be helpful.
Thanks
A NAS is optimized for data sharing at the file level. The strength of a SAN lies in its ability to move large blocks of data like database, imaging and transaction processing. A SAN is also a distributed architecture which allows a greater number of users to access data across the enterprise while minimizing bottlenecks at the server or on the LAN.
For 10 users a NAS will likely cost less and take less care and feeding to keep running. If you had a lot more users or were running a large enterprise version of FTK where actual database transactions were occurring a SAN might be justified.
Thinking about a NAS or SAN and want to make sure that latency is not an issue. Any recommendations (specifically actual implementations) would be helpful.
Thanks
Your systems sound pretty beefy, which makes me wonder about your network topology. Are you running all Gigabyte interfaces and switches?
A NAS would work best for your lab IMHO. I have PTK running on my 4TB NAS; it allows me to load the image for the case and have the analysts log in to it remotely from their respective workstations.
So are you looking at a 20 TB system, or are you going to expand further?
I think with 10 hosts you would struggle to hit the I/O threshold of a decent NAS or SAN controller.
It's more important to think about how you are going to carve up the disks, and how much network traffic you think you will generate.
For instance, if you go for a NAS that only has a couple of Ethernet ports, you'll probably find that it would be easy to hit a bottleneck.
Or if you go down the SAN route, you need to attach a server to it for file access, so again, you could be introducing network bottlenecks at the server's NIC.
As far as disks are concerned, disks are normally a lot more expensive than those that you'll put into a workstation. This may make it too expensive to carry on using RAID 1.
Another thing to consider is backup and archive. A good storage solution should offer the ability to directly attach a tape library, allowing you to backup straight from the storage, rather than having to drag the data back on to the network.
If this is going to be a significant investment for you, you might want to consider hiring a consultant for a design tailored to your working practices. If it's done correctly, centralised storage can help bring about massive productivity improvements, but get it wrong and you'll just rue the day that you bought it.
Greetings,
As a consultant who's set up a lot of NAS solutions for IT clients, I'd suggest going with a NetApp, a direct attach SCSI tape library, Symantec NetBackup with an NDMP license, and a 24 slot LTO3 library with two drives.
NetApps come in a lot of price ranges, and you can get some screaming deals on used units right now. They have quite a few network interface options to help avoid that bottleneck. They can be partitioned in many different ways to suit your needs, and repartitioned (to some extent) on the fly. If you get two, you can use SnapMirror to mirror one to the other for disaster recovery/hot spare.
And many more features.
There are many similar solutions, that's just the one I've rolled out most often, and it always worked.
-David
Greetings,
As a consultant who's set up a lot of NAS solutions for IT clients, I'd suggest going with a NetApp, a direct attach SCSI tape library, Symantec NetBackup with an NDMP license, and a 24 slot LTO3 library with two drives.
Good advice David, but out of interest, why a SCSI LTO3? I'm not criticising, just curious.
Speaking of the NetApp range, I'd be really interested to hear if anyone is using deduplication in their forensic lab?
Having spoken at length with IBM (who offer a rebadged NetApp range) I have a niggling concern about the fact that it changes the data. For instance, how do forensic tools react towards the deduplicated data? The other thing is, although the endpoint data's hash will be the same as before deduplication, could the deduplication process cast doubt on your case as the data has been changed whilst stored on your NAS?
Hope this makes sense, and I don't mean to hijack the post!
Pete
Greetings,
I go with the SCSI LTO3 simply because I started with one and they kept working for me. I'd attach both the backup server and the NetApp to the tape library with SCSI so each could write to one of the drives. LTO3 because it was the highest capacity format.
I looked at various deduplication appliances, and specifically the Data Domain product. I had the same concerns and even if I was comfortable with it, someone could use it to distract a court.
-David
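Added example, not part of the thread: a toy fixed-block deduplicating store in Python that illustrates the point raised in the last few posts, namely that the stored representation of an image changes while the image read back still matches its acquisition hash. The block size, the `DedupStore` class and the sample images are constructed for illustration and do not model NetApp or Data Domain internals.

```python
import hashlib

BLOCK_SIZE = 4096  # assumed fixed block size; real appliances differ


class DedupStore:
    """Toy block-level deduplicating store (illustration only)."""

    def __init__(self, block_size=BLOCK_SIZE):
        self.block_size = block_size
        self.blocks = {}   # block digest -> block bytes, each stored once
        self.recipes = {}  # file name -> ordered list of block digests

    def write(self, name, data):
        recipe = []
        for off in range(0, len(data), self.block_size):
            block = data[off:off + self.block_size]  # last block may be short
            digest = hashlib.sha256(block).digest()
            self.blocks.setdefault(digest, block)    # duplicate blocks are not stored again
            recipe.append(digest)
        self.recipes[name] = recipe

    def read(self, name):
        # Reassemble the logical file from its recipe
        return b"".join(self.blocks[d] for d in self.recipes[name])

    def physical_bytes(self):
        return sum(len(b) for b in self.blocks.values())


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def demo():
    # Constructed sample "images": a shared region plus a unique tail each
    common = b"\x00" * (BLOCK_SIZE * 64) + b"OSFILES!" * (BLOCK_SIZE * 4)
    image_a = common + b"case-A user data" * 1000 + b"end"
    image_b = common + b"case-B user data" * 1000
    acquired = {"a.dd": sha256_hex(image_a), "b.dd": sha256_hex(image_b)}

    store = DedupStore()
    store.write("a.dd", image_a)
    store.write("b.dd", image_b)

    # Re-verify each image against the hash recorded at acquisition
    verified = {n: sha256_hex(store.read(n)) == h for n, h in acquired.items()}
    return verified, len(image_a) + len(image_b), store.physical_bytes()


if __name__ == "__main__":
    print(demo())
```

The verification step is the same one a lab would run against a real share: hash the image as read back through the file interface and compare it with the value recorded at acquisition.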