I am using F-Response on a live Exchange Server to image a data drive.
The machine cannot go down for imaging.
OS on RAID 0; data on RAID 5 SATA.
600GB capture of the full data drive with FTK Imager to .e01 over a 100 Mbps network with active traffic throughout the day/night.
Collection drive is a 1TB SATA 7200rpm external on USB 2.0 (the stupid PCMCIA eSATA card flaked).
I am at 40hrs with another 3hrs to go (at least). One of my collection laptops has been sitting locked in a server room for two days and I kinda want it back at some point!
Trying to think of ways to increase performance for these situations while maintaining minimal client downtime and forensic integrity.
Am I missing any obvious bottlenecks?
Next time I was thinking of having the admin pause traffic so I could swap in a gigabit switch between the server/collection system/rest of the network. Not as footprint-free as I would like.
I think that the USB external device is likely your bottleneck. I've never been happy with USB devices for acquisitions, but I've used F-Response with no problems whatsoever. I tried eSATA, but reliability seems to be an issue there. Our "enterprise" acquisition system is a server with an FC-attached SAS array, but in a pinch or when we have to improvise, we get a commodity machine with six SATA ports and load it up with disks.
The only problem is that you have to look before you buy. Many off-the-shelf systems use commodity motherboards (HPs, for example), save money by reducing the number of physical SATA connectors, and have lower-output power supplies, which can be a problem.
I would blame the network more than the USB drive.
It is too late now, but USB is faster if set for performance rather than quick removal.
Side note: it started running at 6 MB/sec and then settled to 3.4-4 MB/sec.
USB is not helping, for sure. I had to grab a new PCMCIA eSATA card in a pinch on the way, so I didn't have a lot of time to burn it in, and it would not work, so I went to USB.
iSCSI offers a nice solution in general, but as this says
http//
…" the limitations inherent with Ethernet networks such as IP overhead, latency, port oversubscription and iSCSI target initiator software."
Still, I think in general it is a double-edged sword, because it's great to plug in with minimal footprint and changes, but it does not allow for much source "tweaking".
Going to try to do some bench testing at some point with different OSs and iSCSI initiators to see if that makes any difference for the future.
I have just tried copying a 10GB file over a 100Mbps network that is absolutely quiet. The network is running at about 90%. The copy time is about 17 mins, or 35GB/hour. At this transfer rate, 600GB will take about 17 hours. If you load the network with other traffic to 50%, your 40 hours looks about right.
When I tried copying a 10GB file to a local USB drive, it took less than 9 mins, about twice the speed of the network transfer.
The speed between two different SATA drives on the same PC was similar to (slightly faster than) the external USB transfer. USB is actually quite fast.
Unless you need the whole drive, could you just get away by duplicating the Exchange data store?
You are taking a snapshot of a changing system, are you not? So, you would not be able to authenticate it using a hash since the server would change within minutes…
Of course, I could be missing something.
I wonder, if you had placed your destination drive directly into the machine, say on a spare IDE or SATA channel, and allowed the system to detect it and imaged directly to that drive, would you be done by now?
Running FTK Imager or dd from a CD (old and free Helix?) on the machine that is being imaged and saving your forensic image to an HDD connected via USB 2 may be quicker. I would use F-Response only if there are no USB 2 or FireWire ports on the machine or there is Gigabit Ethernet available.
UPDATE
Unless you need the whole drive, could you just get away by duplicating the Exchange data store?
You are taking a snapshot of a changing system, are you not? So, you would not be able to authenticate it using a hash since the server would change within minutes…
Of course, I could be missing something.
Funny you should say that…the situation changed on-site. Originally that is what I was going to do but then we had to shift gears for a full drive archive for preservation and had to roll with what I had.
I stopped the verification process because it listed another 40+ hours and would have just kicked back the verification because of the live image. There is a way to make a shadow copy, and from what I understand it would verify. All I really need for now in my investigation is a few older EDB files from a migration and archived PSTs, so those can be hashed separately.
Running FTK Imager or dd from a CD (old and free Helix?) on the machine that is being imaged and saving your forensic image to an HDD connected via USB 2 may be quicker. I would use F-Response only if there are no USB 2 or FireWire ports on the machine or there is Gigabit Ethernet available.
I wonder, if you had placed your destination drive directly into the machine, say on a spare IDE or SATA channel, and allowed the system to detect it and imaged directly to that drive, would you be done by now?
It was a situation that I wanted minimal source hardware and OS interaction so this was the best solution.
===============
All in all, it worked perfectly for the situation. The client was fine with the collection time; they just wanted no IT downtime or personnel tied up during the day and especially off hours. It was seamless; what more can I say?
Last night I picked up some new CardBus eSATA cards and drives for an older laptop that will now be my F-Response "set it and forget it" (ok, not forget it, because I monitor remotely) collection system. Now I know that I just have to budget the time.
Big thanks to Matt Shannon and the team at F-Response. I e-mailed Matt at 5:30pm EST last Thursday because this came in fast and I needed the F-Response dongle the next day. He told me to place the order online and it would ship by 6pm. I have heard this from many vendors over the years that have then fallen flat on the promise, but the next day at 10am I had it in my hands!
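The separate hashing of the EDB and PST files mentioned in the update above, as an added example that is not from the thread or from F-Response: a small Python script that builds a two-digest (MD5 and SHA-256) manifest of the collected files, read in chunks so multi-GB databases do not need to fit in memory, and re-verifies it later. The final step alters one byte after collection to show the kind of post-collection change that makes verification of a whole live image fail, while the untouched files still verify individually. The file patterns and the sample files are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Patterns for the files the thread says will be hashed separately
# (Exchange EDB databases and archived PSTs). Assumed defaults for this example.
DEFAULT_PATTERNS = ("*.edb", "*.pst")


def hash_file(path, chunk_size=4 * 1024 * 1024):
    """Return MD5 and SHA-256 hex digests plus size for one file.

    The file is read in fixed-size chunks so multi-GB EDB/PST files do not
    have to fit in memory; both digests are fed from the same single pass.
    """
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(),
            "sha256": sha256.hexdigest(),
            "size": os.path.getsize(path)}


def build_manifest(root, patterns=DEFAULT_PATTERNS):
    """Hash every file under root matching patterns, keyed by relative path."""
    root = Path(root)
    manifest = {}
    for pattern in patterns:
        for p in sorted(root.rglob(pattern)):
            if p.is_file():
                manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def verify_manifest(root, manifest):
    """Re-hash each manifest entry; return [(relpath, reason), ...] for any
    file that is missing or whose digests no longer match."""
    root = Path(root)
    problems = []
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            problems.append((rel, "missing"))
            continue
        actual = hash_file(p)
        if (actual["md5"], actual["sha256"]) != (expected["md5"], expected["sha256"]):
            problems.append((rel, "hash mismatch"))
    return problems


def demo():
    """Constructed sample data (not real evidence): two target files and one
    non-matching file in a temp directory. Builds the manifest, verifies the
    untouched copy, then alters one byte of a file and verifies again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "old").mkdir()
        (root / "old" / "priv1.edb").write_bytes(b"\x00" * 100_000)
        (root / "archive.pst").write_bytes(b"!BDN" + b"\x00" * 5_000)
        (root / "notes.txt").write_bytes(b"not collected")

        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)

        # Simulate the live-data problem: one byte changes after collection.
        with open(root / "archive.pst", "r+b") as fh:
            fh.seek(2048)
            fh.write(b"\xff")
        changed = verify_manifest(root, manifest)

    return sorted(manifest), clean, changed


if __name__ == "__main__":
    names, clean, changed = demo()
    print("hashed:", names)
    print("clean copy:", clean or "verified")
    print("after change:", changed)
```

Point it at the mounted image or at the extracted EDB/PST files and write the returned manifest out (for instance as JSON) next to the evidence; recording both digests matches what imaging tools put in their logs, and a later verify_manifest run against the working copy is the per-file equivalent of the E01 verification that could not complete on the live image.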
Theoretical maximums:
USB 1.0: 2 Mbps
USB 2.0: 12 Mbps
USB 2.0 High Speed: 480 Mbps*
FireWire 400 (1394a): 400 Mbps
FireWire 800 (1394b): 800 Mbps - 1600 Mbps
100BASE-T: 100 Mbps
10BASE-T: 10 Mbps
1000BASE-T: 1000 Mbps
ATA-133: 1064 Mbps
SATA-150: 1200 Mbps
* Not all USB 2.0 is High Speed. Actual performance may be much lower (various benchmarks have established observed performance in actual systems to be about 30% of the theoretical maximum).
I used F-Response Enterprise (and I echo your kudos to Matt for the tremendous and timely response to some issues that I was having with iSCSI) to acquire 13 laptops and 5 virtualized servers using FTK Imager and compressing the images. The acquisition system was Vista 64-bit running on a quad-core system with 8 Gbytes RAM on a switched 100 Mbps network. These were live systems that were in active use. I had 6 Tbytes of SATA-attached storage (5 if I exclude the boot drive).
In all, I acquired 2.4 Tbytes in a little less than 4 days. I'm not saying that the network isn't a factor, but I can't help but think that USB is a contributor. In our internal network, accessing network-attached storage is noticeably faster than USB-attached storage.