Recently we acquired funding to purchase a new fileserver/forensics workstation. Here is what we have
ASUS M3N-HD/HDMI motherboard
AMD Phenom 9550 2.2 GHz Quad-Core processor
4 GB DDR2 1066 RAM
6 - Seagate Barracuda 1 TB hard drives
Western Digital 120 GB IDE drive (for operating system)
other hardware as needed
Here is what we want to do
120 GB drive is the main operating system drive
6x1TB drives in RAID 5 array (approx. 4.5 TB when finished) is storage for current / recent cases.
Currently all of our forensic workstations run Win XP Pro SP2 (32-bit).
I would like to keep it that way, however, XP (32-bit) doesn't support a single drive over 2TB because of the way MBR works and of course, the raid array shows up in Windows as a single 4.54 TB drive.
So here are the options I've come up with
1. Temporarily install Vista and get the raid array set up as GPT with a single NTFS partition, then reinstall Win XP SP2 and use GPT Mounter by Mediafour to mount the drive.
2. Realize that the world moves on and just switch to Vista Enterprise as the OS for the new system. Should have drivers for all the hardware, but question how software will like this.
3. Switch to Windows Server 2003 SP1 (or greater). Not sure about drivers, will have to look. Also unsure about software.
So, my question is - what would you recommend? Does anyone have experience with a Vista or Server 2003 forensics workstation? We primarily use EnCase v5.05j for our forensics work with
NetAnalysis 1.36,
FTK Imager 2.3,
SnagIt 7.1,
CaseNotes 1.0.2007.7
Paraben Email Examiner 5.0
BitPim 0.9.12
Flint Software's Case Manager 1.2.6
QuickView Plus 6.0.1
and other miscellaneous tools which are rarely used.
If you have any experience with any of the above software working or not working in either Vista Enterprise or Server 2003 SP1 (or later), I would appreciate it. Also if you have experience with the 64-bit versions of these operating systems and whether they would be beneficial or not, I'd like to hear it. I know that for Vista, 64-bit is needed to take full advantage of the 4 GB of RAM.
For now stick with a 32-bit OS until your tools of choice migrate that direction. W2K3 has been quite a workhorse for us, albeit pretty pricey for a workstation OS.
Really I want to ask you for same subject too.
My question is about fileservers (storage servers).
I thing to use all in one systems like Dell PowerVault MS30001 SAN for our five examiner-in lab.
As you know SAS technology gives 3.0 Gbps write-speed with 15.000 RPM SAS discs. And Dell use it in this model.
Please look this product ( http//
and write your suggestions.
Thankyou.
I thing to use all in one systems like Dell PowerVault MS30001 SAN for our five examiner-in lab.
As you know SAS technology gives 3.0 Gbps write-speed with 15.000 RPM SAS discs. And Dell use it in this model.
In a multi-examiner lab there are certainly advantages to be gained from centralized storage. I have used Dell for quite some time and find they provide good value for the money. They are not the fastest nor the most innovative but provide good service and value.
A couple of items to keep in mind
-Connectivity your infrastructure for connecting to an iSCSI array is very important. There is little reason to consider FiberChannel in your situation, just do not skimp on the Gb Ethernet portion of the system. Also, using a TCP/IP offload engine (TOE) on the iSCSI target port within the storage system can have a measurable positive impact on performance (not sure if this is available in the MD3000i as I did not dig into the specs).
-Utilizing a wide stripe group can give a significant performance advantage over traditional volumes. That difference can more than make up for any difference between iSCSI and FiberChannel.
As is the case in any network environment, security, disk quotas and backups should be carefully considered.
Harky,
I agree with BitHead. Windows 2003 Server is the way to go. Although it's quite expensive for a license. I doubt you'll have a problem with drivers - it should be fine.
For now, I'd stay away from 64 bit OSes. We've done some trials here and have had numerous problems. Performance was so bad (probably due to drivers) that we had to revert back to 32 bit 2003 Server.
If you do go with the Windows 2003 Server option, then have a look at this article on how to convert 2003 server to a workstation.
2. Realize that the world moves on and just switch to Vista Enterprise as the OS for the new system. Should have drivers for all the hardware, but question how software will like this.
The world may move on, but it doesn't necessarily get better! Personally (and I don't want to start a big flame war), I think Vista is a huge disappointment. 2003 Server is far better as a workstation.
HTH
)
My first suggestion is that you do NOT use Seagate or Western Digital drives.
Seagate have, in recent months, become the most unreliable drive I know of.
For many years, Western Digital have had worse-than-average reliability.
I would recommend Hitachi drives for your array and a Samsung 320GB for your system drive.
Make sure you get a top-spec Raid card (Areca ARC1220) and have a hot spare enabled.
I'd be disinclined to go for a quad-core; instead, I would choose a high-speed dual core. (Unless, if course, your applications are specifically written to support multiple cores.)
I would still avoid Vista like the plague. I run a high-spec system with Windows XP 64-bit, fast Intel dual core CPU, 8GB memory and an Areca RAID card (which is configured as RAID 0, but is only used for temporary storage - but it transfers data at nearly 200MB per second real time.)
What is the need to involve GPT?
A good 24" widescreen monitor is so much easier to work with - highly recommended.
Just my angle from having been in storage and data recovery for many years…
Duncan
I'd be disinclined to go for a quad-core; instead, I would choose a high-speed dual core. (Unless, if course, your applications are specifically written to support multiple cores.)
Just as an aside to this, if you are an FTK user you will find that a single core processor is the recommended CPU and is faster than a dual or multi-core. This is from personal experience, having just shelved some nice multi-core machines and dusted off a slightly older single core model after working with AD on some serious performance problems with 1.X.
My first suggestion is that you do NOT use Seagate or Western Digital drives.
Seagate have, in recent months, become the most unreliable drive I know of.
Yeah? We use the Seagate Enterprise models and these are really really good. I agree about WD. I tend to avoid those too.
I would recommend Hitachi drives for your array and a Samsung 320GB for your system drive.
I use both Hitachi and Samsung at home. The Samsungs are really superb. Very quiet, but more importantly, they run very cool. The Hitachi on average runs 6 degress C higher than the Samsungs, but still a good drive. I would lean towards the Samsung F1 more though.
Duncan, do you run any Forensic software on the 64 bit workstation? Do you experience any problems with it?
This is the current situation
The hardware was all purchased prior to the initial post, so the hardware mentioned is the hardware to be used.
Following BitHead's initial suggestion (and our prior experience), we chose to stick with 32-bit OS. However, we chose to try Vista. Primarily because we had access to it without need to purchase a license due to the University's license agreement (also, I have heard, but not confirmed, that Nvidia has poor driver support for Win2k3, and the motherboard chipset and video card are both Nvidia). Purchasing the hardware was time-sensitive, however getting the system running is not, so we can still change if this proves too problematic.
So far, the only software we have not gotten running in Vista is
PartitionMagic 8.0 (wholly incompatible from everything I've read)
- if anyone has a (especially free) vista-compatible alternative to
be able to support formatting large drives fat32, please let me know
WriteBlocker XP
- if anyone knows of a forensically sound software write blocker
compatible with vista, please let me know
I will keep you updated as the build continues.
What is the need to involve GPT?
Everything I have read is that the MBR partitioning scheme (at least as far as windows is concerned) does not support drives greater than 2 TB. The raid-5 array shows up as a single 4.5 TB drive to the operating system. If you know of another workaround, I would love to hear about it. The only solutions I have found are here
The third option sounded good, but the built-in raid on the motherboard does not seem to support such a configuration. The best I could do is create two independent raid-5 arrays (3 drives each) and thus lose two drives worth of space.
A good 24" widescreen monitor is so much easier to work with - highly recommended.
Duncan
How do triple 17" monitors sound?
My first suggestion is that you do NOT use Seagate or Western Digital drives.
Seagate have, in recent months, become the most unreliable drive I know of.
Yeah? We use the Seagate Enterprise models and these are really really good. I agree about WD. I tend to avoid those too.
I would recommend Hitachi drives for your array and a Samsung 320GB for your system drive.
I use both Hitachi and Samsung at home. The Samsungs are really superb. Very quiet, but more importantly, they run very cool. The Hitachi on average runs 6 degress C higher than the Samsungs, but still a good drive. I would lean towards the Samsung F1 more though.
Duncan, do you run any Forensic software on the 64 bit workstation? Do you experience any problems with it?
Sorry about the delay in responding - I've been totally flooded with raid array recovery work.
The only forensic software I use is X-Ways forensics.
I experience no more problems under Windows XP-64 than on my 32-bit recovery workstations.
Don't be misled by "enterprise" drives. I don't for one second believe that they are necessarily any more robust than "normal" drives.
I reiterate my lack of confidence in Seagate products - none excluded.
Duncan