davepawlak - you do not appear to be running any Mac software. Why spend the money for a Mac chassis?
If you are running FTK3 are you running Oracle on the same box as your exam machine? Running (or planning to run) any distributed processing?
I'll be running Blacklight which is now supported for both OSX and Win; however, it was previously only OSX. I will more than likely be running BL in OSX as it was initially designed.
Yes, I've been running FTK3 Oracle DB on an SSD within my lab machine with good results so far. I haven't done any distributed processing and am not yet set up for that. I would like to in the future, but that's in the air right now.
My biggest issue is the number of Macs I'm running across now for analysis. EnCase and FTK have been alright in working with HFS/HFS+ but Blacklight has been great.
Could you share thoughts?
Good thread drift - start yer own :)
For a field machine I would recommend that it has eSATA and USB 3.0 connections.
I currently use a Sony Vaio VPC-F13M8E/B Laptop, Intel Core i7, 1.73GHz, 4GB RAM, 500GB. (Cost £800)
This has decreased my imaging time dramatically compared to USB 2.0 connections.
I have also found that a good write speed for the target disk in the USB 3.0 connection is an important factor when reducing time on site.
You are out of my league for a lab machine. Mine was about £1,200 self built with SSD, 6GB RAM, i7, and powerful graphics card (for password cracking).
It runs FTK3 fine on the cases that I have thrown at it so far.
Good luck with your new machine.
For field machines - I take a junker workstation or use their own hardware to do the imaging.
If I have to conduct analysis on site, I FedEx my examiner workstation to their location.
Dell Precision workstations are just lovely.
Specifications for FTK 3 with the Oracle Database as of 5/10/2011
FTK UI and Primary Processing Engine on the Same Machine
If installing Oracle, the UI, and the processing engine all on the same machine, AccessData recommends one of the following hardware specifications (Recommended Minimum and Ideal):
Processor
Min - Intel® i7 or AMD equivalent
Ideal - Intel® i9, Dual Quad Core Xeon, i7 Nehalem or AMD equivalent
RAM
Min - 12 GB (DDR3) / 8 GB (DDR2)
Ideal - 12 GB (DDR3) / 16 GB (DDR2)
OS / Application Drive
Min - 7200 RPM drive with 64 MB cache
Ideal - 7200 RPM drive with 64 MB cache or SSD drive
Storage for Oracle database
Min - 7200 RPM drive with 64 MB cache dedicated exclusively to Oracle
Ideal - 160GB Solid State Drive (SSD) dedicated exclusively to Oracle
Network Card
Min - Gigabit
Ideal - Gigabit
HW RAID Controller
Min - N/A
Ideal - Highly recommended if hosting Oracle database. Configure with RAID 5, 6, or 10. Avoid RAID0.
Temporary Folder Location
Min - Set to OS Drive
Ideal - x-25 SSD drive or RAID0 partition w/ write-through
Drive Configuration
Min -
Drive Set 1: OS
Drive Set 2: Oracle Database
Drive Set 3: Case Folder and HD Image
Ideal -
Drive Set 1: OS
Drive Set 2: Oracle Database (SSD or HW RAID)
Drive Set 3: Case Folder and HD Image
Drive Set 4: (temp folder) SSD or RAID0 partition
Operating Systems
Min - MS Vista / 2008 / Windows7 (64-bit)
Ideal - MS Vista / 2008 / Windows7 (64-bit)
Read the fine print for FedEx on what they reimburse if lost or damaged.
I would never ship a PC through the mail or FedEx unless it was a dedicated courier or FedEx Freight.
I've lost an expensive item before through FedEx and I read the small print; needless to say, the check they gave to me was microscopic. Plus what about a backup, do you ship 2 machines to the site?
For FTK 3 I've had success with the following
HDD for OS drive/Processing Engine
SSD for FTK Temp and Pagefile.sys
10K rpm / SATA 6Gb/s for Oracle
RAID 5 - 10K rpm / SATA 6Gb/s for Case management
I use regular SATA Drives/Trays to put the images into.
This way each component (OS/ProcEngine, Oracle, Image, Temp/Pagefile, Case work) has its own drive(s).
I've processed 2 TB evidence drives full of files in under 7 hours while doing the whole processing (hash, index, entropy, expand compound files, file signature, registry reports, etc).
Good Luck!
Define full of files please.
Large email servers with compression, a standard home user drive, all .mp3, all video. Also, I noticed you left carving off there.
If you want to get technical :P
Office Documents, Home pictures/videos, thousands of emails through outlook, really long internet history and downloads (using Limewire, emule, bittorrent), gaming software like WoW, etc.
In this particular case I had a total of around 4 million files, I don't think the suspect ever "cleaned" the computer.
It was a Child Pornography case if you must know.
I don't carve until after I do the initial processing. Most of the time, the AUSA would like to have a short forensics report upfront, if possible.
Cheers!