codyf please check your inbox.
I have tried this a few times with varying results with EnCase, FTK, X-Ways and most phone tools.
All resulted in lower performance, which is obvious I guess. The advantages of having a clean system for everything were tempting, but the performance loss coupled with the config issues - especially for reading/writing to network storage - was too much of a pain. Added to this was the fact that we often run a bunch of jobs together. It quickly got to the point of having to have a lot of VMs saved, not to mention having to archive off data and case files.
Nice idea that I'll no doubt try again at some stage but right now running physically is easier.
What I learned is that you very much have to design your environment from the outset to use VMs. Trying to tack them on to an existing environment doesn't usually work well.
We didn't have an issue with storage, but we were running our own local domain on our forensic network using SAN storage and accessing the volumes through mapped iSCSI and UNC paths. That way we could access any storage from any machine on the network, virtual or physical. Every case had its own dedicated volume on the SAN, so even storage was isolated per VM. There were some other physical architectural considerations that sped up our storage as well.
X-Ways I found ran fine (storage speed was the main limiter here). EnCase we were speeding up considerably by offloading the processing to a dedicated processing server. Got better performance that way than I did on the local machines.
For me the two big advantages were isolated environments as well as the ability to work on another case while one was bogging down its VM doing whatever.
This type of environment is costly though. Ours was easily in the 6-figure range, and got to the point where more of my time was dedicated to network/environment maintenance than it was to actual forensic work.
VMs have a lot of advantages but they're definitely not a fit for everyone's forensic shop.
Sounds like a very clever setup. Like you say though, intensive to maintain but very, very clever.
Hats off to you for the effort and the results. I'm guessing that if you have a big enough lab (and budget) and can justify employing a network manager this seems a very good option.
Indeed. We ran an 8-10 person shop so it made sense to leverage the advantages of a VM environment, and luckily we had the budget to do it. It really started to get beyond us though with maintenance. A complex environment like that really requires dedicated expertise to operate.