Hello,
I am setting up a home lab for training purposes (learning forensics). I have limited hard drive space, but I do have an external 80 GB maxtor hard drive. If I format the hard drive in ext2/3 would it be okay to mount the external hd and just it for data analysis instead of buying a new internal hard drive? I know that I will take a hit in performance, but that is okay.
Thanks for the help.
Mark
Hi Mark
what do you intend putting on the drive, and what tools do you expect to be analysing it with ?
This may help you decide on how you will prep the drive, say, by way of formatting it or not.
Kern
Kern,
Thanks for the help. I have a 40 GB HD that has about 25 GB left. On that drive /home/… I will have all my tools, and just other programs etc. On the external drive I will have the data that I will be analyzing. Basically I am just imaging other hard drives and working on extracting the data. So the tools will stored and run locally on the hd against data sets that stored on the external hd. The tool results will be external as well.
Thanks,
mark
I find that it varies based upon what you are actually doing …
If you are carrying out an operation against the whole image, e.g. a string search then the speed difference can be quite noticeable.
If you are visually looking at the image in a Hex editor for Partition Tables, MFT etc. Then the computer will pretty much always work faster than you do, and, after the initial process of loading up the image, is usually OK.
I have found generally, that the more memory that the machine has though, the more bearable using an external drive for any sort of Forensic work is … 2Gb is better than 1Gb by a very, very long way. -)
For the record, I also use an external 500Gb drive in my home lab, I use it for storing images, but often, if I am organised enough, I will copy the whole or sub-sections to the internal disk in advance for analysis.
If you do feel that the investment is worthwhile, I would suggest that, if possible, if you add another internal disk, that you have a look at a swapable drive caddy - this will make life easier in the long run. Something like http//
Good Luck -)
It more depends on how you connect it. An external drive for forensic image files, connected via a SATA II interface or direct IDE would give you better performance than most! But even USB will give you reasonable performance given that you'll probably be using small test images rather than 1TB forensic acquistions.
James
I didn't realise that was possible without leaving the case open, but http//
Firewire isn't too shabby either performance wise …
Mark,
…/home/ so you're mainly *nix then and OSS ?
One thing to consider is that if you switch to a native windows environment it may not pick up a linux partition without additional software.
For file storage I have a large Sata drive with both MS and *nix partitions. Whichever OS i'm in on the main drive, i can move stuff over to storage without too much hassle.
I'd agree with azrael, the USB part may not necessarily be your bottleneck if you are carrying out certain tasks.
The tool results will be external as well.
Having one drive as source and another as destination may reduce hard drive thrash and speed up transfer too. So if for instance you store a bitwise image for analysis on the USB it may be better to write the results back to the native drive.
Kern
I use FAT32 drives … NIX and Windows compatible.
This is fine, so long as you aren't concerned with the maximum file size of 4Gb ( as near as dammit anyway … )
Indeed … and I fallen foul of it numerous times!