I am thinking about converting our physical forensics lab into a virtual environment, replacing our physical boxes with virtual machines. Has anyone tried this, or have any thoughts about it? Of course, the servers hosting the virtual machines will need to be pretty beefy so that the VMs have adequate RAM and CPU dedicated to each. We currently have 20+ physical boxes (12GB RAM, dual-core Xeon CPUs each), not all running at the same time, but we have a lot of processing power available to us currently. It would be nice to replicate that type of system but cut down on the electrical, AC, and maintenance costs, not to mention the headaches of upgrading and updating 20+ machines whenever Guidance or AD releases a new version.
Any thoughts are appreciated.
Generally CF tends to tax your hardware pretty majorly during processing and searching. I think you're in danger of serious performance degradation and lost productivity if you virtualise.
We are in the process of doing exactly what you describe right now in our agency and have been working out the specifics. I can tell you that it is a costly venture.
What I can say, and what we have found, is this: VMs are not really the way to go. When I say VMs, I mean VMs with VM disks etc. What you would want is a virtual desktop / client environment, accessing AD Lab over a fiber connection with AD Lab running on crazy high-end servers. AD Lab is the only way to go to take advantage of and harness the resources of what I am about to explain. It is the only forensic application that will use all of the hardware processing power that you can throw at it.
We are looking at a vendor which will be running 4 rack servers, each with 24 cores of processing power and hundreds of Gigs of RAM (in each... I forget the ridiculous amount of RAM we were talking about... maybe 200-some Gigs of RAM in each), each of which will be run by its own "command center". You then run a Virtual Desktop on a thin client machine to do your review and analysis. With the 4 rack servers and 4 associated command centers, I can simultaneously process 4 cases, each handling a case. If I have a high-priority case and no one else is processing, I can combine all 4 into a single profile and throw 96 CPU cores and 1 TB of RAM at it. This is for the processing side. Of course we would also have a large amount of storage for archival of our cases.
This is the sort of setup where you would image directly over the wire (fiber) in your office to the server, and all processing would take place on the server. When I refer to processing, I mean everything done, including indexing, to get you ready to start plowing through the data looking for your evidence. After processing, the server would move on to the next job that may be in the queue waiting to be processed by another examiner.
During the review / analysis of the evidence, including things like keyword searches, the processing servers aren't taxed or utilized and are devoted to other tasks as needed on what we are calling "processing" (which needs the heavy horsepower).
I hope this helps out somewhat.
Det. Tim Moniot
Las Vegas Metropolitan Police Department
Computer Forensic Unit
Generally CF tends to tax your hardware pretty majorly during processing and searching. I think you're in danger of serious performance degradation and lost productivity if you virtualise.
Agreed... *IF* you're going the GSI/AccessData route. You're gonna need some considerable horsepower for those apps and the kind of work that you do with them.
However, using free and open source tools, you can be far more effective. Have you considered having a physical system for your usual work and VMs for when you want to "go commando" (i.e., no dongle)?
Thanks all for the very informative comments. We aren't a huge shop by any means, but when we are crunching the data (recovery, indexing, carving, etc.) we don't want to wait forever. We currently have 2 data-crunching machines, 24GB RAM, dual quad-core CPU, that work very well when doing the heavy lifting in EnCase and FTK Forensic. We don't use FTK Lab. I think we would continue to use the 2 workhorses for this type of processing but utilize the analysis machines for the digging and poking that takes place post-processing, and this is where I feel like VMs might work well. If each was outfitted with 8GB, dual core, etc., then I think this would work. We also currently utilize NASes to store our evidence and case data. It might be different with FTK Lab or EnCase Enterprise, but I have never seen EnCase or FTK max out the CPU and/or RAM in our machines, most likely because this is a limitation of the software not utilizing the resources. We would use remote desktop to access the VMs, not have individual thin clients.
Timbo, what you describe sounds like geek paradise. I doubt we could do that, but I'm very curious to hear your results. Why are you limited to only processing 4 cases at once? If each rack has 24 cores and 200GB RAM, I would think you could process more than 1 case/rack unless you actually can use all the hardware at once.
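The sizing question in the post above (how many 8GB / dual-core analysis VMs a host can carry without oversubscribing the cores that EnCase or FTK will actually saturate during processing) is easy to get wrong by hand. The following is an added example, not code from anyone in this thread: a small first-fit capacity planner that packs constructed VM profiles onto constructed hosts, holds back memory for the hypervisor, and refuses to oversubscribe CPU beyond a chosen ratio. The host and VM figures are made up for illustration and are not a vendor's specification.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Host:
    """A hypervisor host (constructed figures, not a real server)."""
    name: str
    cores: int
    ram_gb: int


@dataclass
class VMProfile:
    """An analysis VM template (constructed, hypothetical sizing)."""
    name: str
    vcpus: int
    ram_gb: int


@dataclass
class Placement:
    host: str
    vms: List[str] = field(default_factory=list)
    vcpus_used: int = 0
    ram_used_gb: int = 0


def place_vms(hosts: List[Host], vms: List[VMProfile],
              cpu_ratio: float = 1.0,
              hypervisor_reserve_gb: int = 4) -> Tuple[List[Placement], List[VMProfile]]:
    """First-fit placement of VMs onto hosts.

    cpu_ratio is the permitted vCPU:physical-core oversubscription; 1.0 means
    none, which is the safe choice when the guests run evidence processing
    that pegs every core it is given. hypervisor_reserve_gb is memory held back
    for the host itself. Returns (placements, vms_that_did_not_fit).
    """
    placements = [Placement(host=h.name) for h in hosts]
    unplaced: List[VMProfile] = []
    for vm in vms:
        for host, slot in zip(hosts, placements):
            cpu_budget = int(host.cores * cpu_ratio)
            ram_budget = host.ram_gb - hypervisor_reserve_gb
            if (slot.vcpus_used + vm.vcpus <= cpu_budget
                    and slot.ram_used_gb + vm.ram_gb <= ram_budget):
                slot.vms.append(vm.name)
                slot.vcpus_used += vm.vcpus
                slot.ram_used_gb += vm.ram_gb
                break
        else:
            unplaced.append(vm)
    return placements, unplaced


def analysis_farm(n_vms: int) -> List[VMProfile]:
    """Build n constructed analysis VMs matching the 8GB / dual-core idea."""
    return [VMProfile(f"analysis-{i:02d}", vcpus=2, ram_gb=8) for i in range(n_vms)]


def demo() -> Tuple[List[Placement], List[VMProfile]]:
    # Two constructed hosts; the 24-core figure mirrors the thread's example racks.
    hosts = [Host("vmhost-a", cores=24, ram_gb=192),
             Host("vmhost-b", cores=24, ram_gb=192)]
    return place_vms(hosts, analysis_farm(12))


if __name__ == "__main__":
    placed, left = demo()
    for p in placed:
        print(f"{p.host}: {len(p.vms)} VMs, {p.vcpus_used} vCPU, {p.ram_used_gb} GB")
    print("unplaced:", [v.name for v in left])
```

With a 1:1 CPU ratio the first 24-core host absorbs all twelve dual-core VMs (24 vCPUs, 96 GB) and the second host stays empty; dropping the hosts to 12 cores each, or raising the VM count, pushes the remainder into the unplaced list rather than silently oversubscribing. Raise cpu_ratio only for the post-processing "digging and poking" workload, where the CPUs sit mostly idle.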
Keep in mind the license considerations if you go for a fully virtualised environment. Oracle running within a VMware-hosted server (Windows/Linux/whatever), for example, must be licensed for each available CPU core within the VM host; it cannot just be licensed for the cores allocated within its virtual server.