
Analyzing Hardware for EnCase v8 Optimization

Jim Borecki, Digital Intelligence Inc.

DIC 2017
My Background and Role
• Tableau Forensic Products – 2006 thru 2015
  • Based in Wisconsin, USA
  • Forensic Imaging Products – Duplicators, Write Blockers, & Tableau Imager
• Guidance Software – 2010 thru 2015
  • Vice President of the Forensic Business Unit
• Digital Intelligence – 2016 forward
  • Business Development
• Engineer and Business Manager by Education / Training
Who Performed The Testing?
• Jim Woodring
• Digital Intelligence Systems Engineer
• Test Workstations with various industry software
• Certify new versions
  • Hardware
  • Operating Systems
• FRED C Forensic Datacenter
  • R&D
  • Installation and Training
  • Support
Why We Test…
• System Compatibility and Stability
• Resource Requirements
  • CPU/Cores
  • Memory
  • Disk Subsystems
    • Rotational Media
    • SSD
    • NVMe
    • RAID and RAID configurations
• Result – we can provide INFORMED assistance during system selection and support!
How We Test…
• Script Processes
  • Determine “typical” processing options
  • “profile” of Application
  • Run test in phases to isolate the demands of each function
    • Evidence Verify
    • Pre-Processing
    • Indexing
    • Carving
• Select Baseline System
  • Typically entry-level FRED
  • Examine combined storage volumes
• Single Factor Tests
  • Alter one resource
• Multiple Factor Tests
  • Select “best” resources
  • Confirm Assumptions and Optimize
Test Phases
• Verify – part of adding evidence
  • Checks the integrity of the E01 files
• Pre-Process
  • Start with “defaults”
  • Alter based on input from DI’s Services team
  • Add protected file analysis
    • Checks for file encryption
Test Phases - continued
• Index
  • De-select all current options
  • Select “Index text and metadata”
  • Select “East Asian Script Support”
• Carve
  • Select File Carver module
  • Note – carving utilizes the Hash Libraries
Evidence Repository
• Source http://digitalcorpora.org/corpora/files
  • Courtesy of Garfinkel, Farrell, Roussev and Dinolt, “Bringing Science to Digital Forensics with Standardized Forensic Corpora”, DFRWS 2009, Montreal, Canada
• Build Repository
  • 1 million “random” files (GovDocs)
  • Enron dataset
  • Browsing History
• Process to create Test Disk
  • Sample files to get appropriate dataset size
  • Prepare base OS install (Win10)
  • Make users w/ “desktops” and other supporting structures
  • Copy files to user’s “documents” (round-robin)
  • Obfuscate by changing extension periodically
  • Copy and delete to “fragment” the drive – create carving challenge
  • Put sample Internet Activity into a single user’s browser history files
    • https://www.symantec.com/connect/articles/web-browser-forensics-part-1
• See also http://www.forensicfocus.com/images-and-challenges
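The test-disk build steps above, as an added Python example (not Digital Intelligence's own script): round-robin distribution of files across users, a decoy extension on every Nth file, and copy/delete of filler files between copies to fragment free space. The manifest it returns is ground truth for scoring signature analysis and carving results later; DECOY_EXT, the user names and the 30-file sample corpus are constructed for the demo.

```python
"""Lay out a test disk as the talk describes: round-robin files across users,
decoy extension every Nth file, copy/delete filler to fragment free space."""
import os
import shutil
import tempfile
from pathlib import Path
DECOY_EXT = ".dat"  # assumed misleading extension for obfuscated files

def plan_layout(files, users, obfuscate_every=10):
    """Round-robin each file into a user's Documents folder; every Nth file gets
    a decoy extension. The manifest is ground truth for scoring carving later."""
    plan = []
    for i, src in enumerate(files):
        src = Path(src)
        obfuscated = (i + 1) % obfuscate_every == 0
        name = src.stem + (DECOY_EXT if obfuscated else src.suffix)
        plan.append({"src": str(src), "true_ext": src.suffix.lower(),
                     "obfuscated": obfuscated,
                     "dest": str(Path("Users", users[i % len(users)],
                                      "Documents", name))})
    return plan

def apply_plan(plan, dest_root, fragment_every=25, filler_bytes=64 * 1024):
    """Copy files per the plan; after every `fragment_every` copies write and
    delete a filler file so later copies are allocated around the hole."""
    root = Path(dest_root)
    for i, item in enumerate(plan, start=1):
        dest = root / item["dest"]
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(item["src"], dest)
        if i % fragment_every == 0:
            filler = root / f"filler_{i}.tmp"
            filler.write_bytes(os.urandom(filler_bytes))
            filler.unlink()
    return sum(1 for item in plan if (root / item["dest"]).is_file())

def demo():
    """Constructed run: 30 tiny sample files, 2 users, every 10th obfuscated."""
    work = Path(tempfile.mkdtemp(prefix="testdisk_"))
    src = work / "corpus"
    src.mkdir()
    files = []
    for n in range(30):
        f = src / f"doc{n:03d}{['.pdf', '.html', '.jpg'][n % 3]}"
        f.write_bytes(b"sample file %d\n" % n)
        files.append(f)
    plan = plan_layout(files, ["alice", "bob"], obfuscate_every=10)
    copied = apply_plan(plan, work / "disk", fragment_every=5)
    shutil.rmtree(work)
    return plan, copied
```

Whether the filler trick actually fragments depends on the file system allocator, so verify with a defrag analysis before imaging the disk.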


“ImageDisk7”
• Windows 10 x64
• 2 users
• 51 GB data / ~96,000 user files
• Split evenly between the 2 users
• 46 file extensions*
  • Note some may be obfuscated
• Baseline system test takes ~8 hours
• Internet history “injected” for one user
• Image with Tableau Imager / Digital Intelligence UltraBay 4
• 29 E01 Files

Count   Extension     Count   Extension
21009   .PDF          17      .PST
19424   .HTML         14      .TEX
19395   .JPG          14      .TMP
 7161   .TXT          13      .TROFF
 6979   .DOC           7      .BMP
 5782   .XLS           4      .PUB
 4461   .PPT           4      .SGML
 3298   .GIF           3      .GLS
 1961   .PS            3      .XLSX
 1668   .CSV           1      .BAT
 1287   .GZ
  945   .LOG
  491   .EPS
  …     …
System Resources and Testing
• CPU/Cores
  • X99 (i7 6800K Family)
  • Z10 (Xeon E5-2600 Family)
• Memory
• I/O Subsystem Types and Architectures
• Single Factor Testing
  • Identifies the relative contribution of a specific resource
  • May have inter-dependencies
• Multi-factor Testing
  • Combines “best contributors” to obtain cumulative improvements
  • Helps identify and resolve inter-dependencies
CPU Concepts
• Clock speed
  • Faster clock speed can yield faster test times when:
    • There are “single threaded” processes like Validation
    • Either the application, the specific workload, or the forensic process in general doesn’t lend itself to multi-threading
• Threads (Hyper-threading = 2X cores)
  • Increased cores for the same clock speed doesn’t have much effect (< 1%)
  • More cores usually result in reduced clock speed due to thermal issues

CPU – i7
• Intel(R) Core(TM) i7-6800K CPU @ 3.4 GHz – 6 cores – 12 threads
• Thread loads are well balanced – StdDev = 5.3
• The average thread is 32% utilized

CPU – Xeon
• Intel(R) Xeon(R) CPU E5-2620 v4 @ 2.1 GHz – 8 cores – 16 threads, and 2 processors = 32 threads
• Threads are well balanced – StdDev = 5.3
• The average thread is 12.5% utilized
Memory
• Measures “Committed Memory”
  • Committed to application(s)
• Extremely sensitive to case contents and size
  • Large carving jobs need more memory
• Additional memory used by Operating System
  • I/O Buffering
  • “Background” processes/services
• The effects of memory changes are hard to predict – testing is required
Disk I/O
• 7 Different I/O Channels Identified
  • OS – Operating System
  • OSTEMP – TMP and TEMP environment variables
  • Evidence – E01 file storage
  • Case – Case file location
  • Cache – Cache file location
  • APPTEMP – “TEMP” sub-folder of Case file location
  • KFF – File signatures (NIST)
• Examine Throughput, I/O Operations, Disk Queue Length
• Example - Disk Q Length
  • Shows Channel Activity
  • Identifies “bottlenecks”
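As an added example of using Disk Queue Length per channel and per phase to spot the bottleneck (not DI's tooling), a Python script over a constructed perfmon-style CSV; the drive-letter-to-channel mapping, the phase column and the queue-length threshold are assumptions.

```python
"""Rank the talk's I/O channels by Avg. Disk Queue Length per test phase from
a perfmon-style CSV export; drive mapping and threshold are assumptions."""
import csv
import io
import re
from collections import defaultdict

CHANNEL_BY_DRIVE = {"C:": "OS", "T:": "OSTEMP", "E:": "EVIDENCE", "S:": "CASE",
                    "H:": "CACHE", "A:": "APPTEMP", "K:": "KFF"}
PHASES = ["Verify", "Pre-Process", "Index", "Carve"]

# Constructed sample: perfmon writes one column per counter instance; the
# "phase" column is assumed to be stamped by the script that drives EnCase.
SAMPLE_CSV = r"""phase,\\FRED\PhysicalDisk(0 C:)\Avg. Disk Queue Length,\\FRED\PhysicalDisk(1 E:)\Avg. Disk Queue Length,\\FRED\PhysicalDisk(2 H:)\Avg. Disk Queue Length
Verify,0.25,3.5,0.25
Verify,0.5,4.0,0.5
Index,0.25,1.0,2.5
Index,0.5,1.5,3.0
Carve,0.25,1.25,1.25
Carve,0.25,1.25,1.75
"""

def channel_of(counter_path):
    """Map a perfmon PhysicalDisk(<n> <letter>:) counter path to a channel."""
    m = re.search(r"PhysicalDisk\(\d+ ([A-Z]:)\)", counter_path)
    return CHANNEL_BY_DRIVE.get(m.group(1)) if m else None

def queue_by_phase(csv_text):
    """Return {phase: {channel: mean Avg. Disk Queue Length}}."""
    samples = defaultdict(lambda: defaultdict(list))
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col, value in row.items():
            ch = channel_of(col)
            if ch:
                samples[row["phase"]][ch].append(float(value))
    return {p: {c: sum(v) / len(v) for c, v in chans.items()}
            for p, chans in samples.items()}

def bottlenecks(csv_text, threshold=2.0):
    """Per phase: (busiest channel, mean queue length, saturated?). Threshold is
    an assumed rule of thumb: a queue well above 2 means requests are waiting."""
    stats = queue_by_phase(csv_text)
    out = {}
    for phase in PHASES:
        if phase in stats:
            ch, q = max(stats[phase].items(), key=lambda kv: kv[1])
            out[phase] = (ch, round(q, 2), q > threshold)
    return out
```

On a real FRED, log the PhysicalDisk counters with perfmon or logman to CSV and stamp each row with the phase that was running when it was sampled.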
Storage Channels and Application Demands

Location   Write Performance   Throughput   IOPS     Queue Depth   Storage Capacity Desired (% of E01 size)   Fault-Tolerance
OS         Low                 Low          Low      Low           Low                                        Low
OSTEMP     Medium              Medium       High     Medium        Medium (100%)                              None
EVIDENCE   High                High         None     High          High (100%)                                High
CACHE      Medium              High         High     High          Very High (300%)                           Medium
CASE       None                None         None     None          Low                                        Medium
APPTEMP    Medium              Low          Medium   Medium        Low (10%)                                  None
KFF        Low                 Low          None     Low           Low (Fixed < 40GB)                         None
Discussion of I/O Architectures

Type              IO Operations / Throughput   Strengths                                              Weaknesses
SATA Mechanical   Low / Low                    Low $$ per GB, High Capacity                           Slow, No Fault-tolerance
SATA SSD          Medium / Medium              Good IOPS and Throughput                               No Fault-tolerance, Limited Capacity
RAID 5            Medium / High                Good Read Performance, Fault-tolerant, Good Capacity   Poor Write Performance, Increased Storage Overhead
RAID 10           High / High                  Good Read/Write Performance, Fault-tolerant            High Storage Overhead
NVMe              Very High / High             Excellent IOPS and Good Read/Write Performance         No Fault-tolerance, Limited Capacity, High Cost
Single Factor Results
• Benefits
  • Maximum Memory
    • Affects Pre-Processing
  • Increased Clock Speed
    • Affects Verify, Indexing, and Carving
• Surprises
  • RAID-5 vs RAID-10
  • RAID CACHE Volume

Multi-factor Results
• Benefits
  • Confirms decision to combine CASE and EVIDENCE volumes
  • ~35% overall performance improvement
• Surprises
  • RAID w/SSDs does not differentiate itself
Conclusions
• Increased Benefit
  • Maximize Memory
  • Maximize CPU clock speed
  • RAID for read-intensive volumes
    • Evidence
  • KFF on high IOPS volume
  • RAID for write-intensive volumes
    • Cache
• Reduced Benefit
  • Increase # of Cores
    • Usually results in lower clock speeds due to thermal issues
  • RAID-10 vs RAID-5
    • Significant loss of storage capacity with no major performance improvement
  • Case – little or no activity*

* APPTEMP has some impact


In Closing
• Your mileage may vary…
• Many factors are affected by evidence quantity and makeup
  • Image processing
  • Lotus Notes
  • Other “plug-ins”
• Could vary by case or by discipline
• Only you can determine what makes sense in your situation
Thank You!
• Questions?
• Coming Soon - Look for the full report on our website http://www.digitalintelligence.com
