FTK 4 System Spec Guide
Dec 16, 2012

Forensic Toolkit® System Specifications Guide
February 2012

©2012 AccessData Corporation, All Rights Reserved.

When it comes to performing effective and timely investigations, we recommend examiners take into consideration the demands the software, and specifically PostgreSQL, will make on their hardware resources. Depending on the size and scope of a given investigation, Forensic Toolkit® 4 (FTK®) and AccessData Enterprise will push hardware resources to their limits.


FTK Components and Their System Requirements

FTK is made up of four separate components/applications, each of which is installed separately and performs a different function. These components are the PostgreSQL Database, the FTK Client User Interface (UI), the Client-side Processing Engine and the Distributed Processing Engine. When configuring a system to run FTK, it is helpful to understand the hardware requirements of each of these components/applications and the strain each of them places on the hardware.


PostgreSQL Database

The PostgreSQL database is a key component of the FTK application. PostgreSQL stores the processed metadata and performs all the queries, sorts, filters, file listings and other functions requested by the Client UI.


- RAM: To achieve maximum product performance, especially during review, it is important to provide PostgreSQL with as much RAM as possible. PostgreSQL should be installed on a machine running a 64-bit operating system with at least 8GB of RAM whenever possible. Installing PostgreSQL on a system with less than 8GB of RAM can result in a sluggish FTK Client UI, depending on the data set size. 8GB of RAM is the minimum recommended for investigations involving roughly 3-4 million record items. 12-16GB of RAM is recommended for larger cases with 4-8 million record items. For extremely large cases with over 8 million records the system should have 16GB of RAM or more.


- OS: Even though PostgreSQL will run on all versions of Windows XP, 2003, Vista, 2008 and Windows 7, a 64-bit OS is very strongly recommended. PostgreSQL will run at least 3-5 times faster on a 64-bit OS than on a 32-bit OS. Windows 7 and Server 2008 R2 have much better memory management than Windows XP. Therefore, Windows 7 x64 and Server 2008 R2 are AccessData's recommended operating systems.


- CPU: PostgreSQL can place a significant demand on the CPU during review. PostgreSQL will run on most processors that are dual core or greater. A quad core processor is the minimum recommended CPU for an all-in-one forensic machine. Tests have shown that PostgreSQL runs extremely well on machines built on the Intel i7 chip. AccessData recommends a minimum of 8GB of RAM for a quad core CPU, a minimum of 12GB for an i7 CPU and a minimum of 16GB for higher end CPUs.



- Hard Disk Storage Requirements and Hard Drive I/O Speed: PostgreSQL's responsiveness, especially during review, is affected by the amount of RAM in the computer, the power and speed of the CPU, and the speed of the hard drive(s). The larger the case, the more directly hard drive speed will impact UI performance. Thus a faster hard drive will result in a much more responsive UI.


  - At a minimum, if the space exists in the computer case, PostgreSQL should always be hosted on its own dedicated hard drive.



  - The storage requirements for the PostgreSQL database are small relative to the storage requirements of the case folder and the evidence location. PostgreSQL will usually take up only about 4-5GB for every million record items. The storage requirements are therefore directly dependent upon the number of active cases in the database. For most single Examiner machines 150GB of storage space for PostgreSQL should be sufficient.


  - 7200 RPM Drives: 7200 RPM drives have huge storage capacity; however, their I/O seek speed is usually less than ideal. If the PostgreSQL box has lots of RAM and the cases are small (3 million record items or less), hosting PostgreSQL on a 7200 RPM drive is an option, though not preferred. A 7200 RPM drive will start to become a problem when working on large cases, as the I/O seek speed of the drive will directly impact the responsiveness of the Client UI. If hosting PostgreSQL on a 7200 RPM SATA drive, when possible use one of the latest generation drives with a large cache (at least 64MB). Avoid hosting PostgreSQL on an older generation drive.


  - SSD Drives: SSD drives will usually provide the highest level of PostgreSQL performance and do not need to be RAID configured. At the time this paper was written the Intel X25-M was tested to be a very good drive for hosting PostgreSQL. Unfortunately these SSD drives have small storage capacity compared to mechanical drives and the price per GB is high. SSD technology is rapidly changing (improving) and performance between different solid state drives varies dramatically. Make sure to research the drive performance data before making a purchase: http://www.tomshardware.com/reviews/ssd-review-benchmark,3115.html


  - Hardware RAID Controllers: Several hard drives in a RAID configuration will usually provide very high performance. If using a hardware RAID, the most important factor is to make sure the controller supports a battery-backed write-back cache. (Write-back caching is the mode that delivers the write speed-up; a true write-through cache commits every write to disk immediately and needs no battery, but also provides no write acceleration.) Such caches frequently require the purchase of a separate battery, and the purchase of a battery for the hardware RAID controller is money very well spent. The RAID configuration (RAID5, RAID6, RAID10) only marginally impacts performance. It is usually recommended to avoid RAID0 for storing case folder information, as there is no redundancy in the event of a drive failure. However, a separate small (160-380GB) RAID0 partition with write-back cache enabled is ideal for the FTK temporary folder location. The Adaptec 5000 series RAID controllers do extremely well in testing. Software RAIDs provide no significant performance advantage.


  - For laptops with a single internal hard drive, PostgreSQL usually needs to be installed on the internal OS drive. If possible, laptop users should try to store the case folder and E01 image on an external drive. The connection to the external drive should be eSATA or USB3 if available. FireWire and USB2 are viable second options, but will not be as fast as eSATA and will impact processing and review time.


- Network Speed: 1Gbit is recommended for all AccessData applications. 100Mbit is discouraged, especially if any sort of data is stored on a network drive and/or share path.



FTK Processing Engine and FTK Distributed Processing Engine

The processing engine and distributed processing engines, as their names suggest, perform the majority of the work when processing data. The processing engine also performs live search during review.


- CPU: When processing an image, the bottleneck is usually the capability of the CPU(s) or the I/O speed of the drive hosting the image file. If the FTK Processing Engine is not utilizing 100% of the system's CPU capacity, the I/O speed of the drive hosting the evidence (E01, AFF, DD, AD1, loose files) is frequently the cause. To maximize the performance of higher end CPUs, such as i7 processors, you may need to focus on the speed at which the machine can read the evidence.


- RAM: The processing engine will adjust the number of threads based on the amount of RAM in the computer. 8 gigabytes or more is AccessData's suggested minimum. It is not recommended to run the processing engines on a machine with less than 4GB of RAM. As a rule of thumb there should be at least 2GB of RAM per logical core.


- OS: The processing engines will run on all versions of Windows XP, 2003, Vista, 2008 and Windows 7. A 64-bit OS is not mandatory but strongly recommended. Windows 7 and Server 2008 R2 have much better memory management than Windows XP. Therefore, Windows 7 x64 and Server 2008 R2 are AccessData's recommended operating systems.


- Hard Disk, Storage Requirements and I/O Speed: Many times the I/O access speed to the evidence will be the limiting factor when it comes to total processing time. Because most forensic images and loose files take up a lot of space, they are usually stored on large capacity 7200 RPM drives. When connecting to an external hard drive, eSATA or USB3 is going to provide faster response than USB2 or FireWire. While storing the image on a much faster drive such as a RAID array is an option, in many situations this may not be feasible. Storage of the forensic images or case folder on the same drive as PostgreSQL is strongly discouraged, as performance will be significantly impacted. The preferred configuration is to store the case folder, PostgreSQL, and the evidence files on separate drives.




- Network Speed: 1Gbit is recommended for all AccessData applications. 100Mbit is discouraged, especially if any sort of data is stored on a network drive and/or share path.


- Preferences - Temporary File Path: In FTK's case management window there is a Preferences option that allows a user to select the location of the temporary folder. The FTK Processing Engine uses this temp folder as scratch space to store numerous temp files created during processing. By default the folder is on the OS drive. The I/O speed of the hard drive that hosts this folder can significantly slow down the time it takes to process evidence. For users with higher end machines needing the fastest processing speed possible, a dedicated 128GB or 256GB SSD drive is an excellent option for hosting this folder. For machines with a hardware RAID card, a 160-320GB RAID0 partition should be created with write-back cache enabled for this folder. This folder should not be placed on a network drive or USB connected drive. The sizing of this folder is dependent upon the evidence being processed, and the temp space utilization will vary from case to case.



FTK Client User Interface (UI)

The Client user interface is an application that is used to manage the case, launch the Processing Engines, and provide the examiner with a view into the collected metadata. The hardware requirements for the FTK Client UI are the least onerous of the four components. If the UI is slow and/or non-responsive it is usually a result of an issue with the PostgreSQL database and not the machine hosting the FTK Client UI.


- CPU: When running the FTK Client UI, the CPU will rarely be taxed to its full capacity. Any system with a dual core CPU or better should provide a reasonably fast UI experience. As stated above, the setup of the machine running the PostgreSQL database has the greatest impact on UI performance.

- RAM: The machine should have a minimum of 4GB of RAM.

- OS: The FTK UI will run on all versions of Windows XP, 2003, Vista, Windows 2008 and Windows 7. A 64-bit OS is not mandatory but recommended. Windows 7 and Server 2008 R2 have much better memory management than Windows XP. Therefore, Windows 7 x64 and Server 2008 R2 are the manufacturer's recommended operating systems.

- USB Slot: The FTK Client UI requires a security license. This license is usually stored on the CodeMeter USB dongle. If a USB slot is unavailable, the Network License Service (NLS) or a soft token, which can be obtained by contacting support, are alternative options.


There are two primary configurations that most examiners follow when running FTK 4.

Configuration 1 (highly portable):
  o System 1: All components (GUI / Worker / Primary Processing Engine / Database) on a single system
  o Systems 2-4: Distributed Processing Engine (optional)

Configuration 2 (maximum performance):
  o System 1: GUI / Worker / Primary Processing Engine
  o System 2: Database
  o Systems 3-5: Distributed Processing Engine (optional)

NOTE: When using distributed processing engines (DPE) there is absolutely no benefit to creating multiple virtual machines on the same system and putting distributed processing engines in those VMs.






CONFIGURATION 1

Specifications for FTK 4 with the PostgreSQL Database, FTK UI and Primary Processing Engine on the Same Machine

If installing PostgreSQL, the UI, and the processing engine all on the same machine, AccessData recommends one of the following hardware specifications:



Component                       | Recommended Minimum                                                                       | Ideal
Processor                       | Intel® i7 or AMD equivalent                                                               | Intel® i7, Dual Quad Core Xeon, or AMD equivalent
RAM                             | 12GB-16GB                                                                                 | 32GB (or more)
OS / Application drive          | 7200 RPM drive with 64MB cache                                                            | 7200 RPM drive with 64MB cache or SSD drive
Storage for PostgreSQL database | 7200 RPM drive with 64MB cache dedicated exclusively to PostgreSQL                        | 160GB Solid State Drive (SSD) dedicated exclusively to PostgreSQL
Network Card                    | Gigabit                                                                                   | Gigabit
HW RAID Controller              | N/A                                                                                       | Highly recommended if hosting PostgreSQL database. Configure with RAID 5, 6, or 10; avoid RAID 0
Temporary Folder Location       | Set to OS Drive                                                                           | SSD drive or RAID0 partition w/ write-back cache
Drive Configuration             | Drive Set 1: OS; Drive Set 2: PostgreSQL Database; Drive Set 3: Case Folder and HD Image | Drive Set 1: OS; Drive Set 2: PostgreSQL Database (SSD or HW RAID); Drive Set 3: Case Folder and HD Image; Drive 4 (temp folder): SSD or RAID0 partition
Operating Systems               | Server 2008 R2 / Windows 7 (64-bit)                                                       | Server 2008 R2 / Windows 7 (64-bit)


Performance and Storage Considerations

1) The PostgreSQL database should be hosted on a dedicated hard drive, Solid State Drive (SSD), or hardware RAID array, separate from the operating system. For hardware RAIDs, RAID 0 gives the best performance but RAID 0 provides no recovery from drive failure. RAID 0 should only be considered if automatic scheduled backups are available. RAID 5 or RAID 10 will provide similar performance to RAID 0 with the additional advantage of redundancy if a drive fails.

2) It is strongly recommended to configure antivirus to exclude the PostgreSQL database, temp, images, and case folders. Keep in mind what the exclusion means: evidence routinely contains live malware, and an excluded folder is one the scanner will never flag, so these exclusions belong on an isolated examiner workstation rather than a general-purpose machine.

3) It is recommended to turn off indexing, compression and/or EFS encryption on these folders. (By default, indexing of files and folders is on.)

4) Hardware RAID controllers will provide substantially better performance than an OS-based software RAID configuration. It is recommended to use a hardware RAID controller with at least 256MB of write cache. If enabling write-back caching, it is strongly recommended to purchase a card with a backup battery for the RAID controller before turning the cache on. Enabling write-back caching without the backup battery creates the potential for database corruption in the event of a system crash or power failure, because acknowledged writes still sitting in the controller's cache are lost.

5) For recommendations on hard drives and hardware RAID controllers please see:
   a) Hard Drives: http://www.tomshardware.com/charts/3-5-hard-drive-charts/benchmarks,24.html
   b) RAID Controllers: http://www.maximumpc.com/sites/future.p2technology.com/files/imce-images/RAIDbenchmarksBIG.gif

6) To roughly estimate the amount of storage space to support your processing load you should consider these variables:
   a) Database: Every 1 million objects require roughly 4-5GB of space on the PostgreSQL drive. (Note: The type of target data should also be considered in estimating space requirements. Once processed, a single file may constitute several objects in the PostgreSQL database. Furthermore, compound files like ZIPs or PSTs may equate to several hundred objects in the PostgreSQL database.)
   b) Generally, the dtSearch index that is stored in the case folder will be about 25-30% of the size of the compressed image.
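The layout rules above (PostgreSQL, case folder and evidence on separate drives; the temporary folder off network and USB storage; antivirus exclusions; indexing, compression and EFS turned off on those folders) can be audited before a case is opened. The PowerShell script below is an added example written for this page, not AccessData's code or part of the original guide. The four folder paths at the top are assumptions to be replaced with the real locations. The script only reads state (WMI and NTFS attributes) and changes nothing; the Defender exclusion check runs only where the Get-MpPreference cmdlet exists, which it does not on Windows 7 or Server 2008 R2.

```powershell
# Added example: read-only pre-flight audit of an FTK examiner workstation.
# The four paths are assumptions for illustration; substitute the real folders.
$Locations = @{
    'PostgreSQL data' = 'D:\PostgreSQL\data'   # assumed path
    'FTK temp folder' = 'E:\FTKTemp'           # assumed path
    'Case folder'     = 'F:\Cases\CaseFolder'  # assumed path
    'Evidence'        = 'G:\Evidence'          # assumed path
}

# Resolve a folder's drive letter to its logical disk, partition and physical disk
# so that two folders on different letters of the same spindle are still caught.
function Get-PhysicalDiskInfo {
    param([string]$Path)
    $letter  = (Split-Path -Qualifier $Path).TrimEnd(':')
    $logical = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='${letter}:'"
    if (-not $logical) { return $null }
    $info = @{ Letter = $letter; DriveType = $logical.DriveType; DiskIndex = $null; Interface = $null }
    # Win32_LogicalDisk.DriveType: 2 = removable, 3 = local fixed disk, 4 = network drive
    if ($logical.DriveType -eq 3) {
        $part = Get-WmiObject -Query "ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='${letter}:'} WHERE AssocClass=Win32_LogicalDiskToPartition" |
                Select-Object -First 1
        if ($part) {
            $disk = Get-WmiObject -Query "ASSOCIATORS OF {Win32_DiskPartition.DeviceID='$($part.DeviceID)'} WHERE AssocClass=Win32_DiskDriveToDiskPartition" |
                    Select-Object -First 1
            if ($disk) { $info.DiskIndex = $disk.Index; $info.Interface = $disk.InterfaceType }
        }
    }
    return New-Object PSObject -Property $info
}

# NTFS attributes the guide says to turn off: compression, EFS encryption, content indexing.
function Test-FolderAttributes {
    param([string]$Path)
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $item) { return $null }
    $attr = $item.Attributes
    return New-Object PSObject -Property @{
        Compressed = (($attr -band [IO.FileAttributes]::Compressed) -ne 0)
        Encrypted  = (($attr -band [IO.FileAttributes]::Encrypted) -ne 0)
        Indexed    = (($attr -band [IO.FileAttributes]::NotContentIndexed) -eq 0)
    }
}

# Defender path exclusions, if the Defender module is present on this OS.
# Caveat: an excluded folder is never scanned, so malware inside evidence goes unflagged;
# only apply exclusions on an isolated examiner workstation.
$exclusions = @()
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $exclusions = @((Get-MpPreference).ExclusionPath | Where-Object { $_ })
}

$findings = @()
$diskUse  = @{}   # physical disk index -> roles that live on it
foreach ($role in $Locations.Keys) {
    $path = $Locations[$role]
    $disk = Get-PhysicalDiskInfo $path
    if (-not $disk) { $findings += "$role ($path): drive letter not found"; continue }
    if ($disk.DriveType -eq 4) { $findings += "$role ($path): on a network drive" }
    if ($disk.DriveType -eq 2) { $findings += "$role ($path): on removable media" }
    if ($disk.Interface -eq 'USB' -or $disk.Interface -eq '1394') {
        $findings += "$role ($path): on a $($disk.Interface)-attached disk (slow; never use for the temp folder)"
    }
    if ($disk.DiskIndex -ne $null) {
        if (-not $diskUse.ContainsKey($disk.DiskIndex)) { $diskUse[$disk.DiskIndex] = @() }
        $diskUse[$disk.DiskIndex] += $role
    }
    $attr = Test-FolderAttributes $path
    if ($attr) {
        if ($attr.Compressed) { $findings += "$role ($path): NTFS compression enabled" }
        if ($attr.Encrypted)  { $findings += "$role ($path): EFS encryption enabled" }
        if ($attr.Indexed)    { $findings += "$role ($path): Windows Search indexing enabled" }
    }
    if ($exclusions.Count -gt 0 -and -not ($exclusions | Where-Object { $path -like "$_*" })) {
        $findings += "$role ($path): not covered by a Defender path exclusion"
    }
}
# The guide wants PostgreSQL, the case folder and the evidence on separate drives.
foreach ($idx in $diskUse.Keys) {
    if ($diskUse[$idx].Count -gt 1) {
        $findings += "Physical disk $idx is shared by: $($diskUse[$idx] -join ', ')"
    }
}
if ($findings.Count -eq 0) { 'No findings: layout matches the guide.' } else { $findings }
```

Run it in an elevated PowerShell session on the examiner machine. Each line of output is one deviation from the guide; an empty result means the four folders sit on separate physical disks, none of them is on network, removable, USB or FireWire storage, and none has compression, EFS or indexing turned on. The WMI association queries are used instead of the newer Storage module so the script also works on the Windows 7 and Server 2008 R2 systems the guide recommends.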









CONFIGURATION 2

Specification for FTK 4 UI and Processing Engine on one machine and PostgreSQL on a Separate (2nd) Machine (2 Node Configuration)

Node 1: Specifications for GUI and Worker

If installing the embedded PostgreSQL database on a dedicated machine or using an existing Oracle infrastructure, AccessData recommends one of the following hardware specifications for the machine running the FTK UI and Processing Engine:



Component                    | Recommended Minimum                                            | Ideal
Processor                    | Intel® Quad Core or AMD equivalent                             | Intel® Dual Quad Core, i7 or AMD equivalent
CD/DVD Drive                 | DVD                                                            | DVD
RAM                          | 8GB                                                            | 32GB (or more)
OS/Application Drive Size    | 7200 RPM drive with 64MB cache                                 | 7200 RPM drive with 64MB cache
Network Card                 | Gigabit                                                        | Gigabit
Storage for Index and Images | As necessary                                                   | As necessary
Temporary Folder Location    | Set to OS Drive                                                | SSD drive or RAID0 partition w/ write-back cache
Operating System             | Server 2008 R2 or Windows 7 (64-bit)                           | Server 2008 R2 or Windows 7 (64-bit)
Drive Configuration          | Drive Set 1: OS; Drive Set 2: Hard Drive Image and Case Folder | Drive Set 1: OS; Drive Set 2: Hard Drive Image and Case Folder; Drive 3 (temp folder): SSD or RAID0


Node 2: Stand-alone Database Specifications for Windows-based PostgreSQL

If installing the embedded PostgreSQL database on a second machine, AccessData recommends the following hardware specifications.



Component                       | Recommended Minimum                                                | Ideal
Processor                       | Intel® i7 or AMD equivalent                                        | Intel® i7, Dual Quad Core Xeon, or AMD equivalent
RAM                             | 8GB / 12GB                                                         | 32GB (or more)
OS / Application drive          | 7200 RPM drive with 64MB cache                                     | 7200 RPM drive with 64MB cache or SSD drive
Storage for PostgreSQL database | 7200 RPM drive with 64MB cache dedicated exclusively to PostgreSQL | Solid State Drive (SSD) dedicated exclusively to PostgreSQL
Network Card                    | Gigabit                                                            | Gigabit
HW RAID Controller              | N/A                                                                | Highly recommended if hosting PostgreSQL database. Configure with RAID 5, 6, or 10; avoid RAID 0
Drive Configuration             | Drive Set 1: OS; Drive Set 2: PostgreSQL Database                  | Drive Set 1: OS; Drive Set 2: PostgreSQL Database (SSD or HW RAID)
Operating Systems               | Server 2008 R2 or Windows 7 (64-bit)                               | Server 2008 R2 or Windows 7 (64-bit)


Distributed Processing Engine

If using a distributed processing engine, AccessData recommends the following hardware specifications.



Component                  | Recommended Minimum                | Ideal
Processor                  | Intel® Quad Core or AMD equivalent | Intel® i7 or AMD equivalent
RAM                        | 8GB / 12GB                         | 16GB / 32GB
OS / Application drive     | 7200 RPM drive with 64MB cache     | 7200 RPM drive with 64MB cache
Scratch / Temp space drive | 7200 RPM drive with 64MB cache     | SSD Drive
Network Card               | Gigabit                            | Gigabit
Temporary Folder Location  | Set to OS Drive                    | SSD drive or RAID0 partition w/ write-back cache
Drive Configuration        | Drive Set 1: OS                    | Drive Set 1: OS; Drive 2: Scratch / Temp space drive
Operating Systems          | Windows 7 (64-bit)                 | Windows 7 (64-bit)