Forensic Toolkit® System Specifications Guide FEBRUARY 2011
When it comes to performing effective and timely investigations, we recommend examiners take into consideration the demands the software, and specifically Oracle, will make on their hardware resources. Depending on the size and scope of a given investigation, Forensic Toolkit® 3 (FTK®) and AccessData Enterprise will push hardware resources to their limits.
FTK Components and Their System Requirements

FTK is made up of four separate components/applications, each of which is installed separately and performs a different function. These components are the Oracle Database, the FTK Client User Interface (UI), the Client-side Processing Engine and the Distributed Processing Engine. When configuring a system to run FTK, it is helpful to understand the hardware requirements of each of these components/applications and the strain each places on the hardware.

Oracle Database – The Oracle database is a key component of the FTK application. Oracle stores the processed metadata and performs all the queries, sorts, filters, file listing and other functions requested by the Client UI.

- RAM: To achieve maximum product performance, especially during review, it is important to provide Oracle with as much RAM as possible. Oracle should really be installed on a machine running a 64-bit operating system and at least 8 gigs of RAM when possible. Installing Oracle on a system with less than 8GB of RAM can result in a sluggish FTK Client UI, depending on the data set size. 8 gigs of RAM is the minimum recommended for investigations involving roughly 3-4 million record items. 12-16 gigs of RAM is recommended for larger cases with 4-8 million record items. For extremely large cases with over 8 million records the system should really have 16 gigs of RAM or more.

- OS: The Oracle database will run on all versions of Windows XP, 2003, Vista, 2008 and Windows 7. A 64-bit OS is not mandatory but is very strongly recommended, because Oracle’s responsiveness is as much as 3-5 times faster on a 64-bit OS compared to a 32-bit OS.

- CPU: Oracle can place a significant demand on the CPU during review. Oracle will run on most processors that are dual core or greater. A Quad processor is the minimum recommended CPU for an all-in-one forensic machine. Tests have shown that Oracle runs extremely well on machines built on the Intel i7 and Intel i9 chip. AccessData recommends a minimum of 8GB for a Quad core CPU, a minimum of 12 GB for an i7 CPU and a minimum of 16GB for higher end CPUs.
- Hard Disk, Storage Requirements and Hard Drive I/O Speed: Oracle’s responsiveness, especially during review, is affected by the amount of RAM in the computer, the power and speed of the CPU and the speed of the hard drive(s). The larger the case, the more directly hard drive speed is going to impact UI performance. Thus a faster hard drive will result in a much more responsive UI.

- At a minimum, if the space exists in the computer case, Oracle should always be hosted on its own dedicated hard drive.

- The storage requirements for the Oracle database are small relative to the storage requirements of the case folder and the evidence location. Oracle will usually take up only about 4-5 gigs for every million record items. The storage requirements are therefore directly dependent upon the number of active cases in the database. For most single Examiner machines 150 gigs of storage space for Oracle should be sufficient.

7200 RPM Drives - 7200 RPM drives have huge storage; however, the I/O seek speed is usually less than ideal. If the Oracle box has lots of RAM and the cases are small (3 million record items or less), hosting Oracle on a 7200 RPM drive is an option, though not preferred. A 7200 RPM drive will start to become a problem when working on large cases, as the I/O seek speed of the 7200 RPM drive will directly impact the responsiveness of the Client UI. If hosting Oracle on a 7200 RPM SATA drive, when possible use one of the latest generation drives with a large cache (at least 64MB). Avoid hosting Oracle on an older generation drive.

SSD Drives - SSD drives will usually provide the highest level of Oracle performance and do not need to be RAID configured. At the time this paper was written the Intel x25-M was tested to be a very good drive for hosting Oracle. Unfortunately these SSD drives have small storage compared to mechanical drives and the price per GB is expensive. SSD technology is rapidly changing (improving) and performance between different solid-state drives varies dramatically. Make sure to research the drive performance data before making a purchase (http://www.tomshardware.com/charts/ssd-charts-2010/I-O-Performance-Database,2353.html).

©2011 AccessData Corporation, All Rights Reserved.

Hardware RAID Controllers - Several hard drives in a RAID configuration will usually provide very high performance. If using a hardware RAID the most important factor is to make sure the controller supports a write-through cache. Write-through caches frequently require the purchase of a separate battery. The purchase of a battery for the hardware RAID controller is money very well spent. The RAID configuration (RAID5, RAID6, RAID10) only marginally impacts performance. It is usually recommended to avoid RAID0 for storing case folder information, as there is no redundancy in the event of a drive failure. However, a separate (200-300GB) RAID0 partition with write-through cache or a modern SSD drive larger than 150GB is ideal for the FTK temporary folder location. The Adaptec 5000 series RAID controllers do extremely well in testing. Software RAIDs provide no significant performance advantage.

For laptops with a single internal hard drive, Oracle usually needs to be installed on the internal OS drive. If possible, laptop users should try to store the case folder and E01 image on an external drive. The connection to the external drive should be eSATA if available. Firewire and USB2 are viable second options, but will not be as fast as eSATA.
- Network Speed: 1 gig is recommended for all AccessData applications. 100Mbit is discouraged.

- Database Optimization: Running Oradjuster to optimize the database is necessary to achieve maximum database performance and the best FTK Client UI responsiveness. Oradjuster can be found on the Oracle installation DVD or at http://www.accessdata.com/downloads.html. Oradjuster can also be run directly from the FTK Client UI.
FTK Processing Engine and FTK Distributed Processing Engine: The processing engine and distributed processing engines, as their names suggest, perform the majority of the work when processing an image. The processing engine also performs live search during review.

- CPU: When processing an image the bottleneck is usually the capability of the CPUs or the I/O speed of the drive hosting the image file. If the FTK Processing Engine is not utilizing 100% of the system's CPU capacity, it frequently is because of the I/O speed of the drive hosting the evidence (e01, AFF, DD, AD1, loose files) to be processed. To maximize the performance of higher end CPUs such as i7 or i9 processors you may need to focus on the speed at which the machine can read the evidence data to be processed.

- RAM: The processing engine will adjust the number of threads based on the amount of RAM in the computer. 8 gigs or more is the manufacturer's suggested minimum. It is not recommended to run the processing engines on a machine with less than 4 gigs of RAM. As a rule of thumb, when possible there should be 2 GB of RAM per core.

- OS: The processing engines will run on all versions of Windows XP, 2003, Vista, 2008 and Windows 7. A 64-bit OS is not mandatory but strongly recommended. Vista and Windows 7 have much better memory management than Windows XP. Therefore, Vista-64 and Windows 7 are the manufacturer’s recommended operating systems.

- Hard Disk, Storage Requirements and I/O Speed: Many times the I/O access speed to the evidence will be the limiting factor when it comes to total processing time. Because most forensic images and loose files take up a lot of space, they are usually stored on large capacity 7200 RPM drives. When connecting to an external hard drive, eSATA is going to provide faster response than USB or Firewire. While storing the image on a much faster drive such as a RAID array is an option, in many situations this may not be feasible.

- Storage of the forensic images or case folder on the same drive as Oracle is strongly discouraged, as performance will be significantly impacted. The preferred configuration is to store the case folder and the E01 image on separate drives.

- Network Speed: 1 gig is recommended for all AccessData applications. 100Mbit is discouraged.
- Preferences - Temporary File Path: In FTK's case management window there is a Preferences option that allows a user to select the location of the temporary folder. The FTK Processing Engine uses this temp folder as scratch space to store numerous temp files created during processing. By default the folder is on the OS drive. The I/O speed of the hard drive that hosts this folder can significantly slow down the time it takes to process evidence. For users with higher end machines needing the fastest processing speed possible, a dedicated 150GB or greater SSD drive is an excellent option for hosting this folder. For machines with a hardware RAID card, a 200-300 GB RAID0 partition should be created with write-through cache enabled for this folder. This folder should not be placed on a network drive/share or USB connected drive.

NOTE: It is possible that artifacts in the source evidence can cause the Temp folder to grow beyond 200GB in some circumstances. If the temp folder runs out of space it can cause processing to fail. A possible workaround is to move the temp folder to a drive or set of drives with more capacity to meet the needs of the evidence.

FTK Client User Interface (UI): The Client user interface is an application that is used to manage the case, launch the Processing Engines and provide a user with a view into the collected metadata. The hardware requirements for the FTK Client UI are the least onerous of the four components. If the UI is slow and/or non-responsive it is usually a result of an issue with the Oracle database and not the machine hosting the FTK Client UI.

- CPU: When running the FTK Client UI, the CPU will rarely be taxed to its full capacity. Any system with a Core-2 duo or better should provide a reasonably fast UI experience. As stated above, the setup of the machine running the Oracle database has the greatest impact on UI performance.

- RAM: The machine should have a minimum of 4 gigs of RAM.

- OS: The FTK UI will run on all versions of Windows XP, 2003, Vista, Windows 2008 and Windows 7. A 64-bit OS is not mandatory but recommended. Vista and Windows 7 have much better memory management than Windows XP. Therefore, Vista-64 and Windows 7 are the manufacturer’s recommended operating systems.

- USB Slot: The FTK Client UI requires a security license. This license is usually stored on the CodeMeter USB dongle. If a USB slot is unavailable, the Network License Service (NLS) is an option, as is a soft token, which can be obtained by contacting support.
There are three primary configurations that most examiners follow when running FTK 3.

• Configuration 1 (Standard):
  o System 1: All components (GUI / Worker / Primary Processing Engine / Database) on a single system

• Configuration 2 (Standard with distributed processing engines):
  o System 1: All components (GUI / Worker / Primary Processing Engine / Database) on a single system
  o Systems 2-4: Distributed Processing Engine (optional)

• Configuration 3 (Processing/Review with dedicated Database):
  o System 1: GUI / Worker / Primary Processing Engine
  o System 2: Database
  o System 3-5: Distributed Processing Engine (optional)

NOTE:
• When using distributed processing engines (DPE), there is absolutely no benefit to creating multiple virtual machines on the same system and putting distributed processing engines in those VMs.
• We highly recommend that you disable power saving features of your computer/OS when processing data.
CONFIGURATION 1

Specifications for FTK 3 with the Oracle Database, FTK UI and Primary Processing Engine on the Same Machine

If installing Oracle, the UI, and the processing engine all on the same machine AccessData recommends one of the following hardware specifications:

Recommended Minimum
- Processor: Intel® i7 or AMD equivalent
- RAM: 12 GB (DDR3) / 8 GB (DDR2)
- OS / Application Drive: 7200 RPM drive with 64 MB cache
- Storage for Oracle database: 7200 RPM drive with 64 MB cache dedicated exclusively to Oracle
- Network Card: Gigabit
- HW RAID Controller: N/A
- Temporary Folder Location: Set to OS Drive
- Drive Configuration: Drive Set 1: OS; Drive Set 2: Oracle Database; Drive Set 3: Case Folder and HD Image
- Operating Systems: MS Vista / 2008 / Windows7 (64-bit)

Ideal
- Processor: Intel® i9, Dual Quad Core Xeon, i7 Nehalem or AMD equivalent
- RAM: 12 GB (DDR3) / 16 GB (DDR2)
- OS / Application Drive: 7200 RPM drive with 64 MB cache or SSD drive
- Storage for Oracle database: 160GB Solid State Drive (SSD) dedicated exclusively to Oracle
- Network Card: Gigabit
- HW RAID Controller: Highly recommended if hosting Oracle database. Configure with RAID 5, 6, or 10. Avoid RAID0.
- Temporary Folder Location: x-25 SSD drive or RAID0 partition w/ write-through
- Drive Configuration: Drive Set 1: OS; Drive Set 2: Oracle Database (SSD or HW RAID); Drive Set 3: Case Folder and HD Image; Drive Set 4 (temp folder): SSD or RAID0 partition
- Operating Systems: MS Vista / 2008 / Windows7 (64-bit)
Performance and Storage Considerations

1) The Oracle database should be hosted on a dedicated hard drive, Solid State Drive (SSD) or hardware RAID array, separate from the operating system. For hardware RAIDs, RAID 0 gives the best performance but RAID 0 provides no recovery from drive failure. RAID 0 should only be considered if automatic scheduled backups are available. RAID 5 or RAID10 will provide similar performance to RAID 0 with the additional advantage of redundancy if a drive fails.

2) It is strongly recommended to configure antivirus to exclude the Oracle database, temp, images, and case folders.

3) It is recommended to turn off indexing, compression and/or EFS encryption. (By default, indexing of files and folders is on.)

4) Hardware RAID controllers will provide substantially better performance than an OS-based software RAID configuration. It is recommended to use a hardware RAID controller with at least 256MB of write-through cache. If activating the write-through cache, it is strongly recommended to purchase a card with a backup-battery for the RAID controller and enable the write-through cache. Enabling the write-through cache without the backup-battery creates the potential for database corruption in the event of a system crash or power failure.

5) For recommendations on hard drives and hardware RAID controllers please see:
   a) Hard Drives: http://www.tomshardware.com/charts/3-5-hard-drive-charts/benchmarks,24.html
   b) RAID Controllers: http://www.maximumpc.com/sites/future.p2technology.com/files/imceimages/RAIDbenchmarksBIG.gif

6) To roughly estimate the amount of storage space to support your processing load you should consider these variables:
   a) Database: Every 1 million objects requires roughly 4-5 GB of space on the Oracle drive. (Note: The type of target data should also be considered in estimating space requirements. Once processed, a single file may constitute several objects in the Oracle database. Furthermore, compound files like ZIPs or PSTs may equate to several hundred objects in the Oracle database.)
   b) Generally, the dtSearch index that is stored in the case folder will be about 25-30% the size of the compressed image.
CONFIGURATION 2

Specifications for FTK 3 with the Oracle Database, FTK UI and Primary Processing Engine on the Same Machine (w/ Distributed Processing Engines)

If installing Oracle, the UI, and the processing engine all on the same machine AccessData recommends one of the following hardware specifications:

Recommended Minimum
- Processor: Intel® i7 or AMD equivalent
- RAM: 12 GB (DDR3) / 8 GB (DDR2)
- OS / Application Drive: 7200 RPM drive with 64 MB cache
- Storage for Oracle database: 7200 RPM drive with 64 MB cache dedicated exclusively to Oracle
- Network Card: Gigabit
- HW RAID Controller: N/A
- Temporary Folder Location: Set to OS Drive
- Drive Configuration: Drive Set 1: OS; Drive Set 2: Oracle Database; Drive Set 3: Case Folder and HD Image
- Operating Systems: MS Vista / 2008 / Windows7 (64-bit)

Ideal
- Processor: Intel® i9, Dual Quad Core Xeon, i7 Nehalem or AMD equivalent
- RAM: 12 GB (DDR3) / 16 GB (DDR2)
- OS / Application Drive: 7200 RPM drive with 64 MB cache or SSD drive
- Storage for Oracle database: 160GB Solid State Drive (SSD) dedicated exclusively to Oracle
- Network Card: Gigabit
- HW RAID Controller: Highly recommended if hosting Oracle database. Configure with RAID 5, 6, or 10. Avoid RAID0.
- Temporary Folder Location: x-25 SSD drive or RAID0 partition w/ write-through
- Drive Configuration: Drive Set 1: OS; Drive Set 2: Oracle Database (SSD or HW RAID); Drive Set 3: Case Folder and HD Image; Drive Set 4 (temp folder): SSD or RAID0 partition
- Operating Systems: MS Vista / 2008 / Windows7 (64-bit)

Distributed Processing Engine

If using a distributed processing engine, AccessData recommends the following hardware specifications.

Recommended Minimum
- Processor: Intel® Quad Core or AMD equivalent
- RAM: 6 GB (DDR3) / 8 GB (DDR2)
- OS / Application Drive: 7200 RPM drive with 64 MB cache
- Scratch / Temp Space Drive: 7200 RPM drive with 64 MB cache
- Network Card: Gigabit
- Temporary Folder Location: Set to OS Drive
- Drive Configuration: Drive Set 1: OS
- Operating Systems: MS Vista / 2008 / Windows7 (64-bit)

Ideal
- Processor: Intel® i7, i9, or AMD equivalent
- RAM: 8 GB (DDR3) / 12 GB (DDR2)
- OS / Application Drive: 7200 RPM drive with 64 MB cache
- Scratch / Temp Space Drive: SSD Drive
- Network Card: Gigabit
- Temporary Folder Location: x-25 SSD drive or RAID0 partition w/ write-through
- Drive Configuration: Drive Set 1: OS; Drive Set 2: Scratch / Temp space drive
- Operating Systems: MS Vista / 2008 / Windows7 (64-bit)
Performance and Storage Considerations

7) The Oracle database should be hosted on a dedicated hard drive, Solid State Drive (SSD) or hardware RAID array, separate from the operating system. For hardware RAIDs, RAID 0 gives the best performance but RAID 0 provides no recovery from drive failure. RAID 0 should only be considered if automatic scheduled backups are available. RAID 5 or RAID10 will provide similar performance to RAID 0 with the additional advantage of redundancy if a drive fails.

8) It is strongly recommended to configure antivirus to exclude the Oracle database, temp, images, and case folders.

9) It is recommended to turn off indexing, compression and/or EFS encryption. (By default, indexing of files and folders is on.)

10) Hardware RAID controllers will provide substantially better performance than an OS-based software RAID configuration. It is recommended to use a hardware RAID controller with at least 256MB of write-through cache. If activating the write-through cache, it is strongly recommended to purchase a card with a backup-battery for the RAID controller and enable the write-through cache. Enabling the write-through cache without the backup-battery creates the potential for database corruption in the event of a system crash or power failure.

11) For recommendations on hard drives and hardware RAID controllers please see:
   a) Hard Drives: http://www.tomshardware.com/charts/3-5-hard-drive-charts/benchmarks,24.html
   b) RAID Controllers: http://www.maximumpc.com/sites/future.p2technology.com/files/imceimages/RAIDbenchmarksBIG.gif

12) To roughly estimate the amount of storage space to support your processing load you should consider these variables:
   a) Database: Every 1 million objects requires roughly 4-5 GB of space on the Oracle drive. (Note: The type of target data should also be considered in estimating space requirements. Once processed, a single file may constitute several objects in the Oracle database. Furthermore, compound files like ZIPs or PSTs may equate to several hundred objects in the Oracle database.)
   b) Generally, the dtSearch index that is stored in the case folder will be about 25-30% the size of the compressed image.
CONFIGURATION 3

Specification for FTK 3 UI and Processing Engine on one machine and Oracle on a Separate (2nd) Machine (2 Node Configuration)

Node 1: Specifications for GUI and Worker

If installing the embedded Oracle database on a dedicated machine or using an existing Oracle infrastructure, AccessData recommends one of the following hardware specifications for the machine running the FTK UI and Processing Engine:

Recommended Minimum
- Processor: Intel® Quad Core or AMD equivalent
- CD/DVD Drive: DVD
- RAM: 8 GB
- OS / Application Drive Size: 7200 RPM drive with 64 MB cache
- Network Card: Gigabit
- Storage for Index & Images: As necessary
- Temporary Folder Location: Set to OS Drive
- Drive Configuration: Drive Set 1: OS; Drive Set 2: Hard Drive Image and Case Folder
- Operating Systems: MS Vista or Windows7 (64-bit)

Ideal
- Processor: Intel® Dual Quad Core Xeon, i7 or AMD equivalent
- CD/DVD Drive: DVD
- RAM: 12 GB
- OS / Application Drive Size: 7200 RPM drive with 64 MB cache
- Network Card: Gigabit
- Storage for Index & Images: As necessary
- Temporary Folder Location: x-25 SSD drive or RAID0 partition w/ write-through
- Drive Configuration: Drive Set 1: OS; Drive Set 2: Hard Drive Image and Case Folder; Drive Set 3 (temp folder): SSD or RAID0
- Operating Systems: MS Vista or Windows7 (64-bit)

Node 2: Stand-alone Database Specifications for Windows-based Oracle

If installing the embedded Oracle database on a second machine, AccessData recommends the following hardware specifications.

Recommended Minimum
- Processor: Intel® i7 or AMD equivalent
- RAM: 8 GB (DDR3) / 12 GB (DDR2)
- OS / Application Drive: 7200 RPM drive with 64 MB cache
- Storage for Oracle Database: 7200 RPM drive with 64 MB cache dedicated exclusively to Oracle
- Network Card: Gigabit
- HW RAID Controller: N/A
- Drive Configuration: Drive Set 1: OS; Drive Set 2: Oracle Database
- Operating Systems: MS Vista / 2008 / Windows7 (64-bit)

Ideal
- Processor: Intel® i9, Dual Quad Core Xeon, or AMD equivalent
- RAM: 12 GB (DDR3) / 16 GB (DDR2)
- OS / Application Drive: 7200 RPM drive with 64 MB cache or SSD drive
- Storage for Oracle Database: 160 GB Solid State Drive (SSD) dedicated exclusively to Oracle
- Network Card: Gigabit
- HW RAID Controller: Highly recommended if hosting Oracle database. Configure with RAID 5, 6, or 10. Avoid RAID0.
- Drive Configuration: Drive Set 1: OS; Drive Set 2: Oracle Database (SSD or HW RAID)
- Operating Systems: MS Vista / 2008 / Windows7 (64-bit)