
Analyst Workstation - What are you using?

25 Posts
12 Users
2 Likes
8,651 Views
(@skyccord)
Posts: 9
Active Member
Topic starter
 

Looking at upgrading our lab setup. What are you folks doing these days?

Daily software is
X-Ways
Blackbag Blacklight

 
Posted : 20/01/2020 3:44 pm
(@rich2005)
Posts: 535
Honorable Member
 

Are you talking about upgrading hardware to better run your software? Or upgrading the software itself? Or both?

 
Posted : 20/01/2020 3:57 pm
(@skyccord)
Posts: 9
Active Member
Topic starter
 

> Are you talking about upgrading hardware to better run your software? Or upgrading the software itself? Or both?

Hardware for analyst station.

 
Posted : 20/01/2020 4:35 pm
(@rich2005)
Posts: 535
Honorable Member
 

I'd have a few suggestions if you're not working on a massive budget (others could probably help if you've got a lot more money to play with).
Firstly, as with any computer these days, an SSD makes a massive difference, and a workstation is no different (depending on the types of tools you're using). Most of them aren't expensive these days (and you can do your own googling for the best price/performance/reliability).
So one for your OS and tools is a no-brainer.
Anything like Axiom/NUIX that's going to be using lots of threads/processes will benefit a lot from SSDs.
NUIX particularly will benefit from having its case folder on an SSD (and also, I imagine, so would any tool that has a large indexed database to search from).
You can get good performance from a RAID to store your evidence files on for processing, reading sequentially, but I don't think these tools always end up reading sequentially, so a large SSD for your evidence would probably also speed things up (I've not tested - but from a glance at performance monitor watching the speeds and what it's reading/writing - I think it's probably reading from various parts of a drive image and therefore thrashing the disk and degrading performance).
I'd investigate the performance benefits of NVMe ones too and make your choice depending on budget.
I went for an i9 9900K for the CPU, as it's a pretty good all-rounder, with good single-threaded performance, and many tools seem to prefer a higher clock speed to a larger number of cores (even though it has plenty of those too).
Had to settle for 64GB of RAM grudgingly, as I'd ideally have gone for 128 (and accepted the cost), or more, but that would have meant changing the rest of the spec of the kit and disproportionately increasing the price. This is probably less of an issue if you're not using something like NUIX though.

 
Posted : 20/01/2020 4:56 pm
(@skyccord)
Posts: 9
Active Member
Topic starter
 

> I'd have a few suggestions if you're not working on a massive budget (others could probably help if you've got a lot more money to play with).
> Firstly, as with any computer these days, an SSD makes a massive difference, and a workstation is no different (depending on the types of tools you're using). Most of them aren't expensive these days (and you can do your own googling for the best price/performance/reliability).
> So one for your OS and tools is a no-brainer.
> Anything like Axiom/NUIX that's going to be using lots of threads/processes will benefit a lot from SSDs.
> NUIX particularly will benefit from having its case folder on an SSD (and also, I imagine, so would any tool that has a large indexed database to search from).
> You can get good performance from a RAID to store your evidence files on for processing, reading sequentially, but I don't think these tools always end up reading sequentially, so a large SSD for your evidence would probably also speed things up (I've not tested - but from a glance at performance monitor watching the speeds and what it's reading/writing - I think it's probably reading from various parts of a drive image and therefore thrashing the disk and degrading performance).
> I'd investigate the performance benefits of NVMe ones too and make your choice depending on budget.
> I went for an i9 9900K for the CPU, as it's a pretty good all-rounder, with good single-threaded performance, and many tools seem to prefer a higher clock speed to a larger number of cores (even though it has plenty of those too).
> Had to settle for 64GB of RAM grudgingly, as I'd ideally have gone for 128 (and accepted the cost), or more, but that would have meant changing the rest of the spec of the kit and disproportionately increasing the price. This is probably less of an issue if you're not using something like NUIX though.

i9 over Xeon, that's the question. We have SSDs in our machines now. Just ordered another 4TB Samsung SSD. Never enough space…

 
Posted : 20/01/2020 5:09 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

Very much depends on the size of your average case as well and how you work.
Do you work with all the images and working files on your machine or do you process to and from external hard disk (either caddy or in dock)? How many cases would you normally have and what is the average size?

Our machines are set up with dual quad-core Xeon (higher clock speed so fewer cores), 128GB of RAM and the following HDD config:
1 x 512GB SSD for OS.
1 x 1TB/2TB SSD for some working files.
2 x 6TB HDD for case files (RAID 1).
4 x 8TB HDD for image files (RAID 0).
These are built into Lenovo 920 machines which we have found to be very reliable, and they give LE discount :)

Contrary to popular belief, the CPU actually seems to be the sticking point for a lot of forensic tools, including X-Ways, Axiom and Griffeye. On our machines, maxing one core only shows as 6% CPU usage and this leads people to believe the disk is slowing it down.

If you are using Griffeye or similar image processing tools, you may want to consider adding a powerful graphics card as well.

 
Posted : 21/01/2020 6:52 am
(@rich2005)
Posts: 535
Honorable Member
 

It's often both imo - during different times in the processing (CPU / disk bottleneck).
No doubt CPU is more often the sticking point in Axiom (and other tools to varying degrees)……but, as I say, if you're on dual xeons and 128GB of RAM, you're pushing the machine into another price bracket almost certainly <insert green-eyed-monster smiley here>.
However, without serious testing, I've casually observed the disk reading speed often dipping under 100mb/sec at times, but nowhere near as often when on the SSD, leading me to believe it's just due to thrashing from multiple threads reading different parts of the E01 image.
I have to mix-and-match on that front though depending on the size of the images.

 
Posted : 21/01/2020 7:40 am
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

> ……but, as I say, if you're on dual xeons and 128GB of RAM, you're pushing the machine into another price bracket almost certainly <insert green-eyed-monster smiley here>.

True, it would be helpful if OP had a rough price guide as well.

 
Posted : 21/01/2020 8:43 am
(@skyccord)
Posts: 9
Active Member
Topic starter
 

> > ……but, as I say, if you're on dual xeons and 128GB of RAM, you're pushing the machine into another price bracket almost certainly <insert green-eyed-monster smiley here>.
>
> True, it would be helpful if OP had a rough price guide as well.

I ordered a new machine. HP Workstation Z2 G4 - Core i9 9900K 3.6 GHz - 32 GB - 512 GB NVMe SSD. I have a few 1TB SSDs and a new 4TB SSD. Wish me luck!

Plenty of things in Blacklight only work in single-threaded mode, so the i9 should cut it. I will bump the memory up.

 
Posted : 21/01/2020 7:57 pm
(@rich2005)
Posts: 535
Honorable Member
 

One other thing that might help:
I don't know if you've ordered a cooler already for it, but I'd recommend getting a good one for the CPU, for the extra tiny amount of money. It's an absolute beast of a desktop CPU and, as such, it chucks out a beastly amount of heat if stressing all the cores (especially if something is using the AVX extensions - although that's less likely to happen in "normal" forensics workloads).

 
Posted : 22/01/2020 8:15 am