The Problem

With all of the big data sets and volumes bogging down forensic examinations nowadays, it’s nearly impossible to keep up with caseloads unless you have an excellent triaging methodology or a Processing Engine. The inability to handle large amounts of data efficiently can create a backlog of unprocessed examinations.  Frustration is soon to follow.

The Processing Engine is described as such:

“The processing engine is responsible for processing data, usually retrieved from storage devices, based on pre-defined logic, in order to produce a result. Any data processing that is requested by the Big Data solution is fulfilled by the processing engine. ¹”

To work through caseloads efficiently, it’s better to utilize systems geared toward processing power.  Forensic Workstations primarily rely on forensic write-protected devices and offer potentially slower processing speeds. When a forensic workstation is designed, there is often a heavy emphasis on write-protected equipment with additional PCIe cards, storage drives, and a variety of other components, which can limit the speeds of the system because of available allocated PCIe lanes on processors.  Adding in cards will step PCIe lanes down, limiting the available bandwidth on the motherboard to handle all of the I/O’s necessary to process data quickly.  Therefore it’s much better to rely on a Processing Engine than a Forensic Workstation.

Implementing Technology

Processing Engine systems are specifically geared toward high-speed calculations. Sometimes there is enough headroom to allow other processes to run in tandem.   The key is fast volume sets, PCIe NVMe drives, and RAID SSDs. However, other hardware considerations can make the system even faster.

Practitioners are utilizing Processing Engines to perform individual tasks.  They are piecing together their examination on the results provided by individual systems.  Think of “divide and conquer,” where numerous components are divided among workers.  These individual tasks are combined so the final product is a culmination of the workers involved.

Speed and Performance

So, what type of speeds should you expect and/or shoot for with your Processing Engine?  By RAIDing together PCIe NVMe’s, you should achieve speeds over 12 Gigabytes per Second.   SSDs drives typically run at either their specified limitation or perhaps faster, depending on the RAID Controller.  These processing drives, if you will, feed software the speeds required to run as fast as possible.   It’s critical to know how to configure the Processing Engine for each client.  Some software packages on the market can run conventionally faster with RAIDed SSDs.  This software recognizes all drives connected to an SSD RAID as individual disks.   These RAIDs utilize those disks to create indexes for the case.

Conclusion

If you are considering a new “workstation” for your laboratory, perhaps you should consider implementing a Processing Engine rather than a “forensic workstation”.  It is critical that the designer of your system understands the implementation of a Processing Engine.  The benefits are considerably faster and will allow you to get through Big Data sets more efficiently.