By Manny Kressel
CEO and Founder of BitMindz
For years examiners in the forensic community have relied on what we call a Forensic Workstation for processing case data. That included almost all digital evidence like hard drive images, mobile phone dumps, media cards, external drives, etc. The Forensic Workstation was what most of us relied on in the community to make images, process the case, identify evidence, and create reports. This methodology worked for a long time, and rightly so because there was no other method of making images except with a forensic computer (or forensic workstation) that could support write blockers in the system.
With the introduction of smartphones, more portable media, tablets, and larger storage devices, the computer forensic community has seen a continuous rise in the amount of data to process with their system. Programs like Cellebrite, Magnet Axiom, XRY, Oxygen, and other tools which acquire phones use the examiner’s workstation to extract the data.
While this is somewhat efficient and allows the examiner to use a single system to acquire and process all of the data, it will inevitably impede workflow because the system is tied up with making images and extracting data rather than just processing it. This is where the Processing Engine, rather than a Forensic Workstation, is a better workflow for increasing productivity.
A Processing Engine differs slightly from a Forensic Workstation in that it is geared more toward processing rather than collecting data. While a Forensic Workstation is the Swiss Army knife of the forensic community and can process data, it might not be the best solution for an examiner who needs to get through terabytes or petabytes of data.
Without getting into the “thirty-third level of nerdy computer engineering,” there are various factors to consider when building a system that can process data efficiently. Modern processors (including the newer Intel desktop processors, Intel Xeon processors, AMD Ryzen, and AMD Threadrippers) all have technology built in whereby, if the system designer isn’t paying attention to the number of PCIe lanes utilized by expansion cards, NICs, PCIe NVMe drives, RAID controllers, etc., there is a good chance your system is being throttled by the processor because it cannot handle all of the throughput required to get you through casework fast. This is where the requirements of a Forensic Workstation build can impede your workflow, and this is precisely where a Processing Engine shines and increases productivity to significantly higher levels.
So, what’s the best solution? It’s much more efficient to make forensic images on a single system utilized to collect data. This system would collect complex drive images, SSDs, media cards, phones, drones, memory, and anything else the examiner needs to collect. This data would then be moved to the Processing Engine, which is geared toward maximum bandwidth and throughput with high disk input/output. The result is a more efficient workflow that allows the examiner to make images on one system and process them on another, creating a steady flow of imaging, processing, imaging, processing.
Better yet, get something like the Logicube Falcon-NEO (see below), which can image five source drives out to nine target drives with speeds surpassing 50GB/min. External devices like this allow you to make forensic images independent of the system and then transfer the resulting images onto your Processing Engine. This allows you to work more efficiently as you constantly make images, load data, and process.
Logicube Falcon-NEO
It helps if the engineer(s) who design your Processing Engine (or Forensic Workstation) are forensic examiners AND law enforcement. Getting certifications is a start to understanding how to build a system; however, nothing supersedes the knowledge, training, and experience involved in years and years of working cases in a law enforcement capacity.
At BitMindz, we have that experience, which shows in the skillfully crafted systems we design to meet the rigorous data processing standards. Your system needs to withstand the constant demands of processing day and night with no breaks. We know how to craft a technological powerhouse with multiple fast volumes and the processing power you need to get through data quickly. The best part is that this can be done without significant costs.
So while most of our systems contain write blockers, we gear the system more toward a Processing Engine. It’s designed with the speed, quality, and performance you expect. We are constantly innovating, testing new technology, and implementing that technology in our systems. Further, we are constantly striving to provide you with the best chassis, and we have designed our own cases from the ground up; however, we’ll save that story for another day. As always, please feel free to reach out to us with any questions or comments.