When it comes to setting up a system for OSForensics, there is a huge range of PC hardware on the market. Below are some suggested guidelines, but many other setups will also work fine.
- Bare minimum hardware:
  - 2GB RAM
  - Any x86 CPU (e.g. Intel Core i3)
  - Windows 7 or above
  - Any hard drive with 2GB free space
  - Any video card
- Suggested mid-range, cost-effective hardware for a lab machine:
  - 32GB DDR4 or DDR5 RAM
  - 64-bit x86 CPU released in the last 3 years with 6+ cores (e.g. Intel i5-12600K)
  - 2TB boot and data drive: M.2 NVMe SSD (e.g. Samsung 980 PRO M.2 PCI-E Gen4 2TB)
  - Optional ‘cold’ storage (e.g. Seagate Ironwolf 10TB HDD)
  - Video card (e.g. NVIDIA 3060)
  - Power supply: Gold class, 650W
- High-end workstation:
  - Off-the-shelf solutions: PowerEdge T440 Tower Server, or HPE ML350 Gen11
  - 64GB+ ECC DDR5 RAM
  - Xeon CPU with 10+ cores (Gen11 or later)
  - 4TB boot and data drive: M.2 NVMe SSD (e.g. Samsung 980 PRO M.2 PCI-E Gen4 4TB)
  - 4 x 8TB SATA SSD storage (e.g. Samsung 870 QVO 2.5in SATA SSD 8TB)
  - Optional RAID 0 data mirroring on SSD storage
  - Video card: NVIDIA 4080 (if password cracking is envisaged, otherwise 3060 class)
  - Power supply: Gold class, 850W+
Don’t forget a keyboard, a mouse and quality monitors (large dual 4K monitors are suggested), as well as some type of data backup solution and USB-based external storage.
Q. If my motherboard has additional M.2 slots for more storage, should I use them?
A. Yes. M.2 slots can give 10x the performance of SATA hard drives.
Q. Should I store my case files on a network drive, NAS or cloud?
A. No. At least not if you care about performance. A case running on a local M.2 drive can give 100x the performance. Network drives are good for cold case storage, however.
Q. Should I work from E01 image files off USB external storage?
A. No. At least not if you care about performance. A case running on a local M.2 drive can give 10x the performance of a USB drive. Copy the E01 file to a local M.2 drive first, if you can. Also, the E01 file format is intrinsically slow (due to single-threaded compression). Raw images are faster, but take up more space.
Q. Are more than 10 CPU cores useful?
A. There is a point of diminishing returns, and a significant number of tasks can’t be threaded at all, so single-thread performance is also important. However, if you are running multiple VMs or multiple cases at the same time, more cores and more RAM can help. At some point, though, the disk speed or RAM becomes a bottleneck. It is hard to imagine any scenario where more than 32 cores provides a meaningful performance benefit, especially as the CPUs with the largest number of cores have the lowest single-thread performance. A table of best single thread performance can be found here.
Q. What about external storage?
A. USB is the most compatible and universal. The latest USB standards are much, much quicker than the old ones, so use USB4, USB3.3 Gen2 where possible with high-end solid state drives. We like the external M.2 enclosures with a 20Gbit/s connection and a high-end M.2 drive inside.
Copyright © 2022 PassMark™ Software