I am often asked the question: "When is EnCase going to be able to distribute processing?" EnCase customers have a naturally voracious appetite for processing, and case backlogs grow over time and with technology. I’ll define a backlog as a set of evidence awaiting review by an Investigator. While EnCase Evidence Processor introduced powerful automation capabilities, the task of centrally distributing, prioritizing and managing evidence processing has been largely left to the best effort of the Investigator.
Forensics labs of any size almost universally have backlogs of evidence. Backlogs are a lot like automobile traffic on the freeway: they happen with little notice, and a small event can have ripple effects, clogging up the entire system.
Consider an influx of disk images as part of a recent incident, or a bag full of hard drives freshly seized from a crime scene. An event like either of these may be viewed as an anomaly, but the ripple effects are notable. Senior Investigators may be pulled off their existing casework to work the new backlog. Open cases may suffer. Cases already in the backlog get pushed back even further.
Part of the problem is a lack of highly trained Investigators for the task at hand. My esteemed colleagues in Guidance Software’s Training and Professional Services Divisions provide solutions for educating your team as well as for getting boots on the ground. The other part of the problem is making the best use of the computing resources available. While a case is in a backlog, standard processing can take place, so that when the expert Investigator is free to perform their deep-dive investigation, all tools are at the ready.
- Is a keyword index available? Check.
- Have all entries been hashed and a file signature analysis performed? Check.
- Has all email been exposed for immediate review? Check.
- Create a Processing "Grid", physical or virtual, two nodes, or one hundred nodes (there is no arbitrary limit).
- Distribute evidence processing to EnCase Processor Nodes.
- Prioritize evidence processing jobs.
- Manage configuration and settings for any number of Processor Nodes.
- Efficiency: It's easier to manage processing of multiple evidence files
- Power: For customers who are not taking advantage of EnCase Examiner and EnCase Processor together, processing throughput increases linearly.
- Cost savings: Use of lower-cost EnCase Processor licenses to perform the heavy computational lifting of Evidence Processing.