Evidence Processor Performance Monitoring - Part II

Guidance Software

Feature Spotlight: Performance Test

In the last feature spotlight, I described the new Performance tab in EnCase Version 7.07. Once you have visibility into the performance of Evidence Processor within EnCase, the following questions quickly arise:
  1. What can I do to speed up Evidence Processor from a hardware perspective?
  2. When Evidence Processor is taking longer than expected, what kind of information can I share with Guidance?

How is my hardware performing?

Perhaps you have set up a new RAID configuration and would like to see the benefit of that disk configuration when processing evidence. The most direct way to test would be simply to run Evidence Processor. But what if there is a problem with the RAID configuration? What if you suspect there is a problem with one of your drives? How would you know? Certainly processing would take longer, but that is only a symptom, not a diagnosis.

One could use a variety of hardware benchmarking tools to measure things like IOPS, seek time or read time. These objective measures definitely help point one in the right direction. However, a more direct approach is to measure how EnCase itself uses the device and what performance it actually sees. Let’s take a look at the Performance Test feature in EnCase Version 7.07 to see how this works.

Navigate to the Performance tab through View --> Performance. On the sub-tab, click “Performance Test”. A list of available tests will be displayed:

Each of these tests is designed to use the same interfaces as Evidence Processor, so that performance can be measured systematically across all processing activities. An investigator does not need to understand the significance of every one of these tests in order to use them in a before-and-after analysis.

Here is an example of the output of a performance test run on a basic business laptop, measuring a 7200 RPM 2.5” drive (device 0) and a category 4 flash drive connected via USB 2.0 (device 1):

I configured the size of the test data to be 512MB for each device; the Performance Test then generates metrics on the actual performance of the system as seen by EnCase.

Since we’re looking at a standard table in EnCase, I can click the menu in the upper right corner of the screen to save the results:

Let’s say I replace my 7200 RPM RAID with an SSD RAID. I can run the same tests again and, with some minor Microsoft Excel manipulation, produce a difference worksheet showing EnCase performance before and after a hardware or system configuration change. For the comparison to mean anything, keep the test data size and the set of tests identical between the two runs and change only one thing at a time; otherwise a difference in the numbers cannot be attributed to the hardware.

Using these tests and a basic set of comparisons in Excel, an investigator can quickly identify differences in the performance of the system running EnCase and see where hardware bottlenecks might be occurring.
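The spreadsheet step above can just as easily be scripted, which makes it repeatable when you benchmark several configurations. The following is an added example, not EnCase functionality or Guidance Software code. It assumes each Performance Test run was saved from the results table as a tab-separated text file with the columns `Test`, `Device` and `Seconds` (assumed column names; adjust them to whatever your EnCase version actually writes), joins the two runs on test and device, and flags any test that got slower by more than a chosen percentage. The two exports embedded below are constructed sample data, not real EnCase output.

```python
"""Before/after comparison of two EnCase Performance Test exports.

Added example, not Guidance Software code. Assumes each run was saved as a
tab-separated file with at least the columns 'Test', 'Device' and 'Seconds'
(assumed column names; adjust to match the export your EnCase version writes).
"""
import csv
import io

# Constructed sample exports (not real EnCase output). Device 0 is the disk
# that was replaced between runs; device 1 is a USB flash drive left unchanged.
BEFORE = """Test\tDevice\tSeconds
Sequential Read\t0\t12.4
Random Read\t0\t41.9
Hash\t0\t18.2
Sequential Read\t1\t55.0
Random Read\t1\t130.5
Hash\t1\t60.1
"""

AFTER = """Test\tDevice\tSeconds
Sequential Read\t0\t4.1
Random Read\t0\t3.8
Hash\t0\t17.9
Sequential Read\t1\t54.7
Random Read\t1\t131.2
Hash\t1\t70.0
"""


def parse_results(text):
    """Return {(test, device): seconds} for one exported run."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    results = {}
    for row in reader:
        key = (row["Test"].strip(), row["Device"].strip())
        results[key] = float(row["Seconds"])
    return results


def compare_runs(before, after, regression_pct=10.0):
    """Join two runs on (test, device) and compute the change for each test.

    Returns rows sorted by percentage change, largest speed-up first.
    Tests present in only one run are skipped: a delta would be meaningless.
    'regression' is True when the after run is slower by more than
    regression_pct, which is how a misbehaving drive or array shows up.
    """
    rows = []
    for key in sorted(set(before) & set(after)):
        b, a = before[key], after[key]
        delta = a - b
        pct = (delta / b) * 100.0 if b else 0.0
        rows.append({
            "test": key[0],
            "device": key[1],
            "before": b,
            "after": a,
            "delta": round(delta, 2),
            "pct": round(pct, 1),
            "regression": pct > regression_pct,
        })
    rows.sort(key=lambda r: r["pct"])
    return rows


def format_table(rows):
    """Render the comparison as a plain-text difference table."""
    header = f"{'Test':<18}{'Dev':<5}{'Before':>9}{'After':>9}{'Delta':>9}{'%':>8}  Flag"
    lines = [header]
    for r in rows:
        flag = "SLOWER" if r["regression"] else ""
        lines.append(
            f"{r['test']:<18}{r['device']:<5}{r['before']:>9.1f}{r['after']:>9.1f}"
            f"{r['delta']:>9.2f}{r['pct']:>8.1f}  {flag}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(compare_runs(parse_results(BEFORE), parse_results(AFTER))))
```

In the constructed data the replaced disk (device 0) shows large speed-ups on the read tests and almost none on hashing, which is what you would expect if hashing is CPU-bound rather than disk-bound. The unchanged flash drive (device 1) is flagged as slower on one test; in a real before-and-after run that is exactly the kind of result that says something other than the intended change moved, and it deserves a second look before the new configuration is trusted.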

My hardware is performing fine but…

If evidence processing isn’t meeting expectations, Guidance Software encourages all of our customers to reach out to us. But when you have configured your hardware appropriately and done everything you can to make sure your forensic workstation is running optimally, what else can you do?

The Performance tab also contains aggregate metrics for all Evidence Processor tasks, totaled across a single Evidence Processor run. This detailed information can be extremely helpful for determining where time is being spent in a given processing run.

Additionally, snapshots can be taken at intervals so that a timeline of performance is collected over the run. Individual counters for specific tasks can also be enabled to record how long each atomic processing action took. Perhaps processing is spending a long time on a 32-level nested ZIP file? Knowing that can help you work out how to get your case back on track.
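Once the per-task counters are exported, the question of where the time went is a small aggregation: total seconds per task, each task’s share of the run, and the single item that cost the most inside the dominant task. The following is an added example, not EnCase functionality or Guidance Software code. It assumes the counters were exported as a tab-separated file with the columns `Task`, `Item` and `Seconds`, one row per atomic processing action (assumed column names and layout; adjust to the export your EnCase version produces). The embedded export is constructed sample data, built to show the nested-archive case from the text.

```python
"""Where did an Evidence Processor run spend its time?

Added example, not Guidance Software code. Assumes the per-task counters were
exported as a tab-separated file with the columns 'Task', 'Item' and 'Seconds',
one row per atomic processing action (assumed column names; adjust to match the
export your EnCase version produces).
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (not real EnCase output): one archive dominates.
COUNTERS = """Task\tItem\tSeconds
Hash\treport.docx\t0.4
Hash\tarchive.zip\t2.1
Expand Archives\tarchive.zip\t310.6
Expand Archives\tsmall.zip\t1.2
Signature Analysis\treport.docx\t0.1
Signature Analysis\tarchive.zip\t0.3
Index\treport.docx\t9.8
Index\tarchive.zip\t22.0
"""


def parse_counters(text):
    """Return a list of (task, item, seconds) tuples from the export."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return [(r["Task"].strip(), r["Item"].strip(), float(r["Seconds"]))
            for r in reader]


def summarize(counters):
    """Total time per task, its share of the whole run, and its slowest item.

    Rows come back sorted by total time, largest first, so the task that
    dominates the run, and the one item responsible for most of it, is on top.
    """
    totals = defaultdict(float)
    slowest = {}
    for task, item, secs in counters:
        totals[task] += secs
        if task not in slowest or secs > slowest[task][1]:
            slowest[task] = (item, secs)
    grand = sum(totals.values())
    rows = []
    for task, total in totals.items():
        item, secs = slowest[task]
        rows.append({
            "task": task,
            "total": round(total, 2),
            "share_pct": round(total / grand * 100.0, 1) if grand else 0.0,
            "slowest_item": item,
            "slowest_secs": secs,
            # how much of this task's time went to that one item
            "item_share_pct": round(secs / total * 100.0, 1) if total else 0.0,
        })
    rows.sort(key=lambda r: r["total"], reverse=True)
    return rows


def format_summary(rows):
    """Render the ranking as plain text, one task per line."""
    lines = [f"{'Task':<20}{'Total s':>9}{'Run %':>8}  Slowest item (share of task)"]
    for r in rows:
        lines.append(
            f"{r['task']:<20}{r['total']:>9.1f}{r['share_pct']:>8.1f}  "
            f"{r['slowest_item']} ({r['slowest_secs']:.1f}s, {r['item_share_pct']:.1f}%)"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(summarize(parse_counters(COUNTERS))))
```

With the constructed data, archive expansion accounts for roughly 90% of the run and a single archive accounts for almost all of that task’s time, which is the signature of a deeply nested or very large container rather than a slow workstation. That is the kind of finding worth attaching when you send the exported view to Technical Support, because it points at the evidence rather than the hardware.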

This view can be exported and sent to Guidance Software Technical Support. A more detailed view is also available in the Evidence Cache directory within your case:

We hope you find these rich data sets helpful; they’re intended to assist in situations where casework doesn’t proceed according to plan. Let us know what you think and better yet, share your performance results and configurations.
