Computer Forensics Case (Caso de Computo Forense)

Case Study

Background

Fortune 500 Utilities Company Processing Over a Terabyte of Complex Data in 12 Hours

A major utilities company has 150 locations throughout its region of service. In previous years, the organization was using FTK and EnCase Forensic, relying on these stand-alone tools to address internal investigations and e-discovery. With caseload growing year over year, the company saw the need to explore options to improve its computer forensics and e-discovery capabilities. Typically, the company sees one new computer forensics case a week, with data sets ranging in size from 80GB to 500GB.
Rigorous Testing

"It is worth noting that we have achieved this impressive speed doing full forensic-level processing. If we were testing this architecture on an e-discovery matter, the data would process even faster."
Member of the Information Security Operations Team

"To test the solution we threw a worst-case-scenario data set at it. Compressed data filling a terabyte hard drive included many zip files, PSTs and CD-ROM images. There were close to 13 million items."
Member of the Information Security Operations Team

Full forensic-level processing refers to the processing actions selected in the Additional Analysis processing refinement pane within AD Enterprise. In this case, all actions were selected except Optical Character Recognition and Cerberus malware analysis.
AD Enterprise Additional Analysis selection screen showing the full depth of processing options available in nearly all AccessData technology.

E-discovery matters typically involve 12GB of email and a total of 5 terabytes of data. Knowing these volumes will only trend upward, the organization's information security operations team launched an initiative to dramatically increase the speed with which they are able to process and index data. In particular, the goal was to get a better handle on the computer forensics caseload, which requires a much deeper level of processing than an e-discovery matter would require.

The Solution
Given the sheer processing speed, ease of use and innovative capabilities of AccessData's technology, the decision was made to adopt AD Enterprise and AD eDiscovery. These solutions are built on Forensic Toolkit and allow processing to be distributed among four workers, enabling investigators to move into the analysis phase faster. However, processing performance is also dependent on hardware capabilities, such as disk I/O. As there are virtually innumerable ways in which to configure distributed processing with AccessData technology, the AccessData Technical Account Manager team was asked to assist the utilities company in tailoring the architecture to fit its needs. Testing was rigorous to ensure the most reliable results. One test data set, when compressed, filled a terabyte drive and had close to 13 million items.

Results
Before implementing AD Enterprise and the new architecture, it typically took six days to forensically process a terabyte of complex data. Now, this Fortune 500 utilities company is able to perform full forensic-level processing on data sets of that size and complexity, including carving and indexing, in just 12 hours. "The only reason we were able to do this is because of the AccessData Technical Account Manager experts who came out to assist us," claimed a member of the information security team. In addition, he explained that this would not be possible with other computer forensics solutions. "AccessData technology absolutely helped. With our current setup we're able to keep up with caseload very well. We can get eyes on the case faster than ever before, much more time doing and a lot less time waiting."

AD Enterprise Processing Summary

Items Enumerated (Identified): 12,678,306
Total Processing Job time: [Link]M[Link]PM = [Link] (hh:mm:ss)

"With our current setup, we're able to keep up with caseloads very well. We can get eyes on the case faster than ever before."
Member of the Information Security Operations Team

Case Overview lists all processed data categories and item counts.

Hardware Infrastructure

The infrastructure employed to support the improvements in the company's processing and investigative capabilities includes four servers and a network attached storage (NAS) device. AD Enterprise provides for the use of four distributed processing engines working in unison to handle nearly any volume of data. The inclusion of a NAS device, while not required, can improve the rate at which evidence can be accessed and sent to the processing engine(s).
AD Enterprise (Processing Engine, Database)
Operating System: Windows 7 Enterprise x64
CPU: 2x 6-core 3.46GHz
RAM: 96GB
Drive Configuration:
  OS/App: 240GB SSD
  Temp space: RAID 0, 480GB SSD
  Case Folder: 1.8TB 15k RPM

Distributed Processing Engines
Operating System: Windows Server 2008 R2 x64
CPU: 2x 6-core 2.66GHz
RAM: 96GB
Drive Configuration:
  OS: RAID 1, 146GB 15k RPM
  Distributed Processing Engine: RAID 1, 146GB 15k RPM
  Temp Space: 320GB SSD

Storage
Isilon NAS
Network: 6x 10GbE
Drive Configuration (RAID 6):
  Evidence: 80TB 15k RPM
  Case Folder: 40TB 15k RPM

CORPORATE HEADQUARTERS: 801.377.5410, 384 South 400 West, Suite 200, Lindon, UT 84042 USA
NORTH AMERICAN SALES: 800.574.5199, 801.765.4370, sales@[Link]
INTERNATIONAL SALES: +44 (0)20 7010 7800, internationalsales@[Link]
[Link]