Forensics CPU & Disk resource usage
OSForensics
http://www.osforensics.com/
Feb 2016 by D. Wren
Hardware used for testing
• CPU: i7-4770 @ 3.4GHz
• RAM: 16GB, DDR3 PC3-17066
• SSD: Intel 520 Series, 240GB
• GPU: Integrated
• OS: Win10
Interpreting CPU load values
• i7-4770 CPU has 4 cores + Hyper-threading. So can support 8 threads.
• Meaning 12.5% CPU load = 1 thread busy
• 25% CPU load = 2 threads busy
• 50% CPU load = 4 threads busy
• Nominal CPU base frequency is 3.4GHz… but
• Can ‘turbo’ single threaded loads to 3.9GHz.
• Can idle down to below 1GHz under low load to lower energy use.
• CPU can’t reach 3.9GHz when all cores are fully loaded.
• So the CPU almost never actually runs at base frequency.
TASK: File name search
• Search 220,038 file names for JPG & PNG files.
• Duration ~7 sec
• Max CPU load 15%
• Average CPU load 11%
• Slightly less than 1 CPU core used. Task is I/O bound not CPU bound.
TASK: Recent activity
• Collect internet activity & registry records, etc.
• 168,490 records collected
• Duration ~61 sec
• Max CPU load 15%
• Average CPU load 12%
• Max disk load 100% (average 95%)
• 1 CPU core used. Task is I/O bound not CPU bound.
TASK: Undelete files
• Examine MFT and carve files
• Duration ~61 sec
• Max CPU load 1%
• Average CPU load <1%
• Max disk load 100% (average ~50%)
• Task is totally I/O bound.
TASK: Index disk
• Read all files, extract text, build search index.
• Max CPU load 31%
• Average CPU load 15%
• Max disk load 100% (average ~30%)
• Task is threaded, but only a 2-core CPU is required.
TASK: Password cracking
• Brute force attempt on encrypted zip file.
• Max CPU load 100%
• Average CPU load 100%
• Max disk load 5% (average <1%)
• Task is fully threaded & will use as many cores as are available.
TASK: Multitasking
• Simultaneously build index, undelete files & recover passwords
• Max CPU load 30%
• Average CPU load 15%
• Max disk load 100% (average ~90%)
• Simultaneous tasks make the disk even more of a bottleneck.
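The interpretation used in the task slides above (whole-machine CPU load converted to busy threads, then compared with disk load), as an added example that is not part of the original slides. The function names, the 90% saturation threshold and the sample readings are assumptions made for illustration.

```python
import math
from statistics import mean

LOGICAL_CPUS = 8  # i7-4770 from the slides: 4 cores x 2 hyper-threads


def busy_threads(cpu_pct, logical_cpus=LOGICAL_CPUS):
    """Convert whole-machine CPU load (%) into the number of fully busy threads."""
    return cpu_pct / 100.0 * logical_cpus


def summarise(samples, logical_cpus=LOGICAL_CPUS, saturated=90.0):
    """Summarise (cpu_pct, disk_pct) readings taken while one task runs.

    The 90% saturation threshold is an assumption of this example.
    """
    if not samples:
        raise ValueError("no samples recorded")
    cpu = [c for c, _ in samples]
    disk = [d for _, d in samples]
    avg_cpu, avg_disk = mean(cpu), mean(disk)
    if avg_cpu >= saturated:
        bottleneck = "cpu"            # more cores would help
    elif max(disk) >= saturated:
        bottleneck = "disk"           # CPU has headroom, storage does not
    else:
        bottleneck = "neither saturated"
    return {
        "avg_cpu": round(avg_cpu, 1),
        "max_cpu": max(cpu),
        "avg_disk": round(avg_disk, 1),
        "max_disk": max(disk),
        # Whole threads needed to carry the average load (at least one).
        "threads_used": max(1, math.ceil(busy_threads(avg_cpu, logical_cpus))),
        "bottleneck": bottleneck,
    }


# Constructed one-per-second readings (not measurements from the slides),
# shaped like the "Index disk" and "Password cracking" results.
INDEX_RUN = [(8, 100), (31, 20), (12, 10), (15, 5), (9, 15)]
CRACK_RUN = [(100, 5), (100, 0), (100, 0), (100, 1)]

if __name__ == "__main__":
    for name, run in (("index", INDEX_RUN), ("crack", CRACK_RUN)):
        print(name, summarise(run))
```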
Conclusions
• Most forensics tasks are disk bound and single threaded.
• Even when not single threaded, a two-core CPU is enough.
• When picking a CPU, customers should favour a small number of fast CPU cores (e.g. 4 cores at 3.9GHz) rather than a large number of slow cores (32 cores at 2.4GHz).
• Hardware spend should instead be on better disks and SSDs.
• For most tasks 8GB of RAM is plenty. Or 16GB if running VMs.
Hardware suggestions
• Current best CPUs (Feb 2016) are:
  • Intel i7-6700K
  • Intel i7-4790K
  • Xeon E3-1271 v3 & E3-1281 v3
• An i5-4690K, i5-4770K or even a cheap i3-4370 or i3-6320 would still give good performance however.
• There are a huge number of storage options. In order of highest to lowest performance:
  • PCIe based SSD (including M.2 drives). Example: Samsung 950 Pro M2
  • SATA3 SSD. Example: Intel 535 Series
  • SATA3 HDD in RAID config. 3 x Western Digital Black in RAID 5
  • Standard HDD.
Exceptions
• More CPU cores (and dual CPUs) can be useful when:
• Exception 1: Multiple projects.
  • You are simultaneously working on multiple projects AND
  • Each of the projects is running off a separate disk system
  • Same applies to VMs when you have multiple disk systems.
  • Still for most users there would be little benefit in going above 6 cores.
• Exception 2: Password cracking
  • There is very little disk activity for a brute force password attack with random passwords. This can be highly threaded and scale with the available CPUs.