Wednesday, November 26, 2008

Redemption





Though I missed the true beta period, I downloaded and installed the pre-release version of FTK 2.1 last night. FTK 2.0 left us all in a state of shock. Many questions and accusations flew around various industry forums and mailing lists. Prices went up, quality went down, and we were wanting what we paid for. A lot of faith was lost in AccessData and their ability to provide a solid product moving forward.

Don't throw away your dongles quite yet. 2.1 is the product 2.0 was supposed to be.

Compared to 2.0, the installation of 2.1 was a breeze. The only missing link was that I needed to reboot to get KFF installed.

Some remarkable improvements I noticed are:
Speed - moving between tabs is as it should be. Processing is much, much faster.

Resource usage - Obviously, with a 64-bit install FTK will use as many resources as can be thrown at it. I like this. I have a good machine with plenty of resources, and before I moved to 64-bit, I always watched in horror as my resources just didn't get used.

Here's a shot of FTK just beginning to process an image:



Here it is 10 minutes into processing:


Usability - Wow, when you click on a tab, you open that tab immediately, even while processing a case.



Does it still require a huge amount of resources? Why yes, yes it does. My test rig has the following specs:
8GB ECC 667 RAM
Dual Xeon 2.66GHz Quad Core processors
System drive is a RAID-0 on two 146GB SAS drives
Database drive 3*500GB SATA RAID-0

All in all I have to hand it to AccessData. After all the tongue lashing they took when 2.0 was released, they listened to their customers, licked their wounds, and went back to the drawing board and worked to remedy the problems. I won't say just yet that all of the problems have been fixed. I just installed the product last night, and I'm still processing cases, but this is what I wanted to see - a solid product capable of living up to its marketing, and a product that gives me what I paid for.

Addendum: An 80GB disk took about 6 hours to process and index. I imagine if I had more disk available I could get it taken care of in under 4 hours. Compared to FTK 1.7 which took 20 hours to process an image, I'm happy, very happy with the performance. Currently, I'm processing two more images of 100GB and 150GB in the same case.

4 comments:

Anonymous said...

So have you been able to process a real hard drive of any reasonable size? I have been trying to process an 80 gig drive so far unsuccessfully. We had a major problem installing the database, and "SUPPORT" had no clue what to do. I figured it out on my own and moved on. Now when it is processing an 80 gig it gets a generic error and just says ok, it will not continue unless you click ok, and you have to click it for like an hour, each time it has a problem. And "SUPPORT" told us they do not know what the error is, nor how to fix it, nor are they currently tracking the errors in a log file so you could determine the file you want to skip. That is really slack and completely useless. I do not have hours to click ok on an error. You have to sit there and click on each error until it gets past it before it will continue, clicking for HOURS! I have already paid 4k this year in updates and then just got a call from Access Data asking me to pay another 4k (I own four useless copies) for updates. What bull this is and I am tired of paying for it. Access Data should be giving away updates until they get it right, it has been over a year now and I have yet to be able to successfully. This is a waste of money for something that does not work and we should not keep paying for updates until it is working.


----------------------------------------------------------
Scott A. Moulton / CCFS CCFT CDRP DREC
Certified Computer Forensic Specialist
Certified Computer Forensic Technician
Certified Data Recovery Professional
Data Recovery Expert Certification
----------------------------------------------------------
Forensic Strategy Services, LLC
----------------------------------------------------------
601b Industrial Court, Woodstock, Ga 30189
Phone: 770-926-5588 Fax: 770-926-7089
Web: www.ForensicStrategy.com

hogfly said...

Hi Scott,
I have processed three drives now:
80G
100G
150G

This equalled about 3 million objects when I was done. I have had no issues. Not sure what to tell you. You have 2.1 installed? Did you install over top of a 2.0 install?

Anonymous said...

No, we even installed the OS clean just to do this test. However, we did the 32-bit edition. I am going to reformat and try the 64-bit edition today and see if there are any changes and it runs better. So far it is difficult to see what is better when you cannot get past the indexing processes. Our equipment seems to be similar except that we only have 4 gigs of RAM in the server. I will post my findings after 64-bit tests.

Scott Moulton

hogfly said...

I'd be interested to see how your 64-bit tests go. After looking at the requirements I decided I had to go with 64-bit. Even 32-bit w/ PAE support didn't seem like it would work even with the new version. I used to run Server 2k3 32-bit w/ PAE on the same system, and with 2.0 I had endless issues like you describe. This makes me think that the only way to get 32-bit to be responsive is if you separate Oracle from the worker(s).