This post is authored by Christopher Cone, a Forensic Consultant at Magnet with 20 years of law enforcement experience.
Recently, I have seen user questions about hardware choices as it relates to performance with Magnet AXIOM or Magnet AXIOM Cyber. When it comes down to it, we all want our cases processed faster!
This was a regular topic of discussion during my time on the Training team at Magnet Forensics. In my experience—not just with Magnet AXIOM, but all computer software that I have used—hardware configuration and software configuration each play a role.
Another factor with modern digital investigations is the sheer volume of data we are often examining and having reasonable expectations for what we are asking our chosen hardware and software combination to do. I want to share with you some of the choices I have found that work well for me, and what I have heard about from other users of Magnet AXIOM and AXIOM Cyber, related to hardware options and overall system configuration.
In a second follow-up post I will include suggestions related to software settings in Magnet AXIOM and AXIOM Cyber, and I will cover some of the common pitfalls I have encountered.
Bring on the Progress Bars
The struggles that existed in the early days of personal computer hardware also existed when I began work as a digital forensic examiner. I can remember cases processing for days on end, almost afraid to make eye contact with the computer, just waiting for results. And then waiting some more. Sometimes a case would process for what seemed like ages, only to crash and then I would restart the processing over again.
The early days were interesting. As an example, finding a desktop computer that contained data related to a CSAM investigation was common and often the only piece of electronic evidence of interest in that investigation. Over time, desktop computers gave way to laptop computers, often with USB external storage devices. Then smartphones, tablets, new types of external storage devices, and cloud-stored data came into the picture. Time goes on and technology evolves. The types of devices examiners are asked to look at continue to increase in variety and complexity. Device capacity increases and the number of devices in any given investigation continues to grow.
In modern digital investigations an examiner could have Microsoft Office metadata in a document that is one fragment of a clue in a case; it is not necessarily what breaks a case wide open, as it did for the investigation into Dennis Rader (the BTK killer). Today, examiners typically find themselves investigating a diverse set of devices and data sources, combining them all for maximum effect and to draw the most context from user activity with their devices and applications.
Whether you are an AXIOM or AXIOM Cyber user, you are probably just like me—you want it to be faster, regardless of your current hardware configuration. Over the years, both Magnet AXIOM and AXIOM Cyber have gotten bigger with subsequent versions, but they have also gotten faster. I was able to do some testing last year comparing overall processing time for different versions of AXIOM using the same data set, with the same settings in AXIOM Process, and using the same hardware for each test. The newer versions were faster, and if you are interested, you can read more about it here.
Not only is AXIOM faster, but it also does more things for you automatically. The latest version of AXIOM supports more native and third-party applications than ever, and as a result, it finds more artifacts. It is impressive that I can point AXIOM at a several hundred gigabyte image and have hundreds of thousands of artifacts neatly categorized, a Timeline of activity, visual Connections, media categorization, picture comparison, keyword searches, and all the other things I have selected done for me and ready for review. If I need to look at data in the file system explorer, that is an option. Investigate further into Registry data? We can do that, too! Ever need to pivot from something found in an AXIOM case to an external specialty tool to really dig in and take something apart? Absolutely!
The Nuts and Bolts of Hardware Performance
Now on to the hardware, which can be a struggle—if you buy the latest and greatest today, it will seem outdated tomorrow when the next new thing is released.
Finding the right balance between CPU core count, clock speed, RAM (type, quantity, and speed), plus storage options all play into the equation for getting the best performance out of Magnet AXIOM and AXIOM Cyber. You may be in a position where you need to make do with the hardware you have, and a complete system upgrade is not an option. Even in that situation, a change to how you’re using the drives you have available or adding a couple of task-specific flash-based storage drives (that are relatively inexpensive) can pay dividends in performance. Not everyone is a gearhead when it comes to computer hardware. But we all recognize the different hardware components – after all, they’re part of what we work with on a regular basis. To make solid decisions around hardware specifications and resource allocation, we need an understanding of how all this hardware works together in a typical computer.
I Need More Power
The central processing unit (CPU) of your forensic workstation is one of the first things to look at. When shopping for a new system, the market is full of options from Intel and AMD. AXIOM is a multi-threaded application and supports a maximum of 32 logical CPU cores, although some operations are single threaded by design (those single-threaded phases are where clock speed, not core count, sets the pace). The official documentation indicates that core count trumps clock speed. However, one thing to consider: with the newer generation of CPUs you can have both core count and clock speed.
As an example, an Intel i9-13900KF gives you both thirty-two logical CPU cores and blazing-fast clock speeds. As an added bonus, this CPU is an extremely cost-effective choice. A (typically) much higher cost Xeon-based system may give you a similar (or even higher) core count, but that often comes at lower clock speeds. There were some sessions at this year's Magnet Virtual Summit comparing the performance of different Intel and AMD CPUs; if you are interested in that, you can still see it here. I will give you a spoiler: the newest Intel i9 and AMD Ryzen 9 7xxx series CPUs were the fastest, considerably more so than some of the much more expensive CPU options tested.
Look at the CPU in your current system and, if you’d like, you can search for your forensic workstation’s specific CPU at PassMark’s benchmark page to get an idea of what you should expect from it.
The rule of thumb I have been using is two gigabytes per logical CPU core. If you have a system that can provide Magnet AXIOM or AXIOM Cyber the maximum of 32 logical cores, then you will have the best results with at least 64GB of RAM. Check your RAM speed too; there are benefits here as well. DDR4 has been the standard for several years and supports a range from DDR4-1600 through DDR4-3200, although DDR4-2133 seems to be the lowest speed variant in common use. The theoretical peak transfer rate of DDR4-2133 is 17 GB/s (2,133 MT/s across an 8-byte bus), while DDR4-3200 bumps that to 25.6 GB/s. If you are not sure of the type and speed of memory in your system, you could try the following from a command prompt (note that wmic is deprecated in current Windows releases and may not be installed by default; Get-CimInstance Win32_PhysicalMemory in PowerShell returns the same information):
wmic MemoryChip List
Here is an example below from the output of this command run on one of the computers used during the performance testing article:
After checking your system RAM, you can compare it to the speeds listed here. The CPU and motherboard configuration influence the overall throughput, and there can be limitations on which combinations will work in your system, but faster RAM is a benefit for the type of work examiners are doing in digital investigations. The newer generation of Intel and AMD CPUs that support DDR5 RAM get a performance boost from the start: even the slowest DDR5 variety (DDR5-4000, 32 GB/s peak) beats the fastest DDR4 (DDR4-3200, 25.6 GB/s peak) in overall throughput.
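The following PowerShell script is an added example, not code from the original post or from Magnet Forensics. It pulls together the three checks discussed above (logical core count against AXIOM's 32-core ceiling, installed RAM against the two-gigabytes-per-core rule of thumb, and DIMM type and running speed) and adds the one the storage section below cares about: which bus each physical disk sits on. It assumes Windows 10 or 11 with PowerShell 5.1 or later and needs no elevation; the SMBIOS memory type codes it decodes (26 for DDR4, 34 for DDR5) come from the DMTF SMBIOS specification.

```powershell
# Added example (not from the original post): inventory the CPU, RAM and
# storage bus types that drive AXIOM processing speed, and apply the post's
# 2 GB-per-logical-core rule of thumb, capped at AXIOM's 32-core maximum.
# Assumes Windows 10/11 with PowerShell 5.1+; runs as an ordinary user.

# SMBIOS memory type codes (DMTF SMBIOS spec): 24 = DDR3, 26 = DDR4, 34 = DDR5.
$memType = @{ 24 = 'DDR3'; 26 = 'DDR4'; 34 = 'DDR5' }

$cpu      = Get-CimInstance Win32_Processor
$logical  = ($cpu | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
$usable   = [Math]::Min($logical, 32)     # AXIOM uses at most 32 logical cores
$minRamGB = $usable * 2                   # rule of thumb from the post

"CPU: {0}" -f ($cpu.Name -join '; ')
"Logical cores: {0} (AXIOM can use {1}); max clock {2} MHz" -f $logical, $usable, $cpu[0].MaxClockSpeed

$dimms      = Get-CimInstance Win32_PhysicalMemory
$totalRamGB = [Math]::Round(($dimms | Measure-Object -Property Capacity -Sum).Sum / 1GB)
foreach ($d in $dimms) {
    $code = [int]$d.SMBIOSMemoryType
    $type = if ($memType.ContainsKey($code)) { $memType[$code] } else { "SMBIOS type $code" }
    # Speed is the rated value; ConfiguredClockSpeed is what the DIMM actually runs at.
    # Peak GB/s = MT/s * 8 bytes / 1000, the same arithmetic as the DDR4 figures above.
    "DIMM {0}: {1} {2} GB, rated {3} MT/s, running {4} MT/s ({5:N1} GB/s peak)" -f `
        $d.DeviceLocator, $type, ($d.Capacity / 1GB), $d.Speed, $d.ConfiguredClockSpeed,
        ($d.ConfiguredClockSpeed * 8 / 1000)
}
"Installed RAM: {0} GB; guideline for {1} usable cores: at least {2} GB" -f $totalRamGB, $usable, $minRamGB
if ($totalRamGB -lt $minRamGB) { Write-Warning "RAM is below the 2 GB per logical core guideline" }

# BusType shows NVMe vs SATA vs USB; MediaType shows SSD vs HDD. A USB entry here
# is the removable-media case the storage section below warns about.
Get-PhysicalDisk | Sort-Object DeviceId |
    Select-Object DeviceId, FriendlyName, MediaType, BusType,
        @{ n = 'SizeGB'; e = { [Math]::Round($_.Size / 1GB) } } |
    Format-Table -AutoSize
```

Save it as, for example, Get-WorkstationProfile.ps1 and run it once on each workstation; the DIMM lines are the quickest way to spot memory that is rated for one speed but running at a lower configured speed because of the CPU or motherboard limits mentioned above.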
The first thing about storage is: you probably need more of it. The good news in the storage arena is that we have options, maybe so many options that it gets a bit confusing. Spinning disk or flash-based storage? SATA or PCIe bus? What about NVMe, M.2, and U.2? Not to add to any confusion in the decision-making process, but what about RAID? There is another bit of good news with storage. Optimized storage options are a relatively cost-effective way to get a boost in performance on systems that are lacking on the CPU end.
There are two facets to the approach when it comes to storage. First, consider how to efficiently divide the workflow for case processing operations—evidence file storage location, case file storage location, temporary files, hash set storage location, AXIOM installation location, and your Windows operating system—more on this in part two.
Second, while considering how to divide the workflow among the various storage devices you have, also think about the type of storage devices you have in your system. Flash storage is generally faster than spinning disk and the PCIe bus is generally faster than the SATA bus. PCIe lanes are a consideration, with some CPUs having a limited amount. As with all things related to digital forensics, the standard answer applies: it depends. After addressing CPU core count and clock speed and ensuring you have the appropriate quantity and speed of memory in your system, evidence read speed is a potential bottleneck in performance.
Digital Forensics is Like Real Estate
Location, location, location. Evidence files stored locally generally provide better performance than files stored on a network share. I understand this is not always possible. I know that some organizations have <insert your organization’s reason here> that require processing across the network. I even recognize there are times when it may be necessary because of local storage constraints with large data sets. Just be realistic with expectations as this is likely going to have an impact on your case processing times.
Even with a 10 gigabit ethernet (GbE) connection, you will likely experience a performance hit. The nature of evidence processing means the read across the network is not always done in one continuous transfer. Sure, a 10GbE connection provides a theoretical maximum transfer rate of 1,250 megabytes per second and the cost for those 10Gb network interface cards is reasonable. Then you must also consider cabling and switch upgrades along with storage on the other end of that cable which supports the same speeds and provides sufficient throughput to realize the speed advantage the faster interface provides.
That faster speed quickly tumbles when two things happen: reality sets in, so the actual transfer speeds fall short of the maximum the interface supports, and more than one user on the same network segment comes along while you are trying to process a case. I worked in a lab where it was commonplace to process cases with network-stored data; I am by no stretch of the imagination implying this is wrong. For many reasons, this is the way things must be done in some cases. What I cannot change is that doing this will be slower than using uncompressed evidence files on something like a local PCIe 4.0 NVMe RAID 0 array.
Those two examples are focused on best-case options for each scenario. What about something more common? Like a single examiner storing evidence files on a RAID 5 spinning-disk NAS attached via 1 GbE. Or a lab where there are several examiners actively working cases and trying to access network-stored data across that same 1GbE connection. Yes, you can do it and it works. Just adjust your performance expectations accordingly.
A quick disclaimer, I recognize there are network storage options that are suited for high-availability, high-throughput, multiuser access; but this is not what I typically hear about when users are experiencing performance issues and those same users are processing across the network. Generally, it is a situation where network storage has been added as a stopgap for combating the scale of typical digital investigations. Add in slower network connections and multiple users and things slow to a crawl, relatively speaking.
While convenient, I would avoid using USB-attached devices as a storage location for evidence files, or for any other purpose related to case processing. While a 4TB external USB hard drive is a tempting and cost-effective storage option, I have seen it be the cause of case processing issues too many times. Which means I should clarify the above statement about locally stored evidence files to exclude anything stored on removable media. Have I mentioned it depends? I know there are times when you move something from one machine in the lab to another, or you export something from an acquired evidence source. There are times when something like a Samsung T7, or another USB-C attached external SSD, makes an almost perfect candidate for such things; I do it, too. If you do this, make certain you have addressed all the power and USB suspend options in Windows (just selecting one of the broad power plan options may not do it), and this approach will likely work just fine for smaller items.
But I would recommend avoiding the option altogether for larger evidence containers. Nothing like ruining a perfectly good case processing when an external spinning disk chooses to go to sleep while AXIOM is working with data on another disk.
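The power and USB suspend settings mentioned above live in two places: the active power plan (disk idle timeout and USB selective suspend) and the per-device power management flag on USB hubs and mass-storage devices. The script below is an added example, not from the original post or from Magnet Forensics; it reads the current plan values and then clears both layers. It assumes Windows 10 or 11 and an elevated PowerShell session. The subgroup and setting GUIDs are the standard ones powercfg reports for USB settings and USB selective suspend; confirm them with powercfg /query on your own system before relying on them.

```powershell
# Added example (not from the original post): keep external USB storage from
# sleeping or suspending while AXIOM is processing. Run from an elevated
# PowerShell session on Windows 10/11.

$usbSubgroup = '2a737441-1930-4402-8d77-b2bebba308a3'   # USB settings subgroup
$usbSelSusp  = '48e6b7a6-50f5-4782-a5d4-53bb50f7e4e2'   # USB selective suspend setting

# Show the current values on the active plan before changing anything.
powercfg /query SCHEME_CURRENT SUB_DISK DISKIDLE
powercfg /query SCHEME_CURRENT $usbSubgroup $usbSelSusp

# Disk idle timeout of 0 seconds = never turn off disks, on AC and on battery.
powercfg /setacvalueindex SCHEME_CURRENT SUB_DISK DISKIDLE 0
powercfg /setdcvalueindex SCHEME_CURRENT SUB_DISK DISKIDLE 0
# USB selective suspend index 0 = disabled.
powercfg /setacvalueindex SCHEME_CURRENT $usbSubgroup $usbSelSusp 0
powercfg /setdcvalueindex SCHEME_CURRENT $usbSubgroup $usbSelSusp 0
# Re-apply the plan so the new indexes take effect.
powercfg /setactive SCHEME_CURRENT

# The plan setting is not the whole story: Device Manager's "allow the computer
# to turn off this device to save power" flag is per device and is exposed through
# the MSPower_DeviceEnable WMI class. Clear it for every USB device that has it set.
Get-CimInstance -Namespace root\wmi -ClassName MSPower_DeviceEnable |
    Where-Object { $_.InstanceName -match '^USB\\' -and $_.Enable } |
    ForEach-Object {
        $_.Enable = $false
        Set-CimInstance -InputObject $_
        "Disabled power-off for $($_.InstanceName)"
    }
```

Run it once per workstation and again after a Windows feature update, which can reset plan values; the powercfg /query lines at the top give you a before picture to compare against if a case run still stalls on an external drive.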
With storage, I get it—there are a ton of variables at play. Some examiners are left using a local spinning disk RAID (with a focus on parity) as both the volume that evidence files are processed from and pinning their hopes on that same volume being a viable option for a long-term storage solution. That’s just not ideal, a storage option for evidence files during case processing is a drastically different use case than one for longer-term storage, not to mention RAID is not a backup.
I believe there should be a distinction between storing evidence files for active use (things like case processing, analysis, and reporting) and long-term storage. That brings up another topic that I see regularly. Digital evidence is becoming central to even more investigation types, because as digital forensic examiners we recognize what a significant role it plays in so many aspects of daily life. How are you maintaining that data to comply with organizational policy, regulatory requirements, and legal requirements, like evidence retention in criminal cases?
Evidence Container Types
When I started in this field, creating disk images with segmented and compressed E01s was the standard approach. Times have changed, evidence sources have changed, and the logical size of those evidence sources has changed drastically. These days, disk space is relatively cheap. My tests have shown if you can alter your workflow to create uncompressed image files, you are bound to see an improvement in case processing speeds. AXIOM (and all your other forensic tools) will not be spending CPU clock cycles decompressing data and writing to a temp storage location to work with it. When you have completed your analysis and reporting on that case, then look for ways to compress the data for long-term storage.
General Guidelines for Hardware Performance
Here is the short version of what I have found through testing different storage configurations, hardware combinations, and lots of head-scratching. Ok, yelling at computers. First, there is no magic system configuration that will be the perfect solution for every piece of software that you use and every case that you investigate. Second, there is no one-size-fits-all approach to this.
In a prior role, we made the switch to using i9-based workstations several years ago. At that time many forensic computers were still being outfitted with dual-socket mega-core-count Xeon CPUs. They have their use, no denying that and they are fantastic in the right configuration. But we found it was possible to equip each examiner with more than one workstation for less cost. Add in a relatively low-cost machine with a write blocker for acquiring images to free up the high-performance workstations for processing work, and we really increased our efficiency.
With all of that in mind, the rule-of-thumb suggestion is a high clock speed, newer generation CPU, a quantity of fast RAM appropriate to the CPU core count, and dedicated local storage for case files, temp files, and evidence files consisting of uncompressed images; that combination gives the best performance. I have had good results with my OS and applications on a SATA SSD, case files going to a second SATA SSD, temp files going to a PCIe NVMe drive, and my evidence files being read from a second PCIe NVMe drive. Add in a modest NVIDIA-based GPU to leverage for the features supported by Magnet.AI and you have a well-rounded system that should provide solid performance. In each environment there may be exceptions to what is suggested here, and you may need to experiment with how you allocate disk usage.
Spend a bit of time thinking about the different workflows involved in your investigations. Remember that with Magnet AXIOM and AXIOM Cyber, you can go straight from evidence acquisition to processing, so leverage that option when appropriate. There are also times when you first need to acquire a variety of evidence sources and then process them all at once, so having a secondary computer to use for imaging purposes leaves your high-end machine available for the processing work it is intended to do. As the average data size of any given case continues to grow, we will find ourselves spending more time acquiring, processing, and analyzing that data. Instead of waiting for data to copy from local storage to network storage when you are done actively working with it, consider ways to implement scripting to move that data around during off-hours. This can pay off by putting the machines to use in what would otherwise be unused computing time.
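One way to script the off-hours move described above, as an added example that is not part of the original post or any Magnet tooling: copy a finished case from the local processing volume to network storage with robocopy, verify each file's SHA-256 on both sides, and delete the local copy only when the hashes match, then register the whole thing as a nightly scheduled task. The case folder, share path, task name and 01:00 schedule are placeholders to adapt to your lab; the script assumes Windows 10 or 11, PowerShell 5.1 or later, and an elevated session for the registration step.

```powershell
# Added example (not from the original post): move a completed case to long-term
# storage overnight, with hash verification before the local copy is removed.
# Paths, share and schedule below are placeholders.

param(
    [string]$Source      = 'E:\Evidence\Case-2023-001',       # fast local processing volume
    [string]$Destination = '\\nas01\archive\Case-2023-001',   # long-term storage share
    [switch]$Register                                          # create the nightly task instead of running now
)

function Move-VerifiedCase {
    param([string]$Src, [string]$Dst)
    # Keep the log outside the source tree so it is never copied or deleted with the case.
    $log = Join-Path $env:ProgramData 'case-move-verify.log'

    # /E subfolders, /MT parallel copy, /Z restartable mode, /R and /W bound the
    # retries so one unreadable file does not stall the whole night.
    robocopy $Src $Dst /E /MT:8 /Z /R:3 /W:10 /NP /LOG+:$log | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

    $mismatch = 0
    foreach ($f in Get-ChildItem -Path $Src -File -Recurse) {
        $rel  = $f.FullName.Substring($Src.Length).TrimStart('\')
        $copy = Join-Path $Dst $rel
        $srcHash = (Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash
        $dstHash = (Get-FileHash -Algorithm SHA256 -Path $copy).Hash
        if ($srcHash -eq $dstHash) {
            Add-Content -Path $log -Value "VERIFIED $rel $srcHash"
            # Free the fast local volume only after the remote copy is proven identical.
            Remove-Item -Path $f.FullName -Force
        } else {
            $mismatch++
            Add-Content -Path $log -Value "MISMATCH $rel local=$srcHash remote=$dstHash"
        }
    }
    if ($mismatch) { throw "$mismatch file(s) failed verification; their local copies were kept" }
}

if ($Register) {
    # Nightly at 01:00 as SYSTEM so the job does not depend on an examiner being logged on.
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -Source `"$Source`" -Destination `"$Destination`""
    $trigger = New-ScheduledTaskTrigger -Daily -At 1am
    Register-ScheduledTask -TaskName 'Archive-Case-OffHours' -Action $action -Trigger $trigger `
        -User 'SYSTEM' -RunLevel Highest -Force | Out-Null
} else {
    Move-VerifiedCase -Src $Source -Dst $Destination
}
```

Because the task runs as SYSTEM, the workstation's computer account (not the examiner) needs write access to the share; if your NAS cannot grant that, register the task with a dedicated service account instead. The verify-then-delete order matters for chain of custody: a file with a mismatched hash is logged and left in place, so nothing is lost to a flaky network copy.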
Digital forensics is a fascinating discipline. For years I have told people that I try to learn something new every day, and in this field that is an easy goal to meet. There are so many aspects to digital investigations—applications to know about and techniques that are in use. When you add in things like operating system changes and new security methods to overcome, there is simply no end to what any practitioner in this field can learn about—either by choice or out of necessity during an investigation.
With computer, smartphone, cloud, IoT devices, vehicle infotainment systems, and log data from a seemingly endless number of applications and service providers, modern digital investigations have an abundance of potential sources of information. In some ways, the volume of data can be overwhelming to a single examiner.
While Magnet AXIOM and AXIOM Cyber include a wide range of features designed to help you cut through the noise and get to actionable data faster, the distributed workflows and automation offered by the Magnet Digital Investigative Suite (MDIS) may be the next logical step in your evolution as a digital forensic examiner and for the workload at your organization.
The second part of this series will focus on application settings within Magnet AXIOM and AXIOM Cyber, including post-processing options and artifact profiles. We will also cover dividing the case processing workflow amongst available drives in your system and some of the big troublemakers I have run into regarding application and system settings with respect to overall performance.
- The official system requirements and suggestions are available at: https://support.magnetforensics.com/s/article/System-requirements-Magnet-AXIOM
- Using an NVIDIA GPU with Magnet AXIOM or AXIOM Cyber: https://support.magnetforensics.com/s/article/System-recommendations-for-using-Magnet-AI-with-a-NVIDIA-GPU
- AXIOM version performance testing: https://www.magnetforensics.com/blog/comparing-magnet-axiom-performance-speeds-through-the-ages/
- CPU Testing: https://www.magnetforensics.com/resources/one-goes-up-the-other-comes-down/