The Impact of Evidence Drive I/O and Processing Cores in a Forensics Distributed Processing Arra

As drive sizes increase at a relentless rate in computer systems, it has become far more time consuming to process the data sets for the forensic examiner. The advent of cloud computing and the significant size of data queries in e-discovery litigation has also significantly impacted the processing times for cases in the digital forensics field. It is not uncommon for significant delays to occur in processing of this digital evidence. Distributed Processing will likely become a primary method to process evidence in digital forensics due to these increasingly problematic conditions. While there are recommendations from companies that sell distributed solutions there currently does not exist any independent third party benchmarks for performance planning or configuration guidance. Further, as the move to private clouds for forensic processing becomes a reality, it will be important to have performance data and scaling factors in order to mimic the performance of a standalone array with a cloud based virtual array. As a result, certain critical variables, particularly the type of evidence server and the number of worker processor cores tends to create issues with inconsistent or suboptimal performance. This research has attempted to quantify the effect that additional worker processing cores and evidence server input / output (I/O) performance has on the processing time of the Distributed Processing Array (DPA) for a given case.