
Efficient forensic workflow: Is your bridge a bottleneck?

Over the last few years we have been presenting seminars on accelerating forensic workflow at a range of conferences such as HTCIA, DFRWS, ACSC, & F3. This blog series aims to extract and expand the key themes in the seminar.

Is your bridge a bottleneck?

For around 4 years now, we have been benchmarking the throughput of a range of storage devices: SSDs, RAIDs, NVMe drives, regular spinning rust drives, and USB bridges (the subject of this post). The table below summarises our results for interconnects.

Not all bridges are created equal

The test methodology was to connect a drive with known performance characteristics via various interconnects. We used a benchmarking tool to see how fast we could read data through the various bridges from the drive. Through earlier testing with the same tools, we know that the test drive is capable of reading data at upwards of 500 MB/s when directly connected to a motherboard via SATA3.

In all cases the bridges are a bottleneck, limiting throughput.

The results fall into roughly three groups: bridges that limit throughput at around 200 MB/s, 300 MB/s and 400 MB/s. For the USB3 bridges running at 200 MB/s, the cause appears to be that they use the USB Bulk Only Transport (BOT) standard (until recently this was the only game in town for USB storage). The bridges with 400 MB/s figures employ the next-generation USB Attached SCSI Protocol (UASP), which enables faster speeds through more parallelism. The final group of bridges, the forensic write blockers, limit speeds to around 300 MB/s.

When is your bridge NOT a bottleneck?

If you are reading single spinning rust disks the bridges aren’t a significant bottleneck. Today’s commodity 3.5” SATA drives pump data at a maximum of around 200 MB/s.

The bottleneck hits in both directions.

Consider acquiring a Samsung T5 (400 MB/s) via a Tableau T8u (325 MB/s). If the Tableau is connected via USB3 to a forensic workstation, and we are imaging to a RAID volume inside, there is likely to be enough throughput to keep up with a read stream of 325 MB/s. However, if we image to a single spinning disk (200 MB/s) via a BOT-based USB3 bridge (200 MB/s), the bottleneck is either the disk or the BOT-based bridge. Substituting an SSD won’t give a speed improvement, as we are still limited to 200 MB/s by the bridge.

How to go faster.

On the read side, choose an interconnect that mates the native storage protocol of the drive (e.g. SATA, SAS or NVMe) with the PCIe bus on your imaging device. This means either using a forensic live OS or a forensic duplicator to assure write blocking and evidence integrity.

On the image storage side, find an interconnect that gives the most throughput. Use native SAS or SATA if possible, and prefer USB3 over USB2. If using USB3, use a UASP bridge. Beyond that, make sure your storage device has sufficient write throughput to match the rest of the pipeline.
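One way to check which transport a connected bridge is actually using, as an added example that is not from the original post: on Linux, `lsusb -t` (from usbutils) shows the kernel driver bound to each USB interface, where `uas` is UASP and `usb-storage` is BOT. The function names and the sample output below are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which transport each USB storage bridge is using,
# from `lsusb -t` output. Driver=uas means the kernel bound the UASP driver;
# Driver=usb-storage means Bulk-Only Transport (BOT).

classify_bridges() {
    awk '
    /^\/:/ {                          # root hub line carries the bus number
        bus = $3; sub(/\..*/, "", bus); next
    }
    /Class=Mass Storage/ {
        dev = 0; drv = ""; spd = 0
        if (match($0, /Dev [0-9]+/))   dev = substr($0, RSTART + 4, RLENGTH - 4)
        if (match($0, /Driver=[^,]*/)) drv = substr($0, RSTART + 7, RLENGTH - 7)
        if (match($0, /, [0-9]+M/))    spd = substr($0, RSTART + 2, RLENGTH - 2) + 0
        if (spd < 5000)                 v = "USB2-link"   # link itself is the limit
        else if (drv == "uas")          v = "UASP"
        else if (drv == "usb-storage")  v = "BOT"
        else                            v = "unbound"     # no storage driver attached
        if (drv == "") drv = "none"
        printf "bus=%d dev=%d driver=%s link=%dM verdict=%s\n", bus, dev, drv, spd, v
    }'
}

# Constructed sample of `lsusb -t` output (not captured from a real machine).
sample_lsusb_t() {
    cat <<'EOF'
/:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/6p, 5000M
    |__ Port 1: Dev 2, If 0, Class=Mass Storage, Driver=usb-storage, 5000M
    |__ Port 2: Dev 3, If 0, Class=Mass Storage, Driver=uas, 5000M
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/12p, 480M
    |__ Port 3: Dev 4, If 0, Class=Human Interface Device, Driver=usbhid, 1.5M
    |__ Port 4: Dev 5, If 0, Class=Mass Storage, Driver=uas, 480M
EOF
}

# On a live Linux system: lsusb -t | classify_bridges
sample_lsusb_t | classify_bridges
```

A UASP-capable bridge plugged into a USB2 port still reports `uas` but negotiates a 480M link, which is why the link speed is checked before the driver.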

There is a range of ways to do the above. My next post will focus on how the acquisition technique chosen can become a bottleneck.