My Road to Digital Forensics Excellence

Benchmarking EnCase (update)

Posted by Paul Bobby on March 6, 2009

I have completed an evidence set to be used for non carving/recovery benchmarks.

The source was the complete database dump from Wikipedia, dated June 2008. This 15 GB .gz file uncompressed to ~250 GB, a process that itself took considerable time.

Once uncompressed, the directory structure for this Wikipedia archive is just enormous – and is quite unwieldy when attempting to process it as one big chunk. Performing operations against this large single dataset would be a great benchmark I’m sure, but it would bring most systems to a crawl, so I decided to break it up into smaller chunks; investigators can then load as many or as few as they want when running benchmarks.

The evidence sets were created from the articles\a-z subfolders. I chose to create .E01 evidence files as opposed to LEFs. I may still create LEFs, but E01 has the advantage of including the operating system and disk topology. If I do create LEFs, it will be on a subset of Wikipedia, as I’m interested in benchmarking the L01 file format and pushing the limits of the internal tree structure it is capable of maintaining.

The evidence assembly process was as follows:

0. Create a 32 GB NTFS partition
1. Format the partition using Quick mode
2. Run Eraser and overwrite the unallocated space on the partition (using a simple single-pass 0x00 byte overwrite)
3. Copy ~32 GB of material from the Wikipedia archive to this partition
4. Run EnCase and acquire an image of the drive. I selected Good compression, the default block size, both an MD5 hash and a SHA1 hash, and 640 MB file segments (you can fit 7 to a DVD if you want)

Once the acquisition was completed, go back to step 1 and start over for the next chunk of wikipedia.

In the end I created Wikipedia-Part1.E01 through Wikipedia-Part11.E01, each part consisting of approximately ten 640 MB .E** segment files, for a grand total of 60 GB in our first benchmarking evidence set.
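The acquisition step above produces a whole-stream MD5 and SHA1 over the raw disk data and then stores that data as a sequence of fixed-size segment files. The script below is an added illustration of that shape, not EnCase's own code and not the E01 container format: it writes a small constructed image as plain raw slices, hashes the stream once with both algorithms as it goes, and then re-verifies the segment set in order so a missing, reordered or altered segment shows up as a hash mismatch. The image contents, segment size (300,000 bytes instead of 640 MB) and the `Demo-Part1.NNN` file names are all assumptions chosen so it runs offline.

```python
"""Segmented acquisition with dual hashing (added illustration, not EnCase code).

Mirrors the post's acquisition step on a constructed image: one pass over the
source computes MD5 and SHA-1 of the whole stream while the bytes are written
out as fixed-size segments. A second function re-reads the segments in order
and checks them against the recorded hashes. Segments are raw slices here,
not .E01 containers.
"""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # read granularity; independent of the segment size


def acquire_segments(image_path, out_dir, base_name, segment_size):
    """Copy image_path into base_name.001, .002, ... of segment_size bytes each.
    The whole stream is hashed once (MD5 + SHA-1) as the data goes by.
    Returns (segment_paths, md5_hex, sha1_hex)."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    segments = []
    seg_index, seg_written, seg_file = 0, 0, None
    with open(image_path, "rb") as src:
        while True:
            data = src.read(CHUNK)
            if not data:
                break
            md5.update(data)
            sha1.update(data)
            # A read chunk may straddle a segment boundary, so carve it up.
            while data:
                if seg_file is None:
                    seg_index += 1
                    path = os.path.join(out_dir, f"{base_name}.{seg_index:03d}")
                    seg_file = open(path, "wb")
                    segments.append(path)
                    seg_written = 0
                room = segment_size - seg_written
                piece, data = data[:room], data[room:]
                seg_file.write(piece)
                seg_written += len(piece)
                if seg_written == segment_size:
                    seg_file.close()
                    seg_file = None
    if seg_file is not None:  # final, possibly short, segment
        seg_file.close()
    return segments, md5.hexdigest(), sha1.hexdigest()


def verify_segments(segments, expected_md5, expected_sha1):
    """Re-read the segments in the given order as one stream and compare the
    recomputed MD5/SHA-1 with the values recorded at acquisition time."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    total = 0
    for path in segments:
        with open(path, "rb") as f:
            while True:
                data = f.read(CHUNK)
                if not data:
                    break
                md5.update(data)
                sha1.update(data)
                total += len(data)
    got_md5, got_sha1 = md5.hexdigest(), sha1.hexdigest()
    return {
        "ok": got_md5 == expected_md5 and got_sha1 == expected_sha1,
        "md5": got_md5,
        "sha1": got_sha1,
        "total_bytes": total,
    }


def run_demo(segment_size=300_000):
    """Constructed end-to-end run: write a deterministic 1,048,579-byte image,
    segment it, verify it, then flip one byte in the last segment and verify
    again. Returns the observations as a dict."""
    data = bytes(range(256)) * 4096 + b"end"  # constructed sample image
    with tempfile.TemporaryDirectory() as work:
        image = os.path.join(work, "source.dd")
        with open(image, "wb") as f:
            f.write(data)
        segs, md5_hex, sha1_hex = acquire_segments(image, work, "Demo-Part1", segment_size)
        sizes = [os.path.getsize(p) for p in segs]
        clean = verify_segments(segs, md5_hex, sha1_hex)
        # Corrupt a single byte: the whole-stream hashes must no longer match.
        with open(segs[-1], "r+b") as f:
            f.seek(10)
            original = f.read(1)
            f.seek(10)
            f.write(bytes([original[0] ^ 0xFF]))
        tampered = verify_segments(segs, md5_hex, sha1_hex)
    return {
        "segments": len(segs),
        "sizes": sizes,
        "md5_matches_direct": md5_hex == hashlib.md5(data).hexdigest(),
        "sha1_matches_direct": sha1_hex == hashlib.sha1(data).hexdigest(),
        "clean_verifies": clean["ok"],
        "clean_total_bytes": clean["total_bytes"],
        "tampered_verifies": tampered["ok"],
    }


if __name__ == "__main__":
    print(run_demo())
```

Hashing the stream once while writing the segments is what lets the recorded MD5/SHA1 stand as the acquisition hash regardless of how the data is later split across DVDs; the verification pass only needs the segments back in their original order.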


