Letter from Perlustro Team


To Our Worldwide Customers,


Since Perlustro was formed, our goal has been to build the finest line of forensics tools in the world and to be the leading forensic tool provider to law enforcement, military, intelligence, and other national agencies. For 10 years, with the support of our national government partners, we were able to produce and provide tools to anyone in those fields who faced the challenges of digital investigations. We are justifiably proud of that unique history, and sincerely appreciate the unquestioned support we have always received from these users. Indeed, that user community gave us the unique ability to create what we have today. Any company would be more than proud to have received the support and accolades we have enjoyed, let alone the access to that type and volume of data. In the future, empowering digital investigations on this foundation will continue through new ILook tools and new technologies that make the investigation of seriously complex digital issues much easier than ever before.


Since we ushered in the first Windows analysis platform in national government use (Unix on Windows), we have been fortunate to have a unique and unequaled connection to massive data sets around the world. This interface to that quantity of data produced not only better tools, but a clear and quite unique picture of the future solutions we needed to create. Over time, however, it became obvious that there was also growth and demand for tools as good as ILook in the commercial sector, simply because that field was in somewhat dire need of more solutions. Likewise, there were many commercial forensics issues that we could learn from, and which made the tools better on both sides. Many of these solutions had already been developed by Perlustro, yet for whatever reason they were missing from every other sector. Just as with our unique Windows and Linux heritage, there was much to be gained in that field. The surging demands of the commercial users who have corresponded with us over all these years clearly showed that solutions Perlustro already had available were simply not filtering into the commercial market. It was also true that the challenges of forensics in the commercial area required that any technology Perlustro was capable of producing had to meet those demands as fully as those of our long-standing user base.


Simply put, when we started in digital forensics development, the requirements, and even the criminal statutes of the time, did not generate the same demand in the commercial space as they did in law enforcement or intelligence operations. There is nothing intrinsically to be gained in this field by keeping tools designed to do a specific job hidden away from those who can most economically utilize them. There were particular reasons in times past, and particular functions, that the inventors did not allow the public to access. But as we go forward from here, we will explain how we achieved a solution to both ends of that equation. We start today, and from that perspective.


You may have heard that about two years ago we advised our user base, via a non-public listserv, that we were embarking on a database-powered solution that would address several areas of concern. These were areas which were becoming intractable in digital forensics generally. Mostly, this situation resulted from exponential data growth and the increasing e-discovery demands for speed and cost efficiency. These commercial issues now bring almost all business users into contact with the discovery processes created by statute changes, as well as increased governance requirements. In particular, PII challenges, Safe Harbor data restrictions, and native crypto support are 10-year specialties that are unique to our tools. It was also clear to us that some technical issues simply could not be solved using RAM-based solutions such as ILook V8 and its predecessors.


Perlustro spent a great deal of time working directly with Microsoft on designing a system that would be able to scale and perform on two specific fronts: a cost-effective solution, and a faster-throughput form that absorbed, to the greatest extent possible, all variables of data analysis. We have worked very hard to address these issues in a design that we believe can be relied on into the future: a design which will expand with the user base that lies ahead, and at the same rate as advances in the supporting technology.


Today, we want to share with you the first part of the news about our future tool set, which will be released later this year. Integral to the sophistication of the new ILook suite is the Microsoft SQL Server 2005/2008 64-bit platform, with no CPU core limits and support for four CPU sockets. This is the engine that will power the new ILook, and each user will have a fully unrestrained commercial version of SQL Server for their own use within the ILook toolset.


Background


Specifically, the mandate we set out to address related mostly to numerical limits on objects and to system hardware limitations, with a clear goal of making the tools much easier to use. At that time, it was becoming increasingly clear that even in 64-bit computing, these challenges were threatening to severely deplete the future ability of the forensic field to adapt. This same issue also threatened potential solutions for mission-critical data that we had already devised. Simply put, even a high-powered computer can, in many cases, only barely investigate another single computer system. Such a predicament is no longer a choke point in investigations.


Additionally, at some levels of severe RAM utilization, 64-bit computing becomes ineffective in itself, despite having conceivably no physical limits on available hardware. At the maximum RAM levels available in typical PCs, RAM speed also becomes problematic and somewhat volatile, especially when faced with increasingly laborious memory assignments. RAM also has no failover mechanism: if you have bad RAM, you have no inherent method to correct it unless it is diagnosed by other means. You can also harm RAM through other application interactions; and while the same can be said for DB files, that outcome is dramatically less likely. Nor can you scale toward relative infinity simply by buying more RAM, even if it were economically feasible to do so. This is not new to computing requirements; in fact, it is the same reason that databases were originally invented.


MS SQL Server will run 100% undaunted on a 1 GB RAM box; in fact, our base beta test machines are $550 USD off-the-shelf machines with 2 GB of RAM and an AMD X2-64. It will also run more than adequately on a 128 GB RAM box, with the only difference being the processing speed improvements of the DB engine as RAM increases above 2 GB. This mode of operation and minimum hardware demand is unique in computer technology. In order to accomplish both high-speed transactions and queries, SQL Server uses a technology based on a side-by-side operating system component known as SQLOS, which manages all system resources within Windows, not just the DB engine. The power of the 25 million lines of SQL Server code, all written in .NET, becomes a catalyst which has no equal in MS Windows database performance and usability for a .NET application like ILook.


Addressing the Dilemma of RAM Dependency and Numerical Limits


The ability to use this DB engine, the most important component in the Microsoft line, required us to re-engineer many different solutions and methods of operation that are far different from those currently in commercial existence. This has created many clear advantages for the end users, among them:


  1. The data contained in the database, in all forms, is 100% under the control and access of the user. The design allows not only your full access to data within the database containers, one set for each case you work, but also provides the user with SQL Server Management Studio, in which you can directly conduct queries independent of ILook, without it even being involved in the process. Charting and statistical analysis tools from many vendors also expand those built-in capabilities. In summary, it's your data, and you have ownership and total control over all of it, not part of it. The next generation of ILook will provide the entire set of DB schema objects so that you can engineer (with optional ILook components) an entirely new tool set using the inbuilt ILook building blocks and controls, including SQL Server, if you need to.
  2. The database engine itself is the only co-kernel power within Windows operating systems. In effect, it has equal authority to the operating system and can manage resources much more intensively than other database products on a Windows operating system platform. The immediately visible benefit to the user here is the reduced demand for RAM resources on the host machine. But operating system demands are also mitigated by the inherent power of the DB engine. Scalability issues of high RAM utilization are now somewhat of an old-fashioned problem, and no longer a concern. For instance, handling 1 million, 5 million or 10 million objects is easily managed with 2 GB of RAM.
  3. The speed of data access available to the user GUI interface is not even comparable to RAM use at high object counts. In RAM-based applications like ILook V8, the movement of data actually takes a serial path in order to form it into user interface components, but the new ILook ties directly into the DB engine for seamless displays of data within milliseconds instead of minutes, and without regard to object counts.


Some timed examples:


    1. From an ILook application double-click start, a display of a typical 1 million file load takes less than 25 seconds to become fully available in the entire user context.
    2. Shutting down a machine and doing a full restart takes less than 1 minute, but only 1 minute the first time; each successive restart takes only 25 seconds. This is NOT just to app start, this is to data load and display.
    3. There are no session data files to corrupt, hence there is no need for the user to maintain a backup strategy for the hosted data in case of application failures or mechanical problems. Assuming the system being investigated is fully loaded, it will remain in that locked-in form from that point on, barring physical storage problems or damage from some other source.
    4. The use of the DB engine changes the entire paradigm of saving historical case data by bypassing the need to SAVE data at all; in fact, unlike ILook V8, there is no save button, simply because once you load and process the image or device data one time, it is encapsulated from then on. [An early test was to take other applications, generally similar to and including V8, load the same image, and then pull the power plug out of the wall after each had loaded the data, using the same machine. The result is that it still only takes the new ILook 25 seconds to reload the entirety of the data sets. Unfortunately, we cannot give you reload times for the other products.]
    5. Let's take a common ILook operation that is well recognized: the negative SHA1 hash of 1 million files against a database of 15 million. For that dataset size, the V8 time would be at least several elapsed hours, but the current processing time is less than 150 seconds. The reduction of irrelevant or duplicative data is a pivotal design issue of the new tools at every level. It is also central that the design uses the outstanding work performed over many years that is inherent in the NSRL hash sets provided by the National Institute of Standards and Technology. Those sets are integrated into the application base as the default form. Any future NSRL sets they produce can now be loaded without any constraints on size or numerical limits at any level.

  4. The increased computing power of the DB engine itself also allows many multi-threaded application processes to coexist and be managed by the DB engine instead of ILook. While ILook may be running close to 10 threads at one time, there is an additional scope of energy available in the database engine, working for the user behind the scenes at every turn. Multi-cores and sockets are all fully usable by the DB engine separately from ILook, as is any 64-bit Vista or XP OS. (32-bit Windows users are not left out of this solution, but they will face numerical limits due to system constraints, not those imposed by ILook.)
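
As an added illustration (not Perlustro's code, with SQLite standing in for SQL Server), the negative SHA1 hash against an NSRL-style reference set described in timed example 5 is an anti-join inside the database: case-file hashes with no match in the reference table survive, and an index on the reference hash column is what keeps each lookup cheap as the reference set grows. The file contents, paths and hash set below are constructed.

```python
import hashlib
import sqlite3
from typing import List

# Constructed stand-ins: three "known" files, as an NSRL-style reference set would list
# them, and five case files, three of which carry known content.
KNOWN_FILES = [b"calc.exe contents", b"notepad.exe contents", b"kernel32.dll contents"]
CASE_FILES = {
    "/Windows/System32/calc.exe": b"calc.exe contents",          # known: eliminated
    "/Windows/notepad.exe": b"notepad.exe contents",             # known: eliminated
    "/Users/a/Documents/ledger.xlsx": b"spreadsheet data",       # unknown: must survive
    "/Users/a/Downloads/tool.exe": b"unrecognised binary",       # unknown: must survive
    "/Windows/System32/calc_backup.exe": b"calc.exe contents",   # known content, new name
}


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_case_db() -> sqlite3.Connection:
    """Load the reference hash set and the case file table into a database (SQLite here)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE nsrl (sha1 TEXT NOT NULL)")
    con.execute("CREATE TABLE case_file (path TEXT PRIMARY KEY, sha1 TEXT NOT NULL)")
    con.executemany("INSERT INTO nsrl VALUES (?)", [(sha1_hex(d),) for d in KNOWN_FILES])
    con.executemany("INSERT INTO case_file VALUES (?, ?)",
                    [(p, sha1_hex(d)) for p, d in CASE_FILES.items()])
    # The index turns the per-row probe in the anti-join into an indexed lookup
    # instead of a scan of the whole reference table for every case file.
    con.execute("CREATE INDEX ix_nsrl_sha1 ON nsrl (sha1)")
    return con


def negative_hash(con: sqlite3.Connection) -> List[str]:
    """Paths of case files whose SHA1 is NOT in the reference set (the 'negative' match).
    Matching is by content hash, so a renamed copy of a known file is still eliminated."""
    rows = con.execute(
        "SELECT cf.path FROM case_file AS cf "
        "WHERE NOT EXISTS (SELECT 1 FROM nsrl WHERE nsrl.sha1 = cf.sha1) "
        "ORDER BY cf.path"
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    for path in negative_hash(build_case_db()):
        print(path)
```

On the constructed input the two user files survive and the renamed calc_backup.exe is eliminated with the other known files, which is the data reduction the letter refers to.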



The Importance of the Engine: Microsoft SQL Server 2005/2008


By way of background, Perlustro is a Microsoft Independent Software Vendor (ISV) and Certified Partner. This status was achieved through a concerted effort on our part, including software testing of our products by Microsoft, with the goal of incorporating Microsoft DB technology into the new ILook. Frankly, a number of people have asked what the big deal is about .NET anyway, and why it is better than or different from a Win32/64 Windows application. The new tools will clearly answer that question, because you will see products that could have no form in the Win32/64 generation at any level. The future of forensics, in our view, is about real-time requirements, regardless of user context and regardless of physical location access; the future is not about using maps of the past to chart a new course.


MS SQL 64 does have some numerical limits, but these limits should not be encountered unless a user needs tens of thousands of terabytes of storage in a broad environment. In the new ILook solution, there is no attempt to put in place any design constraint for any purpose other than reaching the goals set forth here.


This storage implementation was also important to the ILook tools' design because ILook is the only comprehensive tool line which is 100% .NET Framework based, and the first forensics package to deploy the .NET architecture. It is also the only SQL Server engine based computer forensics product in the world. SQL Server was used exactly where it needed to be used, but only to the extent that it provided an advantage to the solutions. You do not store image data inside the databases; you store only the relevant numerical information relating to the connection between image data files and the base Windows application interface. We will provide several different imaging solutions, not just our own unequaled IXimager, all of which store data in physically separate forms apart from the database storage.


Importantly, this edition of SQL Server is specifically designed for ILook in several ways. This edition is a fully operational commercial database engine with a single market price of $6000.00. There are no hidden gotchas designed into the DB, and your accepted use is limited only by the ILook EULA to ILook-centric applications, even though they could be your own design. When you adjust for equivalent core pricing in other products, the same licensing model per single-instance installation is $30,000.00. Our goal, however, is to ensure that ILook is priced fairly and appropriately versus its competitors. A fair price also means that the built-in value of these tools necessarily places them higher than where they started 10 years ago.


Perlustro could easily have selected a different path, and others were tried, but at the end of the day we were simply not going to settle for second best at any level in this tool set.

The Solutions of the Future


Combined with SQL Server 64, ILook is now free to integrate solutions and algorithms for use in digital forensics that could never before be imagined, by us at any rate, much less executed in any solution we could see.


In the end, the true test will come from you, our customers, both long-standing previous users and new users in the commercial space. Significant enhancements to the ILook technology will only be successful if they have a positive, demonstrable effect on the elapsed time and efficiency needed to reach your goals. With this engineering advance, Perlustro intends to change the paradigm in forensics in order to provide you with the greatest utility assessment of the data under investigation, in the most usable format, and within the shortest elapsed work time.


To keep you updated on our new products and their features, we will post additional messages in the coming weeks. Our next message will go into more detail on how the products shape the output and, more importantly, how they affect the elapsed time to digital forensics mission completion.


Perlustro has built tools that now have much more inherent retail value, just in their constituent pieces, than their consumer cost. These tools also provide more economy through saved time, by a multiple, than their cost. Our mission now depends only on reaching these two goals in the customer's mind, and Perlustro is very excited to make them available to those who demand the ultimate in performance and digital capability.


Best Regards,


Perlustro