Changes To Impact Performance

back

Items that effect the performance of SqlServer, also effect ILooKIX. The following items fall in this category, they are listed based on the frequency they are encountered:

Item 1.

Memory resident services for DVD writers and Cdrom drives. In particular device load drivers that constantly exist after a cold boot, at a lower ram level than after their first use.

Item 2.

Antivirus : Many forensics specialists do not , or cannot, run forensics software without active AV software. There are at least two AV applications we would recommend as being viable for forensics use, Avast, and Mcafee. This is because both can be shut down, and stopped , and in addition, working folders used by ILooKIX (Cpoints) can be excluded. But this use, where AV is mandatory, applies to POST Sqlserver Installations only when ILooKIX is running. It does NOT mean the software can be installed prior to the install of Sqlserver. All other AV software we have tested will cause virus ID failures within Vista. This includes Microsoft’s own AV software, the firewall, GAC or DEP.

The ability to recover ILooKIX from AV induced file locks or collisions is impossible to address beforehand. Because of the workflow issues, Perlustro integrated and wrote its own version of opensource based AV software to be used internally in the tool. That use, proactively, will more than compensate for the issues encountered by outside AV services. The main motivation for Perlustro’s introduction of the AV feature was to give the investigator back the time loss, generally 30%, which AV processing would cost otherwise, and to give the examiner for the first time, the ability to find Viral issues within an image of static data. Data not effected by a system that has to be moved to a booted state in order to find nefarious content.

Item 3.

Machine specific notification services: A common one being HP and Dell diagnostic utilities, but this also includes HP printer monitor software which attempts to make net connects for driver updates with no network connections existing and others in its ilk. All applications that make internet connections should be suspect of resource and ram drain where they cannot be put into manual connection mode.

Item 4.

PC “health” utilities, in particular from PC manufacturers and Microsoft. Windows office groove being one example of a utility that causes severe interaction problems with certain types of .net software. Groove or any TSR based application like office Notes are resource drain applications with little value otherwise to a forensics examination. They also have sleep timers in their code which cause constant cpu interrupts to fire and further degrade performance.

Item 5.

Clock time on the machine:

If the clock set time is incorrect and Windows is set up to use a time clock or where it is manually set in the bios to the correct time, then the time of the examination process is effectively altered by the machine time error itself. This can also impede other processing issues in both SqlServer as well as ILooKIX. Time is a BIG deal. Insure you have the bios time set correctly, then insure windows is either using a time server (if on the net often) or that the windows clock picks up the correct time zone showing in bios. (Note: a large current time error in bios time is usually reflective of a more serious error in the bios or system)

Item 6.

Prepare a high quality “control point” (CPOINT) drive, for use in the ILooKIX evidence solution forensics system.

With the boot drive being (drive 1), you would normally have another drive or storage point besides the system drive on which to store images – (drive 2)

Drive 3, would typically be the drive that is used to hold image data if you are mapping images as opposed to devices , files or folders.

In other words, you are looking at a necessity of at least ONE other drive at all times to store case data (drive 2) in the form of Control Point resident data. This drive should not ever be changed as to drive letter assignments. It should be stationary in the system at all times.

You should back up the control point drive frequently, not just occasionally. The control point drive holds the database information as well as the ILooKIX deconstructions of data already analyzed. The controlpoint drive needs to be on as fast a bus as possible and it should be as fast as you can afford. Whereas image set holding drives can be on external devices or slower bus connections, there are great advantages in analysis by using a controlpoint drive which is the fastest in the system next to the boot drive. SqlServer, running from the boot drive, creates and accesses SqlServer databases on the control point drive at all times a case is loaded. This is also a drive that can benefit from an increased MFT zone, as well as routine defragmentation after backup.

Your case related and evidentiary item data is completely enveloped by the control point folders you create for each case. No no other data on disk from an examination standpoint, is more important. By default, this data needs an archiving mechanism for safekeeping purposes long term. Windows backup is actually a good solution built into both xp and vista. A control point can be renamed at any time for archiving purposes, but not after being set in place and used actively in ILooKIX.

When you get ILooKIX loaded, you can create an IX and immediately image both drives to insure your working system can be restored in short order, but in order to first start that process, you want to PREP the drives before their first use as a backup is made.

Using IX, zero any drives that you start with in this backup process by zeroing and formatting them at that time and letting IX check them for errors. The method used by IX to verify a drive and check it for bad sectors is much more complete that the process used by windows. It is also slower.

Item 7.

Stop automatic update in windows. Windows update can always be run as a user defined task from Internet Explorer’s tools menu without it being on full time. Many more than a few times, we have seen a windows patch break an entire system and if you occasionally hook up to the net to check for hardware updates etc. always make an IX image of the system boot drive before upgrading it with service packs.

Item 8.

Moving and copying files within a forensic process should never use Windows Explorer. Windows explorer was designed for users to move user files, not forensics images. It will fail without warning to the user and no error will be returned. It will also copy partial files without warning. It will overwrite files without warning in certain cases.

The current Microsoft method to move “large” files or exceptionally high counts of files is their Robo interface utility – free at Microsoft . http://technet.microsoft.com/en-us/magazine/2009.04.utilityspotlight.aspx

Step 9. Adjustments to AV software

While it sounds here the opposite of the pre install instructions, we will assume that you cannot take off AV software and you otherwise believe that SqlServer did correctly installed.   Given every possible AV software, it may not have failed in fact but we cannot verify that with any assurance.  Assuming that it did install, you still MUST Disable antivirus software from active file scanning of those areas used by ILooKIX at all times during the running of ILooKIX.

You also need to exclude updates to the AV software from WEB connections, which is usually a SERVICE that has to be stopped and disabled.

If you need to suspend AV such as NAV, and cannot otherwise remove it, then you can use the Psservice utility from Microsoft Technet to STOP the AV service and restart it when the process is completed. (Psservice is contained in the PStools package from Systernals , http://technet.microsoft.com/en-us/sysinternals/default.aspx)

Cut off AV file scanning on any control point (CPOINT) DRIVES. Alternatively, cut off FOLDER scanning by using exemption settings in the antivirus software.

Note : Avast does not require such exteme efforts, just suspend the File resource during loading and mapping, then cut it back on from the task bar if needed. The same applies for email deconstruction when Avast is installed, suspend Avast immediately when running ILooKIX.

Email processing of all clients inside ILooKIX produces temp files on the control point. It will invariably occur during this process, that AV software will block or lock a process task and possibly stop ILooKIX from continuing to function due to the creation of those files. There is no method to bypass this issue or its attendant problems except to treat a forensics investigative platform as a “dispensible system” which is subject to daily contamination from all sorts of unknown injurious software injections. The issues raised here with AV software are completely bypassed by use of  ILooKIX’s AV option.

Step 10.  Disable AT jobs

Disable any kinds of chron or AT jobs running on system timers. Only advanced users would have created timer jobs, but they can be running from other scripts. MSconfig and Hijackthis will both reveal timer / chron jobs.

Autoruns.exe, written by Dr. Mark Russinovich of Microsoft, is a premier software app which produces output exactly designed for this task : http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Step 11.  Disable Screen Savers

Disable any screen savers, no matter what type they are. You can also have screen shutdown timers within the BIOS of a machine, in particular laptop BIOS that need to be shutdown, so check the bios again for this existence of hardware induced suspension issues. Shut all screensavers off from any location.

The part many don’t see here is that windows spends a tremendous amount of cpu cycles just trying to figure out IF screensave should be cut on. Cut off the monitor instead.

Step 12.  Disable Unneeded Network Connections

Disable any network connections completely if you do not need them 100% of the time. Having them open on a forensics box while actively copying out files is patently dangerous. Even if you have restricted NET access on the box, think carefully about having the nic disabled except when you need an active connection.

The nic itself interrupts the cpu by just remaining active. This approach of course is impractical where images are not local to ILooKIX. But, you can disable any nic connection on the task bar and easily start them back up.

Step 13.  Disable Event Timers

Disable any applications which run on event timers.

MS messenger, MS windows system automatic updater (in control panel) antivirus automatic update polling.  These apps will all cause you to run timers which in turn demand updates from the web.

Step 14.  Disable File Shares

Disable host machine file shares, even on netbios connections through firewire or any cable to any other source except those running file server duties from the investigation machine. It is not unusual for a forensics platform to act as a file share for other review machines, and backup policies in place may require such shares. Regardless, there is a clear advantage which improves performance where it can be eliminated.

Step 15.  Disable Samba Connections

Disable connections to samba servers. Samba is a very good system for IP access to fileshares in large storage environments, but if it is not “necessary” to the use of ILooKIX, it needs to be exchanged for some other system. It will spend an inordinate amount of cpu time keeping the circuit alive better spent on processing.

If you have to use a network connection, reduce the protocol layers to the minimum needed to make the connection. TCPIP only, usually is more than sufficient as a single protocol although netbios is faster.

Step 16.  Do not run other applications

Do not run any external applications —–after starting ILooKIX —-or during an ILooKIX running session . You can run Passware as an outside application, but note it will take approximately 250 megs of memory for each decrypt solution started. An example would be starting outlook as a mail client or any cpu intensive real time application such as another forensics software application. There may be controlling and conflicting use of system resources if other problems arise within the application base.

Step 17.   Try to avoid network connections to Image data

Do not use distant network connections to reach image data files if you can avoid it otherwise. It is not at all that the process will not work to use mapped drives, but it is seldom that a network connection can compete with a bus connected storage device. A large LOCAL device will always provide faster results.

If local firewire or scsi storage is attainable without going to a network location, try to implement that method by using larger and faster drives, SAS or SCSI or 10k Sata 2 before reaching to a lesser speed connection.

USB is the worst comparative data storage connection there is for the simple reason there is no inbuilt buffer. Mechanically, USB has no resiliency compared to other data connections and it has no resend intelligence built into the controller hubs. In simple terms, this can cause packet loss, even on physical connections. This is much worse where a network connection to USB data devices is used because the network demands of resend acknowledgments goes unheeded by the USB devices.

A very good solution is 800 firewire or SAS connections to SATA drives if you do not have SCSI. SATA on board in a forensics machine is faster than almost any IDE drive connections, in particular to analysis Image holding drives.

Step 18.  Disable Sound

Disable all sound devices on the machine. Cut them off if possible. It can be easily cut back on if needed in control panel. It will usually require a reboot.

Step 19.  Check the system for running processes

Check device manager for view hidden devices, and make sure there are none you are not aware are being loaded, or, where you have remaining questions about what they do.

“Hijackthis”©  from Trend Micro® and MSconfig and MSinfo are all very useful in finding the details of current running processes. If you do not know a process by type, all legitimate services and processes are easily searchable on the NET. If a process list executable is running and no direct manufacturer name or description can be found, it will usually be suspect until proven otherwise.

Investigators of Internet Crimes, and Child pornography in particular, are frequently susceptible to virus & Trojan intrusions on their own systems or Rootkit injections due to the nature of the investigations. RootKitRevealer from Systernals is an outstanding tool to help find threats of this type.  However, it requires, as do all other solutions, on the ability to boot detect the rootkits.  ILooKIX’s rootkit detection is built into the AV option internally and can find rootkits within the image data in static form, or by mapping a IXVM within the evidence set either one.

In addition, once an image is made of your investigation machine by ISeekImager or IX3, the Registry and AV tools inside ILooKIX itself can lend an additional lower level protection of your system by mapping your own system image. We highly recommend this procedure if you have the ILooKIX-AV Option!

Step 20.

If the machine bios does allow for Hyperthreading to be disabled, try it, and see if it makes a performance improvement on Intel chip motherboards. In extreme processing IO issues, and Ilook’s processing of certain large image files, as much as a 400% speed improvement has been seen in disabling hyperthreading.

http://www.intel.com/support/processors/pentium4/pentium4_ht.htm#2

Step 21.   Remove unnecessary services

Remove services that do not have to be running, or that will not be needed, or that can be eliminated from the platform itself. http://www.theeldergeek.com/services_guide.htm

These include server processes where the investigation machine serves as a file server for other machines, or where there are network indexing tasks running.

Step 22. a.  If XP only

http://support.microsoft.com/kb/121007

Remove 8.3 naming convention creation from the system by using

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Filesystem

NtfsDisable8dot3NameCreation (value = 1) Edit ➝ New ➝ DWORD Value, and then type the name exactly as shown in yellow.

Values: 0 = enabled (default), 1 = disabled.

(VISTA – this key usually already exists and is set to 0 – enabled by default.)

Step 22.b  Vista or XP

Disable Folder Access Date updates with :

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Filesystem

NtfsDisableLastAccessUpdate (value = 1) Edit ➝ New ➝ DWORD Value, and then type the name exactly as shown in yellow.

Values: 0 = enabled (default), 1 = disabled.

(VISTA – this key usually already exists and is set to 1 – disabled by default which means it would not change)

back