No announcement yet.

OSForensics system requirements and resource usage

  • Filter
  • Time
  • Show
Clear All
new posts

  • OSForensics system requirements and resource usage

    For anyone wondering about what CPU and hard drives to use in a forensics system, designed to run OSForensics, we ran a few test and came up with some suggestions here,

    A summary of the conclusions where,
    • Most forensics tasks are disk bound and single threaded.
    • Even when not single threaded a two core CPU is enough
    • When picking a CPU, customers should favour a small number of fast CPU cores (e.g. 4 cores at 3.9Ghz) rather than a large number of slow cores (32 cores at 2.4Ghz).
    • Hardware spend should instead be on better disks and SSDs.

  • #2
    How much RAM do you need to run OSForensics.

    For very light usage you can actually get away with as little as 1GB of RAM. But for any serious work you'll need more RAM. In some cases a lot more.

    RAM usage is proportional to the number of devices / file systems added to the case and the number of files, folders & Emails in those file systems.

    The task that places the heaviest demand on the RAM is creating an searchable index. The more files and Emails you index the more RAM required.

    Here is a very rough guide.

    Number of Files & Emails to index Total RAM suggested
    1,000 2GB
    5,000 3GB
    10,000 4GB
    50,000 8GB
    100,000 16GB
    1,000,000 32GB
    5,000,000 64GB
    Actual requirement will also vary depending on what other software is running on the machine (e.g. VMs can use a lot of RAM) and what type of documents are being indexed (and how much text there is in them).

    Once you start to think about indexing millions of documents is makes sense to split the index. For example have one index for Email and another one for documents. Or have an index per large folder. Or even an index per PST file is you are dealing with millions of Emails.