Introduction

As everyone knows, disk I/O performance is significant factor in how quickly and efficiently a forensic analyst can perform their duties.  Often times, people try to through hardware at a performance issue and hope it “just works” out of the box.  While there can be an increase in performance by simply buying faster drives, the issue is much more complex and includes RAID controller configuration, stripe sizes, disk configuration and file system to name a few.  This article is the first of several in this series that will test various configurations in the pursuit of the highest performing array.

Problem statement

In part 1, my goal was to test the impact of stripe size on performance.  Specifically, my RAID controller supports 16kB, 64kB and 256kB stripe sizes in a RAID0 array and I wanted to understand the impact of these different settings, if any.  Additionally, I wanted to set a performance baseline by running the tests against the stock hard drive shipped with my workstation as well as a WD VelicoRaptor and a 4-disk RAID5 array.

Hardware

Below is an overview of the relevant hardware in my workstation:

• HP xw8400 workstation, 2x Intel Xeon E5345 2.33GHz Quad-Core, 8MB L2 cache (8 cores total)
• 4GB RAM
• 300GB WD VelicoRaptor OS drive, Seagate Barracuda 7200RPM “stock drive”
• 64-bit Linux (2.6.27-11-generic SMP x86_64 GNU/Linux), Ubuntu 8.10
• 3Ware 9690SA-8E SAS/SATA RAID controller
• 2 CRU Dataport 4-bay external chassis:
  • Chassis 1: 4x Seagate Barracuda 1TB 7200RPM ES2 SATA drives (ST-ST3100034NS)
  • Chassis 2: 4x Fujitsu 300GB 15000RPM SAS drives (FJ-MBA3300RC)

The Seagate drives needed this firmware updated which I did prior to testing.  Every drive was configured with a single EXT3 partition for consistency.

Test methodology

Of course, I am most interested in how the drives perform forensic tasks so I the following test script was developed to test reading and writing of both large and small files using common forensic techniques:

1. Copy 38GB dd image from different drive to test target
2. Calculate md5sum of dd image and write to target drive
3. Extract strings from dd image and write to target drive
4. Extract unallocated space from dd image and write to target drive
5. Carve files from dd image and write to target drive
6. Execute suite of iozone tests for write, rewrite, read and reread benchmarks

On steps 1-5, I used the time command to measure elapsed time.  The iozone tests were written to disk in text and Excel format and provide the basis for read/write throughput and the charts.

Summary Results

The results we very interesting and are summarized in the table below:

As you can see, a few things are immediately evident:

• The stock Seagate Barraduca drive was outperformed in every test by a factors ranging for 1-3 times faster (speed up). This, of course, was expected.
• The single WD VelociRaptor drive performed amazing well and given the reduction in cost is a great option for any forensic analyst on a budget
• The RAID5 setup with 4 7200RPM SATA drives performed very well also
• Of the 3 RAID0 configurations tested, the 64kB stripe performed the best and was the overall performance winner.  A clear example was the 3.19x speed up generating an md5sum of the dd image, decreased the total time for 2 minutes and 51 seconds (from 9 mins and 5 seconds).

Also, to accurately measure disk/array throughput I had to remove the performance boosts generated by the RAID card cache, RAM and CPU cache.  I ran iozone with parameters that created files from 64kB up to 4GB and record sizes from 4kB to 16MB.

Finally, for the RAID0 64k stripe array, the maximum read throughput iozone recorded was 4,036MB/sec (nearly 4GB/sec).

Conclusions

Given these results, a RAID0 array with 64kB stripes is the ideal configuration for my forensic workstation “scratch space”.  The next part in this series will examine the various file systems to determine which performs the best including ext2, ext3, ext4, xfs, jfs and reiserfs4.

I hope to post the iozone read and write graphs soon so check back.  Also, if you have a different setup, experience or other comments, please share.