CASE STUDY:


The Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime (ØKOKRIM)

BACKGROUND

The Norwegian National Authority for Investigation and Prosecution of Economic and Environmental Crime (ØKOKRIM) is the central unit for investigation and prosecution of economic and environmental crime, and the main source of specialist skills for the police and the prosecuting authorities in their combat against crime of this kind. ØKOKRIM was established in 1989, and is both a police specialist agency and a public prosecutors' office with national authority.

While the organization may only have 60 cases per year, the nature of these cases is very complex and they involve 10 to 15 years' worth of data. ØKOKRIM was originally using FTK 1.x and EnCase, both of which are memory-driven solutions and would not handle more than 700,000 items. Furthermore, the indexing with EnCase was not working to the organization's satisfaction. With the average case size being 4 or 5 terabytes, ØKOKRIM required a better solution to address its high data volumes.

THE SOLUTION

When AccessData unveiled AD Lab, ØKOKRIM saw the value in upgrading to an enterprise-class forensic lab infrastructure. AD Lab was designed to increase productivity in forensics labs by allowing forensics examiners to leverage a distributed processing pool and a centralized database. To ensure the organization was implementing the best infrastructure to serve its needs, Niclas Bjørn, Forensic Examiner and lab infrastructure specialist, engaged in testing hardware and configurations. Because every forensics lab is different, this document is not intended to serve as instructions for implementing a lab infrastructure; it is simply a case study to discuss how one organization is leveraging AD Lab.

TESTING

Niclas chose to test the organization's legacy hardware against top-of-the-line new hardware. The computers tested were Win7 x64 computers at a cost of $800 each against state-of-the-art machines with solid state drives, RAID, 96GB of RAM and SAS drives at a cost of $7200 each. They tested 3 worker pools with 8 computers in each against a single pool of 32 processing workers.

"What we saw is that the cutting-edge machines would just idle most of the time, while the legacy hardware worked at close to 100% capacity," commented Niclas. "So we figured that for each of the state-of-the-art machines, we could buy 2 pools of the cheap ones which would do the job in approximately the same time!" According to Niclas, when processing the 30 million item test data, the difference in processing time between the old and new computers was only an hour. They also determined that using 3 worker pools, each with 8 computers, was more cost efficient. To ensure the workers "play nicely" together, Niclas made sure the computers within each worker pool were identical.

The organization opted to invest money in top-of-the-line computers for the centralized database and discovered that using 3 database servers greatly improved their workflow. ØKOKRIM implemented multiple databases, separating processing from analysis. This eliminated the risk of investigators being slowed down while large cases were being processed. In addition, when they archive and detach a case from a processing database and put it into a client database, they are automatically creating a backup at the same time.

THE RESULT

It used to take Niclas one week to process a single case for analysis. Today he is processing approximately 1 million items an hour. As Niclas explained, "Today, we can have a case finished in a couple hours… indexed, carved and ready for investigators." ØKOKRIM is now much better equipped to handle its massive amounts of case data, and was able to leverage existing computers and inexpensive new computers to create its worker pools. Reducing the time from processing to analysis from one week to less than a day has dramatically improved the workflow and productivity at ØKOKRIM's lab.

A Pioneer in Digital Investigations Since 1987

©2011 AccessData Group. All Rights Reserved.
