Daily Blog #74: The hidden burden of journaled filesystems in your imaging

The hidden burden of journaled filesystems in your imaging

Hello Reader,
                A small diversion today as I prepare for tomorrows Forensic Lunch. A few months back we purchased a small, very small, computer from a company called xi3 known as the x5a, http://xi3.com/x5a-modular-computer.php. I liked the idea of a very portable computer system with lots of I/O (usb2 and eSATAon the x5a with usb3 coming on the x7a when its released) so we decided to test it.

The unit came shipped to us with Linux installed so we loaded up some of our favorite Linux based acquisition tools and began speed testing. In theory we had a pretty amazing setup that should have given us speeds of over 100MB/sec reading and writing to eSATA. Instead we found every tool we tried (dd, dcfldd, ewfacquire, guymanger) writing a very slow 8MB/sec. We were very confused, what could be creating this issue? We sent a support request into the manufacturer asking about their bus configuration, tried different ports, different disks all to no avail.

Then we did something we haven't had to worry about in quite some time in our heavy processing power world, we ran ps and then top. The drive we had setup to store our image was formatted NTFS and writing to it using the ntfs3g driver was causing the system to use 100% of the cpu. The slow down was not the drive, bus, tool, image format, it was the file system we were writing to.

We formatted the drive ext2 and speeds jumped up to 100MB and up, same with FAT and I began to think back to the bad old days of DOS boot disks, high ram and whether or not to enable compression if the system could handle it. You take a lot for granted with quad core, 8gb, SSD systems just hanging around everywhere these days but when you want some small, portable and efficient you have to work with what you get.

So if you are seeing lackluster performance in your imaging, take a look at your filesystem you may be slowing yourself down with a journaled filesystem

Tomorrow is the forensic lunch, I hope you tune in!

Also Read: Daily Blog #73

Post a Comment