CONFIGURING DISTRIBUTED PROCESSING WITH FTK

What is Distributed Processing?

An FTK examiner machine can be configured to utilize three additional machines to assist case creation / data processing as remote "workers". These additional processing engines are in addition to the local machine FTK installation engine. Distributed processing increases productivity while decreasing processing time.

What is needed to configure Distributed Processing?

The additional components needed for distributed processing with FTK: .NET 3.5 Service Pack 1 Microsoft Windows Installer 4.5 AccessData Distributed Processing Engine (DPE executable)

This document assumes an existing installation of FTK as outlined in Chapter 3 of the FTK user guide. The Distributed Processing Engine is not to be installed on the examiner FTK examiner machine.

Configuring Distributed Processing:

BEFORE BEGINNING! It is important to note the remote worker machines should have only the distributed processing engine installed. Remote worker machines should not have stand alone FTK with the single processing engine installed. It is also essential that the remote worker machines have unimpeded network permissions and connectivity to the machine that contains the cases folder and evidence folder to be utilized in the distributed processing environment. These folders need to be shared with full read / write control (illustrated later in this document). Environment Setup

Additional Worker

FTK Machine

Network Connectivity

Additional Worker

(Optional Oracle Host Machine) (Optional Evidence Store Machine)

Additional Worker

This environment represents a standard FTK installation on a single examiner machine with evidence files and the Oracle database residing together with FTK. Optional Oracle host and evidence storage machines are displayed but not used in this configuration (see FAQ #12 for more information on that type of configuration). The following configuration steps assume a Windows XP or Vista operating system and full network connectivity between all machines. For assistance with creating a network, contact your IT department or network administrator. Using the above environment setup, gather the following information from each machine: Machine IP address on the network (Steps for Windows XP and Vista are the same) o Click on the Start or Windows button and select the "Run" option. o In the Run box, type the command "cmd" as illustrated below.

o In the resulting command box, utilize the "ipconfig /all" command to determine the IP address of the network connection adaptor (if unfamiliar with network addressing, consult IT or the network administrator for assistance with this).

User account credentials (logon name and password) The easiest way to ensure that the remote worker machines can fully communicate with the FTK examiner machine hosting the cases and evidence folders is to have all machines logged in to Windows with mirrored user accounts. This means all machines log in with the same user name and account password. Create Administrator privileged user accounts with the same user name and account passwords on all machines in the environment via the following steps: See the FAQ #8, #9 and #10 at the end of this document for important notes regarding using mirrored accounts vs. individual accounts and installing in a domain environment.

NOTE:

In Windows XP: o o o o o Click on the Start or Windows button and select the "Control Panel" option. In the Control Panel, select the "User Accounts" application as illustrated (#1). In User Accounts, select "Create a new account" as illustrated (#2). In User Accounts, name the new account as illustrated (#3). In User Accounts, pick an account type of "Administrator" as illustrated (#4).

#2

#1

#3

#4

In Windows Vista: o o o o o Click on the Start or Windows button and select the "Control Panel" option. In the Control Panel, select the "User Accounts" application as illustrated (#1). In User Accounts, select "Manage another account" as illustrated (#2). In Manage Accounts, select "Create New Account" as illustrated (#3). In Create New Account, name the account and select an account type of "Administrator" as illustrated (#4).

#1

#2

#3

#4

NOTE:

Remote worker machines require access to the cases folder and evidence folder(s) on whichever machine they reside. This access must be unimpeded and these folders must be shared with read / write permissions. To ensure this state, perform the following actions with these folders.

In Windows XP: o o o o Locate the case and evidence folders in your networked environment. Right click on the folders and select "Sharing and Security...". In the next window, select "Share this folder" as illustrated (#1) Click the "Permissions" box (#1) and then select the box to allow "Full Control" as illustrated (#2). This will automatically select "Change" and "Read" as well. o Click the "Apply" button on all windows as steps are completed.

#2 #1

Shared !

In Windows Vista: o o o o o o Locate the case and evidence folders in your networked environment. Right click on the folder and select "Properties". In the next window, select the "Sharing" tab as illustrated (#1). In the next window, click the "Advanced Sharing" box as illustrated (#1). In the next window, select the "Share this folder" option as illustrated (#2). Click the "Permissions" box (#2) and select the box to allow "Full Control" as illustrated (#3). This will automatically select "Change" and "Read" as well. o Click the "Apply" button on all windows as steps are completed.

#1

#2

#3

Shared !

At this stage, the environment should be in a state where all machines are logged in with Administrative accounts with the same user name and password, and all machine IP addresses have been documented. Use this template to assist documenting that information:

Username: __________________ Password: __________________ IP address: __________________

Username: _______________________ Password: _______________________ IP address: _______________________ * Cases folder should be shared with read / write access! * Evidence folder should shared with read / write access!

Username: __________________ Password: __________________ IP address: __________________

Username: __________________ Password: __________________ IP address: __________________

Installing the remote worker Distributed Processing Engines

o Copy the AccessData Distributed Processing Engine installer to the remote worker machines. On each machine, follow these installation steps: 1) Launch the AccessData Distributed Processing Engine installer (#1). (Depending on your current machine configuration you may also have to install the .NET 3.5 SP1 and / or the Microsoft Windows Installer 4.5) Click "Next" when prompted as illustrated (#2). Accept the "License Agreement" - click "Next" as illustrated (#3). Note the Destination Folder and click "Next" as illustrated (#4). Input the Administrative account name and password for the remote machine. This must be the account that has read / write access to the shared case and evidence folders. If the machine is on a domain, enter the domain name - leave "Domain" blank if none is present - click "Next" as illustrated (#5). Click "Install" to begin installation (#6) and "Finish" when complete.

2) 3) 4) 5)

6)

#1

#2

#3

#4 8

#5

#6

Configuring FTK to utilize remote worker machines

When all remote worker machines have been configured, they can be added to the FTK client. Accomplish this configuration via these steps: o In the FTK Database Management window select the menu option: "Tools \ Processing Engine Configuration" as illustrated (#1). o In the "Add engine" section, input the IP addresses of the remote machines as illustrated (#2). Click "Add" after inputting each remote machine IP address each machine will propagate in the "Computer Name/IP" list as the Add button is clicked. o Close the Processing Engine Configuration window when complete.

#1

#2

Creating a Case using Distributed Processing

o Create a new case. It is a requirement the "Case Folder Directory" be a UNC path to its location on the hosting machine in the distributed environment. Remember, this folder must be shared with read / write permissions (configured earlier in this document). Utilize the three dot ellipse on the "New Case Options" console to navigate to the UNC path of the shared Case Folder Directory as illustrated (#1). o In the "Manage Evidence" console, it is a requirement the evidence "Path" be a UNC path to its location on the hosting machine in the distributed environment. Remember, this folder must be shared with read / write permissions (configured earlier in this document). When selecting the evidence to add to the case, be sure to browse to the evidence location via the network path when adding that evidence. In the "Manage Evidence" console, validate the UNC path of the shared evidence location as illustrated (#2). o With those two requirements met, continue to create the case normally.

#1

#2

10

NOTE:

The remote machines will not immediately commence working on a case. New processes named "ADProcessor.exe" and "ADIndexer.exe" will spawn on the remote machines and can be observed in the remote worker machine process lists via the Windows Task Manager. As the FTK examiner machine begins to enumerate (discover) items in the case, the enumeration builds to a point where the items are pushed in to the Oracle database. At that stage, the enumerated items become "things to do" and will be assigned out to the remote worker machines previously configured in the FTK client. As these "item pushes" continue as the case "discovery" increases, the remote worker machines continue to function until case processing is complete.

11

Distributed processing install summary checklist / FAQ

Add network connectivity between remote machines and FTK examiner machine Share cases and evidence folders with full read / write permissions Appropriately permission accounts for all machines in distributed environment Document IP address information for all machines in distributed environment Install Distributed Process Engines to remote machines (providing administrative credentials with read / write access to the shared case and evidence folders) Add remote machines to the FTK examiner machine (via FTK interface) Create FTK case with UNC paths for the case and evidence file locations ______________________________________________________________________________ 1) Q: A: The Distributed Processing Engine installation fails or the installed service fails to start because it needs appropriate logon rights - how is this overcome? Follow these steps:

o Right click on the "My Computer" icon in Windows XP (the "Computer" icon in Windows Vista). o Select "Manage" from the right click menu. o In the Computer Management Console, expand "Services and Applications" and click on "Services" as illustrated (#1). The machine service list will populate. o Locate the "AccessData Processing Engine Service" and view the "Properties" dialog box by double clicking on the AccessData Processing Engine Service (#1). o In the Properties window, select the "Log On" tab. Verify the correct Administrative logon credentials for the service (#2). o Stop and Restart this service after performing any credential update (#1). -- OR -o If the failure was during installation, click "Retry" on the installation window. NOTE: When deploying, the credentials used by this service need to be part of the Administrator control group and must have read / write access to the shared case and evidence folders.

#1

#2 12

2)

Q: A: Q: A:

What is the option to "Maintain UI performance when processing"? It allows the choice of making preprocessing or UI performance a precedent. What if a remote machine does not have the .NET 3.5 SP1 or the Microsoft Windows Installer 4.5? The Distributed Processing Engine installer will provide these components during the installation process. This will cause the machine to reboot during the installation process - save any work before installation. In the FTK interface, what are the Processing Engine Configuration options: "Remove / Enable / Disable"? Remove - removes a worker from the list. Enable - enables a worker. Disable disables a worker (it will not receive work until re-enabled). ADProcessor.exe spawns remotely, but doesn't engage - what is wrong? The most common problem in this scenario is pointing the case and / or evidence paths to local machine locations rather than the proper, fully shared, UNC path locations. Remember also, that a threshold of items must be enumerated and pushed in to the database before remote workers will assist the FTK examiner machine. Also, check the entered IP addresses to ensure proper connectivity between the FTK examiner machine and remote worker machines. What other things can be done to fix issues preventing distributed processing? Allow a firewall exception to the port used by the remote worker machines (default = 34097). Can machine names be used instead of machine IP addresses? Yes, as long as proper name resolution is occurring on the network. Is it necessary for the remote worker machine accounts to be logged on for a remote worker machine engine to process data? No, as long as the Distributed Processing Service Engine is installed with administrative credentials, and those credentials have full read / write permissions to the cases and evidence files folders on the FTK examiner machine.

3)

4)

Q: A:

5)

Q: A:

6)

Q: A:

7)

Q: A: Q: A:

8)

In this graphic, ADProcessor is running as a service (Ken) that is not the logged on service user (Alice).

13

9)

Q: A:

Is it necessary to use mirrored accounts? In a non-domain environment, this is the easiest way to facilitate machine communication. In a domain, users can be given individual permission to the case and evidence folders. What if the existing network for distributed implementation is domain based? Add these steps to your installation process:

10)

Q: A:

o When installing the Distributed Processing Engines, list your domain name at this step of the installation:

o Be sure to install the engine with a domain-based user account. o Ensure that domain-based user account has permission to install software. o Ensure that domain-based user account has read / write permissions to the case and evidence folder.

11)

Q: A: Q: A:

Can remote worker machines be added to FTK while a case is processing? Yes, but they may not receive work until the next push of enumerated items. What if the distributed network environment is using standalone machines to separately host the Oracle database and evidence files? The Oracle database configuration would have presumably been taken care of during the FTK examiner installation and the evidence files on the evidence host machine would need to be configured according to this document - SHARED to the remote worker machines, with full read / write access permissions (bet you never heard that before?).

12)

Please utilize this enhanced technology to your benefit. Contact AccessData Technical Support with questions or issues not addressed in this document.

14