Configuring Distributed Processing in FTK/AD Enterprise/AD Lab

Created by: Brendan Bone
Created date:
Last Updated date:

Question

How do I configure FTK/AD Lab/AD Enterprise to use Distributed Processing?

 

Answer

Create a Service Account

In order for Distributed Processing to work, all components must run under the same account, which we refer to as the "service account".

The "service account" must be a domain account, with its password set to never expire.  It must also have local administrator permissions on any machines running FTK, the database, and the Processing Engine.

Important: Using a mirrored account while in a workgroup is no longer supported for distributed processing.

Configure the Database

The database must be configured to use the service account.

PostgreSQL:

  1. Open the Services snap-in (services.msc)
  2. Right-click the "PostgreSQL" service and select Properties
  3. Go to the "Log On" tab
  4. Select "This account"
  5. Enter the credentials for the service account
  6. Click "OK"
  7. Restart the "PostgreSQL" service

MSSQL:

  1. Open MSSQL Management Studio
  2. Log in to the database server
  3. In Object Explorer, expand the entry for your server
  4. Expand "Security"
  5. Right-click "Logins" and select "New Login"
  6. On the "General" page, select "Windows Authentication" and use the "Search" button to find the desired Windows user account
  7. On the "Server Roles" page, check both "public" and "sysadmin"
  8. Click "OK"

Share the Necessary Folders

Create network shares for your Case Folders and Evidence.  Ensure that the service account is given Full permissions to these network shares.
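A way to confirm the service account, database service and share settings described above before installing the engines. This is an added example, not AccessData's own tooling; the account name, share names and service display-name pattern are constructed placeholders. Run it from an elevated PowerShell session on the machine that hosts the component being checked.

```powershell
# Constructed placeholders: substitute your own values before running.
$ServiceAccount = 'EXAMPLE\svc-processing'          # hypothetical DOMAIN\user
$Shares         = @('Cases', 'Evidence')            # hypothetical share names
$ServiceFilter  = "DisplayName LIKE 'PostgreSQL%'"  # assumed display-name pattern

# 1. Account the database service logs on as. StartName can also be stored in
#    user@domain form, so review the raw value if the comparison is False.
$dbService = Get-CimInstance -ClassName Win32_Service -Filter $ServiceFilter |
    Select-Object Name, State, StartName,
        @{ Name = 'UsesServiceAccount'; Expression = { $_.StartName -eq $ServiceAccount } }

# 2. Direct membership of the local Administrators group (well-known SID, so
#    the check also works on localized Windows). Membership granted through a
#    nested domain group is not detected here.
$isLocalAdmin = [bool](Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.Name -eq $ServiceAccount })

# 3. Share-level permission on each share hosted on this machine. NTFS
#    permissions on the underlying folders are separate and not checked.
$shareAccess = foreach ($share in $Shares) {
    $ace = Get-SmbShareAccess -Name $share -ErrorAction SilentlyContinue |
        Where-Object { $_.AccountName -eq $ServiceAccount -and
                       "$($_.AccessControlType)" -eq 'Allow' }
    [pscustomobject]@{
        Share      = $share
        Granted    = ($ace.AccessRight -join ',')
        FullAccess = [bool]($ace | Where-Object { "$($_.AccessRight)" -eq 'Full' })
    }
}

# 4. Password-never-expires flag (needs the RSAT ActiveDirectory module).
$neverExpires = 'not checked'
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    $sam = $ServiceAccount.Split('\')[-1]
    $neverExpires = (Get-ADUser -Identity $sam -Properties PasswordNeverExpires).PasswordNeverExpires
}

[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    DatabaseService      = $dbService
    LocalAdministrator   = $isLocalAdmin
    PasswordNeverExpires = $neverExpires
    Shares               = $shareAccess
} | Format-List
```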

Open Necessary Ports

Make sure that ports 34096 and 34097 are open to allow incoming and outgoing communications on all involved machines.
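One way to open these two ports with Windows Firewall while limiting them to the machines that take part in processing. This is an added example, not part of the original article: the peer addresses are constructed, and TCP is an assumption because the article does not name the protocol.

```powershell
# Constructed values: replace with the addresses of your Examiner, database,
# Processing Manager and Distributed Engine machines.
$Peers = @('192.0.2.10', '192.0.2.11', '192.0.2.12')
$Ports = @(34096, 34097)

# Inbound: accept the two ports only from the other involved machines,
# and only while the machine is on the domain network profile.
New-NetFirewallRule -DisplayName 'Distributed Processing (inbound)' `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort $Ports -RemoteAddress $Peers -Profile Domain

# Outbound: allow connections to the same ports on those machines.
New-NetFirewallRule -DisplayName 'Distributed Processing (outbound)' `
    -Direction Outbound -Action Allow -Protocol TCP `
    -RemotePort $Ports -RemoteAddress $Peers -Profile Domain

# Verify reachability from this machine to every peer and port. A failed test
# can also mean that nothing is listening on that port yet, for example
# because the engine has not been installed on the peer.
$results = foreach ($peer in $Peers) {
    foreach ($port in $Ports) {
        $test = Test-NetConnection -ComputerName $peer -Port $port `
            -WarningAction SilentlyContinue
        [pscustomobject]@{
            Peer      = $peer
            Port      = $port
            Reachable = $test.TcpTestSucceeded
        }
    }
}
$results | Format-Table -AutoSize
```

Run the rule creation on every involved machine from an elevated session, adjusting `$Peers` so that each machine lists the others.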

Install the Processing Engines

Determine which machines will have the Distributed Processing Engine.  FTK and AD Enterprise can use up to 3 Distributed Engines, while AD Lab can use more as it can use a Distributed Processing Manager.

--Without a Distributed Processing Manager (FTK/AD Enterprise)--

Examiner Machine:

  1. Log into Windows using the service account's credentials
  2. Install the Examiner as normal
  3. Run the Evidence Processing Engine installer
  4. When prompted, do not check "Install as a Distributed Processing Engine"
  5. Log into the Examiner interface
  6. Go to Tools > Processing Engine Config
  7. Add each of your Distributed Engines by machine name or IP

Distributed Engines:

  1. Log into Windows using the service account's credentials
  2. Run the Evidence Processing Engine installer
  3. When prompted, check "Install as a Distributed Processing Engine"
  4. When prompted, enter the credentials for your service account

 

--With a Distributed Processing Manager (AD Lab)--

Distributed Processing Manager:

  1. Log into Windows using the service account's credentials
  2. Run the Distributed Processing Manager installer
  3. When prompted, enter the credentials for your service account
  4. At the Processing Manager Configuration dialog, add each of your Distributed Engines by machine name or IP

Distributed Engines:

  1. Log into Windows using the service account's credentials
  2. Run the Evidence Processing Engine installer
  3. When prompted, check "Install as a Distributed Processing Engine"
  4. When prompted, enter the credentials for your service account

Use the Distributed Engines

--Without a Distributed Processing Manager (FTK/AD Enterprise)--

  1. Log into Windows using the service account's credentials
  2. Log into the Examiner interface
  3. Create a case on the Case Folders network share, remembering to use UNC paths (not mapped/absolute paths) for the case folder path
  4. Add evidence from your Evidence network share, remembering to use UNC paths (not mapped/absolute paths) for the evidence path

 

--With a Distributed Processing Manager (AD Lab)--

  1. Log into Windows using the service account's credentials.
  2. Log into the Examiner interface.
  3. Create a case on the Case Folders network share, remembering to use UNC paths (not mapped/absolute paths) for the case folder path.
  4. At the New Case Option dialog, make sure the "Processing Manager" is set to whatever machine is housing the Distributed Processing Manager (this should be an IP address or hostname, NOT "localhost").
  5. Add evidence from your Evidence network share, remembering to use UNC paths (not mapped/absolute paths) for the evidence path.
  6. At the Add Evidence dialog, make sure the "Processing Manager" is set to whatever machine is housing the Distributed Processing Manager.

 

Overview

Distributed Processing lets you install the Distributed Processing Engine (DPE) on additional computers in your network, so that up to three additional computers at a time can contribute their resources to the processing of your cases.

For more information on Processing Manager, see the article linked here.
