Question
How do I configure Forensic Tools (FTK, Enterprise, LAB) to use Distributed Processing?
Answer
Create a Service Account
In order for Distributed Processing to work, all components must run under the same account, which we refer to as the "service account".
The "service account" must be a domain account, with its password set to never expire. It must also have local administrator permissions on any machines running Forensic Tools, the database, and the Processing Engine.
Important: Using a mirrored account while in a workgroup is not supported for distributed processing.
Configure the Database
Only needed for MSSQL:
- Open MSSQL Management Studio
- Log in to the database server
- In Object Explorer, expand the entry for your server
- Expand "Security"
- Right-click "Logins" and select "New Login"
- On the "General" page, select "Windows Authentication" and use the "Search" button to find the desired Windows user account
- On the "Server Roles" page, check both "public" and "sysadmin"
- Click "OK"
Share the Necessary Folders
Create network shares for your Case Folders and Evidence. Ensure that the service account is given Full Sharing and Security permissions to these network shares.
Open Necessary Ports
The machine running the database must accept incoming connections, over whatever port the database is listening on, from all machines running the Forensic Tools, Processing Manager, and Processing Engine.
The machine running Forensic Tools and/or the Distributed Processing Manager must accept incoming connections over port 34096 from all machines running the Processing Engine.
The machine(s) running the Distributed Processing Engine must accept incoming connections over port 34097 from the machine running Forensic Tools and/or the Distributed Processing Manager.
Only needed for MSSQL:
All machines need to have MSDTC open between each other.
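The database, share and firewall steps above can be scripted. The following PowerShell is an added example and is not code from the article or from the vendor; the account name CORP\svc_ftk, the host addresses, the folder paths and the 1433 database port are placeholders chosen for illustration, and the MSDTC firewall group name is the built-in Windows Firewall rule group. Each function is meant to be run on the machine that plays that role, from an elevated PowerShell 5.1 session.

```powershell
#Requires -RunAsAdministrator
# Added example (not the article's or vendor's code): scripted equivalents of the
# "Configure the Database", "Share the Necessary Folders" and "Open Necessary Ports"
# steps. All values below are assumptions; replace them with your environment's.
$ServiceAccount = 'CORP\svc_ftk'                 # assumed domain service account
$DbServer       = 'SQL01'                        # assumed MSSQL host
$DbPort         = 1433                           # assumed; use your instance's listening port
$FtkHost        = '10.0.10.5'                    # assumed Forensic Tools / DPM machine
$DpeHosts       = @('10.0.10.21', '10.0.10.22')  # assumed Distributed Processing Engines

# Configure the Database (MSSQL only). Run against the database server as an existing
# sysadmin. Every login is a member of "public" automatically, so only the sysadmin
# server role needs to be granted explicitly.
function Add-FtkDatabaseLogin {
    $tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$ServiceAccount')
    CREATE LOGIN [$ServiceAccount] FROM WINDOWS;
ALTER SERVER ROLE [sysadmin] ADD MEMBER [$ServiceAccount];
"@
    sqlcmd -S $DbServer -E -Q $tsql
}

# Share the Necessary Folders. Run on the file server: create the folder, grant the
# service account Full Control in the NTFS ACL, then share it with Full share access.
function New-FtkShare {
    param([string]$Name, [string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl  = Get-Acl -Path $Path
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $ServiceAccount, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    if (-not (Get-SmbShare -Name $Name -ErrorAction SilentlyContinue)) {
        New-SmbShare -Name $Name -Path $Path -FullAccess $ServiceAccount | Out-Null
    }
}

# Open Necessary Ports. Inbound rules are scoped to the peers the article names rather
# than to any address. Call with the role of the machine the script is running on.
function Open-FtkPorts {
    param([ValidateSet('Examiner', 'Engine', 'Database')][string]$Role)
    function Add-InboundRule([string]$Name, [int]$Port, [string[]]$From) {
        New-NetFirewallRule -DisplayName $Name -Direction Inbound -Protocol TCP `
            -LocalPort $Port -RemoteAddress $From -Action Allow | Out-Null
    }
    switch ($Role) {
        # FTK / DPM machine: 34096 from every Processing Engine
        'Examiner' { Add-InboundRule 'FTK DPM inbound 34096' 34096 $DpeHosts }
        # each DPE machine: 34097 from the FTK / DPM machine
        'Engine'   { Add-InboundRule 'FTK DPE inbound 34097' 34097 @($FtkHost) }
        # database server: its listening port from FTK, DPM and all DPEs
        'Database' { Add-InboundRule 'FTK database inbound' $DbPort (@($FtkHost) + $DpeHosts) }
    }
    # MSSQL only: MSDTC must be open between all machines. This enables the built-in
    # Windows Firewall rule group for it on the current machine.
    Enable-NetFirewallRule -DisplayGroup 'Distributed Transaction Coordinator'
}

# Usage, one call per machine according to its role:
#   Add-FtkDatabaseLogin
#   New-FtkShare -Name 'Cases' -Path 'D:\FTK\Cases'
#   New-FtkShare -Name 'Evidence' -Path 'D:\FTK\Evidence'
#   Open-FtkPorts -Role Engine
```

Scoping the inbound rules with -RemoteAddress keeps the processing ports reachable only from the machines that legitimately talk to them, which is the least-privilege version of "open port 34096/34097" and does not change anything the article requires.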
Install the Processing Engines
Determine which machines will have the Distributed Processing Engine and if you will need a Processing Manager. A given environment can only have one Distributed Processing Manager. FTK can use a Distributed Processing Manager, but only if it's installed on the same machine as FTK. Enterprise, Lab, and FTK Central can use a remote Distributed Processing Manager, which allows for collaboration.
--Without a Distributed Processing Manager--
Forensic Tools Machine:
- Log into Windows using the service account's credentials
- Install the Examiner as normal
- Run the Evidence Processing Engine installer
- When prompted, do not check "Install as a Distributed Processing Engine"
- Log into the Examiner interface
- Go to Tools > Processing Engine Config
- Add each of your Distributed Engines by machine name or IP
Distributed Engines:
- Log into Windows using the service account's credentials
- Run the Evidence Processing Engine installer
- When prompted, check "Install as a Distributed Processing Engine"
- When prompted, enter the credentials for your service account
--With a Distributed Processing Manager--
Distributed Processing Manager:
- Log into Windows using the service account's credentials
- Run the Distributed Processing Manager installer
- When prompted, enter the credentials for your service account
- At the Processing Manager Configuration dialog, add each of your Distributed Engines by machine name or IP
Distributed Engines:
- Log into Windows using the service account's credentials
- Run the Evidence Processing Engine installer
- When prompted, check "Install as a Distributed Processing Engine"
- When prompted, enter the credentials for your service account
Use the Distributed Engines
--Without a Distributed Processing Manager--
- Log into Windows using the service account's credentials
- Log into the Examiner interface
- Create a case on the Case Folders network share, remembering to use UNC paths (not mapped/absolute paths) for the case folder path
- Add evidence from your Evidence network share, remembering to use UNC paths (not mapped/absolute paths) for the evidence path
--With a Distributed Processing Manager--
- Log into Windows using the service account's credentials.
- Log into the Examiner interface.
- Create a case on the Case Folders network share, remembering to use UNC paths (not mapped/absolute paths) for the case folder path.
- At the New Case Option dialog, make sure the "Processing Manager" is set to whatever machine is housing the Distributed Processing Manager (this should be an IP address or hostname, NOT "localhost").
- Add evidence from your Evidence network share, remembering to use UNC paths (not mapped/absolute paths) for the evidence path.
- At the Add Evidence dialog, make sure the "Processing Manager" is set to whatever machine is housing the Distributed Processing Manager.
Overview
Distributed Processing allows the installation of the Distributed Processing Engine (DPE) on additional computers in your network, so that the resources of those additional computers can be applied to the processing of your cases.
Troubleshooting
Problem
Forensic Tools doesn't appear to be sending work to any Distributed Processing Engines (DPEs).
Resolution
Confirm that the following have been configured properly.
- Make sure Microsoft .NET Framework 4.7.2 (or newer) is installed on the DPM and all DPEs.
- Ports 34096 (to the DPM) and 34097 (to the DPEs) are open as needed.
- A mirrored, domain service account is being used to run the DPE service.
- All the involved machines are running the same version of the Processing Engine, and that it's the correct version for the version of Forensic Tools being used.
- Service account has local admin privileges on all the involved machines.
- Case and Evidence folders are shared out, and that the service account has full access to those shares.
- If using MS-SQL, make sure the service account is added to the Logins with the "sysadmin" role.
- On the machine running Forensic Tools, make sure you're logged into Windows under the service account.
- Distributed Processing Engine machines are added under Tools > "Processing Engine Config" in FTK/Lab/Enterprise.
- Make sure your Case folder and Evidence are using UNC paths, not mapped drive letters.
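Most of the items in that checklist can be verified from the Forensic Tools machine without changing anything. The script below is an added example, not code from the article or the vendor: host names, the service account, the share paths and the database port are placeholder parameters, and the DPE service is located by a DisplayName filter ("*Processing Engine*") that is an assumption you should adjust to the name shown in services.msc on your engines. The .NET check uses the Release value 461808, which Microsoft documents as the minimum for 4.7.2.

```powershell
# Added example (not the article's or vendor's code): read-only checks for the
# Resolution list, run on the Forensic Tools machine while logged in as the service
# account. All parameter defaults are placeholders.
param(
    [string]$ServiceAccount = 'CORP\svc_ftk',
    [string]$DpmHost        = 'ftk01',
    [string[]]$DpeHosts     = @('dpe01', 'dpe02'),
    [string]$DbServer       = 'sql01',
    [int]$DbPort            = 1433,                          # assumed MSSQL listening port
    [string]$CaseFolder     = '\\files01\Cases\Case001',     # constructed sample UNC path
    [string]$EvidencePath   = '\\files01\Evidence\disk.E01'  # constructed sample UNC path
)

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail = '') {
    $results.Add([pscustomobject]@{ Check = $Name; OK = $Ok; Detail = $Detail })
}

# .NET Framework 4.7.2 or newer: Release >= 461808 on this machine (repeat on DPM/DPEs)
$rel = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
        -ErrorAction SilentlyContinue).Release
Add-Check '.NET 4.7.2+ installed here' ($rel -ge 461808) "Release=$rel"

# Logged into Windows under the service account
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Add-Check 'Logged in as service account' ($me -ieq $ServiceAccount) $me

# Service account is a local administrator on this machine (run the same on each DPE)
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
Add-Check 'Service account is local admin here' ($admins -icontains $ServiceAccount)

# Ports: 34096 to the DPM, 34097 to each DPE, the database port to the database server
function Test-Port([string]$Target, [int]$Port) {
    Test-NetConnection -ComputerName $Target -Port $Port -InformationLevel Quiet `
        -WarningAction SilentlyContinue
}
Add-Check "TCP 34096 to DPM $DpmHost" (Test-Port $DpmHost 34096)
foreach ($h in $DpeHosts) { Add-Check "TCP 34097 to DPE $h" (Test-Port $h 34097) }
Add-Check "TCP $DbPort to database $DbServer" (Test-Port $DbServer $DbPort)

# DPE service on each engine runs under the service account (remote CIM query; the
# DisplayName filter is an assumption, adjust it to the service name on your engines)
foreach ($h in $DpeHosts) {
    $svc = Get-CimInstance Win32_Service -ComputerName $h `
        -Filter "DisplayName LIKE '%Processing Engine%'" -ErrorAction SilentlyContinue
    Add-Check "DPE service on $h runs as service account" `
        ([bool]$svc -and $svc.StartName -ieq $ServiceAccount) "$($svc.DisplayName): $($svc.StartName)"
}

# MSSQL only: the caller (the service account, when run as required) holds sysadmin
if (Get-Command sqlcmd -ErrorAction SilentlyContinue) {
    $isSa = sqlcmd -S $DbServer -E -h -1 -W -Q "SET NOCOUNT ON; SELECT IS_SRVROLEMEMBER('sysadmin')"
    Add-Check 'Service account is sysadmin in MSSQL' (("$isSa").Trim() -eq '1') "$isSa"
}

# Case folder and evidence use UNC paths (not mapped drive letters) and are reachable
foreach ($p in @($CaseFolder, $EvidencePath)) {
    Add-Check "UNC path: $p" ($p -match '^\\\\[^\\]+\\[^\\]+')
    Add-Check "Reachable: $p" (Test-Path -LiteralPath $p)
}

$results | Format-Table -AutoSize
```

Version matching of the Processing Engine across machines and the entries under Tools > "Processing Engine Config" are still confirmed by hand; everything else in the list produces a row in the table, so a failed row points at the section of the answer above that needs to be revisited.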