Question

How do I configure Forensic Tools (FTK, Enterprise, LAB, and Quin-C) to use Distributed Processing?

 

Answer

Create a Service Account

In order for Distributed Processing to work, all components must run under the same account, which we refer to as the "service account".

The "service account" must be a domain account, with its password set to never expire.  It must also have local administrator permissions on any machines running Forensic Tools, the database, and the Processing Engine.

Important: Using a mirrored account while in a workgroup is not supported for distributed processing.

 

Configure the Database

Only needed for MSSQL:

  1. Open MSSQL Management Studio
  2. Log in to the database server
  3. In Object Explorer, expand the entry for your server
  4. Expand "Security"
  5. Right-click "Logins" and select "New Login"
  6. On the "General" page, select "Windows Authentication" and use the "Search" button to find the desired Windows user account
  7. On the "Server Roles" page, check both "public" and "sysadmin"
  8. Click "OK"

 

Share the Necessary Folders

Create network shares for your Case Folders and Evidence.  Ensure that the service account is given Full Sharing and Security permissions to these network shares.

 

Open Necessary Ports

The machine running the database must accept incoming connections, over whatever port the database is listening on, from all machines running the Forensic Tools, Processing Manager, and Processing Engine.

The machine running Forensic Tools and/or the Distributed Processing Manager, must accept incoming connections over port 34096, from all machines running the Processing Engine.

The machine(s) running the Distributed Processing Engine must accept incoming connections over port 34097, from the machine Forensic Tools and/or the Distributed Processing Manager,

Only needed for MSSQL:

All machines need to have MSDTC open between each other.

 

Install the Processing Engines

Determine which machines will have the Distributed Processing Engine and if you will need a Processing Manager.  A given environment can only have one Distributed Processing Manager.  FTK can use a Distributed Processing Manager, but only if it's installed on the same machine as FTK.  Enterprise, Lab, and FTK Central can use a remote Distributed Processing Manager, which allows for collaboration.

--Without a Distributed Processing Manager--

Forensic Tools Machine:

  1. Log into Windows using the service account's credentials
  2. Install the Examiner as normal
  3. Run the Evidence Processing Engine installer
  4. When prompted, do not check "Install as a Distributed Processing Engine"
  5. Log into the Examiner interface
  6. Go to Tools > Processing Engine Config
  7. Add each of your Distributed Engines by machine name or IP

Distributed Engines:

  1. Log into Windows using the service account's credentials
  2. Run the Evidence Processing Engine installer
  3. When prompted, check "Install as a Distributed Processing Engine"
  4. When prompted, enter the credentials for your service account

 

--With a Distributed Processing Manager--

Distributed Processing Manager:

  1. Log into Windows using the service account's credentials
  2. Run the Distributed Processing Manager installer
  3. When prompted, enter the credentials for your service account
  4. At the Processing Manager Configuration dialog, add each of your Distributed Engines by machine name or IP

Distributed Engines:

  1. Log into Windows using the service account's credentials
  2. Run the Evidence Processing Engine installer
  3. When prompted, check "Install as a Distributed Processing Engine"
  4. When prompted, enter the credentials for your service account


Use the Distributed Engines

--Without a Distributed Processing Manager--

  1. Log into Windows using the service account's credentials
  2. Log into the Examiner interface
  3. Create a case on Case Folders network share, remembering to use UNC paths (not mapped/absolute paths) for the case folder path
  4. Add evidence from your Evidence network share, remembering to use UNC paths (not mapped/absolute paths) for the evidence path

--With a Distributed Processing Manager--

  1. Log into Windows using the service account's credentials.
  2. Log into the Examiner interface.
  3. Create a case on Case Folders network share, remembering to use UNC paths (not mapped/absolute paths) for the case folder path.
  4. At the New Case Option dialog, make sure the "Processing Manager" is set  whatever machine is housing the Distributed Processing Manager (this should be IP address or hostname, NOT "localhost").
  5. Add evidence from your Evidence network share, remembering to use UNC paths (not mapped/absolute paths) for the evidence path.
  6. At the Add Evidence dialog, make sure the "Processing Manager" is set to whatever machine is housing the Distributed Processing Manager.

 

Overview

Distributed Processing allows the installation of the Distributed Processing Engine (DPE) on additional computers in your network, allowing you to apply additional resources additional computers to the processing of your cases.

For more information on Processing Manager, see the article linked here.