Case Studies

Fortune 500® Utilities Company: Processing over a Terabyte of Complex Data in 12 Hours

A major utilities company has 150 locations throughout its region of service. In previous years, the organization was using FTK® and EnCase® Forensic, relying on these stand-alone tools to address internal investigations and e-discovery. With caseload growing year over year, the company saw the need to explore options to improve its computer forensics and e-discovery capabilities.

Typically, the company sees one new computer forensics case a week, with data sets ranging in size from 80GB to 500GB.

E-discovery matters typically involve 12GB of email and a total of 5TB of data. Knowing these volumes will only trend upward, the organization’s information security operations team launched an initiative to dramatically increase the speed with which they are able to process and index data.

In particular, the goal was to get a better handle on computer forensics caseload, which requires a much deeper level of processing than an e-discovery matter would require.


The Solution

Given the sheer processing speed, ease of use and innovative capabilities of AccessData® technology, the decision was made to adopt AD Enterprise and AD eDiscovery®. These solutions are built on Forensic Toolkit® technology and allow processing to be distributed among four “workers,” enabling investigators to move into the analysis phase faster. However, processing performance is also dependent on hardware capabilities, such as disk I/O. As there are virtually innumerable ways in which to configure distributed processing with AccessData technology, the AccessData Technical Account Manager team was asked to assist the utilities company in tailoring the architecture to fit its needs.

Testing was rigorous to ensure the most reliable results. One test data set when compressed filled a terabyte drive and had close to 13 million items.

Full forensic-level processing refers to the processing actions selected in the Additional Analysis processing refinement pane within AD Enterprise. In this case, all actions were selected except Optical Character Recognition and Cerberus malware analysis.



Before implementing AD Enterprise and the new architecture, it typically took six days to forensically process a terabyte of complex data. Now, this Fortune 500 utilities company is able to perform full forensic-level processing on data sets of that size and complexity, including carving and indexing, in just 12 hours. “The only reason we were able to do this is because of the AccessData Technical Account Manager experts who came out to assist us,” claimed a member of the Information Security Operations team. In addition, he explained that this would not be possible with other computer forensics solutions. “AccessData technology absolutely helped. With our current setup we’re able to keep up with caseload very well. We can get eyes on the case faster than ever before … much more time doing and lot less time waiting.”


Hardware Infrastructure

The infrastructure employed to support the improvements in the company’s processing and investigative capabilities includes four servers and a network attached storage (NAS) device. AD Enterprise provides for the use of four distributed processing engines working in unison to handle nearly any volume of data. The inclusion of a NAS device, while not required, can improve the rate at which evidence can be accessed and sent to the processing engine(s).


Leave a Response