Helix and external USB drives


Post Posted: Fri Jan 18, 2008 11:16 am

I'm trying to use Helix to store images acquired from the live CD. When I try to mount the drive, it shows RW but I can't write to it. I've read other forums that say you can only read from NTFS partitions within Knoppix. What do you guys do when using Helix? Do you have drives that are specifically partitioned with ext3? I tried to format the USB drive with FAT32 but Windows won't even give me that option.

The command I use to mount is:

sudo mount -t ntfs -o rw,noexec /dev/sda1 /media/usbext

Running mount without any arguments shows it to be mounted as rw, and /etc/mtab shows the same.

Thanks for all of your help!

John  

jblakley
Member
 
 
  

Re: Helix and external USB drives

Post Posted: Fri Jan 18, 2008 11:34 am

I've always used FAT32 drives to image to with Helix, and I'm sure I've used Helix to partition and format the drives, using fdisk and then mkfs.vfat with -F32 switch, if not Helix then any Linux box will do, or something like Partition Magic in Windows.

I don't actually know if Helix will write to NTFS drives, I've never tried, but from experience of using other Linux disks I've always defaulted to imaging to FAT32 because I know it works.

I know some people use ext3 formatted drives to image to, and profess them to be quicker - that may be the case, but as I always then transfer the images to a Windows server it would defeat any time savings in the lab.  

JonN
Senior Member
 
 
  

Re: Helix and external USB drives

Post Posted: Fri Jan 18, 2008 11:44 am

Thanks for the quick reply! It's weird; I tried to delete the NTFS partition using fdisk under Helix, and it deletes all of them. I then created my ext3 partition, and it said that the disk would sync on next reboot, so I rebooted. When I remounted the drive, it still shows as NTFS.

I didn't try the mkfs.vfat command yet, but I'll try that tonight.

Thanks JonN!  

jblakley
Member
 
 
  

Re: Helix and external USB drives

Post Posted: Fri Jan 18, 2008 11:52 am

You could use ntfs-3g with Helix (it's on there). Google for it and read up a bit before doing so.

From a forensics perspective, writing to NTFS for acquisition is generally a BAD idea. Unless you've exhaustively tested it on your platform, I'd avoid using it in a production environment. Even compared to VFAT on large images, it's pretty slow.

Format your thumbdrive FAT32 if you need to access from Windows, or format EXT and use a Windows EXT driver (or software...again, check Google).

My $.02  

bgrundy
Senior Member
 
 
  

Re: Helix and external USB drives

Post Posted: Fri Jan 18, 2008 11:57 am

Well, this is just for dd to write to. I've booted a laptop up from Helix, mounted the local hdd as RO, and then mounted the external USB as rw. I was going to dd if=/dev/hda of=/dev/sda1/image.dd, and then open in Autopsy.

When you said "writing to NTFS for acquisition is generally a BAD idea", what do you suggest writing to? Should I expect to partition all of my storage drives to ext3?

Btw, this isn't for a "real" case. I've been asked by a client to see what data has been deleted, but it's not expected to go to court. I know that I can use other software, but I feel this is good practice. Smile  

jblakley
Member
 
 
  

Re: Helix and external USB drives

Post Posted: Sun Jan 27, 2008 7:56 pm

To mount the NTFS volume as RW in Helix....From root shell or sudo:
mount -t ntfs-3g /dev/hdx /media/hdx -o force

force is for forcing a mount when the volume was unmounted improperly, which will be the case when using mkntfs to format it.

Jeff Hansen
Hansen & Levey Forensics
www.HLforensics.com  

guyonright
Newbie
 
 
  

Re: Helix and external USB drives

Post Posted: Fri Feb 15, 2008 9:17 am

ntfs-3g is what you will use for writing reliably to NTFS file systems from Linux that is mounted locally.

Alternatively, mount your destination via CIFS or SAMBA and blow your image across the network. This way you write to your NTFS destination but go through CIFS or SAMBA, and if you use a crossover cable and an Intel gig PCI Ethernet card it will be fast with no outside interference.

I think some thought should be given to the type of file system you store your image files on. Unfortunately many "just use" NTFS because they work in a Windows environment. I would give consideration to these areas when choosing the FS TYPE to store image files on:
- how robust is the file system (can I include it in an LVM where I can grow or shrink as needed, simply by adding or removing a drive and changing the configuration file)
- how fast or slow is the file system, depending upon the type of files stored within it (large files vs small files)
- how fast (or slow) is the file system checker
- how accurate is the file system checker
- if I need cross-platform support, which are supported, and to what extent?


Just some thoughts ...

farmerdude  

farmerdude
Senior Member
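
The situation that opens this thread (a destination that the mount table lists as rw but that cannot actually be written) can be caught before an acquisition starts by probing the destination instead of trusting the mount table. The script below is an added example, not code from any poster or from Helix; the function names and the MOUNTS_FILE override are hypothetical, and it assumes a POSIX shell with awk.

```shell
#!/bin/sh
# Pre-flight check for an imaging destination (added example, not from the thread).
# MOUNTS_FILE is a hypothetical override so the parser can be run on constructed input.
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# Print "fstype options" for the mount-table entry whose mount point is $1.
# If the mount point appears more than once, the last (topmost) entry wins.
mount_entry() {
    awk -v mp="$1" '$2 == mp { fs = $3; opts = $4 }
        END { if (fs != "") { print fs, opts } else { exit 1 } }' "$MOUNTS_FILE"
}

# Succeed only if the comma-separated option list in $1 contains "rw".
opts_say_rw() {
    case ",$1," in *,rw,*) return 0 ;; *) return 1 ;; esac
}

# Create a probe file under $1, read it back, then remove it.
# This tests what the driver really permits, not what the mount table claims.
can_really_write() {
    probe="$1/.write_probe.$$"
    token="probe-$$"
    ( printf '%s\n' "$token" > "$probe" ) 2>/dev/null || return 1
    [ "$(cat "$probe" 2>/dev/null)" = "$token" ] || { rm -f "$probe"; return 1; }
    rm -f "$probe"
}

# Classify destination $1. Prints one of:
#   "OK <fstype>", "READ_ONLY <fstype>", "MISLEADING_RW <fstype>", "NOT_MOUNTED"
check_destination() {
    entry=$(mount_entry "$1") || { echo NOT_MOUNTED; return 1; }
    fstype=${entry%% *}
    opts=${entry#* }
    if ! opts_say_rw "$opts"; then echo "READ_ONLY $fstype"; return 1; fi
    if ! can_really_write "$1"; then echo "MISLEADING_RW $fstype"; return 1; fi
    echo "OK $fstype"
}
```

Run `check_destination /media/usbext` after mounting the destination and before starting dd; anything other than `OK` means the image would not be written where you expect.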
 
 