Helix and external USB drives


Posted: Fri Jan 18, 2008 4:16 pm

I'm trying to use Helix to store images acquired from the live CD. When I try to mount the drive, it shows RW but I can't write to it. I've read other forums that say you can only read from NTFS partitions within Knoppix. What do you guys do when using Helix? Do you have drives that are specifically partitioned with ext3? I tried to format the USB drive with FAT32 but Windows won't even give me that option.

The command I use to mount is:

sudo mount -t ntfs -o rw,noexec /dev/sda1 /media/usbext

Running mount without any arguments shows it to be mounted as rw, and /etc/mtab shows the same.

Thanks for all of your help!


Senior Member

Re: Helix and external USB drives

Posted: Fri Jan 18, 2008 4:34 pm

I've always used FAT32 drives to image to with Helix, and I'm sure I've used Helix to partition and format the drives, using fdisk and then mkfs.vfat with -F32 switch, if not Helix then any Linux box will do, or something like Partition Magic in Windows.

I don't actually know if Helix will write to NTFS drives, I've never tried, but from experience of using other Linux disks I've always defaulted to imaging to FAT32 because I know it works.

I know some people use ext3 formatted drives to image to, and profess them to be quicker - that may be the case, but as I always then transfer the images to a Windows server it would defeat any time savings in the lab.  

Senior Member

Re: Helix and external USB drives

Posted: Fri Jan 18, 2008 4:44 pm

Thanks for the quick reply! It's weird; I tried to delete the NTFS partition using fdisk under Helix, and it deletes all of them. I then created my ext3 partition, and it said that the disk would sync on next reboot, so I rebooted. When I remounted the drive, it still shows as NTFS.

I didn't try the mkfs.vfat command yet, but I'll try that tonight.

Thanks JonN!  

Senior Member

Re: Helix and external USB drives

Posted: Fri Jan 18, 2008 4:52 pm

You could use ntfs-3g with Helix (it's on there). Google for it and read up a bit before doing so.

From a forensics perspective, writing to NTFS for acquisition is generally a BAD idea. Unless you've exhaustively tested it on your platform, I'd avoid using it in a production environment. Even compared to VFAT on large images, it's pretty slow.

Format your thumbdrive FAT32 if you need to access it from Windows, or format EXT and use a Windows EXT driver (or software...again, check Google).

My $.02  

Senior Member

Re: Helix and external USB drives

Posted: Fri Jan 18, 2008 4:57 pm

Well, this is just for dd to write to. I've booted a laptop up from Helix, mounted the local hdd as RO, and then mounted the external USB as rw. I was going to dd if=/dev/hda of=/dev/sda1/image.dd, and then open in Autopsy.

When you said "writing to NTFS for acquisition is generally a BAD idea", what do you suggest writing to? Should I expect to partition all of my storage drives to ext3?

Btw, this isn't for a "real" case. I've been asked by a client to see what data has been deleted, but it's not expected to go to court. I know that I can use other software, but I feel this is good practice. :)

Senior Member

Re: Helix and external USB drives

Posted: Mon Jan 28, 2008 12:56 am

To mount the NTFS volume as RW in Helix....From root shell or sudo:
mount -t ntfs-3g /dev/hdx /media/hdx -o force

force is for forcing a mount when the volume was unmounted improperly, which will be the case when using mkntfs to format it.

Jeff Hansen
Hansen & Levey Forensics


Re: Helix and external USB drives

Posted: Fri Feb 15, 2008 2:17 pm

ntfs-3g is what you will use for writing reliably to NTFS file systems that are mounted locally from Linux.

Alternatively, mount your destination via CIFS or SAMBA and blow your image across the network. This way you write to your NTFS destination but go through CIFS or SAMBA, and if you use a crossover cable and an Intel gig PCI Ethernet card it will be fast with no outside interference.

I think some thought should be given to the type of file system you store your image files on. Unfortunately many "just use" NTFS because they work in a Windows environment. I would give consideration to these areas when choosing the FS TYPE to store image files on:
- how robust is the file system (can I include it in an LVM where I can grow or shrink as needed, simply by adding or removing a drive and changing the configuration file)
- how fast or slow is the file system, depending upon the type of files stored within it (large files vs small files)
- how fast (or slow) is the file system checker
- how accurate is the file system checker
- if I need cross-platform support, which are supported, and to what extent?

Just some thoughts ...


Senior Member
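
The posts above settle on FAT32 or ext3 as the destination for a dd image taken from the Helix live CD. As an added example (not from any poster; the function names and the image.dd.* segment naming are assumptions), this script goes one step beyond the thread: it proves the mounted destination accepts a write, splits the image below FAT32's 4 GiB per-file limit, and checks the segments against the source by SHA-256.

```shell
#!/bin/sh
# Added example (hypothetical helper names): image SRC into DEST_DIR as
# FAT32-safe segments, then verify the segments against the source.

# FAT32 cannot store a single file of 4 GiB or more; stay well below it.
CHUNK_BYTES=${CHUNK_BYTES:-2147483648}   # 2 GiB per segment

# Succeed only if DEST_DIR is a directory that really accepts a write.
# "mount" reporting rw is not proof, and a device node is not a directory.
check_dest() {
    dest=$1
    if [ ! -d "$dest" ]; then
        echo "not a mounted directory: $dest" >&2; return 1
    fi
    probe="$dest/.write_probe.$$"
    if ! ( printf 'probe' > "$probe" ) 2>/dev/null; then
        echo "reported mounted but not writable: $dest" >&2; return 1
    fi
    rm -f "$probe"
}

hash_stream() { sha256sum | cut -d' ' -f1; }

# acquire_split SRC DEST_DIR
# Prints the SHA-256 on success; returns non-zero on any failure or mismatch.
acquire_split() {
    src=$1; dest=$2
    check_dest "$dest" || return 1
    # Segments are named image.dd.aa, image.dd.ab, ... (split's default suffixes).
    dd if="$src" bs=65536 2>/dev/null |
        split -b "$CHUNK_BYTES" - "$dest/image.dd." || return 1
    src_hash=$(dd if="$src" bs=65536 2>/dev/null | hash_stream)
    # The shell expands the glob in sorted order, so cat rebuilds the image.
    img_hash=$(cat "$dest"/image.dd.* | hash_stream)
    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: source $src_hash, image $img_hash" >&2; return 1
    fi
    printf '%s  image.dd (all segments concatenated)\n' "$img_hash" \
        > "$dest/image.sha256"
    echo "$img_hash"
}

# Usage with the devices named in the thread:
#   acquire_split /dev/hda /media/usbext
```

To work on the image as a single file, concatenate the segments in name order onto a filesystem without the 4 GiB limit.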
