Buffalo Linkstation Aquisition

Greetings,

Aye, it is running Linux and the filesystem is probably XFS, though it could be ext2/3, I think.

If you're not familiar with Linux, I'd probably try to rebuild the RAID with UFS Explorer (http//www.ufsexplorer.com/) and see what it can find. I don't think FTK or EnCase support XFS. X-Ways does not support XFS.

Otherwise, you'd want to do the analysis work on Linux.

-David

Thanks David, I will look into it.

Hi Alex,

Are you looking to acquire or analyze? It's unclear because you start with a note about acquisition …

So, if you're acquiring then the OS and FS are meaningless. As long as your acquisition environment recognizes the hardware you're golden. Acquire at will )

For analysis, maybe a different story. Confirm if you're potentially stumped on analysis or acquisition and maybe we can help more. For analysis you'll want an environment that supports the FS type. Provide the output of various commands (blkid, fdisk, ETC.) if you can and we can try to identify the FS type and such.

Cheers!

farmerdude

www.forensicbootcd.com

www.onlineforensictraining.com

It appears the device was wiped before we were able to seize it. The problem is that it seems to be Linux, and I am not a Linux expert.

It most probably hasn't. I have one, and I have partly jail broken it, so I have a fair idea how they work. The Oz version may be different (most other things are), but the file system is XFS.

It's a Linux system running busybox. Now here is the annoying thing, especially for me When ever you delete something, it doesn't delete it. It moves it to a hidden directory called trashbox. I have to keep sshing in and doing rm -rf * in the /mnt/disk1/share/trashbox directory.

Part of the OS's config is on the actual hard drive, as it's configuration can be "manipulated". There are quite a lot of resources on the net for hacking these things, so you will be able to get some idea how they work.