TD3 and EXT file sy...
 
Notifications
Clear all

TD3 and EXT file systems

4 Posts
3 Users
0 Reactions
681 Views
paninik
(@paninik)
Active Member
Joined: 15 years ago
Posts: 9
Topic starter  

Hi,

Normally, especially for small cases, I work (case files) directly on the drive where the image was acquired. Recently we bought 2 TD3s and I noticed the default format option only supports ext4/2. This creates an issue because our analysis workstations are Win7.

My questions are
1. Anyone with experience using the open source drivers, EXT2FSD or EXT2IFS on Win7? Are they reliable?

2. I guess the other option is to copy the image to our NAS and work off there for all cases (re-copy them back to the drive for archive once the case concludes). What's your process dealing with working copies?

Thank you,

AK


   
Quote
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

The underlying OS for the TD3 is Linux so EXT was native.

There are several ways to access the files after acquisition. You can attach the TD3 to your network and upload the files or you can follow some of the ideas at THIS link.

I have used EXT2FSD and the Disk Internals reader successfully.


   
ReplyQuote
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

I highly recommend against working on your master image. I've always worked on a working copy and had the master image preserved. Of course, I don't do IR where that may not be an option.

I also have many images made using a Linux forensic boot disk, and in order to work those on Windows, I simply open the master image drive in FTK Imager and extract the image files out to my RAID, then re-hash them to validate. I used to use a file system driver for Windows, but found the aforementioned method easier.


   
ReplyQuote
paninik
(@paninik)
Active Member
Joined: 15 years ago
Posts: 9
Topic starter  

Thanks!

Normally we are trying to save time (copy to NAS, copy from NAS), but it sounds like I need to revise that process.

I am not too concerned about the 3rd party utilities where it provides read-only access. It's the write access I am worried about especially if I am working on the acquisition drive.


   
ReplyQuote
Share: