Working with NTFS formatted disks on CentOS

Often when doing computer forensics I use open source/Linux tools; they are powerful and free.  Doing this means that our Linux systems must be able to read the NTFS-formatted disks that come from Windows systems.  Helix has many of these tools and NTFS support built in (and I cannot recommend it enough), but other Linux distros like my favorite, CentOS, do not.  CentOS is my distro of choice over Fedora because in general it has proven more stable, albeit less flashy at times.

To add NTFS support we can install the ntfs-3g package.  Unfortunately this is not a standard package in the CentOS install and does not reside in the native yum repositories.  If you are not familiar with yum, it is an insanely easy way to install/update software on your Linux system (similar to apt if you are of the Debian/Ubuntu bent).  A repository is simply a web-hosted collection of packages ready to be installed on your system (similar to Windows Update for the Microsoft folks, but covering tons of different software).

Fortunately we can add third-party repositories to our system, so that when we run our yum installs it checks not only the distro’s native repository but any third-party ones we have added.  So the solution for adding NTFS support to our CentOS system is to add a third-party yum repository and then install the ntfs-3g driver using yum.  Keep in mind that packages from a third-party repository install and run as root just like the distro’s own, so only add repositories you trust and check package signatures before installing.

The CentOS community gets us started on how to install the required third-party repository (http://wiki.centos.org/AdditionalResources/Repositories/RPMForge).  I’ll summarize here (currently using CentOS 5.3):

Download the rpmforge-release package. Choose one of the two links below, depending on your architecture. If you are unsure which one to use, check your architecture with the command uname -i

i386 http://apt.sw.be/redhat/el5/en/i386/RPMS.dag/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

x86_64 http://apt.sw.be/redhat/el5/en/x86_64/RPMS.dag/rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm

Go to the directory where the package was downloaded (probably /root/Desktop) and install it:

rpm -i rpmforge*

This will install and set up the third-party repository.  Now, to install the NTFS support, I’ll summarize from the CentOS wiki again (http://wiki.centos.org/TipsAndTricks/NTFS):

Install the ntfs-3g package and its dependencies using yum from the command line:

yum install fuse fuse-ntfs-3g dkms dkms-fuse
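The steps above as one script, added here as an example; it is my code, not the original post’s or the CentOS wiki’s. It adds the check the summary skips: importing the RPMForge signing key and verifying the rpmforge-release package signature with rpm -K before installing it, since a repository package installs as root. The key URL (http://apt.sw.be/RPM-GPG-KEY.dag.txt) is the one the RPMForge wiki page linked above used, the package URLs and version are the ones listed in the post, and the final check that the fuse kernel module loads is my addition.

```bash
#!/bin/bash
# Added example, not from the original post: add the RPMForge repository and
# install ntfs-3g on CentOS 5, verifying the repository package's signature first.
# Run as root: ./ntfs-setup.sh run   (with no argument it only defines the functions)
set -e

RPMFORGE_BASE="http://apt.sw.be/redhat/el5/en"
RPMFORGE_KEY_URL="http://apt.sw.be/RPM-GPG-KEY.dag.txt"   # RPMForge (DAG) signing key
RPMFORGE_VER="0.3.6-1.el5.rf"                             # version listed in the post

# Map the output of uname -i onto the two package URLs the post gives.
rpmforge_url() {
    case "$1" in
        i386|i686) echo "$RPMFORGE_BASE/i386/RPMS.dag/rpmforge-release-$RPMFORGE_VER.i386.rpm" ;;
        x86_64)    echo "$RPMFORGE_BASE/x86_64/RPMS.dag/rpmforge-release-$RPMFORGE_VER.x86_64.rpm" ;;
        *)         echo "unsupported architecture: $1" >&2; return 1 ;;
    esac
}

install_rpmforge() {
    local url pkg
    url=$(rpmforge_url "$(uname -i)")
    pkg=${url##*/}
    cd /tmp
    wget -q "$url"
    # Import the signing key, then let rpm -K (--checksig) fail the script if the
    # package is not signed with it: under set -e a bad or missing signature stops here.
    rpm --import "$RPMFORGE_KEY_URL"
    rpm -K "$pkg"
    rpm -Uvh "$pkg"
}

install_ntfs() {
    yum -y install fuse fuse-ntfs-3g dkms dkms-fuse
    # dkms-fuse builds the kernel module; make sure it actually loads on this kernel
    # before declaring victory.
    modprobe fuse
    lsmod | grep -q '^fuse[[:space:]]'
}

if [ "${1:-}" = "run" ]; then
    install_rpmforge
    install_ntfs
    echo "ntfs-3g installed; mount read-only with: mount -t ntfs-3g -o ro /dev/sdX1 /mnt/point"
fi
```

If rpm -K reports NOT OK, the script stops before rpm -Uvh runs; that is the point of ordering the key import and the signature check ahead of the install.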

At this point you’re done!  You should be able to freely mount NTFS-formatted volumes (or images of them, as is often the case in computer forensics; mount evidence read-only so that nothing you do alters it) and use great forensics tools like the amazing and fast file recovery tool foremost, which can also be installed from your new repository:

yum install foremost

Check out the man page for foremost after the install to see how to run it.
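An added example of putting the driver to forensic use: mounting one partition out of a raw disk image read-only, and carving files from the image with foremost. This is my code, not the post’s. The image path, partition number and mount point are hypothetical, and the sfdisk -d dump at the bottom is constructed so that partition_offset can be tried without an image.

```bash
#!/bin/bash
# Added example, not from the original post: mount an NTFS partition inside a raw
# disk image read-only for examination, using the ntfs-3g driver installed above.
# Usage (as root): ./mount-evidence.sh /cases/evidence.dd 1 /mnt/evidence
# The image, partition number and mount point are hypothetical.

# Byte offset of the Nth partition from an `sfdisk -d` dump read on stdin.
# sfdisk -d prints one line per partition such as
#   /cases/evidence.dd1 : start=       63, size=  20964762, Id= 7
# $1 is the partition number, $2 the sector size (512 unless the image says otherwise).
partition_offset() {
    local n="$1" sectsz="${2:-512}" start
    start=$(awk -v n="$n" '
        /start=/ {
            if (++idx == n) { sub(/.*start=[ \t]*/, ""); sub(/,.*/, ""); print; exit }
        }')
    [ -n "$start" ] || { echo "no partition $n in dump" >&2; return 1; }
    echo $(( start * sectsz ))
}

# True if the kernel lists $1 as a mount point whose first option is ro.
mounted_ro() {
    awk -v m="$1" '$2 == m && $4 ~ /^ro(,|$)/ { found = 1 } END { exit !found }' /proc/mounts
}

mount_image_ro() {
    local image="$1" part="$2" mnt="$3" offset
    offset=$(sfdisk -d "$image" | partition_offset "$part")
    mkdir -p "$mnt"
    # ro: never write to the evidence; loop,offset: address the partition inside the
    # image file; noexec,nodev: nothing on a suspect volume gets to run or act as a
    # device node; show_sys_files: expose $MFT, $LogFile etc. as files for examination.
    mount -t ntfs-3g -o "ro,loop,offset=$offset,noexec,nodev,show_sys_files" "$image" "$mnt"
    # Confirm the kernel really has it read-only before anyone touches it.
    mounted_ro "$mnt"
}

# foremost carves files straight out of the raw image, no mount needed. The output
# directory must be absent or empty; foremost refuses to write into one that is not.
carve_image() {
    local image="$1" outdir="$2"
    foremost -t jpg,gif,doc,pdf -i "$image" -o "$outdir"
}

# Constructed sfdisk -d dump of a two-partition image, for trying partition_offset
# without an image (partition 1 starts at sector 63, partition 2 at 20964825).
SAMPLE_DUMP='# partition table of /cases/evidence.dd
unit: sectors

/cases/evidence.dd1 : start=       63, size=  20964762, Id= 7, bootable
/cases/evidence.dd2 : start= 20964825, size=  20964825, Id= 7
/cases/evidence.dd3 : start=        0, size=         0, Id= 0
/cases/evidence.dd4 : start=        0, size=         0, Id= 0'

if [ "$#" -eq 3 ]; then
    mount_image_ro "$1" "$2" "$3"
fi
```

With no arguments the script only defines the functions, so `printf '%s\n' "$SAMPLE_DUMP" | partition_offset 1` can be run to see the 32256-byte offset that a partition starting at sector 63 gets; with the three arguments it mounts the partition and fails if /proc/mounts does not show it read-only.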

3 Responses to “Working with NTFS formatted disks on CentOS”

  1. admin says:

    And btw, I use VMware to virtualize my Linux distros to do this work (Helix, CentOS). So no need to install a dedicated Linux machine or go through the pain of multi-boot systems.

  2. InsaneBovine says:

    What, you don’t run Linux as your standard desktop!
    Heathen!

    I’ve actually had Linux pull data off of NTFS that certain recovery tools wouldn’t touch.

  3. admin says:

    Ha! I am rather OS agnostic on the whole. On the desktop however my preference is an OS which doesn’t ever get in my way (which to me equates to OS X). When I need others (like Linux for forensics work here), I fire up virtual machines.
