Archive for August, 2009

Look Ma No CDs!

Monday, August 31st, 2009

If you use virtual machines on a daily basis like I do, hopefully you have come to build a library of ISO images on your system to be used by virtual machines instead of physical CDs for OS installations and such.  It’s so much easier to simply click on the CD I want rather than trying to find it in my cluttered office.  The problem comes when I need to install some software on my host computer (think MS Office).  Luckily there are nifty little tools to tell your OS to use that saved ISO file rather than looking for the physical CD.  If you are using Windows, the one I use is Virtual CloneDrive.

If you’re using Mac OSX, of course, the ability to do this is already part of the operating system: you just have to double-click the ISO file and it will mount to your file system.  In Linux just use your mount command to do the same thing.

NTFS Read/Write Support (Mac OSX)

Monday, August 31st, 2009

Extending my last discussion of NTFS support for Linux, attaching NTFS to Mac OSX machines can be a headache as well!  While Mac OSX does include support to read from NTFS volumes, no such luck on writing to them.

Like most Linux apps, ntfs-3g can also be ported to Mac OSX.  And lucky for us there’s already a pre-built installer for Mac OSX too (yea!).  You can find it here (http://macntfs-3g.blogspot.com/).

WARNING!  When I installed this there was an NTFS formatted flash drive in my Mac Pro which got hosed (technical term) after the install.  The contents of the disk were not even viewable on Windows systems (booooo!).  Time to run some forensics on it to see if I can recover any of the data.

That being said, ntfs-3g worked just as advertised (apart from losing my flash data).  It overrides the Mac OSX NTFS support mechanism with its own.  The app places a new item in your System Preferences from which you can change settings, disable it in favor of the native NTFS support (read only), or uninstall it.

Why not simply format my disks as FAT, you say?  Maximum file size of course: we can only go to 4 gig with FAT.  My need for more stems from the large files created by virtual machines.


Working with NTFS formatted disks on CentOS

Monday, August 3rd, 2009

Often in doing computer forensics I use open source/Linux tools; they are powerful and free.  Doing this means that we will often need our Linux operating systems to be able to read the NTFS formatted disks from Windows systems.  Helix has many of these tools and NTFS support built-in (and I cannot recommend it enough) but other Linux distros like my favorite CentOS do not.  CentOS is my distro of choice over Fedora because in general it has proven more stable, albeit less flashy sometimes.

To accomplish the NTFS support we can install the ntfs-3g package.  Unfortunately this is not a standard package in the CentOS install and does not reside in their native yum repositories.  If you are not familiar with yum, it’s an insanely easy way to install/update software on your Linux system (similar to apt if you are of the Debian/Ubuntu bent).  A repository is simply a web database of software ready to be installed on your system (similar to Windows Update for you Microsoft folks, but for tons of different software).

Fortunately we can add third party repositories to our system, so that when we run our yum installs it will check not only the distro’s native repository but any third party ones we have added.  So the solution to add NTFS support for our CentOS system is to add a third party yum repository, then install the ntfs-3g driver using yum.

The CentOS community gets us started on how to install the required third party repository (http://wiki.centos.org/AdditionalResources/Repositories/RPMForge).  I’ll summarize here (currently using CentOS 5.3):

Download the rpmforge-release package.  Choose one of the two links below, depending on your architecture.  If you are unsure which one to use you can check your architecture with the command uname -i

i386 http://apt.sw.be/redhat/el5/en/i386/RPMS.dag/rpmforge-release-0.3.6-1.el5.rf.i386.rpm

x86_64 http://apt.sw.be/redhat/el5/en/x86_64/RPMS.dag/rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm

Go to the directory where the package was downloaded (probably /root/Desktop) and type:

rpm -i rpmforge*

This will install and set up the third party repository.  Now to install the NTFS support I’ll summarize from the CentOS wiki again (http://wiki.centos.org/TipsAndTricks/NTFS):

Install the ntfs-3g package and its dependencies using yum from the command line:

yum install fuse fuse-ntfs-3g dkms dkms-fuse
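Before handing a package you just downloaded over plain HTTP to rpm -i, it is worth confirming it really came from the repository's publisher, and that the repository file it drops in will keep yum checking signatures on everything installed from it later (ntfs-3g, foremost and so on).  The script below is an added example, not code from the original post or from the CentOS wiki pages it cites.  EXPECTED_SHA256, KEY_FILE and REPO_FILE are placeholders or assumptions, and the rpm -K output it parses is the format EL5 prints; only the rpm and yum calls need root, and nothing runs until install_rpmforge_release is called.

```bash
#!/bin/sh
# Added example (not from the original post or the CentOS wiki it cites):
# check the downloaded rpmforge-release package before `rpm -i`, then check
# that the repository file it installs enforces GPG verification for later
# `yum install` runs. EXPECTED_SHA256, KEY_FILE and REPO_FILE are placeholders
# or assumptions; the `rpm -K` output format parsed below is the EL5 one.

# Placeholders: obtain the hash and the publisher's key through a channel
# you trust (the original post gives neither).
EXPECTED_SHA256="<sha256-of-rpmforge-release-from-a-trusted-source>"
KEY_FILE="/root/RPM-GPG-KEY.dag.txt"
REPO_FILE="/etc/yum.repos.d/rpmforge.repo"

# sha256_matches FILE EXPECTED -> succeeds only if FILE hashes to EXPECTED.
sha256_matches() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# rpm_sig_ok reads `rpm -K` output on stdin and succeeds only if a line
# reports a verified GPG signature and no line reports a failure. On EL5 a
# verified package ends in "gpg OK"; a bad or unverifiable signature shows
# "NOT OK"; an unsigned package shows only "sha1 md5 OK" and is rejected too.
rpm_sig_ok() {
    verified=1
    while IFS= read -r line; do
        case "$line" in
            *"NOT OK"*) return 1 ;;
            *"gpg OK"*) verified=0 ;;
        esac
    done
    return $verified
}

# repo_gpgcheck_enforced REPOFILE -> succeeds only if every [section] of the
# yum .repo file sets gpgcheck=1 (whitespace around '=' is ignored).
repo_gpgcheck_enforced() {
    sections=0; enforced=0
    while IFS= read -r line; do
        key=$(printf '%s' "$line" | tr -d ' \t')
        case "$key" in
            \[*\]) sections=$((sections + 1)) ;;
            gpgcheck=1) enforced=$((enforced + 1)) ;;
        esac
    done < "$1"
    [ "$sections" -gt 0 ] && [ "$sections" -eq "$enforced" ]
}

# install_rpmforge_release PKG -> the steps from the post with the checks in
# front of them. Needs root; nothing runs until you call it.
install_rpmforge_release() {
    pkg=$1
    sha256_matches "$pkg" "$EXPECTED_SHA256" \
        || { echo "checksum mismatch, not installing: $pkg" >&2; return 1; }
    rpm --import "$KEY_FILE"
    rpm -K "$pkg" | rpm_sig_ok \
        || { echo "signature not verified, not installing: $pkg" >&2; return 1; }
    rpm -i "$pkg"
    repo_gpgcheck_enforced "$REPO_FILE" \
        || { echo "gpgcheck not enforced in $REPO_FILE, fix it before using yum" >&2; return 1; }
    yum install fuse fuse-ntfs-3g dkms dkms-fuse
}
```

Each check is its own function so it can be tried on its own: sha256_matches against a file, rpm_sig_ok against the text rpm -K prints, repo_gpgcheck_enforced against a .repo file.  An unsigned package is rejected along with a bad signature, because a repository whose release package carries no signature gives you nothing to anchor the later gpgcheck verification to.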

At this point you’re done!  You should be able to freely mount NTFS formatted volumes (or images of them, as is often the case in computer forensics) and use great forensics tools like the amazing and fast file recovery tool foremost, which can also be installed using your new repository:

yum install foremost

Check out the man page for foremost after the install to see how to run it.
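When the NTFS volume or image you mount is evidence, the mount step this post relies on (and the Linux mount of an ISO mentioned in the Look Ma No CDs! post above) deserves some care: attach the file read-only so nothing on it can execute or change, and be able to show afterwards that the image itself is unchanged.  The script below is an added example, not code from the original posts; the image path, mount point, HASH_DIR location and partition start sector are assumptions, and the mount and umount calls need root.

```bash
#!/bin/sh
# Added example (not from the original posts): mount an ISO or a raw disk
# image read-only through a loop device, recording the image's SHA-256
# before the mount and comparing it again after the unmount. Paths, the
# HASH_DIR location and the start sector are assumptions; mount/umount
# need root.

# image_sha256 FILE -> prints the SHA-256 of FILE.
image_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# hash_record IMAGE -> path of the pre-mount hash record, kept outside the
# evidence directory (HASH_DIR, default /tmp, is an assumption).
hash_record() {
    printf '%s/%s.sha256-before\n' "${HASH_DIR:-/tmp}" "$(basename "$1")"
}

# partition_offset_bytes START_SECTOR [SECTOR_SIZE] -> byte offset of a
# partition inside a whole-disk image (fdisk -l lists start sectors).
partition_offset_bytes() {
    echo $(( $1 * ${2:-512} ))
}

# readonly_mount_opts [OFFSET_BYTES] -> the option string used for every
# mount here: attach via a loop device, read-only, and nothing on the image
# may run, act as a device node, or gain privileges through setuid.
readonly_mount_opts() {
    opts="loop,ro,noexec,nodev,nosuid"
    if [ "${1:-0}" -gt 0 ]; then
        opts="$opts,offset=$1"
    fi
    printf '%s\n' "$opts"
}

# mount_image_ro IMAGE MOUNTPOINT FSTYPE [OFFSET_BYTES]
# FSTYPE is iso9660 for an ISO, ntfs-3g for an NTFS volume once the driver
# from the post is installed. The pre-mount hash is written first.
mount_image_ro() {
    image=$1; mnt=$2; fstype=$3; offset=${4:-0}
    image_sha256 "$image" > "$(hash_record "$image")"
    mkdir -p "$mnt"
    mount -t "$fstype" -o "$(readonly_mount_opts "$offset")" "$image" "$mnt"
}

# unmount_image_verify IMAGE MOUNTPOINT -> succeeds only if the image hashes
# the same as it did before it was mounted.
unmount_image_verify() {
    image=$1; mnt=$2
    umount "$mnt"
    before=$(cat "$(hash_record "$image")")
    after=$(image_sha256 "$image")
    [ "$before" = "$after" ]
}

# Typical use (as root), e.g. the first partition of a disk image that
# fdisk -l reports as starting at sector 63 (constructed example):
#   mount_image_ro /cases/disk.dd /mnt/evidence ntfs-3g "$(partition_offset_bytes 63)"
#   ... examine the files under /mnt/evidence ...
#   unmount_image_verify /cases/disk.dd /mnt/evidence && echo "image unchanged"
```

For an ISO the call is the same with iso9660 as the type and no offset.  foremost itself carves from the raw image file rather than the mounted tree, so the read-only mount is for the tools that want a file system, while the before/after hash covers both.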