Archive for the ‘File Systems’ Category

I recently contacted Digital Intelligence to confirm that their FRED computers, specifically the Intel X99 Chipset, could handle 10 TB drives. The answer was “We don’t know, but it should.” Not the answer I wanted to hear, especially since I’d already been told that updating this particular FRED from its factory Windows 8.1 to Windows 10 could downgrade the front USB 3.0 ports to 2.0 due to lack of driver support. So with my return guarantee from my vendor in hand, I ordered the 10 TB Seagate IronWolf NAS SATA 6Gb/s NCQ 256MB Cache 3.5-Inch Internal Hard Drive (ST10000VN0004).

First off, the 10 TB drive works in the FRED with the Intel X99 Chipset. Windows, of course, binaries it down to 9.3 TB. Performed a quick NTFS file system format, and promptly ran Crystal Disk Mark on it. Please note that I’m using the Hot Swap Bays, which are connected via USB 3.0, not SATA. Here are the results:

10TB

As a digital forensics examiner, I find myself imaging between multiple operating systems across multiple platforms.  Unfortunately, the file systems native to each major operating system are all not fully-compatible with each other, with the exception of FAT32 and exFAT.

FAT32 limitations are 2TB for drive size and 4GB per file, the latter of which is pretty significant since I usually don’t split my images.  exFAT does not have a file size limit (well, 16 EB, but I digress).

After doing some research and testing, I found that Ubuntu, along with other Linux flavors, actually does handle exFAT with the Filesystem in Userspace (FUSE) package.  Considering Ubuntu is the operating system used for DEFT and many other forensic Live CDs, this is significant. Here are the instructions to add exFAT support to Ubuntu*:

You can mount an exFAT filesystem using the fuse-exfat package, by running the following commands (in a terminal):

1. Add the repository:  sudo add-apt-repository ppa:relan/exfat
2. Update the package list:  sudo apt-get update
3. Install the exFAT package:  sudo apt-get install fuse-exfat
4. Create the mount folder:  sudo mkdir /media/exfat
5. Find your exFAT partition id:  sudo blkid (or sudo fdisk -l to get an expansive list)
6. Mount the filesystem (replace sdc1 with your exFAT partition id):  sudo mount -t exfat /dev/sdc1 /media/exfat
7. Read and write to /media/exfat
8. When you are done, unmount the filesystem:  sudo umount /media/exfat

I’ve confirmed that an exFAT-formatted 2 TB hard drive on a dock can be read and written from Ubuntu (DEFT 7.1) to OS X (10.7 Lion) to Windows 7 (64-bit), all with successful results. I hope this information is helpful to someone else besides myself.

*substantial information from http://stackoverflow.com/questions/6537878/how-to-mount-a-exfat-partition-in-ubuntu-11-04
_________________
Marc Yu
Chief Forensic Examiner
PensacolaForensics.com