Archive for the ‘Ubuntu’ Category

DEFT 7.2 was released a couple of weeks ago.  Some highlights of this release:

  • Option to use DEFT as a virtual appliance based on Vmware 5 with USB3 support
  • Kernel 3.0.0-26
  • Autopsy 3 beta 5 (using Wine – please note that you need minimum 1GB ram)
  • Log2tmeline 0.65
  • Guymager 0.6.12-1
  • Vmfs support
  • Some mirror fixes

http://www.deftlinux.net/

 

Also, YUMI 0.0.7.8 was released last week.  You will have to un-install any previous versions of DEFT through the YUMI interface, then install DEFT 7.2 through the same interface.  It takes about 25 minutes total.  A quick note about installation – you will have to manually browse for the DEFT 7.2 .iso file (put in *.* under file name) as YUMI wants to install version 7.1, not 7.2.  I’ve tested it, and YUMI will boot DEFT 7.2 without any problems.  I’m actually using DEFT 7.2 from YUMI to simultaneously image 3 drives on our portable forensics box via Guymager right now as I’m typing.

http://www.pendrivelinux.com/yumi-multiboot-usb-creator/

DEFT 7.1 is my current “Live CD” of choice. Based on Ubuntu, DEFT is constantly updated to include the newest drivers (it even installed my 3rd party ExpressCard USB 3.0 port), allows commands to be executed to customize the kernel before starting the GUI, and has almost every open source tool that I use for digital forensics. My only complaints were how long it took to load and the response time once it was in the GUI. These complaints were directly connected to DEFT running on a DVD; the OS had to constantly task back and forth from the DVD, which made it crawl sometimes. So, I went on a hunt to install it onto a flash drive, thinking it would be a long and arduous task. I thought wrong.  Pendrivelinux.com already had installers built to run Linux distributions straight off a flash drive. And one of those distributions was DEFT 7.1. Not only that, but there was one called Your Universal Multiboot Installer (YUMI) that allowed me to choose from multiple builds at startup.

Installation onto the USB flash drive took just a few minutes, and now my boot-up time in DEFT 7.1 is 5 times faster.  Plus, the GUI never intermittently crawls like it used to on DVD.  In addition, I can also choose from other builds I installed onto the flash drive, such as BackTrack, Clonezilla, and a number of others.  I don’t even boot off my hard drive anymore – I just use YUMI installed on my USB flash drive.  I highly recommend this for digital forensics, penetration testing, anti-virus cleaning, data recovery, and too much else to name.

http://www.pendrivelinux.com/yumi-multiboot-usb-creator/

As a digital forensics examiner, I find myself imaging between multiple operating systems across multiple platforms.  Unfortunately, the file systems native to each major operating system are all not fully-compatible with each other, with the exception of FAT32 and exFAT.

FAT32 limitations are 2TB for drive size and 4GB per file, the latter of which is pretty significant since I usually don’t split my images.  exFAT does not have a file size limit (well, 16 EB, but I digress).

After doing some research and testing, I found that Ubuntu, along with other Linux flavors, actually does handle exFAT with the Filesystem in Userspace (FUSE) package.  Considering Ubuntu is the operating system used for DEFT and many other forensic Live CDs, this is significant. Here are the instructions to add exFAT support to Ubuntu*:

You can mount an exFAT filesystem using the fuse-exfat package, by running the following commands (in a terminal):

1. Add the repository:  sudo add-apt-repository ppa:relan/exfat
2. Update the package list:  sudo apt-get update
3. Install the exFAT package:  sudo apt-get install fuse-exfat
4. Create the mount folder:  sudo mkdir /media/exfat
5. Find your exFAT partition id:  sudo blkid (or sudo fdisk -l to get an expansive list)
6. Mount the filesystem (replace sdc1 with your exFAT partition id):  sudo mount -t exfat /dev/sdc1 /media/exfat
7. Read and write to /media/exfat
8. When you are done, unmount the filesystem:  sudo umount /media/exfat

I’ve confirmed that an exFAT-formatted 2 TB hard drive on a dock can be read and written from Ubuntu (DEFT 7.1) to OS X (10.7 Lion) to Windows 7 (64-bit), all with successful results. I hope this information is helpful to someone else besides myself.

*substantial information from http://stackoverflow.com/questions/6537878/how-to-mount-a-exfat-partition-in-ubuntu-11-04
_________________
Marc Yu
Chief Forensic Examiner
PensacolaForensics.com