Archive for September, 2012

As a digital forensics examiner, I find myself imaging between multiple operating systems across multiple platforms. Unfortunately, the file systems native to each major operating system are not fully compatible with each other; the exceptions are FAT32 and exFAT.

FAT32 limitations are 2TB for drive size and 4GB per file, the latter of which is pretty significant since I usually don’t split my images.  exFAT does not have a file size limit (well, 16 EB, but I digress).

After doing some research and testing, I found that Ubuntu, along with other Linux flavors, actually does handle exFAT with the Filesystem in Userspace (FUSE) package.  Considering Ubuntu is the operating system used for DEFT and many other forensic Live CDs, this is significant. Here are the instructions to add exFAT support to Ubuntu*:

You can mount an exFAT filesystem using the fuse-exfat package, by running the following commands (in a terminal):

1. Add the repository:  sudo add-apt-repository ppa:relan/exfat
2. Update the package list:  sudo apt-get update
3. Install the exFAT package:  sudo apt-get install fuse-exfat
4. Create the mount folder:  sudo mkdir /media/exfat
5. Find your exFAT partition id:  sudo blkid (or sudo fdisk -l to get an expansive list)
6. Mount the filesystem (replace sdc1 with your exFAT partition id):  sudo mount -t exfat /dev/sdc1 /media/exfat
7. Read and write to /media/exfat
8. When you are done, unmount the filesystem:  sudo umount /media/exfat
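
Before step 6 it is worth confirming which partition blkid actually reports as exFAT, and whether a destination can hold an unsplit image at all. The script below is an added example, not part of the original instructions; the blkid lines in it are constructed samples, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for an imaging destination partition.
# The blkid lines below are constructed samples, not output from a real system.
SAMPLE_BLKID='/dev/sda1: UUID="00000000-aaaa-bbbb-cccc-000000000001" TYPE="ext4" PARTUUID="00000000-01"
/dev/sdb1: SEC_TYPE="msdos" UUID="1A2B-3C4D" TYPE="vfat" PARTUUID="00000000-02"
/dev/sdc1: UUID="5E6F-7A8B" TYPE="exfat" PTTYPE="dos" PARTUUID="00000000-03"'

# Largest single file FAT32 can hold: 4 GiB minus one byte.
FAT32_MAX_FILE=$((4 * 1024 * 1024 * 1024 - 1))

# Print the TYPE="..." value from one blkid line. The leading whitespace in
# the pattern keeps SEC_TYPE= and PTTYPE= from being mistaken for TYPE=.
fs_type() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]TYPE="\([^"]*\)".*/\1/p'
}

# Read blkid output on stdin; print the device node of every exFAT partition.
exfat_devices() {
    while IFS= read -r ed_line; do
        if [ "$(fs_type "$ed_line")" = exfat ]; then
            printf '%s\n' "${ed_line%%:*}"
        fi
    done
}

# Given one blkid line and an image size in bytes, print:
#   ok     the image fits as a single file
#   split  FAT-family volume and the image exceeds the per-file limit
#   other  not FAT32/exFAT, so not one of the cross-platform formats
check_destination() {
    cd_type=$(fs_type "$1")
    case $cd_type in
        exfat) echo ok ;;
        vfat)  # blkid reports FAT32 as "vfat"
               if [ "$2" -gt "$FAT32_MAX_FILE" ]; then echo split; else echo ok; fi ;;
        *)     echo other ;;
    esac
}

# Demo on the constructed sample: a 500 GB image against each partition.
printf '%s\n' "$SAMPLE_BLKID" | while IFS= read -r demo_line; do
    printf '%s -> %s\n' "${demo_line%%:*}" "$(check_destination "$demo_line" 500000000000)"
done
```

On a live system, pipe the output of sudo blkid into exfat_devices to get the device node to use in the mount command.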

I’ve confirmed that an exFAT-formatted 2 TB hard drive on a dock can be read and written from Ubuntu (DEFT 7.1) to OS X (10.7 Lion) to Windows 7 (64-bit), all with successful results. I hope this information is helpful to someone else besides myself.

*substantial information from http://stackoverflow.com/questions/6537878/how-to-mount-a-exfat-partition-in-ubuntu-11-04
_________________
Marc Yu
Chief Forensic Examiner
PensacolaForensics.com