Friday, October 13, 2006

Helix Live CD - Ntfs RW Support

The latest Helix Forensic Live CD was released not long ago; I have always liked it for its ease of use for forensic practitioners. This release includes a few interesting features, which you can find here.

Instead of using Captive for NTFS read/write capability, they now use ntfs-3g, which is this. ntfs-3g is a better and cleaner tool for accessing NTFS file systems. For the many people who have problems with their Windows boxen but need to access the NTFS file system to retrieve their data, Helix now provides a very good solution. Here's my testing of it.

I booted the Helix Live CD on my Windows box and chose gui (which is the default), and you will see the XFCE desktop. I set up the network configuration using the Network Card Configuration item under Network in the Helix Menu. Then I enabled the SSH server by clicking Helix Menu -> Services -> Start SSH server; I had to set the password for the user knoppix, and then I was good to go. I then logged in to Helix from my FreeBSD workstation -

[root@trinity /nsm]# ssh knoppix@192.168.0.195
The authenticity of host '192.168.0.195 (192.168.0.195)' can't be established.
DSA key fingerprint is ac:ac:3b:40:23:73:90:2e:36:d3:ea:c4:1b:0e:eb:55.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.195' (DSA) to the list of known hosts.
Password:
Welcome to Helix (Kernel 2.6.14-9)

[knoppix (~)]$ su

Checking the file systems that are set up for mounting at boot -

[root (knoppix)]# cat /etc/fstab
proc /proc proc defaults 0 0
sysfs /sys sysfs noauto 0 0
/dev/pts /dev/pts devpts mode=0622 0 0
/dev/cdrom /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto 0 0
# Added by HELIX
/dev/hda1 /media/hda1 vfat ro,noauto,users,noexec,nodev,noatime,umask=000,shortname=mixed,quiet 0 0
# Added by HELIX
/dev/hda5 /media/hda5 vfat ro,noauto,users,noexec,nodev,noatime,umask=000,shortname=mixed,quiet 0 0
# Added by HELIX
/dev/hda6 /media/hda6 ntfs ro,noauto,users,noexec,nodev,noatime,ro,umask=000 0 0

I have 3 partitions, of which hda6 uses the NTFS file system, so I can remount it with read/write capability by executing

[root (knoppix)]# ntfs-3g /dev/hda6 /media/hda6 -o force
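Before remounting, it is worth seeing exactly how Helix staged each partition in fstab: every "Added by HELIX" line is read-only and noauto, and the ntfs-3g call above is what turns hda6 into a writable mount. The following script is an added example, not part of the post or of Helix; it parses the fstab listing shown above (embedded here so it runs offline), picks out the NTFS entries, reports whether they are read-only, and builds the ntfs-3g command for either a read-only mount (what you want on an evidence drive) or the forced read/write mount the post uses. The option "force" is taken from the post; "ro" is the standard mount option ntfs-3g accepts.

```python
"""Parse an fstab listing and report how each NTFS partition is mounted."""
from dataclasses import dataclass

# The /etc/fstab from the post, embedded as sample input for offline use.
HELIX_FSTAB = """\
proc /proc proc defaults 0 0
sysfs /sys sysfs noauto 0 0
/dev/pts /dev/pts devpts mode=0622 0 0
/dev/cdrom /media/cdrom0 udf,iso9660 user,noauto 0 0
/dev/fd0 /media/floppy0 auto rw,user,noauto 0 0
# Added by HELIX
/dev/hda1 /media/hda1 vfat ro,noauto,users,noexec,nodev,noatime,umask=000,shortname=mixed,quiet 0 0
# Added by HELIX
/dev/hda5 /media/hda5 vfat ro,noauto,users,noexec,nodev,noatime,umask=000,shortname=mixed,quiet 0 0
# Added by HELIX
/dev/hda6 /media/hda6 ntfs ro,noauto,users,noexec,nodev,noatime,ro,umask=000 0 0
"""

@dataclass
class FstabEntry:
    device: str
    mountpoint: str
    fstype: str
    options: list

def parse_fstab(text):
    """Return one FstabEntry per non-comment line with at least four fields."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        entries.append(FstabEntry(fields[0], fields[1], fields[2], fields[3].split(",")))
    return entries

def is_read_only(entry):
    """Mount semantics: the last of ro/rw in the option list wins; default is rw."""
    mode = "rw"
    for opt in entry.options:
        if opt in ("ro", "rw"):
            mode = opt
    return mode == "ro"

def ntfs_entries(text):
    return [e for e in parse_fstab(text) if e.fstype in ("ntfs", "ntfs-3g")]

def ntfs3g_command(entry, read_only=True):
    """Read-only by default; read_only=False reproduces the post's forced rw mount."""
    opt = "ro" if read_only else "force"
    return f"ntfs-3g {entry.device} {entry.mountpoint} -o {opt}"
```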

Now I can read the NTFS file system mounted under /media/hda6

[root (knoppix)]# ls -la /media/hda6
total 371202
-rw------- 2 root root 32666 May 12 22:34 Cool-Ethereal-screenshot.PNG
-rw------- 2 root root 387584 Jul 26 01:29 Enterprise-Network-4.vsd
-rw------- 2 root root 421888 Jul 26 22:20 Enterprise-Network-6.vsd
-rw------- 2 root root 1655134 Apr 20 2005 GCIA.Silver.hi.eps
-rw------- 2 root root 1703856 Apr 12 2005 GCIA.Silver.hi.res.tif
-rw------- 1 root root 24498 Aug 22 05:18 ackcmd.zip
-rw------- 1 root root 62464 Jul 24 13:50 example.vsd
-rw------- 2 root root 1621662 Apr 21 2005 gcia_logos_silver.zip
-rw------- 1 root root 59767 May 24 15:37 hexquiz.pdf
-rw------- 2 root root 60636 May 24 15:37 hexquiz_answers.pdf

I can even delete one of the files, since I have write permission -

[root (knoppix)]# rm -rf /media/hda6/hexquiz.pdf

[root (knoppix)]# ls -la /media/hda6/h*
-rw------- 2 root root 60636 May 24 15:37 /media/hda6/hexquiz_answers.pdf

It's gone. Now I can unmount it with fuse :]

[root (knoppix)]# fusermount -u /media/hda6

This is neat indeed. Have fun with Helix Live CD.

Cheers (;])
