CAINE 1.0 and 1.5 and ext4


Post  scribe63 on Fri Nov 20, 2009 11:50 pm

I just installed an Ubuntu 9.10 server and was using a partition on it to store .dd images. But to my surprise, after downloading and running the CAINE 1.5 live CD, I am stumped by the fact that it is unable to mount my partitions, which are formatted to use the ext4 filesystem.
They are reported in /etc/fstab as using the ext2 filesystem in 1.0 and 1.5.
I initially used DEFT 5 and did not have that issue, but I decided to try CAINE also and came to this realisation.
Do correct me if I am wrong; if not, when will CAINE support ext4?

regards
scribe63

Re: CAINE 1.0 and 1.5 and ext4

Post  denis on Sat Nov 21, 2009 5:12 am

Caine actually does not support the ext4 file system.
Our choice, as developers, has been to rely on Ubuntu 8.04 because this version will be supported up to 2011.
From a forensic point of view we could say that support for ext4 is not essential, according to the philosophy that the system on the live CD is used for imaging operations. It is then possible to analyze the image on another system, which can be a Linux system that implements the most recent support for ext4, allowing the ext4 file system inside the forensic image to be mounted.

It is nevertheless true that, often, the system on the live CD is used for a preview of the suspect disk, in order to assess the actual need for seizure.
Specifically, not being able to mount an ext4 file system could be a problem because at present the Sleuthkit, the only open source tool that would allow a quick preview of a device, through the use of Autopsy, does not support ext4.
Even in the latest version (3.0.1, which is installed on Caine), STK recognizes the ext4 file system generically as extX. The fls tool is able to give us the list of files and directories within the file system, but in fact the icat tool does not work, because of differences in the structure of the ext2/3 and ext4 file systems, and therefore cannot make a nice preview of the file.

The extundelete project (http://extundelete.sourceforge.net) is presented as the only tool that can recover files from an ext4 file system, but in fact it needs to be compiled after downloading the kernel headers, which does not appear feasible on a live CD system.

On Caine, Testdisk can help us; in fact it is able to show the list of files and directories contained in the ext4 file system and recover them, both active and deleted.

I hope this answer is satisfactory and will allow you to continue to use Caine profitably. I apologize for my English.

You could try to translate this: http://www.denisfrati.it/?p=1646

regards
Denis
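
The ext2/3 versus ext4 difference discussed in the reply above is visible in the superblock feature flags, so a dd image can be classified before choosing the workstation that will analyze it. The following is an added example, not part of the original posts: the function names and the sample superblocks are constructed for illustration, while the offsets and flag values are those of the Linux ext2/3/4 on-disk format, and the classification is a heuristic.

```python
import struct

SB_OFFSET = 1024      # primary superblock sits 1024 bytes into the file system
EXT_MAGIC = 0xEF53    # s_magic, little-endian u16 at superblock offset 0x38
COMPAT_HAS_JOURNAL = 0x0004
# Feature bits that only ext4 sets (Linux ext4 on-disk format)
INCOMPAT_EXT4 = {0x0040: "extents", 0x0080: "64bit", 0x0200: "flex_bg"}
RO_COMPAT_EXT4 = {0x0008: "huge_file", 0x0010: "gdt_csum",
                  0x0020: "dir_nlink", 0x0040: "extra_isize"}


def classify_ext(sb: bytes):
    """Heuristic: return (fs_type, ext4_features), or (None, []) if not ext."""
    if len(sb) < 0x68:
        return None, []
    if struct.unpack_from("<H", sb, 0x38)[0] != EXT_MAGIC:
        return None, []
    rev_level = struct.unpack_from("<I", sb, 0x4C)[0]
    compat = incompat = ro_compat = 0
    if rev_level >= 1:  # feature fields are only defined for dynamic-rev superblocks
        compat, incompat, ro_compat = struct.unpack_from("<III", sb, 0x5C)
    feats = [name for bit, name in INCOMPAT_EXT4.items() if incompat & bit]
    feats += [name for bit, name in RO_COMPAT_EXT4.items() if ro_compat & bit]
    if feats:
        return "ext4", feats
    return ("ext3" if compat & COMPAT_HAS_JOURNAL else "ext2"), []


def classify_image(path, partition_offset=0):
    """Read the superblock from a raw (dd) image without mounting it."""
    with open(path, "rb") as img:
        img.seek(partition_offset + SB_OFFSET)
        return classify_ext(img.read(1024))


def make_superblock(compat=0, incompat=0, ro_compat=0, rev=1, magic=EXT_MAGIC):
    """Constructed sample superblock for the demo; not taken from a real disk."""
    sb = bytearray(1024)
    struct.pack_into("<H", sb, 0x38, magic)
    struct.pack_into("<I", sb, 0x4C, rev)
    struct.pack_into("<III", sb, 0x5C, compat, incompat, ro_compat)
    return bytes(sb)


if __name__ == "__main__":
    # Constructed samples: a typical ext4 flag set and a journaled ext3 one
    print(classify_ext(make_superblock(0x4, 0x2 | 0x40 | 0x200, 0x1 | 0x8)))
    print(classify_ext(make_superblock(0x4, 0x2, 0x1)))
```

`classify_image` takes the byte offset of the partition inside a whole-disk image, so it can be pointed at each partition in turn; it only reads, so the evidence file is never modified.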