Getting Data from a Buffalo LinkStation

binarybod
(@binarybod)

I recently had to deal with a Buffalo LinkStation NAS device. Looking round the forum it has been encountered before but no-one has said how they managed to access the files on the device so I thought I would share my attempt.

The Buffalo LinkStation is apparently a small Linux machine that exposes the files using a Samba server.

The model No was LS-W1.OTGL/R1-EU containing 2 x 500GB hard drives. The literature from Buffalo states that the disks can be configured RAID0, RAID1 or JBOD. When questioned the IT guy reckoned he had configured the device as RAID1 (Mirrored).

Acquisition of the data from the disks was straightforward although it was obvious that the disks weren't exact copies of each other (the hashes didn't match and the compressed file sizes were wildly different, more on this later).

The partition tables and the data in some of the partitions seemed to be mirrored (as per the supposed set-up) but Partition 4 on Disk 2 was empty. The partitions were set up as follows:

Partition 1: Type Linux (83), Size 980MB, Formatted Ext3
Partition 2: Type Linux (83), Size 4.7GB, Formatted XFS
Partition 3: Type Linux Swap (82), Size 980MB, Formatted Swap
Partition 4: Type Linux (83), Size 458GB, Formatted XFS

As far as I can tell Partitions 1-3 contain the operating system and partition 4 contains the file data that is exposed by the Samba server. The problem of course is that XFS is not recognised by any of the forensic applications that I use regularly and I therefore can't get at the evidence using these (other than by carving).

I could turn on the Buffalo but that would violate principle 1 of the ACPO guidelines so I want to mount the acquired image if I possibly can in order to extract the information I am after. Luckily XFS has been built in to the Linux kernel since version 2.4 so here is how I mounted my image (which is in EnCase ewf format) in a Linux machine:

Ensure that you have the library and tools installed from the libewf project (http://sourceforge.net/projects/libewf/), sleuthkit (http://www.sleuthkit.org/sleuthkit/) and xfsprogs (http://oss.sgi.com/projects/xfs/).

Note: on my system 'ewfmount' is a soft link to the 'mount_ewf-20090113.py' script from the aforementioned libewf project.

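As root:
# Create mount points for the storage drive, the EWF image and the examination mount
mkdir /mnt/storage /mnt/ewf /mnt/exam
# Mount the drive holding the acquired image files
ntfs-3g /dev/sdb1 /mnt/storage
# Expose the EWF segment files as a single raw image
ewfmount /mnt/storage/[Path to image file].E* /mnt/ewf
# List the partition table to find the start sector of Partition 4
mmls /mnt/ewf/[Image file name]

# Calculate the byte offset to Partition 4 (In my case, Sector 14024808 * 512 = 7180701696)

# Attach a read-only loop device at that offset, then mount the XFS file system
losetup -o7180701696 -r /dev/loop0 /mnt/ewf/[Image file name]
mount -t xfs -o loop /dev/loop0 /mnt/exam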

/mnt/exam now contains the content of partition 4

This worked for me on Disk1 without any problem. In the case of JBOD or RAID0 configured disks then you will obviously have to reconstruct the disk image before mounting the partition in the manner I have outlined.

I have (as yet) no explanation why the files on Partition 4 of Disk1 weren't mirrored to the same partition on Disk2 other than to speculate that the device wasn't set up properly by the IT guy.

Paul

 
Posted : 09/09/2010 7:26 pm
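
The offset calculation in the post (start sector from mmls multiplied by the sector size) can be scripted so the value is not worked out by hand. This is an added example, not part of the original post: the function names and the mmls listing are constructed for illustration, and only the Partition 4 start sector (14024808) is taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): turn mmls output into the
# byte offset and size needed by losetup.

# Constructed mmls listing. Only the Partition 4 start sector (14024808)
# is taken from the post; every other value is made up for illustration.
sample_mmls() {
cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0002008124   0002008062   Linux (0x83)
03:  00:01   0002008125   0012016619   0010008495   Linux (0x83)
04:  00:02   0012016620   0014024744   0002008125   Linux Swap / Solaris x86 (0x82)
05:  -----   0014024745   0014024807   0000000063   Unallocated
06:  00:03   0014024808   0974024807   0960000000   Linux (0x83)
EOF
}

# part_extent SLOT: read mmls output on stdin and print "OFFSET SIZE" in
# bytes for the given slot (e.g. 00:03). Fails if the slot or the sector
# size line is missing.
part_extent() {
    fields=$(awk -v slot="$1" '
        # mmls zero-pads sector numbers; strip the padding so the shell
        # does not read them as octal.
        function nz(s) { sub(/^0+/, "", s); return (s == "" ? "0" : s) }
        /^Units are in/ { split($4, u, "-"); size = u[1] }
        $2 == slot      { start = nz($3); len = nz($5); found = 1 }
        END { if (found && size != "") print size, start, len; else exit 1 }
    ') || return 1
    set -- $fields
    echo "$(( $2 * $1 )) $(( $3 * $1 ))"
}

# Demo: print (do not run) the loop-device command for Partition 4.
# /dev/loop0 and the image path follow the post; --sizelimit is an addition.
if extent=$(sample_mmls | part_extent 00:03); then
    set -- $extent
    echo "losetup -r -o $1 --sizelimit $2 /dev/loop0 /mnt/ewf/[Image file name]"
fi
```

The --sizelimit value keeps the loop device from extending past the last sector of the partition.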