1

I’m a beginner programmer and I'm try to learn how to successfully mount a disk image and analyse it but can't fine any guides online or any mention on web pages. I’ve set myself the task as I’m thinking of joining a computer forensics course next year and believe these skills will give me a head start.

This is the code I've made so far but I've become stuck. I want the script to be able to extract command history data for all users, and also log successful and unsuccessful login attempts from log files such as /var/log/wtmp.

I’m not exactly looking for someone to complete the code (as that would be counterproductive) but to point me towards hints and tips, guides and tutorials to get over these early stage of programming.

#!/bin/bash
mount="/myfilesystem"

if grep -qs "$mount" /proc/mounts; then
  echo "It's mounted."
else
  echo "It's not mounted."
  mount "$mount"
  if [ $? -eq 0 ]; then
   echo "Mount success!"
  else
   echo "Something went wrong with the mount..."
  fi
fi


sudo fdisk -l | grep/bin /sbin
Toby Speight
  • 27,591
  • 48
  • 66
  • 103
James
  • 25
  • 8
  • If you're doing forensics, make sure you're working with a copy of the original block devices (e.g. with `dd`) - don't `mount` the original, and definitely don't mount it read-write! – Toby Speight Mar 10 '17 at 11:08

1 Answers1

1

For mounting a filesystem, you need two arguments at least.

  1. The image file or block device to be mounted and
  2. The place where to mount it in your filesystem

So, if you want to mount some external USB drive, that e.g. shows as /dev/sda and has a single partition (sda1), you need to do the following:

  1. Find or create a directory to mount your device (easiest as root), say you created a directory /root/mountpoint
  2. Execute the mount command: mount /dev/sda1 /root/mountpoint

You then can step into the mounted filesystem cd /root/mountpoint and look around.

Just as a sidenote: For forensics, you should always draw an image from the device (e.g. dd if=/dev/sda1 of=/root/disk.img) to avoid destroying any evidence and then mount it through the loop driver (losetup /dev/loop1 /root/disk.img; mount /dev/loop1 /root/mountpoint).

Hope this gives you a hint to start over...

themole
  • 363
  • 3
  • 12
  • Any suggestions on how i could allow the user to bypass the mounting of the disk image file? – James Mar 13 '17 at 11:13
  • For mounting real disks, there is some auto-mount functionality in nearly every linux distro integrated. There are some rules defined, wehre to mount e.g. CDROMs, USB disks,... usually below /mnt or /media. A disk image FILE is just a file... Easiest solution: Write a script, that does all the steps and provide it to the user. – themole Mar 13 '17 at 20:53