Lect10 - Mounting Flashcards

1
Q

How can you show the partition table of a block device?

A

# fdisk -l /dev/sdX (or # gdisk …)

2
Q

How can you identify the file system?

A

# file -s /dev/sdX or # file -s <imagefile>

3
Q

What is a loop device and how does it work?

A

The loop device allows us to associate a file with a device node. Once the file is associated, we can act on the loop device as if it were a disk or volume.

# losetup /dev/loop0 -o $((2048*512)) --sizelimit $((1021952*512)) evid.raw

then: mount -t ntfs -o ro /dev/loop0 /mnt/analysis

4
Q

How do you unmount a loop device?

A

root@forensicbox:~# umount /mnt/analysis

root@forensicbox:~# losetup -d /dev/loop0

root@forensicbox:~# losetup

returns nothing…

5
Q

How can you specify a loop in the mount command?

A

# mount -t ntfs -o ro,loop,offset=$((2048*512)) evid.raw /mnt/analysis

  • -t ntfs-3g : NTFS file system
  • -t vfat : FAT file system
  • -t ext4 : EXT4 file system
6
Q

What is kpartx and how does it work?

A

If there are multiple partitions in an image, size limits for consecutive loop devices might become a concern. To ease the task of associating multiple partitions with loop devices, we use kpartx.

# kpartx -a -r image.raw

  • -r : Make the mappings read only
  • -a : Add them all at once
  • -l : List the partition mappings that would be added by -a
  • -g : force GUID partition table (GPT)

Once we execute the command above, our mappings are created and we can now access each partition through the /dev/mapper/loop0pX device.

  • # mount -t ext4 -o ro /dev/dm-0 /mnt/analysis OR
  • # mount -t ext4 -o ro /dev/mapper/loop0p1 /mnt/analysis
7
Q

How can you unmount with kpartx?

A

# kpartx -d image.raw

8
Q

How can you mount E01 images?

A

Mount:

  1. # ewfmount image.E01 /mnt/ewf
  2. # fdisk -l /mnt/ewf/ewf1
  3. # kpartx -r -a /mnt/ewf/ewf1
  4. # file -s /dev/dm-*
  5. # mount -o ro -t ntfs-3g /dev/mapper/loop0p1 /mnt/analysis

Unmount:

  1. # umount /mnt/analysis
  2. # kpartx -d /mnt/ewf/ewf1
  3. # fusermount -u /mnt/ewf
9
Q

How can you mount split images?

A

Mount:

  1. # affuse image.000 /mnt/aff
  2. # fdisk -l /mnt/aff/able_3.raw
  3. # kpartx -r -a /mnt/aff/able_3.raw
  4. # file -s /dev/dm-*
  5. # mount -o ro -t ntfs-3g /dev/mapper/loop0p1 /mnt/analysis

Unmount:

  1. # umount /mnt/analysis
  2. # kpartx -d /mnt/aff/able_3.raw
  3. # fusermount -u /mnt/aff
10
Q

What are those additional mount options for:

  1. noatime
  2. nodev
  3. nosuid

A

  1. Do not update inode access times on this filesystem.
  2. Do not interpret character or block special devices on the file system.
  3. Do not allow set-user-identifier or set-group-identifier bits to take effect.