Automounting read-only

Hello,

Thank you for making CAINE!

I am a new CAINE user. Will someone please describe the method CAINE uses Nautilus/Disk Mounter applet to mount devices read-only and to not write to swap? I'd like to understand and verify the method before using CAINE for forensics.

Thank you,
slo.sleuth

We decided to implement the same mounting process of Helix (in the last free downloadable version).

1. Mounting device.
We install a modded rebuildfstab device mounter (originally from Knoppix) that mount every device with ro, noatime and noexec option inside /etc/fstab. The file rebuildfstab is located in /usr/sbin and to work properly also fstype, scanpartition, disktype and gawk must be installed.
A rule inside /etc/udev/rules (91-fstab.rules) is also set to execute rebuildfstab.

This is a sample of rebuildfstab code:

Code:

 
    options="ro,noauto,users,noexec,nodev,noatime"
    case "$fstype" in
    ntfs) options="${options},ro,umask=000" ;;
    msdos) options="${options},umask=000,quiet" ;;
    vfat) options="${options},umask=000,shortname=mixed,quiet" ;;
    ext) options="${options}" ;;
    ext2) options="${options}" ;;
    ext3) options="${options}" ;;
    xfs) options="norecovery,${options}" ;;
    jfs) options="nointegrity,${options}" ;;
    reiserfs) options="nolog,${options}" ;;
    hfs) options="${options}" ;;
    hfsplus) options="${options}" ;;

2. Swap issue
As rebuildfstab is executed from the very beginning of the boot, we inserted "swapoff -a" to prevent swap space to be used and added inside /etc/fstab.

Thanks for the disclosure Giancarlo,

You're making me a real fan of CAINE with your willingness to share information, something I found lacking with the Helix devs. I'm creating my CAINE usb devices today and look forward to working with you.

I am developing an automated tool to examine Apple iPod's for ownership information that I will be happy to share with you and your team. iPods are a favorite theft item in my area and I am frequently called upon to try to identify the true owner, even in a restored device. My BASH skills are not the best, but the tool is effective in testing. Once I finalize the first version, maybe you'd like to look at it?

slo.sleuth

You are welcome! We are truly open source here!

It would be very interesting share a useful tool for iPod! Contact me via mail, if you want!

I am running an UBUNTU system and trying to get the rebuildfstab work somehow. Can you advice what should i do to get it work ?? I have copied udev rules and rebuiledfstab to the required location but somehow the drives are still writeable. Also is there a way by which i can have a desired device with specific label mounted readonly so that i can take images on that device.

aarat wrote:I am running an UBUNTU system and trying to get the rebuildfstab work somehow

I assume that by this comment, you have copied the rbfstab program from /usr/bin in the Caine Live CD into a directory of a previously installed Ubuntu system. Note that "rbfstab", which is installed in the last two Caine releases, and "rebuildfstab" (not currently installed on Caine) are not the same programs. I will proceed with the understanding that we are going to be using rbfstab from Caine 3.0, which is recommended.

aarat wrote:Can you advice what should i do to get it work ?? I have copied udev rules and rebuiledfstab to the required location but somehow the drives are still writeable.

The rbfstab program is located in /usr/sbin on Caine and must be run as administrator. You should copy rbfstab to the same directory on your Ubuntu system. The command:

Code:

rbfstab -h

will show a help to get you started. In short, all you have to do is run the command:

Code:

sudo rbfstab -i

The -i option installs the fstab rule which in turn launches the rbfstab program each time a device is plugged into your system. rbfstab writes new mounting rules in /etc/fstab for devices not currently mounted. Currently mounted devices remain unaffected. To return the mounting policies to stock Ubuntu, simply run the command:

Code:

sudo rbfstab -r

aarat wrote:Also is there a way by which i can have a desired device with specific label mounted readonly so that i can take images on that device.

That is simply a matter of using rbfstab how you wish. You can boot Ubuntu without rbfstab running (meaning you have not run rbfstab -i). Before you plug in a device you want write protected, issue the command rbfstab -i and then attach the device. You can now mount the device read-only. If later, you want to mount another device read-write to copy data from the read-only device, then run the command rbfstab -r and plug in the second device. The first will remain mounted read-only.

NOTE: The best way for you to make use of rbfstab if you are not too familiar with mounting policies, udev rules, and other mounting issues, is to install and use Caine 3.0 rather than modifying your current Ubuntu for the task. There are many more issues that have not been discussed here but are handled by Caine 3.0 to ensure you don't run into trouble.