10
FILESYSTEM AND STORAGE DEVICE MANAGEMENT

image

If you are coming from a Windows environment, the way that Linux represents and manages storage devices will look rather different to you. You’ve already seen that the filesystem has no physical representation of the drive, like the C:, D:, or E: system in Windows, but rather has a file tree structure with / at the top, or root, of it. This chapter takes a look at how Linux represents storage devices such as hard drives, flash drives, and other storage devices.

We first look how additional drives and other storage devices are mounted upon that filesystem, leading up to the / (root) directory. Mounting in this context simply means attaching drives or disks to the filesystem to make them accessible to the operating system (OS). For you as a hacker, it’s necessary to understand the file and storage device management system, both on your own system and, often, the system of your target. Hackers commonly use external media to load data, hacking tools, or even their OS. Once you’re on your target system, you need to understand what you’re working with, where to find confidential or other critical files, how to mount a drive to the target, and whether and where you can put those files on your system. We cover all of these topics, plus how to manage and monitor storage devices, in this chapter.

We begin with the directory known as /dev, which you’ve probably already noticed in the directory structure: dev is short for device, and every device in Linux is represented by its own file within the /dev directory. Let’s start out by working with /dev.

The Device Directory /dev

Linux has a special directory that contains files representing each attached device: the appropriately named /dev directory. As your first introduction, navigate to the /dev directory and then perform a long listing on it. You should see something like Listing 10-1.

kali >cd /dev
kali >ls -l
total 0
crw-------   1  root root  10,175  May 16  12:44 agpgart
crw-------   1  root root  10,235  May 16  12:44 autofs
drwxr-xr-x   1  root root     160  May 16  12:44 block
--snip--
lrwxrwxrwx   1  root root       3  May 16  12:44 cdrom -> sr0
--snip--
drwxr-xr-x   2  root root      60  May 16  12:44 cpu
--snip--

Listing 10-1: A long listing of the /dev directory

The devices are displayed in alphabetical order by default. You may recognize some of the devices, such a cdrom and cpu, but others have rather cryptic names. Each device on your system is represented by a file in the /dev directory, including devices you’ve probably never used or even realized existed. On the off chance you do, there is a device file waiting to be used for it.

If you scroll down this screen a bit, you should see more listings of devices. Of particular interest are the devices sda1, sda2, sda3, sdb, and sdb1, which are the hard drive and its partitions and a USB flash drive and its partitions.

--snip--
brw-rw----  1  root root        8,     0    May 16 12:44   sda
brw-rw----  1  root root        8,     1    May 16 12:44   sda1
brw-rw----  1  root root        8,     2    May 16 12:44   sda2
brw-rw----  1  root root        8,     5    May 16 12:44   sda5
brw-rw----  1  root root        8,     16   May 16 12:44   sdb
brw-rw----  1  root root        8,     17   May 16 12:44   sdb1
--snip--

Let’s take a closer look at these.

How Linux Represents Storage Devices

Linux uses logical labels for drives that are then mounted on the filesystem. These logical labels will vary depending on where the drives are mounted, meaning the same hard drive might have different labels at different times, depending on where and when it’s mounted.

Originally, Linux represented floppy drives (remember those?) as fd0 and hard drives as hda. You will still occasionally see these drive representations on legacy Linux systems, but today most floppy drives are gone (thank goodness). Even so, old legacy hard drives that used an IDE or E-IDE interface are still represented in the form hda. Newer Serial ATA (SATA) interface drives and Small Computer System Interface (SCSI) hard drives are represented as sda. Drives are sometimes split up into sections known as partitions, which are represented in the labeling system with numbers, as you’ll see next.

When systems have more than one hard drive, Linux simply names them serially by incrementing the last letter in alphabetical order, so the first drive is sda, and the second drive is sdb, the third drive is sdc, and so on (see Table 10-1). The serial letter after sd is often referred to as the major number.

Table 10-1: Device-Naming System

Device file

Description

sda

First SATA hard drive

sdb

Second SATA hard drive

sdc

Third SATA hard drive

sdd

Fourth SATA hard drive

Drive Partitions

Some drives can be split into partitions in order to manage and separate information. For instance, you may want to separate your hard drive so that your swap file, home directory, and / directory are all on separate partitions—you might want to do this for a number of reasons, including to share resources and to relax the default permissions. Linux labels each partition with a minor number that comes after the drive designation. This way, the first partition on the first SATA drive would be sda1. The second partition would then be sda2, the third sda3, and so on, as illustrated in Table 10-2.

Table 10-2: Partition-Labeling System

Partition

Description

sda1

The first partition (1) on the first (a) SATA drive

sda2

The second (2) partition on the first (a) drive

sda3

The third (3) partition on the first (a) drive

sda4

The fourth (4) partition on the first (a) drive

At times, you may want to view the partitions on your Linux system to see which ones you have and how much capacity is available in each. You can do this by using the fdisk utility. Using the -l switch with fdisk lists all the partitions of all the drives, as shown in Listing 10-2.

kali >fdisk -l
Disk /dev/sda:  20GiB,  21474836480 bytes,  41943040  sectors
Units:  sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x7c06cd70

Device     Boot     Start       End   Sectors    Size  Id Type
/dev/sda1    *       2048  39174143  39172096   18.7G  83 Linux
/dev/sda2        39176190  41940991   2764802    1.3G   5 Extended
/dev/sda5        39176192  41940991   2764800    1.3G  82 Linux swap / Solaris

Disk /dev/sdb: 29.8 GiB, 31999393792 bytes, 62498816 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0xc3072e18

Device     Boot  Start       End   Sectors   Size  Id  Type
/dev/sdb1           32  62498815  62498784  29.8G   7  HPFS/NTFS/exFAT

Listing 10-2: Listing partitions with fdisk

As you can see in Listing 10-2, the devices sda1, sda2, and sda5 are listed in the first stanza. These three devices make up the virtual disk from my virtual machine, which is a 20GB drive with three partitions, including the swap partition (sda5), which acts like virtual RAM—similar to page files in Windows—when RAM capacity is exceeded.

If you scan down Listing 10-2 to the third stanza, you see a second device output designated sdb1—the b label tells us that this drive is separate from the first three devices. This is my 64GB flash drive. Note that fdisk indicates that it is an HPFS/NTFS/ExFAT filesystem type. These file types—High Performance File System (HPFS), New Technology File System (NTFS), and Extended File Allocation Table (exFAT)—are not native to Linux systems but rather to macOS and Windows systems. It’s worth being able to recognize file types native to different systems when you investigate. The filesystem might indicate what kind of machine the drive was formatted on, which can be valuable information. Kali is able to utilize USB flash drives created on many different operating systems.

As you saw in Chapter 1, the Linux filesystem is structured significantly differently than are Windows and other proprietary operating systems. On top of this, the way files are stored and managed is different in Linux, too. New versions of Windows use an NTFS filesystem, whereas older Windows systems use File Allocation Table (FAT) systems. Linux uses a number of different types of filesystems, but the most common are ext2, ext3, and ext4. These are all iterations of the ext (or extended) filesystem, with ext4 being the latest.

Character and Block Devices

Something else to note about the naming of device files in the /dev directory is that the first position contains either c or b. You can see this in Listing 10-1 at the start of most of the entries, and it looks something like this:

crw-------   1  root root  10,175  May 16  12:44 agpgart

These letters represent the two ways that devices transfer data in and out. The c stands for character, and these devices are known, as you might expect, as character devices. External devices that interact with the system by sending and receiving data character by character, such as mice or keyboards, are character devices.

The b stands for the second type: block devices. They communicate in blocks of data (multiple bytes at a time) and include devices like hard drives and DVD drives. These devices require higher-speed data throughput and therefore send and receive data in blocks (many characters or bytes at a time). Once you know whether a device is a character or block device, you can easily get more information about it, as you’ll see next.

List Block Devices and Information with lsblk

The Linux command lsblk, short for list block, lists some basic information about each block device listed in /dev. The result is similar to the output from fdisk -l, but it will also display devices with multiple partitions in a kind of tree, showing each device with its partitions as branches, and does not require root privileges to run. In Listing 10-3, for example, we see sda, with its branches sda1, sda2, and sda5.

kali >lsblk
Name      MAJ:MIN  RM  SIZE  RO  TYPE  MOUNTPOINT
fd0         2:0     1    4K   0  disk
sda1        8:0     0   20G   0  disk
|-sda1      8:1     0 18.7G   0  part  /
|-sda2      8:2     0    1K   0  part
|-sda5      8:5     0  1.3G   0  part  [SWAP]
sdb         8:16    1 29.8G   0  disk
|-sdb1      8.17    1 29.8G   0  disk  /media
sr0         11:0    1  2.7G   0  rom

Listing 10-3: Listing block device information with lsblk

The output includes the floppy drive as fd0 and DVD drive as sr0, even though neither is on my system—this is simply a holdover from legacy systems. We can also see information on the mount point of the drive—this is the position at which the drive was attached to the filesystem. Note that the hard drive sda1 is mounted at / and the flash drive is mounted at /media. You’ll see more on the significance of this in the next section.

Mounting and Unmounting

Most modern operating systems, including most new versions of Linux, automount storage devices when they’re attached, meaning the new flash drive or hard drive is automatically attached to the filesystem. For those new to Linux, mounting might be a foreign subject.

A storage device must be first physically connected to the filesystem and then logically attached to the filesystem in order for the data to be made available to the operating system. In other words, even if the device is physically attached to the system, it is not necessarily logically attached and available to the operating system. The term mount is a legacy from the early days of computing when storage tapes (before hard drives) had to be physically mounted to the computer system—think of those big computers with spinning tape drives you might have seen old sci-fi movies.

As mentioned, the point in the directory tree where devices are attached is known as the mount point. The two main mount points in Linux are /mnt and /media. As a general rule, internal hard drives are mounted at /mnt, and external USB devices such as flash drives and external USB hard drives are mounted at /media, though technically any directory can be used.

Mounting Storage Devices Yourself

In some versions of Linux, you need to mount a drive manually in order to access its content, so this is a skill worth learning. To mount a drive on the filesystem, use the mount command. The mount point for the device should be an empty directory; if you mount a device on a directory that has subdirectories and files, the mounted device will cover the contents of the directory, making them invisible and unavailable. So, to mount the new hard drive sdb1 at the /mnt directory, you would enter the following:

kali >mount /dev/sdb1 /mnt

That hard drive should then be available for access. If you want to mount the flash drive sdc1 at the /media directory, you would enter this:

kali >mount /dev/sdc1 /media

The filesystems that are mounted on a system are kept in a file at /etc/fstab (short for filesystem table), which is read by the system at every bootup.

Unmounting with umount

If you’re coming from a Mac or Windows background, you’ve probably unmounted a drive without knowing it. Before you remove a flash drive from your system, you “eject” it to keep from causing damage to the files stored on the device. Eject is just another word for unmount.

Similar to the mount command, you can unmount a second hard drive by entering the umount command followed by the file entry of the device in the /dev directory, such as /dev/sdb. Note that the command is not spelled unmount but rather umount (no n).

kali >umount /dev/sdb1

You cannot unmount a device that is busy, so if the system is reading or writing to the device, you will just receive an error.

Monitoring Filesystems

In this section, we look at some commands for monitoring the state of the filesystem—a skill necessary for any hacker or system administrator. We’ll get some info about mounted disks and then check for and fix errors. Storage devices are particularly error prone, so it’s worth learning this skill.

Getting Information on Mounted Disks

The command df (for disk free) will provide us with basic information on any hard disks or mounted devices, such as CD, DVD, and flash drives, including how much space is being used and how much is available (see Listing 10-4). Without any options, df defaults to the first drive on your system (in this case, sda). If you want to check a different drive, simply follow the df command with the drive representation you want to check (for example, df sdb).

kali >df
Filesystem          1K-Blocks      Used  Available Use%     Mounted on
rootfs               19620732  17096196    1504788  92%     /
udev                    10240         0      10240   0%     /dev
--snip--

/dev/sdb1            29823024  29712544     110480  99%     /media/USB3.0

Listing 10-4: Getting information on disks and mounted devices with df

The first line of output here shows category headers, and then we get the information. The disk space is given in 1KB blocks. On the second line, we see that rootfs has 19,620,732 one-kilobyte blocks, of which it is using 17,096,196 (or about 92 percent), leaving 1,504,788 available. The df command also tells us that this filesystem is mounted on the top of the filesystem /.

In the last line, you can see my USB flash drive. Note that it is designated /dev/sdb1, is nearly 100 percent full, and is mounted at /media/USB3.0.

As a recap, my virtual disk on this system is designated sda1, which breaks down as follows:

sd SATA hard drive

a First hard drive

1 First partition on that drive

My 64GB flash drive is designated as sdb1, and my external drive as sdc1.

Checking for Errors

The fsck command (short for filesystem check) checks the filesystem for errors and repairs the damage, if possible, or else puts the bad area into a bad blocks table to mark it as bad. To run the fsck command, you need to specify the filesystem type (the default is ext2) and the device file to check. It’s important to note that you must unmount the drive before running a filesystem check. If you fail to unmount the mounted device, you will receive the error message shown in Listing 10-5.

kali >fsck
fsck from util-linux 2.20.1
e2fsck 1.42.5 (29-Jul-2012)
/dev/sda1 is mounted
e2fsck: Cannot continue, aborting.

Listing 10-5: Trying (and failing) to run an error check on a mounted drive

So, the first step when performing a filesystem check is to unmount the device. In this case, I will unmount my flash drive to do a filesystem check:

kali >umount /dev/sdb1

I can add the -p option to have fsck automatically repair any problems with the device, like so:

kali >fsck -p /dev/sdb1

With the device unmounted, I can now check for any bad sectors or other problems with the device, as follows:

kali >fsck -p /dev/sdb1
fsck from util-linux 2.30.2
exfatfsck 1.2.7
Checking file system on /dev/sdb1.
File system version           1.0
Sector size                 512 bytes
Cluster size                 32 KB
Volume size                7648 MB
Used space                 1265 MB
Available space            6383 MB
Totally 20 directories and 111 files.
File system checking finished. No errors found.

Summary

Understanding how Linux designates and manages its devices is crucial for any Linux user and hacker. Hackers will need to know what devices are attached to a system and how much space is available. Because storage devices often develop errors, we can check and repair those errors with fsck. The dd command is capable of making a physical copy of a device, including any deleted files.