If you are coming from a Windows environment, the way that Linux represents and manages storage devices will look rather different to you. You’ve already seen that the filesystem has no physical representation of the drive, like the C:, D:, or E: system in Windows, but rather has a file tree structure with / at the top, or root, of it. This chapter takes a look at how Linux represents storage devices such as hard drives, flash drives, and other storage devices.
We first look how additional drives and other storage devices are mounted upon that filesystem, leading up to the / (root) directory. Mounting in this context simply means attaching drives or disks to the filesystem to make them accessible to the operating system (OS). For you as a hacker, it’s necessary to understand the file and storage device management system, both on your own system and, often, the system of your target. Hackers commonly use external media to load data, hacking tools, or even their OS. Once you’re on your target system, you need to understand what you’re working with, where to find confidential or other critical files, how to mount a drive to the target, and whether and where you can put those files on your system. We cover all of these topics, plus how to manage and monitor storage devices, in this chapter.
We begin with the directory known as /dev, which you’ve probably already noticed in the directory structure: dev is short for device, and every device in Linux is represented by its own file within the /dev directory. Let’s start out by working with /dev.
Linux has a special directory that contains files representing each attached device: the appropriately named /dev directory. As your first introduction, navigate to the /dev directory and then perform a long listing on it. You should see something like Listing 10-1.
kali >cd /dev
kali >ls -l
total 0
crw------- 1 root root 10,175 May 16 12:44 agpgart
crw------- 1 root root 10,235 May 16 12:44 autofs
drwxr-xr-x 1 root root 160 May 16 12:44 block
--snip--
lrwxrwxrwx 1 root root 3 May 16 12:44 cdrom -> sr0
--snip--
drwxr-xr-x 2 root root 60 May 16 12:44 cpu
--snip--
Listing 10-1: A long listing of the /dev directory
The devices are displayed in alphabetical order by default. You may recognize some of the devices, such a cdrom and cpu, but others have rather cryptic names. Each device on your system is represented by a file in the /dev directory, including devices you’ve probably never used or even realized existed. On the off chance you do, there is a device file waiting to be used for it.
If you scroll down this screen a bit, you should see more listings of devices. Of particular interest are the devices sda1, sda2, sda3, sdb, and sdb1, which are the hard drive and its partitions and a USB flash drive and its partitions.
--snip--
brw-rw---- 1 root root 8, 0 May 16 12:44 sda
brw-rw---- 1 root root 8, 1 May 16 12:44 sda1
brw-rw---- 1 root root 8, 2 May 16 12:44 sda2
brw-rw---- 1 root root 8, 5 May 16 12:44 sda5
brw-rw---- 1 root root 8, 16 May 16 12:44 sdb
brw-rw---- 1 root root 8, 17 May 16 12:44 sdb1
--snip--
Let’s take a closer look at these.
Linux uses logical labels for drives that are then mounted on the filesystem. These logical labels will vary depending on where the drives are mounted, meaning the same hard drive might have different labels at different times, depending on where and when it’s mounted.
Originally, Linux represented floppy drives (remember those?) as fd0 and hard drives as hda. You will still occasionally see these drive representations on legacy Linux systems, but today most floppy drives are gone (thank goodness). Even so, old legacy hard drives that used an IDE or E-IDE interface are still represented in the form hda. Newer Serial ATA (SATA) interface drives and Small Computer System Interface (SCSI) hard drives are represented as sda. Drives are sometimes split up into sections known as partitions, which are represented in the labeling system with numbers, as you’ll see next.
When systems have more than one hard drive, Linux simply names them serially by incrementing the last letter in alphabetical order, so the first drive is sda, and the second drive is sdb, the third drive is sdc, and so on (see Table 10-1). The serial letter after sd is often referred to as the major number.
Table 10-1: Device-Naming System
Device file |
Description |
sda |
First SATA hard drive |
sdb |
Second SATA hard drive |
sdc |
Third SATA hard drive |
sdd |
Fourth SATA hard drive |
Some drives can be split into partitions in order to manage and separate information. For instance, you may want to separate your hard drive so that your swap file, home directory, and / directory are all on separate partitions—you might want to do this for a number of reasons, including to share resources and to relax the default permissions. Linux labels each partition with a minor number that comes after the drive designation. This way, the first partition on the first SATA drive would be sda1. The second partition would then be sda2, the third sda3, and so on, as illustrated in Table 10-2.
Table 10-2: Partition-Labeling System
Partition |
Description |
sda1 |
The first partition (1) on the first (a) SATA drive |
sda2 |
The second (2) partition on the first (a) drive |
sda3 |
The third (3) partition on the first (a) drive |
sda4 |
The fourth (4) partition on the first (a) drive |
At times, you may want to view the partitions on your Linux system to see which ones you have and how much capacity is available in each. You can do this by using the fdisk utility. Using the -l switch with fdisk lists all the partitions of all the drives, as shown in Listing 10-2.
kali >fdisk -l
Disk /dev/sda: 20GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x7c06cd70
Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 39174143 39172096 18.7G 83 Linux
/dev/sda2 39176190 41940991 2764802 1.3G 5 Extended
/dev/sda5 39176192 41940991 2764800 1.3G 82 Linux swap / Solaris
Disk /dev/sdb: 29.8 GiB, 31999393792 bytes, 62498816 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0xc3072e18
Device Boot Start End Sectors Size Id Type
/dev/sdb1 32 62498815 62498784 29.8G 7 HPFS/NTFS/exFAT
Listing 10-2: Listing partitions with fdisk
As you can see in Listing 10-2, the devices sda1, sda2, and sda5 are listed in the first stanza. These three devices make up the virtual disk from my virtual machine, which is a 20GB drive with three partitions, including the swap partition (sda5), which acts like virtual RAM—similar to page files in Windows—when RAM capacity is exceeded.
If you scan down Listing 10-2 to the third stanza, you see a second device output designated sdb1—the b label tells us that this drive is separate from the first three devices. This is my 64GB flash drive. Note that fdisk indicates that it is an HPFS/NTFS/ExFAT filesystem type. These file types—High Performance File System (HPFS), New Technology File System (NTFS), and Extended File Allocation Table (exFAT)—are not native to Linux systems but rather to macOS and Windows systems. It’s worth being able to recognize file types native to different systems when you investigate. The filesystem might indicate what kind of machine the drive was formatted on, which can be valuable information. Kali is able to utilize USB flash drives created on many different operating systems.
As you saw in Chapter 1, the Linux filesystem is structured significantly differently than are Windows and other proprietary operating systems. On top of this, the way files are stored and managed is different in Linux, too. New versions of Windows use an NTFS filesystem, whereas older Windows systems use File Allocation Table (FAT) systems. Linux uses a number of different types of filesystems, but the most common are ext2, ext3, and ext4. These are all iterations of the ext (or extended) filesystem, with ext4 being the latest.
Something else to note about the naming of device files in the /dev directory is that the first position contains either c or b. You can see this in Listing 10-1 at the start of most of the entries, and it looks something like this:
crw------- 1 root root 10,175 May 16 12:44 agpgart
These letters represent the two ways that devices transfer data in and out. The c stands for character, and these devices are known, as you might expect, as character devices. External devices that interact with the system by sending and receiving data character by character, such as mice or keyboards, are character devices.
The b stands for the second type: block devices. They communicate in blocks of data (multiple bytes at a time) and include devices like hard drives and DVD drives. These devices require higher-speed data throughput and therefore send and receive data in blocks (many characters or bytes at a time). Once you know whether a device is a character or block device, you can easily get more information about it, as you’ll see next.
The Linux command lsblk, short for list block, lists some basic information about each block device listed in /dev. The result is similar to the output from fdisk -l, but it will also display devices with multiple partitions in a kind of tree, showing each device with its partitions as branches, and does not require root privileges to run. In Listing 10-3, for example, we see sda, with its branches sda1, sda2, and sda5.
kali >lsblk
Name MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
fd0 2:0 1 4K 0 disk
sda1 8:0 0 20G 0 disk
|-sda1 8:1 0 18.7G 0 part /
|-sda2 8:2 0 1K 0 part
|-sda5 8:5 0 1.3G 0 part [SWAP]
sdb 8:16 1 29.8G 0 disk
|-sdb1 8.17 1 29.8G 0 disk /media
sr0 11:0 1 2.7G 0 rom
Listing 10-3: Listing block device information with lsblk
The output includes the floppy drive as fd0 and DVD drive as sr0, even though neither is on my system—this is simply a holdover from legacy systems. We can also see information on the mount point of the drive—this is the position at which the drive was attached to the filesystem. Note that the hard drive sda1 is mounted at / and the flash drive is mounted at /media. You’ll see more on the significance of this in the next section.
Most modern operating systems, including most new versions of Linux, automount storage devices when they’re attached, meaning the new flash drive or hard drive is automatically attached to the filesystem. For those new to Linux, mounting might be a foreign subject.
A storage device must be first physically connected to the filesystem and then logically attached to the filesystem in order for the data to be made available to the operating system. In other words, even if the device is physically attached to the system, it is not necessarily logically attached and available to the operating system. The term mount is a legacy from the early days of computing when storage tapes (before hard drives) had to be physically mounted to the computer system—think of those big computers with spinning tape drives you might have seen old sci-fi movies.
As mentioned, the point in the directory tree where devices are attached is known as the mount point. The two main mount points in Linux are /mnt and /media. As a general rule, internal hard drives are mounted at /mnt, and external USB devices such as flash drives and external USB hard drives are mounted at /media, though technically any directory can be used.
In some versions of Linux, you need to mount a drive manually in order to access its content, so this is a skill worth learning. To mount a drive on the filesystem, use the mount command. The mount point for the device should be an empty directory; if you mount a device on a directory that has subdirectories and files, the mounted device will cover the contents of the directory, making them invisible and unavailable. So, to mount the new hard drive sdb1 at the /mnt directory, you would enter the following:
kali >mount /dev/sdb1 /mnt
That hard drive should then be available for access. If you want to mount the flash drive sdc1 at the /media directory, you would enter this:
kali >mount /dev/sdc1 /media
The filesystems that are mounted on a system are kept in a file at /etc/fstab (short for filesystem table), which is read by the system at every bootup.
If you’re coming from a Mac or Windows background, you’ve probably unmounted a drive without knowing it. Before you remove a flash drive from your system, you “eject” it to keep from causing damage to the files stored on the device. Eject is just another word for unmount.
Similar to the mount command, you can unmount a second hard drive by entering the umount command followed by the file entry of the device in the /dev directory, such as /dev/sdb. Note that the command is not spelled unmount but rather umount (no n).
kali >umount /dev/sdb1
You cannot unmount a device that is busy, so if the system is reading or writing to the device, you will just receive an error.
In this section, we look at some commands for monitoring the state of the filesystem—a skill necessary for any hacker or system administrator. We’ll get some info about mounted disks and then check for and fix errors. Storage devices are particularly error prone, so it’s worth learning this skill.
The command df (for disk free) will provide us with basic information on any hard disks or mounted devices, such as CD, DVD, and flash drives, including how much space is being used and how much is available (see Listing 10-4). Without any options, df defaults to the first drive on your system (in this case, sda). If you want to check a different drive, simply follow the df command with the drive representation you want to check (for example, df sdb).
kali >df
Filesystem 1K-Blocks Used Available Use% Mounted on
rootfs 19620732 17096196 1504788 92% /
udev 10240 0 10240 0% /dev
--snip--
/dev/sdb1 29823024 29712544 110480 99% /media/USB3.0
Listing 10-4: Getting information on disks and mounted devices with df
The first line of output here shows category headers, and then we get the information. The disk space is given in 1KB blocks. On the second line, we see that rootfs has 19,620,732 one-kilobyte blocks, of which it is using 17,096,196 (or about 92 percent), leaving 1,504,788 available. The df command also tells us that this filesystem is mounted on the top of the filesystem /.
In the last line, you can see my USB flash drive. Note that it is designated /dev/sdb1, is nearly 100 percent full, and is mounted at /media/USB3.0.
As a recap, my virtual disk on this system is designated sda1, which breaks down as follows:
sd SATA hard drive
a First hard drive
1 First partition on that drive
My 64GB flash drive is designated as sdb1, and my external drive as sdc1.
The fsck command (short for filesystem check) checks the filesystem for errors and repairs the damage, if possible, or else puts the bad area into a bad blocks table to mark it as bad. To run the fsck command, you need to specify the filesystem type (the default is ext2) and the device file to check. It’s important to note that you must unmount the drive before running a filesystem check. If you fail to unmount the mounted device, you will receive the error message shown in Listing 10-5.
kali >fsck
fsck from util-linux 2.20.1
e2fsck 1.42.5 (29-Jul-2012)
/dev/sda1 is mounted
e2fsck: Cannot continue, aborting.
Listing 10-5: Trying (and failing) to run an error check on a mounted drive
So, the first step when performing a filesystem check is to unmount the device. In this case, I will unmount my flash drive to do a filesystem check:
kali >umount /dev/sdb1
I can add the -p option to have fsck automatically repair any problems with the device, like so:
kali >fsck -p /dev/sdb1
With the device unmounted, I can now check for any bad sectors or other problems with the device, as follows:
kali >fsck -p /dev/sdb1
fsck from util-linux 2.30.2
exfatfsck 1.2.7
Checking file system on /dev/sdb1.
File system version 1.0
Sector size 512 bytes
Cluster size 32 KB
Volume size 7648 MB
Used space 1265 MB
Available space 6383 MB
Totally 20 directories and 111 files.
File system checking finished. No errors found.
Understanding how Linux designates and manages its devices is crucial for any Linux user and hacker. Hackers will need to know what devices are attached to a system and how much space is available. Because storage devices often develop errors, we can check and repair those errors with fsck. The dd command is capable of making a physical copy of a device, including any deleted files.