MOUNTING KNOWN-GOOD BINARIES

In most cases if you insert your USB drive with known-good binaries, it will be automounted. If this isn’t the case on the subject system, you will need to manually mount the drive. Once your drive is mounted you should run a known-good shell located on your drive. You are not done after you run this shell, however. You must set your path to only point at the directories on your USB drive and also reset the LD_LIBRARY_PATH variable to only reference library directories on the USB drive.

The first thing you will want to do is to check that your filesystem has in fact been mounted. Some versions of Linux will not automatically mount an extended (ext2, ext3, or ext4) filesystem. Most Linux systems will automount a FAT or NTFS filesystem, however. Recall that your system binaries must be housed on an extended filesystem in order to preserve their permissions. The easiest way to check if something is mounted is to execute the mount command. The results of running this command with my Linux forensics response drive are shown in Figure 2.3. Notice that my drive is mounted as /dev/sdb with three partitions. The first two partitions are a FAT and ext4 partition for a live version of Linux (SIFT in this case) and the third partition contains 64-bit system binaries.

FIGURE 2.3

Verifying That a USB Drive Is Mounted. In this figure the three highlighted partitions from the USB drive (/dev/sdb) have all been automatically mounted.

If you are unsure what drive letter will be assigned to your incident response drive the dmesg command can often help. The results of running dmesg after inserting a USB drive are shown in Figure 2.4. The portion that demonstrates the drive has been assigned to /dev/sdb is highlighted.

FIGURE 2.4

Result of running dmesg command. The portion that shows drive letter /dev/sdb has been assigned is highlighted.

If you need to manually mount your drive, first create a mount destination by running sudo mkdir /mnt/{destination}, e.g. sudo mkdir /mnt/good-bins or similar. Now that a destination exists, the drive can be mounted using sudo mount /dev/{source partition} /mnt/{destination}, e.g. sudo mount /dev/sdb1 /mnt/good-bins.

Once everything is mounted, change to the root directory for your known-good binaries and then run bash by typing exec bin/bash as shown in Figure 2.5. Once the known-good shell is loaded, the path must be reset to only point to the response drive by running export PATH=$(pwd)/sbin:$(pwd)/bin as shown in Figure 2.6. Here we are using a shell trick: if you enclose a command in parentheses that are preceded by a $, the command is run and its output is substituted in place. Finally, the library path must also be set to point to known-good library files by running export LD_LIBRARY_PATH=$(pwd)/lib64:$(pwd)/lib as shown in Figure 2.7. If you have also copied some of the directories under /usr (recommended), then these paths should also be included in PATH and LD_LIBRARY_PATH.
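The sequence above (confirm the partition is mounted and is an extended filesystem, restrict PATH and LD_LIBRARY_PATH to the drive, then exec the drive's bash) collected into a small POSIX sh script. This is an added example, not the book's own script: the mount point /mnt/good-bins, the function names, and the sample mount output are constructed for illustration. One difference from the figures is noted in the comments: the script exports both variables before exec'ing bash, so the known-good bash itself is loaded with the drive's libraries.

```shell
#!/bin/sh
# Added example (not from the book). Helpers for switching to known-good
# binaries on a mounted response drive. Mount point and sample data are
# assumptions/constructed values.

# Constructed sample of `mount` output: sdb1/sdb2 hold the live SIFT image,
# sdb3 holds the 64-bit known-good binaries, as in Figure 2.3.
MOUNT_SAMPLE='/dev/sda1 on / type ext4 (rw,relatime)
/dev/sdb1 on /media/user/SIFT type vfat (rw,nosuid)
/dev/sdb2 on /media/user/sift-root type ext4 (rw,nosuid)
/dev/sdb3 on /media/user/bins64 type ext4 (rw,nosuid)'

# mount_point_of DEVICE MOUNT_TEXT: print where DEVICE is mounted, or nothing.
# Parses the "dev on mountpoint type fs (opts)" lines that `mount` prints.
mount_point_of() {
    printf '%s\n' "$2" | awk -v dev="$1" '$1 == dev && $2 == "on" { print $3; exit }'
}

# fs_type_of DEVICE MOUNT_TEXT: print the filesystem type of DEVICE, or nothing.
fs_type_of() {
    printf '%s\n' "$2" | awk -v dev="$1" '$1 == dev && $4 == "type" { print $5; exit }'
}

# is_ext_fs DEVICE MOUNT_TEXT: succeed only for ext2/ext3/ext4, the filesystems
# that preserve the Unix permissions on the copied binaries.
is_ext_fs() {
    case "$(fs_type_of "$1" "$2")" in
        ext2|ext3|ext4) return 0 ;;
        *) return 1 ;;
    esac
}

# good_path ROOT: PATH restricted to the response drive, including the
# copied /usr directories the text recommends.
good_path() {
    printf '%s/sbin:%s/bin:%s/usr/sbin:%s/usr/bin\n' "$1" "$1" "$1" "$1"
}

# good_ld_path ROOT: LD_LIBRARY_PATH restricted to the drive's library dirs.
good_ld_path() {
    printf '%s/lib64:%s/lib:%s/usr/lib64:%s/usr/lib\n' "$1" "$1" "$1" "$1"
}

# check_response_partition DEVICE MOUNT_TEXT: print the mount point if DEVICE
# is mounted on an extended filesystem; otherwise explain and fail.
check_response_partition() {
    mp=$(mount_point_of "$1" "$2")
    if [ -z "$mp" ]; then
        echo "$1 is not mounted; use: sudo mkdir /mnt/good-bins && sudo mount $1 /mnt/good-bins" >&2
        return 1
    fi
    if ! is_ext_fs "$1" "$2"; then
        echo "$1 is mounted at $mp but not on ext2/3/4; permissions may be lost" >&2
        return 1
    fi
    printf '%s\n' "$mp"
}

# use_known_good ROOT: the real switch-over. Not run by the checks above; call
# it by hand after check_response_partition succeeds, e.g.
#   use_known_good "$(check_response_partition /dev/sdb3 "$(mount)")"
# Unlike Figures 2.5-2.7, the exports happen before exec so that the
# known-good bash is itself loaded with the drive's libraries.
use_known_good() {
    cd "$1" || return 1
    PATH=$(good_path "$1"); export PATH
    LD_LIBRARY_PATH=$(good_ld_path "$1"); export LD_LIBRARY_PATH
    exec "$1/bin/bash"
}
```

Run check_response_partition against the live `mount` output on the subject system; the constructed MOUNT_SAMPLE is only there so the helpers can be exercised offline.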

FIGURE 2.5

Executing the known-good bash shell.

FIGURE 2.6

Making the path point to known-good binaries.

FIGURE 2.7

Making the library path point to known-good files.
