
If I've understood correctly, in modern Linux distributions, when an external device (USB stick or IDE/SATA hard disk) is attached to a PC, udev, HAL and Dbus allow the system to manage it.

  • udev - identifies the hardware component that is plugged in and runs a specific application
  • Dbus - is used for inter-process communication
  • HAL - gets information from the udev service, notifying the corresponding desktop application to open the mounted device

QUESTION: I want to install mini-ubuntu to have a basic configuration that avoids the previous steps (autorun, automount, autoplay, etc.). Please, can you tell me what happens when I attach an external device in a minimal Ubuntu configuration? That is, in other words, what is the process chain informing the Ubuntu kernel that an external device has been attached?

Thanks in advance.

applejtter

1 Answer


Note: This is my understanding of the chain, based on my experience with Ubuntu 16.04, so things may change. Also, anyone may correct me if I got it wrong; please share a reference if available.

  • kernel/linux → sysfs → udev → udisks2 → GVolumeMonitor → desktop-manager (usually, same as the file manager).

    udisks2 is the first daemon to provide an API through DBUS. If you don't have it in the mini-ubuntu, or it is not running, no auto-mount will happen. Like in Ubuntu server:

    kernel/linux → sysfs → udev

    Mounting is made manually.

  • OP commented about ISO/IEC 27037 Information technology -- Security techniques -- Guidelines for identification, collection, acquisition and preservation of digital evidence

    OK ... So, Ubuntu and Ubuntu-like O.S. (also if modified) are not an eligible system for Forensic Analysis. This is the truth, as you wrote, because it doesn't fit the standard qualifications required by a court.

    ...

    the suspect device has to be protected by any possible metadata changes ... and this is never guaranteed by Ubuntu 16.04, also if you manually disable the autorun and automount!! This is sure.

    Well, I would say there is a conflict of interest here. Especially the user desktop parts (udisks2, GVolumeMonitor & desktop-manager): they have different aims, to make things more unintended/auto and easy for the user.

    We shouldn't make assumptions about tools prepared for general users (like those coming from the Free Desktop & Gnome projects); even the kernel may need some tuning.

    Better to stick to OSes (same case for MS Windows & macOS) that are built for Forensic Analysis specifically.

    Guarantee! If you are talking about professional use like in court, that is really a hard topic here. In the end, I couldn't find any post on the Ubuntu official site that mentions getting Ubuntu certified for ISO/IEC 27037.

user.dz
  • OK ... So, Ubuntu and Ubuntu-like O.S. (also if modified) are not an eligible system for Forensic Analysis. This is the truth, as you wrote, because it doesn't fit the standard qualifications required by a court. – applejtter May 09 '18 at 17:27
  • @vince66, Sorry, I am not sure what you are trying to do, nor am I familiar with the forensic analysis topic. Could you add a reference link to that standard? – user.dz May 09 '18 at 18:31
  • Of course ... standard ISO 27037! – applejtter May 09 '18 at 20:46
  • the suspect device has to be protected by any possible metadata changes ... and this is never guaranteed by Ubuntu 16.04, also if you manually disable the autorun and automount!! This is sure. – applejtter May 09 '18 at 20:54
  • https://www.iso.org/standard/44381.html – applejtter May 09 '18 at 20:59
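
The kernel → udev part of the chain in the answer can be watched with `udevadm monitor --kernel --udev --property`. The following is an added example, not code from the original thread: it parses a constructed sample of that output (device path, timestamps and property values are made up) to show the raw kernel uevent arriving first and what udev adds on top of it when it processes the device.

```python
import re

# Constructed sample, laid out like `udevadm monitor --kernel --udev --property` output.
DEVPATH = "/devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/host4/target4:0:0/4:0:0:0/block/sdb/sdb1"
SAMPLE = f"""\
KERNEL[5021.118402] add      {DEVPATH} (block)
ACTION=add
DEVNAME=/dev/sdb1
DEVTYPE=partition
SUBSYSTEM=block

UDEV  [5021.164977] add      {DEVPATH} (block)
ACTION=add
DEVNAME=/dev/sdb1
DEVTYPE=partition
SUBSYSTEM=block
ID_BUS=usb
ID_FS_TYPE=vfat
ID_FS_USAGE=filesystem
"""

HEADER = re.compile(r"^(KERNEL|UDEV)\s*\[(\d+\.\d+)\]\s+(\w+)\s+(\S+)\s+\((\w+)\)$")

def parse_events(text):
    """Split monitor output into dicts: source, time, action, devpath, props."""
    events, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = {"source": m[1], "time": float(m[2]), "action": m[3],
                       "devpath": m[4], "subsystem": m[5], "props": {}}
            events.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current["props"][key.strip()] = value.strip()
    return events

def chain_for(events, devname):
    """Ordered (source, action) pairs for one device node: kernel uevent, then udev."""
    hits = [e for e in events if e["props"].get("DEVNAME") == devname]
    return [(e["source"], e["action"]) for e in sorted(hits, key=lambda e: e["time"])]

def added_by_udev(events, devname):
    """Properties present in the UDEV event but absent from the raw KERNEL uevent."""
    by_src = {e["source"]: e["props"] for e in events if e["props"].get("DEVNAME") == devname}
    return {k: v for k, v in by_src.get("UDEV", {}).items() if k not in by_src.get("KERNEL", {})}

if __name__ == "__main__":
    evs = parse_events(SAMPLE)
    print(chain_for(evs, "/dev/sdb1"))
    print(added_by_udev(evs, "/dev/sdb1"))
```

The `ID_FS_*` values only appear in the UDEV event because udev fills them in from its built-in blkid probe of the device, before udisks2 or any desktop component is involved.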