LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 03-21-2013, 09:35 AM   #1
jamesblue
LQ Newbie
 
Registered: Mar 2013
Posts: 8

Rep: Reputation: Disabled
Possible to know wether usb stick has been mounted any another person/computer?


I've got a usb memory stick.

If I put it down and forget to pick it up, I worry that the text files on the stick may have been viewed.

Is there a way I can know if someone has just even mounted the stick (on any operating system?). I know about encryption, but I was wondering specifically about the drive simply being mounted, is there a way to tell?
 
Old 03-21-2013, 12:03 PM   #2
rtmistler
Senior Member
 
Registered: Mar 2011
Location: Milford, MA. USA
Distribution: Angstrom, Debian, Ubuntu, MINT
Posts: 1,209
Blog Entries: 7

Rep: Reputation: 487Reputation: 487Reputation: 487Reputation: 487Reputation: 487
I'd just recommend using truecrypt and leave it at that if you really have a legitimate concern that someone else not inadvertently view your data.

After all, what happens if you take it to work/school/library, place it on a system there and then forget to take it away with you? Or if you literally lose it? Then it's lost forever and whatever is on it is now visible to any random person who has access to that system.
 
1 members found this post helpful.
Old 03-22-2013, 02:54 AM   #3
jamesblue
LQ Newbie
 
Registered: Mar 2013
Posts: 8

Original Poster
Rep: Reputation: Disabled
Yes I'll just use Truecrypt.

Thanks rtmistler
 
Old 03-22-2013, 03:46 PM   #4
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 539

Rep: Reputation: 51
sure,
windows keeps a record of the USB "id" that has been attached and when. you can simply pull that from the registry. for nix i am not sure.

check out USBDeview by NirSoft

Last edited by Linux_Kidd; 03-22-2013 at 04:23 PM.
 
Old 03-22-2013, 03:52 PM   #5
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
Have a look at dmesg (/var/log/dmesg or run the dmesg command). You will undoubtedly want to filter it to find the relevant information so as an example:
Code:
dmesg | grep -i usb
 
1 members found this post helpful.
Old 03-22-2013, 04:01 PM   #6
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 2,234

Rep: Reputation: 577Reputation: 577Reputation: 577Reputation: 577Reputation: 577Reputation: 577
The simple answer though, is:

No - it is not possible to know if someone else mounted the memory stick on a different computer.

To do that would require the memory stick itself to be able to record each mount... and it has nowhere to log that, nor does it have access to information to identify the host/person doing the mount.
 
1 members found this post helpful.
Old 03-22-2013, 04:10 PM   #7
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
You can also take precautions against this sort of thing happening again in the future. The best method is to probably just use Truecrypt if you want compatibility across systems, such as with Windows. There are also methods to use the built in ecryptfs in Linux. If you aren't concerned about Windows support, format the device with an ext file system and then you have the atime parameter from the file system to see when files were last accessed. You can also configure things such that root permissions are required to mount the device.

See the following for some info on using atime: http://linuxpoison.blogspot.com/2008...and-mtime.html and http://tldp.org/LDP/solrhe/Securing-...hap6sec73.html
 
1 members found this post helpful.
Old 03-23-2013, 04:48 AM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,452
Blog Entries: 54

Rep: Reputation: 2895Reputation: 2895Reputation: 2895Reputation: 2895Reputation: 2895Reputation: 2895Reputation: 2895Reputation: 2895Reputation: 2895Reputation: 2895Reputation: 2895
Quote:
Originally Posted by jpollard View Post
The simple answer though, is:
No - it is not possible to know if someone else mounted the memory stick on a different computer.
While an USB stick itself may not possess any functionality to record mounting hosts or users file systems indeed record changes as Noway2's excellent Syslog and atime remarks shows. Additionally a file system may record the last mount time in its superblock as for example dumpe2fs or tune2fs output would show. While from a forensics point of view this data should not be viewed as conclusive and while it is not recorded for auditing purposes it may be useful when trying to establish a time line in combination with other evidence.

Ergo the answer is neither "simple" or "no".
 
1 members found this post helpful.
Old 03-23-2013, 05:09 AM   #9
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 2,234

Rep: Reputation: 577Reputation: 577Reputation: 577Reputation: 577Reputation: 577Reputation: 577
Quote:
Originally Posted by unSpawn View Post
While an USB stick itself may not possess any functionality to record mounting hosts or users file systems indeed record changes as Noway2's excellent Syslog and atime remarks shows. Additionally a file system may record the last mount time in its superblock as for example dumpe2fs or tune2fs output would show. While from a forensics point of view this data should not be viewed as conclusive and while it is not recorded for auditing purposes it may be useful when trying to establish a time line in combination with other evidence.

Ergo the answer is neither "simple" or "no".
You are assuming the filesystem is mounted read/write. A readonly mount doesn't record anything. Nor does using "dd" (or cat, or any of a host of applications) to copy a device without mounting, which also doesn't have any mount records anywhere.

The simple answer is still no - you cannot know for sure if the data hasn't been read by someone else.
 
1 members found this post helpful.
Old 03-23-2013, 05:54 AM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,452
Blog Entries: 54

Rep: Reputation: 2895Reputation: 2895Reputation: 2895Reputation: 2895Reputation: 2895Reputation: 2895Reputation: 2895Reputation: 2895Reputation: 2895Reputation: 2895Reputation: 2895
Quote:
Originally Posted by jpollard View Post
You are assuming the filesystem is mounted read/write. A readonly mount doesn't record anything. Nor does using "dd" (or cat, or any of a host of applications) to copy a device without mounting, which also doesn't have any mount records anywhere.
True.


Quote:
Originally Posted by jpollard View Post
The simple answer is still no - you cannot know for sure if the data hasn't been read by someone else.
As I said before while from a forensics point of view this data should not be viewed as conclusive and while it is not recorded for auditing purposes it may be useful when trying to establish a time line in combination with other evidence. Sure while one cannot conclusively establish mount ops based on absence or availability of file system data alone that doesn't automagically mean the chance of determining it equals zero always.
 
1 members found this post helpful.
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: USB Stick Size Computer 'Cotton Candy' Running Ubuntu 11.04 And Android 4.0 ICS LXer Syndicated Linux News 0 01-11-2012 01:41 AM
Best distro=Not me but for elderly person to use on older computer digital8doug General 9 11-15-2006 05:54 AM
usb stick gets auto-mounted pranavchoudhary Linux - Newbie 12 02-25-2006 05:31 PM
uninstall question, difficulties for a non computer literate person 123cats Mandriva 6 02-24-2006 02:46 AM
Have you ever taken advantage of a computer clueless person? R00ts General 6 07-27-2004 08:49 PM


All times are GMT -5. The time now is 10:14 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration