Hello everyone, I am a new member in the Linux community...

Could anyone explain why we mount the disk for forensic situations or generally why we mount HDD or USB thumb in Linux?

best

Mounting the disk is necessary to make it readable or writable in a specific known location. Disks can be mounted read-only (as in the case for forensic / data recovery situations) or more commonly read-write.

Simplistically, mounting tells the underlying O/S how to treat a disk and where to make it appear in the file system.

(Windows also mounts disks, it just does it a lot more "behind the scenes")

USB tend to be automatically mounted under a certain file system location (mount point) depending on how the underlying O/S is configured.

1 members found this post helpful.

see man mount:

1 members found this post helpful.

Or to put it another way: anything can access a device as a raw object and read data from it. To do so the application needs to have the structure and data formats coded in and find that format that it expects. The application needs to know how to find the block it needs in that sea of data and how to read and buffer it for use.

If the operating system has been informed about the expected structure and detects that format, and MOUNTS the data, then the application only needs to know how to ask the operating system for the specific block of data using a generalized format (files and folders). The OS does the more involved job of structuring search, find, read, and buffer and only needs to serve the requests properly, and the application can be smaller, more simple, and fast.

Virtually all of the standard GNU tools are written to work on data that is mounted and addressed using the standard tree/file structure.

There are things that are best done ONLY with raw access, getting the OS and some of the drivers out of the way. For everything else, it makes better sense to mount the volume and let the OS help.

And that applies only to READING the data. When it comes to WRITING the data the slightest error has the potential to corrupt or destroy the data or structure so that it is difficult or impossible to use. Clearly, this is something where operating through a filter known to detect and use the structure properly is standadized and well tested to ensure that it is without fatal flaws.

Many things are done only with a volume mounted so that it can be easily accessed safely. If we are doing something unsafe, we mount it read only to prevent corruption. (NOTE: that is not absolute protection, but reduces the risk.) IN extreme cases when we must bypass existing structure for lower level access we address it as a raw device without mounting. Carefully.

I hope that helps.

4 members found this post helpful.

No, Sir!

I am quite sure that you aren't "a new member" of Linux community, because looks like you aren't even yet aware that the Linux is divided/distributed on "distributions" and each one has its own target audience.

Also, considering your uberbasic questions, I guess that you are a Windows user who just contemplate the eventual installation of a Linux distribution.

While I consider admirable your intentions, the fact that you look for "good video-tutorials" about commands and alike, makes me think that Slackware (and its community) is not what you are looking for, because the Slackware is not supposed to spoon-feed you.

So, I believe that probably the best for you is to post your questions there: https://www.linuxquestions.org/quest...inux-newbie-8/

And be kind to buy a good Linux book and to start learning, then continuing with learning, because the Linux cannot be understanded by some good video-tutorials - it's too much information to assimilate.

Finally, IF you intend to install Slackware into future, a good book is there: https://www.slackbook.org/html/index.html

3 members found this post helpful.

First, I agree that a good book should be preferred over learning from videos (for every subject). But I want to add that Linux is not rocket science either. As you mentioned, Slackware might not be the ideal distro if one is new to Linux, but you definitely don't need to read a book to do what you do on Windows on something like Ubuntu/Mind/Manjaro...

My point is: people are afraid that Linux is "complicated" and therefore stay away from it, which is a sad thing.

It should, however, be noted that part of this book are seriously outdated. Lynx and Links are not the only web browsers shipped with Slackware these days

This is a very broad question, with very little background information.
Please allow me to make some assumptions (or correct me if I'm wrong):
- "The disk is an original disk seized from a computer, most likely from a Windows pc, or a Mac.
- You have set up, are going to set up a Linux system, to do a forensic examination of "the disk".
- You connect "the disk" via USB or E-SATA

If you mount the disk RO on the OS (Linux distro) you use, you will see the structure "natively" and you can read from it. If you mount RW, you can also write to it "normally".
If you do not mount it, you can still read (and write!!!) from (to) it in RAW mode, e.g. with dd
If you want to be sure that you cannot write to it, your option is to use a (hardware) write-blocker. If you cannot afford this, a specialist forensic distro like Paladdin will be second best.
For examination, I recommend to follow best practice: Do not mount it. Make an image of the disk with the right software. This can be open "raw" format, with dd (or better dcfldd, rdd,ddrescue or the like), or closed formats (like EWF, with guymaker).
Then detach the disk and do your examination on the image.
For examination, there are also specialist forensic distro's available (like SANS SIFT). Or use Autopsy forensic tool. Easiest on Windows. Installing in Linux is possible, but you do have to understand what you're doing.


Questions? Happy to answer them.

1 members found this post helpful.

LuckyCyborg,
Just use the report button and ask a moderator to move the thread...

John Stockton, your thread has been moved to linux-newbie forum.

@John Stockton, I recommend you consider installing and playing with Linux in a virtual machine. Ubuntu or Linux Mint would be good starter distros. There are plenty of newbie friendly tutorials, and there's no problem with watching videos, if you learn better that way.

You'll want to learn the basics of the CLI (command line interface) and Bash, as that knowledge goes a long way in understanding and managing Linux. I recommend "The Linux Command Line" at https://linuxcommand.org/tlcl.php. The book is easy to read, the PDF is legally free to download. If you want, you can buy a print version to keep on the shelf, and support the author.

I think the newbie-hammer got slammed a bit hard here. We all gotta start somewhere, and sometimes we don't know what questions to ask when we're brand new. And where did he mention Slackware?

2 members found this post helpful.

The OP posted initially this thread on the Slackware main forum. And s/he not at the first commit - there s/he asked for for a video-tutorial regarding shell commands:

https://www.linuxquestions.org/quest...nd-4175701320/

That's why I suspected that s/he evaluate Slackware on his/her future plans.

Nothing wrong in that, it's rather admirable, BUT as someone who uses Slackware since over 10 years, I know that it's a hard nut to crack for someone who comes to it with a mindset focused in video-tutorials and not bothering at least to Google.

Heck, personally I come to Slackware with a solid Ubuntu experience and still I had issues to adapt.

Slackware is a great operating system, but I am afraid it's not for fans of Click'n'Roll...

This was my point of view, with no malice in my intentions.

And like you seen, I've guided her/him to this forums sections to be a better place for this type questions.

1 members found this post helpful.

Better understood.

I definitely learned the first lesson, thank you very much!