Mounts
Overview
Evidence: Mounts
Description: Collect Mounts
Category: System
Platform: Linux
Short Name: mounts
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Linux mount information provides details about mounted file systems, storage devices, and network shares. This data is essential for understanding storage configuration and detecting unauthorized storage access.
Data Collected
This collector gathers structured data about mounts.
Mounts Data
| Field | Description | Example |
| --- | --- | --- |
| ID | Primary key (auto-increment) | 1 |
| Path | Mount point path | / |
| Type | Filesystem type | ext4 |
| BlockFree | Free blocks | 1000000 |
| BlockSize | Block size in bytes | 4096 |
| Blocks | Total blocks | 2000000 |
| BlockAvailable | Available blocks | 1000000 |
| Device | Device path | /dev/sda1 |
| Flags | Mount flags | rw,relatime |
| Inodes | Total inodes | 1000000 |
| InodesFree | Free inodes | 500000 |
Collection Method
This collector parses the necessary data from the system's mount table.
It reads the data from the following locations:
/proc/mounts
/etc/fstab
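As an added illustration (not the collector's own code), the block below parses records in /proc/mounts format into the Device, Path, Type and Flags fields listed above, fills the block and inode fields from a statvfs result, and applies two analyst triage checks that can be run over the parsed records. The sample input, the NETWORK_FS set and the function names are this example's own assumptions.

```python
import os
import re

# Constructed sample in /proc/mounts format: device mountpoint fstype options dump pass
# (the NFS line uses \040, the octal escape /proc/mounts writes for a space)
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
fileserver:/export /mnt/share\\040drive nfs4 rw,relatime,vers=4.2 0 0
/dev/sdb1 /media/usb vfat rw,nosuid,nodev,relatime 0 0
"""

_OCTAL = re.compile(r"\\([0-7]{3})")  # space, tab, newline and backslash are escaped this way

def _unescape(field: str) -> str:
    return _OCTAL.sub(lambda m: chr(int(m.group(1), 8)), field)

def parse_proc_mounts(text: str) -> list[dict]:
    """One record per mount with the Device, Path, Type and Flags fields from the table above."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:      # blank or truncated line
            continue
        records.append({"ID": len(records) + 1,
                        "Device": _unescape(parts[0]), "Path": _unescape(parts[1]),
                        "Type": parts[2], "Flags": parts[3]})
    return records

def enrich_with_statvfs(record: dict, st: os.statvfs_result) -> dict:
    """Fill the block and inode fields from statvfs(record["Path"]); f_frsize is the
    fragment size the block counts are expressed in."""
    record.update(BlockSize=st.f_frsize, Blocks=st.f_blocks, BlockFree=st.f_bfree,
                  BlockAvailable=st.f_bavail, Inodes=st.f_files, InodesFree=st.f_ffree)
    return record

NETWORK_FS = {"nfs", "nfs4", "cifs", "smb3", "fuse.sshfs"}  # assumed set of network filesystem types

def flag_mounts(records: list[dict]) -> list[str]:
    """Triage hints: network shares, plus /tmp and removable media lacking noexec."""
    findings = []
    for r in records:
        opts = set(r["Flags"].split(","))
        if r["Type"] in NETWORK_FS:
            findings.append(f"{r['Path']}: network share from {r['Device']}")
        if (r["Path"] == "/tmp" or r["Path"].startswith("/media/")) and "noexec" not in opts:
            findings.append(f"{r['Path']}: mounted without noexec")
    return findings
```

On a live host, `enrich_with_statvfs(record, os.statvfs(record["Path"]))` completes each record; on an image the /proc/mounts text alone yields the Device, Path, Type and Flags columns.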
Usage
This evidence is crucial for forensic investigations because it records the host's storage configuration. It helps investigators understand storage topology, detect unauthorized storage access, and investigate storage-based attacks. The data reveals which devices and network shares were mounted, with what options, and where the configuration exposes weaknesses. Analysts can use it to identify storage compromises, trace storage-related activity, and assess the storage security posture.
Notes
This data may contain sensitive information that should be handled according to data protection requirements. Ensure proper chain of custody is maintained during collection and analysis.