Disable harddrive swap file on boot?



lgriske
05-31-2003, 03:06 PM
On boot Knoppix polls the various partitions on the system, includes them in fstab and as mount icons on the desktop. Knoppix will also auto-mount a linux swap partition if it finds one on the harddrive (type 82). Is there any other partition type that Knoppix mounts rw (even momentarily) on boot? How would I disable this either as a cheatcode or in miniroot -> linuxrc? Functions that concern me:

mountit()
mountmodules()

I can see that they are necessary to find and mount KNOPPIX, but I can't see where it's finding the linux swap partition. I'm concerned about data modification, specifically MAC times.

Thanks. L. Riske

garyng
06-01-2003, 12:27 AM
the scanning and modifying of fstab is in knoppix-autoconfig calling rebuildfstab which calls scanpartition.

just out of curiosity, what is the concern of mounting swap partition?

lgriske
06-01-2003, 03:57 AM
Thanks for the tip. That helps a lot.

There's also a cheatcode: noswap. This is exactly what I was looking for.

The reason I want to turn off swap is for forensic analysis. If I'm doing an autopsy on a linux machine I don't want Knoppix overwriting the swap partition. There may be a lot of evidence in there. :).

I also can't have Knoppix accessing any of the partitions rw and changing their MAC times. This would also tamper with possible evidence. (I'm embarrassed to say that the cheatcode page even references this: "The "noswap" option is useful for a forensic analysis without touching existing swap partitions.")

Thanks again for the help. All of those knoppix- files in init.d are "interesting" :).

garyng
06-02-2003, 02:50 AM
thanks for the perspective. Now my next linux system would have AES-loop filters on the swap, would that beat you :wink:

dragonx
06-04-2003, 08:12 AM
I too need this functionality. I am currently re-mastering a forensic tool kit out of KNOPPIX. I should be able to change this script and get knoppix not to mount swap on boot right?

Also, for those of you using KNOPPIX for forensic analysis of machines, I have done a validation study and have found mounting EXT3 and reiserfs partitions read-only changes the state of the drive. I am publishing my paper on my website later next week. Now the good news is that it seems to be the Kernel and not KNOPPIX. I have repeated these tests with other distros and have come up with the same results. Now I do know that mounting read-only will not let you write to the drive and I believe it is probably a journaling issue since EXT3 and reiser are newer journaling file systems. The tests were conducted on NTFS, FAT32, EXT2, EXT3, and reiserfs. FAT32, NTFS and EXT2 mounted read-only fared ok and did not change the state of the drive. Although it may just be a journaling issue, it may not fly when it comes to law enforcement evidence issues. Now for those in the private sector it may be a different story. Oh well, hope my white paper explains it well. I lost my initial test results and had to do it all over again so one more week till it gets on to my publications section of my website....


Thanks,
Ernie Baca
www.linux-forensics.com
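The validation described above (hash a partition, mount it read-only, unmount, rehash) and the noswap check from earlier in the thread, as an added example script that is not from any poster or from Knoppix itself. It assumes a root shell on the live system; the ext3 `noload` mount option, which stops the kernel replaying the journal, is my addition and is not mentioned in the thread.

```shell
#!/bin/sh
# Assumption: run as root against a block device (e.g. /dev/hda1) that must not
# be altered. Hashes cover the raw device, so a journal replay by the kernel
# shows up as a hash change even when no file was written.

# Hash the whole raw device (or an image file) so metadata writes are visible.
device_hash() {
    sha256sum "$1" | awk '{print $1}'
}

# Return 0 if no swap area is active (what booting with "noswap" should leave).
no_swap_active() {
    # /proc/swaps has one header line; anything after it is an active swap area.
    [ "$(tail -n +2 /proc/swaps | wc -l)" -eq 0 ]
}

# Mount options per filesystem: plain ro for FAT/NTFS/ext2; ext3 additionally
# gets noload so the kernel does not replay the journal on mount.
ro_mount_opts() {
    case "$1" in
        ext3) echo "ro,noload" ;;
        *)    echo "ro" ;;
    esac
}

# Mount read-only, browse once, unmount, and report whether the bytes changed.
verify_ro_mount() {
    dev=$1; fstype=$2; mnt=${3:-/mnt/evidence}
    before=$(device_hash "$dev")
    mkdir -p "$mnt"
    mount -t "$fstype" -o "$(ro_mount_opts "$fstype")" "$dev" "$mnt" || return 2
    ls "$mnt" >/dev/null      # touch the tree once, as an analyst would
    umount "$mnt"
    after=$(device_hash "$dev")
    if [ "$before" = "$after" ]; then
        echo "unchanged: $dev ($before)"
        return 0
    fi
    echo "CHANGED:   $dev before=$before after=$after"
    return 1
}

# Usage: sh ro-check.sh /dev/hda1 ext3 [/mnt/evidence]
if [ "$#" -ge 2 ]; then
    no_swap_active || echo "warning: swap is active; boot with the noswap cheatcode"
    verify_ro_mount "$1" "$2" "$3"
fi
```

Run it once per partition type before relying on a live CD for evidence work; a non-zero exit means the mount itself wrote to the device.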

lgriske
06-05-2003, 02:37 AM
wow, Very good information. I'll watch for that paper.

dragonx
06-17-2003, 06:31 AM
I finally posted my Knoppix study and my new re-master called the Penguin Sleuth. You can find them at

www.linux-forensics.com

The Knoppix paper is in the publications section.

Thanks,
Ernie Baca
www.linux-forensics.com