No. 10. LINUX Basics for Hackers (File System and Storage Management)

25 August 2023 15 minutes
Author: Lady Liberty

Effective Management of File System and Storage Devices in Linux

Managing the file system and storage devices in the Linux operating system is an important aspect of working effectively with this platform. Linux, due to its open nature and flexibility, gives users and administrators enormous control over the file system and data storage. The Linux file system is an important component of the operating system that allows you to organize and store data. There are many different file systems in Linux, each with its own unique benefits and features. Users can create, copy, move, delete and rename files and directories. They can also grant different users and groups access rights to files.

Storage devices in Linux: Storage devices such as hard drives, SSDs, USB drives and others are the main means of data storage in Linux. Management of these devices includes mounting (mounting) and dismounting (dismounting) media, formatting to prepare for data storage, as well as monitoring available disk space and diagnostics of device status. Linux also supports various levels of data protection, including backups and RAID configurations, which help avoid data loss in the event of disk hardware failure. Key Commands and Tools: Linux has a number of useful commands and tools for managing the file system and storage devices. These tools allow users and administrators to efficiently interact with files and storage devices, providing complete control over data and system resources. In conclusion, managing the file system and storage devices in Linux is an important aspect that helps ensure reliable data storage and access, ensuring high efficiency and security of the operating system. This system allows users to work efficiently with files and storage devices, ensuring the reliability and security of their data.

Device directory /DEV

First, we’ll look at how additional disks and other storage devices are mounted on this file system, leading to the / (root) directory. Mounting in this context simply means attaching a disk or drives to a file system to make them available to the operating system (OS). For you, as a hacker, it is necessary to understand the system of managing files and storage devices, both in your own system and, most often, in the system of your object. Hackers usually use external media to download data, hacking tools or even their OS. Once you’re on the target system, you need to understand what you’re working with, where to find sensitive or other critical files, how to mount the drive to the target device, and whether you can host those files on your system. In this section, we’ll cover all of these topics, as well as how to manage and monitor your storage devices.

We’ll start with a directory known as dev, which you’ve probably already noticed in the directory structure: dev is short for device, and each device in Linux is represented by its own file in the /dev directory. Let’s start with /dev.

Linux has a special directory that contains files representing each connected device: the /dev directory with the appropriate name. As your first introduction, change to the /dev directory and then run a long list on it.

kali >cd/dev
kali >ls-l
total 0
crw­­­­­­­ 1 root root 10,175 May 16 12:44 agpgart
crw­­­­­­­ 1 root root 10,235 May 16 12:44 autofs
drwxr­xr­x 1 root root 160 May 16 12:44 block
lrwxrwxrwx 1 root root 3 May 16 12:44 cdrom ­> sr0
drwxr­xr­x 2 root root 60 May 16 12:44 cpu

Devices are displayed in alphabetical order by default. You may recognize some devices like cdrom and cpu, but others have rather cryptic names. Every device on your system is represented by a file in the /dev directory, including devices you’ve probably never used or even knew existed. If you do, there is a device file waiting to be used.

If you scroll down this screen a bit, you will see more lists of devices. Of particular interest are the devices sda1, sda2, sda3, sdb and sdb1, which are a hard disk and its partitions, as well as a flash drive and its partitions.

brw­rw­­­­ 1 root root 8, 0 May 16 12:44 sda
brw­rw­­­­ 1 root root 8, 1 May 16 12:44 sda1
brw­rw­­­­ 1 root root 8, 2 May 16 12:44 sda2
brw­rw­­­­ 1 root root 8, 5 May 16 12:44 sda5
brw­rw­­­­ 1 root root 8, 16 May 16 12:44 sdb
brw­rw­­­­ 1 root root 8, 17 May 16 12:44 sdb1

How Linux represents storage devices

Linux uses logical labels for drives, which are then mounted in the file system. These logical labels can vary depending on where the drives are mounted, meaning the same hard drive can have different labels at different times, depending on where and when it was mounted.

Initially, Linux represented floppy disks (remember them?) as fd0, and hard disks as mali. You’ll still occasionally see these disk representations on older Linux systems, but today most floppy disks are gone (thank goodness). Despite this, the old legacy hard drives that used the IDE or EIDE interface are still available in the small form factor. The new Serial ATA (SATA) interface drives and Small Computer System Interface (SCSI) hard drives are presented as SDA. Drives are sometimes divided into sections known as partitions, which are represented by a numbering system, as you’ll see next.

When systems have more than one hard drive, Linux simply names them sequentially by increasing the last letter in alphabetical order, so the first drive is sda, the second drive is sdb, the third drive is sdc, and so on (see Table 10-1). The serial letter after sd is often called the main number.

Table 10-1: Device naming system

Disk partitions

Some drives can be partitioned to manage and separate information. For example, you can partition your hard drive so that your swap file, home directory, and / directory are on separate partitions – you can do this for a number of reasons, including sharing resources and relaxing default permissions. Linux designates each partition with a secondary number that follows the drive designation. So the first partition on the first SATA drive will be sda1. Then the second partition will be sda2, the third sda3, and so on, as shown in Table 10-2.

Table 10-2: Section labeling system

Sometimes you may want to look at the partitions on your Linux system to see which ones you have and how much capacity is available in each. This can be done using the fdisk utility. Using the -l switch with fdisk displays all partitions on all disks, as shown in Listing 102.

kali >fdisk-l
Disk /dev/sda: 20GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x7c06cd70
Device Boot Start End Sectors Size Id Type
/dev/sda1 * 2048 39174143 39172096 18.7G 83 Linux
/dev/sda2 39176190 41940991 2764802 1.3G 5 Extended
/dev/sda5 39176192 41940991 2764800 1.3G 82 Linux swap / Solaris
Disk /dev/sdb: 29.8 GiB, 31999393792 bytes, 62498816 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0xc3072e18
Device Boot Start End Sectors Size Id Type
/dev/sdb1 32 62498815 62498784 29.8G 7 HPFS/NTFS/exFAT
Listing 10­2: Listing partitions with fdisk

As you can see in listing 102, devices sda1, sda2 and sda5 are listed in the first stanza. These three devices make up a virtual disk from my virtual machine, which is a 20 GB disk with three partitions, including a swap partition (sda5) that acts as virtual RAM – similar to page files in Windows – when the RAM capacity yati is exceeded.

If you scan  listing 102 to the third stanza, you will see the output of the second device labeled sdb1 – the label b tells us that this drive is separate from the first three devices. This is my 64GB flash drive. Note that fdisk indicates that it

File system type HPFS/NTFS/ExFAT. These file types are a high performance file system

(HPFS), New Technology File System (NTFS), and Extended File Allocation Table

(exFAT) are not native to Linux systems, but rather to macOS and Windows systems. It pays to be able to recognize file types native to different systems as you research. The file system can indicate which computer the drive was formatted on, which can be valuable information. Kali is capable of using USB flash drives created in many different operating systems.

As you saw in Chapter 1, the Linux file system is structured much differently than Windows and other non-free operating systems. In addition, the way files are stored and managed is also different in Linux. Newer versions of Windows use the NTFS file system, while older Windows systems use the File Allocation Table (FAT) system.

Linux uses a number of different types of file systems, but the most common are ext2, ext3, and ext4. These are all iterations of the ext (or extended) file system, with ext4 being the latest.

Character and block devices

Another thing to note about the naming of the device files in the /dev directory is that the first position contains either c or b. You can see this in Listing 10-1 at the beginning of most entries, and it looks something like this:

crw­­­­­­­ 1 root root 10,175 May 16 12:44 agpgart

These letters represent the two ways that devices transfer data in and out. C stands for symbol, and these devices are known, as you would expect, as character devices. External devices that interact with the system by sending and receiving data character by character, such as mice or keyboards, are character devices.

The letter b stands for the second type: block devices. They exchange blocks of data (multiple bytes at a time) and include devices such as hard drives and DVDs. These devices require higher data rates and therefore send and receive data in blocks (many characters or bytes at a time). Once you know whether a device is token or block, you can easily get more information about it, as you’ll see next.

List block devices and information using lsblk

The Linux lsblk command, short for list block, provides some basic information about each block device listed in /dev. The output is similar to the output  from fdisk -l, but it will also display devices with multiple partitions in a kind of tree, showing each device with its partitions as branches, and does not require root to run. For example, in listing 103 we see sda with branches sda1, sda2, and sda5.

kali >lsblk
fd0 2:0 1 4K 0 disk
sda1 8:0 0 20G 0 disk
|­sda1 8:1 0 18.7G 0 part /
|­sda2 8:2 0 1K 0 part
|­sda5 8:5 0 1.3G 0 part [SWAP]
sdb 8:16 1 29.8G 0 disk
|­sdb1 8.17 1 29.8G 0 disk /media
sr0 11:0 1 2.7G 0 rom
Listing 10­3: Listing block device information with lsblk

The output includes the floppy drive as fd0 and the DVD drive as sr0, although neither is present on my system – just a holdover from legacy systems. We can also see information about the disk’s mount point, which is the position in which the disk was mounted on the file system. Note that the hard disk sda1 is mounted on / and the flash drive is mounted on / media. You will see more about the meaning of this in the next section.

Installation and dismantling

Most modern operating systems, including most newer versions of Linux, automatically mount storage devices when they are connected, meaning that a new flash drive or hard drive is automatically mounted to the file system. For those new to Linux, mounting can be a foreign topic.

The storage device must first be physically attached to the file system and then logically attached to the file system in order for the data to be accessible to the operating system. In other words, even if a device is physically connected to the system, it is not necessarily logically bound and accessible to the operating system. The term mount is a holdover from the early days of computing, when storage drives (before hard drives) had to be physically mounted in a computer system – think of those large spinning tape drive computers you may have seen in old sci-fi movies .

As mentioned, the point in the directory tree where the devices are mounted is known as the mount point. The two main mount points in Linux are /mnt and /media. Typically, internal hard drives are mounted on /mnt, and external USB devices such as flash drives and external USB hard drives are mounted on /media, although technically any directory can be used.

Independent installation of memory devices

Some versions of Linux require you to manually mount a drive to access its contents, so this is a skill worth learning. To mount a disk on a file system, use the mount command. The device mount point must be an empty directory; If you mount a device in a directory that contains subdirectories and files, the mounted device will cover the contents of the directory, making them invisible and inaccessible. So, to mount the new sdb1 hard drive in the /mnt directory, you would type the following:

kali >mount/dev/sdb1/mnt

This hard drive must be accessible. If you want to mount the sdc1 flash drive in the /media directory, you should type this:

kali >mount /dev/sdc1 /media

File systems mounted on the system are stored in a file at /etc/fstab (short for file system table), which is read by the system at each boot.

Unmounting with umount

If you’re using a Mac or Windows background, you may have unmounted a drive without realizing it. Before you remove the flash drive from the system, you “eject” it to avoid damaging the files stored on the device. Eject is just another word for dismantle.

Similar to the mount command, you can unmount a second hard drive by entering the umount command followed by writing the device file in the /dev directory, such as /dev/sdb. Note that the command is not written unmount, but rather umount (no n).

kali >umount/dev/sdb1

Unmounting a busy device won’t work, so if the system is reading or writing to the device, you’ll just get an error.

Monitoring of file systems

In this section, we will look at some commands for monitoring the health of the file system, a skill that any hacker or system administrator needs. We will get some information about the mounted drives and then check and fix the errors. Storage devices are especially prone to errors, so it’s worth learning this skill.

Getting information about mounted disks

The df command (for free disks) will give us basic information about any hard disks or mounted devices such as CDs, DVDs, and flash drives, including the amount of space used and available (see Listing 104). Without any options, df defaults to using the first drive on your system (sda in this case). If you want to check another drive, just run the df command with the representation of the drive you want to check (eg df sdb).

kali >df
Filesystem 1K­Blocks Used Available Use% Mounted on
rootfs 19620732 17096196 1504788 92% /
udev 10240 0 10240 0% /dev
/dev/sdb1 29823024 29712544 110480 99% /media/USB3.0
Listing 10­4: Getting information on disks and mounted devices with df

The first line of output here shows the category headings, and then we get the information.

Disk space is allocated in 1 KB blocks. On the second line, we see that rootfs has 19,620,732 one-kilobyte blocks, of which it uses 17,096,196 (or about 92 percent), leaving 1,504,788 available. The df command also tells us that this file system is mounted at the top of the file system. systems /.

In the last line you can see my flash drive. Note that it’s labeled /dev/sdb1, almost 100 percent full, and mounted to /media/USB3.0.

As a summary, my virtual disk on this system is labeled sda1, which is partitioned as follows:

  • sd SATA hard drive

  • a The first hard drive

  • 1 The first chapter on this disc

My 64GB flash drive is labeled sdb1 and my external drive is labeled sdc1.

Error checking

The fsck command (short for file system check) checks the file system for errors and either fixes the corruption if possible, or places the bad area in the bad block table to mark it as bad. To run the fsck command, you must specify the file system type (default is ext2) and the device file to check. It is important to note that the disk must be unmounted before running the file system check. If you fail to unmount a mounted device, you will receive the error message shown in Listing 105.

kali >fsck
fsck from util­linux 2.20.1
e2fsck 1.42.5 (29­Jul­2012)
/dev/sda1 is mounted
e2fsck: Cannot continue, aborting.
Listing 10­5: Trying (and failing) to run an error check on a mounted drive

Listing 105: Attempting (and failing) to run error checking on a mounted disk

So, the first step in performing a file system check is to unmount the device. In this case, I unmount my flash drive to perform a file system check:

kali >umount/dev/sdb1

I can add the -p option to have fsck automatically fix any problems with the device, for example:

kali >fsck-p/dev/sdb1

With the device unmounted, I can now check for bad sectors or other issues with the device as follows:

kali >fsck-p/dev/sdb1
fsck from util­linux 2.30.2
exfatfsck 1.2.7
Checking file system on /dev/sdb1.
File system version 1.0
Sector size 512 bytes
Cluster size 32 KB
Volume size 7648 MB
Used space 1265 MB
Available space 6383 MB
Totally 20 directories and 111 files.
File system checking finished. No errors found.


Understanding how Linux assigns and manages its devices is critical for any Linux user and hacker. Hackers will need to know which devices are connected to the system and how much free space is available. Since storage devices often experience errors, we can check and fix these errors using fsck. The dd command is able to make a physical copy of the device, including any deleted files.

We used materials from the book “LINUX BASICS FOR HACKERS” written by William Pollock

Found an error?
If you find an error, take a screenshot and send it to the bot.