View Issue Details

ID: 0004088
Project: Kali Linux
Category: General Bug
View Status: public
Last Update: 2025-07-14 09:15
Reporter: kali_user-2017
Assigned To: rhertzog
Priority: normal
Severity: major
Reproducibility: have not tried
Status: closed
Resolution: no change required
Product Version: 2017.1
Summary: 0004088: Forensic Mode - Plugged in Devices AutoMounting
Description

According to this article (https://docs.kali.org/general-use/kali-linux-forensics-mode) the forensic mode:
auto-mounting of removable media is disabled. USB thumb drives, CDs, and the like will not be auto-mounted when inserted. The idea behind this is simple: in forensic mode, nothing should happen to any media without direct user action. Anything that you do as a user is on you.

This is the first time I have used Kali. I am testing it on a VM. I selected the forensic mode at boot. I plugged in a USB device, and when I select Computer - I see the device on the list AND I am able to write to the device. This seems like the opposite of what would be expected. I shouldn't be able to write to it unless I specifically tell Kali to write to it.

When running the mount command - I can see that the device was mounted "rw"

When going into the settings (org/gnome/desktop/media-handling) - automount is set to false.

With all that said, I don't know if I am missing something here, but it doesn't seem to be working as expected.

Steps To Reproduce

Using VMware, create a VM and point it to the Kali ISO.
Select Forensic Mode at boot.
Wait until desktop is up.
Plug in USB device.
See if it shows up in the device list under COMPUTER.
See if you can write to the device without ever having told Kali to write to the device.

Attached Files
2017-06-26_13-27-11.jpg (376,968 bytes)

Activities

rhertzog

2017-06-26 18:31

administrator   ~0006848

Is the USB device mounted before you click on its name in the file manager?

Try running mount in a terminal after having plugged in the USB device.

It should not appear. But if you click on the device in the file manager, GNOME will mount it for you (how else do you want GNOME to show you its content?). In any case, I would not use the GNOME file manager for forensic purposes...

kali_user-2017

2017-06-26 19:51

reporter   ~0006849

You are correct. It is not automounting unless I click on it in the file manager. It is not mounted before clicking the volume name in file manager, but once I do it does. I just noticed that if I hover over the volume name it says "Mount and open "volumename"".

Therefore, this looks like user error.

With all that said, I personally am not a fan of this approach. I would prefer some sort of app that displays the available devices and that allows me to toggle/change R/RW settings and handling mounting or mount via command line. Just seems way too easy to mistakenly click on the device while just trying to navigate around and accidentally mount the device with one click.

If you are taking an image, you likely will have multiple drives attached, so I think it could be really easy for someone to make this mistake in the field if they were not aware that simply clicking on the name would automount the device. In the end, this is your product, so you can do what you like, and you do have your disclaimer "nothing should happen to any media without direct user action. Anything that you do as a user is on you."

In the end, people should be testing their process (like I did) and figure out these potential issues before it happens in the field. However, my two cents, a separate mounting app (or force any mounting via command line) would provide a little more control.

Thanks again for providing this to the community and for the follow up on this.

rhertzog

2017-06-27 12:39

administrator   ~0006851

I appreciate your comments and I agree with your feelings. We set up Kali/GNOME to not auto-mount the media but in the end we don't have any recommended workflow/toolset for forensic purposes... so it's up to the user to select the most appropriate tools and nautilus would certainly not be among the selected tools as it's easy to make a mistake like this one.
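
The check discussed in the notes above (run mount after plugging in the device and confirm nothing is "rw"), together with a command-line read-only mount, as an added example that is not part of the original thread or of Kali's own tooling. The function names, device names and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit and control mounts of an evidence device from the
# command line instead of the file manager.

# rw_mounts DEV_PREFIX [MOUNTS_FILE]
# Prints "device mountpoint" for every mounted device whose name starts with
# DEV_PREFIX and whose option list contains "rw". Reads /proc/mounts by default.
rw_mounts() {
    prefix=$1
    table=${2:-/proc/mounts}
    awk -v p="$prefix" '
        index($1, p) == 1 {
            n = split($4, opt, ",")          # field 4 is the option list
            for (i = 1; i <= n; i++)
                if (opt[i] == "rw") { print $1, $2; break }
        }
    ' "$table"
}

# mount_evidence_ro DEVICE MOUNTPOINT   (needs root; not run by this file)
# Marks the block device read-only in the kernel first, then mounts it with
# read-only and no-execute options. Journaling filesystems (ext3/ext4) may
# need "noload" added so the journal is not replayed.
mount_evidence_ro() {
    blockdev --setro "$1" &&
    mount -o ro,noexec,nodev,nosuid "$1" "$2"
}

# Constructed sample in /proc/mounts format: sdb1 was mounted by a click in
# the file manager (rw), sdc1 was mounted by hand read-only.
sample_mounts() {
    cat <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sdb1 /media/root/EVIDENCE vfat rw,nosuid,nodev,relatime,uid=0 0 0
/dev/sdc1 /mnt/target ntfs ro,noexec,nodev,nosuid 0 0
EOF
}

# Typical use on a live system: rw_mounts /dev/sdb
# Empty output means no partition of that disk is mounted read-write.
```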

Issue History

Date Modified Username Field Change
2017-06-26 17:29 kali_user-2017 New Issue
2017-06-26 17:29 kali_user-2017 File Added: 2017-06-26_13-27-11.jpg
2017-06-26 18:31 rhertzog Assigned To => rhertzog
2017-06-26 18:31 rhertzog Status new => feedback
2017-06-26 18:31 rhertzog Note Added: 0006848
2017-06-26 19:51 kali_user-2017 Note Added: 0006849
2017-06-26 19:51 kali_user-2017 Status feedback => assigned
2017-06-27 12:39 rhertzog Status assigned => closed
2017-06-27 12:39 rhertzog Resolution open => no change required
2017-06-27 12:39 rhertzog Note Added: 0006851
2025-07-14 09:15 g0tmi1k Priority immediate => normal