The analysis
You can now view the contents of the read-only mounted or restored disk or loop-mounted image. If you are running the X window system, you can use your favorite file browser to look through the disk. In most (if not all) cases, however, you will find the command line more useful and powerful, because it allows output redirection and a permanent record of your analysis. We will use the command line here.
We are also assuming that you are issuing the following commands from the proper mount point (/mnt/analysis/). If you want to save a copy of each command's output, be sure to redirect the output to a file in your evidence directory (/root/evidence/).
Navigate through the directories and see what you can find. Use the ls command to view the contents of the disk. The command in the following form might be useful:
ls -al
This will show all the hidden files (-a) and give the list in long format to identify permissions, dates, etc. (-l). You can also use the -R option to list recursively through directories. You might want to pipe that through less.
ls -alR | less
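To keep a permanent record of the recursive listing instead of only paging through it, the output can be redirected into the evidence directory. The following is an added example, not part of the original guide: the function name save_listing and the output file names ls_alR.txt and ls_alR.txt.sha256 are assumptions, and the default paths are the mount point and evidence directory used above.

```shell
# Added example: record a recursive listing of the analysis mount point
# in the evidence directory, then hash the record.
# save_listing and the ls_alR.txt* file names are hypothetical.
save_listing() {
    src=${1:-/mnt/analysis}      # mount point of the read-only image
    dest=${2:-/root/evidence}    # directory where command output is kept
    out="$dest/ls_alR.txt"

    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    mkdir -p "$dest" || return 1

    # Run ls from the mount point so recorded paths are relative to it.
    # -a includes hidden files, -l is long format, -R recurses.
    ( cd "$src" && ls -alR ) > "$out" || return 1

    # Hash the saved listing so later changes to the record are detectable.
    ( cd "$dest" && sha256sum ls_alR.txt > ls_alR.txt.sha256 ) || return 1

    echo "$out"
}
```

Calling save_listing with no arguments uses /mnt/analysis and /root/evidence; the saved record can be re-checked later with sha256sum -c ls_alR.txt.sha256 from inside the evidence directory.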