Mate Your Forensics Desktop Buddy
There has been a casualty in the Linux Desktop over the past year or two: forensics. Now, Im not saying forensics cant be conducted from a modern Linux desktop environment like Gnome3 or Unity, but those environments do make it more difficult. First, they are less configurable and second, they make it difficult to display more than one window at a time. What might be a simple, clean interface to a desktop user is a hindrance to a forensics practitioner.
As a result, I switched to XFCE. Its always been attractive to me because of its simplicity and size, and it does a lot of things right. But its a little rough around the edges. The various settings windows are not well integrated, and a new user can easily become lost and frustrated. More importantly, Thunar, the default file manager, is a little weak for exploring file systems from digital discovery point-of-view. While
Meet Mate
Fortunately, forensics gurus are not the only people dissatisfied with the direction of the Linux desktop. Gnome2 was a staple for many users, and it was common on Linux forensics boot disks, too. The Mate project arose from the ashes of Gnome2 and serves as a drop in replacement for the popular but deprecated classic.If you are a longtime or former Ubuntu user, Mate will look very familiar. There is a little bit of translating to do, however, as some of the application names to which youve grown accustomed:
| MATE | GNOME 2 | Type | Notes | |
|---|---|---|---|---|
 | Atril | Evince | Document viewer | �lectern, reading desk� |
 | Caja | Nautilus | File manager | �box� |
 | Engrampa | File-Roller | File archive manager | �clip together� |
 | Eye of MATE (EOM) | Eye of GNOME (EOG) | Image viewer | |
 | Marco | Metacity | Window manager | �framework, frame� |
 | MateCalc | gcalctool | Calculator | |
 | MateConf | GConf | DE configuration system | |
 | MateDialog | Zenity | GTK+ command-line dialog boxes | |
 | MDM | GDM | Display manager (graphical login) | |
 | Mozo | Alacarte | Menu editor | |
 | Pluma | Gedit | Text editor | �pen� |
The application gconf-editor was default GUI settings editor for Gnome2. It was an important tool to know, because with it, the forensicator could configure his/her system to not automount devices. The table above and a wiki entry at the Mate website indicate that gconf-editor will be replaced with, predictably, mateconf-editor, but as of Mate v1.40, no such application exists.
Configuring Mate
This brings me to the purpose of this post. There is a command line tool that can be used to configure the Mate desktop environment called mateconftool-2, but its use is not intuitive. Ill demonstrate its use to alter the media auto-mount setting.
First, its important to understand that the Mate settings expressed as key-value pairs and are stored in a series of XML files. Editing the XML files directly is not recommended (settings are read and applied by the mateconfd daemon), and if you try, youll see its quite difficult to chase down the correct file. The mateconftool-2 tool makes navigating and editing the settings straight forward.
If you choose to think of the settings as being stored in a file system-like hierarchy, and I think youll have little problem. Observe, to view the settings directories at the root of the settings tree, issue the command:
$ mateconftool-2 --all-dirs /
/system
/desktop
/schemas
/apps
We see that there are settings in four categories: system, desktop, schemas, and apps. We are seeking to change the behavior of the caja application, the file manager responsible for mounting attached devices. We can see that the caja settings are not the only Mate desktop environment settings that can be configured:
$ mateconftool-2 --all-dirs /apps
/apps/mate-dictionary
/apps/procman
/apps/mate-system-log
/apps/timer-applet
/apps/control-center
/apps/pluma
/apps/marco
/apps/panel
/apps/baobab
/apps/engrampa
/apps/caja
/apps/mate-terminal
/apps/mate-screenshot
/apps/mate-screensaver
/apps/notification-daemon
/apps/eom
/apps/mate-session
/apps/mate-power-manager
/apps/mate_settings_daemon
/apps/mate-search-tool
/apps/stickynotes_applet
/apps/mate-volume-control
To review the caja settings, we examine the categories with the all-directories option and learn there is a preferences directory. To view the preferences key-value pairs, we switch to the all-entries option:
$ mateconftool-2 --all-entries /apps/caja/preferences
...
media_automount = true
search_bar_type = search_by_text
media_autorun_never = false
media_autorun_x_content_start_app = [x-content/software]
mouse_back_button = 8
show_image_thumbnails = local_only
desktop_is_home_dir = false
media_autorun_x_content_ignore = []
start_with_sidebar = true
thumbnail_limit = 10485760
directory_limit = -1
Now, this might seem cumbersome. Thats because it is. If you know the path to the setting in which you are interested, you can address it directly:
$ mateconftool-2 --get /apps/caja/preferences/media_automounttrue
To change a setting, you must specify its type: integer, boolean, float, or a string. In our case, its pretty evident that we are dealing with a boolean value, and we want to set it to "false". We must specify the action (set) and the type (false). Silence means success, but we follow our change by reading the key for verification:
$ mateconftool-2 --set --type=bool /apps/caja/preferences/media_automount false$ mateconftool-2 --get /apps/caja/preferences/media_automountfalse
Now, when a device is plugged into the a Linux system running the Mate desktop, it will not be auto-mounted. This is particularly important in Linux forensic boot discs designed to be inserted in the device to be examined/imaged or where a write-blocker is not an option or available. None-the-less, well all be happier when mateconf-editor GUI is added to the Mate line-up!
download file now
alternative link download