Hiding files with mount

When a filesystem is mounted on a directory, the files already in that directory are hidden and will not be accessible until the filesystem is unmounted. This is a relatively decent way to thwart or slow down online analysis of a system. A recursive listing of files will not reveal these hidden files. Most investigators would be hesitant to unmount live filesystems, especially if running services have handles to files residing on that mount point. For bonus points, create a dummy file with the same name on the mounted filesystem...

user@hostname:/tmp# mkdir folder
user@hostname:/tmp# echo "secret" > ./folder/hidden.txt
user@hostname:/tmp# ls ./folder/
hidden.txt
user@hostname:/tmp# mount /dev/sda1 /tmp/folder/
user@hostname:/tmp# ls ./folder/
bin   build  etc   initrd.img  lib32  libx32      media  opt   root  sbin  srv  tmp  var
boot  dev    home  lib         lib64  lost+found  mnt    proc  run   snap  sys  usr  vmlinuz
user@hostname:/tmp# umount /tmp/folder/
user@hostname:/tmp# ls ./folder/
hidden.txt
user@hostname:/tmp#
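
For the analyst's side of this trick, the following added example (not part of the original post) parses /proc/self/mountinfo and flags mounts worth checking for shadowed files: a block device mounted a second time, as /dev/sda1 is in the session above, or a mount point inside a temporary directory. The sample mount table, the TEMP_DIRS watch list and the function names are assumptions made for illustration.

```python
import re
import sys

# Constructed sample in /proc/self/mountinfo format (not captured from a real host).
SAMPLE_MOUNTINFO = r"""22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
23 22 0:21 / /proc rw,nosuid,nodev,noexec shared:12 - proc proc rw
310 22 8:1 / /tmp/folder rw,relatime shared:1 - ext4 /dev/sda1 rw
311 22 8:17 / /mnt/usb\040stick rw,relatime shared:90 - vfat /dev/sdb1 rw
"""

TEMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")  # assumed watch list, adjust per host

def unescape(field):
    # mountinfo writes space, tab, newline and backslash as \ooo octal escapes
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def parse_mountinfo(text):
    """Return one dict per mount: id, dev (major:minor), mountpoint, fstype, source."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, _, right = line.partition(" - ")  # optional fields end at " - "
        f = left.split()
        fstype, source = right.split()[:2]
        mounts.append({"id": int(f[0]), "dev": f[2], "mountpoint": unescape(f[4]),
                       "fstype": fstype, "source": unescape(source)})
    return mounts

def suspicious_mounts(mounts):
    """Heuristics only: list (mountpoint, reasons) for mounts that may shadow files."""
    seen, findings = {}, []
    for m in mounts:
        reasons = []
        if m["source"].startswith("/dev/"):
            prior = seen.setdefault(m["dev"], m["mountpoint"])
            if prior != m["mountpoint"]:
                reasons.append("device %s already mounted at %s"
                               % (m["source"], prior))
        if any(m["mountpoint"].startswith(d + "/") for d in TEMP_DIRS):
            reasons.append("mount point inside a temporary directory")
        if reasons:
            findings.append((m["mountpoint"], reasons))
    return findings

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MOUNTINFO
    for mountpoint, reasons in suspicious_mounts(parse_mountinfo(text)):
        print(mountpoint, "->", "; ".join(reasons))
```

A flagged mount point can be inspected without unmounting it by bind-mounting the parent filesystem (non-recursively) on a scratch directory, which exposes the directory contents underneath.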