[BBLISA] Does read only really mean it?
Nahum Shalman
nahamu+bblisa at gmail.com
Thu Dec 5 21:00:24 EST 2013
On Thu, Dec 5, 2013 at 4:48 PM, John P. Rouillard <rouilj at cs.umb.edu> wrote:
> I know from forensics work there can be a bunch of things that will
> change the filesystem/disk state. Hence most forensics people:
>
> 1) use a hardware rig that will NOT issue write commands to the
> source disk to copy the source disk to a disk they will use
> for investigation.
> 2) use tools that are designed to not mess up the filesystem in the
> investigation disk.
>
> I.E. they don't consider ro mode sufficient to not change the state of
> the disk.
>
Indeed. The forensics folks at my office use write-blocking bridges like
these:
http://www.tableau.com/index.php?pageid=products&category=forensic_bridges
Those devices filter out any stray write commands that might be issued by
the host and drop them rather than pass them through to the drive.
Question to which I don't know the answer off hand:
If you create a new ext4 file system it will tell you that it's going to
run fsck after a certain number of mounts.
If you proceed to mount it read-only (and only ever read-only) that many
times, will it try to do a fsck on the next mount?
-Nahum
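
Added example, not part of the original message: a way to test the mount-count question empirically is to read the first 2048 bytes of the device before a read-only mount and again after unmounting, then diff the ext4 superblock fields that track mounts and checks. The helper names and the sample snapshots are assumptions constructed for this illustration; the field offsets follow the ext2/3/4 on-disk superblock layout.

```python
import struct

SB_OFFSET = 1024      # primary superblock starts 1024 bytes into the device
EXT_MAGIC = 0xEF53    # s_magic, at superblock offset 0x38
# name -> (offset inside the superblock, little-endian struct format)
FIELDS = {
    "s_mtime": (0x2C, "<I"),          # last mount time
    "s_wtime": (0x30, "<I"),          # last write time
    "s_mnt_count": (0x34, "<H"),      # mounts since the last fsck
    "s_max_mnt_count": (0x36, "<h"),  # fsck threshold; tune2fs documents 0 or -1 as "ignore"
    "s_state": (0x3A, "<H"),          # bit 0 set = cleanly unmounted
    "s_lastcheck": (0x40, "<I"),      # time of the last fsck
}

def parse_superblock(head: bytes) -> dict:
    """Decode the fields above from the first 2048 bytes of a device or image."""
    sb = head[SB_OFFSET:SB_OFFSET + 1024]
    if len(sb) < 0x48 or struct.unpack_from("<H", sb, 0x38)[0] != EXT_MAGIC:
        raise ValueError("no ext2/3/4 superblock magic found")
    return {n: struct.unpack_from(fmt, sb, off)[0] for n, (off, fmt) in FIELDS.items()}

def diff_superblocks(before: bytes, after: bytes) -> dict:
    """Return {field: (old, new)} for every tracked field that changed."""
    old, new = parse_superblock(before), parse_superblock(after)
    return {n: (old[n], new[n]) for n in FIELDS if old[n] != new[n]}

def make_sample(**values) -> bytes:
    """Build a constructed 2048-byte device head holding only the tracked fields."""
    buf = bytearray(2048)
    struct.pack_into("<H", buf, SB_OFFSET + 0x38, EXT_MAGIC)
    for name, value in values.items():
        off, fmt = FIELDS[name]
        struct.pack_into(fmt, buf, SB_OFFSET + off, value)
    return bytes(buf)

# Constructed snapshots, not captures from a real mount.
BEFORE = make_sample(s_mnt_count=3, s_max_mnt_count=20, s_state=1, s_mtime=1386280000)
AFTER = make_sample(s_mnt_count=4, s_max_mnt_count=20, s_state=1, s_mtime=1386295224)

if __name__ == "__main__":
    # On a real system, replace the samples with open(path, "rb").read(2048)
    # taken before the mount and again after the unmount.
    for field, (old, new) in diff_superblocks(BEFORE, AFTER).items():
        print(f"{field}: {old} -> {new}")
```

An empty diff only shows that these superblock fields were untouched; other on-disk structures can still change, so comparing a hash of the whole device before and after is the complete check.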