On Thu, Dec 5, 2013 at 4:48 PM, John P. Rouillard <[email protected]> wrote:
> I know from forensics work there can be a bunch of things that will > change the filesystem/disk state. Hence most forensics people: > > 1) use a hardware rig that will NOT issue write commands to the > source disk to copy the source disk to a disk they will use > for investigation. > 2) use tools that are designed to not mess up the filesystem in the > investigation disk. > > I.E. they don't consider ro mode sufficient to not change the state of > the disk. > Indeed. The forensics folks at my office use write-blocking bridges like these: http://www.tableau.com/index.php?pageid=products&category=forensic_bridges Those devices filter out any stray write commands that might be issued by the host and drop them rather than pass them through to the drive. Question to which I don't know the answer off hand: If you create a new ext4 file system it will tell you that it's going to run fsck after a certain number of mounts. If you proceed to mount it read-only (and only ever read-only) that many times, will it try to do a fsck on the next mount? -Nahum
_______________________________________________ bblisa mailing list [email protected] http://www.bblisa.org/mailman/listinfo/bblisa
