Le 18/08/2016 23:09, Renaud (Ron) OLGIATI a écrit :
On Thu, 18 Aug 2016 22:48:39 +0200
"Dr. Nikolaus Klepp" <[email protected]> wrote:
Not sure, but could you try to also mount the disk with the noatime
option. I don't know if ro implies noatime.
I remember an article in german "Linuxmagazin" ~ 10 Jears ago where it said
that the stock kernel drivers for all journaling file systems on linux are broken for
forensic analysis due to the fact that these drivers always update the journal despite
the filesystem mounted read only. Looks like that statement is still true.
The workaround given that time was to make a image of the whole device, make
that image immutable, and mount the partions of that image.
Would mounting as ext2 (non journaling) help in that case ?
Why not try it? ext2, ro, noatime.
_______________________________________________
Dng mailing list
[email protected]
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
