On Fri, 16 Nov 2007 22:14:07 EST, Max Gribov said:
> Tom,
> you can mount the storage as read-only - any unix filesystem will
> support read-only mount, and provided your root account isn't
> compromised, no one can remount it as write. Root can't write to
> read-only mounted filesystems without remount either.
Note that most journaled file systems (on Linux, this includes ext3, reiserfs, jfs, and xfs) will insist on replaying the journal and thus making changes to the disk, even when mounting as read-only. You'd really want to have some other utility that captures the journal datastream before you do the mount, and then a utility to reverse-apply the changes. In some cases, this may not be doable, as the journal doesn't record what the status was *before* the event - for instance, a file permission change event may only have the *new* value listed, so you can't roll it back.

There's also another issue - if you *do* create a "mount without journal replay", you're quite likely going to screw things up gloriously, as the whole *point* of the journal is to gloss over inconsistent data that hasn't been fully synced to disk. If you don't replay the journal, you may find some parts of the filesystem (those that are affected by live journal entries) won't be accurate, or may even crash the system. Of course, there's a very high probability that "the files that the hacker was working on when we pulled the plug" are *exactly* the pieces most likely to be zorkumblattum if you don't replay the journal....

And I won't even get into the forensics-relevant semantics of ext3's data=journaled/ordered/writeback options, other than to note that they *do* have forensics implications....
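The practical check behind the point above (a "read-only" mount of a journaled filesystem can still write to the evidence) is to hash the image before and after the mount and to pick mount options that skip journal replay where the driver supports it. The following POSIX shell helpers are an added example for this thread, not code from either poster. They assume GNU coreutils (`sha256sum`), the documented ext3/ext4 mount option `noload` and the xfs option `norecovery`, and an evidence image path that is only a placeholder here; the actual mount commands need root and are shown in a comment rather than run.

```shell
#!/bin/sh
# Added example (not from the original thread): helpers for checking whether a
# "read-only" mount actually modified a disk image, and for choosing mount
# options that avoid journal replay. Assumes GNU coreutils; the image path in
# the comment below (/path/to/evidence.img) is a placeholder.

# Map a filesystem type to mount options that avoid journal replay.
# ext3/ext4: "noload" skips loading the journal; xfs: "norecovery" skips log
# recovery (valid only together with "ro"). Any other type falls back to a
# plain "ro" mount, which, as the message above explains, may still replay
# the journal and write to the device.
fs_ro_opts() {
    case "$1" in
        ext3|ext4) echo "ro,noload" ;;
        xfs)       echo "ro,norecovery" ;;
        *)         echo "ro" ;;
    esac
}

# Print only the SHA-256 digest of a file (the evidence image).
image_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Compare two digests; prints "unchanged" or "CHANGED".
compare_hashes() {
    if [ "$1" = "$2" ]; then echo unchanged; else echo CHANGED; fi
}

# Run a command and report whether the image's digest changed across it.
# Usage: verify_unchanged <image> <command> [args...]
verify_unchanged() {
    img=$1; shift
    before=$(image_hash "$img")
    "$@"
    after=$(image_hash "$img")
    compare_hashes "$before" "$after"
}

# The real procedure (needs root, so it is only documented here):
#   IMG=/path/to/evidence.img                       # placeholder path
#   verify_unchanged "$IMG" sh -c '
#       dev=$(losetup -r -f --show '"$IMG"')        # read-only loop device
#       mount -t ext3 -o '"$(fs_ro_opts ext3)"' "$dev" /mnt/evidence
#       ls -la /mnt/evidence                        # ... examine ...
#       umount /mnt/evidence; losetup -d "$dev"'
# A read-only loop device stops replay from reaching the image at all; the
# price, per the message above, is that data still sitting in a live journal
# will not be reflected in what you see under /mnt/evidence.

# Stand-alone demonstration on a constructed temporary file instead of a real
# image: a no-op leaves the digest alone, an append changes it.
demo() {
    tmp=$(mktemp)
    printf 'constructed fake image contents\n' > "$tmp"
    r1=$(verify_unchanged "$tmp" true)
    r2=$(verify_unchanged "$tmp" sh -c "printf 'x' >> \"$tmp\"")
    rm -f "$tmp"
    echo "$r1 $r2"
}

demo
```

`verify_unchanged` is deliberately generic so the same before/after check can wrap any step of an examination (mount, `fsck -n`, carving tools), and the digest pair is worth recording in the case notes either way.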