<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Thu, Dec 5, 2013 at 4:48 PM, John P. Rouillard <span dir="ltr"><<a href="mailto:rouilj@cs.umb.edu" target="_blank">rouilj@cs.umb.edu</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">I know from forensics work there can be a bunch of things that will<br>
change the filesystem/disk state. Hence most forensics people:<br>
<br>
1) use a hardware rig that will NOT issue write commands to the<br>
source disk to copy the source disk to a disk they will use<br>
for investigation.<br>
2) use tools that are designed to not mess up the filesystem in the<br>
investigation disk.<br>
<br>
I.E. they don't consider ro mode sufficient to not change the state of<br>
the disk.<br></blockquote><div><br></div><div>Indeed. The forensics folks at my office use write-blocking bridges like these:</div><div><a href="http://www.tableau.com/index.php?pageid=products&category=forensic_bridges">http://www.tableau.com/index.php?pageid=products&category=forensic_bridges</a></div>
<div><br></div><div>Those devices filter out any stray write commands that might be issued by the host and drop them rather than pass them through to the drive.</div><div><br></div><div>Question to which I don't know the answer off hand:</div>
<div>If you create a new ext4 file system it will tell you that it's going to run fsck after a certain number of mounts.</div><div>If you proceed to mount it read-only (and only ever read-only) that many times, will it try to do a fsck on the next mount?</div>
<div><br></div><div>-Nahum</div></div></div></div>