Ernest Baca wrote:
> Hi All,
>
> I am a computer forensic examiner here in Phoenix. I use Linux as a
> tool for the examination of suspect computers. The one thing that is
> very important for evidentiary reasons is that the state of the drive
> does not change when you examine it. Basically the md5 hash before
> examination must match the hash after examination. I have made a
> bootable CD distro based on KNOPPIX to assist examiners in the live
> preview of suspect computers.
>
> Now here is the problem I face. I did some research and published a
> white paper that indicates that when you mount ext3 and reiserfs
> partitions read-only the state of the drive changes. Further
> research which I did not publish showed that the mount count in the
> journal is what actually changed, but nonetheless it changed and
> that can be a disaster when it comes to evidentiary value, believe it
> or not.
>
> Now I discovered that mounting an ext3 partition as an ext2 partition
> solved my ext3 problem, but reiser is a different story. Reiser
> demands low level write access to the journal. No matter how you
> mount it, even using a loopback device, it changes. If you lock the
> drive with an hdparm -r, reiser refuses to mount.
>
> Now down to what I need. I have seen some really great talent here
> and I need a person or group of people willing to tackle this issue.
> I am pretty certain that a hack will need to be done to the reiser fs
> that comes with the latest version of KNOPPIX, or maybe someone has
> some idea of how to get around it. My goal is to place this solution
> on my CD, full credit given of course.
>
> If anyone is interested let me know here or at my website address. If
> several people are interested I would like to get a working group going.
>
> Ernie Baca
> ebaca@linux-forensics.com
> www.linux-forensics.com
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

Use dd to write an image file of the drive to another device (say a USB
hard drive); dd doesn't mount it as far as I know. You can examine the
copy instead of mounting the original drive itself. Something like

    dd if=/dev/hda of=suspect12345.img

Mount the image using the loopback device.

JD
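The workflow JD sketches, written out as an added example (not code from either poster): image the suspect device with dd, hash both the source and the image so the copy can be shown to be faithful, and keep the hash so that the original can be re-verified after the examination. The device path, image name and the `acquire`/`reverify`/`mount_copy` function names are this example's own; the mount step needs root and a real image, so it is only defined here, not run.

```shell
#!/bin/sh
# Forensic acquisition helper (added example). Assumes GNU/BSD dd and md5sum.
set -eu

# Print the MD5 of a file or block device, hash only (no filename).
hash_of() {
    md5sum "$1" | awk '{print $1}'
}

# acquire SRC IMG
# Bit-copy SRC (device or file) into IMG with dd, which reads it without
# mounting it, then hash both ends and store the hash next to the image.
# Returns 0 only if the image hash matches the source hash.
acquire() {
    src=$1
    img=$2
    dd if="$src" of="$img" bs=65536 2>/dev/null
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$img")
    printf '%s\n' "$src_hash" > "$img.md5"
    [ "$src_hash" = "$img_hash" ]
}

# reverify PATH HASHFILE
# Recompute the hash of PATH (typically the original device, after the
# examination) and compare it with the hash recorded at acquisition time.
reverify() {
    [ "$(hash_of "$1")" = "$(cat "$2")" ]
}

# mount_copy IMG MOUNTPOINT [FSTYPE]
# Mount the copy, never the original, read-only through a loop device.
# FSTYPE lets an ext3 image be mounted as ext2, the workaround Ernie
# describes; any journal activity now touches the copy only, and the
# original can still be shown unchanged with reverify.
mount_copy() {
    img=$1
    mnt=$2
    fstype=${3:-}
    if [ -n "$fstype" ]; then
        mount -t "$fstype" -o ro,loop "$img" "$mnt"
    else
        mount -o ro,loop "$img" "$mnt"
    fi
}

main() {
    # Usage: ./acquire.sh /dev/hda suspect12345.img
    if acquire "$1" "$2"; then
        echo "image verified: $(cat "$2.md5")  $2"
    else
        echo "hash mismatch between $1 and $2" >&2
        exit 1
    fi
}

[ $# -eq 0 ] || main "$@"
```

Because the loop mount may itself alter the image (the journal mount count Ernie found), treat the `.md5` file as the record of the original, and re-run `reverify` against the original device, not against the mounted copy, when the examination is done.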