Hi All,
I am a computer forensic examiner here in Phoenix. I use Linux as a tool
for the examination of suspect computers. The one thing that is very
important for evidentiary reasons is that the state of the drive does not
change when you examine it. Basically the md5 hash before examination must
match the hash after examination. I have made a bootable CD distro based on
KNOPPIX to assist examiners in the live preview of suspect computers.
Now here is the problem I face. I did some research and published a white
paper that indicates that when you mount ext3 and reiserfs partitions
read-only the state of the drive changes. Further research, which I did not
publish, showed that the mount count in the journal is what actually changed,
but nonetheless it changed, and that can be a disaster when it comes to
evidentiary value, believe it or not.
Now I discovered that mounting an ext3 partition as an ext2 partition solved
my ext3 problem, but reiser is a different story. Reiser demands low-level
write access to the journal. No matter how you mount it, even using a
loopback device, it changes. If you lock the drive with an hdparm -r, reiser
refuses to mount.
Now down to what I need. I have seen some really great talent here and I
need a person or group of people willing to tackle this issue. I am pretty
certain that a hack will need to be done to the reiser fs that comes with
the latest version of KNOPPIX, or maybe someone has some idea of how to get
around it. My goal is to place this solution on my CD, full credit given of
course.
If anyone is interested let me know here or at my website address. If
several people are interested I would like to get a working group going.
Ernie Baca
ebaca@linux-forensics.com
www.linux-forensics.com
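The before/after hash check described in the post, as an added example that is not the poster's own tooling: it hashes two copies of a drive image, lists the sectors that differ, and decodes the ext2/ext3 superblock fields that a mount is known to update (mount count, filesystem state, last write time) so the examiner can see exactly what a "read-only" mount touched. The 2 KiB images are constructed stand-ins with only a superblock populated; the field offsets are the standard ext2 superblock layout.

```python
import hashlib
import struct

SECTOR = 512
SB_OFFSET = 1024        # ext2/ext3 primary superblock starts at byte 1024
EXT_MAGIC = 0xEF53      # s_magic, at offset 0x38 inside the superblock

# Superblock fields a mount updates: (offset within superblock, struct format)
FIELDS = {
    "s_wtime":     (0x30, "<I"),   # last write time (seconds since epoch)
    "s_mnt_count": (0x34, "<H"),   # mounts since the last fsck
    "s_state":     (0x3A, "<H"),   # 1 = cleanly unmounted, 0 = mounted/dirty
}


def image_hash(data: bytes) -> str:
    """MD5 of the whole image, as an examiner would record before and after."""
    return hashlib.md5(data).hexdigest()


def changed_sectors(before: bytes, after: bytes) -> list:
    """Sector numbers whose contents differ between the two images."""
    if len(before) != len(after):
        raise ValueError("image sizes differ; not the same device")
    return [off // SECTOR for off in range(0, len(before), SECTOR)
            if before[off:off + SECTOR] != after[off:off + SECTOR]]


def superblock_fields(data: bytes) -> dict:
    """Decode the mount-related superblock fields; empty dict if no ext magic."""
    sb = data[SB_OFFSET:SB_OFFSET + 1024]
    if struct.unpack_from("<H", sb, 0x38)[0] != EXT_MAGIC:
        return {}
    return {name: struct.unpack_from(fmt, sb, off)[0]
            for name, (off, fmt) in FIELDS.items()}


def verify(before: bytes, after: bytes) -> dict:
    """Full report: hashes, whether they match, and what changed if not."""
    hb, ha = image_hash(before), image_hash(after)
    fb, fa = superblock_fields(before), superblock_fields(after)
    field_changes = {k: (fb[k], fa[k]) for k in fb if fb[k] != fa.get(k)}
    return {"hash_before": hb, "hash_after": ha, "unchanged": hb == ha,
            "sectors": changed_sectors(before, after),
            "field_changes": field_changes}


def make_image(mnt_count: int, state: int, wtime: int) -> bytes:
    """Constructed 4-sector image with only the superblock fields populated."""
    img = bytearray(4 * SECTOR)
    struct.pack_into("<H", img, SB_OFFSET + 0x38, EXT_MAGIC)
    struct.pack_into("<I", img, SB_OFFSET + 0x30, wtime)
    struct.pack_into("<H", img, SB_OFFSET + 0x34, mnt_count)
    struct.pack_into("<H", img, SB_OFFSET + 0x3A, state)
    return bytes(img)


BEFORE = make_image(5, 1, 1_050_000_000)   # clean, 5 mounts, as acquired
AFTER = make_image(6, 0, 1_050_000_060)    # what a mount leaves: count+1, dirty
```

Running `verify(BEFORE, AFTER)` reports a hash mismatch localised to sector 2 (the superblock) with the three field deltas; the same function run on a real image pair flags any sector touched by the journal as well.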