Need help! Calling all Linux experts here.

Author: David Mandala
Date:  
Subject: Need help! Calling all Linux experts here.
I wonder why you don't simply use dd to copy an image of the drive to an
image file and then work from the image? Then you will never change the
master drive. That will get even the erased space, not just the active
file area, and allow you to work with it with no possibility of changing
the original.

Davidm

On Mon, 2003-08-04 at 21:20, Ernest Baca wrote:
> Hi All,
>
> I am a computer forensic examiner here in Phoenix. I use Linux as a tool
> for the examination of suspect computers. The one thing that is very
> important for evidentiary reasons is that the state of the drive does not
> change when you examine it. Basically the md5 hash before examination must
> match the hash after examination. I have made a bootable CD distro based on
> KNOPPIX to assist examiners in the live preview of suspect computers.
>
> Now here is the problem I face. I did some research and published a white
> paper that indicates that when you mount ext3 and reiserfs partitions
> read-only the state of the drive changes. Further research which I did not
> publish showed that the mount count in the journal is what actually changed,
> but nonetheless it changed and that can be a disaster when it comes to
> evidentiary value, believe it or not.
>
> Now I discovered that mounting an ext3 partition as an ext2 partition solved
> my ext3 problem, but reiser is a different story. Reiser demands low level
> write access to the journal. No matter how you mount it even using a
> loopback device, it changes. If you lock the drive with an hdparm -r, reiser
> refuses to mount.
>
> Now down to what I need. I have seen some really great talent here and I
> need a person or group of people willing to tackle this issue. I am pretty
> certain that a hack will need to be done to the reiser fs that comes with
> the latest version of KNOPPIX or maybe someone has some idea of how to get
> around it. My goal is to place this solution on my CD full credit given of
> course.
>
> If anyone is interested let me know here or at my website address. If
> several people are interested I would like to get a working group going.
>
>
>
> Ernie Baca
>
> www.linux-forensics.com
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

--
David IS Mandala
gpg fingerprint 8932 E7EF CCF5 1B8C 1B5C A92E C678 795E 45B2 D952
Phoenix, AZ (480) 460-7545 HP, (602) 741-1363 CP
http://www.them.com/~davidm/
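As an added illustration of the dd-and-hash workflow suggested above (this is example code written for this page, not anything posted in the thread or shipped on the KNOPPIX-based CD), the script below images a source with dd, hashes the source before and after the copy so the examiner can show it was not altered, hashes the image to show it is a faithful copy, and provides a re-check to run after an examination session. Only dd and md5sum from coreutils are needed. The device path /dev/hda and the image path are placeholders; on a real case the source is the suspect block device and the script runs as root, but any path works, so a plain file can stand in for a device when trying it out.

```shell
#!/bin/sh
# Added example, not from the thread: image a drive with dd, then prove the
# source was not altered by hashing it before and after, and prove the image
# is a faithful copy by hashing that too. Needs dd and md5sum (coreutils).
# SOURCE is normally a block device such as /dev/hda (placeholder) and you
# run as root; any readable path is accepted, so a file can stand in for a
# device when testing.

# image_and_verify SOURCE IMAGE
# Prints the md5 of SOURCE on stdout and returns 0 only if SOURCE hashes the
# same before and after the copy and IMAGE hashes identically to it.
image_and_verify() {
    src="$1"
    img="$2"
    before=$(md5sum "$src" | cut -d' ' -f1) || return 1
    # bs=512 matches the sector size, so conv=sync never pads a partial
    # block on a real device; conv=noerror keeps going past unreadable
    # sectors instead of aborting, and sync fills them with zeros so later
    # offsets in the image still line up with the original device.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    after=$(md5sum "$src" | cut -d' ' -f1) || return 1
    copy=$(md5sum "$img" | cut -d' ' -f1) || return 1
    if [ "$before" != "$after" ]; then
        echo "source hash changed during imaging: $before -> $after" >&2
        return 2
    fi
    if [ "$before" != "$copy" ]; then
        echo "image does not match source: $before vs $copy" >&2
        return 3
    fi
    echo "$before"
}

# verify_image IMAGE EXPECTED_MD5
# Re-hash the image after an examination session; returns 0 if it still
# matches the hash recorded at acquisition time, non-zero otherwise.
verify_image() {
    now=$(md5sum "$1" | cut -d' ' -f1) || return 1
    [ "$now" = "$2" ]
}

# Usage: ./image.sh /dev/hda /mnt/case/hda.img   (paths are placeholders)
if [ "$#" -eq 2 ]; then
    image_and_verify "$1" "$2"
fi
```

The hash printed at acquisition is the value to record in the case notes; run verify_image against the image after each session to show it is still the same bytes. Examination then happens on the image rather than the device: for an ext3 partition image the trick from the thread applies unchanged as mount -t ext2 -o ro,loop hda1.img /mnt/evidence. For reiserfs, where the thread reports that the journal gets written even through a loopback mount, whatever the filesystem code writes lands in the image file, so the hash taken from the source device at acquisition is unaffected; if the image itself must also keep its hash, mount a second copy of it and keep the first one untouched.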