[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: filesystem damage



On 3/2/25 2:35 PM, David Christensen wrote:
The "norecovery" option for mount(8) seems like a dangerous design choice.  "readonly" is supposed to mean "do not write to disk".  I must remember that land mine if and when I want to do forensic work.

To be fair, the first step of forensic work is "make an image of the drive and save it somewhere read-only." This way if you attempt to mount the image without norecovery, it barks at you because the underlying medium is read-only.

You then work either with copies of the image. (Or thin layered images using the original as a backing image, which will redirect writes to the higher layer, leaving the original image untouched. Semantically the same as making a copy but without wasting a bunch of space.)

--
Chris Howie
http://www.chrishowie.com
http://en.wikipedia.org/wiki/User:Crazycomputers

If you correspond with me on a regular basis, please read this document: http://www.chrishowie.com/email-preferences/

PGP fingerprint: 2B7A B280 8B12 21CC 260A DF65 6FCE 505A CF83 38F5

------------------------------------------------------------------------
                    IMPORTANT INFORMATION/DISCLAIMER

This document should be read only by those persons to whom it is addressed. If you have received this message it was obviously addressed to you and therefore you can read it.

Additionally, by sending an email to ANY of my addresses or to ANY mailing lists to which I am subscribed, whether intentionally or accidentally, you are agreeing that I am "the intended recipient," and that I may do whatever I wish with the contents of any message received from you, unless a pre-existing agreement prohibits me from so doing.

This overrides any disclaimer or statement of confidentiality that may be included on your message.


Reply to: