Re: filesystem damage

[Christopher David Howie <me@chrishowie.com>]

On 3/2/25 2:35 PM, David Christensen wrote:
> The "norecovery" option for mount(8) seems like a dangerous design 
> choice.  "readonly" is supposed to mean "do not write to disk".  I must 
> remember that land mine if and when I want to do forensic work.

To be fair, the first step of forensic work is "make an image of the 
drive and save it somewhere read-only."  This way if you attempt to 
mount the image without norecovery, it barks at you because the 
underlying medium is read-only.

You then work either with copies of the image.  (Or thin layered images 
using the original as a backing image, which will redirect writes to the 
higher layer, leaving the original image untouched.  Semantically the 
same as making a copy but without wasting a bunch of space.)

--
Chris Howie
http://www.chrishowie.com
http://en.wikipedia.org/wiki/User:Crazycomputers

If you correspond with me on a regular basis, please read this document: 
http://www.chrishowie.com/email-preferences/

PGP fingerprint: 2B7A B280 8B12 21CC 260A DF65 6FCE 505A CF83 38F5

------------------------------------------------------------------------
                    IMPORTANT INFORMATION/DISCLAIMER

This document should be read only by those persons to whom it is 
addressed.  If you have received this message it was obviously addressed 
to you and therefore you can read it.

Additionally, by sending an email to ANY of my addresses or to ANY 
mailing lists to which I am subscribed, whether intentionally or 
accidentally, you are agreeing that I am "the intended recipient," and 
that I may do whatever I wish with the contents of any message received 
from you, unless a pre-existing agreement prohibits me from so doing.

This overrides any disclaimer or statement of confidentiality that may 
be included on your message.