Re: filesystem damage
On 3/2/25 2:35 PM, David Christensen wrote:
The "norecovery" option for mount(8) seems like a dangerous design
choice. "readonly" is supposed to mean "do not write to disk". I must
remember that land mine if and when I want to do forensic work.
To be fair, the first step of forensic work is "make an image of the
drive and save it somewhere read-only." This way if you attempt to
mount the image without norecovery, it barks at you because the
underlying medium is read-only.
You then work either with copies of the image. (Or thin layered images
using the original as a backing image, which will redirect writes to the
higher layer, leaving the original image untouched. Semantically the
same as making a copy but without wasting a bunch of space.)
--
Chris Howie
http://www.chrishowie.com
http://en.wikipedia.org/wiki/User:Crazycomputers
If you correspond with me on a regular basis, please read this document:
http://www.chrishowie.com/email-preferences/
PGP fingerprint: 2B7A B280 8B12 21CC 260A DF65 6FCE 505A CF83 38F5
------------------------------------------------------------------------
IMPORTANT INFORMATION/DISCLAIMER
This document should be read only by those persons to whom it is
addressed. If you have received this message it was obviously addressed
to you and therefore you can read it.
Additionally, by sending an email to ANY of my addresses or to ANY
mailing lists to which I am subscribed, whether intentionally or
accidentally, you are agreeing that I am "the intended recipient," and
that I may do whatever I wish with the contents of any message received
from you, unless a pre-existing agreement prohibits me from so doing.
This overrides any disclaimer or statement of confidentiality that may
be included on your message.
Reply to: