RE: [sleuthkit-users] opensourceforensics.org
From: Altheide, C. B. <Alt...@nv...> - 2003-06-12 15:23:47
> -----Original Message-----
> From: Brian Carrier [mailto:ca...@sl...]
>
> > Knoppix is a very useful boot cd for forensic work especially if you
> > like to do manual poking around, as by default it mounts the local
> > disks read only so that the file's atime settings won't be modified
> > accidentally.
>
> There has actually been a thread on the linux_forensics@yahoo
> list about this since someone noticed that the hash on an
> EXT3FS file system changed after mounting it read-only with
> knoppix. They have been doing more tests and will be
> publishing a final report.

I've actually done some independent testing to see if I could reproduce those results, but my findings indicate that knoppix does *not* write to the journal when mounting a drive read-only. Granted - I may have been doing something different than Ernie, so I'm anxiously awaiting his report.

Cory Altheide
Computer Forensics Specialist
NCI Information Systems, Inc.
NNSA Cyber Forensics Center
alt...@nv...
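Added example, not part of the original message: one way to test the question raised in this thread is to record an image's SHA-256 together with the ext2/ext3 superblock fields a mount can touch, before and after mounting, and compare the two records. The sample images are constructed inline, and the names `snapshot`, `changed` and `make_sample` are illustrative.

```python
import hashlib
import io
import struct

SB_OFFSET = 1024             # primary ext2/ext3 superblock starts 1024 bytes in
EXT_MAGIC = 0xEF53
COMPAT_HAS_JOURNAL = 0x0004  # s_feature_compat bit: file system has a journal
INCOMPAT_RECOVER = 0x0004    # s_feature_incompat bit: journal needs recovery

def snapshot(f):
    """Hash a whole image (binary file object) and read key superblock fields."""
    h = hashlib.sha256()
    f.seek(0)
    for chunk in iter(lambda: f.read(1 << 20), b""):
        h.update(chunk)
    f.seek(SB_OFFSET)
    sb = f.read(1024)
    if len(sb) < 100:
        raise ValueError("image too small to hold a superblock")
    mtime, wtime, mnt_count = struct.unpack_from("<IIH", sb, 44)
    magic, state = struct.unpack_from("<HH", sb, 56)
    compat, incompat = struct.unpack_from("<II", sb, 92)
    if magic != EXT_MAGIC:
        raise ValueError("not an ext2/ext3 superblock")
    return {
        "sha256": h.hexdigest(),
        "mtime": mtime,          # last mount time
        "wtime": wtime,          # last write time
        "mnt_count": mnt_count,  # mounts since last fsck
        "state": state,
        "has_journal": bool(compat & COMPAT_HAS_JOURNAL),
        "needs_recovery": bool(incompat & INCOMPAT_RECOVER),
    }

def changed(before, after):
    """Names of the recorded fields that differ between two snapshots."""
    return sorted(k for k in before if before[k] != after[k])

def make_sample(wtime, mnt_count, recover):
    """Constructed 4 KiB image holding only a minimal superblock (test data)."""
    img = bytearray(4096)
    struct.pack_into("<IIH", img, SB_OFFSET + 44, 1055400000, wtime, mnt_count)
    struct.pack_into("<HH", img, SB_OFFSET + 56, EXT_MAGIC, 1)
    flags = INCOMPAT_RECOVER if recover else 0
    struct.pack_into("<II", img, SB_OFFSET + 92, COMPAT_HAS_JOURNAL, flags)
    return io.BytesIO(bytes(img))
```

On a real case, pass `snapshot` the image or device opened in binary read mode before the mount and again after unmounting; an empty list from `changed` means neither the hash nor the recorded superblock fields moved.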