Re: [sleuthkit-users] Previewing drives
Brought to you by:
carrier
Menu
▾
▴
Re: [sleuthkit-users] Previewing drives
|
From: Enda C. <en...@co...> - 2004-02-25 19:34:40
|
"Brian Carrier" > > On Feb 25, 2004, at 12:37 PM, Jon Nelson wrote: > > > Does anyone know if using the device name (e.g., /dev/hda1) as the > > image > > file for Autopsy will alter the drive? > > > It shouldn't. The Sleuth Kit opens the image files (or devices) > read-only so it will not make any changes. If the disk is mounted on a > live system, then the disk maybe changed by loading the processes for > The Sleuth Kit or Autopsy, but that would be the OS changing the disk > because any process is running. An exception being Reiser perhaps? where the journal gets modified even on read only mounts? Or does the SluethKit have its own filesystem drivers rather than the stock system ones? -Enda. |
