Re: [sleuthkit-users] Previewing drives
From: Brian C. <ca...@sl...> - 2004-02-25 19:39:53
>> It shouldn't. The Sleuth Kit opens the image files (or devices)
>> read-only so it will not make any changes. If the disk is mounted on a
>> live system, then the disk may be changed by loading the processes for
>> The Sleuth Kit or Autopsy, but that would be the OS changing the disk
>> because any process is running.
>
> An exception being Reiser perhaps? where the journal gets modified even on
> read only mounts? Or does the SleuthKit have its own filesystem drivers
> rather than the stock system ones?

Well, TSK/Autopsy doesn't support Reiser... But, TSK doesn't rely on any kernel drivers (which is why you can, for example, examine NTFS and EXT3FS on a Solaris box). Therefore, the bug in the Linux kernel with respect to EXT3FS (and Reiser) doesn't apply to TSK.

brian
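The approach described in the reply above, sketched as an added example that is not part of the original post and is not The Sleuth Kit's code: an ext2/3 superblock is parsed from user space with the image opened read-only, no mount and no kernel filesystem driver involved, and the image hash is compared before and after. The function names and the sample image are constructed for illustration; the field offsets and flag values are those of the standard ext2/3 superblock layout.

```python
import hashlib
import os
import struct
import tempfile

SB_OFFSET = 1024             # ext2/3 superblock starts 1024 bytes into the volume
EXT_MAGIC = 0xEF53           # s_magic, little-endian u16 at superblock offset 56
COMPAT_HAS_JOURNAL = 0x0004  # s_feature_compat bit: filesystem has a journal
INCOMPAT_RECOVER = 0x0004    # s_feature_incompat bit: journal needs replay

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def inspect_superblock(path):
    """Parse the superblock directly; the file is only ever opened 'rb'."""
    with open(path, "rb") as f:
        f.seek(SB_OFFSET)
        sb = f.read(1024)
    if len(sb) < 136:
        raise ValueError("image too small to hold a superblock")
    (magic,) = struct.unpack_from("<H", sb, 56)
    if magic != EXT_MAGIC:
        raise ValueError("no ext2/3 superblock magic found")
    compat, incompat = struct.unpack_from("<II", sb, 92)
    label = sb[120:136].split(b"\0", 1)[0].decode("ascii", "replace")
    return {
        "label": label,
        "has_journal": bool(compat & COMPAT_HAS_JOURNAL),
        # When set, a kernel mount may replay the journal and write to disk.
        "needs_recovery": bool(incompat & INCOMPAT_RECOVER),
    }

def build_sample_image(path):
    """Constructed test input: a 4 KiB file holding only a minimal superblock."""
    sb = bytearray(1024)
    struct.pack_into("<H", sb, 56, EXT_MAGIC)
    struct.pack_into("<II", sb, 92, COMPAT_HAS_JOURNAL, INCOMPAT_RECOVER)
    sb[120:128] = b"evidence"
    with open(path, "wb") as f:
        f.write(bytes(1024) + bytes(sb) + bytes(2048))

def demo():
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "sample.dd")
        build_sample_image(img)
        before = sha256_of(img)
        info = inspect_superblock(img)
        return info, before == sha256_of(img)

if __name__ == "__main__":
    print(demo())
```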