Ethical Hacking Training at InfoSec Institute

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Computer Forensics Computer-Forensics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Hardware write-blockers (not the whole anwser)

from [subscribe] Network Security [Permanent Link]
Subject: Re: Hardware write-blockers (not the whole anwser)
Date: Tue, 28 Dec 2004 10:19:14 -0500 
On Mon, 2004-12-27 at 11:44, Greg Freemyer wrote:

In response to a previous post about using the hdparm command as a
software write-blocker


I can't find this - who said you could/should use 'hdparm' as a software
write-blocker?





 a couple people sent private e-mails
suggesting a hardware write-blocker should always be used.


Yes, while fashionably bad, you can wear suspenders and a belt.





One particular concern was that doing Linux read-only mount of a
filesystem does make small changes to the filesystem and causes the
md5 hash to change.



WHY would anyone mount a filesystem to acquire it?  

Aside from that, if just previewing, you can mount ext3 as ext2 and that
prevents the journal count from incrementing.  Or why not change the
code in journal.c such that the count is *not* incremented?  I've done
this on my forensic boot cd, and testing thus far has proved it works
for ReiserFS as well.  I've not tested XFS, but it might be the same.





Below are my thoughts of why this is not really feasible and expresses
my hope that linux software write-blockers be implemented:

=====
I agree that mounting a drive read-only from Linux has the opportunity
to modify the original.



Absolutely.  If you don't know what you're doing and what might happen
you have the potential to alter data.




The fact that linux does so is a bug, and is recognized by at least
one filesystem support team as such. (XFS from SGI).


Is it a bug?  As well, have you tested the ext3 in 2.6 kernels?  This
was reported to be fixed in 2.5 ext3 code.




Still the bug has existed in various versions of the linux kernel for
various filesystems at various times, so I agree it is definately best
practice to not mount subject drives.



Yes, unless you need to.  Then do it safely.  Know your environment
(your Linux boot CD).  Know what you're doing.


Happy Holidays!

farmerdude


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
[More with this subject...]


<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Two hash, Barry J. Grundy
Next by Date:  Re: Two hash, Brian Carrier
Previous by Thread:  Hardware write-blockers (not the whole anwser), Greg Freemyer
Next by Thread:  Re: Hardware write-blockers (not the whole anwser), Rikard Johnels
Indexes:  [Date] [Thread] [Top] [All Lists]