On Fri, 16 Nov 2007 22:14:07 EST, Max Gribov said:
> Tom,
> you can mount the storage as read-only - any unix filesystem will
> support read-only mount, and provided your root account isnt
> compromised, no one can remount it as write. Root cant write to
> read-only mounted filesystems without remount either.

Note that most journaled file systems (on Linux, this includes ext3, reiserfs,
jfs, and xfs) will insist on replaying the journal and thus making changes
to the disk, even when mounting as read-only.

You'd really want to have some other utility that captures the journal
datastream before you do the mount, and then a utility to reverse-apply
the changes. In some cases, this may not be doable, as the journal doesn't
record what the status was *before* the event - for instance, a file permission
change event may only have the *new* value listed, so you can't roll it back.

There's also another issue - if you *do* create a "mount without journal
replay", you're quite likely going to screw things up gloriously, as the
whole *point* of the journal is to gloss over inconsistent data that hasn't
been fully synced to disk. You don't replay the journal, you may find some
parts of the filesystem (those that are affected by live journal entries)
won't be accurate, or may even crash the system. Of course, there's a very
high probability that "the files that the hacker was working on when we
pulled the plug" are *exactly* the pieces most likely to be zorkumblattum
if you don't replay the journal....

And I won't even get into the forensics-relevant semantics of ext3's
data=journaled/ordered/writeback options, other than to note that they *do*
have forensics implications....
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001

iD8DBQFHRJ4zcC3lWbTT17ARAmd8AJ40cDr50dglgq07REejB7snNQO4/gCfc5Do
BJ7vRn+SLZS+olg93tFm4/8=
=iOLE
-----END PGP SIGNATURE-----

[ reply ]