All of lore.kernel.org
 help / color / mirror / Atom feed
* xt4 - True Readonly mount [WAS - Re: [Bug 14354] Bad corruption with 2.6.32-rc1 and upwards]
@ 2009-10-30 14:20 Greg Freemyer
  2009-10-30 15:14 ` Eric Sandeen
                   ` (2 more replies)
  0 siblings, 3 replies; 15+ messages in thread
From: Greg Freemyer @ 2009-10-30 14:20 UTC (permalink / raw)
  To: Ted Augustine, Alexey Fisher; +Cc: linux-ext4

On Fri, Oct 30, 2009 at 4:22 AM,  <bugzilla-daemon@bugzilla.kernel.org> wrote:
> http://bugzilla.kernel.org/show_bug.cgi?id=14354
>
> --- Comment #152 from Alexey Fisher <bug-track@fisher-privat.net>  2009-10-30 08:22:10 ---
> Ted,
> Thank you for explanation :)
> Notice: i learning computer forensic, and was trained to mount all evidence
> systems with "-o ro" to not contaminate it. It seems like ext4 break this
> tradition, so many forensics will surprised  why md5sum do not match.

Ted,  (Alexey there is a response to further down).

I have not followed this thread ultra-closely but Alexey's comment got
my attention.

Ignoring computer forensics, with LVM snapshots, hardware raid array
snapshots, etc. even in the presence of a dirty log, we need to be
able to mount a drive in true read-only fashion fro many backup
operations to function correctly.

XFS added an extra mount flag for that 5 or so years ago.

I hope ext4 either has or will add a true read-only mount option.
Maybe Eric Sandeen remembers the actual drivers for adding that
feature to XFS.

Alexey,

I do computer forensics as part of my job (see my signature). Never
trust the -o ro flag with any filesystem type to keep evidence from
being modified.  It is not designed for forensic use.  And it is hard
to test because it may work in most scenarios, but then under certain
situations, the journal gets applied, or cleared, etc.

fyi: Yes I have read where doing so is advised, but I think that
technique was developed back before Journaled filesystems were common.
 With a modern FS, it is just not a reliable technique in all
situations.

If you must mount a filesystem readonly to perform an exam, then use a
hardware write-blocker to prevent modification.  If the filesystem
cannot be mounted readonly because a writeblocker is in use, then you
know you have issues.

The reality is that in more complex exams, we clone the original
evidence, then perform part of the exam in a live environment.  This
clearly modifies the clone, but not the original.  But the process
should be repeatable by simply making more clones, etc.

Greg
-- 
Greg Freemyer
Head of EDD Tape Extraction and Processing team
Litigation Triage Solutions Specialist
http://www.linkedin.com/in/gregfreemyer
Preservation and Forensic processing of Exchange Repositories White Paper -
<http://www.norcrossgroup.com/forms/whitepapers/tng_whitepaper_fpe.html>

The Norcross Group
The Intersection of Evidence & Technology
http://www.norcrossgroup.com
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 15+ messages in thread

end of thread, other threads:[~2009-11-04 16:20 UTC | newest]

Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2009-10-30 14:20 xt4 - True Readonly mount [WAS - Re: [Bug 14354] Bad corruption with 2.6.32-rc1 and upwards] Greg Freemyer
2009-10-30 15:14 ` Eric Sandeen
2009-10-30 15:31   ` Alexey Fisher
2009-10-30 16:14     ` Eric Sandeen
2009-10-30 16:52       ` Alexey Fisher
2009-10-30 17:13         ` Eric Sandeen
2009-10-30 17:43           ` Duane Griffin
2009-10-30 15:47 ` Alexey Fisher
2009-11-01  5:45 ` Theodore Tso
2009-11-02 21:59   ` Greg Freemyer
2009-11-02 22:53     ` Andreas Dilger
2009-11-02 23:02       ` Eric Sandeen
2009-11-04  8:05         ` Andreas Dilger
2009-11-04 16:20           ` Eric Sandeen
2009-11-03 13:52     ` Theodore Tso

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.