Feeds, issues, packages and source code about emulation and programming, of VENENUX projects, Debian related distros and massenkoh!

Forensics, recovering data: journaling or reading will always touch the data

When trying to recover data, leaving the disk untouched is very important, but a live disk or a read-only mount is not enough because of journaling features... so precautions must be taken to properly make images of the disk after testing data or trying to recover those important files. The untouched data is important to precisely trace the history of ...

SPANISH VERSION: https://groups.google.com/forum/m/#!topic/vegnuli/Lr-corc2Xrw (with updates)

The Journaling file system will always touch the data

When mounting (and unmounting) several journaling file systems with only the "-o ro" mount flag, a varying number of data writes will happen. This is caused by journaling, so here is a list of options that must be used when running the mount command; pass them with the "-o" flag:
| File system | When data writes happen | Notes |
|---|---|---|
| Ext3/Ext4 | File system requires journal recovery | To disable recovery: use "noload" flag, or use "ro,loop" flags, or use "ext2" file system type |
| Btrfs | File system has unfinished transactions | "nolog" flag does not work (see man mount). To disable journal updates: use "ro,loop" flags |
| ReiserFS | File system has unfinished transactions | "nolog" flag does not work (see man mount). To disable journal updates: use "ro,loop" flags |
| XFS | Always (when unmounting) | "norecovery" flag does not help (fixed in recent 2.6 kernels). To disable data writes: use "ro,loop" flags |
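
The table's options applied in a hash-verified mount, as an added example that is not part of the original post. The function names are hypothetical, combining "noload" with "ro,loop" for Ext3/Ext4 is a choice made here, and the mount step needs root.

```shell
#!/usr/bin/env bash
# Added example: hash an image, mount it with the options from the table,
# unmount it, and hash it again to show that nothing was written to it.

# Mount options per file system type, taken from the table above.
forensic_opts() {
    case "$1" in
        ext3|ext4)          echo "ro,loop,noload" ;;  # noload: skip journal recovery
        btrfs|reiserfs|xfs) echo "ro,loop" ;;
        *) echo "unsupported file system type: $1" >&2; return 1 ;;
    esac
}

# SHA-256 of an image file or block device (first field of sha256sum output).
image_digest() {
    sha256sum -- "$1" | cut -d' ' -f1
}

# Usage: verify_untouched IMAGE FSTYPE MOUNTPOINT
# Returns 0 if the image is unchanged, 1 if it was altered, 2 on any error.
verify_untouched() {
    local image="$1" fstype="$2" mnt="$3" opts before after
    opts=$(forensic_opts "$fstype") || return 2
    before=$(image_digest "$image") || return 2
    mount -t "$fstype" -o "$opts" "$image" "$mnt" || return 2
    # ... examine or copy files under "$mnt" here ...
    umount "$mnt" || return 2
    after=$(image_digest "$image") || return 2
    if [ "$before" = "$after" ]; then
        echo "OK: $image unchanged ($after)"
    else
        echo "ALTERED: $image $before -> $after" >&2
        return 1
    fi
}

# Run only when called with three arguments, so the file can also be sourced.
if [ "$#" -eq 3 ]; then
    verify_untouched "$1" "$2" "$3"
fi
```

Run it against a copy of the acquired image first; a differing hash after unmount means the chosen options did not stop the writes on that kernel.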

Read process can be interpreted as write process

If you perform read operations on a mounted, or even a non-mounted, file system, the operating system will try to read again. That is certainly not a problem in itself, but rather a hardware problem, and the latter must be avoided. And of course stupid winbuntu Linux always performs those checks, and now of course systemd does too.

During the boot process, the modified init script will test existing partitions for Ext3/4 file systems on fixed media. This happens because these scripts mount every supported file system type on every supported media type using only the "-o ro" flag in order to find a root file system image and, as we saw in the previous topic, that is not enough.

Concluding

You must use a proper Linux; VenenuX 0.9 does not perform those stupid "windo-like" "features".
