On 3/8/25 21:40, Christopher David Howie wrote:
> On 3/2/25 2:35 PM, David Christensen wrote:
>> The "norecovery" option for mount(8) seems like a dangerous design
>> choice. "readonly" is supposed to mean "do not write to disk". I
>> must remember that land mine if and when I want to do forensic work.
>
> To be fair, the first step of forensic work is "make an image of the
> drive and save it somewhere read-only." This way if you attempt to
> mount the image without norecovery, it barks at you because the
> underlying medium is read-only.
>
> You then work either with copies of the image. (Or thin layered images
> using the original as a backing image, which will redirect writes to the
> higher layer, leaving the original image untouched. Semantically the
> same as making a copy but without wasting a bunch of space.)

AIUI the ideal approach for forensics is to ddrescue(1) the source disk
to a known good, identical disk, and then work on the copy.

David
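
The workflow discussed in this thread (keep the acquired image read-only, work on a copy or a thin overlay), sketched as an added example that is not part of either poster's message. The file names, the SHA-256 sidecar file and the use of qemu-img for the overlay are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread). File names are hypothetical.

# SHA-256 of a file, hex digest only.
image_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Seal an acquired image: record its digest beside it, then clear write bits.
# root can still write to a mode-0444 file, so the digest is the real check.
seal_image() {
    image_hash "$1" > "$1.sha256" || return 1
    chmod a-w "$1" "$1.sha256"
}

# Succeeds only if the image still matches the digest recorded at seal time.
verify_image() {
    [ "$(image_hash "$1")" = "$(cat "$1.sha256")" ]
}

# Thin layered image: a qcow2 overlay whose backing file is the sealed raw
# image, so writes land in the overlay. Assumes qemu-img is installed.
make_overlay() {
    base=$(readlink -f "$1") || return 1
    qemu-img create -f qcow2 -F raw -b "$base" "$2"
}

# Typical sequence, run by hand (hypothetical paths):
#   seal_image evidence.img
#   make_overlay evidence.img work.qcow2
#   ... attach work.qcow2 and mount it with -o ro,norecovery ...
#   verify_image evidence.img || echo "original image changed" >&2
```

Running verify_image after each session shows whether anything, including a journal replay triggered by a mount without norecovery, touched the original.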