[unisog] Do Windows file access, file mod, file create timestamps lie?

Wyman Miles wm63 at cornell.edu
Wed Sep 19 19:51:26 GMT 2007



--On Wednesday, September 19, 2007 1:48 PM -0400 Valdis.Kletnieks at vt.edu wrote:

> On Wed, 19 Sep 2007 13:23:48 EDT, Brian Smith-Sweeney said:
>> Read-only volumes should be read-only.  Representing them otherwise,
>> even if you're not actually modifying them, is a Bad Thing.
>
> My personal pet peeve - Linux ext3 file system journalling will insist on
> replaying the journal even if you mount it as 'readonly'.  Wonderful
> semantics if you're a user/sysadmin - it brings the filesystem into a
> consistent state and then enforces no userspace writes.  Sucks if you're
> a kernel/filesystem developer or forensics person who *cares* about
> what's in the journal as it's relevant to why you're trying to access a
> filesystem without journal replay...

I've found this for several journaling filesystems -- XFS does it too. 
LVM2 volumes want to do volume consistency stuff at mount, regardless of 
the underlying filesystem.

Most of the time, going through a write-blocker is sufficient.  In my 
experimentation with XFS, though, it simply would not mount without 
replaying the journal.  No amount of write-blocker magic and arcane 
arguments to mount would change its mind.  I guess this speaks well for the 
filesystem but it's not so good for forensic purity.

We periodically test our write-blockers, software, and practices versus 
some reference hardware and the NIST hash reference files.  Things that 
sneak through and sour an image are surprising, to say the least.  And the 
write-blockers need constant firmware attention to keep pace with changing 
drive technology.


Wyman Miles
Senior Security Engineer
Cornell University, Ithaca, NY
(607) 255-8421
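A check in the spirit of the write-blocker testing described above, added here as an example rather than anything from the post or the list: hash the evidence image, attempt the read-only mount, then re-hash to prove the mount itself left the image untouched. The mount helper, its choice of options (`noload` for ext3/ext4, `norecovery` for XFS) and the tool names (`losetup`, `mount`, `sha256sum`) are assumptions about a Linux toolchain, and the mount step needs root.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes GNU coreutils
# (sha256sum), util-linux (losetup, mount) and root for the mount step.

# hash_file FILE -> print the SHA-256 hex digest of FILE
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# run_unchanged FILE CMD... -> run CMD; return 0 if FILE's hash is identical
# before and after, 1 if the command altered the file. A failing CMD is
# reported on stderr but the verdict is still based on the hashes, because
# a mount that fails *and* modifies the image is the case we care about.
run_unchanged() {
    file=$1; shift
    before=$(hash_file "$file")
    if ! "$@" >/dev/null 2>&1; then
        echo "warning: command exited non-zero: $*" >&2
    fi
    after=$(hash_file "$file")
    [ "$before" = "$after" ]
}

# mount_image_noreplay IMAGE FSTYPE MOUNTPOINT -> attach IMAGE through a
# read-only loop device and mount it read-only while asking the filesystem
# not to replay its journal. Option names are the ones documented for the
# Linux ext3/ext4 and XFS drivers; other filesystems get plain 'ro'.
mount_image_noreplay() {
    image=$1; fstype=$2; mnt=$3
    case $fstype in
        ext3|ext4) opts="ro,noload" ;;
        xfs)       opts="ro,norecovery" ;;
        *)         opts="ro" ;;
    esac
    dev=$(losetup --find --show --read-only "$image") || return 1
    mount -t "$fstype" -o "$opts" "$dev" "$mnt"
}

# Usage as root against an acquired image (paths are placeholders):
#   run_unchanged evidence.dd mount_image_noreplay evidence.dd xfs /mnt/ev \
#       && echo "image hash unchanged" || echo "WARNING: image was modified"
```

Run the same comparison against the raw block device hash from before the mount attempt when testing a hardware write-blocker, since the loop device only protects the image file, not the drive behind it.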