No. From a forensics point of view you want to do as little as possible to modify *anything* on the filesystem. You should (if at all possible) mount the filesystem read-only and without an FSCK. (mounting it read-only will probably make Linux a bit more willing to mount it even in the face of errors). If you absolutely *must* do an FSCK to get the image to mount, then keep an unadulterated copy of the FS in case the defence questions the data that you generate from the FSCKed image. Valdis.Kletnieksat_private wrote: > On Mon, 30 Dec 2002 18:30:52 +0800, Susan Chan Lee said: > 'mke2fs' is the moral equivalent of the Microsoft 'format c:'. You've just > trashed any useful data there. Try again from an unmangled copy - what you > probablyh wanted to use was 'losetup' and then 'fsck' (file system consistency > checker). -- Stephen Samuel +1(604)876-0426 samuelat_private http://www.bcgreen.com/~samuel/ Powerful committed communication, reaching through fear, uncertainty and doubt to touch the jewel within each person and bring it to life. ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sun Jan 05 2003 - 15:44:25 PST