Le 18/08/2016 23:09, Renaud (Ron) OLGIATI a écrit :
> On Thu, 18 Aug 2016 22:48:39 +0200
> "Dr. Nikolaus Klepp" <dr.klepp@???> wrote:
>
>>> Not sure, but could you try to also mount the disk with the noatime
>>> option. I don't know if ro implies noatime.
>> I remember an article in german "Linuxmagazin" ~ 10 Jears ago where it said that the stock kernel drivers for all journaling file systems on linux are broken for forensic analysis due to the fact that these drivers always update the journal despite the filesystem mounted read only. Looks like that statement is still true.
>>
>> The workaround given that time was to make a image of the whole device, make that image immutable, and mount the partions of that image.
> Would mounting as ext2 (non journaling) help in that case ?
Why not try it? ext2, ro, noatime.