BackTrack 4 Pre Release is not forensically safe in "forensics" mode

[thefuf1]

BackTrack 4 Pre Release recovers Ext3 file systems during the boot process and thus modifies the data on suspect media (including at least one important file system timestamp: "Last Write Time"); the screenshot is below. The "bug" is in initrd casper scripts that perform unsafe fake read-only mounts of several file system types. The patch for scripts/casper-helpers function get_fstype():

Code:

 get_fstype() { 
     local FSTYPE 
     local FSSIZE 
     eval $(fstype < $1) 
 
     # Fix: do not allow journal recovery on Ext3 
     if [ "$FSTYPE" = "ext3" ]; then 
         echo "ext2" 
         return 0 
     fi 
 
     # Fix: do not allow journal recovery on Ext4 
     if [ "$FSTYPE" = "ext4" ]; then 
         echo "ext2" 
         return 0 
     fi 
 
     if [ "$FSTYPE" != "unknown" ]; then 
         echo $FSTYPE 
         return 0 
     fi 
     /lib/udev/vol_id -t $1 2>/dev/null 
 }

This will force all possible Ext3/4 mounts during the boot to disable all journal recovery actions.

hxxp://img53.imageshack.us/img53/8003/bt4fail.png (change to "http"; not allowed to post URLs to external sites)