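r*****s Posts: 262 | 1 A question about keeping data private.
I have a Linux PC. If someone booted my PC
from a Linux disc in my optical drive,
mounted my Linux hard disk, and then read the data on the disk,
would that leave any trace of the read on the Linux hard disk in my PC?
If so, how do I find that trace?
Thanks |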
S*A Posts: 7142 | 2 It depends on how it is mounted.
If it is mounted read-only, then there are no writes to the disk at all.
If it is mounted read/write, then most likely there are some
writes to the disk.
If the disk is ext3/ext4 and did not disable the "atime" option,
the access time stamp will be modified on reading the file.
You can use find to find it.
The first thing you should do is "dd" the whole disk image
to a backup disk to save a snapshot.
Bao zi please. |
A**u Posts: 2458 | 3 Such an expert, I'm in awe.
[Quoting S*A's post]
: It depends on how it is mounted.
: If it is mounted read-only, then there are no writes to the disk at all.
: If it is mounted read/write, then most likely there are some
: writes to the disk.
: If the disk is ext3/ext4 and did not disable the "atime" option,
: the access time stamp will be modified on reading the file.
: You can use find to find it.
: The first thing you should do is "dd" the whole disk image
: to a backup disk to save a snapshot.
: Bao zi please.
|
r*****s Posts: 262 | 4 Thanks, big brother.
I only have 7.7 bucks right now; I've sent the baozi.
I still need to ask how to find the atime. Is the atime on the file that was read, or somewhere on the hard disk,
or is there some file that manages all the atimes?
[Quoting S*A's post]
: It depends on how it is mounted.
: If it is mounted read-only, then there are no writes to the disk at all.
: If it is mounted read/write, then most likely there are some
: writes to the disk.
: If the disk is ext3/ext4 and did not disable the "atime" option,
: the access time stamp will be modified on reading the file.
: You can use find to find it.
: The first thing you should do is "dd" the whole disk image
: to a backup disk to save a snapshot.
: Bao zi please.
|
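D*V Posts: 3096 | 5 /etc/mtab
/etc/fstab
[Quoting r*****s's post]
: Thanks, big brother.
: I only have 7.7 bucks right now; I've sent the baozi.
: I still need to ask how to find the atime. Is the atime on the file that was read, or somewhere on the hard disk,
: or is there some file that manages all the atimes?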
|
S*A Posts: 7142 | 6 atime is one field of the file's inode. It is per file.
There are three time fields in a typical UNIX inode:
ctime: create time
mtime: modify time
atime: access time
You can use "stat" to access the atime.
e.g.
$ stat /tmp/abc
File: `/tmp/abc'
Size: 2444 Blocks: 8 IO Block: 4096 regular file
Device: 803h/2051d Inode: 5684 Links: 1
Access: (0600/-rw-------) Uid: ( 500/ uname) Gid: ( 500/ uname)
Context: unconfined_u:object_r:user_tmp_t:s0
Access: 2011-09-24 10:30:14.095091232 -0700
Modify: 2011-09-16 21:01:14.001845523 -0700
Change: 2011-09-16 21:01:14.001845523 -0700
Birth: -
$
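That shows the ctime and mtime are the same.
But atime is different.
[Quoting r*****s's post]
: Thanks, big brother.
: I only have 7.7 bucks right now; I've sent the baozi.
: I still need to ask how to find the atime. Is the atime on the file that was read, or somewhere on the hard disk,
: or is there some file that manages all the atimes?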
|
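The find and stat approach from the replies above, as an added example that is not part of any poster's message: it lists files whose access time is later than a chosen reference time, and files whose atime is newer than their mtime. It assumes GNU find and GNU touch; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: look for atime evidence of reads. Needs GNU find and touch.
# Run it against a read-only mount of the dd copy, never the original disk.
# Caveat: a read-only or noatime mount by the intruder leaves atime untouched,
# and relatime only advances atime when it is not newer than mtime/ctime or
# is more than 24 hours old, so an empty result does not prove nothing was read.

# files_read_since ROOT TIMESTAMP
# Print "<atime> <path>" for regular files accessed after TIMESTAMP,
# oldest access first. -xdev keeps find on the one filesystem.
files_read_since() {
    find "$1" -xdev -type f -newerat "$2" -printf '%A+ %p\n' | sort
}

# read_after_modified ROOT
# Print paths of regular files whose atime is later than their mtime,
# i.e. files that were read at some point after their last modification.
# Paths containing newlines are not handled.
read_after_modified() {
    find "$1" -xdev -type f -printf '%A@ %T@ %p\n' |
        awk '$1 > $2 { sub(/^[^ ]+ [^ ]+ /, ""); print }' | sort
}

# Constructed sample tree: two files last modified on 2011-09-16,
# one of them given a later atime to stand in for an unexpected read.
demo() {
    d=$(mktemp -d) || return 1
    echo data > "$d/untouched.txt"
    echo data > "$d/read-later.txt"
    touch -d '2011-09-16 21:01:14' "$d/untouched.txt" "$d/read-later.txt"
    touch -a -d '2011-09-24 10:30:14' "$d/read-later.txt"
    echo "accessed after 2011-09-20 00:00:00:"
    files_read_since "$d" '2011-09-20 00:00:00'
    echo "atime newer than mtime:"
    read_after_modified "$d"
    rm -rf "$d"
}
demo
```

Pick the reference time from something you trust, such as the last time you know you shut the machine down yourself.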
S*A Posts: 7142 | 7 Expert, my foot. I'm just a small-timer trying to make a living.
[Quoting A**u's post]
: Such an expert, I'm in awe.
|