I think that it's more likely that it's done at the kernel level. That they actually made a
patch that removed the ability of the kernel to write to drives.
With a live cdrom you should be able to eliminate all ability to write to any media, period.
The only thing you would have to have write access to is tmpfs.
I bet it would be useful for making images. Say you use dd to read the drive then netcat to
transmit the image over a network to another machine that has read-write ability. That way you
could prove in court that under no circumstances any OS other than the one used by the
defendant had any ability to write to that drive. It would be demonstrable that the
investigator could not write to the drive even if they tried.
Linux tool speeds up police computer forensics (ZDNet)
Posted Mar 7, 2008 3:33 UTC (Fri) by ncm (subscriber, #165)
Except it's also, mysteriously, unable to write to the network.
Linux tool speeds up police computer forensics (ZDNet)
Posted Mar 7, 2008 3:51 UTC (Fri) by njs (subscriber, #40338)
> I think that it's more likely that it's done at the kernel level. That they actually made a
patch that removed the ability of the kernel to write to drives.
That would be the cool way to do it, but I doubt that a few random admins in Australia really
want to start maintaining their own modified ATA/USB/Firewire/etc. stacks. It also is
incompatible with the quote in the article that says "if for some reason a disk is writeable,
the system will halt automatically", which wouldn't make sense if their kernel had no
writeable state in the first place. It sounds more like they just made a livecd that mounts
filesystems readonly, and also as a crude defense against "mount -o rw,remount" they added a
cronjob that does "mount | grep -q rw && halt" every few seconds.
Which makes sense, in context -- it sounds like the goal was to create a tool that ordinary
police officers could use to quickly check for the presence of contraband material, to reduce
the amount of work that skilled technicians would need to do. Those who are clever enough to
convince the CD to give them a shell, remount the drives, and start modifying things, are
already working back in the lab anyway :-).
> I bet it would be useful for making images. Say you use dd to read the drive then netcat to
transmit the image over a network to another machine that has read-write ability. That way you
could prove in court that under no circumstances any OS other than the one used by the
defendant had any ability to write to that drive.
*cough* ...and the OS running on the machine that's actually writing out the disk image? This
sounds more like gee-whiz -- not that there's anything wrong with gee-whiz! -- than real
security...
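As an added illustration (not code from the thread, the article, or the police tool itself), here is what a slightly sturdier version of the "mount | grep -q rw && halt" watchdog described in the comment above could look like. It reads the /proc/self/mounts field layout instead of the human-readable mount(8) output, and it only flags block devices (/dev/...) carrying the "rw" option, because a live CD legitimately keeps tmpfs, proc and sysfs writeable. The sample mount table is constructed for the example; the halt action is left to the caller.

```shell
#!/bin/sh
# Added example, not from the original thread: a read-only watchdog that
# flags only real block devices mounted rw. Input is in /proc/self/mounts
# format: device mountpoint fstype options dump pass

# rw_block_mounts: read a mounts table on stdin and print
# "device mountpoint" for every /dev/* filesystem whose option list
# contains the exact option "rw" (so "ro" mounts, and mountpoints or
# fstypes that merely contain the letters "rw", are not matched).
rw_block_mounts() {
    awk '
        $1 ~ /^\/dev\// {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] == "rw") { print $1, $2; break }
            }
        }'
}

# mounts_are_readonly: exit 0 when no block device is mounted rw,
# 1 otherwise. Reads the mounts table on stdin.
mounts_are_readonly() {
    [ -z "$(rw_block_mounts)" ]
}

# Constructed sample (not captured from a real system). tmpfs is rw as it
# must be on a live CD, two evidence partitions and the CD are ro, one
# evidence partition has been remounted rw, and one ro mountpoint happens
# to contain the substring "rw".
SAMPLE_MOUNTS='proc /proc proc rw,nosuid,nodev,noexec 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sr0 /cdrom iso9660 ro,nosuid,nodev 0 0
/dev/sda1 /mnt/evidence/sda1 ntfs ro,nosuid,nodev,noexec 0 0
/dev/sda2 /mnt/evidence/sda2 ext3 rw,noatime 0 0
/dev/sdb1 /mnt/forward vfat ro,nosuid,nodev 0 0'

# Live use, e.g. from a cron job every few seconds as the comment suggests:
#   sh watchdog.sh --check || halt
if [ "${1:-}" = "--check" ]; then
    mounts_are_readonly < /proc/self/mounts
    exit $?
elif [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_MOUNTS" | rw_block_mounts
fi
```

Run with --demo on the constructed table and only "/dev/sda2 /mnt/evidence/sda2" is reported; the naive grep would have matched the tmpfs line (and the "/mnt/forward" line) and halted the box on every boot. Note that a polling cron job still leaves a window of a few seconds between a remount and the halt; this is a cleaner check, not a fix for that race.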
Linux tool speeds up police computer forensics (ZDNet)
Posted Mar 7, 2008 5:58 UTC (Fri) by drag (subscriber, #31333)
> *cough* ...and the OS running on the machine that's actually writing out the disk image?
This sounds more like gee-whiz -- not that there's anything wrong with gee-whiz! -- than real
security...
The investigator can molest that all he wants. That's the entire point of making an image in
the first place. Of course you're going to have more than one copy.
In order to investigate files he will at some point have to access a copy of that file system, and
essentially every time you do that it makes changes. If there is any doubt as to the validity of
the investigator, then you can get a third party to run their own investigation on his
investigation by making their own image of the original, pristine drive.
As far as network security goes you just do it on the physical level, i.e., don't connect it to
any router or anything that can access any external network.
The point is not so much security as audit-ability.
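An added example (not from the thread, and not the tool the article describes) of the "dd the drive, netcat it to a box that may write" acquisition proposed earlier, with the one addition that makes the audit-ability argument above hold up: the hash is computed from the very same byte stream that leaves the read-only machine, so the receiver, or a third party who re-images the pristine drive later, can show the copy is exact. It assumes coreutils-style dd and sha256sum; the netcat command lines are shown only in comments because flag syntax differs between nc variants, and the self-test images an ordinary constructed file in place of a drive.

```shell
#!/bin/sh
# Added example, not from the original thread: stream a device read-only,
# hash the stream in flight, and verify the stored image against that hash.

# acquire SRC HASHFILE
#   Copy SRC (a block device or any file) to stdout unchanged and write the
#   SHA-256 of that same stream to HASHFILE. SRC is only ever opened for
#   reading; HASHFILE can live on tmpfs.
acquire() {
    src=$1
    hashfile=$2
    fifo="${TMPDIR:-/tmp}/acquire.$$.fifo"
    mkfifo "$fifo" || return 1
    # One copy of the stream goes to sha256sum through the fifo, the other
    # copy goes to stdout (the transport), so both see identical bytes.
    sha256sum < "$fifo" | awk '{ print $1 }' > "$hashfile" &
    dd if="$src" bs=1M 2>/dev/null | tee "$fifo"
    wait
    rm -f "$fifo"
}

# verify IMAGE HASHFILE
#   Receiver-side check: rehash the stored image and compare with the
#   in-flight hash. Returns 0 on match, 1 on mismatch or missing hash.
verify() {
    image=$1
    hashfile=$2
    expected=$(cat "$hashfile" 2>/dev/null)
    actual=$(sha256sum < "$image" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Over an isolated cable (no router, as the comment says) this becomes:
#   read-only box:  acquire /dev/sda /tmp/sda.sha256 | nc COLLECTOR 9000
#   collector:      nc -l 9000 > sda.img        # or "nc -l -p 9000"
#                   verify sda.img sda.sha256   # after copying the hash over
# Anyone who later re-images the original drive can compare hashes and show
# whether the working copies the investigator modified came from it.

# demo: constructed self-test using a regular file as the "drive".
# Returns 0 when the image verifies and is byte-identical to the source.
demo() {
    work="${TMPDIR:-/tmp}/acquire-demo.$$"
    mkdir -p "$work" || return 1
    seq 1 200000 > "$work/drive"                 # constructed contents
    acquire "$work/drive" "$work/drive.sha256" > "$work/drive.img"
    verify "$work/drive.img" "$work/drive.sha256" && cmp -s "$work/drive" "$work/drive.img"
    rc=$?
    rm -rf "$work"
    return $rc
}

if [ "${1:-}" = "--demo" ]; then
    demo && echo "image verified"
fi
```

Run with --demo to exercise the whole path locally. The design point is that the hash is taken from the same read that produced the image rather than from a second pass over the drive, which is what lets the read-only box keep nothing but a short hash file.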