Quote:
It should be possible of course with software, to mount a writable media read-only, in such a fashion that NO writes are done whatsoever to it.
This won't work for all filesystems because they often increase a mount count even if mounting read-only, thus rendering it impossible to verify hashes.
Quote:
If that is not possible, then it should be possible to use a software modification which causes the block device driver to behave as a readonly one, even if the device is writable.
That's a nice theory, and honestly, I would think that's the case with the linux kernel. However, consider that a lot of forensics are done using Windows boxes. It may be a crutch in theory, but in practice it's apparently the difference between having your evidence thrown out and having it admitted.