Re: How about deniability? (read:http://www.zdnet.co.uk/print/?TYPE=story&AT=39269746-39020330t-10000025c)

Thomas Weinbrenner wrote:
> The timestamps will show that the files weren't accessed for months or
> even years. And there are also all those logfiles in /var/log which
> include dates. I think there will be enough proof that the system
> can't be the system you are normally using.

Q:  Why haven't files been accessed for months?
A:  Because file system superblocks contain the "noatime" default mount option.

Q:  Why aren't there any log files in /var/log/* ?
A:  Because init scripts have been modified to shred and remove /var/log/*
    and some other files and directories in /var on shutdown.

In addition, a shell script, run as a cron job once a week from the 'normal'
root partition /dev/hda4, does these: (1) Fsck and mount the /dev/hda2 (via
encrypted loop) and /dev/hda1 partitions so that their previous fsck and mount
times are updated on their superblocks. (2) Touch some decoy files and
directories from the /dev/hda2 partition.

-- 
Jari Ruusu  1024R/3A220F51 5B 4B F9 BB D3 3F 52 E9  DB 1D EB E3 24 0E A9 DD

-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/

