
I have been testing file carving to try to preview the contents of a drive before imaging. File carving takes a long, long time. A faster solution (I think) is to mount the drive and search. Now for forensics mounting a drive is a big no-no, but sometimes it is just needed. Especially if you want a 15-minute preview instead of a 2-day 'preview'.

I work a lot with Debian Live, so the commands and how they work will pertain to Debian. Test everything (and tell me results)! Don't take my word for it.

For mounting a drive under Linux you have the standard 'mount' command. When mounting you can specify the -o ro option, which theoretically puts you in a safe read-only state... or does it? Does it always work? Does it stop everything?

Another option that I recently found was the 'blockdev' command. You can flag the block device read-only even before mounting it:
blockdev --report
blockdev --setro /dev/device

But my professor brought up the point - these probably depend on the driver used. Maybe a driver for ntfs totally ignores the ro switch? I don't totally agree that blockdev would be based on the driver, but how do you test whether the drive actually is in ro without writing? What if it fails?

Then the saving grace - loopback devices. Treat the partition like an image file and mount it through a loopback device. You don't need to worry about drivers, support, etc.
To do this use losetup to create a loopback device:
losetup -r /dev/loop1 /dev/hda1
This creates a read-only loopback device pointing to /dev/hda1.
Then you can mount the loopback device (read-only if you are paranoid):
mount -o ro /dev/loop1 /media/test
This mounts the loopback device loop1 at /media/test. You can then traverse the directory tree of /dev/hda1 just as if it were mounted directly.
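As an added example (not from the original post), here is the whole preview procedure as a shell function that also answers the "how do you check it is read-only without writing?" question from above: blockdev --getro reports the kernel's read-only flag, and the options column of /proc/mounts shows whether the mount itself is ro. The device and mount point arguments are placeholders; the helper that reads the mount table takes it on stdin so it can be checked against a constructed sample.

```shell
#!/bin/sh
# Read-only preview of a partition via a loop device, with a check after each step.
# Example (run as root): preview_mount /dev/hda1 /media/test

# Return 0 if mount point $1 appears in a /proc/mounts-style table (read from stdin)
# with "ro" among its options, 1 otherwise. Fields: device mountpoint fstype options ...
mount_is_ro() {
    mnt="$1"
    awk -v m="$mnt" '
        $2 == m { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Set the partition read-only at the block layer, wrap it in a read-only loop
# device, mount that read-only, then confirm the result from the kernel's own tables.
preview_mount() {
    dev="$1"; mnt="$2"
    # 1. kernel-level read-only flag on the underlying block device
    blockdev --setro "$dev" || return 1
    # 2. read the flag back instead of trusting the command: getro prints 1 when set
    [ "$(blockdev --getro "$dev")" = "1" ] || return 1
    # 3. read-only loop device; -f picks a free loopN and --show prints its name
    loop=$(losetup -r -f --show "$dev") || return 1
    # 4. read-only mount, with noexec/nosuid/nodev so nothing on the evidence can run
    mkdir -p "$mnt"
    mount -o ro,noexec,nosuid,nodev,noatime "$loop" "$mnt" || { losetup -d "$loop"; return 1; }
    # 5. confirm the mount really is ro according to /proc/mounts
    mount_is_ro "$mnt" < /proc/mounts
}
```

Note that this only proves the block layer and the mount are flagged read-only; whether a given filesystem driver honours the flag for things like journal replay still has to be tested per driver, as the post says.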