You are right, it's the journal that can change the hash. Read this

But I wouldn't call that a bug, it's intended behaviour. If it wouldn't be implemented like that the journal could not guarantee the integrity of the filesystem after a crash.

Did some research on this, slide 53 suggest that the Journaled File system tracks the number of times the file system is mounted and that accounts for the changes in hashes.
http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-willis-c/bh-us-03-willis.pdf#search=%22forensics%20ext3%20journaling%20hashes%22



I would say that this is a bug with the linux loopback driver, which is why that  sleuthkit article suggest modding it. Of course, the patch is only for the 2.4 kernel. Its funny because I discussed this possibility with two other forensics guys and they both agreed that this was impossible and none of us had ever seen it. So would you agree then, it would be best practices if using a host linux system and mounting either reiserfs or ext3 image to either use a hardware write blocker or burn the image to DVD to be on the safe side? Also, does this apply only to the mounting of the original device(because then it wouldn't really apply) or the image copy(which is what I'm concerned with).

I guess I completely misunderstood you then. I was thinking that your were suggesting that the image hashes would be changed. Thats what got me thinking about it. When I say image, I'm always refering to a copy, not original file system. I wasn't really worried about the original device because we never use that, unless its to determine if there is an actual incident worth investigating. Wow I really wasted a few hours researching this, but I least I know a little bit more about journaling now.

Most of the confusion seems to be around the term 'mount'. Tools like Encase do not mount forensic images as you would a loopback file system for example. Forensic tools analyse a file system in the same way as you would analyse any other binary file i.e.  it reads it and understands the structure but does not access it in the way it you natively would.

Another example of the difference between mounting and analysing could be drawn between file systems and MS Office documents. If you open a document in Word, the way you would normally, you risk altering the file. Tools exist to access the content of the document in a safe manner, or you can simply work on a copy (of a copy) of the evidence.

Good practice is to work on a copy of any image you have taken. This reduces the risk that you will need to re-image a device which can only act to increase the risk of compromising your evidence.

Jim