
| Subject: | RE: Mounting LVM image for analysis |
|---|---|
| Date: | Sun, 20 Aug 2006 19:09:29 -0700 |
If you've already got the partitions dd'd out, this is what I normally do using loop devices:

How to import LVM after first dd:

losetup -f (find a free loop device)
losetup -d (if needed to unmount other loop devices)
losetup /dev/loop0 /path/to/lvm.img (map loop device to image)
pvscan (scan for new physical volumes)
vgimport <volumegroupname> (import your VG*)
vgchange -ay <volumegroupname> (activate the VG)
mount /dev/<volumegroupname>

* Sometimes I've had to "export" the VG before being able to import it using vgexport.

From here you can either:

dd if=/dev/<volumegroupname>/<logicalvolumename> of=/path/to/<host>vg00lv00.img

OR

mount -o loop,ro,noexec,noatime,nodev /dev/<volumegroupname>/<logicalvolumename> /mnt/point

You can mount the logical volumes from the mounted loop device if you wish. One of the caveats to this approach is that, as far as I know, each LVM you mount must have a unique Volume Group name (yes, I ran into this problem :)). If you dd out each of the LVs, you can mount them as if they were normal partitions in the future.

Also, as your LVM probably has a lot of LVs in it, you will quickly run out of the 8 loop devices Linux allows by default. If using GRUB, you must pass a max_loop=X argument to set the number of loop devices available on boot. LILO probably has something similar.

More and more distributions seem to be using LVM now by default (RedHat server and Ubuntu come to mind). I pieced this together but never found anywhere on the web with this info in one place. I hope it helps!

Patrick

-----Original Message-----
From: Nathaniel Hall [mailto:nathaniel.d.hall@gmail.com]
Sent: Thursday, August 17, 2006 11:10 AM
To: forensics@securityfocus.com
Subject: Mounting LVM image for analysis

Maybe I haven't looked deep enough, but I figure the experts would know best. I believe a system of mine may have been compromised with a rootkit. I have already taken an image of the system and split out the partitions using the output from mmls and dcfldd. One of my partitions is an LVM partition. It was on a SAN and we made it LVM so the partition could be extended, but it never was. I have the image on a forensic system and I would like to be able to browse the image as if it was another disk in the system. What would I need to do?

--
Nathaniel Hall, GSEC GCFW GCIA GCIH
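The procedure in Patrick's reply, worked through as an added example that is not part of the thread: it parses the mmls table Nathaniel mentions to locate the LVM partition inside the whole-disk image, so the loop device can be attached at that byte offset, read-only, without first dd'ing the partition out. The mmls output, the image path, the VG and LV names and the mount point are all constructed values; the losetup flags -r, -f, --show, -o and --sizelimit are assumed from util-linux, and the VG and LV names would come from pvscan/lvs after activation.

```python
import re
from typing import List, Tuple

# Constructed sample of `mmls` output for a whole-disk image (not from the thread).
SAMPLE_MMLS = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Primary Table (#0)
01:  -----   0000000000   0000000062   0000000063   Unallocated
02:  00:00   0000000063   0000208844   0000208782   Linux (0x83)
03:  00:01   0000208845   0016777215   0016568371   Linux Logical Volume Manager (0x8E)
"""

# One mmls row: "NN:  slot  start  end  length  description"
ROW = re.compile(r"^\d+:\s+\S+\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")
UNITS = re.compile(r"Units are in (\d+)-byte sectors")
MOUNT_OPTS = "ro,noexec,nodev,noatime"  # the read-only mount options from the reply


def lvm_partitions(mmls_text: str) -> List[Tuple[int, int]]:
    """Return (byte_offset, byte_length) for every partition mmls labels as LVM (type 0x8e)."""
    units = UNITS.search(mmls_text)
    sector = int(units.group(1)) if units else 512
    found = []
    for line in mmls_text.splitlines():
        row = ROW.match(line)
        if row and "0x8e" in row.group(4).lower():
            start, length = int(row.group(1)), int(row.group(3))
            found.append((start * sector, length * sector))
    return found


def mount_plan(image: str, vg: str, lvs: List[str], mountpoint: str,
               part: Tuple[int, int]) -> List[str]:
    """Commands, in order, to expose one LVM partition of a disk image read-only.

    vg/lvs are assumed to be known from pvscan and lvs output; each LV gets its own
    read-only mount under mountpoint. Only one loop device is consumed for the
    whole VG, which helps with the 8-device default the reply warns about."""
    offset, length = part
    plan = [
        # -r: read-only loop; -o/--sizelimit confine it to the partition; --show prints the device
        f"losetup -r -f --show -o {offset} --sizelimit {length} {image}",
        "pvscan",
        f"vgchange -ay {vg}",
    ]
    plan += [f"mount -o {MOUNT_OPTS} /dev/{vg}/{lv} {mountpoint}/{lv}" for lv in lvs]
    return plan
```

Because the loop device is attached with -r, the kernel refuses writes to the image even if a later mount command omits ro, which is the property an examiner wants before touching evidence.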