
Mounting LVM image for analysis

Subject: Mounting LVM image for analysis
Date: Mon, 21 Aug 2006 07:57:42 -0500
Use the iSCSI Enterprise Target software to serve your disk image as a
virtual disk.

There's a good HOWTO here:

        http://fedoranews.org/mediawiki/index.php/Going_Enterprise_-_setup_your_FC4_iSCSI_target_in_5_minutes

and here:

        http://mail.digicola.com/wiki/index.php?title=User:Martin:iSCSI


Once you configure your iSCSI target and initiator, you'll be able to
see your forensic disk image as a virtual SCSI device on your system.

I have done this many times.

FYI, an iSCSI initiator is essentially a virtual SCSI controller, and
an iSCSI target is a virtual SCSI device.  You can run both pieces of
software on the same system.


On Sun, 2006-08-20 at 22:21 +0000, forensics-digest-help@securityfocus.com wrote:
forensics Digest 20 Aug 2006 22:21:46 -0000 Issue 599

Topics (messages 3315 through 3315):

Mounting LVM image for analysis
      3315 by: Nathaniel Hall


----------------------------------------------------------------------
email message attachment (forensics_3315.ezm)
Maybe I haven't looked deep enough, but I figure the experts would know
best.  I believe a system of mine may have been compromised with a
rootkit.  I have already taken an image of the system and split out the
partitions using the output from mmls and dcfldd.  One of my partitions
is an LVM partition.  It was on a SAN and we made it LVM so the
partition could be extended, but it never was.

I have the image on a Forensic system and I would like to be able to
browse the image as if it was another disk in the system.  What would I
need to do?
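
A pre-check that fits before the iSCSI step described in the reply, as an added example that is not part of the original thread: it confirms that a split-out partition image begins with an LVM2 physical volume label and is not shorter than the size the PV records. The function names and sample bytes are constructed for illustration, and the label CRC is not verified.

```python
import struct

SECTOR = 512

def read_pv_label(head: bytes):
    """Find the LVM2 label in the first four sectors; return PV details or None."""
    for n in range(4):  # LVM2 looks for the label in sectors 0-3 (normally sector 1)
        sec = head[n * SECTOR:(n + 1) * SECTOR]
        if len(sec) < SECTOR or sec[:8] != b"LABELONE":
            continue
        # label_header (little-endian): id[8], sector u64, crc u32, offset u32, type[8]
        sector_no, _crc, pv_off = struct.unpack_from("<QII", sec, 8)
        if sec[24:32] != b"LVM2 001" or sector_no != n or pv_off + 40 > SECTOR:
            continue
        # pv_header: pv_uuid[32], then device_size u64 in bytes
        uuid = sec[pv_off:pv_off + 32].decode("ascii", "replace")
        (dev_size,) = struct.unpack_from("<Q", sec, pv_off + 32)
        return {"sector": n, "pv_uuid": uuid, "device_size": dev_size}
    return None

def check_image(head: bytes, image_size: int) -> str:
    """head = first 2048 bytes of the partition image, image_size = its full length."""
    pv = read_pv_label(head)
    if pv is None:
        return "no LVM2 label: not a PV, or the partition was cut at the wrong offset"
    if pv["device_size"] > image_size:
        return "truncated: PV records %d bytes, image has %d" % (pv["device_size"], image_size)
    return "ok: PV %s at sector %d" % (pv["pv_uuid"], pv["sector"])

def make_sample(dev_size: int) -> bytes:
    """Constructed sample: empty sector 0 followed by a label in sector 1."""
    uuid = b"SAMPLEPVUUID".ljust(32, b"0")
    label = b"LABELONE" + struct.pack("<QII", 1, 0, 32) + b"LVM2 001"
    sec = (label + uuid + struct.pack("<Q", dev_size)).ljust(SECTOR, b"\0")
    return b"\0" * SECTOR + sec + b"\0" * (2 * SECTOR)

if __name__ == "__main__":
    print(check_image(make_sample(1 << 30), 1 << 30))   # intact image
    print(check_image(make_sample(1 << 30), 1 << 29))   # image shorter than the PV
    print(check_image(b"\0" * 2048, 1 << 30))           # no label present
```

For a real image, pass the first 2048 bytes read from the file together with the file's size from os.path.getsize().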

