RE: Mounting LVM image for analysis

Subject: RE: Mounting LVM image for analysis
Date: Mon, 21 Aug 2006 13:35:20 -0700
Once the VG is mounted you should be able to see all the LVs
(partitions) underneath /dev/<volumegroupname>.

In the example I'm looking at I've got an sdb4 LVM dd image with a
volumegroupname of vg00. Doing an ls /dev/vg00/ shows me lv00-lv09. You
should then be able to dd if=/dev/vg00/lv00 of=/images/lv00.img (or
dcfldd). 

mmls doesn't seem to work against a logical volume. I believe mmls would
and did work against the physical disk you imaged the LVM off of but the
LVM partition structure is probably different enough that mmls won't
work. I just tried it on my LVM example and it doesn't work. I've never
needed it as the LVs under /dev/vg00/lv* in this case are the individual
partitions and can be dd'd individually.

Can you dcfldd each of those logical volumes rather than mmls and
splitting the images?

Patrick 

-----Original Message-----
From: Nathaniel Hall [mailto:nathaniel.d.hall@gmail.com] 
Sent: Monday, August 21, 2006 9:14 AM
To: Nehls, Patrick
Cc: forensics@securityfocus.com
Subject: Re: Mounting LVM image for analysis

This did get me quite a bit farther, but maybe you can help me some
more.

I went through the steps you provided and was able to browse the
contents of the LVM.  I tried to run dcfldd against the volume, but I
don't have the partition information.  I would like to run mmls against
the image, but I'm not sure if it supports what I need to do.  Any
ideas?

Nehls, Patrick wrote:

From here you can either:
dd if=/dev/<volumegroupname>/<logicalvolumename>
of=/path/to/<host>vg00lv00.img
OR
mount -o loop,ro,noexec,noatime,nodev
/dev/<volumegroupname>/<logicalvolumename> /mnt/point

Patrick

-----Original Message-----
From: Nathaniel Hall [mailto:nathaniel.d.hall@gmail.com]
Sent: Thursday, August 17, 2006 11:10 AM
To: forensics@securityfocus.com
Subject: Mounting LVM image for analysis

Maybe I haven't looked deep enough, but I figure the experts would know
best.  I believe a system of mine may have been compromised with a
rootkit.  I have already taken an image of the system and split out the
partitions using the output from mmls and dcfldd.  One of my partitions
is an LVM partition.  It was on a SAN and we made it LVM so the
partition could be extended, but it never was.

I have the image on a Forensic system and I would like to be able to
browse the image as if it was another disk in the system.  What would I
need to do?

--
Nathaniel Hall, GSEC GCFW GCIA GCIH

--
Nathaniel Hall, GSEC GCFW GCIA GCIH
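The procedure discussed in this thread (attach the split-out LVM partition image read-only, activate the volume group, carve each logical volume out with dd/dcfldd, and mount it with the read-only options Patrick lists) as one script. This is an added example written for this archive page, not code posted by either participant; the image path, output directory, host name and the volume group name vg00 are assumptions. It also adds the check a practitioner wants before going further: LVM2 writes its physical-volume label, the string LABELONE, in one of the first four 512-byte sectors of a PV (normally sector 1), so a partition image that carries no such label was not an LVM PV and should not be fed to losetup/vgchange at all. mmls is the wrong tool on a logical volume because it reads partition tables, and an LV normally holds a filesystem directly; fsstat and fls from The Sleuth Kit work on the carved LV image.

```shell
#!/bin/sh
# Added example (not from the original thread): bring a dd image of an LVM
# physical volume online read-only, carve out every logical volume, and
# mount each one. Paths, host name and VG name are assumptions.

# LVM2 keeps the PV label ("LABELONE") in one of the first four 512-byte
# sectors, normally sector 1 (offset 512). Refuse to go on without it.
is_lvm_pv() {
    img="$1"
    for sector in 0 1 2 3; do
        # tr strips NUL bytes so all-zero sectors compare as empty strings
        sig=$(dd if="$img" bs=512 skip="$sector" count=1 2>/dev/null \
              | tr -d '\000' | head -c 8)
        [ "$sig" = "LABELONE" ] && return 0
    done
    return 1
}

# Name each carved image the way the thread does: <host><vg><lv>.img
lv_image_path() {
    outdir="$1"; host="$2"; vg="$3"; lv="$4"
    printf '%s/%s%s%s.img\n' "$outdir" "$host" "$vg" "$lv"
}

# Read-only evidence mount options from the thread.
MOUNT_OPTS="loop,ro,noexec,noatime,nodev"

# Full workflow; needs root plus the lvm2, util-linux and sleuthkit tools.
# Usage: sh lvm-image.sh /images/sdb4.img /images/out hostA
extract_lvs() {
    img="$1"; outdir="$2"; host="$3"
    is_lvm_pv "$img" || { echo "$img: no LVM PV label found" >&2; return 1; }
    # -r attaches the loop device read-only so nothing can touch the image
    loop=$(losetup -r -f --show "$img")
    pvscan >/dev/null
    vgscan >/dev/null
    # Activate only the VG that lives on our loop device
    vg=$(pvs --noheadings -o vg_name "$loop" | tr -d ' ')
    vgchange -ay "$vg"
    for lv in $(lvs --noheadings -o lv_name "$vg" | tr -d ' '); do
        out=$(lv_image_path "$outdir" "$host" "$vg" "$lv")
        # dcfldd hashes while copying; fall back to dd + sha1sum if absent
        if command -v dcfldd >/dev/null 2>&1; then
            dcfldd if="/dev/$vg/$lv" of="$out" hash=sha1 hashlog="$out.sha1"
        else
            dd if="/dev/$vg/$lv" of="$out" bs=1M conv=noerror,sync
            sha1sum "$out" > "$out.sha1"
        fi
        # An LV holds a filesystem, not a partition table: fsstat, not mmls
        fsstat "$out" | head -n 5
        mkdir -p "/mnt/$vg-$lv"
        mount -o "$MOUNT_OPTS" "$out" "/mnt/$vg-$lv"
    done
}

# Only run the workflow when called with arguments, so the helper
# functions above can be sourced and used on their own.
if [ $# -eq 3 ]; then
    extract_lvs "$@"
fi
```

Two caveats that bite on a forensic workstation: if the analysis box already has a volume group with the same name as the evidence (vg00 is a common default), LVM will refuse to activate the second one, and the evidence VG has to be renamed with vgimportclone or vgrename before vgchange; and on hosts where udev auto-activates LVM on new block devices, the VG may already be active by the time losetup returns, which is harmless here because the loop device is attached read-only.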

