Hello everyone. Here is the situation. I have one disk that was in an LVM. The disk contains VHD images. I think there were several disks (in the LVM) because I can't assemble the LVM and copy the information. I decided to go another way and use a HEX editor. I wanted to find the start and the end of the VHD images, cut them out and then paste them into another file. But I don't know how to find the end of a VHD image…
Maybe somebody has come across such a situation and knows what to do.
Thanks in advance.
I did not try this and don't recall without digging into the specs, but there's a good chance a VHD parser doesn't care where the file ends.
So, simply locate the start of the VHD and copy *all* the rest to a new file.
Open the VHD and see if it works. There's a good chance the parser doesn't care about any excess 'rubbish' in the file's tail.
PS. I'm not sure what an LVM is here. I'm assuming the file is contiguous and not fragmented in any way.
Your likely issue will be the LVM.
If the LVM is set up as any RAID system other than 1, you are unlikely to be able to carve the file out.
I'm assuming this is a Linux setup? If so, clone the disks and put them back into a Linux box and rebuild the RAID using mdadm.
Then you can probably copy the files straight off.
CyberGonzo, thanks for the answer.
Yes, simply find the start of the VHD, but I have many VHD starts according to the signature search. I don't think all of the VHD starts are VHD images. Using a VHD parser is a good idea. Could you maybe advise me a good VHD parser?
What about the LVM? There is an LVM. It is written in the first sectors of the disk. And when I tried to attach the disk to Linux, Linux showed me that the whole disk is an LVM physical volume, but it didn't contain any logical partitions. Therefore I think there were several disks.
minime2k9, thank you for the answer too. Could I find out how many disks were in the LVM or RAID? Maybe such information is specified on the disk? I tried to find some information with the help of a HEX editor, but I couldn't find it.
I don't know about LVM. If it is not storing files in a contiguous way then your approach will not work.
About signatures, I'd have to dig in the specs to find out. Sorry but I can't do that now.
FYI https://
About a VHD(X) parser. Except for Windows itself I only know of my software (signature below) but I'm sure there are plenty of others if you look for it.
You can get information about the LVM and disks in it.
It may be that the physical volume had partitions on it previously; either way you should image the whole volume once it's rebuilt and you may find you have more luck.
Edit: I'm sure Encase has an option to scan and rebuild LVMs also.
Please also remember that there are two kinds of VHD images (before and besides the LVM arrangement).
The first one (fixed size) is nothing but a RAW image with a single "Conectix" sector appended.
The second one (growable) has its own format that will need a specialized parser.
jaclaz
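The distinction jaclaz draws is what makes the end of a fixed VHD findable: the image is raw data followed by one 512-byte "conectix" footer, and that footer records the virtual disk size, so the start of the image follows from the footer position. Below is an added Python example, not code from anyone in this thread or from any VHD tool; it builds a constructed in-memory buffer containing a stray "conectix" string and one small fixed VHD, scans for the cookie, verifies each candidate footer's checksum (one's complement of the byte sum with the checksum field zeroed, per the published VHD footer layout) and reports the byte range a valid fixed image occupies. For dynamic or differencing images it only reports where the dynamic header lives, since their end depends on the block allocation table, which this example does not parse.

```python
import struct
import uuid

COOKIE = b"conectix"
FOOTER_SIZE = 512
# Big-endian fields up to saved_state; the remaining 427 reserved bytes are zero.
FOOTER_FMT = ">8sIIQI4sIIQQIII16sB"
DISK_TYPES = {2: "fixed", 3: "dynamic", 4: "differencing"}
NO_DATA_OFFSET = 0xFFFFFFFFFFFFFFFF   # data_offset value used by fixed disks


def vhd_checksum(footer):
    """One's complement of the byte sum over the footer with the checksum field (bytes 64..67) zeroed."""
    total = sum(footer[:64]) + sum(footer[68:])
    return (~total) & 0xFFFFFFFF


def parse_footer(footer):
    """Decode one 512-byte VHD footer; raise ValueError if it does not verify."""
    if len(footer) != FOOTER_SIZE or footer[:8] != COOKIE:
        raise ValueError("not a VHD footer")
    (cookie, features, version, data_offset, timestamp, creator, creator_ver,
     host_os, original_size, current_size, geometry, disk_type, checksum,
     unique_id, saved_state) = struct.unpack_from(FOOTER_FMT, footer)
    if checksum != vhd_checksum(footer):
        raise ValueError("footer checksum mismatch")
    return {
        "version": version,
        "data_offset": data_offset,
        "creator": creator.decode("ascii", "replace"),
        "current_size": current_size,    # virtual disk size in bytes
        "disk_type": DISK_TYPES.get(disk_type, "unknown(%d)" % disk_type),
        "unique_id": str(uuid.UUID(bytes=unique_id)),
    }


def scan_for_vhds(blob):
    """Find every 'conectix' cookie, keep those whose footer verifies, and for fixed images
    derive [start, end): current_size bytes of raw data immediately precede the footer."""
    results = []
    pos = blob.find(COOKIE)
    while pos != -1:
        entry = {"offset": pos}
        try:
            info = parse_footer(blob[pos:pos + FOOTER_SIZE])
        except ValueError as exc:
            entry["valid"] = False
            entry["reason"] = str(exc)
        else:
            entry["valid"] = True
            entry.update(info)
            if info["disk_type"] == "fixed":
                entry["start"] = pos - info["current_size"]
                entry["end"] = pos + FOOTER_SIZE
                entry["complete"] = entry["start"] >= 0
            elif info["data_offset"] != NO_DATA_OFFSET:
                # Dynamic/differencing: a footer copy sits at file start and data_offset
                # (relative to it) points at the dynamic header; the end needs the BAT.
                entry["dynamic_header_at"] = pos + info["data_offset"]
        results.append(entry)
        pos = blob.find(COOKIE, pos + 1)
    return results


def build_fixed_vhd(raw_data):
    """Constructed sample: wrap raw disk bytes (a multiple of 512) in a fixed VHD footer."""
    assert len(raw_data) % 512 == 0
    fields = [COOKIE, 2, 0x00010000, NO_DATA_OFFSET, 0, b"py  ", 0x00010000, 0x5769326B,
              len(raw_data), len(raw_data), 0, 2, 0, uuid.UUID(int=0x1234).bytes, 0]
    footer = bytearray(struct.pack(FOOTER_FMT, *fields).ljust(FOOTER_SIZE, b"\0"))
    struct.pack_into(">I", footer, 64, vhd_checksum(footer))
    return raw_data + bytes(footer)


def build_sample_blob():
    """Constructed carving scenario: zeros, a stray cookie with no real footer, a real fixed VHD, junk."""
    junk = b"\x00" * 1024 + COOKIE + b"\x00" * 1024        # false positive at offset 1024
    image = build_fixed_vhd(bytes(range(256)) * 6)         # 1536 bytes of raw data + footer
    return junk + image + b"\xff" * 300


if __name__ == "__main__":
    for hit in scan_for_vhds(build_sample_blob()):
        print(hit)
```

On a real image the stray cookies that CyberGonzo's signature search turns up fail the checksum and drop out, while a verified footer gives the exact byte range to cut; if `complete` is false the data preceding the footer is shorter than the footer claims, which is what a fragmented or truncated image looks like.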
One option is to analyze/explore using testdisk from
Just googling, I found a
As with all things forensic, you should test and validate against a known device. I'll say that I've used both testdisk and photorec for many years with excellent results. Testdisk in particular has saved me from myself on several occasions as a result of dumb decisions I made with both LVM and Linux RAID. Both tools have proven indispensable in my work as an examiner.
Hoyt
… I've one disk that was in LVM. The disk contains VHD images. I think there is (in LVM) a few disks because I can't assemble LVM and copy information. …
OK, one disk so we're not talking RAID.
LVM is a Linux "Logical Volume Manager". It's somewhat like a SAN abstraction with virtual drives within the physical drive. This is not addressing the VHD, which is yet another abstraction layer. Before you can get to the VHD, you need to identify the LVM Logical Volume (LV).
hoyt.harness suggested "Testdisk" for this, which is interesting; I've not tried this for LVMs before.
From Linux
First, figure out what you're dealing with. (Note that many of the commands require root.)
The below assumes your disk in question is hard drive "A" (hda); alter as required.
# fdisk -l /dev/hda
You'll get something like
Disk /dev/hda 160.0 GB, 160041885696 bytes
255 heads, 63 sectors/track, 19457 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot    Start       End    Blocks   Id  System
/dev/hda1   *         1        13    104391   83  Linux
/dev/hda2            14     19457 156183930   8e  Linux LVM
Identify the volume groups contained in the physical volume /dev/hda2
# pvs
You'll get something like
  PV         VG         Fmt  Attr PSize   PFree
  /dev/hda2  VolGroup01 lvm2 a-   148.94G 32.00M
  /dev/hdb2  VolGroup00 lvm2 a-   114.94G 96.00M
To look at VolGroup01
# lvdisplay /dev/VolGroup01
You'll get something like
  --- Logical volume ---
  LV Name                /dev/VolGroup01/LogVol00
  VG Name                VolGroup01
  LV UUID                zOQogm-G8I7-a4WC-T7KI-AhWe-Ex3Y-JVzFcR
  LV Write Access        read/write
  LV Status              available
  # open                 0
  LV Size                146.97 GB
  Current LE             4703
  Segments               1
  Allocation             inherit
  Read ahead sectors     0
  Block device           2532

  --- Logical volume ---
  LV Name                /dev/VolGroup01/LogVol01
  VG Name                VolGroup01
  LV UUID                araUBI-4eer-uh5L-Dvnr-3bI6-4gYg-APgYy2
  LV Write Access        read/write
  LV Status              available
  # open                 0
  LV Size                1.94 GB
  Current LE             62
  Segments               1
  Allocation             inherit
  Read ahead sectors     0
  Block device           2533
The logical volume I would like to "mount" is /dev/VolGroup01/LogVol00. The other logical volume is a swap partition.
NOTE that the term "logical volume" here is not the same as a forensic "Logical". Full physical content with unallocated space is present.
# mount /dev/VolGroup01/LogVol00 /tmp/mnt -o ro,user
----------
If vgscan did not run automatically, you may need to run it manually and activate the volume groups and try again.
# vgscan
# vgchange -a y
----------
Assuming you mounted the correct logical volume, now you can look for your VHD.
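What `pvs` and `lvdisplay` print above comes from structures LVM2 writes on the physical volume itself, which also answers the earlier question of whether the disk records how many disks the volume group had: the LVM2 label (in one of the first four sectors) points to a pv_header with the PV UUID, device size and the location of a metadata area, and that area holds the VG metadata as text, listing every PV in the group by device name. The following is an added Python example, not code from anyone in this thread or from the LVM project; it parses the label_header and pv_header per the LVM2 on-disk layout, then scans the metadata area's text for the VG name and its PV device list. It works on a constructed one-megabyte image that describes a two-PV volume group; the label CRC (LVM's own CRC32 variant) is reported but not verified, and the sample omits the mda_header that precedes the text on a real disk since the scan does not need it.

```python
import re
import struct

SECTOR = 512
LABEL_ID = b"LABELONE"
LABEL_TYPE = b"LVM2 001"


def format_pv_uuid(raw32):
    """LVM prints its 32-character UUIDs in 6-4-4-4-4-4-6 groups."""
    parts, i = [], 0
    for n in (6, 4, 4, 4, 4, 4, 6):
        parts.append(raw32[i:i + n])
        i += n
    return "-".join(parts)


def parse_pv_label(img):
    """Walk the LVM2 label_header and pv_header; the label lives in one of sectors 0-3."""
    for sector_no in range(4):
        off = sector_no * SECTOR
        if img[off:off + 8] == LABEL_ID:
            break
    else:
        raise ValueError("no LVM2 label in sectors 0-3")
    # label_header: id[8], sector_xl u64, crc_xl u32, offset_xl u32, type[8]; little-endian
    _id, sector_xl, crc, pvh_off, label_type = struct.unpack_from("<8sQII8s", img, off)
    if sector_xl != sector_no or label_type != LABEL_TYPE:
        raise ValueError("label header is inconsistent")
    p = off + pvh_off
    # pv_header: pv_uuid[32], device_size u64, then two zero-terminated lists of
    # disk_locn {offset u64, size u64}: data areas first, metadata areas second
    uuid_raw = img[p:p + 32].decode("ascii")
    (device_size,) = struct.unpack_from("<Q", img, p + 32)
    p += 40

    def read_locns(pos):
        areas = []
        while True:
            o, sz = struct.unpack_from("<QQ", img, pos)
            pos += 16
            if o == 0 and sz == 0:
                return areas, pos
            areas.append((o, sz))

    data_areas, p = read_locns(p)
    metadata_areas, p = read_locns(p)
    return {
        "label_sector": sector_no,
        "label_crc": crc,             # not verified: LVM uses its own CRC32 variant
        "pv_uuid": format_pv_uuid(uuid_raw),
        "device_size": device_size,
        "data_areas": data_areas,     # a size of 0 means "to the end of the device"
        "metadata_areas": metadata_areas,
    }


def vg_summary(img, pv):
    """Scan the first metadata area for the VG text and list the PV devices it names.
    (A real parser would walk the mda_header ring buffer and check its checksum.)"""
    o, sz = pv["metadata_areas"][0]
    blob = img[o:o + sz]
    m = re.search(rb'(\w+) \{\s+id = "([^"]+)"', blob)    # the VG block opens the text
    if not m:
        raise ValueError("no VG metadata text found in metadata area")
    devices = [d.decode() for d in re.findall(rb'device = "([^"]+)"', blob)]
    return {"vg_name": m.group(1).decode(), "vg_uuid": m.group(2).decode(),
            "pv_devices": devices, "pv_count": len(devices)}


def build_sample_image():
    """Constructed PV image: label in sector 1, metadata area at 4 KiB whose text names two PVs."""
    img = bytearray(1024 * 1024)
    label = struct.pack("<8sQII8s", LABEL_ID, 1, 0, 32, LABEL_TYPE)       # crc left at 0 (constructed)
    pvh = b"aBcDeF0123456789abcdefGHIJklmnop" + struct.pack("<Q", 159932344320)
    pvh += struct.pack("<QQ", 1048576, 0) + struct.pack("<QQ", 0, 0)      # data: 1 MiB to end
    pvh += struct.pack("<QQ", 4096, 1044480) + struct.pack("<QQ", 0, 0)   # metadata: 4 KiB .. 1 MiB
    img[SECTOR:SECTOR + len(label) + len(pvh)] = label + pvh
    meta_text = b"\n".join([
        b'VolGroup01 {', b'id = "vgvgvg-0000-1111-2222-3333-4444-vgvgvg"', b'seqno = 3',
        b'physical_volumes {',
        b'pv0 {', b'id = "aBcDeF-0123-4567-89ab-cdef-GHIJ-klmnop"', b'device = "/dev/hda2"', b'}',
        b'pv1 {', b'id = "zzzzzz-9999-8888-7777-6666-5555-zzzzzz"', b'device = "/dev/hdb2"', b'}',
        b'}', b'logical_volumes {', b'LogVol00 {', b'}', b'}', b'}', b''])
    img[4096 + 512:4096 + 512 + len(meta_text)] = meta_text   # where the ring buffer text starts
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    pv = parse_pv_label(image)
    print(pv)
    print(vg_summary(image, pv))
```

Run against a raw image of the physical volume (the whole device when fdisk shows no partition table, otherwise the `8e` partition), a `pv_count` greater than one confirms that other disks belonged to the group, and the `device` names and PV ids tell you which ones are missing before you try `vgscan` and `vgchange -a y`.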