I don't normally use dd for forensic acquisitions, but I have a case involving forensic images with Linux LVM partitions that I needed to recover and image. Using tips I found elsewhere on the site and other places, I was able to mount the LVM in a virtual Linux machine and use dd to copy the contents of the LVM to a partitioned but unformatted disk with this syntax:
dd if=/dev/VolGroup00/LogVol00 of=/dev/sdd
The result was a disk that is readable in EnCase. However, I noticed that there are no creation dates maintained for any of the files. Last accessed, last written and entry modified dates were all maintained.
Can any of the Linux experts out there shed any light on why this may have occurred?
Mark
Greetings,
Have you mounted the image with any other tool? Mount Image Pro, FTK, or simply a loopback device on another Linux box? This sounds like an EnCase error rather than an imaging error? And which version of EnCase?
-David
Most Unix file systems don't store the creation time.
The particular LVM data was from an LVM that spanned two physical disks. The only way to access these two disks from the original raw disk images was to mount one through EnCase PDE and one through a loopback device in Linux. This allowed me to access the LVM with the vgchange -ay command. The LVM itself was never mounted. Are you saying that mounting the images caused the created dates to not be maintained? This was with version 6.13 of EnCase.
Mark
Greetings,
thefuf is spot on, my bad. Most Unix/Linux file systems do not store the creation date. The date you get from the file system is the last modified date. The creation date information wasn't stored in the first place.
-David
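An added example (not from the thread or any of its posters) that shows why the "created" column comes up empty: the classic Unix inode carries only atime, mtime and ctime, and ctime is the inode *change* time, which moves on a metadata-only operation such as chmod, so it cannot be read as a creation date. The second function asks the Linux statx(2) syscall for a real birth time (crtime) and returns None when the file system does not record one; the struct offsets and the glibc wrapper name are assumptions about a Linux build, and the sample file is constructed.

```python
import ctypes
import ctypes.util
import os
import stat
import struct
import tempfile
import time

STATX_BTIME = 0x800   # ask statx(2) for stx_btime (creation time), if the FS stores one
AT_FDCWD = -100       # resolve the path relative to the current directory

def stat_times(path):
    """The three timestamps a classic Unix inode (ext2/ext3, UFS, ...) actually stores."""
    st = os.stat(path)
    return {"atime": st.st_atime, "mtime": st.st_mtime, "ctime": st.st_ctime}

def birth_time(path):
    """Seconds since the epoch from stx_btime, or None when no creation time is recorded.
    Assumes glibc >= 2.28 (statx wrapper) and the Linux struct statx layout."""
    try:
        libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
        statx = libc.statx
    except (AttributeError, OSError, TypeError):
        return None                     # not Linux, or no statx wrapper in this libc
    buf = ctypes.create_string_buffer(512)   # struct statx is 256 bytes; extra is harmless
    if statx(AT_FDCWD, path.encode(), 0, STATX_BTIME, buf) != 0:
        return None
    mask = struct.unpack_from("=I", buf, 0)[0]          # stx_mask: which fields are valid
    if not mask & STATX_BTIME:
        return None                     # kernel answered, but this FS has no crtime field
    sec, nsec = struct.unpack_from("=qI", buf, 80)      # stx_btime sits at offset 80
    return sec + nsec / 1e9

def ctime_moves_on_metadata_change(directory):
    """Create a constructed sample file, then change only its mode.
    Returns (ctime_before, ctime_after, mtime_before, mtime_after)."""
    path = os.path.join(directory, "sample.txt")
    with open(path, "w") as fh:
        fh.write("constructed sample\n")
    before = stat_times(path)
    time.sleep(1.1)                     # step past one-second granularity on older FSes
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)   # metadata-only change, no data written
    after = stat_times(path)
    return before["ctime"], after["ctime"], before["mtime"], after["mtime"]

def run_demo():
    """Run both checks in a scratch directory; used by the stand-alone run below."""
    with tempfile.TemporaryDirectory() as d:
        times = ctime_moves_on_metadata_change(d)
        return times, birth_time(os.path.join(d, "sample.txt"))

if __name__ == "__main__":
    print(run_demo())
```

On ext3 (or any image carved the way the thread describes) birth_time returns None, matching the empty column in EnCase; on ext4 with 256-byte inodes it returns the crtime the file system does keep.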