Linux LVM image and mounting problem

bobby1041
(@bobby1041)
Eminent Member
Joined: 20 years ago
Posts: 20
Topic starter  

Anybody have a good recommendation for imaging a Linux disk with LVM volumes and then mounting that image to extract files? This requires a forensic image for file integrity, but the end result is extracting certain files and maintaining the hashes of those files. I do not have access to AccessData FTK, EnCase, etc. so those solutions are out of the question.

Anyone have experience imaging and mounting the Linux image with an LVM volume, preferably in Windows? When I mount it, as read only, I need to generate the hashes for all the files on the image or only certain files on the image. Will FTK Imager handle the mounting of an LVM volume? I know FTK Imager handles generating file hash lists very well.

Advice requested please… Thanks in advance!!!


   
Quote
(@adamd)
Eminent Member
Joined: 19 years ago
Posts: 46
 

If it's a single volume, FTK Imager will see it and allow you to generate file/hash lists from it. I did exactly this the other day and was surprised that it worked, as EnCase didn't like it at all.

The other option is to write the image out and mount it on a linux box as read only. This is a bit of a stuff around due to the way LVM works, but I managed to do that also with vgscan, vgchange etc (I had to attempt to recover a file logically).

Good luck!


   
ReplyQuote
bobby1041
(@bobby1041)
Eminent Member
Joined: 20 years ago
Posts: 20
Topic starter  

For anyone who wants to know, here are the steps that I took that worked. I used Helix boot cd during all of these steps.

Mounting an LVM disk image as RO (change device names accordingly)
—————————————————————–

# <image disk to DD file>

# losetup -f                                          (shows the first unused loop device)

# mount /media/sdb1                                   (mounts the partition where the DD image is located)

# losetup /dev/loop2 /media/sdb1/linuxdisk-wlvm.dd    (maps the loop device to the DD image)

# pvscan                                              (scans for new physical volumes)

# vgexport VolGroup00                                 (exports the Volume Group)

# vgimport VolGroup00                                 (imports the Volume Group)

# vgchange -ay VolGroup00                             (activates the Volume Group)

# lvs                                                 (displays the logical volumes)

# mount -o ro /dev/VolGroup00/LogVol00 /mnt           (mounts VolGroup00/LogVol00 read-only on /mnt)

# cd /mnt                                             (the image's file system is now accessible under /mnt)

To unmount it, a few commands have to be executed (umount for unmounting, vgchange -an to deactivate the volume group, kpartx -d to delete the device map and losetup -d to delete the loop device used):

# umount /mnt/
# vgchange -an VolGroup00
# losetup -d /dev/loop2

================================================================

DD imaging a mounted LVM volume (image as a regular FS image, e.g. ext2)
————————————————

# dd if=/dev/<volumegroupname>/<logicalvolumename> of=/path/to/<host>vg00lv00.img

e.g. # dd if=/dev/VolGroup00/LogVol00 of=/media/sdb1/vg00lv00.img


   
ReplyQuote
(@farmerdude)
Estimable Member
Joined: 20 years ago
Posts: 242
 

Bobby,

Did you acquire each individual hard drive, or only the LVM container?

If the former, rock on - you have everything.

If the latter, uh oh, you may have missed something - all the data outside of the LVM. LVM is similar to RAID, in that every drive in the system may not be a member of the group, and any drive in the system, member or not, may not have all of its usable area devoted to the RAID or LVM.

Separately from the above, as a safety step, you might consider mounting the file system containing your image(s) read only. In my training I instruct my students to do this, especially when the file system(s) contain RAID images. This allows them to activate the RAID array, but on read-only medium, so the RAID superblock is _not_ updated. I do not know if the LVM information is updated when you mount the underlying file system read-write and activate the volume group. But I am curious, because it would seem natural the meta-data for the LVM would be updated, just as with a RAID array. Do you know? Do your pre and post authentication values for the image file(s) match?

Cheers!

farmerdude

http://www.forensicbootcd.com

http://www.onlineforensictraining.com


   
ReplyQuote
Share:
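The following script is an added example written for this thread; it is not bobby1041's procedure nor anything from the Helix CD, and it assumes a DD image of a whole disk, the VG/LV names from the posts as placeholders, util-linux losetup 2.21 or newer (for -P), LVM2, blkid and sha256sum, and root for the mount/umount paths. It addresses both the mount steps above and farmerdude's question: the loop device is attached read-only with `losetup -r`, so nothing (LVM metadata included) can be written back to the image file, and the vgexport/vgimport pair is dropped because activation alone does not need it and vgexport would have to write metadata to the PV. The file system is mounted with journal replay disabled (`noload` for ext3/ext4, `norecovery` for XFS), since a plain `ro` mount of a dirty ext3/ext4 journal either replays it or refuses to mount on a read-only device. The hash helpers give the pre/post authentication values to confirm the image file was not touched.

```shell
#!/bin/sh
# Added example, not from the thread. Read-only LVM image mount with a
# pre/post hash check. Assumed tools: util-linux losetup (>= 2.21 for -P),
# LVM2 (pvscan/vgchange/lvs), blkid, sha256sum; root for mount/umount.
set -eu

# SHA-256 of the image file; record this before the image is attached.
image_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 (true) if the file still hashes to the recorded value, 1 otherwise.
verify_unchanged() {
    expected="$1"; file="$2"
    [ "$(image_hash "$file")" = "$expected" ]
}

# Mount options that keep the kernel from replaying a journal on a read-only
# mount: ext3/ext4 need "noload", XFS needs "norecovery"; anything else "ro".
ro_mount_opts() {
    case "$1" in
        ext3|ext4) echo "ro,noload" ;;
        xfs)       echo "ro,norecovery" ;;
        *)         echo "ro" ;;
    esac
}

# Attach the image read-only (-r), expose partitions (-P), activate the VG,
# and mount the named LV with journal replay disabled. Needs root.
mount_lvm_image_ro() {
    image="$1"; vg="$2"; lv="$3"; mnt="$4"
    loopdev=$(losetup -r -P -f --show "$image")
    echo "attached $image read-only on $loopdev"
    pvscan                       # discover the PV inside the image
    vgchange -ay "$vg"           # activation only; no vgexport/vgimport
    lvs "$vg"
    fstype=$(blkid -o value -s TYPE "/dev/$vg/$lv")
    mount -t "$fstype" -o "$(ro_mount_opts "$fstype")" "/dev/$vg/$lv" "$mnt"
    echo "mounted /dev/$vg/$lv ($fstype) on $mnt"
}

# Reverse the above: unmount, deactivate the VG, detach every loop device
# that losetup -j reports as backed by the image file.
umount_lvm_image() {
    image="$1"; vg="$2"; mnt="$3"
    umount "$mnt"
    vgchange -an "$vg"
    for dev in $(losetup -j "$image" | cut -d: -f1); do
        losetup -d "$dev"
    done
}

# Usage (assumed names from the thread):
#   sh lvmro.sh hash   /media/sdb1/linuxdisk-wlvm.dd            > pre.txt
#   sh lvmro.sh mount  /media/sdb1/linuxdisk-wlvm.dd VolGroup00 LogVol00 /mnt
#   ... extract and hash files under /mnt ...
#   sh lvmro.sh umount /media/sdb1/linuxdisk-wlvm.dd VolGroup00 /mnt
#   sh lvmro.sh check  /media/sdb1/linuxdisk-wlvm.dd "$(cat pre.txt)"
case "${1:-}" in
    hash)   image_hash "$2" ;;
    check)  if verify_unchanged "$3" "$2"; then echo "image unchanged"
            else echo "IMAGE HASH CHANGED"; exit 2; fi ;;
    mount)  mount_lvm_image_ro "$2" "$3" "$4" "$5" ;;
    umount) umount_lvm_image "$2" "$3" "$4" ;;
esac
```

If `vgchange -ay` is run with the loop device attached writable, as in the thread's steps, a `check` after teardown is the only way to know whether LVM rewrote anything; with `-r` the block layer rejects the write, so a mismatch can only mean the file was modified through some other path.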