Mounting Linux Logical Volumes in Forensic Disk Images

Science & Technology

Linux supports Logical Volume Management (LVM), which sits between the physical partitions and the file systems so that volumes can be resized, spanned across disks, snapshotted, or combined with dm-crypt encryption. However, many forensic tools cannot directly access data on an LVM partition: they see the physical volume, not the file systems inside its logical volumes.
Thank you to our Members and Patrons, but especially to our Investigators, TheRantingGeek, Roman, and Alexis Brignoni! Thank you so much!
First, your forensic workstation must read the volume group metadata from the image's physical volume and activate the logical volumes. Once the logical volume appears as a block device, we can mount it as normal. Today we look at mounting a logical volume from a Linux forensic disk image.
00:00 Logical Volume Manager in Forensic Images
00:24 Check the forensic image disk partition information
01:07 Try to access LVM partition directly with fls (fail)
01:33 LVM access procedure overview
02:18 How to mount LVM partition in Linux
02:36 Check forensic workstation devices
03:03 Mount the image with ewfmount
05:09 Create new partition mappings with kpartx
06:36 Scan volume groups for logical volumes with lvscan
07:22 Mount the logical volume with mount
08:30 Access the file system directly via the mount point
10:08 Use any forensic tool against the mounted logical volume
11:23 LVM observations
We use Tsurugi Linux to work with the LVM and mount the logical volumes, though most versions of Linux should work just fine. If your forensic workstation has its own logical volumes and a volume group on the suspect disk uses the same name (many installers use the same default name), LVM will report duplicate volume group names and the suspect volume group may not activate cleanly.
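The ewfmount, kpartx, lvscan and mount sequence from the chapter list above, written out as one script. This is an added example and not the video's own commands; it assumes the image is passed as the first argument, uses /mnt/ewf and /mnt/lv as work directories (change as needed), and needs root plus libewf (ewfmount), kpartx, lvm2 and blkid. The parsing helpers are kept separate from the privileged steps so they can be checked without an image. Everything is mounted read-only, including the journal, and the volume group name conflict mentioned above is detected before activation rather than silently worked around.

```shell
#!/bin/sh
# Added example (not from the video): mount the logical volumes inside an
# EWF image read-only, following ewfmount -> kpartx -> lvscan -> mount.
# Assumed paths: image at $1, work directories /mnt/ewf and /mnt/lv.
set -eu

EWF_MNT=/mnt/ewf   # ewfmount exposes the raw image here as ewf1
LV_MNT=/mnt/lv     # each logical volume is mounted in a subdirectory here

# --- pure helpers (no root needed) -------------------------------------

# Partition map names from 'kpartx -a -v' output, e.g.
#   add map loop0p2 (253:1): 0 41940992 linear 7:0 1052672   ->  loop0p2
kpartx_map_names() { awk '$1=="add" && $2=="map" {print $3}'; }

# LV paths from lvscan output. The suspect LVs show as "inactive" until
# their volume group is activated with vgchange -ay.
#   inactive          '/dev/vg0/root' [<9.00 GiB] inherit      ->  /dev/vg0/root
lvscan_lv_paths() { awk -F"'" '$1 ~ /ACTIVE|inactive/ {print $2}'; }

# Read-only mount options per file system. ext3/ext4 replay the journal
# even on a "ro" mount unless noload is given; xfs needs norecovery for
# the same reason and nouuid in case the workstation has the same UUID.
ro_mount_opts() {
  case "$1" in
    ext2|ext3|ext4) echo "ro,noload,noexec,nodev,nosuid" ;;
    xfs)            echo "ro,norecovery,nouuid,noexec,nodev,nosuid" ;;
    *)              echo "ro,noexec,nodev,nosuid" ;;
  esac
}

# Print VG names present in both lists ($1 host VGs, $2 suspect VGs).
vg_name_conflicts() {
  for vg in $2; do
    for h in $1; do [ "$vg" = "$h" ] && echo "$vg"; done
  done
  return 0
}

# --- privileged procedure -----------------------------------------------

mount_lvm_image() {                    # $1 = first segment of the E01 image
  host_vgs=$(vgs --noheadings -o vg_name | tr -d ' ')   # before the image is visible
  mkdir -p "$EWF_MNT" "$LV_MNT"
  ewfmount "$1" "$EWF_MNT"                              # raw view at $EWF_MNT/ewf1
  maps=$(kpartx -a -s -v -r "$EWF_MNT/ewf1" | kpartx_map_names)   # -r: read-only maps
  for p in $maps; do
    dev="/dev/mapper/$p"
    [ "$(blkid -o value -s TYPE "$dev")" = "LVM2_member" ] || continue
    vg=$(pvs --noheadings -o vg_name "$dev" | tr -d ' ')
    conflicts=$(vg_name_conflicts "$host_vgs" "$vg")
    if [ -n "$conflicts" ]; then
      echo "VG '$conflicts' also exists on this workstation; rename the host VG first" >&2
      return 1
    fi
    vgchange -ay "$vg"                                  # LVs appear as /dev/$vg/<lv>
    for lv in $(lvscan | lvscan_lv_paths | grep "^/dev/$vg/"); do
      fstype=$(blkid -o value -s TYPE "$lv" || true)
      case "$fstype" in ""|swap) continue ;; esac       # nothing to mount
      target="$LV_MNT/$(basename "$lv")"
      mkdir -p "$target"
      mount -t "$fstype" -o "$(ro_mount_opts "$fstype")" "$lv" "$target"
      echo "mounted $lv ($fstype) read-only at $target"
    done
  done
}

unmount_lvm_image() {                  # $1 = suspect VG name, reverse order of setup
  for m in "$LV_MNT"/*; do mountpoint -q "$m" && umount "$m"; done
  vgchange -an "$1"
  kpartx -d "$EWF_MNT/ewf1"
  fusermount -u "$EWF_MNT"
}

# Run only when given a subcommand, so the helpers can be sourced on their own.
case "${1:-}" in
  mount)  mount_lvm_image "$2" ;;
  umount) unmount_lvm_image "$2" ;;
esac
```

Usage: `sudo sh mount_lvm.sh mount image.E01`, run fls or any other tool against /mnt/lv/<lv>, then `sudo sh mount_lvm.sh umount <vg-name>`. If the script stops on a duplicate volume group name, rename the workstation's own volume group (vgrename) rather than touching the suspect metadata, since the partition mappings are read-only.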
🚀 Full Digital Forensic Courses → learn.dfir.science
Links:
* Link to disk image: archive.org/details/AfricaDFI...
* Guide to LVM in Linux (linuxhandbook.com/lvm-guide/)
* Tsurugi Linux (tsurugi-linux.org/)
Related book:
* The Linux Programming Interface: A Linux and UNIX System Programming Handbook (amzn.to/3MbzE9v)
#linux #lvm #forensics #dfir #infosec
010001000100011001010011011000110110100101100101011011100110001101100101
Get more Digital Forensic Science
👍 Subscribe → bit.ly/2Ij9Ojc
❤️ YT Member → bit.ly/DFIRSciMember
❤️ Patreon → / dfirscience
🕸️ Blog → DFIR.Science
🤖 Code → github.com/DFIRScience
🐦 Follow → / dfirscience
📰 DFIR Newsletter → bit.ly/DFIRNews
010100110111010101100010011100110110001101110010011010010110001001100101
Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please link back to the original video. If you want to use this video for commercial purposes, please contact us first. We would love to see what you are doing.

Comments: 5

  • @Lexzee_Lee
    @Lexzee_Lee 2 years ago

    What I need right now. Thank you!

  • @malevolencee
    @malevolencee 2 years ago

    Thank you!

  • @DFIRScience
    @DFIRScience 1 year ago

    I hope it was helpful!

  • @LyOnCr01
    @LyOnCr01 1 year ago

    A link for the ewf image?

  • @DFIRScience
    @DFIRScience 1 year ago

    Here it is: archive.org/details/AfricaDFIRCTF22WK1
