Linux Logical Volume Manager (LVM)
Not all forensic tools have support for Linux Logical Volume Manager (LVM) volumes, but most modern Linux distributions do.
Mounting an LVM from an image
If you have an image, mount the LVM read-only on a loopback device (e.g. /dev/loop1) with:
sudo losetup -r -o $OFFSET /dev/loop1 image.raw
Note that the offset is in bytes.
sudo xmount --in dd --cache sda.shadow sda.raw image/
You can then safely mount the LVM in read-write mode (just omit the -r in the previous losetup command).
To remove this mapping afterwards run:
sudo losetup -d /dev/loop1
To scan for new physical volumes:
You cannot unmount an active volume group. To detach (or deactivate) the volume group:
vgchange -a n $VOLUMEGROUP
where $VOLUMEGROUP is the name of the volume group.
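The losetup step above needs $OFFSET in bytes. The following added example (not part of the original page) derives it from the image's partition table and checks for the LVM2 label before anything is attached. It assumes an MBR-partitioned raw image with 512-byte sectors and an LVM partition of type 0x8e; the function names and the sample image are constructed for illustration.

```sh
#!/bin/sh
# Added example. Assumes an MBR-partitioned raw image with 512-byte sectors.

# Print the byte offset of the first primary partition of type 0x8e (Linux LVM).
lvm_offset() {
    img=$1; sector_size=${2:-512}; i=0
    while [ "$i" -lt 4 ]; do
        entry=$((446 + 16 * i))                 # partition table starts at byte 446
        ptype=$(od -An -tu1 -j $((entry + 4)) -N1 "$img" | tr -d ' ')
        if [ "$ptype" = "142" ]; then           # 142 == 0x8e
            # Start LBA: 4 bytes, little-endian, at entry + 8
            set -- $(od -An -tu1 -j $((entry + 8)) -N4 "$img")
            echo $(( ($1 + ($2 << 8) + ($3 << 16) + ($4 << 24)) * sector_size ))
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Succeed if an LVM2 physical volume label ("LABELONE") sits in sector 1 of the
# partition, its default location.
has_lvm_label() {
    label=$(dd if="$1" bs=1 skip=$(( $2 + 512 )) count=8 2>/dev/null | tr -d '\000')
    [ "$label" = "LABELONE" ]
}

# Constructed sample: zero-filled image, one 0x8e entry starting at LBA 2048.
make_sample_image() {
    dd if=/dev/zero of="$1" bs=512 count=2052 2>/dev/null
    printf '\216' | dd of="$1" bs=1 seek=450 conv=notrunc 2>/dev/null   # type 0x8e
    printf '\010' | dd of="$1" bs=1 seek=455 conv=notrunc 2>/dev/null   # LBA 0x0800
    printf 'LABELONE' | dd of="$1" bs=1 seek=$((2048 * 512 + 512)) conv=notrunc 2>/dev/null
}

# Usage: sh lvm_offset.sh image.raw   (prints the value to pass as $OFFSET)
if [ $# -gt 0 ]; then
    OFFSET=$(lvm_offset "$1") && has_lvm_label "$1" "$OFFSET" && echo "$OFFSET"
fi
```

Both functions only read the image, so they can be run against the evidence file directly. GPT-partitioned images and LVM inside extended partitions are not handled.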