The [[Linux]] Logical Volume Manager is commonly abbreviated to LVM, although the abbreviation is also used for other [http://en.wikipedia.org/wiki/Logical_Volume_Management Logical Volume Management] variants.

Not all forensic tools have support for Linux Logical Volume Manager (LVM) volumes, but most modern Linux distributions do, so the volumes inside an image can usually be exposed with the distribution's own LVM tools and then handed to a forensic tool.

== Mounting an LVM from an image ==
If you have an image, attach the partition holding the LVM physical volume read-only to a loopback device (e.g. /dev/loop1):
<pre>
sudo losetup -r -o $OFFSET /dev/loop1 image.raw
</pre>

Note that the offset is in bytes: the start sector of the LVM partition (type 0x8e in a DOS partition table, as reported by e.g. the [[Sleuthkit]] tool mmls or by fdisk -l) multiplied by the sector size. The -r flag makes the loop device read-only, so nothing can be written to the image through it.

If you need to write to the image, e.g. for recovery, use [[xmount]] to write the changes to a [[shadow file]] (or cachefile in xmount terminology).
<pre>
sudo xmount --in dd --cache sda.shadow sda.raw image/
</pre>

You can then safely mount the LVM in read-write mode: point losetup at the virtual image file that appears under image/ and omit the -r in the previous losetup command. All writes go to the cachefile; the original image is left untouched.

To make LVM detect the physical volume on the new loop device:
<pre>
lvm pvscan
</pre>

Then activate the volume group:
<pre>
vgchange -a y $VOLUMEGROUP
</pre>

Where $VOLUMEGROUP is the corresponding name of the volume group. If the image's volume group has the same name as a group on the analysis system, LVM reports a duplicate; rename one of them with vgrename, which also accepts the volume group UUID in place of the name so the right one is picked.

The individual volume devices are now available in:
<pre>
/dev/mapper/$VOLUMEGROUP-$VOLUMENAME
</pre>

Note that any "-" in a volume group or volume name is doubled in the mapper name (the volume lv-root in group vg-data becomes /dev/mapper/vg--data-lv--root); the symlinks under /dev/$VOLUMEGROUP/$VOLUMENAME use the plain names.

You cannot detach the loop device while the volume group on it is active. When done, deactivate the volume group first:
<pre>
vgchange -a n $VOLUMEGROUP
</pre>

and then remove the loopback mapping:
<pre>
sudo losetup -d /dev/loop1
</pre>
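The image procedure above carried through as a script, as an added example that is not code from the original page: it computes the byte offset for losetup from the partition table as printed by the Sleuthkit's mmls, builds the /dev/mapper name with LVM's hyphen doubling, and runs the attach and tear-down sequences in the right order. The mmls text embedded below is constructed sample output; the volume group name vg_evidence and the loop device /dev/loop1 are assumptions. With DRY_RUN=1 it only prints the privileged commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed for illustration:
# volume group "vg_evidence", loop device /dev/loop1, constructed mmls output.

# Byte offset of the first partition mmls labels as Linux LVM (type 0x8e).
# Reads mmls output on stdin; prints the offset in bytes, exit 1 if none found.
lvm_offset_from_mmls() {
    awk '
        /^Units are in/ { split($4, a, "-"); secsz = a[1] }
        /Linux Logical Volume Manager/ && !found { start = $3 + 0; found = 1 }
        END {
            if (!found || secsz == "") { exit 1 }
            printf "%d\n", start * secsz
        }'
}

# Device-mapper name of a logical volume: LVM doubles every "-" in the VG and
# LV names so the single "-" separating them stays unambiguous.
lvm_mapper_name() {
    vg=$(printf '%s' "$1" | sed 's/-/--/g')
    lv=$(printf '%s' "$2" | sed 's/-/--/g')
    printf '/dev/mapper/%s-%s\n' "$vg" "$lv"
}

# Run a privileged command, or only print it when DRY_RUN=1 so the sequence
# can be reviewed before it touches the evidence image.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        sudo "$@"
    fi
}

# Attach raw image $1 at byte offset $2 to loop device $3 (read-only, losetup -r),
# let LVM find the physical volume, then activate volume group $4.
attach_lvm_image() {
    image=$1; offset=$2; loopdev=$3; vg=$4
    run losetup -r -o "$offset" "$loopdev" "$image"
    run lvm pvscan
    run vgchange -a y "$vg"
}

# Tear down in reverse order: the loop device cannot be detached while the
# volume group on it is still active.
detach_lvm_image() {
    loopdev=$1; vg=$2
    run vgchange -a n "$vg"
    run losetup -d "$loopdev"
}

# Constructed mmls output: a boot partition followed by an LVM partition.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0001050623   0001048576   Linux (0x83)
003:  000:001   0001050624   0041943039   0040892416   Linux Logical Volume Manager (0x8e)'

# Offset derived from the constructed sample: sector 1050624 * 512 bytes.
sample_offset() {
    printf '%s\n' "$SAMPLE_MMLS" | lvm_offset_from_mmls
}

# Usage against a real image (not run here):
#   offset=$(sudo mmls image.raw | lvm_offset_from_mmls)
#   attach_lvm_image image.raw "$offset" /dev/loop1 vg_evidence
#   ... analyse $(lvm_mapper_name vg_evidence lv_root) ...
#   detach_lvm_image /dev/loop1 vg_evidence
```

The offset function takes the first 0x8e partition it sees; on a disk with several LVM partitions, attach each one to its own loop device and run pvscan once, after which all of them join the volume group they belong to.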

== Mounting an LVM from a device ==

To list the physical volumes (PV) together with the volume group (VG) each belongs to, run:
<pre>
pvs
</pre>

To list the logical volumes in a volume group, run:
<pre>
lvdisplay $VOLUMEGROUP
</pre>

The field "LV Name" provides the volume name; "LV Path" gives the /dev/$VOLUMEGROUP/$VOLUMENAME path of each volume.

To make the volume group on the attached device known to the system, scan for it:
<pre>
vgscan
</pre>

Do not use vgexport here: it does the opposite and marks the group as no longer belonging to this system. If the group was exported that way on its original machine, vgimport reverses it so the group can be activated.

Then activate the volumes in the volume group:
<pre>
vgchange -a y $VOLUMEGROUP
</pre>

The individual volume devices are now available in:
<pre>
/dev/mapper/$VOLUMEGROUP-$VOLUMENAME
</pre>

These can now be analyzed with e.g. a tool like the [[Sleuthkit]] or mounted.

To mount an individual volume read-only:
<pre>
mount -o ro /dev/mapper/$VOLUMEGROUP-$VOLUMENAME filesystem/
</pre>

A plain ro mount still lets ext3/ext4 and XFS replay a dirty journal, which writes to the device (and makes the mount fail on a read-only device); add noload for ext3/ext4 or norecovery for XFS to prevent that, and noexec,nosuid,nodev so nothing on the evidence volume can be executed.

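The device procedure above, from listing the volumes to mounting them, as an added example script that is not from the original page: it takes the volume names from lvdisplay output and builds, for each, a read-only mount command whose options also stop journal replay. The lvdisplay text is constructed sample output; the volume group vg_evidence, the mount point /mnt/evidence and the use of blkid to find the filesystem type are assumptions. It addresses volumes through the /dev/$VOLUMEGROUP/$VOLUMENAME symlinks that LVM creates alongside the /dev/mapper names, so no name mangling is needed.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed for illustration:
# volume group "vg_evidence", mount point /mnt/evidence, constructed lvdisplay output.

# Print the LV names found in lvdisplay output read from stdin, one per line.
lv_names_from_lvdisplay() {
    awk '$1 == "LV" && $2 == "Name" { print $3 }'
}

# Mount options that keep the evidence untouched: plain "ro" still lets ext3/ext4
# and XFS replay a dirty journal on mount (a write to the device), so disable
# recovery per filesystem type and refuse to execute anything from the volume.
ro_mount_opts() {
    case "$1" in
        ext3|ext4) echo "ro,noload,noexec,nosuid,nodev" ;;
        xfs)       echo "ro,norecovery,noexec,nosuid,nodev" ;;
        *)         echo "ro,noexec,nosuid,nodev" ;;
    esac
}

# Build the mount command for one volume of group $1 named $2 with filesystem
# type $3 under mount point $4. A real run obtains $3 with:
#   blkid -o value -s TYPE /dev/$vg/$lv
ro_mount_command() {
    vg=$1; lv=$2; fstype=$3; mountpoint=$4
    printf 'mount -t %s -o %s /dev/%s/%s %s/%s\n' \
        "$fstype" "$(ro_mount_opts "$fstype")" "$vg" "$lv" "$mountpoint" "$lv"
}

# Constructed lvdisplay output for a group with two logical volumes.
SAMPLE_LVDISPLAY='  --- Logical volume ---
  LV Path                /dev/vg_evidence/lv_root
  LV Name                lv_root
  VG Name                vg_evidence
  LV Status              available
  LV Size                16.00 GiB

  --- Logical volume ---
  LV Path                /dev/vg_evidence/lv_home
  LV Name                lv_home
  VG Name                vg_evidence
  LV Status              available
  LV Size                3.00 GiB'

# Space-separated LV names from the constructed sample.
sample_lv_names() {
    printf '%s\n' "$SAMPLE_LVDISPLAY" | lv_names_from_lvdisplay | tr '\n' ' ' | sed 's/ $//'
}

# Usage on a live system (not run here):
#   for lv in $(sudo lvdisplay vg_evidence | lv_names_from_lvdisplay); do
#       fstype=$(sudo blkid -o value -s TYPE "/dev/vg_evidence/$lv")
#       sudo mkdir -p "/mnt/evidence/$lv"
#       sudo $(ro_mount_command vg_evidence "$lv" "$fstype" /mnt/evidence)
#   done
```

Mounting with the journal left unreplayed means the filesystem may look inconsistent where the system crashed; that is the correct trade-off for evidence, since the alternative is the kernel rewriting the volume on your behalf.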
== Also see ==
* [[:Category:File Systems | File Systems]]

== External Links ==
* [http://en.wikipedia.org/wiki/Logical_Volume_Manager_%28Linux%29 Wikipedia article on Logical Volume Manager]
* [http://www.datadisk.co.uk/html_docs/redhat/rh_lvm.htm RedHat - LVM cheatsheet]

[[Category:Volume Systems]]

Hi, I'm a student. My branch is computer software and I like forensic sciences.