Difference between pages "Windows Application Compatibility" and "Linux Logical Volume Manager (LVM)"

From ForensicsWiki

= Windows Application Compatibility =

{{expand}}

== sysmain.sdb ==

== RecentFileCache.bcf ==
In Windows 7 the RecentFileCache.bcf file is stored in:

<pre>
C:\Windows\AppCompat\Programs\
</pre>

== Amcache.hve ==
The Amcache.hve file is a [[Windows NT Registry File (REGF)]].

In Windows 8 the Amcache.hve file is stored in:

<pre>
C:\Windows\AppCompat\Programs\
</pre>

== AppCompatCache ==
In Windows 2000 and XP:

<pre>
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility
</pre>

In Windows 2003 and later:

<pre>
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
</pre>

== External Links ==
* [http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx Technet: Understanding Shims], by [[Microsoft]]
* [http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx MSDN: Application Compatibility Database], by [[Microsoft]]
* [http://www.alex-ionescu.com/?p=39 Secrets of the Application Compatilibity Database (SDB) – Part 1], by [[Alex Ionescu]], May 20, 2007
* [http://www.alex-ionescu.com/?p=40 Secrets of the Application Compatilibity Database (SDB) – Part 2], by [[Alex Ionescu]], May 21, 2007
* [http://www.alex-ionescu.com/?p=41 Secrets of the Application Compatilibity Database (SDB) – Part 3], by [[Alex Ionescu]], May 26, 2007
* [http://recxltd.blogspot.com/2012/04/windows-appcompat-research-notes-part-1.html Windows AppCompat Research Notes - Part 1], by Ollie, 28 April 2012
* [http://recxltd.blogspot.com/2012/05/windows-appcompat-research-notes-part-2.html Windows AppCompat Research Notes - Part 2], by Ollie, 4 May 2012
* [https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf Leveraging the Application Compatibility Cache in Forensic Investigations], by [[Andrew Davis]], May 4, 2012
* [http://journeyintoir.blogspot.ch/2013/12/revealing-recentfilecachebcf-file.html Revealing the RecentFileCache.bcf File], by [[Corey Harrell]], December 2, 2013
* [http://journeyintoir.blogspot.ch/2013/12/revealing-program-compatibility.html Revealing Program Compatibility Assistant HKCU AppCompatFlags Registry Keys], by [[Corey Harrell]], December 17, 2013
* [http://journeyintoir.blogspot.ch/2014/04/triaging-with-recentfilecachebcf-file.html Triaging with the RecentFileCache.bcf File], by [[Corey Harrell]], April 21, 2014

= Linux Logical Volume Manager (LVM) =

{{expand}}

The [[Linux]] Logical Volume Manager is commonly abbreviated to LVM, although the abbreviation is also used for other [http://en.wikipedia.org/wiki/Logical_Volume_Management Logical Volume Management] variants.

Not all forensic tools support Linux Logical Volume Manager (LVM) volumes, but most modern Linux distributions do.

== Forensic analysis ==
The metadata area of an LVM Physical Volume can contain multiple versions of the metadata section that holds the LVM Volume Group definitions, each including a creation date and time value. Because older versions are only overwritten as the area wraps around, they can record earlier volume group layouts.

== Mounting an LVM ==
=== Mounting an LVM from an image ===
If you have an image, attach the LVM physical volume read-only to a loopback device (e.g. /dev/loop1) with:

<pre>
sudo losetup -r -o $OFFSET /dev/loop1 image.raw
</pre>

Note that $OFFSET is in bytes (the start of the partition holding the physical volume).

If you need to write to the image, e.g. for recovery, use [[xmount]] to write the changes to a [[shadow file]] (or cache file in xmount terminology):

<pre>
sudo xmount --in dd --cache sda.shadow sda.raw image/
</pre>

You can then safely mount the LVM in read-write mode (just omit the -r in the previous losetup command).

To remove this mapping afterwards run:

<pre>
sudo losetup -d /dev/loop1
</pre>

To scan for new physical volumes:

<pre>
lvm pvscan
</pre>

The loop device cannot be detached while a volume group on it is still active. To deactivate the volume group:

<pre>
vgchange -a n $VOLUMEGROUP
</pre>

Where $VOLUMEGROUP is the name of the volume group.

While the volume group is active, the individual volume devices are available in:

<pre>
/dev/mapper/$VOLUMEGROUP-$VOLUMENAME
</pre>

=== Mounting an LVM from a device ===
To list the Physical Volumes (PV) and the Volume Groups (VG) they belong to, run:

<pre>
pvs
</pre>

To list the Logical Volumes (LV) in a Volume Group (VG), run:

<pre>
lvdisplay $VOLUMEGROUP
</pre>

The field "LV Name" provides the volume name.

To make the volume group known to the system (only if it was previously exported using the ''vgexport'' command; note that ''vgimport'' alters the data in the LVM2 header):

<pre>
vgimport $VOLUMEGROUP
</pre>

And activate the volumes in the volume group:

<pre>
vgchange -a y $VOLUMEGROUP
</pre>

The individual volume devices are now available in:

<pre>
/dev/mapper/$VOLUMEGROUP-$VOLUMENAME
</pre>

These can now be analyzed with a tool such as the [[Sleuthkit]], or loop-back mounted.

To loop-back mount an individual volume read-only:

<pre>
mount -o ro,loop /dev/mapper/$VOLUMEGROUP-$VOLUMENAME filesystem/
</pre>

== Also see ==
* [[:Category:File Systems | File Systems]]

== External Links ==
* [http://en.wikipedia.org/wiki/Logical_Volume_Manager_%28Linux%29 Wikipedia article on Logical Volume Manager]
* [http://www.tldp.org/HOWTO/LVM-HOWTO/ LVM Howto], by [http://www.tldp.org/ The Linux Documentation Project]
* [http://www.sourceware.org/lvm2/ LVM2 Resource Page]
* [http://www.redhat.com/magazine/009jul05/features/lvm2/ The Linux Logical Volume Manager], by Heinz Mauelshagen and Matthew O'Keefe
* [http://www.datadisk.co.uk/html_docs/redhat/rh_lvm.htm LVM cheatsheet], by [[RedHat]]
* [http://content.hccfl.edu/pollock/aunix1/lvm.htm Unix/Linux Administration Logical Volume Management Guide], by Wayne Pollock, 2005
* [http://lvb.sti.fce.vutbr.cz/public/LinuxAlt_2009/2009_11_08_LA_04_LVM/2009_11_08_LA_04_LVM.pdf LVM2 – data recovery], by Milan Brož, LinuxAlt 2009

[[Category:Volume Systems]]
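The "Forensic analysis" section above notes that a physical volume's metadata area keeps several versions of the volume group definition, each with its own creation time, and the "Mounting an LVM from an image" section notes that the losetup offset is the partition start in bytes. The following script is an added example, not ForensicsWiki content or part of the LVM2 project: it turns a partition start sector into that byte offset, locates the LVM2 label and PV header at that offset in a raw image, and carves every text-format metadata version out of the metadata area. The label and PV header layout it relies on (a 32-byte "LABELONE"/"LVM2 001" header in one of the PV's first four sectors, followed by a header listing data areas and metadata areas as zero-terminated lists of (offset, size) pairs relative to the PV start) is my reading of the LVM2 sources and is an assumption; the raw image, UUIDs, host name and timestamps are constructed in the script so it runs offline, and the header CRCs are not modelled.

```python
# Added example (not ForensicsWiki content): from a partition start sector, find
# the LVM2 physical volume (PV) in a raw image and carve every version of the
# volume group (VG) metadata. Label/PV header layout is my reading of the LVM2
# sources (assumption); the image is constructed below, CRCs are not modelled.
import re
import struct

SECTOR = 512
LABEL_ID, LABEL_TYPE = b"LABELONE", b"LVM2 001"
MDA_MAGIC = b" LVM2 x[5A%r0N*>"      # magic of the metadata area header
VG_RE = re.compile(rb'([A-Za-z0-9_.+-]+)\s*\{\s*id\s*=\s*"[^"]+"\s*seqno\s*=\s*(\d+)')
LV_RE = re.compile(rb'([A-Za-z0-9_.+-]+)\s*\{\s*id\s*=\s*"')
TIME_RE = re.compile(rb"creation_time\s*=\s*(\d+)")
HOST_RE = re.compile(rb'creation_host\s*=\s*"([^"]*)"')


def partition_offset_bytes(start_sector, sector_size=SECTOR):
    """The $OFFSET that losetup -o expects: start sector times sector size."""
    return start_sector * sector_size


def parse_pv_header(image, pv_offset):
    """Header of the PV at pv_offset, or None if its first 4 sectors carry no label."""
    for cand in range(pv_offset, pv_offset + 4 * SECTOR, SECTOR):
        if len(image) < cand + 32:
            return None
        ident, _sect, _crc, hdr_off, typ = struct.unpack_from("<8sQII8s", image, cand)
        if ident == LABEL_ID and typ == LABEL_TYPE:
            break
    else:
        return None
    pos = cand + hdr_off                 # pv_header: uuid, device size, area lists
    uuid = image[pos:pos + 32].decode("ascii")
    device_size = struct.unpack_from("<Q", image, pos + 32)[0]
    pos += 40
    areas = [[], []]                     # data areas, then metadata areas
    for lst in areas:                    # each list ends with a (0, 0) entry
        while True:
            off, size = struct.unpack_from("<QQ", image, pos)
            pos += 16
            if off == 0 and size == 0:
                break
            lst.append((off, size))
    return {"uuid": uuid, "device_size": device_size,
            "data_areas": areas[0], "metadata_areas": areas[1]}


def carve_metadata_versions(area):
    """Carve every complete text-format VG definition from a raw metadata area.
    The area is a ring buffer: each change appends a NUL-terminated copy and old
    copies survive until overwritten, so earlier layouts are often recoverable."""
    versions = []
    for chunk in re.split(rb"\x00+", area):
        vg, when = VG_RE.search(chunk), TIME_RE.search(chunk)
        if not vg or not when:
            continue                     # mda header bytes or a wrapped fragment
        host = HOST_RE.search(chunk)
        section = chunk.split(b"logical_volumes", 1)
        lvs = sorted({m.decode() for m in LV_RE.findall(section[1])}) if len(section) == 2 else []
        versions.append({"vg": vg.group(1).decode(), "seqno": int(vg.group(2)),
                         "creation_time": int(when.group(1)),
                         "creation_host": host.group(1).decode() if host else "",
                         "lvs": lvs})
    return versions


def analyse(image, start_sector):
    """Partition start sector -> PV header -> carved metadata history by seqno."""
    pv_off = partition_offset_bytes(start_sector)
    pv = parse_pv_header(image, pv_off)
    if pv is None:
        return None
    versions = []
    for off, size in pv["metadata_areas"]:
        versions += carve_metadata_versions(image[pv_off + off:pv_off + off + size])
    versions.sort(key=lambda v: v["seqno"])
    return {"pv_offset": pv_off, "pv": pv, "versions": versions}


def _vg_text(seqno, lv_names, creation_time):
    """Constructed LVM2 text-format metadata for a VG named vg0 (sample data)."""
    lines = ["vg0 {", 'id = "VGID-0000"', "seqno = %d" % seqno, 'format = "lvm2"',
             "physical_volumes {", "pv0 {", 'id = "PVID-0000"', "pe_start = 2048", "}", "}",
             "logical_volumes {"]
    for name in lv_names:
        lines += [name + " {", 'id = "LVID-%s"' % name, "segment1 {", "start_extent = 0", "}", "}"]
    lines += ["}", "}", 'contents = "Text Format Volume Group"', "version = 1",
              'creation_host = "forensic-ws"', "creation_time = %d" % creation_time]
    return ("\n".join(lines) + "\n").encode()


def build_sample_image():
    """Constructed raw image: a partition at sector 2048 holds an LVM2 PV whose
    metadata area carries two versions of vg0 (first one LV, then two)."""
    pv_start = partition_offset_bytes(2048)
    mda_off, mda_size, data_off = 4096, 16384, 1048576      # relative to the PV
    pv_size = data_off + 1048576
    img = bytearray(pv_start + pv_size)
    pv_header = (b"PVUUID".ljust(32, b"0") + struct.pack("<Q", pv_size)
                 + struct.pack("<QQQQ", data_off, 0, 0, 0)        # data areas
                 + struct.pack("<QQQQ", mda_off, mda_size, 0, 0))  # metadata areas
    label = struct.pack("<8sQII8s", LABEL_ID, 1, 0, 32, LABEL_TYPE) + pv_header
    img[pv_start + SECTOR:pv_start + SECTOR + len(label)] = label
    pos = pv_start + mda_off
    img[pos + 4:pos + 20] = MDA_MAGIC     # mda header sector; the text follows it
    pos += SECTOR
    for seqno, lvs, when in ((1, ["root"], 1399900000), (2, ["root", "home"], 1399911000)):
        blob = _vg_text(seqno, lvs, when) + b"\x00"
        img[pos:pos + len(blob)] = blob
        pos += len(blob)
    return bytes(img)
```

Calling `analyse(build_sample_image(), 2048)` returns the PV offset 1048576 (the value to pass to `losetup -o`), the PV header with its single metadata area at (4096, 16384), and two carved versions: seqno 1 with only `root`, then seqno 2 with `root` and `home`, each with its own `creation_time`. On a real image, replace the sample with the image bytes and the start sector reported by the partition table; a metadata block that straddles the end of the ring buffer is skipped by this carver rather than stitched back together.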
Revision as of 16:28, 12 May 2014