If you've already got the partitions dd'd out, this is what I normally
do using loop devices:

How to import LVM after first dd:
losetup -f (find a free loop device)
losetup -d (if needed to unmount other loop devices)
losetup /dev/loop0 /path/to/lvm.img (map loop device to image)
pvscan (scan for new physical volumes)
vgimport <volumegroupname> (import your VG*)
vgchange -ay <volumegroupname> (activate the VG)
mount /dev/<volumegroupname>/<logicalvolumename> /mnt/point (mount an LV)

* Sometimes I've had to "export" the VG before being able to import it
using vgexport

From here you can either:
dd if=/dev/<volumegroupname>/<logicalvolumename> of=/path/to/<host>vg00lv00.img
OR
mount -o loop,ro,noexec,noatime,nodev /dev/<volumegroupname>/<logicalvolumename> /mnt/point

You can mount the logical volumes from the mounted loop device if you
wish. One of the caveats to this approach is that as far as I know each
LVM you mount must have a unique Volume Group name (yes I ran into this
problem :)). If you dd out each of the LVs you can mount them as if they
were normal partitions in the future.

Also, as your LVM probably has a lot of LVs in it you will quickly run
out of the 8 loop devices linux allows by default. If using GRUB, you
must pass a max_loop=X argument to set the number of loop devices
available on boot. LILO probably has something similar.

More and more distributions seem to be using LVM now by default (RedHat
server and Ubuntu come to mind). I pieced this together but never found
anywhere on the web with this info in one place. I hope it helps!

Patrick
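The loop-device procedure above, written out as a script. This is an added example and not something from the thread; it assumes root, util-linux losetup and the lvm2 tools (pvscan, vgs, vgchange, vgimportclone), and the image path, VG name, LV name and mount point are made-up placeholders. It attaches the image read-only so the evidence cannot be changed through the loop device, mounts with ro/noexec/nosuid/nodev/noatime, and handles the volume-group name collision from the caveat: a VG rename with vgimportclone rewrites LVM metadata on the physical volume, so the script refuses to do it unless RENAME_ON_COPY=1 tells it that the image is a working copy. DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example: mount a dd'd LVM partition image for forensic review.
# Requires root, losetup (util-linux) and lvm2. DRY_RUN=1 prints commands only.

run() {
    # Execute a command, or print it when DRY_RUN=1.
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Evidence mount flags: read-only, no setuid/device/exec, no atime updates.
EVIDENCE_MOUNT_OPTS="ro,noexec,nosuid,nodev,noatime"

attach_image() {
    # attach_image IMAGE [rw] -> prints the loop device. Read-only unless "rw".
    ro="--read-only"; [ "${2:-}" = "rw" ] && ro=""
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'losetup --find --show %s %s\n' "$ro" "$1" >&2
        printf '/dev/loopN\n'        # placeholder device in dry-run mode
    else
        losetup --find --show $ro "$1"
    fi
}

vg_name_in_use() {
    # vg_name_in_use VG -> true if the analysis host already has a VG of that
    # name (the name-collision caveat). EXISTING_VGS stands in under DRY_RUN.
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "${EXISTING_VGS:-}" | tr ' ' '\n' | grep -qx "$1"
    else
        vgs --noheadings -o vg_name 2>/dev/null | tr -d ' ' | grep -qx "$1"
    fi
}

mount_lvm_image() {
    # mount_lvm_image IMAGE VG LV MOUNTPOINT
    img=$1; vg=$2; lv=$3; mnt=$4
    if vg_name_in_use "$vg"; then
        # Renaming the VG rewrites PV metadata, so only do it on a working copy.
        if [ "${RENAME_ON_COPY:-0}" != "1" ]; then
            echo "VG $vg already exists on this host; rename needs a writable" \
                 "working copy of the image (set RENAME_ON_COPY=1)" >&2
            return 1
        fi
        dev=$(attach_image "$img" rw) || return 1
        vg="${vg}_evidence"
        run vgimportclone -n "$vg" "$dev"
    else
        dev=$(attach_image "$img") || return 1
        run pvscan
    fi
    run vgchange -ay "$vg"
    run mkdir -p "$mnt"
    run mount -o "$EVIDENCE_MOUNT_OPTS" "/dev/$vg/$lv" "$mnt"
}

detach_lvm_image() {
    # detach_lvm_image VG MOUNTPOINT LOOPDEV: undo mount_lvm_image.
    run umount "$2"
    run vgchange -an "$1"
    run losetup -d "$3"
}

# Usage: ./mount_lvm_image.sh /evidence/sda2.img vg00 lv_root /mnt/evidence
if [ "$#" -eq 4 ]; then mount_lvm_image "$@"; fi
```

If pvscan does not see the attached image, check the devices/filter (or global_filter) setting in lvm.conf on the analysis host, since some distributions exclude loop devices from scanning. Detach in the reverse order (umount, vgchange -an, losetup -d) before attaching the next image, which also keeps the loop-device count down.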

-----Original Message-----
From: Nathaniel Hall [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 17, 2006 11:10 AM
To: [email protected]
Subject: Mounting LVM image for analysis

Maybe I haven't looked deep enough, but I figure the experts would know
best.  I believe a system of mine may have been compromised with a
rootkit.  I have already taken an image of the system and split out the
partitions using the output from mmls and dcfldd.  One of my partitions
is an LVM partition.  It was on a SAN and we made it LVM so the
partition could be extended, but it never was.

I have the image on a Forensic system and I would like to be able to
browse the image as if it was another disk in the system.  What would I
need to do?

--
Nathaniel Hall, GSEC GCFW GCIA GCIH
