Once the VG is mounted you should be able to see all the LVs (partitions) underneath /dev/<volumegroupname>.

In the example I'm looking at, I've got an sdb4 LVM dd image with a volumegroupname of vg00. Doing an ls /dev/vg00/ shows me lv00-lv09. You should then be able to dd if=/dev/vg00/lv00 of=/images/lv00.img (or dcfldd).

mmls doesn't seem to work against a logical volume. I believe mmls would and did work against the physical disk you imaged the LVM off of, but the LVM partition structure is probably different enough that mmls won't work. I just tried it on my LVM example and it doesn't work. I've never needed it, as the LVs under /dev/vg00/lv* in this case are the individual partitions and can be dd'd individually. Can you dcfldd each of those logical volumes rather than mmls and splitting the images?

Patrick

-----Original Message-----
From: Nathaniel Hall [mailto:[EMAIL PROTECTED]
Sent: Monday, August 21, 2006 9:14 AM
To: Nehls, Patrick
Cc: [email protected]
Subject: Re: Mounting LVM image for analysis

This did get me quite a bit farther, but maybe you can help me some more. I went through the steps you provided and was able to browse the contents of the LVM. I tried to run dcfldd against the volume, but I don't have the partition information. I would like to run mmls against the image, but I'm not sure if it supports what I need to do. Any ideas?

Nehls, Patrick wrote:
>From here you can either:
>
>dd if=/dev/<volumegroupname>/<logicalvolumename> of=/path/to/<host>vg00lv00.img
>
>OR
>
>mount -o loop,ro,noexec,noatime,nodev /dev/<volumegroupname>/<logicalvolumename> /mnt/point
>
>Patrick
>
>-----Original Message-----
>From: Nathaniel Hall [mailto:[EMAIL PROTECTED]
>Sent: Thursday, August 17, 2006 11:10 AM
>To: [email protected]
>Subject: Mounting LVM image for analysis
>
>Maybe I haven't looked deep enough, but I figure the experts would know
>best. I believe a system of mine may have been compromised with a
>rootkit. I have already taken an image of the system and split out the
>partitions using the output from mmls and dcfldd. One of my partitions
>is an LVM partition. It was on a SAN and we made it LVM so the
>partition could be extended, but it never was.
>
>I have the image on a Forensic system and I would like to be able to
>browse the image as if it was another disk in the system. What would I
>need to do?
>
>--
>Nathaniel Hall, GSEC GCFW GCIA GCIH

--
Nathaniel Hall, GSEC GCFW GCIA GCIH
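The per-LV imaging step Patrick describes (dd each node under /dev/<volumegroupname>/), written out as an added shell helper that is not from the thread: it assumes the VG has already been activated so the LV device nodes exist, takes the VG directory as a parameter (so it can be exercised on ordinary files as well as /dev/vg00), and verifies every image against its source by SHA-256 the way a dcfldd hash window would.

```shell
#!/bin/sh
# image_lvs VGDIR OUTDIR   (hypothetical helper, not from the list thread)
# Images every logical volume node found under VGDIR (normally
# /dev/<volumegroupname> after `vgchange -ay`) to OUTDIR/<lvname>.img and
# verifies each image against its source by SHA-256. Per-LV results go to
# OUTDIR/hashes.txt as "<lv> <sha256> <bytes> <OK|MISMATCH>".
# Returns 0 only if every LV was imaged and verified. Run as root for /dev/*.
image_lvs() {
    vgdir=$1
    outdir=$2
    mkdir -p "$outdir" || return 1
    : > "$outdir/hashes.txt"
    status=0
    for lv in "$vgdir"/*; do
        [ -e "$lv" ] || continue      # empty directory leaves the glob literal
        name=$(basename "$lv")
        img="$outdir/$name.img"
        # bs=512 keeps the image the same length as a sector-aligned LV;
        # noerror,sync reads past bad blocks and zero-fills them instead of
        # aborting, so the image stays offset-faithful to the source.
        if ! dd if="$lv" of="$img" bs=512 conv=noerror,sync \
                2> "$outdir/$name.dd.log"; then
            echo "$name: dd failed, see $name.dd.log" >&2
            status=1
            continue
        fi
        src_sum=$(sha256sum "$lv" | cut -d' ' -f1)
        img_sum=$(sha256sum "$img" | cut -d' ' -f1)
        if [ "$src_sum" = "$img_sum" ]; then
            verdict=OK
        else
            verdict=MISMATCH
            status=1
        fi
        printf '%s %s %s %s\n' "$name" "$img_sum" "$(wc -c < "$img")" \
            "$verdict" >> "$outdir/hashes.txt"
    done
    return $status
}

# Usage: image_lvs /dev/vg00 /images
if [ $# -eq 2 ]; then
    image_lvs "$1" "$2"
fi
```

Run it only against LV nodes of a VG that was activated from a read-only loop-mounted image, so the source is never written to while it is hashed.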
