Hi 

I'm looking into forensic aspects of ZFS, in particular ways to use ZFS tools 
to investigate ZFS file systems without writing to the pools. I'm working on 
a test suite of file system images within VTOC partitions. At the moment, 
these only have 1 file system per pool per VTOC partition for simplicity's 
sake, and I'm using Solaris 10 6/06, which may not be the most up-to-date. At 
the bottom are details of the tests.

The problem: I was not able to use a loopback device on a file system image 
(see TEST section). Here are some questions:
* Am I missing something? 
* Is there support for lofiadm in a more recent version of ZFS? 
* Or is there any other way to safely mount a file system image?

Thanks for your help.

Regards

Mark

GOOD NEWS
It looks as if the zfs mount options can stop updates of file system metadata 
(i.e. mount times etc.) and file metadata (no writing of file access times). 

Quote from man zfs, 25 Apr 2006, p. 11 ("Temporary Mount Point Properties"):
     ... these options can be set on a per-mount basis
     using the -o option, without affecting the property that is
     stored on disk. The values specified on the command line
     will override the values stored in the dataset. The -nosuid
     option is an alias for "nodevices,nosetuid". These properties
     are reported as "temporary" by the "zfs get" command.


TEST 

26.07.2007
Forensic mounting of ZFS File Systems.
Loopback device does not seem to work with ZFS using "zfs mount" or 
legacy "mount".
However, temporary command-line options can prevent mounts from writing to a 
file system.

MAKE COPY
root@sol10 /export/home# cp t1_fs1.dd t1_fs1.COPY.dd

CHECKSUMS

root@sol10 /export/home# gsha1sum t1*
5c08a7edfe3d04f5fff6d37c6691e85c3745629f  t1_fs1.COPY.dd
5c08a7edfe3d04f5fff6d37c6691e85c3745629f  t1_fs1.dd

CHECKSUM RAW DEV FOR FS1
root@sol10 /export/home# gsha1sum /dev/dsk/c0t1d0s1
5c08a7edfe3d04f5fff6d37c6691e85c3745629f  /dev/dsk/c0t1d0s1
root@sol10 /export/home#


PREPARE LOOPBACK DEVICE
note need full path for file

root@sol10 /export/home# lofiadm -a /export/home/t1_fs1.COPY.dd /dev/lofi/1
root@sol10 /export/home# lofiadm
Block Device             File
/dev/lofi/1              /export/home/t1_fs1.COPY.dd
root@sol10 /export/home#

ZFS MOUNT OF LOOPBACK DEVICE DOESN'T WORK

root@sol10 /export/home# zfs mount -o noexec,nosuid,noatime,nodevices,ro /dev/lofi/1 /fs1
too many arguments
usage:
[...]
root@sol10 /export/home# zfs mount -o ro,noatime /dev/lofi/1
cannot open '/dev/lofi/1': invalid filesystem name

NOR DOES LEGACY MOUNT

root@sol10 /export/home# mount -F zfs -o noexec,nosuid,noatime,nodevices,ro /dev/lofi/1 /fs1
cannot open '/dev/lofi/1': invalid filesystem name

TRY MOUNT OF NORMAL FS

root@sol10 /export/home# mount -o noexec,nosuid,noatime,nodevices,ro fs1 /fs1
root@sol10 /export/home# ls -lR /fs1
/fs1:
total 520
-rw-r--r--   1 mark     staff     234179 Jul 17 20:17 gutenberg.org_martin_luther_treatise_on_good_works_with_intro_gwork10.txt
drwxr-xr-x   3 root     root           5 Jul 26 14:12 level_1

/fs1/level_1:
total 1822
-rwxr-xr-x   1 mark     staff     834236 Jul 17 20:16 imgp2219.jpg
-rw-r--r--   1 mark     staff       1388 Jul 17 20:15 imgp2219.jpg.head.tail.xxd
drwxr-xr-x   2 root     root           5 Jul 26 14:12 level_2

/fs1/level_1/level_2:
total 1038
-rw-r--r--   1 mark     staff     234179 Jul 17 20:17 gutenberg.org_martin_luther_treatise_on_good_works_with_intro_gwork10.txt
-rw-r--r--   1 mark     staff     173713 Jul 17 20:15 imgp2219.small.jpg
-rw-r--r--   1 mark     staff       1388 Jul 17 20:15 imgp2219.small.jpg.head.tail.xxd

MUCK AROUND A BIT

root@sol10 /export/home# file /fs1/gutenberg.org_martin_luther_treatise_on_good_works_with_intro_gwork10.txt
/fs1/gutenberg.org_martin_luther_treatise_on_good_works_with_intro_gwork10.txt: ascii text
root@sol10 /export/home#
root@sol10 /export/home# head /fs1/gutenberg.org_martin_luther_treatise_on_good_works_with_intro_gwork10.txt
*****The Project Gutenberg Etext of A treatise on Good Works*****
#2 in our series by Dr. Martin Luther


Copyright laws are changing all over the world, be sure to check
the copyright laws for your country before posting these files!

Please take a look at the important information in this header.
We encourage you to keep this file on your own disk, keeping an
electronic path open for the next readers.  Do not remove this.
root@sol10 /export/home#
root@sol10 /export/home# rm /fs1/gutenberg.org_martin_luther_treatise_on_good_works_with_intro_gwork10.txt
rm: /fs1/gutenberg.org_martin_luther_treatise_on_good_works_with_intro_gwork10.txt: override protection 644 (yes/no)? y
rm: /fs1/gutenberg.org_martin_luther_treatise_on_good_works_with_intro_gwork10.txt not removed: Read-only file system
root@sol10 /export/home#

root@sol10 /export/home#
root@sol10 /export/home# ls -la /fs1/
total 543
drwxr-xr-x   3 root     sys            4 Jul 26 14:13 .
drwxr-xr-x  26 mark     staff        512 Jul 26 14:06 ..
-rw-r--r--   1 mark     staff     234179 Jul 17 20:17 gutenberg.org_martin_luther_treatise_on_good_works_with_intro_gwork10.txt
drwxr-xr-x   3 root     root           5 Jul 26 14:12 level_1
root@sol10 /export/home#

UNMOUNT

root@sol10 /export/home# umount /fs1
root@sol10 /export/home#

CHECKSUM RAW DEV AGAIN: MATCHES (NO DATA WRITTEN)

root@sol10 /export/home#
root@sol10 /export/home# gsha1sum /dev/dsk/c0t1d0s1
5c08a7edfe3d04f5fff6d37c6691e85c3745629f  /dev/dsk/c0t1d0s1
root@sol10 /export/home#
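
The check the post performs by hand (checksum the device, mount read-only, examine, unmount, checksum again), wrapped as a reusable shell helper. This is an added example, not part of the original message; `hash_of`, `verify_unchanged` and `examine_ro` are hypothetical names, and `sha1sum` is assumed as a fallback where `gsha1sum` is not installed.

```shell
#!/bin/sh
# Added example (not from the original post): bracket any examination step
# between two SHA-1 hashes of the evidence and report whether it changed.

# Print the SHA-1 of a file or raw device. Uses gsha1sum as in the post,
# falling back to sha1sum (assumption) on systems without it.
hash_of() {
    if command -v gsha1sum >/dev/null 2>&1; then
        gsha1sum "$1" | cut -d' ' -f1
    else
        sha1sum "$1" | cut -d' ' -f1
    fi
}

# verify_unchanged EVIDENCE COMMAND [ARGS...]
# Returns 0 if the hash is identical before and after COMMAND,
#         1 if the evidence changed,
#         2 if the evidence could not be hashed at all.
verify_unchanged() {
    evidence=$1
    shift
    before=$(hash_of "$evidence" 2>/dev/null) || return 2
    [ -n "$before" ] || return 2

    step_exit=0
    "$@" || step_exit=$?          # the step may fail; still re-hash afterwards

    after=$(hash_of "$evidence" 2>/dev/null) || return 2
    [ -n "$after" ] || return 2
    echo "before=$before after=$after step_exit=$step_exit" >&2
    [ "$before" = "$after" ]
}

# The examination step from the post: mount with the temporary options,
# list the tree, unmount. Arguments: dataset name and mount point.
examine_ro() {
    mount -o noexec,nosuid,noatime,nodevices,ro "$1" "$2" || return 1
    ls -lR "$2"
    umount "$2"
}

# Usage on the test system described in the post:
#   verify_unchanged /dev/dsk/c0t1d0s1 examine_ro fs1 /fs1 \
#       && echo "no data written" || echo "EVIDENCE MODIFIED OR UNREADABLE"
```
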

