
Case: Linux LVM mirror

Requirements

  • Oracle VM VirtualBox;
  • Grml 2014.11;
  • another live forensic distribution of your choice.

Description

The Linux LVM mirror.ova file contains a virtual machine with two drives making up a mirrored Linux LVM set. The drives are out of sync, i.e. their contents represent different states of a logical volume being mirrored. In particular, the out-of-date volume on /dev/sda1 contains a text file that was deleted in the up-to-date volume on /dev/sdb1 (Fig. 1).

Fig. 1

Several popular live forensic distributions automatically activate LVM volumes (when running in a forensic / write blocking mode), thus triggering their synchronization if required (Fig. 2-3).

Fig. 2

Fig. 3

In our case, this results in a text file on /dev/sda1 being implicitly deleted by the LVM driver (Fig. 4).

Fig. 4

Grml 2014.11

Grml 2014.11 includes the kernel patch available in this repository along with its own userspace tools to mark block devices as read-only (in the Forensic Mode). Since Grml 2014.11 does not automatically activate any LVM volumes in the forensic mode, we need to activate them manually (vgchange -a y). As Fig. 5 shows, Grml 2014.11 successfully blocks the write requests going to the drives, and the data remains untouched. Note that write requests were issued to the read-only block devices!

Fig. 5
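A pre-activation check for the manual vgchange step described above, as an added example that is not part of this repository or of Grml: it refuses to activate unless every physical device reports the read-only flag, and it parses dm-raid1 mirror status lines to tell whether a resync is pending. The device paths and the dmsetup status lines in the comments are constructed, and the exact status field layout is assumed from the dm-raid1 target's status output.

```shell
#!/bin/sh
# Added example (not the repository's own code). Run on a forensic boot
# before `vgchange -a y`, e.g.: sh lvm_precheck.sh /dev/sda1 /dev/sdb1

# all_ro DEV... : succeed only if `blockdev --getro` reports 1 for every device.
# A missing device or a missing blockdev binary counts as "not read-only".
all_ro() {
    for dev in "$@"; do
        ro=$(blockdev --getro "$dev" 2>/dev/null) || return 1
        [ "$ro" = "1" ] || return 1
    done
    return 0
}

# mirror_sync_state "<dmsetup status line>" : prints <synced>/<total> regions.
# Returns 0 when the mirror is fully in sync, 1 when a resync is pending
# (the out-of-date leg would be overwritten on activation), 2 when the line
# is not a mirror target. Assumed dm-raid1 layout, e.g. (constructed):
#   "0 2097152 mirror 2 8:1 8:17 640/1024 1 AA 3 core 2 64"
#   <start> <len> mirror <n> <dev>... <synced>/<total> 1 <leg states> <log...>
mirror_sync_state() {
    set -- $1
    [ "$3" = "mirror" ] || return 2
    n=$4
    shift 4
    shift "$n"                      # skip the n mirror leg device names
    synced=${1%/*}
    total=${1#*/}
    echo "$synced/$total"
    [ "$synced" -eq "$total" ]
}

if [ "$#" -gt 0 ]; then
    all_ro "$@" || { echo "refusing: a device is not read-only" >&2; exit 1; }
    vgchange -a y
    # `dmsetup status` prefixes each line with "<dm name>: "; strip it
    dmsetup status | while read -r line; do
        state=$(mirror_sync_state "${line#*: }") && echo "in sync ($state): $line" \
            || echo "resync pending or not a mirror: $line"
    done
fi
```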