Case: Linux LVM mirror
- Oracle VM VirtualBox;
- Grml 2014.11;
- another live forensic distribution of your choice.
The Linux LVM mirror.ova file contains a virtual machine with two drives making up a mirrored Linux LVM set. The drives are out of sync, i.e. their contents represent different states of a logical volume being mirrored. In particular, the out-of-date volume on /dev/sda1 contains a text file that was deleted in the up-to-date volume on /dev/sdb1 (Fig. 1).
Several popular live forensic distributions automatically activate LVM volumes (even when running in a forensic / write-blocking mode), thus triggering their synchronization if the mirror is out of sync (Fig. 2-3).
In our case, this results in a text file on /dev/sda1 being implicitly deleted by the LVM driver (Fig. 4).
Grml 2014.11 includes the kernel patch available in this repository along with its own userspace tools to mark block devices as read-only (in the Forensic Mode). Since no LVM volumes are automatically activated by Grml 2014.11 in the forensic mode, we need to activate them manually (vgchange -a y). As you can see (Fig. 5), Grml 2014.11 successfully blocks the write requests going to the drives, and the data remains untouched. Note that write requests were issued to the read-only block devices!
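A pre-activation check in the spirit of the Grml behaviour described above, as an added example that is not part of the original case write-up or of Grml itself: it refuses to run vgchange -a y unless every member device of the volume group reports ro=1 in sysfs, so a mirror resynchronization cannot write to the evidence disks. The SYSROOT parameter (normally /sys) and the DRY_RUN switch are assumptions added so the functions can be exercised offline against a constructed fake sysfs tree.

```shell
#!/bin/sh
# Added example: verify block-layer read-only state of LVM member devices
# before activating a (possibly out-of-sync) mirrored volume group.
# /sys/class/block/<dev>/ro is 1 when the kernel treats <dev> as read-only,
# which is what a forensic boot mode such as Grml's should have set.

# all_members_readonly SYSROOT DEV...
#   returns 0 if every DEV has ro=1 under SYSROOT/class/block, 1 otherwise
all_members_readonly() {
    sysroot=$1; shift
    rc=0
    for dev in "$@"; do
        ro_file="$sysroot/class/block/$dev/ro"
        if [ ! -r "$ro_file" ]; then
            echo "WARN: $dev: cannot read $ro_file (device missing?)" >&2
            rc=1
            continue
        fi
        ro=$(cat "$ro_file")
        if [ "$ro" != "1" ]; then
            echo "WARN: $dev is writable (ro=$ro); an LVM resync could alter it" >&2
            rc=1
        fi
    done
    return $rc
}

# safe_activate SYSROOT VG DEV...
#   activates VG only when all listed member devices are read-only.
#   DRY_RUN=1 prints the vgchange command instead of executing it.
safe_activate() {
    sysroot=$1; vg=$2; shift 2
    if ! all_members_readonly "$sysroot" "$@"; then
        echo "refusing to activate $vg: member devices are not all read-only" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "would run: vgchange -a y $vg"
    else
        vgchange -a y "$vg"
    fi
}

# Typical use on a live system (SYSROOT=/sys), matching the case above:
#   safe_activate /sys <vgname> sda1 sdb1
```

If one of the mirror legs is still writable, the function prints which device is at fault and exits non-zero without touching LVM, which is the state in which the unpatched distributions in Fig. 2-4 would have silently resynchronized the mirror.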