This did get me quite a bit farther, but maybe you can help me some more. I went through the steps you provided and was able to browse the contents of the LVM. I tried to run dcfldd against the volume, but I don't have the partition information. I would like to run mmls against the image, but I'm not sure if it supports what I need to do. Any ideas?
Nehls, Patrick wrote:
> From here you can either:
> dd if=/dev/<volumegroupname>/<logicalvolumename> of=/path/to/<host>vg00lv00.img
> OR
> mount -o loop,ro,noexec,noatime,nodev /dev/<volumegroupname>/<logicalvolumename> /mnt/point
>
> Patrick
>
> -----Original Message-----
> From: Nathaniel Hall [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 17, 2006 11:10 AM
> To: [email protected]
> Subject: Mounting LVM image for analysis
>
> Maybe I haven't looked deep enough, but I figure the experts would know
> best. I believe a system of mine may have been compromised with a
> rootkit. I have already taken an image of the system and split out the
> partitions using the output from mmls and dcfldd. One of my partitions
> is an LVM partition. It was on a SAN and we made it LVM so the
> partition could be extended, but it never was.
>
> I have the image on a Forensic system and I would like to be able to
> browse the image as if it was another disk in the system. What would I
> need to do?
>
> --
> Nathaniel Hall, GSEC GCFW GCIA GCIH

--
Nathaniel Hall, GSEC GCFW GCIA GCIH
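As an added example, not code from either message in this thread, the POSIX shell script below images an already activated logical volume with dd the way Patrick describes, records a SHA-256 of the copy so it can be verified later, and then checks whether the copy starts with an MBR partition table (the case mmls parses) or carries an ext filesystem directly with no partition table at all. The device path, output path and the constructed sample volume are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: image an LVM logical volume and
# find out whether the copy has a partition table or a bare filesystem.
set -e

# Copy a block device (or file) to an image and print its SHA-256.
# conv=noerror keeps going past read errors, conv=sync pads the failed
# block with zeros; bs=512 limits any padding to one sector.
image_volume() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync
    sha256sum "$2" | cut -d' ' -f1
}

# Print two bytes at a byte offset as lowercase hex, e.g. "55aa".
bytes_at() {
    dd if="$1" bs=1 skip="$2" count=2 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# An MBR partition table ends with the boot signature 0x55 0xAA at
# offset 510; that is the layout a tool like mmls can enumerate.
has_mbr() { [ "$(bytes_at "$1" 510)" = "55aa" ]; }

# ext2/3/4 superblock magic 0xEF53 (little-endian bytes 53 ef) sits at
# offset 1080: the volume holds a filesystem directly, nothing to partition.
has_ext_superblock() { [ "$(bytes_at "$1" 1080)" = "53ef" ]; }

classify() {
    if has_mbr "$1"; then echo mbr
    elif has_ext_superblock "$1"; then echo ext
    else echo unknown; fi
}

# Constructed sample for offline testing: a 4 KiB zero-filled "volume"
# carrying only the ext superblock magic (octal 123 357 = 0x53 0xEF).
make_sample_ext() {
    dd if=/dev/zero of="$1" bs=512 count=8 2>/dev/null
    printf '\123\357' | dd of="$1" bs=1 seek=1080 conv=notrunc 2>/dev/null
}

# Usage (assumed paths): ./lvimage.sh /dev/vg00/lv00 /evidence/vg00lv00.img
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    image_volume "$1" "$2"
    classify "$2"
fi
```

If classify prints "ext", the image is a filesystem rather than a disk, so filesystem-level tools (fsstat, fls, or a read-only loop mount) apply to it directly.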
