LVM/LVM2 Volume Support #7888

Open
BeanBagKing opened this issue Mar 20, 2024 · 8 comments

@BeanBagKing

I noticed that Autopsy seems to have issues with LVM volumes on Linux images. The image file is added, and you'll probably get the boot partition, but nothing else. All other partitions show up as unknown/unallocated and aren't browsable. Notice there's no root, home, etc, var, etc.

image

This is the same disk viewed in FTK, just to show it isn't a corrupted disk or something. You can see the beginning of dev, etc, and the rest of a Linux file system.

image

Tip for anyone else having this issue, right click and create disk as is shown in that screenshot, and you can open that disk in Autopsy.

I don't know if this is related to sepinf-inc/IPED#587 which seems to be a downstream issue for Sleuthkit, which may be a downstream issue for Autopsy. Given that I can see references to libvslvm in Autopsy though, I'm hoping the issue may be the same (build is not linking) and it will be an easy fix.

@lfcnassif

lfcnassif commented Mar 20, 2024

I think it may be related. Please also see: @arisjr and @joachimmetz implemented several fixes and improvements in TSK LVM support, and they are awaiting review from the TSK team here: sleuthkit/sleuthkit#2820

@joachimmetz

Unfortunately the whole pool layer and integration with the TSK framework is scarcely documented, see: sleuthkit/sleuthkit#2748

@joachimmetz

@bcarrier @simsong for awareness

@simsong
Member

simsong commented Mar 20, 2024

Thanks. Do you think this is an autopsy issue or a TSK issue? Do you have a small disk image that we can replicate it with?

@simsong
Member

simsong commented Mar 20, 2024

The current plan is to start cleaning things up in a few weeks, as soon as we get some tooling in place to allow us to verify the correctness of patches.

So what I would really like is some kind of self test that fails right now and that then passes when the patches are supplied.

@joachimmetz

joachimmetz commented Mar 20, 2024

@simsong I think the changes pending in sleuthkit/sleuthkit#2748 will likely address the immediate issue, but the TSK pool layer documentation and implementation could benefit from some love and attention

@lfcnassif

> Do you have a small disk image that we can replicate it with?

AFAIK @arisjr generated a few to reproduce the issue and test the fixes he sent to @joachimmetz for review, who later created sleuthkit/sleuthkit#2820; not sure if @arisjr still has the test images.

@arisjr

arisjr commented Mar 20, 2024

Hello,

Right now I could find these two small and simple images that could be tested with the PR.

Simple test disk with lvm
https://drive.google.com/file/d/1UuG8C0k6PLl3bCAtvY-ome6OVX1mZy38/view?usp=share_link

Ubuntu server default installation
https://drive.google.com/file/d/1MvDbIazpsWWclhGPyZb6j-6HsSbgP1lG/view?usp=sharing

Thanks and regards
