Welcome back everyone. If you're dealing with Linux forensic disk images, then you might run into something called logical volume management. And I'll show you what an LVM looks like in a Linux disk image. We have this physical disk image copied from a normal Linux system. And one of these partitions has a logical volume management setup on it. So let's go ahead and take a look at what that partition table looks like. I'm going to cd into the directory with the image. We have our first disk, disk001.E01, and then it's a multi-part disk image. So I'm going to use the Sleuth Kit tool mmls. Let's do clear, then mmls to look at the partitions of this disk image: mmls disk001.E01. And I only needed to give it the first part, because Sleuth Kit is smart enough to know this is a multi-part disk image. So if I hit enter, then we get the partition table. And what we're really interested in here is the logical volume manager partition, Linux Logical Volume Manager. And it looks like the primary partition on this disk. So let's say I wanted to look in this file system. If we use another Sleuth Kit tool, fls -o, and then give it the offset for the start of the partition, paste that in there, and then give it the disk image, then we get "cannot determine file system type". And that will happen whether you're looking at it with Sleuth Kit or in a tool like Autopsy: if the tool does not understand the logical volume manager format of partition, you won't be able to get into the logical data in here. And this isn't encrypted or anything. Basically, you just don't have direct access to the file system. First, you have to rebuild the logical volume, and then you can get access to what looks like a partition on top of the logical volume. So there's kind of an extra step in there. We have the physical hard drive, we have the partition, we have the logical volume manager, and then a virtual, essentially, partition with a file system.
And a lot of tools don't seem to support logical volume manager. So let's go ahead and show how to get access to this data directly from my Linux system. Now, I am using a Linux system as the forensic workstation. I'm in Tsurugi Linux right now, and it's best if you are in a Linux system that doesn't already have logical volume management set up, because you don't want the names, essentially, to conflict with each other. And I'll show you that in a second. Okay. So just to check what we have so far on this forensic workstation, we can look at the devices in /dev/mapper. So ls -l, and that's just listing the directory /dev/mapper. Okay. So the only thing I have in here is control. Basically, in my local system, the forensic workstation, I do not have logical volumes set up. So the next thing I want to do is mount the disk image and get access to the raw data inside. So I can use a tool inside the ewf-tools package called ewfmount. So I'm going to do sudo ewfmount. And then I need to give it the disk name, disk001.E01 in this case, and then my mount point. And this is going to be the mount point for basically the physical suspect disk. So Tsurugi Linux already has some mount points created inside /mnt. If I do tab tab, I can see all of the different folders that have already been created by default. These are just empty mount points. So we can pretty much use any of them. If we haven't already, I'm going to use ewf1, because we have an Expert Witness Format type of image. So I'm going to mount it to ewf1. So /mnt/ewf1, hit enter. Okay. Now, if you see this ewfmount and the version number and it doesn't say anything else, then it should be successful. We can check that by typing mount. So we do have /dev/fuse on /mnt/ewf1, right? So now, what ewfmount does is create a type of physical volume, essentially, so we can look at /mnt/ewf1 with sudo.
That's the folder that we mounted to, and then ewfmount creates a special type of file inside that folder called ewf1. And this second ewf1 is the physical volume inside the disk image. So this is basically the uncompressed physical disk image, essentially. So we can treat it exactly like a physical disk. So I'm going to go ahead and run mmls again from Sleuth Kit on that. So sudo mmls /mnt/ewf1/ewf1, this is our special device, press enter. And then we get the same partition table again. So we know that this device is a representation of the suspect's system. All right. So now we have access to that. We need to start identifying and mounting up the logical volume manager partition. All right. So I'm going to clear that, and I'm going to use a tool called kpartx. So sudo kpartx -a -v /mnt/ewf1/ewf1. Okay. So basically I'm using kpartx to identify all of the partitions inside our new physical disk that we've now attached, press enter. And then we found, looks like, a couple of different devices. Right. So now I can go back and, just to verify that my system can see this logical volume, I can use ls -l /dev/mapper. Remember, ls is just showing the directory, -l is just a switch to control what we can see, essentially, and then the /dev/mapper folder in our system. And now we have three loopback devices as well as vgmint-root and vgmint-swap. Now these are interesting to us because they're going to be related to the logical volume, and specifically we're almost definitely interested in the root, vgmint-root, drive. We could be interested in swap. That's going to give us things like any information that was available in RAM. So that could be interesting to us. For now, let's go ahead and mount root. That way we can get access to the suspect's root directory. All right.
So now our system, our computer, can actually see what volumes are inside this logical volume manager. Now we can use sudo lvscan. Okay. Now all we're doing is basically scanning for logical volumes. And then we have those two logical volumes that were detected, because they were in our mapper directory. So now our computer can actually see those logical volumes as logical volumes. And you can see that the logical volume group is vgmint. And then one of the partitions is root, and that's an 18.5 gig partition. And then we have a one gig swap. So again, we're probably interested in that root there. Okay. So now we have access at /dev/vgmint/root. We can access these directly as devices, because our computer understands the logical volume and the volumes that are inside of there. Okay. So now we can just use plain old sudo mount. Mount is just built into our system. And then we want to give it /dev/vgmint/root. And then I need to mount this where I would normally mount a partition. Right. So where am I going to mount the partition? Again, into the /mnt folder. Let's look at what we have available. We've already used ewf1. This root directory is actually probably the / directory in Linux, but in Windows the / directory equivalent is the C drive. So even though it's not a Windows system, it's a Linux system, I'm just going to mount it to /mnt/c, just because it's normal. Okay. We got an error. It says "WARNING: device write-protected", which is good. That's what we wanted. And "mounted read-only". ewfmount will mount these read-only. Inside /mnt/c we've actually mounted up the logical volume, and specifically the root partition in the logical volume. So we should be able to see all of the files in that logical volume in this directory. So we can do cd /mnt/c.
And what I would expect to see if I do ls, or I'll do ll, is all of the files that we would normally see in a Linux root directory. So things like root, var, etc, opt, things like that. Okay. So listing everything out. Yeah. So we have bin, boot, dev, etc, home, media, mnt. All of these are coming from the suspect logical volume. All right. So now we have a root directory. And a couple of weeks ago, I posted a video about Linux forensics and how I eventually used sudo chroot, and then what would be /mnt/c. And then you can actually change your own root directory into the suspect's root directory and search around just like you're the suspect. But we don't need to do that today. So now, once you have that mounted up, I'll show you what my mount points look like. We have /dev/fuse on /mnt/ewf1, and we have /dev/mapper/vgmint-root on /mnt/c. So this is the logical volume inside the logical volume manager, and then this fuse device is our physical disk, essentially. So we have our two mount points inside. We can see all of the files inside the logical volume. Now we can throw any tool at this; if we're using forensics tools, we can throw any tool at this. So I can even use built-in forensic commands. So for example, I could find, let's do bash history, something like that. Okay. Oh, we found bash completion. So I can even use my built-in Linux commands to, you know, do keyword searching, grep over the entire file system. We don't have permission, but if I would have used sudo, or if I would have chrooted into this directory, I would have had access to all that. So now I can just basically use any tool that I would normally use to process this. And if I want to use something like Autopsy, now in my Autopsy case, instead of just adding the forensic disk image directly, I can add a local logical volume, or I think the option was called files.
So add files from a directory. So now the directory that I'm interested in to process would be /mnt/c, add all of those files to Autopsy. And then it will process everything just like a normal disk image. Okay. So this is how you can get access to a logical volume on site inside a forensic disk image. Logical volume, or LVM, is normally set up. Like, in all of the Linux systems that I've used in the last several years, LVM was the default, and not only LVM, but also LVM with encryption. So it's good to know if you're not getting something out of a Linux system, check and see if that partition has logical volume management. And then if it does, then you usually have to do an extra step. Now some of the forensic tools, especially the commercial ones, will support LVM, but for example, Autopsy didn't support it by default. So you just have to mount LVM first and then add it to Autopsy second. I hope this helps. If you ever find LVM, have a great day.
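The mount sequence walked through in the video, written up as a shell script with the two things a practitioner wants around it: the /dev/mapper check for name clashes the speaker warns about, and a teardown that releases the mappings afterwards. This is an added example, not a script from the video or from Tsurugi Linux. It assumes the names used in the video (disk001.E01, /mnt/ewf1, /mnt/c, volume group vgmint with logical volume root), that it runs as root, and that ewfmount, mmls, kpartx and the lvm2 tools are installed. The vgchange activation step is not shown in the video (there, udev activated the volumes after kpartx); it is included as an assumption for systems where that does not happen.

```shell
#!/bin/sh
# Added example (not from the video): mount the root LV of an LVM partition
# inside an E01 image, read-only, and undo the mappings afterwards.
# Assumed names, all overridable from the environment.
IMAGE="${IMAGE:-disk001.E01}"   # assumed image name, as spoken in the video
EWF_MNT="${EWF_MNT:-/mnt/ewf1}" # ewfmount mount point; exposes $EWF_MNT/ewf1
ROOT_MNT="${ROOT_MNT:-/mnt/c}"  # where the suspect root LV gets mounted
VG="${VG:-vgmint}"              # volume group seen in lvscan
LV="${LV:-root}"                # logical volume we want

# Return 0 when the mapper directory holds nothing but "control", i.e. the
# workstation has no LVM of its own whose VG/LV names could clash with the
# suspect's. Takes the directory as an argument so it can be checked anywhere.
mapper_is_clean() {
    dir="${1:-/dev/mapper}"
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue          # empty directory: glob stays literal
        case "$(basename "$entry")" in
            control) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Extract the device paths from lvscan output read on stdin. lvscan prints
# lines of the form:  ACTIVE            '/dev/vgmint/root' [18.50 GiB] inherit
lv_paths_from_lvscan() {
    sed -n "s/^ *[A-Za-z]* *'\([^']*\)'.*/\1/p"
}

mount_suspect_lvm() {
    mapper_is_clean /dev/mapper ||
        echo "warning: /dev/mapper is not empty; suspect VG names may collide" >&2
    mkdir -p "$EWF_MNT" "$ROOT_MNT"
    ewfmount "$IMAGE" "$EWF_MNT"          # read-only raw view of the E01 as $EWF_MNT/ewf1
    mmls "$EWF_MNT/ewf1"                  # confirm we see the suspect's partition table
    kpartx -a -v "$EWF_MNT/ewf1"          # map each partition as a loop device
    vgchange -a y "$VG"                   # assumption: activate LVs if udev did not
    lvscan | lv_paths_from_lvscan         # list what is now available
    mount -o ro "/dev/$VG/$LV" "$ROOT_MNT" # explicit read-only, on top of ewfmount's
    ls "$ROOT_MNT"                        # expect bin, boot, etc, home, var ...
}

# Release everything in reverse order so the workstation is left as it was.
teardown_suspect_lvm() {
    umount "$ROOT_MNT"
    vgchange -a n "$VG"
    kpartx -d "$EWF_MNT/ewf1"
    fusermount -u "$EWF_MNT"
}

# Usage (as root, with the tools above installed):
#   LVM_IMAGE_RUN=1 IMAGE=disk001.E01 ./mount_lvm_image.sh
#   LVM_IMAGE_RUN=1 ./mount_lvm_image.sh teardown
if [ "${LVM_IMAGE_RUN:-0}" = 1 ]; then
    if [ "${1:-}" = teardown ]; then teardown_suspect_lvm; else mount_suspect_lvm; fi
fi
```

The functions are guarded behind LVM_IMAGE_RUN so the file can be sourced on a workstation without touching any device; mapper_is_clean and lv_paths_from_lvscan can then be exercised on their own before the real run.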