Working with Raw LVM Disk Images

Mounting disk images on Linux is fairly straightforward; an image with a Logical Volume Manager (LVM) partition, however, requires a little more attention. The first thing I do is find out some information about the image(s):

-l lists the partition table and -o outputs the columns specified. This particular image has two partitions, one of which is an LVM partition. In order to access this space we need to mount the image. I chose to use udisksctl, but you are free to use your own method:

We saw earlier that there is an LVM partition so we check for the volume group (VG) name:

rhel is the volume group name for the disk image that was just mounted and slack is the name for my existing SSD. Now we need to activate the volume group:

Activating the VG exposes the logical volumes (LVs), which is where the ext3, xfs, or btrfs file systems reside. In this case I only care about the root (/) and home (/home) directories. To mount them we do the following:

A quick look at what was mounted:

To unmount you can use udisksctl or dmsetup:

Using dmsetup we get:
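The whole procedure above, collected into one script as an added example (not the commands from the original post). It assumes udisksctl, lvm2, blkid and mount are available and that it runs as root; the image path, VG name and mount root are arguments. It mounts every LV of the VG read-only with journal replay disabled, which matters when the image is evidence, and refuses to activate a VG whose name collides with one already on the host.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes udisksctl, lvm2,
# blkid and mount are installed and that the script runs as root.
set -eu

# device-mapper node name for VG/LV: hyphens in either name are doubled,
# so VG "my-vg" LV "lv-home" becomes /dev/mapper/my--vg-lv--home.
dm_name() {
    printf '%s-%s\n' "$(printf '%s' "$1" | sed 's/-/--/g')" \
                     "$(printf '%s' "$2" | sed 's/-/--/g')"
}

# Read-only options that also stop the kernel from replaying the journal
# (a write to the image) or refusing an XFS whose UUID is already mounted.
mount_ro_opts() {
    case "$1" in
        ext2|ext3|ext4) echo "ro,noload" ;;
        xfs)            echo "ro,norecovery,nouuid" ;;
        *)              echo "ro" ;;
    esac
}

mount_lvm_image() {   # usage: mount_lvm_image IMAGE VG MOUNTROOT
    image=$1; vg=$2; root=$3
    # A host VG with the same name would be activated/mixed up instead.
    if vgs --noheadings -o vg_name | grep -qx "[[:space:]]*$vg"; then
        echo "VG '$vg' already exists on this host; rename it first" >&2; return 1
    fi
    loop=$(udisksctl loop-setup -r -f "$image" \
           | sed -n 's/.* as \(\/dev\/loop[0-9]*\)\.$/\1/p')
    [ -n "$loop" ] || { echo "loop-setup failed" >&2; return 1; }
    vgchange -ay "$vg"
    for lv in $(lvs --noheadings -o lv_name "$vg"); do
        dev=/dev/mapper/$(dm_name "$vg" "$lv")
        fstype=$(blkid -o value -s TYPE "$dev" || true)
        case "$fstype" in swap|"") continue ;; esac   # nothing to mount
        mkdir -p "$root/$lv"
        mount -t "$fstype" -o "$(mount_ro_opts "$fstype")" "$dev" "$root/$lv"
    done
    echo "$loop"   # keep this for teardown
}

umount_lvm_image() {  # usage: umount_lvm_image VG MOUNTROOT LOOPDEV
    vg=$1; root=$2; loop=$3
    for lv in $(lvs --noheadings -o lv_name "$vg"); do
        mountpoint -q "$root/$lv" && umount "$root/$lv"
    done
    vgchange -an "$vg"            # or: dmsetup remove $(dm_name VG LV) per LV
    udisksctl loop-delete -b "$loop"
}

case "${1:-}" in
    mount)  mount_lvm_image "$2" "$3" "$4" ;;
    umount) umount_lvm_image "$2" "$3" "$4" ;;
esac
```

Run as `./lvm-image.sh mount disk.img rhel /mnt/evidence`, note the loop device it prints, and later `./lvm-image.sh umount rhel /mnt/evidence /dev/loop0`.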

This has come in handy for various capture the flag (CTF) and Digital Forensics and Incident Response (DFIR) challenges I have played.

Thanks for reading.



Categories: System Administration
