Logical Volume Manager Support.

Mai 10, 2023

Starting with Oxygen Forensic® Detective version v.15.4, we have enabled analysis of physical images and external disks that use Logical Volume Manager technology.

LVM support in KeyScout featured image

With Oxygen Forensic® Detective v.15.4 and up, users can analyze physical images and external drives that use Logical Volume Manager technology.

Table of Contents

What is Logical Volume Manager?

Logical Volume Manager (LVM) is a device mapper framework that provides logical volume management for the Linux kernel. It can be used to:

  • Create single logical volumes of multiple physical volumes or entire hard disks, allowing for dynamic volume resizing.
  • Manage large hard disk farms by allowing disks to be added and replaced without downtime or service disruption, in combination with hot swapping.
  • On small systems, like desktops, instead of having to estimate at installation time how big a partition might need to be, LVM allows filesystems to be easily resized as needed.
  • Perform consistent backups by taking snapshots of the logical volumes.
  • Encrypt multiple physical partitions with one password.

Logical Volume Manager is essentially a thin software layer on top of the hard disks and partitions, which creates an abstraction of continuity and ease of use for managing hard drive replacement, re-partitioning, and backup.

Forensic Challenges of Logical Volume Manager

Disk partitions or entire disks can be added to various Logical Volume Manager Physical Volumes. The Physical Volumes can then form Logical Volume Manager Volume Groups. There could be several Physical Volumes within a group, consisting of different disks and disk partitions. Each Volume Group can then be split into an arbitrary number of Logical Volumes. Logical Volumes are used in the same way as regular partitions: they can be formatted in some file system and used for writing and reading files.

There is no clear link between a logical volume and a physical volume. If a group of volumes includes several physical volumes, the logical volumes are placed randomly on these physical volumes. This means that if an investigator needs to examine a particular volume with a particular file system, they have to connect several physical disks or bitmaps of those disks simultaneously, which is not very convenient.

Logical Volume Manager support in Oxygen Forensic® Detective

Starting with Oxygen Forensic® Detective v.15.4, we have enabled analysis of physical images and external disks that use Logical Volume Manager technology.

If such logical volumes are detected, the user receives a notification, prompting to add additional data sources from the “Sources” tab.

 

Screenshot of viewing Image search settings in Oxygen Forensic® KeyScout on a Linux based PC

As soon as all additional disk images are added, Oxygen Forensic® KeyScout forms a single logical space from these multiple images and allows the investigator to explore it just like a regular disk partition.

Learn more about KeyScout updates.

Screenshot of logical volume sources found after a image search in Oxygen Forensic® KeyScout

Get more from Oxygen Forensic® Detective

At Oxygen Forensics, we continuously update our software to ensure we stay at the forefront of digital forensic technology. We offer training courses and webinars that can help you learn the ins and outs of Oxygen Forensic® Detective and stay up to date on the latest features and tools needed for your investigation. Returning customer? Sign up for our newsletter to stay in the loop.

Want to try out KeyScout?

Get a 15-day free trial.

Request Trial