With Oxygen Forensic® Detective v.15.4 and up, users can analyze physical images and external drives that use Logical Volume Manager technology.
Table of Contents
What is Logical Volume Manager?
Logical Volume Manager (LVM) is a device mapper framework that provides logical volume management for the Linux kernel. It can be used to:
- Create single logical volumes of multiple physical volumes or entire hard disks, allowing for dynamic volume resizing.
- Manage large hard disk farms by allowing disks to be added and replaced without downtime or service disruption, in combination with hot swapping.
- On small systems, like desktops, instead of having to estimate at installation time how big a partition might need to be, LVM allows filesystems to be easily resized as needed.
- Perform consistent backups by taking snapshots of the logical volumes.
- Encrypt multiple physical partitions with one password.
Logical Volume Manager is essentially a thin software layer on top of the hard disks and partitions, which creates an abstraction of continuity and ease of use for managing hard drive replacement, re-partitioning, and backup.
Forensic Challenges of Logical Volume Manager
Disk partitions or entire disks can be added to various Logical Volume Manager Physical Volumes. The Physical Volumes can then form Logical Volume Manager Volume Groups. There could be several Physical Volumes within a group, consisting of different disks and disk partitions. Each Volume Group can then be split into an arbitrary number of Logical Volumes. Logical Volumes are used in the same way as regular partitions: they can be formatted in some file system and used for writing and reading files.
There is no clear link between a logical volume and a physical volume. If a group of volumes includes several physical volumes, the logical volumes are placed randomly on these physical volumes. This means that if an investigator needs to examine a particular volume with a particular file system, they have to connect several physical disks or bitmaps of those disks simultaneously, which is not very convenient.
Logical Volume Manager support in Oxygen Forensic® Detective
Starting with Oxygen Forensic® Detective v.15.4, we have enabled analysis of physical images and external disks that use Logical Volume Manager technology.
If such logical volumes are detected, the user receives a notification, prompting to add additional data sources from the “Sources” tab.
As soon as all additional disk images are added, Oxygen Forensic® KeyScout forms a single logical space from these multiple images and allows the investigator to explore it just like a regular disk partition.
Learn more about KeyScout updates.
Get more from Oxygen Forensic® Detective
At Oxygen Forensics, we continuously update our software to ensure we stay at the forefront of digital forensic technology. We offer training courses and webinars that can help you learn the ins and outs of Oxygen Forensic® Detective and stay up to date on the latest features and tools needed for your investigation. Returning customer? Sign up for our newsletter to stay in the loop.