Working with Raw LVM Disk Images

by

Mounting disk images on Linux is fairly straight forward, however an image with a Logical Volume Manager (LVM) partition requires a little more attention. The first thing I do is find out some information about the image(s):

root@box:# fdisk -l -o Device,Type,Size disk.img

Device             Type    Size
disk.img1 Linux            1G
disk.img2 Linux    LVM     952.9G

-l lists the partition table and -o outputs the columns specified. This particular image has two partitions one of which is an LVM parition. In order to access this space we need to mount the image. I chose to use udiskctl, but you are free to use your own method:

root@box:# udisksctl loop-setup -f disk.img
Mapped file disk.img as /dev/loop0.

We saw earlier that there is an LVM partition so we check for the volume group (VG) name:

mech@box(tmp):$ sudo vgs
  VG    #PV #LV #SN Attr   VSize   VFree
  rhel    1   6   0 wz--n- 952.87g 4.00m
  slack   2   6   0 wz--n-   1.36t    0

rhel is the volume group name for the disk image that was just mounted and slack is the name for my existing SSD. Now we need to activate the volume group:

mech@box(tmp):$ sudo vgchange -ay rhel
  6 logical volume(s) in volume group "rhel" now active

Activating the VGs exposes the logical volumes (LV), which is where our ext3, xfs, or btrfs file system will reside. For this instance I only care about the root (/) and home (/home) directories. To mount them we do the following:

mech@box(tmp):$ sudo udisksctl mount -b /dev/mapper/rhel-home 
Mounted /dev/dm-13 at /run/media/root/0d36e505-f9b6-44e8-89e1-677a919fa983.

mech@box(tmp):$ sudo udisksctl mount -b /dev/mapper/rhel-root
Mounted /dev/dm-12 at /run/media/root/5c7a263e-ac51-496d-8454-d34cddf99161.

A quick look at what was mounted:

mech@box(Downloads):$ df -h
Filesystem                 Size  Used Avail Use% Mounted on
/dev/mapper/rhel-root      100G   23G   78G  23% /run/media/mech/5c7a263e-ac51-496d-8454-d34cddf99161
/dev/mapper/rhel-home      400G  2.3G  398G   1% /run/media/mech/0d36e505-f9b6-44e8-89e1-677a919fa983

To unmount you can use udiskctl or dmsetup:

mech@box(Downloads):$ udisksctl unmount -b /dev/mapper/rhel-home
Unmounted /dev/dm-13.

mech@box(Downloads):$ udisksctl unmount -b /dev/mapper/rhel-root
Unmounted /dev/dm-12.

Using dmsetup we get:

dmsetup remove /dev/mapper/rhel-*

This has come in handy for various capture the flag (CTF) and Digtal Forensics and Incident Response (DFIR) challenges I have played.

Thanks for reading.

Start a discussion or ask a question.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d