In an effort to figure out what to do with this HDD sitting on my desk, I hassled just about everyone at work whose technical skills and knowledge I trust about how to take the next step in this. While I had a few ideas in mind, I needed some sounding boards to flesh them out. Despite working for a very high-end network security company, there was little 'extra' info that was presented to me.

To be purely honest, I was rather disappointed with the suggestions that were offered. I kind of expected a little more, or maybe that's just the level I'm working at... But the one thing of most value in these interactions was that a coworker lent me an IDE to USB adapter. Awesome!

But how to mount and use?...

The physical connections were pretty obvious. There are only 2 connectors, and they are so dissimilar that it is physically impossible to mess up. Plugged it in, plugged in the power and USB, and voila, I see a popup on my desktop about a new connection. It even auto-mounted the boot partition. Well, this'll be easy, I thought to myself.

In error, of course.

If it were simple, then things would be simple I suppose, and we just can't have that now can we...?

Every iteration I ran of the mount command either gave me errors about a bad file system type, which I could understand and work with, or another error that just confused me: bad superblock.

Well, I know the HDD boots. It boots a little too well maybe... Read this post for more info on that.

So that means it was the command. I tried everything I could think of, and nothing would work. I searched and searched and searched, and as far as I could tell, my attempts should work. Or at least one of them anyway... Then I remembered something about LVM and logical volume mounting or something like that. So I searched for that instead.

A quick Google search confirmed these suspicions. It wasn't so much that my mount commands were wrong, but more the method and use of mount in the first place. Logical Volume Management is a different method altogether: the partitions on the disk are physical volumes that belong to a volume group, and the logical volumes inside that group are what actually hold a filesystem.

So I ran vgscan to see what I would get:

# vgscan
  Reading all physical volumes.  This may take a while...
  Found volume group "OldServer" using metadata type lvm2
  Found volume group "NewServer" using metadata type lvm2

Awesome! The volume groups are being detected! Now to "mount" the LVM, which really means activating the volume groups so their logical volumes get device nodes:

# vgchange -a y
  2 logical volume(s) in volume group "OldServer" now active
  2 logical volume(s) in volume group "NewServer" now active

No errors, that's a good sign. But now where to find/access that data?

# mount

This didn't show any new mount points, so there's still something else that needs doing.

# lvdisplay

Ok, now we're seeing something... The part of value was this:

LV Path                /dev/OldServer/root
LV Name                root
VG Name                OldServer
LV Size                185.20 GiB

Ok, the LV Path was something I can use. So I ran the following command:

# ls -al /dev/OldServer/
total 0
drwxr-xr-x  2 root root   80 Jan 12 10:54 .
drwxr-xr-x 17 root root 3620 Jan 12 10:54 ..
lrwxrwxrwx  1 root root    7 Jan 12 10:54 root -> ../dm-2
lrwxrwxrwx  1 root root    7 Jan 12 10:54 swap_1 -> ../dm-3

The LV Path is just a symlink to yet another location!? While unexpected, I can't say I am overly surprised as this is a bit of foreign territory for me anyway. So let's check out what these dm-2 and dm-3 files are:

# ls -al /dev/dm-*
brw-rw---T 1 root disk 254, 0 Jan 12 09:15 /dev/dm-0
brw-rw---T 1 root disk 254, 1 Jan 12 09:15 /dev/dm-1
brw-rw---T 1 root disk 254, 2 Jan 12 10:54 /dev/dm-2
brw-rw---T 1 root disk 254, 3 Jan 12 10:54 /dev/dm-3

Block devices (the device-mapper nodes that LVM created when the volume group was activated)... Ok. Those can be mounted. Right?

# mkdir /forensics

# mount /dev/dm-2 /forensics/

No errors!? Wow, I think I may have gotten it.

# ls /forensics/

I can now see my root filesystem! Woo yeah! Now time to start gathering files for further analysis...
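The steps above (vgscan, vgchange -a y, find the LV paths, mkdir, mount) are exactly what a small script can do in one go. The script below is an added example, not something from the original post; it assumes the Debian-style lvm2 tools (vgscan, vgchange, lvs) and blkid are installed, uses /forensics as the mount base, and the function names and the RUN_LVM_FORENSICS switch are my own. The one thing it does differently from the post is mount every logical volume read-only with the journal replay disabled, because a plain read-write mount of an evidence drive replays the journal and updates access times, which changes the very data you are about to collect. The text-processing helpers can be tried on the constructed lvs output at the bottom without any real devices attached.

```shell
#!/bin/sh
# Added example (not from the original post): activate the LVM volume groups found on
# an attached evidence drive and mount each logical volume read-only under /forensics.
# Assumptions: lvm2 tools and blkid are present; /forensics is the mount base.

# Turn `lvs --noheadings -o vg_name,lv_name` output into /dev/<vg>/<lv> paths.
# Swap volumes are skipped: they carry no filesystem to mount.
lv_paths_from_lvs() {
    awk 'NF == 2 && $2 !~ /^swap/ { printf "/dev/%s/%s\n", $1, $2 }'
}

# Mount options for evidence: ro stops writes; noexec/nodev/nosuid keep anything on
# the drive from executing or acting as a device node; noload (ext3/ext4) and
# norecovery (xfs) stop the kernel from replaying the journal onto the disk.
ro_mount_opts() {
    fstype="$1"
    opts="ro,noexec,nodev,nosuid"
    case "$fstype" in
        ext3|ext4) opts="$opts,noload" ;;
        xfs)       opts="$opts,norecovery" ;;
    esac
    echo "$opts"
}

# /dev/OldServer/root -> /forensics/OldServer/root, so volumes from two groups with
# the same LV name (both called "root" in the post) do not collide.
mount_point_for() {
    lv="$1"
    base="${2:-/forensics}"
    echo "$base/$(echo "$lv" | cut -d/ -f3-)"
}

# Detect the filesystem type with blkid and mount the LV read-only.
mount_lv_readonly() {
    lv="$1"
    base="${2:-/forensics}"
    fstype=$(blkid -o value -s TYPE "$lv")
    target=$(mount_point_for "$lv" "$base")
    mkdir -p "$target"
    mount -t "$fstype" -o "$(ro_mount_opts "$fstype")" "$lv" "$target"
}

# The whole procedure from the post, run end to end.
main() {
    vgscan
    vgchange -a y
    lvs --noheadings -o vg_name,lv_name | lv_paths_from_lvs | while read -r lv; do
        mount_lv_readonly "$lv" /forensics
    done
    mount | grep ' /forensics' || true
}

# Constructed sample of `lvs --noheadings -o vg_name,lv_name` output, matching the
# two volume groups the post found; used to exercise the helpers without devices.
SAMPLE_LVS='  OldServer root
  OldServer swap_1
  NewServer root
  NewServer swap_1'

# Only touch real devices when explicitly asked: RUN_LVM_FORENSICS=1 sh lvmount.sh
if [ "${RUN_LVM_FORENSICS:-0}" = "1" ]; then
    main
else
    printf '%s\n' "$SAMPLE_LVS" | lv_paths_from_lvs
fi
```

Run as root with RUN_LVM_FORENSICS=1 to do the real activation and mounts; without it the script only prints the LV paths it would mount from the sample output. After the mounts are up, `mount | grep forensics` should show each volume with `ro` in its options; if you later need to deactivate the groups before unplugging the adapter, `umount` the mount points and run `vgchange -a n`.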

# Mckinley 2021-09-12 09:13
Aw, this was an extremely good post. Spending some time and actual effort to make a great article… but what can I say… I procrastinate a whole lot and don't seem to get nearly anything done.