log2timeline / plaso

Super timeline all the things
https://plaso.readthedocs.io
Apache License 2.0

Unable to process Linux LVM image #4044

Open nkl0x55 opened 2 years ago

nkl0x55 commented 2 years ago

Description of problem: Unable to process Linux LVM image using latest plaso (Docker)

Please describe the problem in as much detail as possible. What does the tool not do that it should? What would you like it to do? Was expecting plaso to be able to process the image.

Command line and arguments: log2timeline.py --parsers linux /L2T/test.raw

Source data: Private data

Plaso version: 20211229

Operating system Plaso is running on: Windows 10

Installation method: Docker

Debug output/tracebacks: pyvslvm_volume_group_get_logical_volume_by_index: unable to retrieve logical volume: 0. libvslvm_volume_group_get_physical_volume_by_name: invalid physical volume value already set. libvslvm_logical_volume_initialize: unable to retrieve physical volume by name. libvslvm_volume_group_get_logical_volume: unable to create logical volume.

Please run the tool with "-d" to generate debug output, and include anything relevant. Also see: [Producing debug logs](https://plaso.readthedocs.io/en/latest/sources/Troubleshooting.html#producing-debug-logs)

For more information see the [troubleshooting guide](https://plaso.readthedocs.io/en/latest/sources/Troubleshooting.html)

joachimmetz commented 2 years ago

@nkl0x55 LVM support is limited (see: https://dfvfs.readthedocs.io/en/latest/sources/Supported-formats.html#volume-systems), can you provide more information about the layout of the LVM?

nkl0x55 commented 2 years ago

Below is the config of the disk image, not sure if this helps.

VolGroup {
    id = "Ums3r6-zTOw-VXGm-JESa-J9sR-02OM-YsZYWi"
    seqno = 12
    format = "lvm2"
    status = ["RESIZEABLE", "READ", "WRITE"]
    flags = []
    extent_size = 8192
    max_lv = 0
    max_pv = 0
    metadata_copies = 0

    physical_volumes {

        pv0 {
            id = "vmNr4q-g6UC-pyV2-p3G2-6EWr-IhTe-02g8ay"
            device = "/dev/sda2"

            status = ["ALLOCATABLE"]
            flags = []
            dev_size = 66075409
            pe_start = 2048
            pe_count = 8065
        }
    }

    logical_volumes {

        lv_var {
            id = "WcHx8U-b16U-tttv-3GBo-Oqvg-uDJ5-8cpyuN"
            status = ["READ", "WRITE", "VISIBLE"]
            flags = []
            creation_host = "localhost.localdomain"
            creation_time = 1403054409
            segment_count = 2

            segment1 {
                start_extent = 0
                extent_count = 512

                type = "striped"
                stripe_count = 1

                stripes = [
                    "pv0", 0
                ]
            }
            segment2 {
                start_extent = 512
                extent_count = 1280

                type = "striped"
                stripe_count = 1

                stripes = [
                    "pv0", 4994
                ]
            }
        }

        lv_root {
            id = "Swg1G6-Cueb-uMmg-2Zc3-Epxn-6hFV-2uRghd"
            status = ["READ", "WRITE", "VISIBLE"]
            flags = []
            creation_host = "localhost.localdomain"
            creation_time = 1403054411
            segment_count = 2

            segment1 {
                start_extent = 0
                extent_count = 1035

                type = "striped"
                stripe_count = 1

                stripes = [
                    "pv0", 512
                ]
            }
            segment2 {
                start_extent = 1035
                extent_count = 2560

                type = "striped"
                stripe_count = 1

                stripes = [
                    "pv0", 2434
                ]
            }
        }

        lv_home {
            id = "yc6gsz-uOrd-uRLw-2ITU-JFKw-9XgT-qU9V0U"
            status = ["READ", "WRITE", "VISIBLE"]
            flags = []
            creation_host = "localhost.localdomain"
            creation_time = 1403054413
            segment_count = 2

            segment1 {
                start_extent = 0
                extent_count = 125

                type = "striped"
                stripe_count = 1

                stripes = [
                    "pv0", 1547
                ]
            }
            segment2 {
                start_extent = 125
                extent_count = 1280

                type = "striped"
                stripe_count = 1

                stripes = [
                    "pv0", 6274
                ]
            }
        }

        lv_swap {
            id = "07XLHa-D2RO-KZ5Q-0d5Y-y9El-bGSy-zvHLFy"
            status = ["READ", "WRITE", "VISIBLE"]
            flags = []
            creation_host = "localhost.localdomain"
            creation_time = 1403054414
            segment_count = 1

            segment1 {
                start_extent = 0
                extent_count = 256

                type = "striped"
                stripe_count = 1

                stripes = [
                    "pv0", 1672
                ]
            }
        }

        lv_tmp {
            id = "GvI4nJ-EAzi-kzyt-922r-cwSd-JZh7-WMELEH"
            status = ["READ", "WRITE", "VISIBLE"]
            flags = []
            creation_host = "localhost.localdomain"
            creation_time = 1403054415
            segment_count = 1

            segment1 {
                start_extent = 0
                extent_count = 125

                type = "striped"
                stripe_count = 1

                stripes = [
                    "pv0", 1928
                ]
            }
        }

        lv_audit {
            id = "dsAXdQ-2PVc-Zsbc-pf0q-U3cM-PALf-oyc99Y"
            status = ["READ", "WRITE", "VISIBLE"]
            flags = []
            creation_host = "localhost.localdomain"
            creation_time = 1403054415
            segment_count = 1

            segment1 {
                start_extent = 0
                extent_count = 125

                type = "striped"
                stripe_count = 1

                stripes = [
                    "pv0", 2053
                ]
            }
        }

        lv_log {
            id = "yWVHK7-qm6H-1eKh-Oag5-2z3U-GwhQ-zdpEmv"
            status = ["READ", "WRITE", "VISIBLE"]
            flags = []
            creation_host = "localhost.localdomain"
            creation_time = 1403054416
            segment_count = 1

            segment1 {
                start_extent = 0
                extent_count = 256

                type = "striped"
                stripe_count = 1

                stripes = [
                    "pv0", 2178
                ]
            }
        }
    }
}

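The metadata above describes every logical volume as one or more linear segments on pv0, so the byte position of each segment on /dev/sda2 follows from extent_size, pe_start and the stripes entries even when a tool cannot assemble the volume group itself. Added example, not plaso or dfVFS code: a small parser for this LVM2 text format plus the offset arithmetic; the SAMPLE metadata is constructed from the dump above (reduced to lv_root), and the offsets assume the 512-byte sector units LVM2 metadata uses.

```python
import re
SECTOR = 512  # pe_start and extent_size in LVM2 metadata are counted in 512-byte sectors
# Constructed sample, reduced from the dump above; LVM2 syntax is whitespace-insensitive.
SAMPLE = """
VolGroup {
extent_size = 8192
physical_volumes { pv0 { pe_start = 2048 pe_count = 8065 } }
logical_volumes { lv_root { segment_count = 2
segment1 { start_extent = 0 extent_count = 1035 stripe_count = 1 stripes = [ "pv0", 512 ] }
segment2 { start_extent = 1035 extent_count = 2560 stripe_count = 1 stripes = [ "pv0", 2434 ] }
} } }
"""
_scalar = lambda t: t[1:-1] if t.startswith('"') else int(t)  # quoted string or integer

def _section(tokens, i):
    # Parse 'key = value' and 'name { ... }' items until the closing brace.
    out = {}
    while i < len(tokens) and tokens[i] != "}":
        name, sep = tokens[i], tokens[i + 1]
        if sep == "{":                                  # nested section
            out[name], i = _section(tokens, i + 2)
            i += 1                                      # step over its closing '}'
        elif sep == "=" and tokens[i + 2] == "[":       # list value, e.g. stripes/status
            j = tokens.index("]", i + 3)
            out[name], i = [_scalar(t) for t in tokens[i + 3:j] if t != ","], j + 1
        elif sep == "=":                                # scalar value
            out[name], i = _scalar(tokens[i + 2]), i + 3
        else:
            raise ValueError(f"unexpected token {sep!r} after {name!r}")
    return out, i

def parse_lvm2(text):
    # Tokenise LVM2 text metadata (comments stripped) into nested dicts.
    tokens = re.findall(r'"[^"]*"|[{}\[\]=,]|[^\s"{}\[\]=,]+', re.sub(r"#[^\n]*", "", text))
    return _section(tokens, 0)[0]

def lv_layout(vg):
    """Map each LV of a parsed volume group to [(pv, byte offset on that PV, byte length), ...]."""
    extent_bytes = vg["extent_size"] * SECTOR
    layout = {}
    for lv_name, lv in vg["logical_volumes"].items():
        rows = []
        for n in range(1, lv["segment_count"] + 1):     # segments are numbered from 1
            seg = lv[f"segment{n}"]
            assert seg["stripe_count"] == 1, f"{lv_name}: striped segments not handled"
            pv_name, pe = seg["stripes"]                # [pv name, first PE on that PV]
            offset = vg["physical_volumes"][pv_name]["pe_start"] * SECTOR + pe * extent_bytes
            rows.append((pv_name, offset, seg["extent_count"] * extent_bytes))
        layout[lv_name] = rows
    return layout
```

`lv_layout(parse_lvm2(SAMPLE)["VolGroup"])` places lv_root's first segment 2148532224 bytes into the PV and its second segment at 10209984512 bytes, the two linear pieces a tool has to stitch together to read that volume.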
joachimmetz commented 2 years ago

I'll have a closer look when time permits; the quickest way to get this solved is if the image can be shared or if it can be generated with https://github.com/dfirlabs/lvm-specimens