sepinf-inc / IPED

IPED Digital Forensic Tool. It is an open source software that can be used to process and analyze digital evidence, often seized at crime scenes by law enforcement or in a corporate investigation by private examiners.

lvm/lvm2 volumes #587

Open MariasStory opened 3 years ago

MariasStory commented 3 years ago

Hi, congratulations on the progress with the cool tool. I just love it. Can you please improve the lvm/lvm2 volumes parsing? FTK Imager is able to read it, but IPED does not recognize the separate volumes.

lfcnassif commented 3 years ago

Hi. Unfortunately this needs to be implemented at the sleuthkit level. See: https://github.com/sleuthkit/sleuthkit/issues/1148 https://github.com/sleuthkit/sleuthkit/issues/1191

As a workaround, you can create an AD1 volume per partition (may include unallocated) using FTK Imager, and IPED will process the AD1 directly without sleuthkit.
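Added example to illustrate what is being asked for in this thread (it is not code from IPED, sleuthkit or any commenter): a small triage script that walks an MBR partition table and reports which partitions begin with an LVM2 physical-volume label, i.e. the partitions an examiner would have to export one by one for the AD1 workaround above. It assumes 512-byte sectors and a classic MBR layout, does not verify the label CRC, and builds its sample disk inline.

```python
import struct

SECTOR = 512

def parse_lvm2_label(pv_start: bytes):
    """Return PV UUID/size if an LVM2 label sits in the first 4 sectors, else None."""
    for sector in range(4):
        off = sector * SECTOR
        hdr = pv_start[off:off + 32]
        if len(hdr) < 32 or hdr[:8] != b"LABELONE":
            continue
        # label_header: id[8] sector_xl:u64 crc_xl:u32 offset_xl:u32 type[8]
        sector_xl, _crc, pvh_off, typ = struct.unpack_from("<QII8s", hdr, 8)
        if sector_xl != sector or typ != b"LVM2 001":  # label CRC not verified
            continue
        # pv_header at offset_xl inside the label sector: pv_uuid[32] device_size:u64
        pvh = pv_start[off + pvh_off:off + pvh_off + 40]
        if len(pvh) < 40:
            continue
        return {"label_sector": sector,
                "pv_uuid": pvh[:32].decode("ascii", "replace"),
                "device_size": struct.unpack_from("<Q", pvh, 32)[0]}
    return None

def mbr_partitions(disk: bytes):
    """Yield (index, type, lba_start, sector_count) for used primary MBR entries."""
    if len(disk) < 512 or disk[510:512] != b"\x55\xaa":
        return
    for i in range(4):
        entry = disk[446 + 16 * i:462 + 16 * i]
        if entry[4]:  # partition type byte; 0x8e marks Linux LVM
            yield (i, entry[4]) + struct.unpack_from("<II", entry, 8)

def find_lvm2_pvs(disk: bytes) -> list:
    """Report every MBR partition whose first sectors carry an LVM2 label."""
    hits = []
    for idx, ptype, lba, _count in mbr_partitions(disk):
        label = parse_lvm2_label(disk[lba * SECTOR:(lba + 4) * SECTOR])
        if label:
            hits.append({"partition": idx, "type": ptype, "lba": lba, **label})
    return hits

def constructed_sample() -> bytes:
    """Constructed 16-sector disk: one 0x8e partition at LBA 2, label in its sector 1."""
    disk = bytearray(16 * SECTOR)
    disk[446:462] = bytes(4) + bytes([0x8e]) + bytes(3) + struct.pack("<II", 2, 8)
    disk[510:512] = b"\x55\xaa"
    label = b"LABELONE" + struct.pack("<QII", 1, 0, 32) + b"LVM2 001"  # crc left 0
    disk[3 * SECTOR:3 * SECTOR + 72] = label + b"a" * 32 + struct.pack("<Q", 8 * SECTOR)
    return bytes(disk)
```

On a real image, read the whole file into `disk` (or the first sectors of each partition) and call `find_lvm2_pvs`; a non-empty result lists the partitions that hold LVM2 metadata rather than a filesystem sleuthkit can open.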

MariasStory commented 3 years ago

Hi @lfcnassif, you've done a good job in paying attention to this problem. It seems that relying on sleuthkit is somewhat problematic. The Sleuthkit development is not so agile, and the issues are not being addressed. I suggest automating some kind of workaround, not only for this case, but also for similar issues.

lfcnassif commented 2 years ago

Work in progress in TSK here: https://github.com/sleuthkit/sleuthkit/pull/2751

lfcnassif commented 1 year ago

Depends on #1340

lfcnassif commented 1 year ago

Closed by https://github.com/sepinf-inc/IPED/commit/35e423a2d54aaad5b171b87628073687342de487

lfcnassif commented 1 year ago

Reopening: the Sleuthkit 4.12.0 Windows build is not linking to libvslvm automatically, we'll have to adjust their build...