Open BeanBagKing opened 3 months ago
lfcnassif
commented
3 months ago I think it may be related. Please also see @arisjr and @joachimmetz implemented several fixes and improvements in TSK LVM support and it is waiting review from the TSK team here: https://github.com/sleuthkit/sleuthkit/pull/2820
joachimmetz
commented
3 months ago Unfortunately the whole pool layer and integration with TSK framework is scarcely documented see: https://github.com/sleuthkit/sleuthkit/issues/2748
joachimmetz
commented
3 months ago @bcarrier @simsong for awareness
simsong
commented
3 months ago Thanks. Do you think this is an autopsy issue or a TSK issue? Do you have a small disk image that we can replicate it with?
simsong
commented
3 months ago The current plan is to start cleaning things up in a few weeks, As soon as we get some tooling in place to allow us to verify the correctness of patches.
So what I would really like is some kind of self test that fails right now and that then passes when the patches supplied.
joachimmetz
commented
3 months ago @simsong I think the changes pending in https://github.com/sleuthkit/sleuthkit/issues/2748 will likely address the immediate issue, but the TSK pool layer documentation and implementation could benefit from some love and attention
lfcnassif
commented
3 months ago Do you have a small disk image that we can replicate it with?
AFAIK @arisjr generated a few ones to reproduce the issue and test the fixes he sent to @joachimmetz for review who later created https://github.com/sleuthkit/sleuthkit/pull/2820, not sure if @arisjr still has the test images.
arisjr
commented
3 months ago Hello,
Right now I could find this two small and simple images that could be tested with the PR.
Simple test disk with lvm https://drive.google.com/file/d/1UuG8C0k6PLl3bCAtvY-ome6OVX1mZy38/view?usp=share_link
Ubuntu server default installation https://drive.google.com/file/d/1MvDbIazpsWWclhGPyZb6j-6HsSbgP1lG/view?usp=sharing
Thanks and regards
buzzdeee
commented
2 weeks ago just ran into the same
I noticed that Autopsy seems to have issues with LVM volumes on Linux images. The image file is added, and you'll probably get the boot partition, but nothing else. All other partitions show up as unknown/unallocated and aren't browsable. Notice there's no root, home, etc, var, etc.
This is the same disk viewed in FTK, just to show it isn't a corrupted disk or something. You can see the beginning of dev, etc, and the rest of a Linux file system.
Tip for anyone else having this issue, right click and create disk as is shown in that screenshot, and you can open that disk in Autopsy.
I don't know if this is related to https://github.com/sepinf-inc/IPED/issues/587 which seems to be a downstream issue for Sleuthkit, which may be a downstream issue for Autopsy. Given that I can see references to libvslvm in Autopsy though, I'm hoping the issue may be the same (build is not linking) and it will be an easy fix.