
Linux supports Logical Volume Management, which assists in managing partition features such as resizing and encryption. However, many forensic tools cannot directly access data on an LVM partition.

Your forensic workstation must first read the volume group information and then activate the logical volume. Once the logical volume is visible, it can be mounted as normal. Today we look at mounting a logical volume from a Linux forensic disk image.

We use Tsurugi Linux to work with the LVM and mount the logical volumes, though most versions of Linux should work just fine. If your forensic workstation has logical volumes of its own and its volume group name is the same as the one on the suspect disk, you could have some conflicts.
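
The sequence described above (attach the image, read the volume group information, check for a volume group name conflict, then activate and mount), as an added example that is not from the original post. The image path, volume group, logical volume and mount point arguments are placeholders, and `duplicate_vg_names` and `mount_lvm_image` are hypothetical helper names.

```shell
# Added example (not from the original post). Run as root on the forensic
# workstation. Image path, VG/LV names and mount point are placeholders.

# Reads `vgs --noheadings -o vg_name,vg_uuid` output on stdin and prints
# every VG name that is carried by more than one UUID (a name conflict).
duplicate_vg_names() {
    awk 'NF >= 2 && !seen[$1 SUBSEP $2]++ { count[$1]++ }
         END { for (n in count) if (count[n] > 1) print n }' | sort
}

# usage: mount_lvm_image IMAGE VG LV MOUNTPOINT
# Runs in a subshell "( )" so its variables do not leak into the caller.
mount_lvm_image() (
    image=$1; vg=$2; lv=$3; mnt=$4

    # Read-only loop device; --partscan exposes partitions as loopNpM.
    loopdev=$(losetup --find --show --read-only --partscan "$image") || exit 1
    echo "image attached as $loopdev" >&2

    # Let LVM read the volume group metadata from the new device.
    vgscan >/dev/null || exit 1

    # Stop before activation if the image's VG name collides with a local one.
    dups=$(vgs --noheadings -o vg_name,vg_uuid | duplicate_vg_names)
    if [ -n "$dups" ]; then
        echo "conflicting VG name(s): $dups" >&2
        losetup --detach "$loopdev"
        exit 2
    fi

    vgchange -ay "$vg" || exit 1          # creates /dev/$vg/$lv
    mkdir -p "$mnt"
    # noload skips ext3/ext4 journal replay; XFS uses norecovery instead.
    mount -o ro,noload "/dev/$vg/$lv" "$mnt"
)

# Teardown: umount MOUNTPOINT; vgchange -an VG; losetup --detach LOOPDEV
```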