Getting Started
Learn the basic principles of exhuming Logical Volume Manager (LVM) partitions from a disk image.
The exhume_lvm tool helps you identify and display information about Logical Volume Manager (LVM) partitions, volume groups, logical volumes, and their segments.
You'll first need to identify the LVM partition using exhume_partitions to retrieve the offsets.
🛠️ Prerequisites
Installing Rust
The Exhume Toolkit is built with Rust and requires it for development or compilation.
- Linux and macOS:
curl --proto '=https' --tlsv1.2 https://sh.rustup.rs -sSf | sh
- Windows:
Visit https://www.rust-lang.org/tools/install to install rustup.
You can also use winget to install rustup using the following command in PowerShell:
winget install --id Rustlang.Rustup
Be sure to restart your terminal (and in some cases your system) for the changes to take effect.
Installing
The following will install exhume_lvm globally.
cargo install exhume_lvm@0.1.0
Contributing
If you want to enhance the tool, clone the exhume_lvm repository and start coding.
git clone https://github.com/forensicxlab/exhume_lvm
cd exhume_lvm
🚀 Basic Usage
Required Flags:
- -b, --body <FILE>: Path to the disk image or body.
- -o, --offset <OFFSET>: LVM partition starts at this offset.
- -s, --size <SIZE>: LVM partition size.
Optional Flags:
- -f, --format <FORMAT>: Format of the image (raw or ewf).
- -l, --log-level <LEVEL>: Logging level (error, warn, info, debug, trace). Default is info.
exhume_lvm -b <path_to_image> -f <format> -o <offset> -s <size> [options]
📘 Example
exhume_lvm -b disk.E01 -f ewf -o 0xF500000 -s 0x3E86800
This will:
- Open disk.E01 as an EWF-format file
- Start reading at offset 0xF500000 for size 0x3E86800
- Show information about the LVM partition and its components
Example output:
+--------------------------------------------+--------------------------------------------+--------------------------------------------+-----------------+
| Physical Volume | Volume Group | Logical Volume | Segment |
+--------------------------------------------+--------------------------------------------+--------------------------------------------+-----------------+
| Name: pv0 | Name: VulnOSv2-vg | Name: root | Key: segment1 |
| ID: SA3YAl-91Rk-W5FA-cQGz-TnXl-J4yN-awbQjd | ID: RJRcoE-WgWP-CS2S-5Gfp-v1ZF-31vJ-TT8SFQ | ID: cEA4A3-qwNJ-U3Sj-oYW9-mK9i-1rwE-bE6f2t | Start: 0 |
| | Extent Size: 4194304 | Size (extents): 7811 | Count: 7811 |
| | | | Type: striped |
| | | | Stripe Count: 1 |
| | | | Stripe Size: - |
+--------------------------------------------+--------------------------------------------+--------------------------------------------+-----------------+
| Name: pv0 | Name: VulnOSv2-vg | Name: swap_1 | Key: segment1 |
| ID: SA3YAl-91Rk-W5FA-cQGz-TnXl-J4yN-awbQjd | ID: RJRcoE-WgWP-CS2S-5Gfp-v1ZF-31vJ-TT8SFQ | ID: Q7X8aN-kcP5-SVUY-PS35-y3dz-pvRO-uAcg1f | Start: 0 |
| | Extent Size: 4194304 | Size (extents): 192 | Count: 192 |
| | | | Type: striped |
| | | | Stripe Count: 1 |
| | | | Stripe Size: - |
+--------------------------------------------+--------------------------------------------+--------------------------------------------+-----------------+
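Before passing an offset to exhume_lvm, it can be useful to confirm that the offset really lands on an LVM2 physical volume. The following is an added example, not code from exhume_lvm: it assumes the standard LVM2 on-disk label layout (a "LABELONE" label header in one of the first four 512-byte sectors, followed by the PV header) and works on raw bytes read at the partition offset, so an EWF image must be decoded first. The function names and the sample buffer are hypothetical and constructed here; only the pv0 ID is reused from the example output above.

```rust
use std::convert::TryInto;

const SECTOR: usize = 512;

/// Returns (label sector, PV UUID, device size in bytes) if an LVM2 label is found.
/// The label CRC is not verified here.
pub fn parse_pv_label(buf: &[u8]) -> Option<(usize, String, u64)> {
    // LVM2 keeps its label in one of the first four sectors of the PV.
    for sector in 0..4 {
        let s = buf.get(sector * SECTOR..(sector + 1) * SECTOR)?;
        // label_header: id[8] | sector u64 | crc u32 | offset u32 | type[8]
        if &s[..8] != b"LABELONE" || &s[24..32] != b"LVM2 001" {
            continue;
        }
        let off = u32::from_le_bytes(s[20..24].try_into().ok()?) as usize;
        // pv_header at `off`: pv_uuid[32] | device_size u64 (bytes)
        let raw = std::str::from_utf8(s.get(off..off + 32)?).ok()?;
        if !raw.is_ascii() { return None; }
        let size = u64::from_le_bytes(s.get(off + 32..off + 40)?.try_into().ok()?);
        // Display form groups the 32 characters as 6-4-4-4-4-4-6.
        let (mut uuid, mut pos) = (String::new(), 0);
        for (i, &len) in [6usize, 4, 4, 4, 4, 4, 6].iter().enumerate() {
            if i > 0 { uuid.push('-'); }
            uuid.push_str(&raw[pos..pos + len]);
            pos += len;
        }
        return Some((sector, uuid, size));
    }
    None
}

/// Constructed sample: first four sectors of a PV, label in sector 1.
pub fn sample_pv() -> Vec<u8> {
    let mut img = vec![0u8; 4 * SECTOR];
    let l = &mut img[SECTOR..2 * SECTOR];
    l[0..8].copy_from_slice(b"LABELONE");
    l[8..16].copy_from_slice(&1u64.to_le_bytes()); // sector number of this label
    l[20..24].copy_from_slice(&32u32.to_le_bytes()); // pv_header follows the 32-byte header
    l[24..32].copy_from_slice(b"LVM2 001");
    l[32..64].copy_from_slice(b"SA3YAl91RkW5FAcQGzTnXlJ4yNawbQjd"); // pv0 ID, dashes removed
    l[64..72].copy_from_slice(&(1u64 << 30).to_le_bytes()); // constructed device size
    img
}

fn main() {
    match parse_pv_label(&sample_pv()) {
        Some((sec, uuid, size)) => println!("LVM2 label in sector {}: PV {}, {} bytes", sec, uuid, size),
        None => println!("no LVM2 label in the first four sectors"),
    }
}
```

If the function returns None for the bytes at your offset, recheck the offset reported by exhume_partitions before running exhume_lvm.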