Dancing with the Devil

The differences between Linux and BSD start with everyday tools, such as ifconfig and fdisk. When it comes to the popular and powerful ZFS filesystem [1], the incompatibilities extend to hard disk images. The new FreeBSD 10 in particular can cause Linux admins problems when reconstructing data from ZFS pools.

As a case in point, an expert in a recent court case was tasked with evaluating a disk image: The injured party created a dd image of his server and saved the image to a hard disk connected to a FreeNAS [2] system, which is based on BSD. The idea was for experts to analyze the server image directly from the data disk on a Linux forensics station. Windows was ruled out from the start because it cannot handle the ZFS system.

Missing Info

Surprisingly, the data disk had no partition information in the form of a master boot record (MBR) or a GUID partition table (GPT) [3]. The tricks the expert used to revive RAID systems (Figure  1) did not help: Neither fdisk nor mmls – the forensic counterpart from The Sleuth Kit – were willing to cooperate.

Because the victim had stored the image on a FreeNAS system, the standard file format should have provided UFS information. However, the filesystem information was unavailable. Was this disk using ZFS?

The recently released FreeBSD 10 [4] uses ZFS, which will boost the number of ZFS installations. That means more admins will be confronted with this scenario in the future.

Solution

If you remove a ZFS drive and try to mount it on a Linux system, you are likely to face the same problem as the forensics expert in the example: The installed ZFS FUSE detects a zpool, but mounting it is impossible because the FUSE driver currently uses an obsolete version of ZFS. The solution comes courtesy of the ZFS on Linux project [5].

In contrast to the FUSE driver from the default repository, ZFS on Linux works with kernel drivers that offer comparable performance. You need to add the PPA with:

add-apt-repository ppa: zfs-native/stable

The aptitude update command lists the necessary programs (Listing  1).

Importing the Zpool

The aptitude install ubuntu-zfs command installs all the programs and drivers. DKMS automatically completes the upgrade after fairly frequent Ubuntu kernel upgrades. Now, when you use fdisk and mmls, you see some (fairly) useful information (Figure 1).

Figure 1: Fdisk doesn't understand the GPT partition, whereas mmls at least outputs some information.

What you need is access to the filesystem, which could reside in 06:zfs0; however, to determine the name of the pool, you need a zpool import (Listing 2). The name of the pool is zroot (line 2); you can finally mount it under this name.

01 zpool import
02    pool: zroot
03      id: 8592000589434241473
04   state: ONLINE
05  status: The pool was last accessed by another system.
06  action: The pool can be imported using its name or numeric identifier and
07         the '-f' flag.
08    see: http://zfsonlinux.org/msg/ZFS-8000-EY
09  config:
10
11         zroot                      ONLINE
12           ata-ST380215AS_9QZ68Z7S  ONLINE