ZFS on Linux helps if the ZFS FUSE service refuses to work
Dancing with the Devil
Not Under Root
Caution is advised here: Without any further options, the zpool would be mounted in the root directory of the running system. The /var directory it contains would then end up in the active Linux system, on top of the existing /var. This just reeks of problems; it makes much more sense to specify a new root (/) structure.
The following example uses /media/zfs:

zpool import -f -R /media/zfs/ zroot

where -f stands for --force, -R sets a new target root, and zroot is the name of the pool found in Listing 1.
Listing 1: ZFS Packages

p   libzfs-dev              - Native ZFS filesystem development files for Linux
p   libzfs-dev:i386         - Native ZFS filesystem development files for Linux
p   libzfs1                 - Native ZFS filesystem library for Linux
p   libzfs1:i386            - Native ZFS filesystem library for Linux
p   libzfs1-dbg             - Debugging symbols for libzfs1
p   libzfs1-dbg:i386        - Debugging symbols for libzfs1
i A libzfs2                 - Native ZFS filesystem library for Linux
p   libzfs2:i386            - Native ZFS filesystem library for Linux
p   libzfs2-dbg             - Debugging symbols for libzfs2
p   libzfs2-dbg:i386        - Debugging symbols for libzfs2
v   lzfs                    -
v   lzfs:i386               -
v   lzfs-dkms               -
v   lzfs-dkms:i386          -
i   ubuntu-zfs              - Native ZFS filesystem metapackage for Ubuntu.
p   ubuntu-zfs:i386         - Native ZFS filesystem metapackage for Ubuntu.
p   zfs-auto-snapshot       - ZFS Automatic Snapshot Service
i   zfs-dkms                - Native ZFS filesystem kernel modules for Linux
p   zfs-dkms:i386           - Native ZFS filesystem kernel modules for Linux
v   zfs-dkms-build-depends  -
c   zfs-fuse                - ZFS als FUSE
p   zfs-fuse:i386           - ZFS als FUSE
p   zfs-initramfs           - Native ZFS root filesystem capabilities for Linux
p   zfs-initramfs:i386      - Native ZFS root filesystem capabilities for Linux
v   zfs-mountall            -
v   zfs-mountall:i386       -
i   zfsutils                - Native ZFS management utilities for Linux
p   zfsutils:i386           - Native ZFS management utilities for Linux
p   zfsutils-dbg            - Debugging symbols for zfsutils
p   zfsutils-dbg:i386       - Debugging symbols for zfsutils
A look at /media/zfs shows that the admin has full access to the filesystem; the case is solved at that level, at least (Figure 2).
Other Complications
Of course, the court insists on solid evidence. The forensic scientist works with images and never on the original system, because of the obligation to provide evidence of not having made any changes and the risk of destroying evidence.
This requirement turns out to be tricky with ZFS and Linux: zpool import can't use the dd image file directly, because it only looks for pools on block devices. The only solution here is a loopback device:
losetup -o $((4195362*512)) /dev/loop0 image.dd
Root attaches the ZFS partition inside the image to a loop device; the zpool command is then told (with -d /dev) that the pool data does not exist on a physical disk but is available as a loop device below /dev. The sector offset of the zfs0 partition is 4195362. Because losetup expects this value in bytes, the command line multiplies it by the sector size (*512). The adjusted zpool command, again naming the zroot pool, is now:
zpool import -f -d /dev -R /media/zfs zroot
This step also gives the forensic scientist logical access to an image containing a ZFS filesystem. Because forensics experts usually prefer to work with the "Expert Witness" format (EWF) rather than unwieldy raw images, the next step would be to use xmount to embed and convert the image on the fly:

xmount --in ewf --out dd --cache /tmp/zfs.ovl image.E* /ewf
losetup -o $((4195362*512)) /dev/loop0 /ewf/image.dd
zpool import -f -d /dev -R /media/zfs zroot
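As an added example (not code from the article), the steps above wrapped in POSIX shell functions: one converts the partition's start sector to the byte offset, the others emit the losetup and zpool commands for a raw or an EWF image, with read-only options added (losetup -r, zpool import -o readonly=on) so the evidence image cannot be altered during analysis. The article's values (sector 4195362, pool zroot, /media/zfs, /ewf, /tmp/zfs.ovl) and a free /dev/loop0 are assumptions.

```shell
#!/bin/sh
# Added example, not from the article. Nothing here touches a disk: the
# functions only print the commands; pipe their output to sh as root.

# Convert a partition start sector to the byte offset that losetup -o expects.
# $1 = start sector, $2 = sector size (default 512). Prints the byte offset.
sector_to_bytes() {
    sectors=$1
    size=${2:-512}
    case "$sectors" in ''|*[!0-9]*) echo "bad sector count: $sectors" >&2; return 1 ;; esac
    case "$size"    in ''|*[!0-9]*) echo "bad sector size: $size" >&2;    return 1 ;; esac
    echo $((sectors * size))
}

# Commands to attach the ZFS partition of a raw image to /dev/loop0 read-only
# and import the pool read-only under an alternate root (never under /).
# $1 = raw image, $2 = start sector, $3 = pool name, $4 = alternate root.
zfs_import_cmds() {
    image=$1 sector=$2 pool=$3 altroot=$4
    offset=$(sector_to_bytes "$sector") || return 1
    printf '%s\n' \
        "losetup -r -o $offset /dev/loop0 $image" \
        "zpool import -f -d /dev -o readonly=on -R $altroot $pool"
}

# Same for an EWF image: xmount exposes the segments as a raw file named
# <image>.dd inside its mount point, and that file is attached instead.
# $1 = first EWF segment (e.g. image.E01), $2..$4 as above, $5 = xmount mount point.
zfs_import_cmds_ewf() {
    base=${1%.E01}
    printf '%s\n' "xmount --in ewf --out dd --cache /tmp/zfs.ovl ${base}.E?? $5"
    zfs_import_cmds "$5/$(basename "$base").dd" "$2" "$3" "$4"
}
```

For the article's raw image, `zfs_import_cmds image.dd 4195362 zroot /media/zfs` prints the two commands to run as root; the EWF variant prints three.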
Infos
- ZFS filesystem: http://en.wikipedia.org/wiki/ZFS
- FreeNAS: http://www.freenas.org
- GPT: http://en.wikipedia.org/wiki/GUID_Partition_Table
- FreeBSD 10: https://www.freebsd.org/releases/10.0R/announce.html
- ZFS on Linux: http://zfsonlinux.org