ZFS on Linux helps if the ZFS FUSE service refuses to work

Dancing with the Devil

Not Under Root

Caution is advised here: Without specifying any options, the zpool would be mounted in the root directory of the active system. The /var directory it contains then ends up in the active Linux system – on top of the existing /var. This just reeks of problems; it makes much more sense to specify a new / structure.

The following example uses /media/zfs,

zpool import -f -R /media/zfs/ zroot

where -f stands for --force, -R sets a new target root, and zroot is the name of the pool found in Listing 1.

Listing 1

ZFS Packages

01 p   libzfs-dev                          - Native ZFS filesystem development files for Linux
02 p   libzfs-dev:i386                     - Native ZFS filesystem development files for Linux
03 p   libzfs1                             - Native ZFS filesystem library for Linux
04 p   libzfs1:i386                        - Native ZFS filesystem library for Linux
05 p   libzfs1-dbg                         - Debugging symbols for libzfs1
06 p   libzfs1-dbg:i386                    - Debugging symbols for libzfs1
07 i A libzfs2                             - Native ZFS filesystem library for Linux
08 p   libzfs2:i386                        - Native ZFS filesystem library for Linux
09 p   libzfs2-dbg                         - Debugging symbols for libzfs2
10 p   libzfs2-dbg:i386                    - Debugging symbols for libzfs2
11 v   lzfs                                -
12 v   lzfs:i386                           -
13 v   lzfs-dkms                           -
14 v   lzfs-dkms:i386                      -
15 i   ubuntu-zfs                          - Native ZFS filesystem metapackage for Ubuntu.
16 p   ubuntu-zfs:i386                     - Native ZFS filesystem metapackage for Ubuntu.
17 p   zfs-auto-snapshot                   - ZFS Automatic Snapshot Service
18 i   zfs-dkms                            - Native ZFS filesystem kernel modules for Linux
19 p   zfs-dkms:i386                       - Native ZFS filesystem kernel modules for Linux
20 v   zfs-dkms-build-depends              -
21 c   zfs-fuse                            - ZFS als FUSE
22 p   zfs-fuse:i386                       - ZFS als FUSE
23 p   zfs-initramfs                       - Native ZFS root filesystem capabilities for Linux
24 p   zfs-initramfs:i386                  - Native ZFS root filesystem capabilities for Linux
25 v   zfs-mountall                        -
26 v   zfs-mountall:i386                   -
27 i   zfsutils                            - Native ZFS management utilities for Linux
28 p   zfsutils:i386                       - Native ZFS management utilities for Linux
29 p   zfsutils-dbg                        - Debugging symbols for zfsutils
30 p   zfsutils-dbg:i386                   - Debugging symbols for zfsutils

A look at /media/zfs shows that the admin has full access to the filesystem; the case is solved at that level, at least (Figure 2).

Figure 2: Success really can look this unspectacular: The contents of the ZFS pool below /media/zfs.

Other Complications

Of course, the court insists on solid evidence. The forensic scientist works with images and never on the original system, because of the obligation to provide evidence of not having made any changes and the risk of destroying evidence.

This requirement turns out to be tricky with ZFS and Linux: The zpool can't use the dd image because it only displays physical devices. The only solution here is a loopback device:

losetup -o $((4195362*512)) /dev/loop0 image.dd

The ZFS partition converts root into a loop device; it then informs the zpool that the ZFS pool data does not physically exist but is available as a loop device below /dev. The sector offset for the zfs0 partition is 4195362. Because this value needs to be converted into bytes, the command line shows a multiplication (*512). The adjusted zpool command is now:

zpool import -f -d /dev -R /media/zfs

This step also ensures logical access for the forensic scientist to an image with a ZFS filesystem. Because forensics experts usually prefer to work with the "Expert Witness" format, rather than using unwieldy raw images, the next step would be to use xmount to embed and convert the image on the fly:

xmount --in ewf --out dd --cache /tmp/zfs.ovl image.E* /ewf
losetup -o $((4195362*512)) /dev/loop0 /ewf/image.dd
zpool import -f -d /dev -R /media/zfs

Infos

ZFS filesystem: http://en.wikipedia.org/wiki/ZFS
FreeNAS: http://www.freenas.org
GPT: http://en.wikipedia.org/wiki/GUID_Partition_Table
FreeBSD 10: https://www.freebsd.org/releases/10.0R/announce.html
ZFS on Linux: http://zfsonlinux.org

The Author

Hans-Peter Merkel has focused on data forensics for many years in the open source community. He trains employees of law enforcement agencies in Europe, Asia, and Africa, and is a founding member and chairman of FreiOSS and Linux4Afrika.