Re: Possible forensic issue with grub and RH8.0

From: Stephen Samuel (samuelat_private)
Date: Fri Jan 10 2003 - 21:50:28 PST

Next message: Ben Boulanger: "Re: Possible forensic issue with grub and RH8.0"

Previous message: Christine Siedsma: "New Digital Forensic resource"
In reply to: Hovis Chasteen: "Possible forensic issue with grub and RH8.0"
Next in thread: Ben Boulanger: "Re: Possible forensic issue with grub and RH8.0"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

As many people pointed out, it's not a grub problem, it's
an ext3 LABEL problem. It's only useful if you make sure
that you label all of your partitions with unique names.

My guess is that when Linux surveys partitions to find
a label/partition mapping, it surveys all the partitions,
and in the case of duplicates, it's the last one found that
makes the mapping.
(any other guesses?)
-------------
There are essentially two ways around the problem: One is to
use the method that you did (use hard partition names). The
other is to ensure that your partition gets a unique name when
you create it (but you'll still end up messed up if you do
disk cloning like you did).

If you're doing an ad-hock forensic mount where you have
partition label clashes,you can always break into grub and
edit the boot line to specify the proper boot partition.
If you're also mounting LABELed /usr, /var, /home, etc.
directories, then you'll probably have to do a rescue
boot from CD and edit /etc/fstab and grub.conf before you
boot the system with the spare disk.

(If you look in /etc/fstab, you'll see LABEL= entries
for root and any other labeled FS that you created
with the system.)

I belive that this problem can also occur for LILO boots
under recent kernels.
Hovis Chasteen wrote:
> Greetings,

> I noticed if I attach another linux bootable drive to
> the computer (/dev/hdc) when the computer boots, it
> was trying to load the kernel, root and boot from
> /dev/hdc not /dev/hda as I expected. I cloned hda and

> 	kernel /vmlinuz-2.4.18-14 ro root=LABEL=/

> I changed the kernel line to read “kernel
> /vmlinuz-2.4.18-14 ro root=/dev/hda5” (hda5 is my root

-- 
Stephen Samuel +1(604)876-0426                samuelat_private
		   http://www.bcgreen.com/~samuel/
Powerful committed communication, reaching through fear, uncertainty and
doubt to touch the jewel within each person and bring it to life.


-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Ben Boulanger: "Re: Possible forensic issue with grub and RH8.0"
Previous message: Christine Siedsma: "New Digital Forensic resource"
In reply to: Hovis Chasteen: "Possible forensic issue with grub and RH8.0"
Next in thread: Ben Boulanger: "Re: Possible forensic issue with grub and RH8.0"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sat Jan 11 2003 - 12:53:38 PST