Why Snapshots Beat Live Acquisition
When you're responding to an incident on a running Linux system, pulling the disk offline for dd imaging isn't always possible — and a live system changes every second. LVM snapshots give you a consistent, point-in-time copy of a logical volume that you can hash, mount read-only, and ship to your forensic workstation while the host keeps running.
Creating a Forensic Snapshot
# Check free space in the volume group
vgdisplay vg0
# Create a 10 GB snapshot of the root LV
lvcreate -L10G -s -n root_snap /dev/vg0/root
# Verify
lvs
Mounting Read-Only
mkdir /mnt/forensic
# ro blocks writes; noload (ext3/ext4) skips journal replay, so mounting does not alter the snapshot.
# For an XFS root the equivalent is -o ro,norecovery.
mount -o ro,noload /dev/vg0/root_snap /mnt/forensic
Hashing for Chain of Custody
sha256sum /dev/vg0/root_snap > root_snap.sha256
Always hash the block device, not the mounted filesystem, for legal defensibility.
Transferring to Analysis Workstation
# Stream the raw device; re-hash the decompressed image on the analyst side and compare it with root_snap.sha256
dd if=/dev/vg0/root_snap bs=4M | gzip -1 | \
ssh analyst@10.0.0.5 "cat > /cases/host1_root_snap_$(date +%F).img.gz"
Removing the Snapshot
umount /mnt/forensic
lvremove /dev/vg0/root_snap
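As an added example (not code from the original post), the steps above wrapped into runbook functions that log the creation timestamp, verify the transferred image against the block-device hash, and refuse to release a snapshot that LVM invalidated because its copy-on-write space ran out. The volume names, analyst host and case path are placeholders carried over from the commands above, and the lvs row fed to snapshot_valid is constructed input.

```shell
#!/bin/sh
# Example runbook helpers, not from the original post. VG/LV names, the analyst
# host and the case path are placeholders; adjust them for your environment.
set -eu

VG=vg0; LV=root; SNAP=root_snap
SNAP_DEV="/dev/$VG/$SNAP"
REMOTE="analyst@10.0.0.5"
CASE="/cases/host1_${SNAP}_$(date -u +%Y-%m-%d).img.gz"

# Log the UTC creation time before creating the snapshot: it is the forensic timestamp.
create_snapshot() {
    stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    lvcreate -L10G -s -n "$SNAP" "/dev/$VG/$LV"
    printf '%s snapshot_created %s\n' "$stamp" "$SNAP_DEV" >> custody.log
}

# A snapshot whose copy-on-write area fills up is invalidated by LVM: lvs then shows
# (I)nvalid or invalid (S)uspended in position 5 of lv_attr and snap_percent at 100.
# $1 is one row of: lvs --noheadings -o lv_attr,snap_percent "$SNAP_DEV"
snapshot_valid() {
    set -- $1                     # split the row into lv_attr and snap_percent
    attr=$1; pct=${2:-0}
    case "$attr" in ????[IS]*) return 1 ;; esac
    [ "${pct%.*}" -lt 100 ]
}

# Compare two sha256sum output lines by digest only; the filename field differs
# between a block-device hash and a stdin ("-") hash.
hashes_match() {
    a=${1%% *}; b=${2%% *}
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Hash the block device, stream it, and have the analyst host re-hash the
# decompressed stream while writing it, so the transfer is verified end to end.
transfer_snapshot() {
    sha256sum "$SNAP_DEV" > "${SNAP}.sha256"
    remote=$(dd if="$SNAP_DEV" bs=4M | gzip -1 \
        | ssh "$REMOTE" "tee '$CASE' | gunzip -c | sha256sum")
    hashes_match "$(cat "${SNAP}.sha256")" "$remote"   # set -e aborts on mismatch
    printf '%s transfer_verified %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$remote" >> custody.log
}

# Only release the snapshot after confirming it stayed valid during the imaging window.
remove_snapshot() {
    snapshot_valid "$(lvs --noheadings -o lv_attr,snap_percent "$SNAP_DEV")"
    umount /mnt/forensic 2>/dev/null || true
    lvremove -y "$SNAP_DEV"
}
```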
Defensive Takeaways
- Pre-plan your VG free space — you need headroom for snapshots at incident time
- Always hash the block device, not the mounted path
- Document snapshot creation time precisely — it is your forensic timestamp
- Automate snapshot creation as the first step in your IR runbook