Analyzing Synology Disks on Linux
Synology NAS solutions are popular devices. They are also used in many organizations. Their product range goes from small boxes with two disks (I’m not sure they still sell a single-disk enclosure today) up to monsters, rackable with plenty of disks. They offer multiple disk management options but rely on many open-source software (like most appliances). For example, there are no expensive hardware RAID controllers in the box. They use the good old “MD” (“multiple devices”) technology, managed with the well-known mdadm tool[1]. Synology NAS run a Linux distribution called DSM. This operating system has plenty of third-party tools but lacks pure forensics tools.
In a recent investigation, I had to investigate a NAS that was involved in a ransomware attack. Many files (backups) were deleted. The attacker just deleted some shared folders. The device had two drives configured in RAID0 (not the best solution I know but they lack storage capacity). The idea was to mount the file system (or at least have the block device) on a Linux host and run forensic tools, for example, photorec.
In such a situation, the biggest challenge will be to connect all the drivers to the analysis host! Here, I had only two drives but imagine that you are facing a bigger model with 5+ disks. In my case, I used two USB-C/SATA adapters to connect the drives. Besides the software RAID, Synology volumes also rely on LVM2 (“Logical Volume Manager”)[2]. In most distributions, the packages mdadm and lvm2 are available (for example on SIFT Workstation). Otherwise, just install them:
# apt install mdadm lvm2
Once you connect the disks (tip: add a label on them to replace them in the right order) to the analysis host, verify if they are properly detected:
# lsblk NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS sda 8:0 0 465.8G 0 disk |-sda1 8:1 0 464.8G 0 part / |-sda2 8:2 0 1K 0 part `-sda5 8:5 0 975M 0 part [SWAP] sdb 8:16 0 3.6T 0 disk |-sdb1 8:17 0 8G 0 part |-sdb2 8:18 0 2G 0 part `-sdb3 8:19 0 3.6T 0 part sdc 8:32 0 3.6T 0 disk |-sdc1 8:33 0 2.4G 0 part |-sdc2 8:34 0 2G 0 part `-sdc3 8:35 0 3.6T 0 part sr0 11:0 1 1024M 0 rom
"sdb3" and "sdc3" are the NAS partitions used to store data (2 x 4TB in RAID0). The good news, the kernel will detect that these disks are part of a software RAID! You just need to rescan them and "re-assemble" the RAID:
# mdadm --assemble --readonly --scan --force --run
Then, your data should be available via a /dev/md? device:
# cat /proc/mdstat
Personalities : [raid0]
md0 : active (read-only) raid0 sdb3[0] sdc3[1]
7792588416 blocks super 1.2 64k chunks
unused devices: <none>
The next step is to detect how data are managed by the NAS. Synology provides a technology called SHR[3] that uses LVM:
# lvdisplay WARNING: PV /dev/md0 in VG vg1 is using an old PV header, modify the VG to update. --- Logical volume --- LV Path /dev/vg1/syno_vg_reserved_area LV Name syno_vg_reserved_area VG Name vg1 LV UUID 08g9nN-Etde-JFN9-tn3D-JPHS-pyoC-LkVZAI LV Write Access read/write LV Creation host, time , LV Status NOT available LV Size 12.00 MiB Current LE 3 Segments 1 Allocation inherit Read ahead sectors auto --- Logical volume --- LV Path /dev/vg1/volume_1 LV Name volume_1 VG Name vg1 LV UUID fgjC0Y-mvx5-J5Qd-Us2k-Ppaz-KG5X-tgLxaX LV Write Access read/write LV Creation host, time , LV Status NOT available LV Size <7.26 TiB Current LE 1902336 Segments 1 Allocation inherit Read ahead sectors auto
You can see that the NAS has only one volume created ("volume_1" is the default name in DSM).
From now on, you can use /dev/vg1/volume_1 in your investigations. Mount it, scan it, image it, etc...
[1] https://en.wikipedia.org/wiki/Mdadm
[2] https://en.wikipedia.org/wiki/Logical_Volume_Manager_(Linux)
[3] https://kb.synology.com/en-br/DSM/tutorial/What_is_Synology_Hybrid_RAID_SHR
Xavier Mertens (@xme)
Xameco
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
| Reverse-Engineering Malware: Advanced Code Analysis | Singapore | Nov 18th - Nov 22nd 2024 |
Comments