Analyzing Synology Disks on Linux, (Wed, May 8th)

Synology NAS solutions are popular devices, and they are also used in many organizations. Their product range goes from small boxes with two disks (I'm not sure they still sell a single-disk enclosure today) up to rackable monsters with plenty of disks. They offer multiple disk management options but rely on a lot of open-source software (like most appliances). For example, there is no expensive hardware RAID controller in the box: they use the good old "MD" ("multiple devices") software RAID, managed with the well-known mdadm tool[1]. Synology NAS run a Linux distribution called DSM. This operating system has plenty of third-party tools but lacks pure forensics tools.

In a recent investigation, I had to investigate a NAS that was involved in a ransomware attack. Many files (backups) were deleted: the attacker just deleted some shared folders. The device had two drives configured in RAID0 (not the best solution, I know, but they lacked storage capacity). The idea was to mount the file system (or at least to have the block device) on a Linux host and run forensic tools, for example photorec.

In such a situation, the biggest challenge will be to connect all the drives to the analysis host! Here, I had only two drives, but imagine that you are facing a bigger model with 5+ disks. In my case, I used two USB-C/SATA adapters to connect the drives. Ideally the drives sit behind a hardware write blocker; failing that, make sure every layer (the md array, LVM, the mount) is brought up read-only. Besides the software RAID, Synology volumes also rely on LVM2 ("Logical Volume Manager")[2]. In most distributions, the mdadm and lvm2 packages are available (for example on the SIFT Workstation). Otherwise, just install them:

# apt install mdadm lvm2

Once you connect the disks to the analysis host (tip: label them so you can put them back in the right bays later), verify that they are properly detected:

# lsblk
sda 8:0 0 465.8G 0 disk
|-sda1 8:1 0 464.8G 0 part /
|-sda2 8:2 0 1K 0 part
`-sda5 8:5 0 975M 0 part [SWAP]
sdb 8:16 0 3.6T 0 disk
|-sdb1 8:17 0 8G 0 part
|-sdb2 8:18 0 2G 0 part
`-sdb3 8:19 0 3.6T 0 part
sdc 8:32 0 3.6T 0 disk
|-sdc1 8:33 0 2.4G 0 part
|-sdc2 8:34 0 2G 0 part
`-sdc3 8:35 0 3.6T 0 part
sr0 11:0 1 1024M 0 rom

"sdb3" and "sdc3" are the NAS partitions used to store data (2 x 4 TB in RAID0); the two small partitions in front of them hold the DSM system partition and swap. The good news is that these partitions carry md superblocks (note the "super 1.2" below), so mdadm can find the members and re-assemble the array without any configuration file. Assemble it read-only so that nothing is written back to the superblocks or to the data; --force lets mdadm proceed even if the members' event counters disagree, and --run starts the array without waiting for more members:

# mdadm --assemble --readonly --scan --force --run

The assembled array then shows up as a /dev/md? device (the number may differ on your host), and /proc/mdstat confirms that it is active and read-only:

# cat /proc/mdstat
Personalities : [raid0]
md0 : active (read-only) raid0 sdb3[0] sdc3[1]
7792588416 blocks super 1.2 64k chunks

unused devices: <none>

The next step is to find out how the NAS organizes data on top of the array. Synology's SHR[3] technology relies on LVM, and so does the volume on this NAS: the md device is an LVM physical volume, so the lvm2 tools can list the volume group and its logical volumes:

# lvdisplay
WARNING: PV /dev/md0 in VG vg1 is using an old PV header, modify the VG to update.
— Logical volume —
LV Path /dev/vg1/syno_vg_reserved_area
LV Name syno_vg_reserved_area
VG Name vg1
LV UUID 08g9nN-Etde-JFN9-tn3D-JPHS-pyoC-LkVZAI
LV Write Access read/write
LV Creation host, time ,
LV Status NOT available
LV Size 12.00 MiB
Current LE 3
Segments 1
Allocation inherit
Read ahead sectors auto

— Logical volume —
LV Path /dev/vg1/volume_1
LV Name volume_1
VG Name vg1
LV UUID fgjC0Y-mvx5-J5Qd-Us2k-Ppaz-KG5X-tgLxaX
LV Write Access read/write
LV Creation host, time ,
LV Status NOT available
LV Size <7.26 TiB
Current LE 1902336
Segments 1
Allocation inherit
Read ahead sectors auto

You can see that the NAS has only one data volume ("volume_1" is the default name in DSM); the 12 MiB syno_vg_reserved_area is space reserved by DSM, not a data volume. Two details matter here. The WARNING about the old PV header is harmless and must not be followed: "modifying the VG to update" would write to the evidence. And both logical volumes are reported as "NOT available", which means the volume group has not been activated yet; /dev/vg1/volume_1 does not exist as a block device until you activate it (vgchange -ay vg1).

Once the volume is active, use /dev/vg1/volume_1 in your investigations: image it, scan it with photorec, or mount it read-only, making sure the mount does not replay the file system journal onto the evidence.
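The whole procedure (assemble the array read-only, check it, activate the volume group, mount the volume read-only) as a script, added here as an example; it is not code from the original diary. The device and volume names (md0, vg1, volume_1, /mnt/nas) are assumptions taken from the output above and must be adapted. The helper functions work on text, so they can also be run against a saved copy of /proc/mdstat; the live part only runs when the script is started with --run as root.

```shell
#!/bin/sh
# Added example (not from the original diary): bring up a Synology volume
# read-only, layer by layer, checking each step before moving on.
# Assumed names: md0, vg1, volume_1 and the mount point /mnt/nas.
set -eu

# Does the /proc/mdstat text in $2 show array $1 active AND read-only?
md_is_readonly() {
    printf '%s\n' "$2" | grep -E "^$1 : active \(read-only\) " >/dev/null
}

# Member partitions of array $1 in slot order (e.g. "sdb3 sdc3"), parsed
# from the mdstat text in $2. Members flagged (F) (failed) are skipped.
md_members() {
    printf '%s\n' "$2" | awk -v md="$1" '
        $1 == md {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[a-z0-9]+\[[0-9]+\]$/) {
                    dev = $i; sub(/\[.*$/, "", dev)
                    slot = substr($i, index($i, "[") + 1); sub(/\].*$/, "", slot)
                    print slot, dev
                }
            }
        }' | sort -n | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $2 } END { print "" }'
}

# Mount options that keep a forensic mount from touching the evidence:
# ext4 "noload" skips journal replay, btrfs "norecovery" skips log replay.
ro_mount_opts() {
    case "$1" in
        ext4|ext3) echo "ro,noload" ;;
        btrfs)     echo "ro,norecovery" ;;
        *)         echo "ro" ;;
    esac
}

# Live run: needs root and the disks attached. Nothing below runs otherwise,
# so the functions above can be exercised on saved output.
if [ "${1:-}" = "--run" ]; then
    md=${2:-md0}; vg=${3:-vg1}; lv=${4:-volume_1}; mnt=${5:-/mnt/nas}

    mdadm --assemble --readonly --scan --force --run
    mdstat=$(cat /proc/mdstat)
    md_is_readonly "$md" "$mdstat" || { echo "$md is not read-only, stopping" >&2; exit 1; }
    echo "members of $md: $(md_members "$md" "$mdstat")"

    # Activation makes the LVs appear; writes are refused by the read-only
    # md layer anyway, but the mount options below avoid even attempting them.
    vgchange -ay "$vg"
    lv_dev="/dev/$vg/$lv"
    [ -b "$lv_dev" ] || { echo "$lv_dev not available after activation" >&2; exit 1; }
    fstype=$(blkid -o value -s TYPE "$lv_dev")
    mkdir -p "$mnt"
    mount -t "$fstype" -o "$(ro_mount_opts "$fstype")" "$lv_dev" "$mnt"
    echo "$lv_dev ($fstype) mounted read-only at $mnt"
    # To work on a copy instead: dd if="$lv_dev" of=/evidence/volume_1.img bs=4M conv=noerror,sync
fi
```

Run it with `sh script.sh --run md0 vg1 volume_1 /mnt/nas`. Stopping when the array is not read-only is deliberate: if mdadm assembled the array read-write (for example because a stale mdadm.conf or udev rule auto-assembled it first), the superblocks may already have been updated, and that is something you want to notice and document before going further.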


Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.