Acquiring LUKS (Linux)

9 Posts
3 Users
0 Likes
2,656 Views
(@christ143uk)
Posts: 51
Trusted Member
Topic starter
 

Hi,

So a bit of background. We have two exhibits, both encrypted using LUKS encryption (Ubuntu). We have a password for one of the two user accounts as well as the password for the encryption. We have an encrypted image of both devices. I have used VFC to virtualise the laptops, and this can be used to log in to the user's desktop.

I am wondering if anyone has any advice on the best method to create a decrypted image of the laptops, either using the original exhibit or the VM?

Thanks in advance.

 
Posted : 02/05/2018 1:42 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

Create your own VM with Linux on it (SIFT is good) with LUKS support.
Attach the (mounted) disks to your VM and mount them in your VM using LUKS and the password.
Then image with either dd or Guymager/a similar program.

 
Posted : 02/05/2018 2:31 pm
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

If you don't have a Linux workstation you could use the Sumuri Paladin boot disk or similar. I can confirm Paladin works, as I have used it myself. I wouldn't recommend mounting (unless read only), and I have found that the decrypted device will not show up in a list in Guymager or the Paladin Toolkit unless you make use of the mknod command. You will probably need to use the command line.

Example command to unlock the LUKS device:
sudo cryptsetup open /dev/sdb1 unlocked_luks --type luks
(Replace /dev/sdb1 with whatever device/partition is the LUKS-encrypted one. Name the decrypted device whatever you want to name it; it doesn't have to be "unlocked_luks".)

You should then find a decrypted device at /dev/mapper/unlocked_luks (or whatever you decided to name it).

You can now image it using ewfacquire, for example:

sudo ewfacquire /dev/mapper/unlocked_luks

then complete the on-screen prompts to image the device.

I should add that you will need the password to use this method, obviously.

 
Posted : 02/05/2018 2:52 pm
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

Or, within the VM you've created, you could first try the command "lsblk" and look for a line like

sda2_crypt 2540 0 250G 0 crypt

Look at the TYPE column for the word "crypt"; that is the name of the decrypted LUKS device.

You can then image using dd or ewfacquire etc.

sudo ewfacquire /dev/mapper/sda2_crypt

 
Posted : 02/05/2018 3:04 pm
AmNe5iA
(@amne5ia)
Posts: 173
Estimable Member
 

If you don't have the password, see "Bruteforcing Linux Full Disk Encryption (LUKS) With Hashcat", which was featured on Forensic Focus recently.

 
Posted : 02/05/2018 3:11 pm
(@christ143uk)
Posts: 51
Trusted Member
Topic starter
 

Hey,

Thank you both.

I shall have a look into this today and let you know how I get on.

Thanks

 
Posted : 03/05/2018 6:40 am
(@christ143uk)
Posts: 51
Trusted Member
Topic starter
 

Hi,

I have tried the method of using Paladin to mount the encrypted partition as Unlocked_luks. I have run EWFacquire and filled in the details as requested, but for some reason it seems to stall at around 0.8% of the acquisition.

I am not sure if I am not being patient enough, i.e. is it stopping to write the segment to disk, which takes a while, or am I making a mistake somewhere?

I am wanting to write the E01 to a removable drive which is mounted at /dev/sdb (one partition /dev/sdb/1)

EWFacquire prompts you for the path and filename without extension. Can anyone confirm the path (if I wanted to write back to /dev/sdb)? When I have googled it, other people just seem to be inputting "floppy" or "exhibit" rather than giving it a file path.

Thanks

**EDIT: it would appear that the E01 is being written back to the test laptop rather than the removable drive.

 
Posted : 03/05/2018 8:32 am
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
 

Hi,

I am wanting to write the E01 to a removable drive which is mounted at /dev/sdb (one partition /dev/sdb/1)

**EDIT: it would appear that the E01 is being written back to the test laptop rather than the removable drive.

The drive won't be mounted to /dev/sdb, or not in a usable form.
You will need to mount the partition on /dev/sdb to a mount point.
sdb1 would be partition 1 on the disk; I imagine you have only got one partition on the removable disk.

You then mount using a similar command

mount /dev/sdb1 /mnt

You may have to specify the filesystem type, depending on what filesystem is on the drive.

You then image to /mnt.
So /mnt/evidence.e01 would create a file named evidence.e01 on the root of the external drive.

 
Posted : 03/05/2018 9:50 am
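An added example, not code from any poster in this thread: it wraps the cryptsetup open / ewfacquire steps AmNe5iA gave above with the mount-point check minime2k9 describes, so that the E01 cannot silently land on the boot system as happened to the topic starter. It assumes cryptsetup and libewf's ewfacquire are installed, sdXN-style device names, and that the destination argument is the directory where the removable drive is mounted.

```shell
#!/bin/sh
# Added example, not code from the thread. Wraps the thread's procedure:
#   cryptsetup open (read-only) -> ewfacquire -> cryptsetup close
# after first checking that the destination directory is a real mount
# point on a disk other than the evidence disk. Assumes cryptsetup and
# ewfacquire (libewf) are installed and sdXN-style device names.

# Succeed if DIR appears as a mount point in the mounts table
# (default /proc/mounts; a file path can be passed for offline checks).
is_mountpoint() {
    awk -v d="$1" '$2 == d { found = 1 } END { exit !found }' "${2:-/proc/mounts}"
}

# Print the device backing mount point DIR (empty if not mounted).
mount_source() {
    awk -v d="$1" '$2 == d { print $1 }' "${2:-/proc/mounts}"
}

# Strip a trailing partition number: /dev/sdb1 -> /dev/sdb (sdXN names only).
whole_disk() {
    printf '%s\n' "${1%%[0-9]*}"
}

# Refuse a destination that is not its own mount point (the failure in the
# thread: /mnt not mounted, so the E01 went to the live system) or that
# lives on the same disk as the evidence partition.
check_destination() {
    dest=$1; evidence=$2; mounts=${3:-/proc/mounts}
    if ! is_mountpoint "$dest" "$mounts"; then
        echo "refusing: $dest is not a mount point" >&2; return 1
    fi
    src=$(mount_source "$dest" "$mounts")
    if [ "$(whole_disk "$src")" = "$(whole_disk "$evidence")" ]; then
        echo "refusing: $dest is on the evidence disk $src" >&2; return 1
    fi
}

# Usage: acquire_luks /dev/sdb1 unlocked_luks /mnt exhibit1
acquire_luks() {
    luksdev=$1; name=$2; dest=$3; base=$4
    check_destination "$dest" "$luksdev" || return 1
    sudo cryptsetup open --readonly --type luks "$luksdev" "$name" || return 1
    # -u: unattended; -t: target path without the .E01 extension; -d sha1: extra hash
    sudo ewfacquire -u -d sha1 -t "$dest/$base" "/dev/mapper/$name"
    rc=$?
    sudo cryptsetup close "$name"
    return $rc
}
```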
(@christ143uk)
Posts: 51
Trusted Member
Topic starter
 

Update

It wasn't allowing me to mount the external disk as RW using the terminal. However, Paladin did allow us to mount it as read/write using the GUI under the path /media/.

It has imaged more of the disk than previously, at a much slower pace, and the activity light is going on the external drive, which would suggest it is working as expected.

Thanks for your help.

If successful I shall do a better write up of how we got there.

Thanks again

 
Posted : 03/05/2018 10:57 am