Acquiring LUKS (Linux)

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.

Christ143uk
Member
 

Acquiring LUKS (Linux)

Post Posted: May 02, 18 13:42

Hi,

So a bit of background. We have two exhibits both encrypted using LUKS encryption (Ubuntu). We have a password for one of the two user accounts as well as the password for the encryption. We have an encrypted image of both devices. I have used VFC to virtualise the laptops and this can be used to login to the user's desktop.

I am wondering if anyone has any advice on the best method to create a decrypted image of the laptops either using the original exhibit or the VM?

Thanks in advance.  
 
  

minime2k9
Senior Member
 

Re: Acquiring LUKS (Linux)

Post Posted: May 02, 18 14:31

Create your own VM with Linux on (SIFT is good) with LUKS support.
Attach the (mounted) disks to your VM and mount in your VM using LUKS and the password.
Then image with either DD or Guymager/similar program.  
 
  

AmNe5iA
Senior Member
 

Re: Acquiring LUKS (Linux)

Post Posted: May 02, 18 14:52

If you don't have a Linux workstation you could use Sumuri Paladin boot disk or similar. I can confirm Paladin works as I have used it myself. I wouldn't recommend mounting (unless read only) and I have found that the decrypted device will not show up in a list in Guymager or the Paladin Toolkit unless you make use of the mknod command. You will probably need to use the command line.

Example command to unlock the luks device:
Code:
sudo cryptsetup open /dev/sdb1 unlocked_luks --type luks

(Replace /dev/sdb1 with whatever device/partition is the luks encrypted one. Name the decrypted device whatever you want to name it; it doesn't have to be "unlocked_luks".)

You should then find a decrypted device at /dev/mapper/unlocked_luks (or whatever you decided to name it).

You can now image it using ewfacquire, for example:

Code:
sudo ewfacquire /dev/mapper/unlocked_luks

then complete the on screen prompts to image the device.

I should add that you will need the password to use this method, obviously.  
 
  

AmNe5iA
Senior Member
 

Re: Acquiring LUKS (Linux)

Post Posted: May 02, 18 15:04

OR WITHIN the VM you've created you could first try the command "lsblk" and look for a line like:
Code:
sda2_crypt      254:0    0 250G  0 crypt

Look at the TYPE column for the word "crypt"; that is the name of the decrypted luks device.

You can then image using dd or ewfacquire etc.

Code:
sudo ewfacquire /dev/mapper/sda2_crypt
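As an added example (not code from the thread), the following script ties together the two posts above: it picks the "crypt" rows out of lsblk output the way the post describes, then images the mapping with ewfacquire, refusing to proceed unless the dm-crypt mapping is read-only (cryptsetup's --readonly option). The device names, the output directory and the lsblk listing are constructed placeholders; the ewfacquire switches used are -u (unattended), -d sha256 (extra digest) and -t (target path without extension).

```shell
#!/bin/sh
# Added example (not from the thread): find the dm-crypt mapping that lsblk
# shows with TYPE "crypt" and image it read-only with ewfacquire.
# Device names, output directory and the sample lsblk listing are constructed.

# Print the NAME of every lsblk row whose TYPE column (field 6 in the default
# NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT layout) is "crypt". The tree glyphs
# lsblk prefixes to child rows are stripped so a bare mapping name comes out.
find_crypt_devices() {
    awk '$6 == "crypt" {
            name = $1
            sub(/^[^A-Za-z0-9]+/, "", name)   # drop leading "└─" / "├─"
            print name
        }'
}

# Execute a command, or just print it when DRY_RUN=1 (used by the demo/test).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Image /dev/mapper/NAME into OUTDIR/BASE.E01.
acquire_mapping() {
    name=$1 outdir=$2 base=$3
    mapped=/dev/mapper/$name

    if [ "${DRY_RUN:-0}" != 1 ]; then
        [ -b "$mapped" ] || { echo "no block device at $mapped" >&2; return 1; }
        # Refuse to work through a writable mapping: a container opened without
        # --readonly lets anything that touches it alter the original evidence.
        if [ "$(sudo blockdev --getro "$mapped")" != 1 ]; then
            echo "$mapped is writable; reopen it with: cryptsetup open --readonly" >&2
            return 1
        fi
    fi
    # -u unattended, -d sha256 extra digest beside MD5,
    # -t target path without extension (ewfacquire appends .E01 itself)
    run sudo ewfacquire -u -d sha256 -t "$outdir/$base" "$mapped"
}

# Constructed lsblk output; the "crypt" row is the one to image.
SAMPLE_LSBLK='NAME           MAJ:MIN RM   SIZE RO TYPE  MOUNTPOINT
sda              8:0    0 465.8G  0 disk
├─sda1           8:1    0   512M  0 part  /boot/efi
└─sda2           8:2    0 465.3G  0 part
  └─sda2_crypt 254:0    0   250G  1 crypt
sdb              8:16   1  28.9G  0 disk
└─sdb1           8:17   1  28.9G  0 part  /media/EVIDENCE'

# Usage: sh acquire_luks.sh demo   (prints the commands it would run)
if [ "${1:-}" = demo ]; then
    DRY_RUN=1
    for dev in $(printf '%s\n' "$SAMPLE_LSBLK" | find_crypt_devices); do
        acquire_mapping "$dev" /media/EVIDENCE laptop1
    done
fi
```

On a live exhibit the mapping would be created first with `sudo cryptsetup open --readonly --type luks /dev/sda2 sda2_crypt`; `blockdev --getro` then reports 1 for the mapping and the script proceeds.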
 
 
  

AmNe5iA
Senior Member
 

Re: Acquiring LUKS (Linux)

Post Posted: May 02, 18 15:11

If you don't have the password, see "Bruteforcing Linux Full Disk Encryption (LUKS) With Hashcat", which was featured on Forensic Focus recently.  
 
  

Christ143uk
Member
 

Re: Acquiring LUKS (Linux)

Post Posted: May 03, 18 06:40

Hey,

Thank you both.

I shall have a look into this today and let you know how I get on.

Thanks  
 
  

Christ143uk
Member
 

Re: Acquiring LUKS (Linux)

Post Posted: May 03, 18 08:32

Hi,

I have tried the method of using Paladin to mount the encrypted partition as Unlocked_luks. I have run EWFacquire and filled in the details as requested but for some reason it seems to stall at around 0.8% of the acquisition.

I am not sure if I am not being patient enough, i.e. is it stopping to write the segment to disk which takes a while, or if I am making a mistake somewhere.

I am wanting to write the E01 to a removable drive which is mounted at /dev/sdb (one partition /dev/sdb/1)

EWFacquire prompts you for the path and filename without extension. Can anyone confirm the path (if I wanted to write back to /dev/sdb) as when I have googled it other people just seem to be inputting "floppy" or "exhibit" rather than giving it a file path.

Thanks

**EDIT: it would appear that the E01 is being written back to the test laptop rather than the removable drive  
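ewfacquire's target is a file path without extension, not a raw device, so the removable drive has to be mounted and the target must sit under its mount point. The following added example (not from the thread) shows a pre-flight check that reports which device actually backs the intended output directory, so an image destined for the laptop's own disk is caught before acquisition starts. The paths and the `df -P` listings are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): confirm the directory ewfacquire will
# write into is backed by the evidence drive rather than the laptop's disk.
# Paths and the sample df listings are constructed.

# Read `df -P DIR` output on stdin and print the device backing DIR.
backing_device() {
    awk 'NR == 2 { print $1 }'
}

# Same row, the mount point column of POSIX df output.
mount_point() {
    awk 'NR == 2 { print $6 }'
}

# Succeed only if DIR is backed by EXPECTED_DEV (e.g. /dev/sdb1).
# The device found is printed either way so the check appears in the notes.
check_target() {
    dir=$1 expected=$2
    [ -d "$dir" ] || { echo "target directory $dir does not exist" >&2; return 1; }
    actual=$(df -P "$dir" | backing_device)
    echo "$dir is on $actual (mounted at $(df -P "$dir" | mount_point))"
    [ "$actual" = "$expected" ]
}

# Constructed df -P output. A target under the unlocked laptop volume lands
# on /dev/mapper/unlocked_luks; the evidence drive is /dev/sdb1.
DF_LAPTOP='Filesystem               1024-blocks     Used Available Capacity Mounted on
/dev/mapper/unlocked_luks  255000000 12000000 243000000       5% /media/unlocked_luks'
DF_EVIDENCE='Filesystem     1024-blocks   Used Available Capacity Mounted on
/dev/sdb1         30000000  500000  29500000       2% /media/EVIDENCE'

# Usage: sh check_target.sh /media/EVIDENCE /dev/sdb1 && sudo ewfacquire -t /media/EVIDENCE/laptop1 ...
if [ $# -eq 2 ]; then
    check_target "$1" "$2"
fi
```

Running `check_target` against the intended output directory before starting ewfacquire makes the stall symptom described above easy to diagnose: if the reported device is the unlocked mapping or the laptop's disk, the target path is wrong.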
 
