Hello,
I've done an E01 image of a Linux system and when I try to mount it in EnCase (8.05) or FTK Imager (4.1.1.1), I've found that it was LUKS encrypted.
After a while, the person gave me the decryption password.
Now I'm wondering if it's possible to decrypt the E01 image with that password in software like EnCase or FTK without having to do an image of the computer again.
I've googled it and I haven't found anything that helps me.
Thanks in advance for your help.
No.
You'll have to unlock using a Linux OS then image the decrypted device mapping.
sudo cryptsetup -r open --type luks <device> <name>
where <device> is your LUKS encrypted partition, e.g. /dev/sdg5
where <name> is a name for the device mapping of your choice.
Remove the -r option if you don't require the mapping to be read-only.
sudo ewfacquire /dev/mapper/<name>
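An added example, not part of the original posts: one way to run the unlock-then-image steps above against the existing E01 by exposing it as a raw file first. It assumes libewf's ewfmount and util-linux losetup are installed and that you run it as root. The function names luks_version and unlock_from_e01 are hypothetical, and the partition offset is whatever your own partition listing reports.

```shell
#!/bin/sh
# Added example. Usage (as root), after sourcing this file:
#   unlock_from_e01 <image.E01> <partition offset in bytes> <mapping name>
# Offset = start sector * sector size, e.g. from `fdisk -l <mountpoint>/ewf1`.

# Print the LUKS version (1 or 2) found at byte OFFSET of FILE.
# Returns 1 if the 6-byte LUKS magic "LUKS\xba\xbe" is not there.
luks_version() {
    img=$1
    off=${2:-0}
    # Magic (6 bytes) + big-endian version (2 bytes), rendered as hex.
    hdr=$(dd if="$img" bs=1 skip="$off" count=8 2>/dev/null \
          | od -An -tx1 | tr -d ' \n')
    case $hdr in
        4c554b53babe0001) echo 1 ;;
        4c554b53babe0002) echo 2 ;;
        *) return 1 ;;
    esac
}

# Expose the E01 read-only, unlock the LUKS partition read-only,
# then acquire the decrypted mapping to a new EWF image.
unlock_from_e01() {
    e01=$1
    off=$2
    name=$3
    mnt=$(mktemp -d) || return 1

    # ewfmount presents the E01 contents as a raw file named ewf1.
    ewfmount "$e01" "$mnt" || return 1

    if ! ver=$(luks_version "$mnt/ewf1" "$off"); then
        echo "no LUKS header at byte offset $off" >&2
        return 1
    fi
    echo "LUKS$ver header found at byte offset $off" >&2

    # Read-only loop device starting at the encrypted partition.
    loop=$(losetup --find --show --read-only --offset "$off" "$mnt/ewf1") \
        || return 1

    # Prompts for the passphrase; -r keeps the mapping read-only.
    cryptsetup -r open --type luks "$loop" "$name" || return 1

    # Interactive: asks for case details and the output file name.
    ewfacquire "/dev/mapper/$name"
}
```

When finished, tear down in reverse order: `cryptsetup close <name>`, `losetup -d` on the loop device, then unmount the ewfmount directory.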