|Posted by M. Gene Shantz on December 29, 2015 at 6:45 PM||comments (47)|
Recently during an engagement, I encountered Linux Unified Key Setup (LUKS), a partition encryption method used in various versions of Linux. Some companies require PGP full disk encryption for their Windows workstations and LUKS is the Linux alternative to maintaining the company encryption policies for those that allow Linux workstations.
This Blog is not to tell you how LUKS works but to explain the way to deal with it should you come across it during an engagement. Additionally, I owe thanks to Tom Millar, Lance Mueller for their insight and assistance and Carlos Cajigas who’s blog at http://mashthatkey.blogspot.com/ was a huge help in combining the Linux command lines used in this presentation.
First, let’s look at two images in FTK imager and see how the volumes are laid out. The 320GB drive is the PGP volume and the Toshiba is the LUKS volume.
Because PGP is a full disk encryption system, PGP can quickly be identified in physical sector zero with a header of ëH.PGPGUARD in the first 11 bytes.
The LUKS volume on the other hand is slightly different because it is a partition encryption system. In this example the first volume is the Linux 1GB boot volume and is not encrypted, but the second volume, the main Linux OS volume, is encrypted. The location of the LUKS header, “LUKSº¾..aes”, is located in first 11 bytes of logical sector zero of the second volume.
At the time of this writing, I was using DEFT 8 as a Linux forensics tower and when I connected the write blocked physical drive to the tower via firewire, DEFT 8 identified the two volumes flagging the LUKS volume as encrypted.
What was interesting was, while DEFT 8 identified the volume as encrypted, it could not decrypt it right away even though I had a password. I learned that I needed to install the Cryptsetup for it to work. For some reason the installation package of the DEFT 8 version I was using had either a corrupted Cryptsetup program or did not have one at all. Once I obtained it, I had no issue decrypting the drive by simply mounting the volume in the file manager and entering the password when prompted and then following it with my systems password.
One point of interest though; the DEFT 8 live boot CD did not have any issues accessing the volume. I boot a laptop to the DEFT 8 live boot CD and connected the drive through a write blocker and was able to immediately mount and decrypt the volume for imaging.
While this was a nice easy way to access the encrypted volume it does not give you access to the swap volume that is included inside the encrypted volume. To access the swap volume we need to take a different approach.
For this explanation we will mount a RAW image of the same physical drive rather than using the physical disk through a write blocker.
Since I do not consider myself a Linux buff and will likely have to refer to this blog in the future, I’m going to walk through the process step by step.
Because we are working with a RAW image we can simply look at the partitions on the image to determine size and location. We can do this in one of 2 ways.
One way is to use the fdisk command.
sudo fdisk –l [image path and name]
Or we can use the mmls command
sudo mmls –aB [image path and name]
-a: Show allocated volumes and -B: print the rounded length in bytes
Note there are two partitions both with Linux systems. The first partition starts at sector 2048 and ends at 2050047. The second partition is the likely LUKS volume and it starts at sector 2050048. This information is needed as we progress through the remaining steps.
Next, we need to caculate the start of the second partition in bytes by multiplying 2050048 by 512, the sector size, and we get 1049624576 bytes.
Now, using the losetup command we will determine the next available loop device so we can mount the encrypted volume and map the logic volumes inside it.
sudo losetup -f tells us the next available loop device is /dev//loop0
Now we mount the volume with:
sudo losetup –r –o 1049624576 /dev/loop0 [path and name].img
-r is read only –o is offset in bytes
If you get your prompt back with no errors then we will confirm there is a LUKS volume mounted at loop0 with:
sudo cryptsetup luksUUID /dev/loop0
Then we will decrypt the volume with:
sudo cryptsetup luksOpen /dev/loop0 decrypted
After entering the decryption password you should get your command prompt back.
What this has effectively done is decrypted the volume and ported the decrypted data to a mount point in the /dev/mapper location.
So now we can see what is there by taking a closer look at the decrypted file in /dev/mapper and we should see the decrypted logical volume manager with the GUID.
Now we can list out the mapped volumes and see the swap volume which can now be easily accessed to copy out or imaged for further analysis.
From this point you can change directories and create images of the volume with your favorite tool.