Imaging LUKS Encrypted Drives
This is a "guest diary" submitted by Tom Webb. We will gladly forward any responses or please use our comment/forum section to comment publically. Tom is currently enrolled in the SANS Masters Program.
When imaging a live system there are several factors to be taken into account. But this post is going to cover encrypted Linux systems. Use of the logical drive for imaging encrypted systems is critical if you do not have the decryption password.
A couple of key commands to use on Linux systems are: mount and fdisk. The mount command will give you a list of devices that are currently available to the OS. These mappings are the logical mounts on the system.
When reading output from the mount command on the left side is the device/object that is mounted and on the right is the logical mount point (e.g. Folder name).
# mount /dev/mapper/tw--pc-root on / type ext4 (rw,errors=remount-ro,commit=0)
proc on /proc type proc (rw,noexec,nosuid,nodev)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
/dev/sda1 on /boot type ext2 (rw)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,noexec,nosuid,nodev)
vmware-vmblock on /run/vmblock-fuse type fuse.vmware-vmblock (rw,nosuid,nodev,default_permissions,allow_other)
gvfs-fuse-daemon on /home/twebb/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=twebb)
sysfs on /sys type sysfs (rw,noexec,nosuid,nodev)
/dev/sda1 on /boot type ext2 (rw)
binfmt_misc on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,noexec,nosuid,nodev)
vmware-vmblock on /run/vmblock-fuse type fuse.vmware-vmblock (rw,nosuid,nodev,default_permissions,allow_other)
gvfs-fuse-daemon on /home/twebb/.gvfs type fuse.gvfs-fuse-daemon (rw,nosuid,nodev,user=twebb)
In the example above, I'm running whole disk encryption using LUKS. You can tell this by seeing the /dev/mapper being used for the mount point / instead of a hard drive device.
The boot mount points to a hard disk device /dev/sda1. This device is being directly mounted to a disk partition and is not encrypted. This is a typical setup for LUKS where the kernel is located in an unencrypted volume and all other volumes are encrypted.
Now we know what is mounted on the file system, lets look at the available disks and see if there are additional disks not mounted that we need to capture.
root@tw-pc:/tmp# fdisk -l
Disk /dev/sdb: 1000.2 GB, 1000204886016 bytes �255 heads, 63 sectors/track, 121601 cylinders, total 1953525168 sectors� Units = sectors of 1 * 512 = 512 bytes� Sector size (logical/physical): 512 bytes / 512 bytes �I/O size (minimum/optimal): 512 bytes / 512 bytes �Disk identifier: 0x08020000
Disk /dev/sdb doesn't contain a valid partition table
Disk /dev/mapper/sda5_crypt: 999.9 GB, 999946186752 bytes�
255 heads, 63 sectors/track, 121569 cylinders, total 1953019896 sectors
�Units = sectors of 1 * 512 = 512 bytes
�Sector size (logical/physical): 512 bytes / 512 bytes
�I/O size (minimum/optimal): 512 bytes / 512 bytes
�Disk identifier: 0x00000000
Disk /dev/mapper/sda5_crypt doesn't contain a valid partition table
Disk /dev/mapper/tw--pc-root: 975.4 GB, 975435726848 bytes�
255 heads, 63 sectors/track, 118589 cylinders, total 1905147904 sectors�
Units = sectors of 1 * 512 = 512 bytes
�Sector size (logical/physical): 512 bytes / 512 bytes
�I/O size (minimum/optimal): 512 bytes / 512 bytes�
Disk identifier: 0x00000000
Disk /dev/mapper/tw--pc-root doesn't contain a valid partition table
Disk /dev/mapper/tw--pc-swap_1: 24.5 GB, 24461180928 bytes
�255 heads, 63 sectors/track, 2973 cylinders, total 47775744 sectors
�Units = sectors of 1 * 512 = 512 bytes
�Sector size (logical/physical): 512 bytes / 512 bytes�
I/O size (minimum/optimal): 512 bytes / 512 bytes
�Disk identifier: 0x00000000
Disk /dev/mapper/tw--pc-swap_1 doesn't contain a valid partition table
In the above output we see that /dev/sda has three partitions (sda1,sda2,sda5). We see that /dev/mapper is using sda5 and that tells us that partition is encrypted. We also have a /dev/sdb device that is not mounted and appears to not have a valid partition This is likely an encrypted drive that is not currently mounted.
what options do you have?
�If you know the encryption password and the system is not RAID I would image the physical drive. The Physical drive were /dev/sda and /dev/sdb.
#dcfldd if=/dev/sda of=/mount/usb/system-sda.dd conv=noerror,sync bs=512 hash=md5,sha256 hashwindow=10G md5log=sda.md5 sha256log=sda.sha256
#dcfldd if=/dev/sdb of=/mount/usb/system-sdb.dd conv=noerror,sync bs=512 hash=md5,sha256 hashwindow=10G md5log=sdb.md5 sha256log=sdb.sha256
If you do not know the password, grab the logical volume (in this case / which is mapped to the device /dev/mapper/tw--pc-root ) of the first drive and the physical of the second. Also grabbing memory from the system maybe used to guess the password.
Test to see if you imaged the physical partition could you mount it
#mount -o ro,loop /dev/sda5 /tmp/mount/ mount: unknown filesystem type 'crypto_LUKS'
It appears that it is a LUKS encrypted
Test the logical partition and see if it looks correct
#dd if=/dev/mapper/tw--pc-root of=/tmp/usb/test.dd count=10
Use the file command to see if it will detect the test as a valid partition.
#file test.dd test.dd: Linux rev 1.0 ext4 filesystem data, UUID=69cc19e5-5c81-4581-ac0b-9c8fac8f9d96 (needs journal recovery) (extents) (large files) (huge files)
Above, we can see that the file command successfully detected this as a valid partition.
Check and see if the partition is encrypted by running strings on the test image.
#strings test.dd
GNU GENERAL PUBLIC LICENSE�
Version 2, June 1991
�Copyright (C) 1989, 1991 Free Software Foundation, Inc.�
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
�Everyone is permitted to copy and distribute verbatim copies�
of this license document, but changing it is not allowed.
All signs appear to indicate that the logical image will work as we intend.
Collecting Logical Drive
#dcfldd if=/dev/mapper/tw--pc-root of=/mount/usb/logical-sda.dd conv=noerror,sync bs=512 hash=md5,sha256 hashwindow=10G md5log=logical-sda.md5 sha256log=logical-sda.sha256
Once collected you will need to use the following mount command, courtesy of Hal Pomeranz http://goo.gl/gdXhQk, to access it.
#mount -o loop,ro,noexec,noload logical-sda.dd /tmp/mount/
-----
Tom Webb
My next class:
Network Monitoring and Threat Detection In-Depth | Singapore | Nov 18th - Nov 23rd 2024 |
×
Diary Archives
Comments
Anonymous
Aug 15th 2013
1 decade ago
Anonymous
Aug 15th 2013
1 decade ago
Think un-allocated portions of a disk drive could contain malware, or the boot block is infected. You never know the whole story unless you have the whole story. Alway image a drive if you are interested in forensic information. If all you care about is some of the files, get a good backup system and recover from that.
Anonymous
Aug 16th 2013
1 decade ago
You shouldn't use dcfldd any more though, as it isn't be maintained any more (latest update is from 2006!) and contains known bugs: http://sourceforge.net/p/dcfldd/bugs/
Instead, dd would be sufficient for illustration purposes in this blogpost, or alternatively the much more versatile dc3dd would be a good choice.
Marek
Anonymous
Aug 26th 2013
1 decade ago
You shouldn't use dcfldd any more though, as it isn't maintained any more (latest update is from 2006!) and contains known bugs: http://sourceforge.net/p/dcfldd/bugs/
Instead, dd would be sufficient for illustration purposes in this blogpost, or alternatively the much more versatile dc3dd would be a good choice.
Marek
Anonymous
Aug 26th 2013
1 decade ago