Hi,
I've written another write-up on how to bruteforce LUKS volumes using hashcat, how you can mount a LUKS partition, and how we can image it once it's decrypted.
You can read it here
I hope it's useful to someone.
If you have any feedback, I'd appreciate it.
Thanks,
Patrick
Very, very nice, thanks.
A couple of notes/suggestions, if I may:
1) I do like the practical and "hands-on" approach you have, and the very specificity of naming exactly the programs used and the exact procedures used, but the suggestion of using FTK Imager to extract 2 MB or so from a RAW file and "stop it as soon as possible, then delete excess files" seems to me (while an ingenious idea) like "pure folly" 😯 .
I mean, if the audience is people interested in digital forensics, they should already have - besides each and every available dd and dd-like program - any number of suitable hex editors and/or other programs with that capability.
If you prefer, FTK Imager should IMHO be marked as optional, as EnCase is, maybe providing a few suggestions for Windows users, including FTK Imager itself, but focusing more on the steps needed (finding the offset to the beginning of the encrypted partition and getting the first two MB out of it).
2) The time needed to "bruteforce" with hashcat, 18 seconds total from the screenshot, is of course "unreal", as you correctly stated. What you actually did for the sake of the example was to supply a dictionary with just the correct password, so it is hardly "bruteforcing"; it is more like "entering the correct password".
Actually, bruteforcing will likely take days or weeks, and with no guarantee whatsoever of success.
Maybe you could add a more visible note/warning to that effect just under the screenshot of the Hashcat run, or less experienced users may somehow assume that decrypting a LUKS volume is "almost instantaneous" and "guaranteed".
jaclaz
Hi,
Thanks for your feedback!
You're absolutely right about the FTK method for grabbing the header being pure folly. I was smiling broadly to myself while I was writing it, thinking it was silly, but I wanted to show an alternative to dd. I've taken your suggestion of marking FTK Imager as optional.
I've noted your second point and amended that bit to include a paragraph about how difficult bruteforcing is, and stated my preferred method. Perhaps I was wrong to entitle the post "Bruteforcing LUKS" and would have been better with "Cracking LUKS" to save any confusion.
Thanks again
Why not just use the cryptsetup command to create the LUKS header?
cryptsetup luksHeaderBackup LUKS_Partition.001 --header-backup-file LUKS_Header.dd
Also, you go to the effort of extracting the LUKS header but then run hashcat across the whole partition…
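Added example, not from the original thread or from Patrick's write-up: a Python script covering both jaclaz's point (find the offset of the encrypted partition in a raw image and pull out the first couple of MB) and the point above (give hashcat only the header, not the whole partition). It scans a raw image for the LUKS magic on a sector boundary, parses the LUKS1 header fields, and carves exactly the header-plus-keyslot region (payload-offset × 512 bytes), which is the same region `cryptsetup luksHeaderBackup` writes out. The sample image, cipher parameters, iteration counts and UUID are all constructed placeholders, not values from any real case; `dd_command` is a convenience helper, not a cryptsetup or hashcat feature.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"   # 'LUKS' 0xBA 0xBE: start of every LUKS1 header
SECTOR = 512
PHDR_LEN = 592                 # fixed LUKS1 phdr: 208-byte head + 8 key slots of 48 bytes
SLOT_ACTIVE = 0x00AC71F3       # LUKS1 key-slot "enabled" marker; 0x0000DEAD means disabled


def _cstr(buf: bytes) -> str:
    """Decode a NUL-padded ASCII field."""
    return buf.split(b"\0", 1)[0].decode("ascii", errors="replace")


def find_luks_headers(image: bytes) -> list:
    """Byte offsets of every LUKS magic that sits on a sector boundary.

    A raw disk image normally has a partition table in front of the encrypted
    partition, so the header is rarely at offset 0. Requiring sector alignment
    filters out copies of the magic that merely occur inside file contents.
    """
    found, pos = [], image.find(LUKS_MAGIC)
    while pos != -1:
        if pos % SECTOR == 0:
            found.append(pos)
        pos = image.find(LUKS_MAGIC, pos + 1)
    return found


def parse_luks1_header(image: bytes, offset: int) -> dict:
    """Parse the big-endian LUKS1 phdr fields found at `offset`."""
    hdr = image[offset:offset + PHDR_LEN]
    if len(hdr) < PHDR_LEN or hdr[:6] != LUKS_MAGIC:
        raise ValueError(f"no LUKS magic at offset {offset}")
    version = struct.unpack(">H", hdr[6:8])[0]
    if version != 1:
        raise ValueError(f"LUKS version {version}: only the LUKS1 layout is parsed here")
    payload_offset, key_bytes = struct.unpack(">II", hdr[104:112])
    slots = []
    for i in range(8):
        base = 208 + 48 * i
        active, iterations = struct.unpack(">II", hdr[base:base + 8])
        slots.append({"active": active == SLOT_ACTIVE, "iterations": iterations})
    return {
        "cipher_name": _cstr(hdr[8:40]),
        "cipher_mode": _cstr(hdr[40:72]),
        "hash_spec": _cstr(hdr[72:104]),
        "payload_offset": payload_offset,   # in 512-byte sectors
        "key_bytes": key_bytes,
        "mk_iterations": struct.unpack(">I", hdr[164:168])[0],
        "uuid": _cstr(hdr[168:208]),
        "active_slots": [i for i, s in enumerate(slots) if s["active"]],
        "slot_iterations": [s["iterations"] for s in slots],
    }


def carve_header(image: bytes, offset: int) -> bytes:
    """Header plus key-slot material: payload_offset * 512 bytes starting at the magic.

    This is the region a password-recovery tool actually needs (and what
    luksHeaderBackup writes); the encrypted payload after it adds nothing.
    """
    info = parse_luks1_header(image, offset)
    length = info["payload_offset"] * SECTOR
    if offset + length > len(image):
        raise ValueError("image is truncated before the end of the key-slot area")
    return image[offset:offset + length]


def dd_command(image_path: str, offset: int, payload_offset: int) -> str:
    """Equivalent dd invocation for carving the same region on the command line."""
    return (f"dd if={image_path} of=LUKS_Header.dd bs={SECTOR} "
            f"skip={offset // SECTOR} count={payload_offset}")


def build_sample_image() -> bytes:
    """CONSTRUCTED test image: 1 MiB of leading space, a LUKS1 header whose
    header/key-slot area is 2 MiB, then a little dummy 'ciphertext'."""
    hdr = bytearray(PHDR_LEN)
    hdr[0:6] = LUKS_MAGIC
    struct.pack_into(">H", hdr, 6, 1)                 # version 1
    hdr[8:11] = b"aes"
    hdr[40:51] = b"xts-plain64"
    hdr[72:78] = b"sha256"
    struct.pack_into(">II", hdr, 104, 4096, 64)       # payload at sector 4096 (2 MiB), 512-bit key
    hdr[112:132] = b"\x11" * 20                       # mk-digest placeholder
    hdr[132:164] = b"\x22" * 32                       # mk-digest-salt placeholder
    struct.pack_into(">I", hdr, 164, 6250)            # mk-digest-iter placeholder
    hdr[168:204] = b"00000000-0000-4000-8000-000000000000"  # placeholder UUID
    struct.pack_into(">II", hdr, 208, SLOT_ACTIVE, 100000)  # slot 0 enabled, placeholder iterations
    hdr[216:248] = b"\x33" * 32                       # slot 0 salt placeholder
    struct.pack_into(">II", hdr, 248, 8, 4000)        # key-material offset (sectors), stripes
    for i in range(1, 8):
        struct.pack_into(">I", hdr, 208 + 48 * i, 0x0000DEAD)  # slots 1-7 disabled
    return (b"\0" * (1024 * 1024) + bytes(hdr)
            + b"\0" * (4096 * SECTOR - PHDR_LEN)      # rest of the key-slot area
            + b"\xab" * 65536)                        # stand-in for the encrypted payload


if __name__ == "__main__":
    img = build_sample_image()
    for off in find_luks_headers(img):
        info = parse_luks1_header(img, off)
        print(f"LUKS1 header at byte {off}: {info['cipher_name']}-{info['cipher_mode']}, "
              f"{info['hash_spec']}, active slots {info['active_slots']}")
        print(dd_command("LUKS_Partition.001", off, info["payload_offset"]))
        with open("LUKS_Header.dd", "wb") as f:
            f.write(carve_header(img, off))
```

Run against a real raw image by replacing `build_sample_image()` with the file's bytes (or an mmap for large images). The resulting `LUKS_Header.dd` is the file to hand to hashcat's LUKS mode (`-m 14600`) instead of the full partition; the parsed slot iteration counts also tell you up front how expensive each guess will be, which is the honest answer to the "18 seconds" question raised earlier in the thread.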
Thank you for the write-up! We've been exploring other options outside of Passware for LUKS because the speeds we're getting are just abysmal (only 13k/sec running 30-odd agents, all with multiple GPUs…yeek).
(One extremely minor error: you said the MacBook was running iOS instead of OSX/macOS)
Why not just use the cryptsetup command to create the LUKS header?
cryptsetup luksHeaderBackup LUKS_Partition.001 --header-backup-file LUKS_Header.dd
Seems like a good way to do it. The reason why is that I didn't know. So, thanks.
(One extremely minor error: you said the MacBook was running iOS instead of OSX/macOS)
My pleasure, I hope it helps! And thanks, I've corrected it now.