Open an encrypted LUKS volume
This section explains how to open an encrypted LUKS volume, either with its passphrase or with the master key recovered from a live memory dump.
The image header, as reported by the file utility, identifies it as a LUKS version 1 container (AES in ECB mode, SHA-1 hash):
backup/forensic.img: LUKS encrypted file, ver 1 [aes, ecb, sha1] UUID: f832c51b-4f4d-446d-9d21-746b5c26095b
If you have the LUKS passphrase:
$ mkdir mount1
$ sudo cryptsetup luksOpen mem.img mount1
Enter passphrase for mem.img:
$ sudo mount /dev/mapper/mount1 mount1/
$ cd mount1/
$ [...]
$ cd ..
$ sudo umount mount1
Otherwise, if you have a live memory dump, you can extract the AES key with findaes (see the post Study a live memory dump):
$ ./findaes live-mem.dmp
Searching live-mem.dmp
Found AES-128 key schedule at offset 0x1c5f6c30:
1f ab 01 5c 1e 3d f9 ea c8 72 8f 65 a3 d1 66 46
$ echo 1fab015c1e3df9eac8728f65a3d16646 | xxd -r -p > key.bin
$ mkdir mount2
$ sudo cryptsetup --master-key-file key.bin luksOpen mem.img mount2
$ sudo mount /dev/mapper/mount2 mount2
$ cd mount2/
$ [...]
$ cd ..
$ sudo umount mount2
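The two procedures above (passphrase, or a master key recovered with findaes) wrapped into a small shell script. This is an added example, not code from the original post or from the findaes or cryptsetup projects: the script name, the function names (hex_to_keyfile, key_bits, open_image, close_image) and the mapper/mount names are this example's own. It converts the findaes key line to a binary key file without depending on xxd (which ships with vim and is not always installed), checks that the recovered key length matches the volume's "MK bits" as printed by cryptsetup luksDump for LUKS1, and opens and mounts the container read-only so the evidence image is never written to.

```shell
#!/bin/sh
# open_luks_image.sh (added example): open a LUKS1 image read-only, either with
# its passphrase or with an AES master key recovered from a memory dump.

# Turn a hex key as printed by findaes ("1f ab 01 ..." or "1fab01...") into a
# binary key file with owner-only permissions. Prints the number of bytes written.
hex_to_keyfile() {
    hex=$(printf '%s' "$1" | tr -d ' \n' | tr 'A-F' 'a-f')
    out=$2
    case "$hex" in
        ''|*[!0-9a-f]*) echo "hex_to_keyfile: not a hex string" >&2; return 1 ;;
    esac
    if [ $(( ${#hex} % 2 )) -ne 0 ]; then
        echo "hex_to_keyfile: odd number of hex digits" >&2; return 1
    fi
    : > "$out" && chmod 600 "$out" || return 1
    while [ -n "$hex" ]; do
        rest=${hex#??}            # everything after the first two digits
        byte=${hex%"$rest"}       # the first two hex digits
        # write one byte via its octal value (\0nnn) to avoid needing xxd
        printf '%b' "\\0$(printf '%03o' "0x$byte")" >> "$out"
        hex=$rest
    done
    printf '%s\n' $(( $(wc -c < "$out") ))
}

# Key length in bits, for comparison with the volume's master key size.
key_bits() {
    printf '%s\n' $(( $(wc -c < "$1") * 8 ))
}

# open_image IMAGE MAPPER_NAME [KEYFILE]: without KEYFILE cryptsetup asks for the
# passphrase. The device mapping and the mount are both read-only.
open_image() {
    img=$1; name=$2; keyfile=${3:-}
    if [ -n "$keyfile" ]; then
        # LUKS1 luksDump prints the master key size as "MK bits: N"; refuse a key
        # of the wrong size instead of letting cryptsetup map garbage.
        want=$(sudo cryptsetup luksDump "$img" | sed -n 's/^MK bits:[[:space:]]*//p')
        have=$(key_bits "$keyfile")
        if [ -n "$want" ] && [ "$want" != "$have" ]; then
            echo "open_image: key is $have bits but the volume expects $want" >&2
            return 1
        fi
        sudo cryptsetup --readonly --master-key-file "$keyfile" luksOpen "$img" "$name" || return 1
    else
        sudo cryptsetup --readonly luksOpen "$img" "$name" || return 1
    fi
    mkdir -p "$name" && sudo mount -o ro "/dev/mapper/$name" "$name"
}

# Undo open_image: unmount, then remove the device-mapper entry.
close_image() {
    sudo umount "$1" && sudo cryptsetup luksClose "$1"
}

# Usage (not executed when the file is sourced):
#   . ./open_luks_image.sh
#   hex_to_keyfile '1f ab 01 5c 1e 3d f9 ea c8 72 8f 65 a3 d1 66 46' key.bin
#   open_image mem.img mount2 key.bin     # or: open_image mem.img mount1
#   close_image mount2
```

The findaes line on this page is 16 bytes, so key_bits reports 128, which is what a LUKS1 volume created with aes-ecb and a 128-bit master key reports under "MK bits". The luksDump check only applies to LUKS1 (LUKS2 reports key sizes differently) and is skipped when the line is absent. Opening with --readonly and mounting with -o ro means a journaling filesystem cannot replay its journal onto the image.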
Written on June 7, 2020