Showing posts from 2018

Bruteforcing Linux Full Disk Encryption (LUKS) with hashcat - The Forensic way!

This walk-through will show you how to Bruteforce LUK volumes using hashcat. How you can mount a LUK partition and how we can image it once it's decrypted.

Scenario: You've got a Macbook in. MacOS has been removed and Debian 9.0  has been installed. The suspect is using LUKS (Linux Unified Key Setup) full disk encryption to encrypt the disk. Password unknown and we need a forensically sound method to access the data. This is how I'd do it:
Requirements: Hashcat 3.5.0+ FTK imager (optional)
Encase (optional)

Skip to step 5 to just see the hashcat step. Skip to step 6 just to see the mounting and imaging.  
1. Image the Macbook and load into Encase Imaging hard drive can be done forensically sound via thunderbolt, another Mac and, target disk mode. This is fairly easy and common so won’t be detailed here.   
Once we have an evidence file and loaded into EnCase we can see that the boot partition is visible but hda2 appears as Unallocated Clusters in an EXT2 partition.

We can s…