Bruteforcing Linux Full Disk Encryption (LUKS) with hashcat - The Forensic way!

This walk-through will show you how to Bruteforce LUK volumes using hashcat. How you can mount a LUK partition and how we can image it once it's decrypted.

Hashcast Image

Scenario: You've got a Macbook in. MacOS has been removed and Debian 9.0  has been installed. The suspect is using LUKS (Linux Unified Key Setup) full disk encryption to encrypt the disk. Password unknown and we need a forensically sound method to access the data. This is how I'd do it:


Skip to step 5 to just see the hashcat step.
Skip to step 6 just to see the mounting and imaging.  

1. Image the Macbook and load into Encase

Imaging hard drive can be done forensically sound via thunderbolt, another Mac and, target disk mode. This is fairly easy and common so won’t be detailed here.   

Once we have an evidence file and loaded into EnCase we can see that the boot partition is visible but hda2 appears as Unallocated Clusters in an EXT2 partition.

We can see however the LUKS header, which is telling us it is AES encrypted using XTS-plain64.

3. Export the encrypted partition

To decrypt and mount this we need to export out the encrypted partition as a raw image. I found the easiest way to do this was using FTK Imager. Either by mounting the partition in as emulated disk with EnCase or easier by just loading the image file into FTK Imager.

Once loaded "right click" on the encrypted partition and choose "Export Disk Image".

Set your fragmentation to 0.

4. Partition Header - Hashcat 'hash' file.

We will be using hashcat, a password cracking software available for both Windows and Linux.
Usually hashcat works by cracking a hashed copy of a password, so we would normal load in a single hash or a list of hashes in a text file. 

LUKS is different in that it does not store this Master Key used to encrypt the data in one location. Rather is it stored in Anti-forensic (AF) Stripes. AF stripes cause the key to be stored across a larger disk area so that overwriting one stripe causes all the data to be lost. Darell Tan has an excellent write up and explanation of this.

This is to say that we therefore need to run hashcat over the partition, with hashcat being clever enough to locate all these stripes. Luckily hashcat only needs around the 1st 2MB to crack the password, which means we can make it much more portable by segmenting this away. 

You can create a 2MB header using FTK imager by fragmenting the image to 2MB, and cancelling the imaging as quick as you can and deleting the 100 or so 2mb fragments created and leaving just the 1st one. Alternatively when you’ve moved the full partition to linux  you can use this dd command:

sudo dd if=LUKS_Partition.001 of=LUKS_Header.dd bs=512 count=4079

The FTK way:
Fragmentation set to 2.

If you prefer the dd method: 

5. Hashcat

Now we’re going to use hashcat. This step can be done in either windows or linux, but for sake of convenience I’m using linux as we’ll need that to decrypt the partition and mount it.

You’ll need a copy of hashcat 3.5+, either set as a variable on your system or just extracted into the folder you’re working from like I did.

Hashcat has many options to cracking a password, from straight bruteforcing to dictionary attacks, rule based attacks and mask attacks.

While bruteforcing is the most thought of when it comes to cracking it is the most inefficient, most likely taking months or centuries (or a millennia) to crack.  Rule based attacks and mask attacks can massively increase the effectiveness of your attack and dramatically lower the cracking time. They are the best way to crack, I recommend learning them. For more info look in the –help or the hashcat forums.

For the sake of this tutorial I already know the password for the container, so I am using a dictionary attack with a custom dictionary file (a text file with the password in). There are many good dictionary files you can use based on known passwords, Rockyou is a good one and can be downloaded along with others here

Once you have the partition image and the header image copied to linux and hashcat is ready, you want to run this command from the terminal, from the location your image files are. 
This runs hashcat using a dictionary attack, using a dictionary called “Dictionary.txt”

./hashcat-3.5.0/hashcat64.bin -m 14600 -a 0 -w 3 LUKS_Partition.001 Dictionary.txt -o luks_password.txt

The general hashcat syntax is:
In this instance:

-m = hash method - 14600 for LUK encryption
-a = Crack method - 0 for standard dictionary (3 for bruteforce)
-w = resource allocation - 3 for high
LUKS_Partition.001 = Encrypted partition
Dictionary.txt = dictionary
-o = output luks_password.txt

You should see this result (I've obscured my password):

6. Decrypting the partition

Now we have the password we can decrypt the container! Using cryptsetup with the command:

sudo cryptsetup luksopen LUKS_Partition.001 Decrypted_partition

Enter your admin password, then enter the LUKS password provided by hashcat. This will create a ‘file’ of the decrypted partition at: /dev/mapper/Decrypted_partition. Using ls we can see it:

7. Mounting the partition

First create a location you want to mount it to:
sudo mkdir /mnt/Decrypted_partition
if you try to mount it with:

sudo mount /dev/mapper/Decrypted_partition /mnt/Decrypted_partition

You’ll likely get the error of “mount: Unknown Filesystem type"

If so, just run:
sudo apt-get install lvm2
sudo lvscan

This shows you the logical volumes in the decrypted partition and we can now mount the root partition with:
sudo mount /dev/macdeb-vg/root /mnt/Decrypted_partition –r

We could also easily mount the swap partition using the same mkdir and mount command.

8. Browsing the data

We can now browse to the /mnt/Decrypted_partition and see our previously hidden data!

9. Imaging the de-crypted partition

Imaging the decrypted data is now easy using dd or even better dc3dd! But make sure you point it to /dev/mac-deb-vg. I used the command:

sudo dc3dd if=/dev/macdeb-vg/root of=/media/Patrick/KINGSTON/decrypted_partition.dd

10. Viewing it in EnCase!

With the de-crypted partition imaged, we can load it into EnCase or any other tool and see that the data is now readable.

Thanks again for reading. If you have any comments or suggestions, please comment them below!


  1. Great article. Thanks for including all the required steps. Do you have any suggestions for the best Linux environment for digital forensics?

    1. For acquisitions, live booting and quick & dirty work, Sumuri's Paladin Forensic Suite is currently the best. Especially if you want to learn, I did a final year university coursework with The Sleuth Kit. But for professional use, unfortunately, it is just Windows and MacOS (especially for mobile analysis).

  2. Great step by step information. Thanks


Post a Comment

Popular posts from this blog

How to Root Galaxy S7 Edge without wiping data to obtain a Physical Extraction