KIT-CERT / Linux-Forensic-Checklist
Commit a7fad363 authored Sep 25, 2015 by Heiko Reese
Added paragraph about dumping LUKS masterkeys.
parent ba4206c5
Changes 1
Linux-Forensics-Checklist.md
@@ -329,7 +329,7 @@ kill -9 ${PID}
If you can't get an image of the system's storage afterwards for offline
forensics, you need to create a rudimentary timeline now. Otherwise, skim over
the next parts and process to
[
shutdown part
](
#power-down-system
)
.
the next parts and process to
[
dumping LUKS keysp
](
optionally-retrieve-LUKS-master-keys
)
.
Using
`find`
on
a filesystem will
`stat()`
every file and directory on a filesystem thus
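Review bot: the new link target `optionally-retrieve-LUKS-master-keys` (the line that replaces `#power-down-system`) is missing the leading `#`, so it resolves as a relative URL to a non-existent page instead of an in-page anchor; heading anchors are generated in lowercase, so it should read `#optionally-retrieve-luks-master-keys`. The link text also carries a typo, `dumping LUKS keysp`, and the unchanged phrase `process to` in the same sentence is presumably meant as `proceed to`.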
@@ -431,9 +431,38 @@ are no hard rules here, just some general ideas:
TODO: journald, …
### Optionally
R
etrieve LUKS master keys
### Optionally
r
etrieve LUKS master keys
Find out if there are any LUKS-encrypted devices:
```
sh
for
dev
in
$(
lsblk
-n
-o
KNAME
)
;
do
if
cryptsetup isLuks
"/dev/
${
dev
}
"
;
then
echo
$dev
;
cryptsetup luksDump /dev/sdc2
>
cryptsetup_luksDump_
$dev
.txt
fi
;
done
```
There are two options if the system has encrypted disks and the current owner
does not want to share the secret key. Both options requires someone who knows
the encryption keys to enter them once for each device.
Option one: add another keys using
```
sh
cryptsetup luksAddKey /dev/…
```
While this changes the LUKS-header on-disk, it does not affect the containing filesystem.
Option two: dump the encryption masterkey. Handle with care!
```
sh
for
dev
in
$(
lsblk
-n
-o
KNAME
)
;
do
if
cryptsetup isLuks
"/dev/
${
dev
}
"
;
then
echo
$dev
;
cryptsetup
--dump-master-key
luksDump
"/dev/
${
dev
}
"
|
tee
cryptsetup_luksDump_
$dev
.masterkey
fi
;
done
```
## Power down system
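Review bot: in the first loop, `cryptsetup luksDump /dev/sdc2` dumps a hard-coded device rather than the one the loop just detected; it should be `cryptsetup luksDump "/dev/${dev}"` to match the `isLuks` test and the second loop, otherwise every LUKS device found produces a copy of sdc2's header (or an error when sdc2 does not exist). The redirect and `tee` targets should quote the variable as well (`cryptsetup_luksDump_"${dev}".txt`). In the prose, `add another keys` should be `add another key` and `Both options requires` should be `Both options require`. The `.masterkey` file written by `tee` is plaintext key material, and `Handle with care!` does not say where it lands: the text should state that it goes to the examiner's evidence medium, not the working directory on the compromised host. The heading edit is a case-only change (`R` to `r`), consistent with `## Power down system` below.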