Encrypted disk

Forensics Category


<aside> 📖 Challenge content: Forensics.img, memory.raw

</aside>

┌──(rudrakshacker㉿kali)-[~/Downloads/CSAW]
└─$ file forensic.img
forensic.img: LUKS encrypted file, ver 1 [aes, ecb, sha1] UUID: 61478c6d-b04e-4f1a-aff6-b4bb3a29cfbe
┌──(rudrakshacker㉿kali)-[~/Downloads/CSAW]
└─$ mv forensic.img forensic.luks
┌──(rudrakshacker㉿kali)-[~/Downloads/CSAW]
└─$ file memory.raw  
memory.raw: data
┌──(rudrakshacker㉿kali)-[~/Downloads/CSAW]
└─$ hexdump -C forensic.img| head 
00000000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  65 63 62 00 00 00 00 00  |........ecb.....|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000040  00 00 00 00 00 00 00 00  73 68 61 31 00 00 00 00  |........sha1....|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000060  00 00 00 00 00 00 00 00  00 00 08 00 00 00 00 10  |................|
00000070  a0 0c 4d c4 4a 53 5c 00  0c c3 33 63 13 5b 2c 41  |..M.JS\...3c.[,A|
00000080  8e a3 3f a9 5e 84 10 01  a8 19 06 22 6a 7b 1b df  |..?.^......"j{..|
00000090  35 73 46 8e 0e 7e f4 68  b0 97 38 81 cf 6d 99 7c  |5sF..~.h..8..m.||

According to Wikipedia, the Linux Unified Key Setup (LUKS) is **a disk encryption specification created by Clemens Fruhwirth in 2004 and originally intended for Linux**. LUKS uses the device-mapper crypt target (dm-crypt) kernel module to handle encryption at the block-device level. The `file` output and the hexdump agree: the header starts with the LUKS magic, version 1, and then the NUL-padded cipher name (aes), cipher mode (ecb) and hash spec (sha1), followed by the payload offset (0x800 sectors) and the key size (0x10 = 16 bytes, i.e. AES-128).
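To make the header fields concrete, here is an added LUKS1 header parser (example code written for this write-up, not part of the original post or of cryptsetup). It decodes the fixed 592-byte LUKS1 header, lists the active key slots, flags settings a reviewer would question (ECB mode, SHA-1), and works out what size of AES key a memory search should look for. The sample header is constructed: its first 112 bytes reproduce the hexdump above exactly and the UUID is the one `file` reported, while the digest, salts, iteration counts and key-slot values are made up.

```python
import struct

# LUKS1 on-disk header (phdr): 208 fixed bytes followed by 8 key slots of 48 bytes.
# Layout follows the LUKS1 specification; all integers are big-endian.
LUKS_MAGIC = b"LUKS\xba\xbe"
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")  # magic, version, cipher-name, cipher-mode,
                                                   # hash-spec, payload-offset (sectors), key-bytes,
                                                   # mk-digest, mk-digest-salt, mk-digest-iter, uuid
KEYSLOT = struct.Struct(">II32sII")                # active, iterations, salt, key-material-offset, stripes
KEYSLOT_ACTIVE = 0x00AC71F3
KEYSLOT_DISABLED = 0x0000DEAD
SECTOR_BYTES = 512
HEADER_BYTES = PHDR.size + 8 * KEYSLOT.size        # 592
AES_SCHEDULE_BYTES = {128: 176, 192: 208, 256: 240}  # expanded key schedule size per AES key size

# First 112 bytes exactly as shown in the hexdump of forensic.img above.
PAGE_HEADER_PREFIX = bytes.fromhex(
    "4c554b53babe0001" + "616573" + "00" * 29 + "656362" + "00" * 29
    + "73686131" + "00" * 28 + "00000800" + "00000010"
)


def looks_like_luks1(data):
    """Quick magic + version check, the same signature `file` keys on."""
    return data[:6] == LUKS_MAGIC and data[6:8] == b"\x00\x01"


def _cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_luks1_header(data):
    """Parse a LUKS1 header into a dict; raises ValueError if the data is not one."""
    if len(data) < HEADER_BYTES:
        raise ValueError(f"need {HEADER_BYTES} bytes, got {len(data)}")
    (magic, version, cname, cmode, hspec, payload_off, key_bytes,
     mk_digest, mk_salt, mk_iter, uuid) = PHDR.unpack_from(data, 0)
    if magic != LUKS_MAGIC:
        raise ValueError("LUKS magic not found")
    if version != 1:
        raise ValueError(f"unsupported LUKS version {version}")
    active = []
    for n in range(8):
        state, iters, salt, km_off, stripes = KEYSLOT.unpack_from(data, PHDR.size + n * KEYSLOT.size)
        if state == KEYSLOT_ACTIVE:
            active.append({"slot": n, "iterations": iters,
                           "key_material_sector": km_off, "stripes": stripes})
        elif state != KEYSLOT_DISABLED:
            raise ValueError(f"keyslot {n} has unknown state {state:#x}")
    return {
        "version": version,
        "cipher_name": _cstr(cname),
        "cipher_mode": _cstr(cmode),
        "hash_spec": _cstr(hspec),
        "payload_offset_bytes": payload_off * SECTOR_BYTES,
        "key_bits": key_bytes * 8,
        "mk_digest_iterations": mk_iter,
        "uuid": _cstr(uuid),
        "active_keyslots": active,
    }


def config_warnings(hdr):
    """Header settings a reviewer would question."""
    notes = []
    if hdr["cipher_mode"] == "ecb":
        notes.append("ECB mode: no IV, so identical plaintext sectors encrypt identically and patterns leak")
    if hdr["hash_spec"] == "sha1":
        notes.append("SHA-1 as the PBKDF2 hash: legacy choice")
    for slot in hdr["active_keyslots"]:
        if slot["iterations"] < 1000:
            notes.append(f"keyslot {slot['slot']}: only {slot['iterations']} PBKDF2 iterations")
    return notes


def memory_key_hint(hdr):
    """For an AES container: the AES key size and expanded-schedule size a memory search should expect."""
    if hdr["cipher_name"] != "aes":
        return None
    bits = hdr["key_bits"]
    if hdr["cipher_mode"].startswith("xts"):
        bits //= 2  # XTS splits the volume key into two equal AES keys
    return {"aes_bits": bits, "schedule_bytes": AES_SCHEDULE_BYTES.get(bits)}


def build_sample_header():
    """Constructed 592-byte header for this example: fixed fields match forensic.img
    (aes/ecb/sha1, payload at sector 0x800, 16-byte key, the UUID `file` printed);
    digest, salts, iteration counts and key-slot numbers are made up."""
    phdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"ecb", b"sha1", 0x800, 16,
                     bytes(20), bytes(32), 1000, b"61478c6d-b04e-4f1a-aff6-b4bb3a29cfbe")
    slot0 = KEYSLOT.pack(KEYSLOT_ACTIVE, 4096, bytes(32), 8, 4000)
    empty = KEYSLOT.pack(KEYSLOT_DISABLED, 0, bytes(32), 0, 0)
    return phdr + slot0 + empty * 7


if __name__ == "__main__":
    hdr = parse_luks1_header(build_sample_header())
    print(hdr)
    print(config_warnings(hdr))
    print(memory_key_hint(hdr))
```

On a real image, read the first 592 bytes of the container and hand them to `parse_luks1_header`; the `key_bits` value is what tells you whether the key sitting in a memory dump is AES-128 or AES-256, and therefore how large the expanded key schedule you are looking for will be.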

Now, the encryption key's location. We have the encrypted container, so the next thing we need is the key. Luckily, there is a memory dump. When memory is dumped while an encrypted container is mounted, the raw encryption key will be present in the dump, because dm-crypt keeps the key in kernel memory for as long as the volume is mapped.

I'll be honest: I have no idea where the memory's encryption keys are stored. I could try to investigate this image using Volatility or another memory analysis program, but I lack the expertise to accomplish that quickly.

I decided to employ a programme named bulk extractor (http://digitalcorpora.org/downloads/bulk_extractor/). This is because AES keys are one of the artefacts that bulk extractor can carve out of a raw image such as a memory dump.
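Why can a carving tool find an AES key in a raw memory dump at all? A software AES implementation keeps not just the 16-byte key but its full 176-byte expanded key schedule in memory, and every round key is a deterministic function of the previous one, so a scanner can slide over the dump and test at each offset whether the next 160 bytes are the schedule that the first 16 bytes would expand to. The following is an added example of that check (my own code, not bulk_extractor's; to my knowledge bulk_extractor's AES scanner works on this same key-schedule principle, but treat that attribution as an assumption). The "memory dump" it scans is constructed: pseudo-random filler with one real AES-128 key schedule planted at 0x1000 and, as a control, the bare key planted at 0x5000 with no schedule behind it, which the scan correctly ignores.

```python
import random


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _make_sbox():
    """Generate the AES S-box (GF(2^8) inverse followed by the affine map) instead of embedding a table."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3 in GF(2^8)
        q = (q ^ (q << 1)) & 0xFF                                 # q /= 3 (i.e. q *= 0xf6)
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = 0x63 ^ q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _make_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
AES128_SCHEDULE_BYTES = 176  # 11 round keys x 16 bytes


def _next_round_key(prev, rcon):
    """AES-128 key expansion: derive round key r+1 from round key r."""
    # SubWord(RotWord(w3)) ^ Rcon, then chain the four words of the new round key
    t = [SBOX[prev[13]] ^ rcon, SBOX[prev[14]], SBOX[prev[15]], SBOX[prev[12]]]
    out = []
    for i in range(0, 16, 4):
        t = [prev[i + j] ^ t[j] for j in range(4)]
        out += t
    return bytes(out)


def expand_key_128(key):
    """Full 176-byte AES-128 key schedule, as a software AES implementation holds it in memory."""
    rk = bytes(key)
    schedule = rk
    for r in range(10):
        rk = _next_round_key(rk, RCON[r])
        schedule += rk
    return schedule


def is_key_schedule_at(mem, off):
    """True if mem[off:off+176] is a self-consistent AES-128 key schedule.
    Each round key is recomputed from the previous one and compared; nearly every
    offset in random or zeroed memory fails on the first 16-byte comparison, so this is cheap."""
    rk = mem[off:off + 16]
    for r in range(10):
        rk = _next_round_key(rk, RCON[r])
        nxt = off + 16 * (r + 1)
        if mem[nxt:nxt + 16] != rk:
            return False
    return True


def find_aes128_keys(mem):
    """Return (offset, key) for every AES-128 key schedule found in a memory image."""
    return [(off, bytes(mem[off:off + 16]))
            for off in range(len(mem) - AES128_SCHEDULE_BYTES + 1)
            if is_key_schedule_at(mem, off)]


FIPS197_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # example key from FIPS-197 App. A.1


def build_sample_memory(size=32768, seed=7):
    """Constructed stand-in for a memory dump (not the challenge's memory.raw): pseudo-random
    filler, one planted key schedule at 0x1000, and the bare key at 0x5000 with no schedule."""
    rnd = random.Random(seed)
    mem = bytearray(rnd.getrandbits(8) for _ in range(size))
    mem[0x1000:0x1000 + AES128_SCHEDULE_BYTES] = expand_key_128(FIPS197_KEY)
    mem[0x5000:0x5000 + 16] = FIPS197_KEY
    return bytes(mem)


if __name__ == "__main__":
    for off, key in find_aes128_keys(build_sample_memory()):
        print(f"AES-128 key schedule at {off:#x}: key {key.hex()}")
```

Two practical points follow from the check itself. A bare key with nothing but random bytes after it is invisible to this scan, which is why the copy the kernel keeps for actually running the cipher (with its expanded schedule) is what gets carved, not a stray copy of the passphrase or master key elsewhere. And because a false positive requires 160 bytes to match by chance, hits from this kind of scan are essentially never noise, so a single 16-byte result is worth trying against the container.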