Difference between pages "Adroit Photo Forensics" and "Linux Unified Key Setup (LUKS)"

From Forensics Wiki
(Difference between pages)
 
(How to detect =)
 
Line 1: Line 1:
{{Infobox_Software |
+
{{expand}}
  name = Adroit Photo Forensics (APF) |
+
  maintainer = [[Digital Assembly]] |
+
  os = {{Windows}} |
+
  genre = {{Analysis}} |
+
  license = {{Commercial}} |
+
  website = [http://www.digital-assembly.com/products digital-assembly.com] |
+
}}
+
  
'''Adroit Photo Forensics''' ('''APF''') is a commercial forensic software package distributed by [[Digital Assembly]].
+
Linux Unified Key Setup (LUKS) is commonly used by Linux to encrypt storage media volumes. LUKS is implemented in the Linux kernel in dm-crypt (dm = Device Mapper) and the user-space component cryptsetup.
It specializes in the recovery and analysis of digital photographs.
+
  
=Features=
+
LUKS supports various encryption methods, like:
 +
* [[AES]]
 +
* [[Anubis]]
 +
* [[Blowfish|BlowFish]]
 +
* [[Cast5]]
 +
* [[Cast6]]
 +
* [[Serpent]]
 +
* [[Twofish|TwoFish]]
  
Adroit Photo Forensics can parse a number of filesystems, including [[FAT]] 12/16/32, [[NTFS]], [[HFS]], and [[HFS+]]. It can
+
These encryption methods can be used in various chaining modes and with various initialization vector modes.
read from [[EnCase]] as well as raw/[[dd]] images.  
+
  
It is best known for implementing the [[File_Carving:SmartCarving|SmartCarving]] and [[File_Carving:GuidedCarving|GuidedCarving]]
+
== How to detect ===
algorithms to recover fragmented photos.  
+
A LUKS encrypted volume starts with the "LUKS\xba\xbe" signature.
  
== Exif ==
+
A hexdump of the start of the volume should look similar to:
 +
<pre>
 +
00000000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|
 +
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 +
00000020  00 00 00 00 00 00 00 00  63 62 63 2d 65 73 73 69  |........cbc-essi|
 +
00000030  76 3a 73 68 61 32 35 36  00 00 00 00 00 00 00 00  |v:sha256........|
 +
00000040  00 00 00 00 00 00 00 00  72 69 70 65 6d 64 31 36  |........ripemd16|
 +
00000050  30 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |0...............|
 +
</pre>
  
Adroit Photo Forensics also parses exif data and can be used to view and group files based on exif date stamps instead of
+
== External Links ==
file system date stamps. APF also includes a full zoomable time-line viewer based on exif and file system date stamps.  
+
* [http://clemens.endorphin.org/nmihde/nmihde-A4-ds.pdf New Methods in Hard Disk Encryption], by Clemens Fruhwirth, July 18, 2005
 +
* [http://wiki.cryptsetup.googlecode.com/git/LUKS-standard/on-disk-format.pdf LUKS On-Disk Format Specification - Version 1.2.1], by Clemens Fruhwirth, October 16, 2011
 +
* [https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html LUKS Disk Encryption], by [[RedHat]]
 +
* [https://googledrive.com/host/0B3fBvzttpiiSNUVYSFF1TmRONmc/Linux%20Unified%20Key%20Setup%20(LUKS)%20Disk%20Encryption%20format.pdf LUKS Disk Encryption format specification], by the [[libluksde|libluksde project]], July 2013
 +
* [http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-against-cbc-encrypted-luks-partitions/ Practical malleability attack against CBC-Encrypted LUKS partitions], by Jakob Lell, December 22, 2013
  
== Other Features ==
 
 
Adroit Photo Forensics interface is optimized for the display of photos. APF also include grouping and sorting options that are
 
photo relevant.
 
 
== External Links ==
 
  
* [http://digital-assembly.com/products/adroit-photo-forensics/ Adroit Photo Forensics Product Information]
+
[[Category:Disk encryption]]
 +
[[Category:Linux]]
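
Review bot: the added heading line "== How to detect ===" opens with two equals signs but closes with three, so the section title will carry a stray "=" when rendered. Make the delimiters match: "== How to detect ==".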

Revision as of 12:18, 23 December 2013


Linux Unified Key Setup (LUKS) is commonly used by Linux to encrypt storage media volumes. LUKS is implemented in the Linux kernel in dm-crypt (dm = Device Mapper) and the user-space component cryptsetup.

LUKS supports various encryption methods, like:

* AES
* Anubis
* BlowFish
* Cast5
* Cast6
* Serpent
* TwoFish

These encryption methods can be used in various chaining modes and with various initialization vector modes.

How to detect

A LUKS encrypted volume starts with the "LUKS\xba\xbe" signature.

A hexdump of the start of the volume should look similar to:

00000000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  63 62 63 2d 65 73 73 69  |........cbc-essi|
00000030  76 3a 73 68 61 32 35 36  00 00 00 00 00 00 00 00  |v:sha256........|
00000040  00 00 00 00 00 00 00 00  72 69 70 65 6d 64 31 36  |........ripemd16|
00000050  30 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |0...............|
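
A minimal parser for the header fields visible in the hexdump above, as an added example that is not part of the wiki page: it checks the signature and, for version 1, reads the cipher name, cipher mode and hash specification. The 2-byte version field and the three 32-byte string fields follow the LUKS version 1 on-disk format; the function name and the zero padding appended to the sample are assumptions of this example.

```python
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"
# LUKS version 1 layout: magic[6], big-endian uint16 version, then three
# NUL-padded 32-byte strings (cipher name, cipher mode, hash spec) = 0x68 bytes.
HEADER = struct.Struct(">6sH32s32s32s")

def _cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")

def parse_luks_header(data):
    """Hypothetical helper: header info, or None if signature and version are absent."""
    if len(data) < 8 or not data.startswith(LUKS_MAGIC):
        return None
    info = {"version": struct.unpack_from(">H", data, 6)[0]}
    # Only decode the string fields when the layout is known and fully present.
    if info["version"] == 1 and len(data) >= HEADER.size:
        _, _, name, mode, hash_spec = HEADER.unpack_from(data)
        info.update(cipher_name=_cstr(name), cipher_mode=_cstr(mode),
                    hash_spec=_cstr(hash_spec))
    return info

# Constructed sample: the six hexdump rows shown on the page, plus 8 zero bytes
# (an assumption) so the 32-byte hash-spec field is complete.
SAMPLE = bytes.fromhex(
    "4c 55 4b 53 ba be 00 01 61 65 73 00 00 00 00 00"
    + "00" * 16
    + "00" * 8 + "63 62 63 2d 65 73 73 69"
    + "76 3a 73 68 61 32 35 36" + "00" * 8
    + "00" * 8 + "72 69 70 65 6d 64 31 36"
    + "30" + "00" * 15
    + "00" * 8
)

if __name__ == "__main__":
    # With a path argument, inspect the start of that image or device file.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(parse_luks_header(fh.read(HEADER.size)))
    else:
        print(parse_luks_header(SAMPLE))
```

A result containing only the version means the signature matched but the fields were not decoded, either because the input was truncated or because the version is not 1.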

External Links