Difference between pages "Regimented Potential Incident Examination Report" and "Linux Unified Key Setup (LUKS)"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(External Links)
 
(How to detect =)
 
Line 1: Line 1:
{{Expand}}
+
{{expand}}
  
The Regimented Potential Incident Examination Report ('''RPIER''' or '''RAPIER''') is script based [[Incident Response|incident response]] tool released under the [[:Category:GPL|GPL]] by [[Intel]]. It is a modular framework.
+
Linux Unified Key Setup (LUKS) is commonly used by Linux to encrypt storage media volumes. LUKS is implemented in the Linux kernel in dm-crypt (dm = Device Mapper) and the user-space component cryptsetup.
  
== See Also ==
+
LUKS supports various encryption methods, like:
 +
* [[AES]]
 +
* [[Anubis]]
 +
* [[Blowfish|BlowFish]]
 +
* [[Cast5]]
 +
* [[Cast6]]
 +
* [[Serpent]]
 +
* [[Twofish|TwoFish]]
  
[[List of Script Based Incident Response Tools]]
+
These encryption methods can be used in various chaining modes and with various initialization vector modes.
 +
 
 +
== How to detect ===
 +
A LUKS encrypted volume starts with the "LUKS\xba\xbe" signature.
 +
 
 +
A hexdump of the start of the volume should look similar to:
 +
<pre>
 +
00000000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|
 +
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 +
00000020  00 00 00 00 00 00 00 00  63 62 63 2d 65 73 73 69  |........cbc-essi|
 +
00000030  76 3a 73 68 61 32 35 36  00 00 00 00 00 00 00 00  |v:sha256........|
 +
00000040  00 00 00 00 00 00 00 00  72 69 70 65 6d 64 31 36  |........ripemd16|
 +
00000050  30 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |0...............|
 +
</pre>
  
 
== External Links ==
 
== External Links ==
 +
* [http://clemens.endorphin.org/nmihde/nmihde-A4-ds.pdf New Methods in Hard Disk Encryption], by Clemens Fruhwirth, July 18, 2005
 +
* [http://wiki.cryptsetup.googlecode.com/git/LUKS-standard/on-disk-format.pdf LUKS On-Disk Format Specification - Version 1.2.1], by Clemens Fruhwirth, October 16, 2011
 +
* [https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-LUKS_Disk_Encryption.html LUKS Disk Encryption], by [[RedHat]]
 +
* [https://googledrive.com/host/0B3fBvzttpiiSNUVYSFF1TmRONmc/Linux%20Unified%20Key%20Setup%20(LUKS)%20Disk%20Encryption%20format.pdf LUKS Disk Encryption format specification], by the [[libluksde|libluksde project]], July 2013
 +
* [http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-against-cbc-encrypted-luks-partitions/ Practical malleability attack against CBC-Encrypted LUKS partitions], by Jakob Lell, December 22, 2013
  
* [http://code.google.com/p/rapier/ Official website]]
 
* [http://groups.google.com/group/rapier-development?hl=en Google Discussion Group]]
 
* [http://www.first.org/conference/2006/program/rapier_-_a_1st_responders_info_collection_tool.html Presentation at FIRST Conference 2006]
 
  
[[Category:Incident response tools]]
+
[[Category:Disk encryption]]
 +
[[Category:Linux]]

Revision as of 13:18, 23 December 2013

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Linux Unified Key Setup (LUKS) is commonly used by Linux to encrypt storage media volumes. LUKS is implemented in the Linux kernel in dm-crypt (dm = Device Mapper) and the user-space component cryptsetup.

LUKS supports various encryption methods, like:

These encryption methods can be used in various chaining modes and with various initialization vector modes.

How to detect =

A LUKS encrypted volume starts with the "LUKS\xba\xbe" signature.

A hexdump of the start of the volume should look similar to:

00000000  4c 55 4b 53 ba be 00 01  61 65 73 00 00 00 00 00  |LUKS....aes.....|
00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  63 62 63 2d 65 73 73 69  |........cbc-essi|
00000030  76 3a 73 68 61 32 35 36  00 00 00 00 00 00 00 00  |v:sha256........|
00000040  00 00 00 00 00 00 00 00  72 69 70 65 6d 64 31 36  |........ripemd16|
00000050  30 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |0...............|

External Links