Linux system image E01 format

Hi. I made a Linux system image in E01 format. After adding it as a disk image data source in Autopsy, I was prompted as in the following figure, and the run did not process any data. The Windows version of Autopsy is installed. Where is this operation incorrect?


Perhaps the filesystem is encrypted. What do you see in a hex editor at sector 2048 and 2099200? Multiply the number of sectors by the sector size (most commonly 512 bytes, or 4096 bytes if the disk is in advanced format) to determine the offset in bytes and provide us with a hex dump.

On Linux you could do it real easy like this: "xxd -s $((512 * 2048)) | less"


I suspect Tic-Tac is right on the encryption. The partition sizes (1GB 0x83 - likely /boot and the remainder for LVM 0x8e) are a common default partitioning scheme for a LUKS encrypted Linux machine.

If you look at vol2 it should be a readable filesystem (most likely ext2) where the kernel and related modules are sitting which are used to unlock and boot the machine. You should also see that “LUKS” header in ASCII on 2099200.
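To make the two checks suggested above concrete (the byte offset of a sector, a hex dump at that offset, and the "LUKS" header versus an ext superblock), here is an added Python example; it is not from the original thread or from Autopsy. It works on a raw (dd) image, not E01 directly, so convert with xmount/ewfmount or read through pyewf first. The sector numbers 2048 and 2099200 are the ones from the thread; the sample image built in `build_sample_image` is constructed and scaled down (LUKS-like header at sector 4096 instead of 2099200, plus an LVM2 physical-volume label at sector 5120) so the script runs offline. It also distinguishes a plain LVM2 PV from LUKS, which answers the "did you confirm it is indeed LUKS" question.

```python
"""Classify what sits at a partition's first sectors in a raw (dd) disk image.

Added example, not code from the thread. Signatures checked:
  LUKS   - 'LUKS' 0xBA 0xBE at byte 0 of the partition (LUKS1 and LUKS2)
  LVM2   - 'LABELONE' at the start of one of the first four 512-byte sectors
  ext2/3/4 - 0xEF53 little-endian at byte 0x438 (superblock at 0x400 + 0x38)
"""
import io
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
LVM_LABEL = b"LABELONE"
EXT_SB_OFFSET = 0x400
EXT_MAGIC = 0xEF53


def sector_offset(sector, sector_size=512):
    """Byte offset of a sector; the multiplication the thread describes."""
    return sector * sector_size


def hexdump(img, offset, length=64):
    """Return xxd-style lines for `length` bytes starting at byte `offset`."""
    img.seek(offset)
    data = img.read(length)
    lines = []
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        hexpart = " ".join(chunk[j:j + 2].hex() for j in range(0, len(chunk), 2))
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{offset + i:08x}: {hexpart:<40} {asc}")
    return lines


def identify_partition(img, start_sector, sector_size=512):
    """Return a dict describing the container found at `start_sector`."""
    base = sector_offset(start_sector, sector_size)

    img.seek(base)
    head = img.read(16)
    if head.startswith(LUKS_MAGIC):
        version = struct.unpack(">H", head[6:8])[0]   # on-disk version is big-endian
        return {"type": "luks", "version": version}

    # LVM2 places its PV label in one of the first four 512-byte sectors.
    for s in range(4):
        img.seek(base + s * 512)
        if img.read(8) == LVM_LABEL:
            return {"type": "lvm2-pv", "label_sector": s}

    img.seek(base + EXT_SB_OFFSET + 0x38)
    raw = img.read(2)
    if len(raw) == 2 and struct.unpack("<H", raw)[0] == EXT_MAGIC:
        return {"type": "ext", "magic": hex(EXT_MAGIC)}

    return {"type": "unknown"}


def build_sample_image(sector_size=512):
    """Constructed 3 MiB image: ext-like vol at sector 2048, LUKS1-like header
    at sector 4096 (stand-in for the thread's 2099200), LVM2 PV at sector 5120."""
    buf = bytearray(6144 * sector_size)
    p1 = sector_offset(2048, sector_size)
    struct.pack_into("<H", buf, p1 + EXT_SB_OFFSET + 0x38, EXT_MAGIC)
    p2 = sector_offset(4096, sector_size)
    buf[p2:p2 + 6] = LUKS_MAGIC
    struct.pack_into(">H", buf, p2 + 6, 1)            # LUKS version 1
    buf[p2 + 8:p2 + 11] = b"aes"                       # start of LUKS1 cipher-name field
    p3 = sector_offset(5120, sector_size)
    buf[p3 + 512:p3 + 520] = LVM_LABEL                 # label in PV sector 1, as LVM2 does
    return io.BytesIO(bytes(buf))


if __name__ == "__main__":
    img = build_sample_image()
    for sec in (2048, 4096, 5120):
        print(sec, identify_partition(img, sec))
        print("\n".join(hexdump(img, sector_offset(sec), 32)))
```

On a real image, replace `build_sample_image()` with `open("image.dd", "rb")` and pass 2099200 as the second partition's start sector; if the first 16 bytes there are not the LUKS magic but `LABELONE` appears in sectors 2099200 to 2099203, the volume is an unencrypted LVM physical volume, which is the case the libvslvm advice further down covers.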

So what is the current way to unlock passwords and analyze these encrypted directory files?

Did you confirm that it is indeed LUKS you are dealing with? That info would probably help others who come across this thread later on down the road.

If it is LUKS then take a look at hashcat for attacking it:

Sleuthkit doesn’t support LVM…

I suggest that you use Joachim Metz’s tool libvslvm found here GitHub - libyal/libvslvm: Library and tools to access the Linux Logical Volume Manager (LVM) volume system format
Firstly convert the E01’s to dd format using xmount and then use libvslvm to create a virtual dd image of the LVM which you can then put into Autopsy.
However to analyse the lvm using the above method, autopsy would need to be installed on a linux operating system