Free Linux course from edX is a good introduction for investigators

Linux is being used in many more consumer devices. Investigators should at least have a basic idea of what Linux is, how it is different than Windows and basic usage (because hackers certainly will). This free course from edX by the Linux Foundation will give a good overview of how the Linux operating system functions and its usage.<div>
</div><div class="separator" style="clear: both; text-align: center;"></div><div><div>LFS101x: Introduction to Linux</div><div>
</div><div>I am taking it right now. So far it gives a quick and interesting overview and differences between popular distributions. It looks like it goes into some basic usage from a desktop as well as command-line interface. It probably won’t make you an expert, but it looks like a great place to start.</div></div><div>
</div><div>Once you have gone through this course, if you want to know more about investigations using Linux, I strongly recommend the book and resources at Linux LEO.</div>

~1 min read

[How To] Easy Install TexStudio on Ubuntu

I mess around with the internals of my operating systems a lot. This means that every few months I need to re-install my operating system, which, lately, is almost always Linux Mint. This also means that I have to remember most of the packages I have installed.
</div><div>Out of all the software I normally use, LaTeX is usually one of the most difficult to remember. However, I have found package combination that gets most - if not all - of the packages I would normally used for LaTeX.</div><div>
</div><div class="separator" style="clear: both; text-align: center;"></div><div>First, I use TeXstudio as a graphical front-end for LateX. Thankfully, they provide .deb packages on their site. First, download the latest version. There is a version in the apt repository, but it is older.</div><div>
</div><div>After downloading and installing TeXstudio, you may notice that LaTeX, bibtex and all the other packages you likely need to be able to produce documents is unavailable. Almost everything can be found in the following packages:</div><div>
apt-get install texlive texlive-latex-extra texlive-latex-recommended latex-xcolor pgf</pre>

If you prefer things like Biber, it can also be found in the repository. However, it will likely take more tweaking to get working properly.

That’s all it takes to get a fully functional LaTeX editor.

~1 min read

5th Annual Open Source Digital Forensics Conference

The 5th Annual Open Source Digital Forensics Conference (OSDFCon) will be held on November 5, 2014 at the Westin Washington Dulles in Herndon, VA. This conference focuses on tools and techniques that are open source and (typically) free to use. It is a one day event with short talks packed with information. There are both tool developers and users in attendance, and this is a unique opportunity to learn about new tools and provide feedback.

As an investigator, you should attend to learn about new tools and meet the developers building the software. As a developer, you should attend to raise awareness of your efforts. Everyone should consider submitting a talk to share their experiences and work.

The program for this year can be found here:

You can register now here:

~1 min read

ICDF2C 2014 early registration ends August 29th

The 6th International Conference on Digital Forensics & Cyber Crime is now open for registration!

<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;">
</div>ICDF2C 2014 will be held in New Haven, CT, USA on September 18 - 20th.

All three days are packed with some very interesting talks. See the preliminary program for more details:

Early registration ends August 29th. For more information please see:

~1 min read

[How to] Brute forcing password cracking devices (LUKS)

We have written in the past about how to crack passwords on password-protected RAR and ZIP files, but in those cases someone wrote a program to extract the password hashes from the RAR and ZIP files first. After that, we could use John the Ripper to generate passwords (or use a dictionary) to attack the password hashes. In this case, John the Ripper generates a password, then hashes the password with the same hashing/salting method as the hash we are attacking. If the hash matches, then we have the clear-text password.
</div><div class="separator" style="clear: both; text-align: center;"></div><div>However, in some situations, we don’t have a password hash to attack, or maybe we don’t know what algorithm is used. Either way, we may not be able to extract a hash for whatever reason. In this case, we can still brute-force the password using the standard authentication mechanism.</div><div>
</div><div>In this tutorial, I will be brute-force attacking a LUKS encrypted file using John the Ripper. A LUKS encrypted file is similar to a truecrypt container. It could be used to encrypt a disk, partition, or file.</div><div>
</div><div>Let’s assume that an investigator extracted all files from a suspect disk. By looking at the file headers, we find the following:</div><div>
encrypted: LUKS encrypted file, ver 1 [aes, xts-plain64, sha1] UUID: 811f8a08-85da-4f7d-b50f-3e64ed7a66f4</div>
Maybe the investigator has no memory image of the suspect device or any other information regarding the file, but still needs to get into it….

To mount a LUKS file from the (linux) command line, you have to use cryptsetup . The command usually looks like cryptsetup luksOpen container mountpoint . When you attempt to mount, by default it will ask for a password 3 times if the attempts are incorrect. We cannot pass the password directly to cryptsetup as an option, it will always ask for a password.

Regardless of some challenges, cryptsetup does have some useful options, such as -T which controls how many times it will ask for a password before giving up. And also the option –test-passphrase, which will see if the password worked without actually opening the device. So right now we have the following command to open the LUKS device:

cryptsetup luksOpen $1 x --test-passphrase -T1

Now we can use John the Ripper in incremental mode sending the output to standard out to generate our password list.

john -i --stdout

Now we just need a small script to capture the output of JtR and test the cryptsetup password:


# Using john the ripper to brute-force a luks container
if [ $(file $1 | grep -c "LUKS encrypted file") ]; then
    john -i --stdout | while read i; do
        echo -ne "\rtrying \"$i\" "\\r
        # as root
        echo $i | cryptsetup luksOpen $1 x --test-passphrase -T1 2> /dev/null
        if [ $STATUS -eq 0 ]; then
          echo -e "\nPassword is: \"$i\""
    echo "Start time $startTime"
    echo "End time $(date)"
        echo "The file does not appear to be a LUKS encrypted file"

</div><div>This bash script first uses file to check whether the input is recognized as a LUKS encrypted file. If so, it will run JtM in incremental mode, and output to stdout. A while loop is used to capture the generated password as a variable “i”. We then echo the password, and pipe it to the luksOpen command. That way, when cryptsetup asks for a password it will use the password we have piped to it. The status will be either 0 if it worked or 2 if the password failed. If the status is 0, then we print the password, and how long it took. If the status is not 0, we get a new password and try again.</div><div>
</div><div>Now, if you start to run this script you may notice that it is very, very, very slow. Generating passwords with JtM is relatively quick, but trying the passwords on a LUKS device is designed to be slow.</div><div>
</div><div>This process will likely take a very long time, but 1) it will eventually crack any type of device and 2) it can be used when you have no other option.</div><div>
</div><div>Try to use the script to play around with other password-protected files/devices.</div>

3 min read

[Hash sets] Korea University DFRC Reference Data Set

If you work in the area of digital investigation, you probably know about NIST’s National Software Reference Library (NSRL).
<blockquote>The National Software Reference Library (NSRL) is designed to collect software from various sources and incorporate file profiles computed from this software into a Reference Data Set (RDS) of information. The RDS can be used by law enforcement, government, and industry organizations to review files on a computer by matching file profiles in the RDS. This will help alleviate much of the effort involved in determining which files are important as evidence on computers or file systems that have been seized as part of criminal investigations.</blockquote>In other words, the NSRL is a very large collection of file hashes for ‘known’ software. In most cases it can be treated as a known good hash set, for filtering out potentially uninteresting files from a case.

The NSRL hashes are also hosted on, allowing you to query their database for a particular hash if you don’t want to store the files locally.

<div class="separator" style="clear: both; text-align: center;"></div>
NSRL is very useful, but it does have some limitations. The Korea University Digital Forensic Research Center is attempting to solve some of these limitations but providing the DFRC Reference Dataset.

Their Reference Data Set includes hash values from software used in South Korea as well as the NSRL. Currently, they have over 27 million hashes. Best of all, they provide a number of interfaces to test your data with. You can upload the suspect file directly, upload a list of hashes, search for a single sha1 or md5, or query their RDS via their REST interface! This way you can call their hash database directly from your tools.

Of course, you can also directly download their entire RDS.

1 min read