Techniques and methods for obtaining access to data protected by linux-based encryption – A reference guide for practitioners

Abstract

This research presents an overview of the typical disc and folder-level encryption that a digital forensic investigator may encounter when investigating a Linux operating system. Based on prior first-hand experience and significant follow-up testing and research, this work examines the operation of such encryption from the user's perspective, discusses how the encryption operates “under the hood”; and explores methods and techniques that can be used to access and retrieve data from such encrypted devices, both during at-scene/live forensic investigation and also post-scene. Worked examples are presented, to aid the reader's understanding. This research also presents considerations, approaches and steps that can be used by an investigator, in order to maximise the potential for data acquisition, and most crucially discusses lessons learnt to facilitate getting the best evidence in such cases. A breakdown of the binary structure of the key files associated with fscrypt is also presented, for reference. Current limitations and gaps in knowledge are also discussed.