
This article shows me how to see if Ubuntu has encrypted swap. What I would like to know is how I can determine that swap (or any other partition) is truly encrypted. What I would like to see is that some disk utility tries to read the encrypted contents, showing me gibberish, but after inputting the correct passphrase, it shows me the files as expected.

This would be difficult for swap since crypttab uses a random key, but I /should/ be able to see the gibberish that indicates that it is encrypted.

EDIT: I'm adding the output from testdisk. I don't know what to look for here.

 Disk /dev/sda - 500 GB / 465 GiB - ST3500413AS
 Disk /dev/mapper/cryptswap1 - 4008 MB / 3823 MiB
 Disk /dev/mapper/vg_doulos-home - 453 GB / 422 GiB - ST3500413AS
 Disk /dev/mapper/vg_doulos-root - 39 GB / 37 GiB - ST3500413AS
 Disk /dev/mapper/vg_doulos-tmp - 1996 MB / 1904 MiB - ST3500413AS
 Disk /dev/sr0 - 735 MB / 701 MiB (RO) - hp      DVD D  DH16D6SH
 Disk /dev/dm-0 - 39 GB / 37 GiB - ST3500413AS
 Disk /dev/dm-1 - 1996 MB / 1904 MiB - ST3500413AS
 Disk /dev/dm-2 - 453 GB / 422 GiB - ST3500413AS
 Disk /dev/dm-3 - 4008 MB / 3823 MiB

At this point, what should I select to check? For example, I selected /dev/mapper/vg_doulos_home. Then I get a screen that looks like this:

Please select the partition table type, press Enter when done.
 [Intel  ] Intel/PC partition
 [EFI GPT] EFI GPT partition map (Mac i386, some x86_64...)
 [Humax  ] Humax partition table
 [Mac    ] Apple partition map
>[None   ] Non partitioned media
 [Sun    ] Sun Solaris partition
 [XBox   ] XBox partition
 [Return ] Return to disk selection

I automatically select Non partitioned media because that's the default here. I list the files here:

   P ext4                           0  885940223  885940224
Directory /

>drwxr-xr-x     0     0      4096 30-May-2012 11:33 .
 drwxr-xr-x     0     0      4096 30-May-2012 11:33 ..
 drwx------     0     0     16384 30-May-2012 11:03 lost+found
 dr-x------  1000  1000      4096 30-May-2012 11:33 averyc
 drwxr-xr-x     0     0      4096 30-May-2012 11:33 .ecryptfs

I'm still able to drill down into the averyc home directory where I find this directory layout, but I'm unable to copy any of the files:

   P ext4                           0  885940223  885940224
Directory /averyc

>dr-x------  1000  1000      4096 30-May-2012 11:33 .
 drwxr-xr-x     0     0      4096 30-May-2012 11:33 ..
 lrwxrwxrwx  1000  1000        32 30-May-2012 11:33 .ecryptfs
 lrwxrwxrwx  1000  1000        31 30-May-2012 11:33 .Private
 lrwxrwxrwx  1000  1000        52 30-May-2012 11:33 README.txt
 lrwxrwxrwx  1000  1000        56 30-May-2012 11:33 Access-Your-Private-Data.desktop

Can someone explain what's going on here? How can I verify that this partition is really encrypted?

2 Answers


You can boot a live CD and try almost any data recovery tool, such as testdisk. When you run the data recovery tool it will identify all sorts of files. Open any of them and you will see random data.

Panther
  • Unfortunately, testdisk is not available off of the live Ubuntu CD. Can you recommend another data recovery tool similar to testdisk? – Son of the Wai-Pan Jun 01 '12 at 00:57
  • Ugh. Sorry. I found testdisk and I can give some of the other Live CDs a whirl. I thought testdisk was part of every default linux distro. Ignore my lame comment above. – Son of the Wai-Pan Jun 01 '12 at 01:18
  • testdisk is in the repositories so you can install it easily enough. – Panther Jun 01 '12 at 05:17
  • So I burned a liveCD with test disk on it. testdisk was able to detect my partitioned hard drives but after reading the documentation, I'm still unclear on how to show that my drive is truly encrypted. It is true that testdisk was unable to find any deleted files, but I'm not sure what I should ask test disk to try and detect. I'll update the question with the partition layout. – Son of the Wai-Pan Jun 04 '12 at 04:54
  • You will have to try to recover data off the disk. Once you do so you will see it is encrypted. Test disk is easy enough to use, otherwise you will need to look at other forensics tools. – Panther Jun 04 '12 at 06:31
  • @AveryChan it is available, you must run sudo apt-get update (if sudo apt-get install testdisk returns no results) first to make it available – mchid Apr 04 '15 at 22:06

Short general answer

You can't. The goal of encryption is to make valid data look like gibberish, i. e. as indistinguishable from random data as possible.

Long answer fitting most cases

On the other hand, most useful data (e. g. file systems) is structured and non-random. With that in mind you can:

  1. Try to match it against known patterns like well-known file formats or file system headers. Suitable tools for that are file(1) (general file formats) and blkid(8) (file systems and partition tables).

    As a bonus, some encryption protocols (e. g. LUKS) attach headers to the encrypted data, which the previously mentioned tools recognise.

  2. Perform a statistical analysis of the data to see if it appears random enough, but that's no proof of encryption, only a hint. The data may actually be an unencrypted record of a series of random events.

    Here's a C program that I wrote a while ago to do that: https://gist.github.com/davidfoerster/079b6d8c92fb702b89aa

  3. Try a bunch of encryption protocols and keys and try to decipher it. The problem is that most common protocols are unable to tell you if the cipher text was encrypted with a particular protocol and key.

    As a workaround, use point 1 to see if the decrypted data fits a known pattern (which it doesn't have to; see point 2). Some encryption protocols (e. g. TrueCrypt) use an encrypted header, so tools can quickly see if a decryption was successful.

David Foerster
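As an added example (not part of either answer above, and not David Foerster's gist), the following Python 3 script does a small version of points 1 and 2 together: it reads the start of a block device or disk image, checks for the on-disk signatures that file(1) and blkid(8) would recognise (the LUKS header magic and, for LUKS1, the cipher/mode/hash fields at the offsets given by the LUKS1 on-disk format; the ext2/3/4 superblock magic; the Linux swap signature, assuming 4 KiB pages), and measures the Shannon entropy of the sample. The sample data at the bottom is constructed for offline testing; the LUKS header it builds is a stub with random filler, not real key material. Reading a raw device such as /dev/sda needs root.

```python
#!/usr/bin/env python3
"""Added example (not from the original answers): read the start of a block
device or disk image, look for well-known on-disk signatures (the job of
file(1)/blkid(8) in point 1) and measure byte entropy (point 2)."""
import math
import random
import sys
from collections import Counter

# Assumption: the signatures of interest sit in the first MiB of the device.
SAMPLE_BYTES = 1 << 20

LUKS_MAGIC = b"LUKS\xba\xbe"            # LUKS1/LUKS2 primary header magic
EXT_MAGIC_OFFSET = 0x438                # ext2/3/4 superblock s_magic (1024 + 56)
SWAP_SIG_OFFSET = 4096 - 10             # swap signature at page_size - 10 (4 KiB pages assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 for
    perfectly uniform bytes.  Only meaningful for samples of several KiB."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _cstr(field: bytes) -> str:
    """Decode a NUL-padded ASCII field from a LUKS1 header."""
    return field.split(b"\0", 1)[0].decode("ascii", "replace")


def identify_signature(data: bytes):
    """Return a description of a recognised on-disk format, or None.
    LUKS1 field offsets follow the LUKS1 on-disk specification."""
    if data[:6] == LUKS_MAGIC:
        version = int.from_bytes(data[6:8], "big")
        if version == 1:
            cipher = _cstr(data[8:40])
            mode = _cstr(data[40:72])
            hash_spec = _cstr(data[72:104])
            return f"LUKS1 ({cipher}-{mode}, {hash_spec})"
        return f"LUKS{version}"
    if data[EXT_MAGIC_OFFSET:EXT_MAGIC_OFFSET + 2] == b"\x53\xef":   # 0xEF53 little-endian
        return "ext2/3/4 filesystem"
    if data[SWAP_SIG_OFFSET:SWAP_SIG_OFFSET + 10] in (b"SWAPSPACE2", b"SWAP-SPACE"):
        return "linux swap"
    return None


def classify(data: bytes, random_threshold: float = 7.9) -> dict:
    """Combine both checks.  'random-looking' is only a hint, not proof of
    encryption, as the answer says; 'known-format' means the bytes are readable as-is."""
    signature = identify_signature(data)
    entropy = shannon_entropy(data)
    if signature is not None:
        verdict = "known-format"
    elif entropy >= random_threshold:
        verdict = "random-looking"
    else:
        verdict = "structured-unknown"
    return {"signature": signature, "entropy": entropy, "verdict": verdict}


# --- constructed samples so the script can be exercised offline -------------
_rng = random.Random(2012)  # fixed seed: reproducible, not cryptographic


def _random_bytes(n: int) -> bytes:
    return bytes(_rng.randrange(256) for _ in range(n))


RANDOM_SAMPLE = _random_bytes(64 * 1024)      # what a dm-crypt payload or random-key swap looks like raw
TEXT_SAMPLE = b"The quick brown fox jumps over the lazy dog. " * 200
LUKS_SAMPLE = (LUKS_MAGIC + (1).to_bytes(2, "big")
               + b"aes".ljust(32, b"\0") + b"xts-plain64".ljust(32, b"\0")
               + b"sha256".ljust(32, b"\0"))
LUKS_SAMPLE += _random_bytes(4096 - len(LUKS_SAMPLE))  # constructed filler, not real key material
_ext = bytearray(2048)
_ext[EXT_MAGIC_OFFSET:EXT_MAGIC_OFFSET + 2] = b"\x53\xef"
EXT_SAMPLE = bytes(_ext)                      # an otherwise empty ext superblock area


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <block device or image>  (block devices need root)")
        return 2
    with open(argv[1], "rb") as fh:
        data = fh.read(SAMPLE_BYTES)
    r = classify(data)
    print(f"{argv[1]}: signature={r['signature']} entropy={r['entropy']:.3f} bits/byte "
          f"-> {r['verdict']}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the raw partition underneath a mapping, not the /dev/mapper/ or /dev/dm-N device: the mapper device presents the decrypted view (which is why testdisk could list the ext4 directory tree on vg_doulos-home), while the raw partition is where a LUKS header or, for a random-key swap, nothing but high-entropy bytes should appear. Partitions with no signature and entropy well below 8 bits per byte are readable without a key and deserve a closer look.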