# Decrypting algorithms (dfirdoctor/dfir GitHub Wiki)

Command lines and notes for the common volume-encryption algorithms, with a quick extraction method to obtain the hashes that password-recovery tools such as hashcat expect. In every case the "hash" is simply the encrypted volume header carved out of the image with `dd`, so the only thing that changes per product is where that header lives.
## TrueCrypt

Standard algorithm, normal container (the volume header is the first 512 bytes):

```shell
dd if=container.dd of=TC-hash.hash bs=512 count=1
```

Hidden container (the hidden volume header sits at byte offset 65536):

```shell
dd if=hashcat_ripemd160_AES_hidden.raw of=hashcat_ripemd160_AES_hidden.tc bs=1 skip=65536 count=512
```

Standard algorithm, boot mode (system encryption keeps the header at byte offset 31744, which is sector 62 with 512-byte sectors, so the skip is counted in whole sectors here):

```shell
dd if=container.dd of=TC-hash.hash bs=512 skip=62 count=1
```
## VeraCrypt

Standard algorithm, normal container (first 512 bytes):

```shell
dd if=container.dd of=VC-hash.hash bs=512 count=1
```

Standard algorithm, boot mode (header at byte offset 31744, read byte-wise):

```shell
dd if=container.dd of=VC-hash.hash bs=1 skip=31744 count=512
```
## LUKS

The same command works for a system drive and a non-system drive. The first 4097 sectors cover the LUKS header with its key slots plus the first sector of the encrypted payload, which is what the recovery tool needs to verify a candidate passphrase:

```shell
dd if=container.dd of=header.luks bs=512 count=4097
dd if=/dev/sda1 of=header.luks bs=512 count=4097
```
## BitLocker

Check for TPM with a raw image. First list the partitions and note the start sector of the BitLocker volume:

```shell
mmls imaged-drive.d
```

Put that start sector in place of `1492992` in the `-o` argument (the `$((...*512))` turns sectors into the byte offset dislocker expects), then search the metadata for TPM:

```shell
dislocker-metadata -V ./imaged-drive.d -o $((1492992*512))
dislocker-metadata -V ./imaged-drive.d -o $((1492992*512)) | grep -i tpm
```
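Every section above follows the same procedure: find where the volume starts, convert the start sector to a byte offset, and carve the header from there. The script below is an added example (not code from the dfirdoctor/dfir wiki) that automates the triage step: it parses saved `mmls` output, computes the byte offset each partition would need in `dd skip=` or `dislocker -o`, and checks the first sector of each partition for the on-disk LUKS and BitLocker signatures. TrueCrypt/VeraCrypt headers are encrypted and look like random bytes, so they cannot be recognised this way and are reported as `unknown`. The `mmls` text and the disk image it builds are constructed sample data; the function names are this example's own.

```python
"""Triage a raw disk image for encrypted-volume headers before carving them with dd.

Added example for this wiki page (not code from the dfirdoctor/dfir project).
The mmls output and the disk image below are constructed sample data.
"""
import os
import re
import struct
import tempfile

SECTOR = 512
LUKS_MAGIC = b"LUKS\xba\xbe"      # first 6 bytes of a LUKS header, followed by a big-endian version
BITLOCKER_OEM = b"-FVE-FS-"       # OEM name at bytes 3..10 of a BitLocker volume boot sector

# Constructed mmls output (The Sleuth Kit layout): LUKS at sector 2048, BitLocker at 4096.
SAMPLE_MMLS = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000004095   0000002048   Linux (0x83)
003:  000:001   0000004096   0000008191   0000004096   NTFS / exFAT (0x07)
"""

PART_RE = re.compile(r"^\d{3}:\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def partitions_from_mmls(text):
    """Return (sector_size, [(start_sector, length, description)]) for real partitions."""
    sector_size = SECTOR
    parts = []
    for line in text.splitlines():
        m = re.match(r"Units are in (\d+)-byte sectors", line)
        if m:
            sector_size = int(m.group(1))
            continue
        m = PART_RE.match(line.strip())
        if not m:
            continue
        slot, start, _end, length, desc = m.groups()
        if slot in ("Meta", "-------"):   # the partition table itself / unallocated gaps
            continue
        parts.append((int(start), int(length), desc.strip()))
    return sector_size, parts


def classify_sector(sector):
    """Name the volume type from the signature in its first sector."""
    if sector[:6] == LUKS_MAGIC:
        version = struct.unpack(">H", sector[6:8])[0]
        return f"luks{version}"
    if sector[3:11] == BITLOCKER_OEM:
        return "bitlocker"
    return "unknown"          # includes TrueCrypt/VeraCrypt, whose headers are ciphertext


def triage_image(image_path, mmls_text):
    """Return [(start_sector, byte_offset, volume_type, description)] per partition."""
    sector_size, parts = partitions_from_mmls(mmls_text)
    results = []
    with open(image_path, "rb") as img:
        for start, _length, desc in parts:
            byte_offset = start * sector_size     # same arithmetic as $((start*512)) in the shell
            img.seek(byte_offset)
            results.append((start, byte_offset, classify_sector(img.read(sector_size)), desc))
    return results


def build_sample_image(path):
    """Write a sparse constructed image whose layout matches SAMPLE_MMLS."""
    with open(path, "wb") as f:
        f.truncate(8192 * SECTOR)
        f.seek(2048 * SECTOR)
        f.write(LUKS_MAGIC + struct.pack(">H", 1))          # start of a LUKS1 header
        f.seek(4096 * SECTOR)
        f.write(b"\xeb\x58\x90" + BITLOCKER_OEM)            # jump instruction + OEM name


def run_sample():
    """Build the constructed image in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "imaged-drive.dd")
        build_sample_image(path)
        return triage_image(path, SAMPLE_MMLS)


if __name__ == "__main__":
    for start, offset, kind, desc in run_sample():
        print(f"sector {start:>8}  byte offset {offset:>12}  {kind:<10} {desc}")
```

On a real case, save the `mmls` listing to a file and call `triage_image("imaged-drive.dd", open("mmls.txt").read())`; the byte-offset column is the value to hand to `dislocker-metadata -o`, and for a LUKS partition it is the `skip=` (with `bs=1`) to add in front of the `count=4097` carve above. The `Units are in ...-byte sectors` line is honoured so 4096-byte-sector images are converted correctly.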