dm-crypt.saout.de archive mirror
From: "Michael Kjörling" <michael@kjorling.se>
To: dm-crypt@saout.de
Subject: [dm-crypt] Re: LUKS partition creation date
Date: Thu, 27 May 2021 05:56:08 +0000
Message-ID: <10107148-d436-47fc-a139-450f24c44d4f@localhost>
In-Reply-To: <Mabr40x--3-2@tutanota.com>

On 26 May 2021 10:48 +0200, from u961866@tutanota.com (Valdez):
> Could a forensic investigation of an unmounted LUKS partition on a
> USB flash drive used to run Tails reveal any information about the
> date when the LUKS partition was created?

Whether the storage device is a SATA SSD, USB flash drive, rotational
fixed disk, floppy disk, or something you keep only in your brain, is
immaterial to LUKS, as long as it can accurately retain and allow
reading back high-entropy data.

I'm also going to assume that when you say "LUKS partition", you mean
a LUKS container. LUKS containers do not necessarily live inside
partitions.

Also, I'm not familiar with Tails specifically.

However, the LUKS on-disk formats are linked to from the front page of
the Wiki, at <https://gitlab.com/cryptsetup/cryptsetup/-/wikis/home>.

I'm pretty sure there are no dedicated fields for such timestamps in
either on-disk format; I don't see how having them would serve any
valid purpose. However, you certainly can look over the format specs
if you're curious; for what they cover, they should be every bit as
authoritative as anything you'll get in replies here. You can also
compare them to the output of, say, `cryptsetup luksDump
--dump-master-key` on a dummy container.

Be aware that LUKS 2 is capable of storing arbitrary data in the
header. Something would still need to put such a timestamp there, of
course, but if this is a concern to you, you might consider sticking
with the (older and less featureful) LUKS 1 format. As an alternative,
you could set your computer's time to some other value before creating
the container; _if_ something stores such a timestamp, it would then
reflect that time value, not the actual real-world time of container
creation.

That said, some details from the LUKS header might provide clues in a
very gross sense; for example, encryption algorithm, key size and key
derivation function used for the container or a key slot might _hint_
at which version of the LUKS tools were _possibly_ used to create or
last update it, because defaults have slowly changed over time. But
then you'd probably be looking at a likely time span of years.

-- 
Michael Kjörling • https://michael.kjorling.se • michael@kjorling.se
 “Remember when, on the Internet, nobody cared that you were a dog?”

_______________________________________________
dm-crypt mailing list -- dm-crypt@saout.de
To unsubscribe send an email to dm-crypt-leave@saout.de
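Added example, not part of Michael's reply and not cryptsetup code: a small Python parser for the LUKS1 and LUKS2 headers that lists every field the on-disk formats define and then searches the result for anything timestamp-like, which is the "compare the spec to a dump" exercise suggested above done in code. The field layouts follow the LUKS1 and LUKS2 format documents linked from the cryptsetup wiki; the two sample headers are constructed inline rather than dumped from a device, the "hypothetical-note" token is invented to show what a tool-written timestamp in the LUKS2 JSON area would look like, and the timestamp heuristics and the version hints (LUKS2 first shipped in cryptsetup 2.0.0 in December 2017; 1.7.0 switched the default hash from sha1 to sha256) are my own additions.

```python
"""Parse LUKS1/LUKS2 headers field by field and look for anything timestamp-like.
Layouts follow the LUKS1 and LUKS2 on-disk format documents linked from the cryptsetup
wiki; the sample headers are constructed below, not dumped from a real device."""
import hashlib, json, re, struct

MAGIC = b"LUKS\xba\xbe"                  # primary-header magic, shared by both formats
LUKS1_SLOT_ENABLED = 0x00AC71F3
LUKS1_PHDR = ">6sH32s32s32sII20s32sI40s"  # 208 bytes, followed by eight 48-byte key slots
LUKS1_SLOT = ">II32sII"                   # active, iterations, salt, key-material offset, stripes
LUKS2_BIN = ">6sHQQ48s32s64s40s48sQ184x64s"  # first 512 of the 4096-byte binary header

def _cstr(raw: bytes) -> str:
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")

def parse_luks1_header(hdr: bytes) -> dict:
    """LUKS1 phdr (592 bytes, big-endian); every defined field is listed."""
    magic, ver, cname, cmode, hsh, poff, kbytes, dig, dsalt, diter, uuid = \
        struct.unpack_from(LUKS1_PHDR, hdr, 0)
    if magic != MAGIC or ver != 1:
        raise ValueError("not a LUKS1 header")
    slots = [struct.unpack_from(LUKS1_SLOT, hdr, 208 + 48 * i) for i in range(8)]
    return {"version": 1, "cipher_name": _cstr(cname), "cipher_mode": _cstr(cmode),
            "hash_spec": _cstr(hsh), "payload_offset": poff, "key_bytes": kbytes,
            "mk_digest": dig.hex(), "mk_digest_salt": dsalt.hex(), "mk_digest_iter": diter,
            "uuid": _cstr(uuid),
            "keyslots": [{"active": a == LUKS1_SLOT_ENABLED, "iterations": it, "salt": s.hex(),
                          "key_material_offset": kmo, "stripes": st}
                         for a, it, s, kmo, st in slots]}

def parse_luks2_header(hdr: bytes) -> dict:
    """LUKS2: 4096-byte binary header, then a NUL-padded JSON area up to hdr_size.
    The sha256 csum covers both parts with the csum field itself zeroed."""
    magic, ver, hsize, seqid, label, calg, salt, uuid, subsys, hoff, csum = \
        struct.unpack_from(LUKS2_BIN, hdr, 0)
    if magic != MAGIC or ver != 2:
        raise ValueError("not a primary LUKS2 header")
    zeroed = hdr[:448] + b"\x00" * 64 + hdr[512:hsize]
    return {"version": 2, "hdr_size": hsize, "seqid": seqid, "label": _cstr(label),
            "csum_alg": _cstr(calg), "salt": salt.hex(), "uuid": _cstr(uuid),
            "subsystem": _cstr(subsys), "hdr_offset": hoff, "csum": csum.hex(),
            "csum_ok": _cstr(calg) == "sha256" and hashlib.sha256(zeroed).digest() == csum[:32],
            "json": json.loads(hdr[4096:hsize].split(b"\x00", 1)[0])}

# Heuristics (mine, not from the spec): keys naming a wall-clock time, ISO 8601 strings,
# integers in the 2000..2100 Unix-epoch range. A bare "time" key is deliberately not
# matched: Argon2's "time" parameter in a LUKS2 keyslot is a cost factor, not a date.
_TIME_KEY = re.compile(r"timestamp|date|created|modified", re.I)
_ISO_8601 = re.compile(r"^\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}")
_EPOCH_RANGE = (946_684_800, 4_102_444_800)

def find_timestamp_like(obj, path="") -> list:
    """Dotted paths within a parsed header whose key or value resembles a timestamp."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            p = f"{path}.{k}" if path else str(k)
            hits += [p] if _TIME_KEY.search(str(k)) else find_timestamp_like(v, p)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits += find_timestamp_like(v, f"{path}[{i}]")
    elif isinstance(obj, str) and _ISO_8601.match(obj):
        hits.append(path)
    elif isinstance(obj, int) and _EPOCH_RANGE[0] <= obj <= _EPOCH_RANGE[1]:
        hits.append(path)
    return hits

def version_hints(parsed: dict) -> list:
    """Coarse, years-wide hints from defaults that changed across cryptsetup releases."""
    if parsed["version"] == 2:
        return ["LUKS2 header: written by cryptsetup 2.0.0 (December 2017) or later"]
    if parsed["hash_spec"] == "sha1":
        return ["LUKS1 with sha1: the default hash before cryptsetup 1.7.0"]
    return []

def build_luks1_sample() -> bytes:
    """Constructed LUKS1 header, one enabled slot; digest and salt bytes are placeholders."""
    slots = b"".join(struct.pack(LUKS1_SLOT, LUKS1_SLOT_ENABLED if i == 0 else 0x0000DEAD,
                                 500000 if i == 0 else 0, b"\x33" * 32, 8 + 504 * i, 4000)
                     for i in range(8))
    return struct.pack(LUKS1_PHDR, MAGIC, 1, b"aes", b"xts-plain64", b"sha256", 4096, 64,
                       b"\x11" * 20, b"\x22" * 32, 125000,
                       b"0f1e2d3c-0000-4000-8000-000000000001") + slots

def build_luks2_sample(extra_token: dict = None) -> bytes:
    """Constructed 16 KiB LUKS2 header; extra_token goes into the free-form tokens object."""
    meta = {"keyslots": {"0": {"type": "luks2", "key_size": 64,
                               "kdf": {"type": "argon2id", "time": 4, "memory": 1048576,
                                       "cpus": 4, "salt": "c2FsdA=="}}},
            "tokens": {} if extra_token is None else {"0": extra_token},
            "segments": {"0": {"type": "crypt", "offset": "16777216", "size": "dynamic",
                               "encryption": "aes-xts-plain64", "sector_size": 512}},
            "digests": {"0": {"type": "pbkdf2", "keyslots": ["0"], "segments": ["0"],
                              "hash": "sha256", "iterations": 100000, "digest": "ZGlnZXN0"}},
            "config": {"json_size": "12288", "keyslots_size": "16744448"}}
    body = json.dumps(meta).encode().ljust(16384 - 4096, b"\x00")
    binhdr = struct.pack(LUKS2_BIN, MAGIC, 2, 16384, 1, b"", b"sha256", b"\x44" * 64,
                         b"0f1e2d3c-0000-4000-8000-000000000002", b"", 0, b"") + b"\x00" * 3584
    csum = hashlib.sha256(binhdr + body).digest()   # csum field is still zero at this point
    return binhdr[:448] + csum.ljust(64, b"\x00") + binhdr[512:] + body

if __name__ == "__main__":
    note = {"type": "hypothetical-note", "keyslots": ["0"], "created": "2021-05-26T08:48:00Z"}
    for parsed in (parse_luks1_header(build_luks1_sample()),
                   parse_luks2_header(build_luks2_sample()),
                   parse_luks2_header(build_luks2_sample(note))):
        print(f"LUKS{parsed['version']}: timestamp-like {find_timestamp_like(parsed)}"
              f" hints {version_hints(parsed)}")
```

Pointing the two parse functions at the first 592 bytes (LUKS1) or the first hdr_size bytes (LUKS2) of a real header dumped with `dd` gives the same kind of result: the LUKS1 dictionary has no place a timestamp could live, and for LUKS2 only the JSON area (tokens in particular) can carry one, so that is the part worth reading when checking a container.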


Thread overview: 6+ messages
2021-05-26  8:48 [dm-crypt] LUKS partition creation date Valdez
2021-05-27  5:56 ` Michael Kjörling [this message]
2021-05-27  8:04   ` [dm-crypt] " Milan Broz
2021-05-27 10:54     ` Arno Wagner
2021-05-27 11:03       ` Michael Kjörling
2021-05-27 12:05         ` Arno Wagner
