On Sun, Sep 09, 2012 at 01:53:08PM +0100, Marcos wrote: > Hi, > > On 08.09.2012 23:47, Arno Wagner wrote: > >Wups, what is that? Quite non-standard. Did you select that yourself? > > As per the docs I read back in the time, yes, I selected that cipher. > > >>Hash spec: sha1 > >>Payload offset: 3016 > >>MK bits: 384 > > > > > >With that your first keyslot should be from 0x1000 to 0x2ee00. > > Find the 'hd' dump at [1], from 0x1000 to 0x2ee00 (didn't attached > because its size is 329K). > > >>Key Slot 0: ENABLED > >> Iterations: 254001 > > > >Pretty large. Unless you have a liquid-nitrogen cooled > >CPU, did you increase the iteration time? > > Nope, actually, the problem is on a laptop hard disk... > > >Have you looked at the whole keyslot up to 0x2ee00? > > I haven't untill you pointed me to do it with this email :) > It's attached. > > And having it done after running the code you attach in another > email, going straight to the low-entropy blocks that it points > to, I have found what seems an image file: > > 0002a000 ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 90 > |......JFIF......| > 0002a010 00 90 00 00 ff e1 00 16 45 78 69 66 00 00 4d 4d > |........Exif..MM| > 0002a020 00 2a 00 00 00 08 00 00 00 00 00 00 ff fe 00 17 > |.*..............| > 0002a030 43 72 65 61 74 65 64 20 77 69 74 68 20 54 68 65 |Created > with The| > 0002a040 20 47 49 4d 50 ff db 00 43 00 05 03 04 04 04 03 | > GIMP...C.......| Well, on one hand I am glad my tool actually works, on the other hand this means your data is really gone. Wonder how that got in there though. Maybe used as swap because of the leftover signature? > One thing I don't understand: as per the docs I read for setting > the encryption, I selected a size of 384 bits for the key (that > in the case of lrw just 256 are used). What are we looking for > at 0x2ee00 far? LUKS splits the key (really: blows it up) with the AF splitter. It blows it up to exactly 4000 times the original key size. Your key is 384 bit = 48 B. 48 * 4000 = 192'000 = 0x2ee00. And then add the start-offset (which I forgot ;-) to get 0x2fe00. > >Most people are hosed in your situations, but there have been > >some miraculous recoveries. So really knowing what happened > >is the key. > > I suppose it. With an analysis of what happened it's all easier. > > Thanks, No problem. Arno -- Arno Wagner, Dr. sc. techn., Dipl. Inform., Email: arno@xxxxxxxxxxx GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F ---- One of the painful things about our time is that those who feel certainty are stupid, and those with any imagination and understanding are filled with doubt and indecision. -- Bertrand Russell _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt