Ivanti Connect Secure Forensics (Part 2): GRUB-based LUKS Decryption Methodology

13 January, 2026

In Part I of our Ivanti forensics series, we explored how attackers exploit Ivanti Connect Secure vulnerabilities and how investigators can extract evidence from LILO‑based appliances. This second installment moves deeper into the investigation workflow.

As exploitation campaigns continue to accelerate, especially around CVE‑2025‑0282 and related vulnerabilities, incident responders increasingly need reliable, repeatable methods to analyze Ivanti Connect Secure devices that use GRUB and LUKS‑based full‑disk encryption.

This blog builds on the foundational concepts introduced in Part I and focuses on the next step in the forensic process: obtaining recovery access on GRUB‑based appliances, extracting and decrypting LUKS‑encrypted partitions, and preparing evidence for detailed offline analysis. GRUB‑based systems introduce unique challenges and opportunities for investigators, and understanding these nuances is essential for any team responding to Ivanti VPN compromises at scale.

GRUB-based Ivanti Connect Secure Appliance Forensic Methodology

GRUB-based Ivanti Connect Secure appliances implement full-disk encryption (data at rest) using Linux Unified Key Setup (LUKS). Unlike older LILO-based systems, which relied on custom encryption mechanisms, GRUB-based systems store the LUKS key material on disk, where it can be extracted once recovery shell access is obtained. This allows investigators to decrypt the encrypted partitions using standard Linux tooling.

Requirements and preparation

  • Appliance type: Ivanti Connect Secure appliance using GRUB as the bootloader with LUKS-based full-disk encryption.
  • Access requirements: Physical console access, serial console access, or virtual console access sufficient to interact with the GRUB bootloader.
  • Collection environment: A separate forensic collection host with a static IP address (for example, 192.168.0.1) to receive extracted evidence.
  • Tools required:
    o netcat for network-based evidence transfer
    o dd for raw block-level extraction
    o cryptsetup for LUKS decryption
    o Standard Linux utilities (mount, losetup)

  • Scope and assumptions: These steps assume the appliance is powered down or under investigator control and that actions are performed in a forensically controlled manner to minimize evidence contamination.

Step 1: Recovery shell access

At the GRUB bootloader, enter recovery mode and pass the following kernel parameter to drop into a root shell:
init=//bin/sh

This provides a privileged shell in the early boot environment, before the appliance's higher-level security controls are enforced.

Step 2: LUKS key extraction

Copy the LUKS key material stored on the appliance:
cp /etc/lvmkey /tmp/luks_keys

This key file is required to decrypt the encrypted disk partitions offline.

Step 3: Encrypted partition extraction (network dumping)

Use the same network-based extraction steps described in Method 1, specifically:
  • From Method 1, Step 4: network interface configuration on the appliance
  • From Method 1, Step 5: netcat listener setup on the forensic collection host
  • From Method 1, Step 8: dd-based raw extraction of encrypted block devices

These steps are reused to stream the raw, encrypted LUKS partitions and the luks_keys file from the appliance to the forensic collection host.

Step 4: LUKS decryption and mounting

On the forensic workstation, decrypt the extracted partition using standard Linux tools (if the partition was captured as a raw image file, attach it with losetup first so that /dev/sdaX below refers to the device or loop device holding the encrypted LUKS partition):
cryptsetup luksOpen --key-file=luks_keys /dev/sdaX decrypted_partition
mount /dev/mapper/decrypted_partition /mnt/forensic_analysis

Once mounted, the decrypted filesystem can be examined using conventional forensic and incident response techniques.
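An added example (not part of the original post) that wraps Step 4 with the read-only precautions a forensic workstation needs: it confirms the dd image really carries a LUKS header and reports the version before cryptsetup is run, then attaches the image through a read-only loop device, opens it read-only with the extracted key file and mounts it read-only. The image path, key file name, mapping name and mount point are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed paths: image.dd
# (dd capture of the encrypted partition), luks_keys (copied /etc/lvmkey),
# decrypted_partition (dm-crypt mapping name), /mnt/forensic_analysis.
set -u

# Print LUKS1 / LUKS2 if the image starts with a LUKS header, NOT_LUKS otherwise.
# The LUKS magic is the 6 bytes 4c 55 4b 53 ba be ("LUKS" 0xba 0xbe), followed
# by a 2-byte big-endian version number.
luks_header_info() {
    img="$1"
    magic=$(dd if="$img" bs=1 count=6 2>/dev/null | od -An -tx1 | tr -d ' \n')
    ver=$(dd if="$img" bs=1 skip=6 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = "4c554b53babe" ]; then
        case "$ver" in
            0001) echo "LUKS1" ;;
            0002) echo "LUKS2" ;;
            *)    echo "LUKS_UNKNOWN_VERSION" ;;
        esac
    else
        echo "NOT_LUKS"
    fi
}

# Decrypt and mount an image without ever writing to it. Needs root and
# cryptsetup, so it is only defined here, not executed.
# Usage: decrypt_ro image.dd luks_keys decrypted_partition /mnt/forensic_analysis
decrypt_ro() {
    img="$1"; keyfile="$2"; name="$3"; mnt="$4"
    [ "$(luks_header_info "$img")" != "NOT_LUKS" ] || { echo "no LUKS header in $img" >&2; return 1; }
    # Read-only loop device: the image file itself cannot be modified.
    loopdev=$(losetup --find --show --read-only "$img") || return 1
    # --readonly makes the dm-crypt mapping itself read-only as well.
    cryptsetup open --readonly --key-file="$keyfile" "$loopdev" "$name" || return 1
    mkdir -p "$mnt"
    # ro mount; for ext3/ext4 images add ,noload so the journal is not replayed.
    mount -o ro "/dev/mapper/$name" "$mnt"
}
```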

In Part III of this series, we examine techniques for extracting the Ivanti snapshot, decrypting the acquired image, and preparing it for detailed forensic analysis.

Resources

This forensic investigation guide and vulnerability analysis incorporates research and tools developed by:

Ivanti/Pulse Secure Vulnerability Research

watchTowr Labs – Exploitation Walkthrough and Techniques: Ivanti Connect Secure RCE (CVE-2025-0282)
https://labs.watchtowr.com/exploitation-walkthrough-and-techniques-ivanti-connect-secure-rce-cve-2025-0282/#:~:text=Building%20The%20Exploit,for%20the%20readers%20at%20home

watchTowr Labs – CVE-2024-22024 (SAML XXE) Analysis
https://labs.watchtowr.com/are-we-now-part-of-ivanti/

Volexity – Active Exploitation of Ivanti Connect Secure VPNs
https://www.volexity.com/blog/2024/01/10/active-exploitation-of-ivanti-connect-secure-vpn/

Volexity – CVE-2023-46805 Authentication Bypass
https://www.cve.org/CVERecord?id=CVE-2023-46805

Northwave Security – Ivanti/Pulse Secure forensic tooling and analysis
https://northwave-cybersecurity.com/whitepapers-articles/investigating-a-possible-ivanti-compromise
Black Hat and historical context
Orange Tsai & Meh Chang – Infiltrating Corporate Intranet Like NSA (Black Hat USA 2019)
https://www.blackhat.com/us-19/briefings/schedule/#infiltrating-corporate-intranet-like-nsa-16202
https://www.youtube.com/watch?v=mKGq8z17Kd4

Web shell references
FireEye/Mandiant – Breaking Down the China Chopper Web Shell, Part I (Mandiant | Google Cloud Blog)
https://cloud.google.com/blog/topics/threat-intelligence/breaking-down-china-chopper-web-shell-part-i

FireEye/Mandiant – Breaking Down the China Chopper Web Shell, Part II
https://cloud.google.com/blog/topics/threat-intelligence/breaking-down-the-china-chopper-web-shell-part-ii

Volexity – Ivanti Connect Secure VPN Exploitation Goes Global
https://www.volexity.com/blog/2024/01/15/ivanti-connect-secure-vpn-exploitation-goes-global/

stephen-murcott – Ivanti-ICT-Snapshot-decryption (GitHub)
https://github.com/stephen-murcott/Ivanti-ICT-Snapshot-decryption
