FileVault2 Data Recovery

(@d1g14n6)
Posts: 12
Active Member
Topic starter
 

I have a MacBook Pro A1502 (Mid 2014) with an SSD I am trying to recover data off of after the whole Mac got covered with coffee. When I try to turn it on, I hear the Mac startup chime, but nothing happens past that. I've tried resetting the PRAM and I still get a black screen. Target disk mode was unsuccessful as well for recovering the data. I'm pretty sure much of the hardware is fried.

My last option was to take the SSD out and attach it as an external drive to another device, although the disk is encrypted with FileVault2. I have the decryption password. With an external enclosure I attached the device to another Mac and in Terminal ran diskutil corestorage list to try and see if the device is detected and locked. It does not show up in the results of the command. I plugged the SSD into a Windows device just to see if anything different would happen, and I see it in Disk Management as a non-initialized disk (assuming because of the encryption). EnCase did not detect the disk. The stick gets warm, so I'm assuming that it is still functioning.

My question being, is there any way to get the data off of the FileVault2 drive while treating it as an external device? A lot of what I've found is ways to get data off of it while booting to the drive, but I don't have that option if the rest of the laptop is fried.

 
Posted : 08/07/2016 10:38 pm
(@vootz)
Posts: 27
Eminent Member
 

Did you try taking an image of the SSD and drop the image into EnCase (you also need the EnCase Decryption Suite license)? EnCase might only run its encryption detection on an image. Long shot, but maybe…

 
Posted : 08/07/2016 10:53 pm
Igor_Michailov
(@igor_michailov)
Posts: 529
Honorable Member
 

Have problems with FileVault2 encrypted drives?
Here is how to image them:
http://www.weare4n6.com/imaging-apple-filevault2-encrypted-drives/

 
Posted : 08/07/2016 11:51 pm
citizen
(@citizen)
Posts: 38
Eminent Member
 

Assuming Igor's recommendation does not work… have you looked at how the disk is partitioned with a hex viewer? If so, what was the partitioning scheme? If it's GPT, this makes it easier to interpret.

https://en.wikipedia.org/wiki/GUID_Partition_Table

 
Posted : 09/07/2016 5:20 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Just to clear some inconsistencies.

A disk-like device seen as "non initialized" under any Windows NT means - strangely enough ;) - that it is "not initialized", which - translated back from MS terminology - means "there is no 55AA in the last two bytes of the first sector of the device or MBR".

A FileVault2 disk would normally have 2 (two) partitions, "Recovery and Macintosh HD", as in the given article
http://www.weare4n6.com/imaging-apple-filevault2-encrypted-drives/

If the disk is "MBR style" then any Windows NT will see its partition table (and the magic bytes 55AA).
If the disk is "GPT style" then any recent Windows NT will see its GPT partition table, and even non-recent Windows NT will be able to see the "protective MBR" that the GPT standard provides, the 55AA will also be seen by any Windows NT based system.

For the record, taking the SSD out of a flooded (with coffee) machine should actually be the FIRST option, while attempting to power up the machine should have been the VERY LAST option.

There are a library and tools (you will need to compile them yourself, I believe) by our fellow member Joachim Metz
http://forensicswiki.org/wiki/Libfvde
https://github.com/libyal/libfvde

But - as citizen pointed out - before going down that (or any other "filevault specific") path, a simple hex/disk editor will be enough to check whether there is actually any data on that device (please read as: check whether the SSD is still functional), and of course - as always - the first step would anyway be to make a dd-like, forensically sound image of it.

jaclaz

 
Posted : 09/07/2016 6:53 pm
(@badgerau)
Posts: 96
Trusted Member
 

This may be worth reading
https://az4n6.blogspot.com.au/2016/07/how-to-image-mac-using-single-user-mode.html

 
Posted : 10/07/2016 6:11 am
(@mark_adp)
Posts: 63
Trusted Member
 

1. Using either ftkimager command line for OS X or Paladin Boot CD, create a full forensic E01 image of the physical disk (/dev/disk0)

You should be able to start the process from this point on. I used to use the libfvde method, but this is no longer supported under El Capitan.

2. Using Paladin/similar tool, make a disk copy/clone of the physical disk (/dev/disk0) to an external HDD.

3. Power up a test/laboratory Macbook

4. Connect the external HDD containing the clone and run 'df' command to identify the disk number e.g. /dev/disk3 (this will be used through the remainder of this tutorial, but may differ from case to case)

5. Unmount the external HDD using the 'umount' command

6. Using the hdiutil command, attach the /dev/disk3 device, but do not allow it to mount. To do this run the following command

hdiutil attach -nomount /dev/disk3

You should be prompted for a password. If you do not know the password, you must either ask the officer in the case or attempt to crack it using the .wipekey file in the Recovery partition along with a binary dump of the encrypted volume (dd with no fragmentation).

7. Once hdiutil attach command has attached the disk, run the following command to check that it has been properly attached

diskutil list

Under the /dev/disk3 virtual disk, you should see 'Unlocked Encrypted'.

8a. You will now be able to perform a command line 'dd' image of /dev/disk3 to a second external disk using the following command

sudo dd if=/dev/disk3 of=/Volumes/target/imagename.dd

(You might need to use a mouse jiggler while performing your dd image to stop the machine from going to sleep.)

8b. Alternatively, you could use the OS X command-line version of ftkimager to image the mounted volume.

 
Posted : 10/07/2016 3:25 pm
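The imaging step above (mark_adp's step 1/8a, and jaclaz's "dd-like, forensically sound image" earlier) is the part a practitioner most needs to get right on a coffee-damaged SSD, because some sectors may no longer read. The Python below is an added illustration, not code from either poster: it copies a device the way `dd conv=noerror,sync` does (an unreadable sector is written as zeros so every later byte keeps its offset, and its LBA is logged), hashes what was written, and re-reads the output to verify the hash. The `FlakySource` class is a constructed stand-in for a failing disk and the 512-byte sector size is an assumption; on a real job you would point this at `/dev/rdiskN` (or, better, use ddrescue or ftkimager, which do the same thing with far more care).

```python
import hashlib
import io

SECTOR = 512          # assumed sector size of the source device


class FlakySource(io.BytesIO):
    """Constructed stand-in for a damaged SSD: any read touching a sector in
    `bad_sectors` fails with EIO, the way a dying device does. Test data only."""

    def __init__(self, data, bad_sectors):
        super().__init__(data)
        self.bad = set(bad_sectors)

    def read(self, n):
        first = self.tell() // SECTOR
        last = (self.tell() + n - 1) // SECTOR
        if any(s in self.bad for s in range(first, last + 1)):
            raise OSError(5, "Input/output error")
        return super().read(n)


def _read_at(src, offset, length):
    """Return exactly `length` bytes at `offset`, or None if the read failed or came short."""
    try:
        src.seek(offset)
        data = src.read(length)
    except OSError:
        return None
    return data if len(data) == length else None


def image_device(src, dst, size, block=64 * 1024):
    """dd-like copy of `size` bytes from `src` to `dst`.

    Mirrors `dd conv=noerror,sync`: a failed large read is retried one sector at a
    time, each sector that still fails is written out as zeros so every later byte
    keeps its original offset, and its LBA is recorded.
    Returns (sha256 hex digest of the bytes written, list of bad LBAs)."""
    h = hashlib.sha256()
    bad_lbas = []
    pos = 0
    while pos < size:
        n = min(block, size - pos)
        chunk = _read_at(src, pos, n)
        if chunk is None:
            chunk = bytearray()
            for off in range(pos, pos + n, SECTOR):
                m = min(SECTOR, pos + n - off)
                sec = _read_at(src, off, m)
                if sec is None:
                    sec = b"\x00" * m           # unreadable sector: zero-fill, keep alignment
                    bad_lbas.append(off // SECTOR)
                chunk += sec
        dst.write(chunk)
        h.update(chunk)
        pos += n
    return h.hexdigest(), bad_lbas


def verify_image(dst, expected_digest):
    """Re-read the written image from the start and confirm it hashes to what was acquired."""
    dst.seek(0)
    h = hashlib.sha256()
    for chunk in iter(lambda: dst.read(1024 * 1024), b""):
        h.update(chunk)
    return h.hexdigest() == expected_digest


def demo():
    """Image an 8-sector constructed device whose sector 3 is unreadable."""
    data = bytes(range(256)) * 16                      # 4096 bytes of constructed content
    out = io.BytesIO()
    digest, bad = image_device(FlakySource(data, {3}), out, len(data), block=2048)
    expected = data[:3 * SECTOR] + b"\x00" * SECTOR + data[4 * SECTOR:]
    clean_digest, _ = image_device(io.BytesIO(data), io.BytesIO(), len(data))
    return {"bad_lbas": bad,
            "layout_preserved": out.getvalue() == expected,
            "verified": verify_image(out, digest),
            "clean_matches": clean_digest == hashlib.sha256(data).hexdigest(),
            "digest": digest}
```

Record the bad-LBA list alongside the hash: it is what tells you later whether a gap in the decrypted file system is damage or something to look into. Note that on a CoreStorage disk the sectors you image this way are still ciphertext; unlocking (hdiutil attach, or libfvde) happens against the image or clone afterwards.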
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

6. Using the hdiutil command, attach the /dev/disk3 device, but do not allow it to mount. To do this run the following command

hdiutil attach -nomount /dev/disk3

You should be prompted for a password. If you do not know the password, you must either ask the officer in the case or attempt to crack it using the .wipekey file in the Recovery partition along with a binary dump of the encrypted volume (dd with no fragmentation).

This is the big problem behind this forum post: the password is unknown, .wipekey is not available, no memory dump is possible because the device is not accessible in locked state. Please correct me if I understood something wrong…

 
Posted : 16/07/2016 2:13 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

This is the big problem behind this forum post: the password is unknown, .wipekey is not available, no memory dump is possible because the device is not accessible in locked state. Please correct me if I understood something wrong…

Hey, you asked for it.
If everyone posts here WITHOUT reading the OP, it is likely that some misunderstanding can happen. What the OP stated in his/her original post (the essential points IMHO):

… I am trying to recover data off of after the whole Mac got covered with coffee.

When I try to turn it on, I hear the Mac startup chime, but nothing happens past that. …

Im pretty sure much of the hardware is fried.

My last option was to take the SSD out and attach it as an external drive to another device, although the disk is encrypted with FileVault2. I have the decryption password. ….

… I plugged the SSD into a Windows device just to see if anything different would happen, and I see it in Disk Management as a non initialized disk (assuming because of the encryption). EnCase did not detect the disk. The stick gets warm so I'm assuming that it is functioning still.

And in a numbered list:

  1. the Mac was covered with coffee (there is no detail if this happened while on or off)
  2. there were attempts to power the Mac on afterwards (there is no detail if this was attempted after having dismantled, washed and dried the machine); however the Mac is no longer functional
  3. the SSD was extracted and connected to other systems as an external device through an adapter
  4. the SSD has not been detected by another Mac
  5. the SSD has not been detected by EnCase on a Windows machine
  6. the SSD has been detected in Disk Management on a Windows machine as "uninitialized disk", and it is assumed that this is because of the encryption
  7. it is assumed that since the SSD gets warm, it is functioning

As posted before by Igor_Michailov, citizen and yours truly (again in a nutshell):
a) a FileVault2 device should show two partitions
b) Disk Management under Windows NT will show "uninitialized disk" when it cannot read the bytes 55 AA as the last two bytes of the first sector of the device; this could be BOTH because those values are not there or because the sector cannot be read properly
c) before anything else, a quick look at the first few sectors of the device with a hex/disk editor/viewer is advised, as it would allow one to verify the MBR or GPT partition table and verify that the SSD is actually working (there may be several reasons, including the adapter/converter or cable, why Disk Management cannot read those two bytes on the first sector)

No reply from the OP, but it is clear that until there is a confirmation that the SSD (besides being warm) is functional and can be accessed as a PhysicalDrive, anything else is premature or superfluous.

jaclaz

 
Posted : 16/07/2016 4:17 pm
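jaclaz's two posts above (the "55 AA in the last two bytes of sector 0" explanation and the recap in points a-c) describe a check that is worth doing programmatically rather than by eye. The Python below is an added example, not code from anyone in the thread: it reads sector 0 from a device or image, distinguishes "sector unreadable" from "readable but no 55 AA signature" (the two causes jaclaz lists for Windows' "not initialized"), and if the signature is there parses either the MBR entries or, when a protective 0xEE entry points to GPT, the GPT header and partition entries at LBA 1 onwards, labelling the Apple CoreStorage (FileVault2), Apple Boot (Recovery HD) and EFI type GUIDs. The GUID table is taken from public partition-type documentation, and `build_sample_gpt_image` constructs a toy 40-sector disk laid out like a FileVault2 Mac (EFI, Macintosh HD as CoreStorage, Recovery HD) so the code runs offline; neither is from the thread.

```python
import io
import struct
import uuid

SECTOR = 512
MBR_SIG = 0xAA55            # the bytes 55 AA at offset 510, read as a little-endian word
GPT_SIG = b"EFI PART"

# Partition type GUIDs a pre-APFS, FileVault2-era Mac disk is expected to carry
# (from public partition-type tables; an assumption, not from the thread).
KNOWN_GUIDS = {
    "c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System Partition",
    "53746f72-6167-11aa-aa11-00306543ecac": "Apple CoreStorage (FileVault2 container)",
    "426f6f74-0000-11aa-aa11-00306543ecac": "Apple Boot (Recovery HD)",
    "48465300-0000-11aa-aa11-00306543ecac": "Apple HFS+",
}


def read_sector(dev, lba):
    """Read one sector from a file-like object; None means it could not be read."""
    try:
        dev.seek(lba * SECTOR)
        data = dev.read(SECTOR)
    except OSError:
        return None
    return data if len(data) == SECTOR else None


def parse_gpt(dev):
    """Parse the GPT header at LBA 1 and return the non-empty partition entries."""
    hdr = read_sector(dev, 1)
    if hdr is None or hdr[:8] != GPT_SIG:
        return []
    entries_lba, count, entry_size = struct.unpack_from("<QII", hdr, 72)
    parts = []
    for i in range(count):
        sec = read_sector(dev, entries_lba + (i * entry_size) // SECTOR)
        if sec is None:
            break
        off = (i * entry_size) % SECTOR
        e = sec[off:off + entry_size]
        type_guid = str(uuid.UUID(bytes_le=e[0:16]))   # GPT stores GUIDs mixed-endian
        if type_guid == "00000000-0000-0000-0000-000000000000":
            continue                                    # unused slot
        first, last = struct.unpack_from("<QQ", e, 32)
        name = e[56:128].decode("utf-16-le").rstrip("\x00")
        parts.append({"type": KNOWN_GUIDS.get(type_guid, type_guid),
                      "name": name, "start_lba": first, "sectors": last - first + 1})
    return parts


def inspect_disk(dev):
    """What a hex-level look at the first sectors tells you, as a dict."""
    r = {"sector0_readable": False, "mbr_signature": False, "scheme": None, "partitions": []}
    s0 = read_sector(dev, 0)
    if s0 is None:
        return r          # cannot even read sector 0: suspect adapter, cable or the SSD itself
    r["sector0_readable"] = True
    if struct.unpack_from("<H", s0, 510)[0] != MBR_SIG:
        return r          # readable but no 55 AA: what Windows reports as "not initialized"
    r["mbr_signature"] = True
    entries = [s0[446 + 16 * i:446 + 16 * (i + 1)] for i in range(4)]
    if any(e[4] == 0xEE for e in entries):              # protective MBR entry => GPT disk
        r["scheme"] = "GPT"
        r["partitions"] = parse_gpt(dev)
    else:
        r["scheme"] = "MBR"
        r["partitions"] = [{"type": "0x%02x" % e[4],
                            "start_lba": struct.unpack_from("<I", e, 8)[0],
                            "sectors": struct.unpack_from("<I", e, 12)[0]}
                           for e in entries if e[4] != 0]
    return r


def inspect_bytes(data):
    """Same check over in-memory data (a small image, or constructed test data)."""
    return inspect_disk(io.BytesIO(data))


def build_sample_gpt_image():
    """Constructed 40-sector GPT image laid out like a FileVault2 Mac disk (not a real dump)."""
    img = bytearray(40 * SECTOR)
    # protective MBR: one type-0xEE entry spanning LBA 1..39, then the 55 AA signature
    struct.pack_into("<BBBBBBBBII", img, 446, 0, 0, 2, 0, 0xEE, 0xFF, 0xFF, 0xFF, 1, 39)
    struct.pack_into("<H", img, 510, MBR_SIG)
    hdr = bytearray(SECTOR)
    hdr[:8] = GPT_SIG
    struct.pack_into("<II", hdr, 8, 0x00010000, 92)     # revision 1.0, header size
    struct.pack_into("<QQ", hdr, 24, 1, 39)             # current and backup header LBAs
    struct.pack_into("<QII", hdr, 72, 2, 3, 128)        # entries at LBA 2, 3 entries of 128 bytes
    img[SECTOR:2 * SECTOR] = hdr
    layout = [("c12a7328-f81f-11d2-ba4b-00a0c93ec93b", "EFI", 6, 9),
              ("53746f72-6167-11aa-aa11-00306543ecac", "Macintosh HD", 10, 29),
              ("426f6f74-0000-11aa-aa11-00306543ecac", "Recovery HD", 30, 35)]
    for i, (guid, name, first, last) in enumerate(layout):
        off = 2 * SECTOR + i * 128
        img[off:off + 16] = uuid.UUID(guid).bytes_le
        img[off + 16:off + 32] = uuid.UUID(int=i + 1).bytes_le   # unique partition GUID
        struct.pack_into("<QQ", img, off + 32, first, last)
        img[off + 56:off + 56 + 2 * len(name)] = name.encode("utf-16-le")
    return bytes(img)
```

Run `inspect_bytes(build_sample_gpt_image())` to see the expected FileVault2 layout (a CoreStorage container plus a small Apple Boot partition, with the EFI system partition that most tools hide, which is why the thread counts two); `inspect_bytes(b"\x00" * 512)` shows the "readable but not initialized" case. On a Mac, `inspect_disk(open("/dev/rdiskN", "rb", buffering=0))` as root does the same against the attached SSD, and a `sector0_readable` of False there points at the enclosure, cable or the drive itself before any FileVault2 tooling is worth trying.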
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

You are right, thanks for correcting me! I have read the original post; I just have no idea why I misunderstood it, as if the password were not available. I think now all is clear…

Everybody else making this kind of mistake: don't reply to posts when you are tired!!! :)

 
Posted : 16/07/2016 5:59 pm
Page 1 / 2