Yubikey and Mac OSX Encryption


UnallocatedClusters
Senior Member
 


Posted: Feb 14, 20 23:14

Colleagues,

EDIT: When I booted the iMac to MacQuisition, there was no icon visible at all for the internal hard drive, just the MacQuisition icons. Thus it is my opinion that the internal hard drive holds no operating system. As an interesting side note, Recon Imager boots directly into Recon Imager on this particular iMac without the option to choose which version of Recon Imager to boot to (A/B/C), whereas MacQuisition does not boot directly to MacQuisition, but instead allows one to choose which version of MacQuisition to boot into.


I have a strange situation:

I used Sumuri Recon Imager to generate both a physical and logical image of a 2015 Apple iMac (no T2 chip); Recon Imager reports the total internal drive capacity to be 2.7TB, and both resulting DMG images are around 1TB in size.

However, both iMac forensic images created by Sumuri Recon Imager do not contain a file system (no files nor folders) that can be seen by BlackLight, notwithstanding the fact that Recon Imager successfully created two hash value matching DMG images (physical and logical), at least according to Recon Imager's imaging logs.

2. When I booted the iMac to Recon Imager by holding down the option key, the iMac automatically and directly booted to Recon Imager without allowing me to choose to boot to the internal drive or Recon Imager; normally holding down the option key will bring up icons for the internal Mac drive as well as icons for Recon Imager, but this iMac boots directly to Recon Imager with no option to choose to boot to the internal hard drive.

3. I have NOT booted the iMac into the Mac OSX directly to see if there is even an OS present on the internal drive as this case might turn into a criminal matter (currently a civil matter); a simple explanation to what I am seeing is that there is no OS installed on the internal drive.

4. There is a Yubikey 5 Nano plugged in to the back of the iMac, which could possibly be encrypting the drive contents; I booted the iMac to Recon Imager both with the Yubikey plugged in and without the Yubikey plugged in but in both instances the iMac booted directly to Recon Imager and Recon Imager detected no encryption in place for the internal drive.

5. Recon Imager does NOT show the internal iMac drive as being encrypted at all; this is a 2015 iMac and no T2 chip is present.

My plan is to attempt to image the iMac using MacQuisition next.

I am curious to see if MacQuisition also boots immediately when I hold down the option key and also if MacQuisition does not detect any encryption in place.

I suspect that the iMac is in fact FileVault encrypted and also configured to be used with the Yubikey: support.yubico.com/sup...tion-guide

I have NOT attempted to boot the iMac to the Mac OSX and would like to avoid doing so for obvious reasons.

Perhaps the addition of the Yubikey to FileVault is preventing Recon Imager from detecting the FileVault encryption?

It is also very strange that holding down the option key does not allow one to choose the internal hard drive or the Recon Imager dongle as boot options......  
 
