Apple FileVault 2

(@wotsits)
Reputable Member
Joined: 10 years ago
Posts: 253
Topic starter  

Any way around a Mac that is encrypted with FileVault 2 and powered off?

My understanding is that the way it works is slightly different to other full disk encryption software in that it only encrypts the startup disks. Could there be another way of acquiring the rest of the data?


   
(@davepawlak)
Eminent Member
Joined: 15 years ago
Posts: 29
 

A little more about the Mac you are hoping to image would be helpful to better answer your question.

However, generally FV2 is FVE not FDE. So the data available are the EFI and Recovery Volumes. You can exploit data from the Recovery Partition to aid in cracking the FV2 password. Thus, FV2 is not impenetrable by any means. It's just difficult to crack if the FV2 password is complex.

Generally Macs only come with one internal drive nowadays. A user may encrypt an external disk with FV2, but I don't often see it in my case work. We do see FV2 encrypted Macs often.

You can look at libfvde and mount the volume on another Mac if you have the recovery key or password as well.


   
(@wotsits)
Reputable Member
Joined: 10 years ago
Posts: 253
Topic starter  

It's a MacBook Pro laptop circa 2010. I'm certain the owner would have used a complex password.

Can you elaborate a bit more on what you mean by using the available volumes or any other routes to gain access?

Thank you


   
(@davepawlak)
Eminent Member
Joined: 15 years ago
Posts: 29
 

Is the device dated circa 2010 or the install dated circa 2010? FileVault 2 was released with OS X Lion, which wasn't officially released until July 2011.

If the equipment is circa 2010 and the install is current…

If you have access to AccessData PRTK or Passware Kit Forensic, they both have options. You will need to copy out the EncryptedRoot.plist.wipekey from the recovery partition and the encrypted volume. If you have other devices, you can put together a list of passwords you derive from them and they use this as the first attack in both PRTK and PKF. Then each piece of software will revert to more complex means.


   