Decrypting FileVaul...
 
Notifications
Clear all

Decrypting FileVault and Samsung Galaxy Note 9  

  RSS
DarrenF
(@darrenf)
New Member

Hi

I am a Digital Forensic analyst based in Ireland. Mostly focused on Windows devices and industrial systems.

Now my lab has a challenge to work with FileVault encrypted Macbook (early 2014 model) and passcode locked Samsung Galaxy Note 9 (encrypted by default?). I am not really familiar with these devices.

I have acquired a raw .dd image from a Macbook using Guymager on Caine from a macbook but somehow Elcomsoft Disk Decryptor does not allow me to extract a hash from it so i could start a brute force attack. Neither Oxygen Forensic Detective nor Magnet AXIOM can do anything with that image too. Any ideas on this? Could i be doing something wrong?

As for Samsung Galaxy Note 9 now this is a tricky one. Not much luck with Oxygen or AXIOM with this model in terms of acquisition. What options are left? Did anyone ever encounter locked devices like this for physical acquisition? Is there a way to do a raw image of the file system for further decryption or brute force attacks if the device is passcode locked? Good chances that this particular phone will have FRP protection enabled. Bootlocker is unlocked as far as i understand.

I would appreciate any suggestions from experts.

Quote
Posted : 25/07/2019 12:47 pm
Rich2005
(@rich2005)
Senior Member

Hi

I am a Digital Forensic analyst based in Ireland. Mostly focused on Windows devices and industrial systems.

Now my lab has a challenge to work with FileVault encrypted Macbook (early 2014 model) and passcode locked Samsung Galaxy Note 9 (encrypted by default?). I am not really familiar with these devices.

I have acquired a raw .dd image from a Macbook using Guymager on Caine from a macbook but somehow Elcomsoft Disk Decryptor does not allow me to extract a hash from it so i could start a brute force attack. Neither Oxygen Forensic Detective nor Magnet AXIOM can do anything with that image too. Any ideas on this? Could i be doing something wrong?

As for Samsung Galaxy Note 9 now this is a tricky one. Not much luck with Oxygen or AXIOM with this model in terms of acquisition. What options are left? Did anyone ever encounter locked devices like this for physical acquisition? Is there a way to do a raw image of the file system for further decryption or brute force attacks if the device is passcode locked? Good chances that this particular phone will have FRP protection enabled. Bootlocker is unlocked as far as i understand.

I would appreciate any suggestions from experts.

Cellebrite has been catching up with the Samsungs. They're up to Galaxy Note 8's for bypassing the lock and getting a physical extraction. I would imagine they'll probably cover 9's at some point.

Don't know if you've seen it but there's a elcomsoft blog guide for your Filevault problem in case that helps https://blog.elcomsoft.com/2016/07/mac-os-forensics-attacking-filevault-2/

ReplyQuote
Posted : 25/07/2019 4:10 pm
DarrenF
(@darrenf)
New Member

Cellebrite has been catching up with the Samsungs. They're up to Galaxy Note 8's for bypassing the lock and getting a physical extraction. I would imagine they'll probably cover 9's at some point.

Don't know if you've seen it but there's a elcomsoft blog guide for your Filevault problem in case that helps https://blog.elcomsoft.com/2016/07/mac-os-forensics-attacking-filevault-2/

Thanks for the tip on Cellebrite. I can also imagine Oxygen and Axiom will step up in a year or so but i have to tackle the job now somehow or at least find a way to make raw image of android on a locked phone in a forensically sound way to the extent that is possible given the circumstances.

As for Elcomsoft, this is a dated guide, i am using a newer version of their software to no avail. It just does not process raw .dd image for whatever reason, Oxygen can see it but there is no attack option in their software.

ReplyQuote
Posted : 25/07/2019 4:45 pm
(@unallocatedclusters)
Senior Member

Here are some ideas

MacBook

1. Attack Cloud Sources to get to MacBook data

A judges order to Apple to provide access to the MacBook owner's iCloud account might help reveal the FileVault encryption password used by the MacBook owner assuming the FileVault and iCloud login passwords were similar or identical; use the data produced by Apple in response to the judge's order to create a custom dictionary file to feed to Elcomsoft or Passware tools.

Use OSINT tools to also create a custom dictionary file based upon publicly available information about the MacBook owner (social media sites, www.whitepages.com, etc.)

My understanding is that a custom dictionary can radically speed up the decryption process.

2. Attempt to boot your forensic image using VMWare or Virtual Box to make sure you have a good physical image.

3. Test your DD image with TestDisk (https://www.cgsecurity.org/wiki/TestDisk_FAQ) and donate to TestDisk's author please.

"How to open the image.dd file ?
An image is interesting if the original disk has physical problem (ie. bad sectors) or if you really need a copy.

Linux.png mount -o loop,ro image.dd directory
Mac.png Macosx.png rename image.dd to image.img or image.dmg and double-click on the file
Specify the image pathname in parameter to run TestDisk or PhotoRec on the disk image."

ReplyQuote
Posted : 26/07/2019 1:27 am
Share: