Hello fellow investigators,
I am currently working on a case that involves a Mac where the home directory is encrypted with a sparsebundle; unfortunately a live acquisition with memory was not possible at the time. I have read some articles and papers where people claimed that the algorithm is not that tough (FYI, it uses AES-128). However, I am having some difficulties with it. None of my fellow investigators has worked with sparsebundles or sparseimages before.
I am currently running a dictionary attack on the keychain file (currently at about 900 000 attempts) but so far no luck.
I checked the sleepimage and swapfile for passwords, but also no luck.
As I am searching for alternative approaches, Mac Lock Pick 2.2 comes to my mind; however, the main component (Apple Key Chain extractor) that would be of interest is only available to LE, and would also require the situation for a live acquisition.
Any ideas?
Thanks!
As far as dictionary-based cracking goes, you have basically three options: the FileVault recovery keychain, the user's login password, and the encrypted sparsebundle itself. If this is a FileVault-encrypted home directory for an active user, then the user login password and FileVault password must be the same. The user's login password is, cryptographically, the weakest. There should be a modified John the Ripper that can handle this. For targeting the sparsebundle itself, both Mac Marshal and crowbarDMG can handle this.
Thanks for the reply.
I have been trying to crack the FileVault Keychain, but no luck as of yet.
Due to the knowledge level of the user, I am certain that he has used a complex password. I agree that the user login password should be the easiest, although it's Leopard and I think that the password uses a salted SHA1 hash. crowbarDMG did not work for me since this sparsebundle has a bunch of files, not a single image. I am using crowbarKC on the FileVault Keychain. JTR does not handle salts, or at least not very well. I am checking now to see if there is a zero-salted SHA1 or an NTLM, which I doubt, but I will check anyway.
What do you think of Rainbow tables, any chance of dealing with the salt?
Mac Marshal looks good, but I can't find any info on how it approaches the FileVault (only from memory, brute force, etc.). I will try to contact them.
Thanks!
You could also try this. Restore the image to a drive, boot the Mac with the OS X (assuming it is OS X) disc and change the admin password to get into the machine. From there you can reset the user password and possibly the FileVault password at the same time.
Got this from the book Mac OS X, iPod and iPhone Forensics, page 141. There are other tools out there to crack the sparseimage file directly. Being as I am new to Mac forensics, I am still trying to find ones that work. Hope this helps in some small way.
You can also check if there are some network shares with Samba, since Samba for backward compatibility uses NTLM passwords, and if you have some luck, the password is the same as the user's.
This won't work. The user login is used as part of the key generating scheme for the FileVault; it is not the key for the FileVault itself. If you change the login passphrase but are not logged into FileVault as the owner, the FileVault encryption key will not be changed.
You may want to try vfcrack. This pdf http//
I agree with Beetle that changing the login will not grant access to the FileVault. Yes, I have looked at vfcrack, which also was demonstrated at CCC, but again, I was not impressed. You can see that the demonstrated password was very short and easy. Not trying to discredit these guys for all of their great research, but I think that in a lot of research papers there is some difference between being applicable in theory and in the real world. I also tried calling the guys that develop the Mac Lock Pick a few times yesterday, but I never got anyone to actually answer the phone. However, while my attempt at cracking the FileVault keychain has now reached over 2 million combinations and is still going, I have a possible alternative solution that I am working on.
I will keep you guys posted. Thanks for all the valuable input!
There should be a patch to JtR to handle Apple's salted-SHA1 password format. Unfortunately, with salts, rainbow tables are basically useless; you're stuck brute-forcing passwords. However, brute-forcing the login password is more than 1000 times easier than brute-forcing a FileVault password (despite the fact that they're the same password) – the stored value for login is a single SHA1 computation, but testing a FileVault password takes a thousand SHA1 computations (and then one cheap 3DES decrypt).
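As an added illustration of the work-factor difference this reply describes (example code, not from anyone in the thread): a Python model of a single salted SHA-1 login hash beside a 1000-round PBKDF2-HMAC-SHA1 derivation, counting hash invocations per candidate check. The SHA1(salt || password) layout with a 4-byte salt, and PBKDF2 as the iterated step, are assumptions for illustration, not Apple's exact formats; the sample password and salt are constructed.

```python
import hashlib
import hmac
import struct

# Constructed sample values for the demo; not credentials from the thread.
PASSWORD = b"correct horse battery"
SALT = b"\x13\x37\xc0\xde"
FILEVAULT_ROUNDS = 1000  # the "thousand SHA1 computations" quoted above


def login_hash(password: bytes, salt: bytes) -> bytes:
    """One salted SHA-1 pass, modelled on the Leopard-era login hash
    (assumed form: SHA1(salt || password), stored with the salt prepended)."""
    return salt + hashlib.sha1(salt + password).digest()


def pbkdf2_sha1_block(password: bytes, salt: bytes, rounds: int):
    """PBKDF2-HMAC-SHA1 (RFC 2898), single 20-byte block, written out so the
    work factor is visible. Returns (derived_key, number_of_hmac_calls)."""
    block = hmac.new(password, salt + struct.pack(">I", 1), hashlib.sha1).digest()
    result = bytearray(block)
    calls = 1
    for _ in range(rounds - 1):
        block = hmac.new(password, block, hashlib.sha1).digest()
        calls += 1
        result = bytearray(a ^ b for a, b in zip(result, block))
    return bytes(result), calls


def filevault_key(password: bytes, salt: bytes, rounds: int = FILEVAULT_ROUNDS) -> bytes:
    """Iterated derivation standing in for the FileVault passphrase-to-key step
    (assumed here to be PBKDF2 with 1000 rounds; Apple's exact parameters are
    not given on the page)."""
    key, _ = pbkdf2_sha1_block(password, salt, rounds)
    return key


def reference_key(password: bytes, salt: bytes, rounds: int = FILEVAULT_ROUNDS) -> bytes:
    """Standard-library PBKDF2 used to cross-check the hand-written loop."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, rounds, 20)


def verify_login(candidate: bytes, stored: bytes) -> bool:
    """Check a candidate against a stored login hash in constant time."""
    return hmac.compare_digest(login_hash(candidate, stored[:4]), stored)


def work_factor_ratio(rounds: int = FILEVAULT_ROUNDS) -> int:
    """Hash invocations per guess: iterated KDF vs. the single-pass login hash."""
    _, kdf_calls = pbkdf2_sha1_block(PASSWORD, SALT, rounds)
    return kdf_calls // 1


if __name__ == "__main__":
    print("login hash:", login_hash(PASSWORD, SALT).hex())
    print("kdf key   :", filevault_key(PASSWORD, SALT).hex())
    print("per-guess work factor:", work_factor_ratio())
```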
I was able to crack the encrypted sparsebundle! Since this system was upgraded, a non-salted SHA1 hash was available and I put the Rainbow tables to work. Thanks again to everyone for their input.
P.S. crowbarKC was still running after almost 4 million attempts on the FileVault keychain itself.
Thanks
CONGRATULATIONS AvRM on cracking the sparsebundle!
My question concerning the Mac .keychain file is this:
How on earth do you locate its shadow file/hash, or extract the hash from the .keychain file itself?
I am a new member to this site, and hope that this is a beginning to many discoveries for FA. Any information would be very much appreciated!
Thanks