I have a MacBook Pro which has FileVault enabled. I've been able to decrypt the login password with Passware and am in the process of acquiring a live unencrypted image with FTK Imager CLI.
I had used a WinFE boot USB previously and XWF to acquire an image, but this was before I realised FileVault was enabled.
This got me thinking (and this is a purely academic exercise, as I don't need to do it): are there any Windows-based applications which will let me access the encrypted E01 image files, given that I know the password to access the volume?
I guess I'm thinking in terms of how Windows behaves if you attach a VHD of a BitLocker volume, or how Arsenal prompts for the BitLocker key when you mount an encrypted volume.
I installed MacDrive Pro on one of my machines, but it completely borked it up and I had to system restore to get it working again. That software seems to be extremely buggy, based on other forum posts I've seen about it.
Try this
http//
It has this library
https://
Good luck.
I've played around with SIFT before and I find it a particularly frustrating piece of software.
I reckon it's possible through DFVFS, but I don't know how.
If it is then there's a possibility that you could use Pancake Viewer in the future
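Whichever route you take (dfVFS, libfvde's fvdemount, or a commercial tool), the first thing you need from the image is where the FileVault 2 CoreStorage container and the Recovery HD partition sit, because libfvde wants the container's byte offset (its `-o` option) and the `EncryptedRoot.plist.wipekey` file from Recovery HD alongside the password. The script below is an added example, not code from the thread or from the dfVFS/libfvde projects: it walks the GPT of a raw disk image and returns both partitions' offsets. The sample image it builds is a constructed 34-sector GPT laid out like a FileVault-era MacBook disk, not a real acquisition; on a real case you would run `parse_gpt` over the raw (ewfmount/libewf-decoded) view of the E01 instead.

```python
"""Locate the FileVault 2 (CoreStorage) container and the Recovery HD
partition inside a raw disk image by walking its GPT.

Added example, not from the original thread. build_sample_image() is a
constructed GPT, not a real MacBook image; the partition type GUIDs are
Apple's and the EFI spec's published values.
"""
import struct
import uuid

SECTOR = 512
GPT_SIGNATURE = b"EFI PART"

# GPT partition type GUIDs (published values).
APPLE_CORESTORAGE = uuid.UUID("53746F72-6167-11AA-AA11-00306543ECAC")
APPLE_BOOT = uuid.UUID("426F6F74-0000-11AA-AA11-00306543ECAC")  # "Recovery HD"
APPLE_HFS = uuid.UUID("48465300-0000-11AA-AA11-00306543ECAC")
EFI_SYSTEM = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")


def parse_gpt(image: bytes, sector: int = SECTOR) -> list:
    """Return the non-empty partition entries of a GPT-formatted image."""
    header = image[sector:2 * sector]          # primary GPT header lives at LBA 1
    if header[:8] != GPT_SIGNATURE:
        raise ValueError("no GPT header at LBA 1 (MBR-only, or not a disk image)")
    (entries_lba,) = struct.unpack_from("<Q", header, 72)
    num_entries, entry_size = struct.unpack_from("<II", header, 80)
    base = entries_lba * sector
    partitions = []
    for i in range(num_entries):
        raw = image[base + i * entry_size: base + (i + 1) * entry_size]
        if len(raw) < 128:
            break                              # entry array runs off the end of the image
        # GPT stores GUIDs in Microsoft mixed-endian form, which is uuid's bytes_le.
        type_guid = uuid.UUID(bytes_le=raw[0:16])
        if type_guid.int == 0:
            continue                           # unused slot
        first_lba, last_lba, _attrs = struct.unpack_from("<QQQ", raw, 32)
        name = raw[56:128].decode("utf-16-le").rstrip("\x00")
        partitions.append({
            "index": i,
            "type": type_guid,
            "unique": uuid.UUID(bytes_le=raw[16:32]),
            "name": name,
            "offset": first_lba * sector,                  # byte offset for fvdemount -o
            "size": (last_lba - first_lba + 1) * sector,
        })
    return partitions


def find_filevault_volumes(image: bytes, sector: int = SECTOR) -> dict:
    """Pick out the CoreStorage container (holds the FV2-encrypted volume) and
    the Recovery HD partition (holds EncryptedRoot.plist.wipekey).
    Either value is None when the image has no such partition."""
    result = {"corestorage": None, "recovery": None}
    for part in parse_gpt(image, sector):
        if part["type"] == APPLE_CORESTORAGE and result["corestorage"] is None:
            result["corestorage"] = part
        elif part["type"] == APPLE_BOOT and result["recovery"] is None:
            result["recovery"] = part
    return result


def build_sample_image() -> bytes:
    """Constructed 34-sector image: zeroed protective MBR, GPT header, and
    three entries shaped like a FileVault-era MacBook disk (assumed layout)."""
    def entry(type_guid, first, last, name):
        raw_name = name.encode("utf-16-le").ljust(72, b"\x00")
        return (type_guid.bytes_le + uuid.UUID(int=first).bytes_le
                + struct.pack("<QQQ", first, last, 0) + raw_name)

    entries = (entry(EFI_SYSTEM, 40, 409639, "EFI System Partition")
               + entry(APPLE_CORESTORAGE, 409640, 976252167, "Macintosh HD")
               + entry(APPLE_BOOT, 976252168, 977521703, "Recovery HD"))
    header = (GPT_SIGNATURE
              + struct.pack("<IIII", 0x00010000, 92, 0, 0)        # revision, size, crc, reserved
              + struct.pack("<QQQQ", 1, 977523247, 34, 977523214)  # this/backup LBA, usable range
              + uuid.UUID(int=0xABCD).bytes_le                     # disk GUID
              + struct.pack("<QIII", 2, 128, 128, 0))              # entry LBA, count, size, crc
    return (bytes(SECTOR)                          # LBA 0: protective MBR (zeroed here)
            + header.ljust(SECTOR, b"\x00")        # LBA 1: GPT header
            + entries.ljust(32 * SECTOR, b"\x00"))  # LBA 2-33: partition entry array


if __name__ == "__main__":
    for role, part in find_filevault_volumes(build_sample_image()).items():
        print(role, part["name"], "offset", part["offset"], "size", part["size"])
```

The `offset` of the `corestorage` entry is what you would pass to `fvdemount -o`, together with `-p <password>` and `-e EncryptedRoot.plist.wipekey` extracted from the `recovery` partition; a missing `recovery` entry is the usual reason libfvde cannot unlock a CoreStorage volume even with the right password.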
If you want to share what you did that didn't work, or what you have questions on, I'm pretty confident we could point out references and other steps.
The frustration with SIFT comes primarily from my own lack of experience with using CLI-based forensic software and a lack of time/willingness to learn.
I know the team that put SIFT together know their stuff and I have full confidence that the software does what it says on the box; it's purely a "me" problem with this.
I may sit down again at some point if I get a week off to look closer at the software, but one thing that jumped out at me straight away is the lack of clear 'how to' guides on using the software. There is plenty of information out there, but it all seems written with the presupposition that the reader/user has an advanced understanding of using Unix-based OSes, so lots of helpful information is missing.
To be honest I don't have a massive motivation to learn the software, as I have a pretty decent library of commercial tools, but every now and then something comes along where SIFT or one of the open-source tools would be good to know.
I use Paladin and DEFT semi-regularly, so I'm not averse to these types of tools; I just find it difficult to get my head thinking in that direction, I guess.
Yeah… if you're averse to using a CLI, that might hold you back from FOSS options. I am curious if you will get any more replies. The message I have gotten, as a rule of thumb from other practitioners, is that you need a Mac to do Mac forensics. If you took the time to mess with the CLI side of things (check out linuxleo), it might pay you back if getting a Mac is not an option for your shop.
Blacklight would work for this case. (https://www.blackbagtech.com/blacklight.html) It's very handy and has both Windows and Mac version installs.
It cannot decrypt FV2-protected drives. (As of 2016R1… maybe R2.) You have to run it on a Mac.
I haven't tried this, but it may work through a write blocker:
http//
I just loaded up an encrypted DMG and it was quite easy to use.
The menu options indicate that you can use it for a drive as well.