Filevault 2 Encrypt...
 
Notifications
Clear all

Filevault 2 Encrypted HDD image

13 Posts
6 Users
0 Reactions
2,458 Views
(@badgerau)
Trusted Member
Joined: 12 years ago
Posts: 96
 

Have you considered that the Filevault password and the login password may be different?

Accessing the drive from a OSX VM should work if you don't have access to Apple hardware.


   
ReplyQuote
Adam10541
(@adam10541)
Honorable Member
Joined: 13 years ago
Posts: 550
Topic starter  

Citizen is correct, Blacklight on Windows can't decrypt FV2 even when you know the password, it must be run on a Mac to deal with that.

All in all pretty impressed with Blacklight, only complaint is that it's verrrrry slow but that may be because it's the trial version or maybe running on Windows slows it down. Will definitely be looking to add it to the arsenal and maybe see if I can convince the boss to splash out on a Mac analysis machine as well.


   
ReplyQuote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Just in case, a newish thingy
http//blog.frizk.net/2016/12/filevault-password-retrieval.html
https://github.com/ufrisk/pcileech

macOS FileVault2 let attackers with physical access retrieve the password in clear text by plugging in a $300 Thunderbolt device into a locked or sleeping mac. The password may be used to unlock the mac to access everything on it. To secure your mac just update it with the December 2016 patches.

Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access - unless the mac is completely shut down. If the mac is sleeping it is still vulnerable.

Just stroll up to a locked mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!

jaclaz


   
ReplyQuote
Page 2 / 2
Share: