Powered on locked MacBook pro 2018

5 Posts
4 Users
0 Reactions
1,340 Views
(@pfressola)
New Member
Joined: 8 years ago
Posts: 4
Topic starter

Hi everyone, I have a MacBook Pro 2018 that was seized from a homicide. The device was found on but is password protected. Is there a way to do a RAM dump to possibly get the user password?

Thanks


(@armresl)
Noble Member
Joined: 21 years ago
Posts: 1011
 

It's currently still on?



(@dandaman_24)
Estimable Member
Joined: 11 years ago
Posts: 172
 


The only way to get a RAM dump is if you have the password for the device and can get into the OS.

If the device has been switched off, I would still dump the RAM, as previous tests show that RAM still keeps some data after being powered off. You won't get the FileVault password/hash in the RAM though.

It is highly likely your Mac has a T2 chip; you will need to boot it into TDM and image it to obtain the disk, then look for the hash there. Look online for instructions on where to find this.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

There are some papers that say that you can, but it's trivial to explain that in court.

Can you clarify what you mean?

Anyway, from the article you linked to, the first approach has been patched since December 2016, with the release of macOS 10.12.2.

The second seems more like a PoC (on MacOS) than anything else, since
https://github.com/ufrisk/pcileech#limitationsknown-issues

Limitations/Known Issues

Does not work if the OS uses the IOMMU/VT-d. This is the default on macOS (unless disabled in recovery mode).

jaclaz


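As an added triage helper (not code from the thread or from the pcileech project): the quoted pcileech limitation turns on whether the Mac's IOMMU (VT-d, Apple's DART) is active, which on macOS is only false when it was disabled from recovery mode with the boot argument dart=0. The script below classifies a machine's posture from that boot argument and from whether a T2 chip is reported. It assumes that on a live Mac the two inputs would come from `nvram boot-args` and `system_profiler SPiBridgeDataType`; the texts embedded here are constructed samples so it runs anywhere.

```shell
#!/bin/sh
# Added example, not from the thread. Decides from two artefacts whether
# DMA-based memory acquisition is even on the table for an Intel Mac:
#   1. boot-args containing "dart=0" (VT-d/DART IOMMU disabled via recovery)
#   2. an Apple T2 chip being reported (disk route via TDM instead)
# Assumed sources on a live Mac: `nvram boot-args` and
# `system_profiler SPiBridgeDataType`. Samples below are constructed.

# parse_boot_args NVRAM_OUTPUT -> value of boot-args, empty if unset
parse_boot_args() {
    printf '%s\n' "$1" | sed -n 's/^boot-args[[:space:]]*//p'
}

# has_t2 PROFILER_TEXT -> exit 0 if an Apple T2 chip is reported, else 1
has_t2() {
    printf '%s\n' "$1" | grep -q 'Apple T2'
}

# dma_posture NVRAM_OUTPUT PROFILER_TEXT -> prints one word:
#   vtd-disabled : dart=0 set, IOMMU off, DMA acquisition not blocked
#   t2-vtd-on    : IOMMU on and T2 present (image the disk via TDM)
#   vtd-on       : IOMMU on, no T2 reported
dma_posture() {
    args=$(parse_boot_args "$1")
    case " $args " in
        *" dart=0 "*) echo "vtd-disabled"; return 0 ;;
    esac
    if has_t2 "$2"; then echo "t2-vtd-on"; else echo "vtd-on"; fi
}

# Constructed sample inputs (not captured from a real machine).
NVRAM_SET=$(printf 'boot-args\tdart=0 -v')
NVRAM_UNSET=''
PROFILER_T2='iBridge:

    iBridge:

      Model Name: Apple T2 Security Chip'
PROFILER_NO_T2='iBridge:

    iBridge:

      Model Name: none'

echo "dart=0 set, T2 present : $(dma_posture "$NVRAM_SET" "$PROFILER_T2")"
echo "defaults, T2 present   : $(dma_posture "$NVRAM_UNSET" "$PROFILER_T2")"
echo "defaults, no T2        : $(dma_posture "$NVRAM_UNSET" "$PROFILER_NO_T2")"
```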
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

@jaclaz I'm happy to hear any other ideas. The POC is as is. I don't know the OS version on the MacBook Pro, so it's merely a suggestion to start a search. The alternative is shutting down the laptop and hoping for the best.

What I didn't understand (and still don't) is the sentence

There are some papers that say that you can, but it's trivial to explain that in court.

If (as in the OP) the MacBook is a "MacBook pro 2018", surely it will be running an OS later than December 2016, and most probably (like 99.99% probable) it will use "default settings", including the IOMMU/VT-d (whatever it is).

The first part seemingly doesn't apply (as the given [1] possibilities seemingly don't work), but IF they did, would it be trivial or non-trivial to explain that in court?

jaclaz

[1] by given possibilities I mean the two that were originally posted
https://www.tomshardware.com/news/mac-encryption-passwords-dma-attack,33209.html
https://github.com/ufrisk/pcileech
before you added the Passware and the other references.

