Recently our lab has been seeing a lot of Apple FileVault2-encrypted drives. Thankfully, in most cases we had the pass phrase used for encryption. Nevertheless, imaging such drives can be a bit challenging, which is why we decided to write a short article about it.
About FileVault2
FileVault2 was introduced with Mac OS X Lion. It encrypts the entire OS X startup volume. The user’s login password is used as the encryption pass phrase. The disk is encrypted with AES in XTS mode, using 128-bit blocks and a 256-bit key.
Imaging
The first thing an examiner should do is to create a classic bit-for-bit copy of the entire drive. You can use, for example, this solution.
Let’s look at our image via FTK Imager:
As you can see, we have two partitions: Recovery and Macintosh HD. The first is browsable; the second is not, and its file system is reported as uncategorized. That’s because it’s encrypted.
Now we need a Mac-based computer. First, change the image extension from DD to DMG (hdiutil chooses the image handler by extension) and attach the file without mounting its volumes using the following command:
hdiutil attach -nomount /path/to/the/image
Let’s list the core storage partitions available:
diskutil cs list
Now you need to copy the Logical Volume GUID value (the GUID of the Logical Volume itself, not of the Logical Volume Group or Family) and paste it into the following command:
diskutil cs unlockVolume <GUID>
Type the pass phrase. That’s it – the volume is unlocked, and diskutil cs list now shows a disk identifier for it instead of -none-. Now you can create a bit-for-bit image of the unlocked volume using, for example, dd.
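The steps above, scripted as one shell workflow. This is an added example, not code from the original article or from Apple's tooling: the two parsing functions read diskutil cs list output and run anywhere with awk, and they are exercised here on constructed sample output with placeholder GUIDs; image_filevault2_volume (an assumed function name, with assumed evidence paths in its usage comment) is the part that actually calls hdiutil, diskutil and dd and has to be run by hand on a Mac.

```shell
#!/bin/sh
# Added example: scripts the attach -> list -> unlock -> dd workflow from the
# article. Only image_filevault2_volume() touches hdiutil/diskutil/dd; it is
# never called at top level, so the rest of the file runs on any POSIX system.

# Print the GUID of every CoreStorage Logical Volume found in `diskutil cs list`
# output read from stdin. Group and Family lines do not match because the text
# after "Logical Volume " must be a pure hex/hyphen GUID up to end of line.
extract_lv_guids() {
    awk '/Logical Volume [0-9A-Fa-f-]+$/ { print $NF }'
}

# Given a Logical Volume GUID, print the "Disk:" field of that LV's block from
# `diskutil cs list` output on stdin: "-none-" while locked, "diskN" once unlocked.
lv_disk_for_guid() {
    awk -v guid="$1" '
        $0 ~ ("Logical Volume " guid "$") { in_lv = 1; next }
        in_lv && /Disk:/ { print $2; exit }
    '
}

# Mac-only workflow (assumed name and paths); run manually, for example:
#   image_filevault2_volume /Volumes/Evidence/drive.dmg /Volumes/Evidence/macintosh_hd.dd
image_filevault2_volume() {
    img=$1
    out=$2
    # The DD image was renamed to .dmg first, as the article recommends.
    hdiutil attach -nomount "$img" >/dev/null
    guid=$(diskutil cs list | extract_lv_guids | head -n 1)
    [ -n "$guid" ] || { echo "no CoreStorage Logical Volume found" >&2; return 1; }
    echo "unlocking Logical Volume $guid (pass phrase prompt follows)"
    diskutil cs unlockVolume "$guid"
    disk=$(diskutil cs list | lv_disk_for_guid "$guid")
    if [ -z "$disk" ] || [ "$disk" = "-none-" ]; then
        echo "volume is still locked" >&2
        return 1
    fi
    # unlockVolume may mount the volume; unmount so dd reads a quiescent device.
    diskutil unmount "/dev/$disk" >/dev/null 2>&1 || true
    dd if="/dev/r$disk" of="$out" bs=1m
    shasum -a 256 "$out"
}

# Constructed `diskutil cs list` excerpt (not output from a real case) with
# placeholder GUIDs, showing the volume in its locked state.
SAMPLE_LOCKED='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 00000000-AAAA-BBBB-CCCC-000000000001
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume 00000000-AAAA-BBBB-CCCC-000000000002
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk2s2
    |   Status:   Online
    |
    +-> Logical Volume Family 00000000-AAAA-BBBB-CCCC-000000000003
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        Encryption Status:       Locked
        |
        +-> Logical Volume 00000000-AAAA-BBBB-CCCC-000000000004
            ---------------------------------------------------
            Disk:                  -none-
            Status:                Locked
            LV Name:               Macintosh HD'

# The same listing as it would look after a successful unlock (constructed).
SAMPLE_UNLOCKED=$(printf '%s\n' "$SAMPLE_LOCKED" | sed -e 's/-none-/disk3/' -e 's/ Locked$/ Unlocked/')

# Offline demonstration of the parsers on the constructed listings.
demo() {
    guid=$(printf '%s\n' "$SAMPLE_LOCKED" | extract_lv_guids)
    echo "Logical Volume GUID: $guid"
    echo "before unlock, Disk: $(printf '%s\n' "$SAMPLE_LOCKED" | lv_disk_for_guid "$guid")"
    echo "after unlock,  Disk: $(printf '%s\n' "$SAMPLE_UNLOCKED" | lv_disk_for_guid "$guid")"
}
demo
```

The parsers exist so the examiner does not have to copy the GUID by hand, and so the script can refuse to run dd while the Logical Volume still reports -none- as its disk. The image is taken from the raw device (/dev/rdiskN) after unmounting, and a SHA-256 of the result is printed for the case notes.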
About the authors:
Interests: Computer, Cell Phone & Chip-Off Forensics
Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics