Encrypted Mac image missing Recovery HDD and Un-mountable

8 Posts
4 Users
0 Likes
786 Views
one234
(@one234)
Posts: 16
Active Member
Topic starter
 

Hello all

I'm a digital forensics analyst and am experienced in mainly Windows platforms and mobile devices. Today I have a problem on a Mac image which I'm hoping to pick your brain on.

Our firm currently has this project going on involving a number of mobile devices and laptop images. One of the exhibits we received is a ~250 GB .img disk image created using dc3dd by the client. It contains 3 partitions named EFI System, Customer and (sorry, can't remember the third one). The Customer partition is the largest in size and is believed to be the main partition for the OS and user files. Here's the problem:

- When we loaded this image into EnCase, we can see the partitions but no data at all, which is an indication that the partition is encrypted.
- Based on the naming of the partitions we believe the disk image to be of a Mac, which would mean it's protected by FileVault2. However, there isn't a 'Recovery HD' partition as Mac FileVault2 images usually have, nor do any of the partitions contain a .plist.wipekey file for decryption.
- We tried mounting it on a macOS virtual machine running High Sierra (in an attempt to decrypt it using MacQuisition), using the native mounting tool; however, the process would start and be aborted automatically midway. There was no error prompt.

Some more facts:
- the Mac VM has MacFUSE installed, to handle potentially different filesystems
- the .img file is sitting on a Win10 host and accessed by the Mac guest VM via VMware sharefolder utility
- this VMDK is 80gb in size

We have yet to try 1) expanding the Mac VM's virtual disk to larger than the size of the .img file, and 2) mounting the .img on a Linux machine.

Have any of you come across an image/situation such as the above? I'd be very interested to hear how you dealt with it, or any suggestion at all on possible next steps to try. Thanks so much in advance!

Cheers,
Jessie

 
Posted : 21/06/2018 5:08 am
PanTovarnik
(@pantovarnik)
Posts: 3
New Member
 

Can you try mounting the image manually from Terminal using diskutil utility? If it fails it should at least give you a reason.

I would also try restoring the image onto a physical drive, just to rule out a possibility that there is a problem with the hypervisor's drive emulation.

 
Posted : 21/06/2018 12:57 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

My clues would be that you got a corrupt image or the problem is around FileVault2 and APFS.

 
Posted : 21/06/2018 1:01 pm
one234
(@one234)
Posts: 16
Active Member
Topic starter
 

Thanks guys! I'll give these a try and let you know the results as soon as practical.

 
Posted : 22/06/2018 12:18 am
(@randomaccess)
Posts: 385
Reputable Member
 

Between Axiom (FV2 HFS) and BlackLight (FV APFS) you should be covered. But either way you need the password.

 
Posted : 22/06/2018 1:03 am
one234
(@one234)
Posts: 16
Active Member
Topic starter
 

So I restored this .img image to a physical disk and connected it to my macOS VM. Here are some more observations:

- Using diskutil list in command line I can see the drive connected with three volumes
- I can see the drive in MacQuisition
- still cannot mount the disk using Disk Utility GUI
- still cannot mount the disk using Disk Utility in command line

Interestingly, when I tried imaging the perceived 'encrypted' volume, MacQuisition didn't appear to recognise it as encrypted and just went on to start imaging it. Please correct me if I'm wrong, but I thought MacQuisition would normally detect FileVault2 encryption and give you a chance to enter the password & recovery key for it?

Through these observations I'm now considering a different hypothesis; is it possible that this is an image of a reset system, where nothing - including disk encryption - has been initiated (since the 'Recovery HD' partition is only created at the activation of disk encryption?)

 
Posted : 24/06/2018 1:44 am
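The questions raised in this thread (what the partition type GUIDs actually say, whether a Recovery HD partition exists, whether the image is corrupt, and whether the bytes behind the 'Customer' partition are an encrypted container, a plaintext filesystem, or simply never written) can be answered from the raw .img without mounting it at all. The following is an added example for illustration; it is not code from the original posts or from EnCase, MacQuisition, Axiom or BlackLight. It parses the primary GPT of a dd image, verifies the header and partition-entry CRC32s (a mismatch supports the corrupt-image hypothesis above), and sniffs the first bytes of each partition for an APFS container superblock, an HFS+ volume header, an all-zero region, or high-entropy data. The type GUIDs are the published UEFI/Apple values; the function names (`parse_gpt`, `sniff_contents`, `has_recovery_hd`, `build_sample_image`) and the tiny image they run on are the example's own constructions, not real evidence.

```python
import math
import random
import struct
import uuid
import zlib

SECTOR = 512

# Well-known GPT partition type GUIDs (UEFI spec / Apple's published values)
GPT_TYPES = {
    "c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System",
    "48465300-0000-11aa-aa11-00306543ecac": "Apple HFS+/HFSX",
    "7c3457ef-0000-11aa-aa11-00306543ecac": "Apple APFS container",
    "53746f72-6167-11aa-aa11-00306543ecac": "Apple Core Storage (FileVault 2 on HFS+)",
    "426f6f74-0000-11aa-aa11-00306543ecac": "Apple Boot (Recovery HD)",
}


def shannon_entropy(data):
    """Bits per byte: ~8.0 looks random (encrypted or wiped), 0.0 is a constant fill."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sniff_contents(img, first_lba, last_lba):
    """Classify a partition by its first bytes; no mounting, no decryption."""
    data = bytes(img[first_lba * SECTOR:(last_lba + 1) * SECTOR])
    if data[32:36] == b"NXSB":
        # The APFS container superblock stays plaintext even when its volumes are FileVault-encrypted.
        return "APFS container header"
    if data[1024:1026] in (b"H+", b"HX"):
        return "HFS+ volume header"
    if not any(data):
        return "zero-filled"
    if shannon_entropy(data[:65536]) > 7.5:
        return "high-entropy (encrypted or random)"
    return "unrecognised"


def parse_gpt(img):
    """Parse the primary GPT at LBA 1 of a raw dd image. Returns (partitions, warnings)."""
    warnings = []
    hdr = bytes(img[SECTOR:2 * SECTOR])
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT signature at LBA 1 (not GPT, or image truncated/corrupt)")
    hdr_size, hdr_crc = struct.unpack_from("<II", hdr, 12)
    if zlib.crc32(hdr[:16] + bytes(4) + hdr[20:hdr_size]) != hdr_crc:  # CRC is computed with its own field zeroed
        warnings.append("GPT header CRC mismatch: image may be corrupt")
    entries_lba, count, entry_size, array_crc = struct.unpack_from("<QIII", hdr, 72)
    raw = bytes(img[entries_lba * SECTOR:entries_lba * SECTOR + count * entry_size])
    if zlib.crc32(raw) != array_crc:
        warnings.append("partition entry array CRC mismatch: image may be corrupt")
    parts = []
    for i in range(count):
        e = raw[i * entry_size:(i + 1) * entry_size]
        type_guid = str(uuid.UUID(bytes_le=e[0:16]))  # GPT stores GUIDs mixed-endian
        if type_guid == str(uuid.UUID(int=0)):
            continue  # unused slot
        first, last = struct.unpack_from("<QQ", e, 32)
        parts.append({
            "name": e[56:128].decode("utf-16-le").rstrip("\0"),
            "type": GPT_TYPES.get(type_guid, type_guid),
            "first_lba": first, "last_lba": last,
            "contents": sniff_contents(img, first, last),
        })
    return parts, warnings


def has_recovery_hd(parts):
    """A separate Recovery HD partition belongs to HFS+/Core Storage layouts; APFS keeps recovery as a volume inside the container."""
    return any(p["type"] == GPT_TYPES["426f6f74-0000-11aa-aa11-00306543ecac"] for p in parts)


def build_sample_image():
    """Constructed 32 KiB stand-in for a dd image (not real evidence): a GPT with four partitions."""
    total = 64
    img = bytearray(total * SECTOR)
    img[510:512] = b"\x55\xaa"  # protective MBR signature at LBA 0
    layout = [  # (name, type GUID, first LBA, last LBA, bytes placed at the partition start)
        ("EFI System", "c12a7328-f81f-11d2-ba4b-00a0c93ec93b", 8, 15, b""),
        ("Customer", "7c3457ef-0000-11aa-aa11-00306543ecac", 16, 31, bytes(32) + b"NXSB"),
        ("Legacy", "53746f72-6167-11aa-aa11-00306543ecac", 32, 47, random.Random(7).randbytes(16 * SECTOR)),
        ("Recovery HD", "426f6f74-0000-11aa-aa11-00306543ecac", 48, 55, bytes(1024) + b"H+"),
    ]
    entries = bytearray()
    for n, (name, type_guid, first, last, payload) in enumerate(layout, 1):
        img[first * SECTOR:first * SECTOR + len(payload)] = payload
        e = bytearray(128)
        e[0:16] = uuid.UUID(type_guid).bytes_le
        e[16:32] = uuid.UUID(int=n).bytes_le  # constructed unique partition GUID
        struct.pack_into("<QQQ", e, 32, first, last, 0)
        e[56:56 + 2 * len(name)] = name.encode("utf-16-le")
        entries += e
    img[2 * SECTOR:2 * SECTOR + len(entries)] = entries
    hdr = bytearray(92)
    hdr[0:8] = b"EFI PART"
    struct.pack_into("<IIIIQQQQ", hdr, 8, 0x00010000, 92, 0, 0, 1, total - 1, 8, total - 2)
    hdr[56:72] = uuid.UUID(int=0xD15C).bytes_le
    struct.pack_into("<QIII", hdr, 72, 2, len(layout), 128, zlib.crc32(bytes(entries)))
    struct.pack_into("<I", hdr, 16, zlib.crc32(bytes(hdr)))
    img[SECTOR:SECTOR + 92] = hdr
    return bytes(img)


if __name__ == "__main__":
    parts, warnings = parse_gpt(build_sample_image())
    for p in parts:
        print(f"{p['name']:<12} {p['type']:<42} LBA {p['first_lba']}-{p['last_lba']}  {p['contents']}")
    print("Recovery HD present:", has_recovery_hd(parts), "| warnings:", warnings or "none")
```

To run it against a real image, pass `parse_gpt` an `mmap.mmap` of the .img file opened read-only rather than reading 250 GB into memory; the slicing it does works the same on an mmap. Two caveats matter for the hypothesis in the post above: an Apple Core Storage type GUID plus high-entropy contents is the classic FileVault 2 on HFS+ picture, whereas an APFS container whose volumes are FileVault-encrypted still shows a plaintext `NXSB` header and has no separate Recovery HD partition, so the missing partition alone does not tell you whether encryption was ever enabled. A zero-filled 'Customer' partition would support the reset-system theory; high-entropy data would not.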
(@randomaccess)
Posts: 385
Reputable Member
 

Typically, to answer these types of questions I restore disk0 to an external and then option boot my Mac. Do you have that as an option?

 
Posted : 24/06/2018 5:58 am
one234
(@one234)
Posts: 16
Active Member
Topic starter
 

@randomaccess it does sound like a feasible way to try. However, I'm trying to get my head around how to do it. Am I right in thinking that an 'option boot' (using the 'C' key at startup?) will allow me to select which media I want to boot into instead of the default one? In this case a VM should work just as well? Will definitely give it a try tomorrow at work :D thanks!

 
Posted : 24/06/2018 9:52 am