
Extract usernames from FileVault 2-encrypted disk image

4 Posts
3 Users
0 Likes
1,090 Views
(@gostep)
Posts: 2
New Member
Topic starter
 

I am working on bitstream (`dd`) images of disks from a MacBook (Mac OS X 10.11.6) encrypted with FileVault 2. I do not have any password, passphrase or recovery key to unlock the drive, but I am not interested in unlocking/decrypting the drive.

I only need to extract all the possible information related to the login screen. This information should include the usernames enabled to log in and the password hints (if any). By password hints, I mean the suggestions which are available if you click on the question mark (?) at the right of the password box.

As far as I understood, the system starts a special EFI pre-boot where it displays the FileVault 2 unlock screen with the icons of the designated OS X accounts approved to unlock the disk. Login information (usernames, etc.) should not be encrypted, because it is available and visible when you start the system and before the user logs in with the password (i.e., the disk is not unlocked yet).

I have also tried to get this information by attaching the image and then using `sudo fdesetup list -device <UUID>`, but apparently this operation is not allowed for an external device. Again, I am not able to unlock the image because I do not have any password. However, I believe that the usernames should be available somewhere in an unencrypted format, because they are visible when I start the system.

Here is the output of `diskutil list` after attaching the disk image (stored on an external USB drive) with `hdiutil attach -nomount /Volumes/USB/image.dd.dmg`:

```
/dev/disk0 (internal)
#  TYPE                    NAME          SIZE       IDENTIFIER
0  GUID_partition_scheme                 500.3 GB   disk0
1  EFI                     EFI           314.6 MB   disk0s1
2  Apple_APFS              Container disk1  500.0 GB   disk0s2

/dev/disk1 (synthesized)
#  TYPE                    NAME          SIZE       IDENTIFIER
0  APFS Container Scheme   -            +500.0 GB   disk1
                           Physical Store disk0s2
1  APFS Volume             Macintosh HD  143.2 GB   disk1s1
2  APFS Volume             Preboot       21.0 MB    disk1s2
3  APFS Volume             Recovery      522.1 MB   disk1s3
4  APFS Volume             VM            1.1 GB     disk1s4

/dev/disk2 (external, physical)
#  TYPE                    NAME          SIZE       IDENTIFIER
0  GUID_partition_scheme                *3.0 TB     disk2
1  Microsoft Reserved                    16.8 MB    disk2s1
2  Microsoft Basic Data    TARGET        3.0 TB     disk2s2

/dev/disk3 (disk image)
#  TYPE                    NAME          SIZE       IDENTIFIER
0  GUID_partition_scheme                +121.3 GB   disk3
1  EFI                     EFI           209.7 MB   disk3s1
2  Apple_CoreStorage       Macintosh HD  120.5 GB   disk3s2
3  Apple_Boot              Recovery HD   650.0 MB   disk3s3

Offline
Logical Volume Macintosh HD on disk3s2
UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU
Locked Encrypted
```

Here is the output of `diskutil cs list`:

```
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU
    =========================================================
    Name          Macintosh HD
    Status        Online
    Size          120473067520 B (120.5 GB)
    Free Space    12656640 B (12.7 MB)
    |
    +-< Physical Volume UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU
    |   ----------------------------------------------------
    |   Index     0
    |   Disk      disk3s2
    |   Status    Online
    |   Size      120473067520 B (120.5 GB)
    |
    +-> Logical Volume Family UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU
        ----------------------------------------------------------
        Encryption Type         AES-XTS
        Encryption Status       Locked
        Conversion Status       Complete
        High Level Queries      Fully Secure
        |                       Passphrase Required
        |                       Accepts New Users
        |                       Has Visible Users
        |                       Has Volume Key
        |
        +-> Logical Volume XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
            ---------------------------------------------------
            Disk                  -none-
            Status                Locked
            Size (Total)          120108089344 B (120.1 GB)
            Revertible            Yes (unlock and decryption required)
            LV Name               Macintosh HD
            Content Hint          Apple_HFS
```

If I try the `fdesetup` command, I get the following error:

```
$ fdesetup status -device XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Error The -device option is not allowed for this operation.
```

Every attempt using another UUID causes this error: "Error The specified volume or device 'UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU' did not return any information."

Finally, the question is: "How can I extract login information (not passwords) from a disk image encrypted with FileVault 2?" Based on the availability of this information before entering the password, I assume that the usernames as well as other information (e.g., password hints) are not encrypted and could be extracted from a disk image.

Looking forward to your feedback.

Thanks a lot.
gostep

 
Posted : 06/02/2019 1:48 pm
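A small triage helper for the `diskutil cs list` output quoted above, added here as an example and not code from the original post. It parses the tree layout into logical volume groups, physical volumes, logical volume families and logical volumes, and then reports per family whether the volume is locked and whether CoreStorage flags it as having visible users, which, as I read the query list, is the flag that tells the pre-boot unlock screen it has user accounts to display. The parser assumes the colon-delimited `Key:   Value` layout that `diskutil cs list` actually prints (the forum copy lost the colons), and the sample below is constructed to mirror the poster's output with placeholder UUIDs.

```python
from dataclasses import dataclass, field

# Constructed sample, modelled on the `diskutil cs list` output in the post.
# UUIDs are placeholders, not real identifiers.
SAMPLE = """\
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    Size:         120473067520 B (120.5 GB)
    Free Space:   12656640 B (12.7 MB)
    |
    +-< Physical Volume UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk3s2
    |   Status:   Online
    |   Size:     120473067520 B (120.5 GB)
    |
    +-> Logical Volume Family UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        Encryption Status:       Locked
        Conversion Status:       Complete
        High Level Queries:      Fully Secure
        |                        Passphrase Required
        |                        Accepts New Users
        |                        Has Visible Users
        |                        Has Volume Key
        |
        +-> Logical Volume XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
            ---------------------------------------------------
            Disk:                  -none-
            Status:                Locked
            Size (Total):          120108089344 B (120.1 GB)
            Revertible:            Yes (unlock and decryption required)
            LV Name:               Macintosh HD
            Content Hint:          Apple_HFS
"""

@dataclass
class LogicalVolume:
    uuid: str
    attrs: dict = field(default_factory=dict)

@dataclass
class Family:
    uuid: str
    attrs: dict = field(default_factory=dict)
    queries: list = field(default_factory=list)   # "High Level Queries" entries
    volumes: list = field(default_factory=list)

@dataclass
class Group:
    uuid: str
    attrs: dict = field(default_factory=dict)
    physical: list = field(default_factory=list)  # one dict per physical volume
    families: list = field(default_factory=list)

TREE_CHARS = " |+-<>"   # characters diskutil uses to draw the tree

def parse_cs_list(text):
    """Parse `diskutil cs list` text into a list of Group objects."""
    groups, target, family, in_queries = [], None, None, False
    for raw in text.splitlines():
        core = raw.lstrip(TREE_CHARS).rstrip()
        if not core or core.startswith("="):      # blank, rule or tree-only line
            continue
        if core.startswith("Logical Volume Group "):
            group = Group(uuid=core.split()[-1]); groups.append(group)
            target, family, in_queries = group.attrs, None, False
        elif core.startswith("Physical Volume "):
            pv = {"uuid": core.split()[-1]}; groups[-1].physical.append(pv)
            target, in_queries = pv, False
        elif core.startswith("Logical Volume Family "):
            family = Family(uuid=core.split()[-1]); groups[-1].families.append(family)
            target, in_queries = family.attrs, False
        elif core.startswith("Logical Volume "):
            if family is None:
                raise ValueError("logical volume outside of a family")
            lv = LogicalVolume(uuid=core.split()[-1]); family.volumes.append(lv)
            target, in_queries = lv.attrs, False
        elif ":" in core:
            key, _, value = core.partition(":")
            key, value = key.strip(), value.strip()
            if key == "High Level Queries":       # first entry is on the key line
                family.queries.append(value); in_queries = True
            else:
                target[key] = value; in_queries = False
        elif in_queries:                          # continuation lines of the query list
            family.queries.append(core)
    return groups

def triage(groups):
    """One row per logical volume family with the facts an examiner wants first."""
    return [{
        "group": g.attrs.get("Name"),
        "family": f.uuid,
        "encryption": f.attrs.get("Encryption Type"),
        "locked": f.attrs.get("Encryption Status") == "Locked",
        "visible_users": "Has Visible Users" in f.queries,
        "volumes": [lv.attrs.get("LV Name") for lv in f.volumes],
    } for g in groups for f in g.families]

if __name__ == "__main__":
    for row in triage(parse_cs_list(SAMPLE)):
        print(row)
```

Run it against a saved copy of the real command output (`diskutil cs list > cs.txt`, then `parse_cs_list(open("cs.txt").read())`); a family reported as locked with `visible_users` true is exactly the situation described in the post, where the unlock screen can list accounts although the volume contents stay inaccessible.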
(@kenobyte)
Posts: 36
Eminent Member
 

I will start off by saying I have had a similar thought but haven't gotten around to testing. I have successfully brute-forced FileVault 2 using the `encryptedroot.plist.wipekey`, so there was no need to dig further, as we did want full access to the drive. If you had a test OS, you could create several users and hints and encrypt the drive with a known password. If you believe the hints and usernames are stored in clear text outside of the CoreStorage, you could then just run searches and look at the path the information was found in. I would then apply what you found to what you are trying to do. Just a thought, if there isn't an answer found here.

 
Posted : 06/02/2019 4:35 pm
(@gostep)
Posts: 2
New Member
Topic starter
 

Thanks, @Kenobyte. I am not sure that hints and usernames are stored in clear text, but I believe they should be somehow available without the need to unlock the disk. I like your suggestion to create a disk image from an installation including users that set hints for their password. We have a Mac that we can use for testing.
If there is no other answer before that, I will share the results of my test as soon as possible.

Thanks a lot.
gostep

 
Posted : 07/02/2019 8:48 am
(@randomaccess)
Posts: 385
Reputable Member
 

Restore your image to a USB3 external drive, shut down your Mac and then boot holding the Option key.
Select your external drive and it will boot as if it was the suspect drive.

From there you can see the login screen, get the password wrong, see the hint, etc.

 
Posted : 14/02/2019 7:59 pm