±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35244
New Yesterday: 3 Visitors: 185

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

Extract usernames from FileVault 2-encrypted disk image

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

gostep
Newbie
 

Extract usernames from FileVault 2-encrypted disk image

Post Posted: Feb 06, 19 07:48

I am working on bitstream (`dd`) images of disks from MacBook (Mac OS X 10.11.6) encrypted with File Vault 2. I do not have any password, passphrase or recovery key to unlock the drive, but I am not interested on unlocking/decrypting the drive.

I only need to extract all the possible information related to the login screen. This information should include usernames enabled to log in and password suggestions (if any). For password suggestion, I mean the suggestions which are available if you click on the question mark (?) at the right of the password box.

As far as I understood, the system starts a special EFI pre-boot where it displays the FileVault 2 unlock screen with the icons of designated OS X accounts approved to unlock the disk. Login information (usernames, etc) should not be encrypted because they are available and visible when you start the system and before user logs in using the password (i.e., disk is not unlocked yet).

I have also tried to get this information by attaching the image and then using sudo fdesetup list -device <UUID> but apparently this operation is not allowed for an external device. Again, I am not able to unlock the image because I do not have any password. However, I believe that usernames should be available somewhere in a not encrypted format because they are visible when I start the system.

Here is the output of diskutil list after attaching the disk image (stored in an external USB drive) with hdiutil attach -nomount /Volumes/USB/image.dd.dmg:

/dev/disk0 (internal):
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme 500.3 GB disk0
1: EFI EFI 314.6 MB disk0s1
2: Apple_APFS Container disk1 500.0 GB disk0s2

/dev/disk1 (synthesized):
#: TYPE NAME SIZE IDENTIFIER
0: APFS Container Scheme - +500.0 GB disk1
Physical Store disk0s2
1: APFS Volume Macintosh HD 143.2 GB disk1s1
2: APFS Volume Preboot 21.0 MB disk1s2
3: APFS Volume Recovery 522.1 MB disk1s3
4: APFS Volume VM 1.1 GB disk1s4

/dev/disk2 (external, physical):
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *3.0 TB disk2
1: Microsoft Reserved 16.8 MB disk2s1
2: Microsoft Basic Data TARGET 3.0 TB disk2s2

/dev/disk3 (disk image):
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme +121.3 GB disk3
1: EFI EFI 209.7 MB disk3s1
2: Apple_CoreStorage Macintosh HD 120.5 GB disk3s2
3: Apple_Boot Recovery HD 650.0 MB disk3s3

Offline
Logical Volume Macintosh HD on disk3s2
UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU
Locked Encrypted


Here is the output of diskutil cs list:

CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU
=========================================================
Name: Macintosh HD
Status: Online
Size: 120473067520 B (120.5 GB)
Free Space: 12656640 B (12.7 MB)
|
+-< Physical Volume UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU
| ----------------------------------------------------
| Index: 0
| Disk: disk3s2
| Status: Online
| Size: 120473067520 B (120.5 GB)
|
+-> Logical Volume Family UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU
----------------------------------------------------------
Encryption Type: AES-XTS
Encryption Status: Locked
Conversion Status: Complete
High Level Queries: Fully Secure
| Passphrase Required
| Accepts New Users
| Has Visible Users
| Has Volume Key
|
+-> Logical Volume XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
---------------------------------------------------
Disk: -none-
Status: Locked
Size (Total): 120108089344 B (120.1 GB)
Revertible: Yes (unlock and decryption required)
LV Name: Macintosh HD
Content Hint: Apple_HFS

If I try the fdesetup command, I get the following error:

$ fdesetup status -device XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Error: The -device option is not allowed for this operation.

Every attempt using another UUID causes this error: "Error: The specified volume or device 'UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU' did not return any information."

Finally, the question is "How can I extract login information (not passwords) from a disk image encrypted with File Vault 2?". Based on the availability of this information before entering the password, I assume that usernames as well as other information (e.g., password hints) are not encrypted and could be extracted from a disk image.

Looking forward for your feedback.

Thanks a lot.
gostep  
 
  

Kenobyte
Member
 

Re: Extract usernames from FileVault 2-encrypted disk image

Post Posted: Feb 06, 19 10:35

I will start off saying I have had a similar thought but haven't gotten around to testing. I have successfully brute-forced filevault 2 using the encryptedroot.plist.wipekey so there was no need to dig further as we did want full access to the drive. If you had a test OS you could create several users and hints and encrypt the drive with a known password. If you believe the hints and usernames are stored in clear text outside of the core storage you could then just run searches and look at the path the information was found in. I would then apply what you found to what you are trying to do. Just a thought if there isn't an answer found here.  
 
  

gostep
Newbie
 

Re: Extract usernames from FileVault 2-encrypted disk image

Post Posted: Feb 07, 19 02:48

Thanks, @Kenobyte. I am not sure that hints and usernames are stored in clear text but I believe it should be somehow available without the need to unlock the disk. I like your suggestion to create a disk image from an installation including users that set hints for their password. We have a Mac that we can use for testing.
If there will not be any other answer before that, I will share the results of my test as soon as possible.

Thanks a lot.
gostep  
 
  

randomaccess
Senior Member
 

Re: Extract usernames from FileVault 2-encrypted disk image

Post Posted: Feb 14, 19 13:59

restore your image to a USB3 external drive, shut down your mac and then boot holding the option key
select your external and it will boot as if it was the suspect drive

From there you can see the login screen, get the password wrong, see the hint, etc etc  
 

Page 1 of 1