Tags: macos, encryption, authentication, computer-forensics, filevault

Extraction of usernames from FileVault 2-encrypted disk image


I am working on bitstream (dd) images of disks from a MacBook (Mac OS X 10.11.6) encrypted with FileVault 2. I do not have any password, passphrase or recovery key to unlock the drive, but I am not interested in unlocking/decrypting the drive.

I only need to extract all the possible information related to the login screen. This information should include the usernames enabled to log in and password suggestions (if any). By password suggestion, I mean the hint that is shown if you click on the question mark (?) to the right of the password box.

Here is an example of login screen:

Login screen example

As far as I understood, the system starts a special EFI pre-boot where it displays the FileVault 2 unlock screen with the icons of the designated OS X accounts approved to unlock the disk. Login information (usernames, etc.) should not be encrypted because it is available and visible when you start the system and before the user logs in with the password (i.e., the disk is not unlocked yet).

I have also tried to get this information by attaching the image and then using sudo fdesetup list -device <UUID>, but apparently this operation is not allowed for an external device. Again, I am not able to unlock the image because I do not have any password. However, I believe that the usernames should be available somewhere in an unencrypted format because they are visible when I start the system.

Here is the output of diskutil list after attaching the disk image (stored in an external USB drive) with hdiutil attach -nomount /Volumes/USB/image.dd.dmg:

/dev/disk0 (internal):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                         500.3 GB   disk0
   1:                        EFI EFI                     314.6 MB   disk0s1
   2:                 Apple_APFS Container disk1         500.0 GB   disk0s2

/dev/disk1 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +500.0 GB   disk1
                                 Physical Store disk0s2
   1:                APFS Volume Macintosh HD            143.2 GB   disk1s1
   2:                APFS Volume Preboot                 21.0 MB    disk1s2
   3:                APFS Volume Recovery                522.1 MB   disk1s3
   4:                APFS Volume VM                      1.1 GB     disk1s4

/dev/disk2 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *3.0 TB     disk2
   1:         Microsoft Reserved                         16.8 MB    disk2s1
   2:       Microsoft Basic Data TARGET                  3.0 TB     disk2s2

/dev/disk3 (disk image):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        +121.3 GB   disk3
   1:                        EFI EFI                     209.7 MB   disk3s1
   2:          Apple_CoreStorage Macintosh HD            120.5 GB   disk3s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk3s3

Offline
                                 Logical Volume Macintosh HD on disk3s2
                                 UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU
                                 Locked Encrypted

Here is the output of diskutil cs list:

CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    Size:         120473067520 B (120.5 GB)
    Free Space:   12656640 B (12.7 MB)
    |
    +-< Physical Volume UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk3s2
    |   Status:   Online
    |   Size:     120473067520 B (120.5 GB)
    |
    +-> Logical Volume Family UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        Encryption Status:       Locked
        Conversion Status:       Complete
        High Level Queries:      Fully Secure
        |                        Passphrase Required
        |                        Accepts New Users
        |                        Has Visible Users
        |                        Has Volume Key
        |
        +-> Logical Volume XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
            ---------------------------------------------------
            Disk:                  -none-
            Status:                Locked
            Size (Total):          120108089344 B (120.1 GB)
            Revertible:            Yes (unlock and decryption required)
            LV Name:               Macintosh HD
            Content Hint:          Apple_HFS

If I try the fdesetup command, I get the following error:

$ fdesetup status -device XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Error: The -device option is not allowed for this operation.

Every attempt using another UUID causes this error: Error: The specified volume or device 'UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU' did not return any information.

Finally, the question is "How can I extract login information (not passwords) from a disk image encrypted with File Vault 2?". Based on the availability of this information before entering the password, I assume that usernames as well as other information (e.g., password hints) are not encrypted and could be extracted from a disk image.

Looking forward to your feedback.

Thanks a lot. gostep


Solution

  • On one of the partitions you will find a directory "Preboot". This directory contains a directory with a unique number, e.g. 52C97122313-4B77-... In this directory there is the directory "var" and there the directory "db". Here you can find the plist file CryptoUserInfo.plist which contains the desired information.

    /Preboot/52C97122313-4B77.../var/db/CryptoUserInfo.plist
    

    You can use a text editor to show the values.
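To read that plist without opening it by hand, here is an added Python script (not from the answer, and not Apple's tooling) that finds CryptoUserInfo.plist under a mounted Preboot volume and lists the name- and hint-like fields it contains; the mount point, the "name"/"hint" key matching and the key names in the constructed sample are assumptions, not a documented schema.

```python
#!/usr/bin/env python3
"""List login-screen fields (user names, password hints) from CryptoUserInfo.plist
on a mounted, read-only Preboot volume, without unlocking the encrypted volume."""
import plistlib
from pathlib import Path

# Assumption: keys holding login-screen data contain one of these words
# (matched case-insensitively on the dotted key path).
INTERESTING = ("name", "hint")

# Constructed sample for offline testing; key names are guesses, not the real schema.
SAMPLE_PLIST = plistlib.dumps({
    "00000000-0000-0000-0000-000000000001": {
        "UserFullName": "Jane Doe",
        "PasswordHint": "first pet",
        "UserIcon": b"\x89PNG\r\n\x1a\n\x00\x00",  # binary blob, must be skipped
    }
})

def find_crypto_user_info(mount_point):
    """Return every <mount>/<uuid>/var/db/CryptoUserInfo.plist below a mount point."""
    return sorted(Path(mount_point).glob("*/var/db/CryptoUserInfo.plist"))

def _as_text(value):
    """Render plist scalars; binary blobs are shown only if they decode as UTF-8."""
    if isinstance(value, bytes):
        try:
            return value.decode("utf-8")
        except UnicodeDecodeError:
            return f"<{len(value)} bytes of binary data>"
    return str(value)

def walk(node, path=()):
    """Yield (dotted.key.path, text) for every scalar in a nested plist."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from walk(val, path + (str(key),))
    elif isinstance(node, (list, tuple)):
        for idx, val in enumerate(node):
            yield from walk(val, path + (str(idx),))
    else:
        yield ".".join(path), _as_text(node)

def login_fields(plist_bytes):
    """Parse plist bytes (XML or binary) and keep only name/hint-like fields."""
    return [(p, t) for p, t in walk(plistlib.loads(plist_bytes))
            if any(word in p.lower() for word in INTERESTING)]

if __name__ == "__main__":
    import sys
    mount = sys.argv[1] if len(sys.argv) > 1 else "/Volumes/Preboot"  # assumed mount point
    for plist in find_crypto_user_info(mount):
        print(f"== {plist}")
        for key_path, text in login_fields(plist.read_bytes()):
            print(f"{key_path}: {text}")
```

Run it against the mount point of the attached image's Preboot volume; with no argument it assumes /Volumes/Preboot.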