I am working on bitstream (dd) images of disks from a MacBook (Mac OS X 10.11.6) encrypted with FileVault 2. I do not have any password, passphrase or recovery key to unlock the drive, but I am not interested in unlocking/decrypting the drive.
I only need to extract all the possible information related to the login screen. This information should include the usernames enabled to log in and the password suggestions (if any). By password suggestion, I mean the suggestion which is available if you click on the question mark (?) at the right of the password box.
Here is an example of a login screen:
As far as I understand, the system starts a special EFI pre-boot where it displays the FileVault 2 unlock screen with the icons of the designated OS X accounts approved to unlock the disk. Login information (usernames, etc.) should not be encrypted, because it is available and visible when you start the system and before the user logs in using the password (i.e., the disk is not unlocked yet).
I have also tried to get this information by attaching the image and then using sudo fdesetup list -device <UUID>, but apparently this operation is not allowed for an external device. Again, I am not able to unlock the image because I do not have any password. However, I believe that the usernames should be available somewhere in an unencrypted format, because they are visible when I start the system.
Here is the output of diskutil list after attaching the disk image (stored on an external USB drive) with hdiutil attach -nomount /Volumes/USB/image.dd.dmg:
/dev/disk0 (internal):
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme 500.3 GB disk0
1: EFI EFI 314.6 MB disk0s1
2: Apple_APFS Container disk1 500.0 GB disk0s2
/dev/disk1 (synthesized):
#: TYPE NAME SIZE IDENTIFIER
0: APFS Container Scheme - +500.0 GB disk1
Physical Store disk0s2
1: APFS Volume Macintosh HD 143.2 GB disk1s1
2: APFS Volume Preboot 21.0 MB disk1s2
3: APFS Volume Recovery 522.1 MB disk1s3
4: APFS Volume VM 1.1 GB disk1s4
/dev/disk2 (external, physical):
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *3.0 TB disk2
1: Microsoft Reserved 16.8 MB disk2s1
2: Microsoft Basic Data TARGET 3.0 TB disk2s2
/dev/disk3 (disk image):
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme +121.3 GB disk3
1: EFI EFI 209.7 MB disk3s1
2: Apple_CoreStorage Macintosh HD 120.5 GB disk3s2
3: Apple_Boot Recovery HD 650.0 MB disk3s3
Offline
Logical Volume Macintosh HD on disk3s2
UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU
Locked Encrypted
Here is the output of diskutil cs list:
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU
=========================================================
Name: Macintosh HD
Status: Online
Size: 120473067520 B (120.5 GB)
Free Space: 12656640 B (12.7 MB)
|
+-< Physical Volume UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU
| ----------------------------------------------------
| Index: 0
| Disk: disk3s2
| Status: Online
| Size: 120473067520 B (120.5 GB)
|
+-> Logical Volume Family UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU
----------------------------------------------------------
Encryption Type: AES-XTS
Encryption Status: Locked
Conversion Status: Complete
High Level Queries: Fully Secure
| Passphrase Required
| Accepts New Users
| Has Visible Users
| Has Volume Key
|
+-> Logical Volume XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
---------------------------------------------------
Disk: -none-
Status: Locked
Size (Total): 120108089344 B (120.1 GB)
Revertible: Yes (unlock and decryption required)
LV Name: Macintosh HD
Content Hint: Apple_HFS
If I try the fdesetup command, I get the following error:
$ fdesetup status -device XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Error: The -device option is not allowed for this operation.
Every attempt using another UUID causes this error: Error: The specified volume or device 'UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU' did not return any information.
Finally, the question is "How can I extract login information (not passwords) from a disk image encrypted with File Vault 2?". Based on the availability of this information before entering the password, I assume that usernames as well as other information (e.g., password hints) are not encrypted and could be extracted from a disk image.
Looking forward to your feedback.
Thanks a lot. gostep
On one of the partitions you will find a directory "Preboot". This directory contains a directory with a unique number, e.g. 52C97122313-4B77-... In this directory there is the directory "var", and in there the directory "db". Here you can find the plist file CryptoUserInfo.plist, which contains the desired information.
/Preboot/52C97122313-4B77.../var/db/CryptoUserInfo.plist
You can use a text editor to show the values.
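As an added example (not code from the original question or from the answer above), the following Python script locates CryptoUserInfo.plist on a mounted "Recovery HD" partition and dumps the login-screen fields without touching the locked CoreStorage volume. It assumes the Apple_Boot partition of the image (disk3s3 in the listing above) has been mounted read-only, e.g. with hdiutil attach -readonly followed by diskutil mount readOnly disk3s3 on macOS, and takes that mount point as its only argument. The per-user key names UserFullName, UserNamesData and PasswordHint, and the top-level layout of one dict per user keyed by GUID, are assumptions about the plist structure rather than facts from the page; for that reason the script also collects any other string or data field whose key contains "name" or "hint", accepts both XML and binary plists, and, when run with no argument, exercises itself on a constructed sample instead of a real file.

```python
"""Pull login-screen metadata (usernames, full names, password hints) out of
CryptoUserInfo.plist on a FileVault 2 "Recovery HD" partition, without
unlocking the CoreStorage logical volume."""
import plistlib
import sys
from pathlib import Path

# Per-user keys treated as login-screen fields. These names are an assumption
# (not confirmed by the original post), so any other string/data field whose
# key contains "name" or "hint" is collected as well.
KNOWN_FIELDS = ("UserFullName", "UserNamesData", "PasswordHint")


def find_crypto_user_info(mount_root):
    """Return every CryptoUserInfo.plist under Preboot/<UUID>/var/db/ on a
    mounted (read-only) Recovery HD partition. The <UUID> directory name
    differs per machine, hence the glob."""
    return sorted(Path(mount_root).glob("Preboot/*/var/db/CryptoUserInfo.plist"))


def _as_text(value):
    """Best-effort string for str, data (bytes) and list-of-data values."""
    if isinstance(value, str):
        return value
    if isinstance(value, bytes):
        return value.decode("utf-8", errors="replace").rstrip("\x00")
    if isinstance(value, list):
        parts = [p for p in (_as_text(v) for v in value) if p]
        return ", ".join(parts) if parts else None
    return None


def _is_login_field(key):
    lowered = key.lower()
    return key in KNOWN_FIELDS or "name" in lowered or "hint" in lowered


def extract_users(plist_bytes):
    """Parse an XML or binary plist (plistlib detects which) and return one
    dict per user record holding the login-screen fields found, plus the
    record's identifier under "_record". Empty fields are dropped."""
    root = plistlib.loads(plist_bytes)
    items = root.items() if isinstance(root, dict) else enumerate(root)
    users = []
    for ident, record in items:
        if not isinstance(record, dict):
            continue  # top-level scalars/metadata are not user records
        fields = {}
        for key, value in record.items():
            if _is_login_field(key):
                text = _as_text(value)
                if text:
                    fields[key] = text
        if fields:
            fields["_record"] = str(ident)
            users.append(fields)
    return users


# Constructed sample (not a plist from any real machine) in the assumed
# layout: a dict keyed by user GUID. A binary form is built too, because the
# on-disk file may be binary rather than XML.
SAMPLE_USERS = {
    "11111111-2222-3333-4444-555555555555": {
        "UserFullName": "Jane Doe",
        "UserNamesData": [b"jdoe"],
        "PasswordHint": "first pet",
        "UserType": 1,
        "UserIcon": b"\x89PNG\r\n\x1a\n",  # binary blob, must be ignored
    },
    "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": {
        "UserFullName": "Admin",
        "UserNamesData": [b"admin"],
        "PasswordHint": "",  # empty hint is dropped from the output
        "UserType": 0,
    },
}
SAMPLE_XML = plistlib.dumps(SAMPLE_USERS, fmt=plistlib.FMT_XML)
SAMPLE_BINARY = plistlib.dumps(SAMPLE_USERS, fmt=plistlib.FMT_BINARY)


def main(argv):
    if len(argv) > 1:
        paths = find_crypto_user_info(argv[1])
        if not paths:
            print(f"no CryptoUserInfo.plist under {argv[1]}/Preboot/*/var/db/")
            return 1
        for path in paths:
            print(f"== {path}")
            for user in extract_users(path.read_bytes()):
                print(user)
        return 0
    # No mount point given: run on the constructed sample instead.
    for user in extract_users(SAMPLE_BINARY):
        print(user)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python3 cryptouserinfo.py /Volumes/Recovery\ HD (or whatever mount point diskutil reports for disk3s3). Because the partition is attached read-only and only the Apple_Boot partition is touched, the locked Apple_CoreStorage volume stays untouched, and the glob over Preboot/* means you do not have to know the per-machine UUID directory name in advance.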