All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 5 posts ] 
Author Message
 Post subject: Carve files from a Mac OS X encrypted volume : any hope ?
PostPosted: March 29th, 2016, 6:53 
Offline

Joined: July 7th, 2014, 6:44
Posts: 144
Location: Switzerland
Hi,

A customer brought me a recent MacBook Pro (A1502) with the hope to recover some overwritten iWork ".pages" file.

After some headache -- the SSD has some special interface that did not fit into my adapters, and it was impossible to boot from Linux live CDs because of probably lacking drivers --, I could boot from another MacBook's SATA drive and clone the SSD to a drive with a SATA interface.

The "Apple_CoreStorage" is disk0s2.
The logical volume on disk0s2 is marked as "Locked Encrypted". :(

I have at my disposal :
- the file signature for the files to recover is their unencrypted version
- the password of the encrypted volume
- if necessary, some older version of the file (about 1 week old), which I hope has the same beginning (as it is some thesis).
The size of the file to recover is ~1 Mb.

I assume that the cyphering is "FileVault 2".

My questions :


1. Does FileVault 2 encrypts "per file" or the whole volume ?

2. Is it possible to decipher the whole volume (e.g. by applying some 128-bit pattern or so) ?

3. Assuming that I have an example file with the same beginning (several Kb), is there a way to find its file signature it is ciphered form ? Would the ciphered file signature of an other version of the file be the same ?

4. If none of above technique works, is there a possibility to programmatically create file records in the encrypted volume (pointing at every offset that is a multiple of the sector size), so that the overwritten files "bubble up" ?

Any other suggestion ?

Thank you


Top
 Profile  
 
 Post subject: Re: Carve files from a Mac OS X encrypted volume : any hope
PostPosted: March 29th, 2016, 8:56 
Offline
User avatar

Joined: April 3rd, 2011, 0:19
Posts: 1699
Location: Providence, RI
Filevault uses XTS-AES 128 encryption. UFSExplorer I know has a feature to decrypt using this encryption method if the key is known. I've never used it, but I assume it's for cases such as this.

_________________
Hard Drive & RAID Data Recovery Services
https://www.data-medics.com/raid-data-recovery/


Top
 Profile  
 
 Post subject: Re: Carve files from a Mac OS X encrypted volume : any hope
PostPosted: March 29th, 2016, 13:51 
Offline

Joined: July 7th, 2014, 6:44
Posts: 144
Location: Switzerland
Thank you data-medics,
You're right, the professional recovery edition of UFSExplorer seems having this feature :
http://www.ufsexplorer.com/sol_encript_rec.php
But the commercial license costs 800€ (799.95€ to be exact), so that I'm still looking for a cheaper "in-house" alternative solution if I can find any.

I found these interesting articles
https://derflounder.wordpress.com/2011/ ... oot-drive/
https://derflounder.wordpress.com/2013/ ... n-decrypt/

Assuming that AES-XTS and XTS-AES are the same thing, my basic understanding is that this encryption depends on 4 factors: key, data, sector and block within a sector.
Quote:
"Because all of the bytes of a sector are dedicated to storage, there is no additional space available so store other information. This means that inputs to a encryption algorithm that is useful for encrypting data on a hard disk should only include a cryptographic key, the data itself, the sector number where the data is stored, and the block number within a sector, and AES-XTS does exactly this."
Source: https://www.voltage.com/security/unders ... ts-part-1/

I believe that FileVault 2 (https://en.wikipedia.org/wiki/FileVault#FileVault_2) encrypts the whole volume.
By turning off the encryption for the volume, I have some hope that all ciphered blocks would be rewritten to the drive in their unciphered form, including deallocated areas, which are the interesting ones in my case.
As a precaution, I won't do it on the original drive.


Top
 Profile  
 
 Post subject: Re: Carve files from a Mac OS X encrypted volume : any hope
PostPosted: March 29th, 2016, 14:22 
Offline

Joined: January 8th, 2008, 5:21
Posts: 808
Location: uk
Diskwarrior 5 will unlock a Filevault drive with a known password.

Also read these articles about other Filevault decryption scenarios......
https://derflounder.wordpress.com/2011/ ... oot-drive/
and
http://apple.stackexchange.com/question ... overy-mode


Top
 Profile  
 
 Post subject: Re: Carve files from a Mac OS X encrypted volume : any hope
PostPosted: March 31st, 2016, 13:32 
Offline

Joined: July 7th, 2014, 6:44
Posts: 144
Location: Switzerland
Thank you, dick.

In the first article is written :
Quote:
If you turn off the encryption, the encrypted drive will decrypt. Once it’s finished decrypting, you should be able to access your data again using normal recovery methods (booting from another 10.6 or 10.7 boot drive, utility drive, etc.)


However, it is not mentioned :
- if the decryption affects the whole drive, including the deallocated areas, or only the sectors where the data are stored.
The normal user is not expected to carve data in unallocated areas.
- if there is a risk the decryption being data-destructive in unallocated areas.

Concerning DiskWarrior, is it able to carve ".pages" files in unallocated areas ?
Or does it make the data recovery basing only on the (possibly damaged) file system ?

Basically, I should not need DiskWarrior as I already have a solution to recover ".pages" files.

Currently, the big issue, is that --for security reasons-- I don't want to unlock/decrypt before having cloned the SSD, and the cloning with the dd command displays a warning/error:
Code:
dd if=/dev/disk0 of=/dev/disk2
dd: /dev/disk2 Device not configured
4031049+0 records in
4031048+0 records out

It appears that the dd command stopped prematurely, the drive being 121.3 GB.
I tried with two different output drives, which both are healthy, and always see this "Device not configured" message which is printed when the dd command takes end.
Any idea ?


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 5 posts ] 

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group