All times are UTC - 5 hours [ DST ]




 Post subject: Filevault 2
Posted: May 28th, 2022, 10:40

Joined: March 2nd, 2020, 6:04
Posts: 24
Location: Sweden
I have an M1 Mac with Monterey where the customer lost their recovery key for FileVault 2, with which the entire volume is encrypted. Thing is, they also can't remember the password for their local account but are sure that the password is LLLLNNNNS, where

L = a letter
N = a number
S = a special character

Also, there are some deleted files in the volume. That'd be the easy part - if it weren't for the volume being encrypted. I've tried everything I can think of to access a terminal and make an image with dd for further tampering but it won't let me. Chip-off is not an option. I'm at my wits' end with this.


 Post subject: Re: Filevault 2
Posted: May 28th, 2022, 13:22

Joined: December 5th, 2011, 5:38
Posts: 1626
Location: Italy
Maybe Passware Kit Forensic can help?
https://support.passware.com/hc/en-us/a ... Encryption

_________________
My firmware database:
https://mega.nz/folder/O01DkBRI#MxP2J6ZNqXDcrX40I8MoQQ


 Post subject: Re: Filevault 2
Posted: May 28th, 2022, 18:25

Joined: April 22nd, 2015, 20:32
Posts: 413
Location: Portugal
Passware can crack it, but you won't be able to retrieve the deleted files.
That M1 has an SSD with trim enabled.

_________________
BTC Wallet - 3AoQPTBsz9PbfoanCx44Lw76Y2TwtKa1x5
Instagram https://www.instagram.com/datarecovery_morde.pt/


 Post subject: Re: Filevault 2
Posted: May 29th, 2022, 9:23

Joined: March 2nd, 2020, 6:04
Posts: 24
Location: Sweden
Thanks guys. I don't know why, but I had the notion that trim wasn't enabled by default on M1s. Turns out it is.

You can check this with,
Code:
log show --predicate "processID == 0" --start $(date "+%Y-%m-01") | grep spaceman


It doesn't look very active though, so maybe there's a chance. For instance, another M1 Mac that I'm typing on right now doesn't have a record about trim since five days ago. Also, I did stumble upon Passware while doing research but got the impression that I'd need a disk image to work with. I guess I'll have a closer look. Thanks again!


 Post subject: Re: Filevault 2
Posted: June 2nd, 2022, 21:46

Joined: April 22nd, 2015, 20:32
Posts: 413
Location: Portugal
drun wrote:
Thanks guys. I don't know why, but I had the notion that trim wasn't enabled by default on M1s. Turns out it is.

You can check this with,
Code:
log show --predicate "processID == 0" --start $(date "+%Y-%m-01") | grep spaceman


It doesn't look very active though, so maybe there's a chance. For instance, another M1 Mac that I'm typing on right now doesn't have a record about trim since five days ago. Also, I did stumble upon Passware while doing research but got the impression that I'd need a disk image to work with. I guess I'll have a closer look. Thanks again!


If you believe trim will not be an issue, just boot via USB to clone the internal SSD and then proceed with Passware.

_________________
BTC Wallet - 3AoQPTBsz9PbfoanCx44Lw76Y2TwtKa1x5
Instagram https://www.instagram.com/datarecovery_morde.pt/

