Page 1 of 1
Filevault 2
Posted: May 28th, 2022, 10:40
by drun
I have an M1 Mac with Monterey where the customer lost their recovery key for FileVault 2, with which the entire volume is encrypted. Thing is, they also can't remember the password for their local account but is sure that the password is LLLLNNNNS, where
L = a letter
N = a number
S = a special character
Also, there are some deleted files in the volume. That'd be the easy part - if it weren't for the volume being encrypted. I've tried everything I can think of to access a terminal and make an image with dd for further tampering but it won't let me. Chip-off is not an option. I'm at my wits' end with this.
Re: Filevault 2
Posted: May 28th, 2022, 13:22
by michael chiklis
Re: Filevault 2
Posted: May 28th, 2022, 18:25
by DRUG
Passware can crack it, but you wont be able to retrieve the deleted files.
That M1 has a ssd with trim enabled.
Re: Filevault 2
Posted: May 29th, 2022, 9:23
by drun
Thanks guys. I don't know why, but I had the notion that trim wasn't enabled by default on M1:s. Turns out it is.
You can check this with,
- Code:
log show --predicate "processID == 0" --start $(date "+%Y-%m-01") | grep spaceman
It doesn't look very active though, so maybe there's a chance. For instance, on another m1 Mac that I'm typing on right now doesn't have a record about trim since five days ago. Also, I did stumble upon Passware while doing research but got the impression that I'd need a disk image to work with. I guess I'll have a closer look. Thanks again!
Re: Filevault 2
Posted: June 2nd, 2022, 21:46
by DRUG
drun wrote:Thanks guys. I don't know why, but I had the notion that trim wasn't enabled by default on M1:s. Turns out it is.
You can check this with,
- Code:
log show --predicate "processID == 0" --start $(date "+%Y-%m-01") | grep spaceman
It doesn't look very active though, so maybe there's a chance. For instance, on another m1 Mac that I'm typing on right now doesn't have a record about trim since five days ago. Also, I did stumble upon Passware while doing research but got the impression that I'd need a disk image to work with. I guess I'll have a closer look. Thanks again!
If you believe trim will not be a issue, just boot via usb to clone the internal ssd and then proceed with passware.