MacOS/FileVault

From Segfault
Jump to navigation Jump to search

libfvde

The libfvde tools appear to be able to decrypt FileVault volumes. Install on a Fedora system, as described in the build instructions: 

sudo dnf install automake autoconf libtool pkg-config gettext-devel fuse-devel zlib-devel openssl-devel rpm-build python-devel python3-devel annobin sleuthkit

gpg --recv-keys D9625E5D7AD0177E
gpg --keyid-format long --verify libfvde-experimental*.tar.gz.asc

mv libfvde-experimental-20180108.tar.gz libfvde-20180108.tar.gz                                   # Apparently rpmbuild gets confused by this string o_O
rpmbuild -ta libfvde*.tar.gz
sudo rpm -ihv ~/rpmbuild/RPMS/x86_64/libfvde{,-tools}-2*.x86_64.rpm

Let's see what we can do with these tools: 

$ rpm -ql libfvde-tools | grep bin
/usr/bin/fvdeinfo
/usr/bin/fvdemount
/usr/bin/fvdewipekey

$ sudo mmls -t gpt /dev/sda
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000000039   0000000040   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000000040   0000409639   0000409600   EFI System Partition
005:  001       0000409640   0250069639   0249660000   OSX
006:  -------   0250069640   0250069679   0000000040   Unallocated

Rats - our Recovery HD is missing 🙁 Let's iterate through all available offsets anyway: 

$ sudo mmls -t gpt /dev/sda | tee mmls.out
$ for o in `awk '/^0/ {print $3}' mmls.out`; do echo "### Offset: $o"; sudo fls -r -o $o /dev/sda | head; echo; done
### Offset: 0000000000
Cannot determine file system type

### Offset: 0000000000
Cannot determine file system type

### Offset: 0000000001
Cannot determine file system type

### Offset: 0000000002
Cannot determine file system type

### Offset: 0000000040
r/r 3:  EFI         (Volume Label Entry)
r/r 5:  ._.Trashes
d/d 6:  EFI
+ d/d 309:      APPLE
++ d/d 326:     EXTENSIONS
+++ r/r 342:    Firmware.scap
+ d/d 310:      BOOT
++ r/r * 1966966:       ._startup.nsh
++ r/r 1966967: BOOTX64.efi
++ r/r 1966969: ._BOOTX64.efi

### Offset: 0000409640
Cannot determine file system type

### Offset: 0250069640
Cannot determine file system type

TBD!

Links

Retrieved from "https://trent.utfs.org/mediawiki/index.php?title=MacOS/FileVault&oldid=10494"