libyal / libfvde

Library and tools to access FileVault Drive Encryption (FVDE) encrypted volumes
GNU Lesser General Public License v3.0

fvdemount only mounts 17GB of 232GB volume #11

Closed hydrocloricacid closed 8 years ago

hydrocloricacid commented 8 years ago

From a 233GB "apple core storage" partition the fvdemount'ed volume size is 17GB. This 17GB volume/device cannot be mounted.

Bug?

The only changes I made after git clone libfvde were to rem out lines 21 & 22 in configure.ac so that autogen.sh would work. Created deb pkgs under Debian.

fdisk information (ewfmount'ed E01's + losetup)

fdisk -l /dev/loop0

Disk /dev/loop0: 233.8 GiB, 251000193024 bytes, 490234752 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 5C60C4BD-5B27-4F0C-AFD6-DF7061C9DFBD

Device           Start       End   Sectors   Size Type
/dev/loop0p1        40    409639    409600   200M EFI System
/dev/loop0p2    409640 488965175 488555536   233G Apple Core storage
/dev/loop0p3 488965176 490234711   1269536 619.9M Apple boot

fvdeinfo

root@syd-nb7-666:/tmp# fvdeinfo -p ?????? -e /tmp/EncryptedRoot.plist.wipekey /dev/loop0p2 /tmp/mac
fvdeinfo 20151018

Core Storage information:

Physical volume:
    Size:               250140434432 bytes
    Encryption method:      AES XTS

Logical volume:
    Size:               17070227456 bytes

volume listing

root@syd-nb7-666:/tmp# cd /tmp/mac/
root@syd-nb7-666:/tmp/mac# ls -lh
total 0
-r--r--r-- 1 root root 16G Oct 26 21:58 fvde1
root@syd-nb7-666:/tmp/mac# ls -l
total 0
-r--r--r-- 1 root root 17070227456 Oct 26 21:58 fvde1

joachimmetz commented 8 years ago

With which version of Mac OS X was the FileVault volume created? There are some issues with FVDE volumes from later versions of Yosemite (and later) regarding the volume size. Looks like the format might have changed a bit.

hydrocloricacid commented 8 years ago

Fairly sure it's Yosemite. I'll check and get back to you. Has a PCIE SSD, was impressed Linux acquired it.


hydrocloricacid commented 8 years ago

The apple is a Macbook Pro Retina. (A1398) Haven't been able to get in to check the OS yet.

We were unable to mount the drive using 2014 Macquisition, but when we connected a reverse cloned drive to an OSX Yosemite machine it decrypted it fine. (currently dd'ing it (must get around to statically compiling ewfacquire for OSX.))

Assume it's a newer version of OSX.

Am happy to create a small test volume and upload it for you if that's of any use for you.


joachimmetz commented 8 years ago

> Am happy to create a small test volume and upload it for you if that's of any use for you.

Thanks that could be useful.

minexew commented 8 years ago

I'm having a similar issue with an El Capitan-encrypted flashdrive. fvdeinfo is able to identify it as follows:

fvdeinfo 20160108

Core Storage information:

Physical volume:
    Size:               15174950912 bytes
    Encryption method:      AES XTS

Logical volume:
    Size:               14803664896 bytes

However, fvdemount doesn't even ask for a password - <mountpoint>/fvde1 is created, but impossible to mount (doesn't contain a valid filesystem).

joachimmetz commented 8 years ago

Cannot solve issue without test data. Closing issue. This will likely be addressed by https://github.com/libyal/libfvde/issues/2
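
A triage check for the symptom reported in this thread, as an added example that is not part of the original issue or of libfvde: it parses fvdeinfo output in the layout quoted above and flags a logical volume far smaller than its physical volume. The function names and the 0.5 threshold are assumptions, and the sample reports are constructed from the sizes posted in the thread.

```python
import re

# Assumed cut-off: a Core Storage logical volume normally spans most of its
# physical volume, so a logical/physical ratio under 0.5 is treated as suspect.
MIN_RATIO = 0.5

# Line layout taken from the fvdeinfo output quoted in this thread.
SECTION_RE = re.compile(r"^\s*(Physical|Logical) volume:\s*$")
SIZE_RE = re.compile(r"^\s*Size:\s*(\d+)\s+bytes\s*$")

def parse_fvdeinfo(text):
    """Return {'physical': bytes, 'logical': bytes} from fvdeinfo output."""
    sizes, section = {}, None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        size = SIZE_RE.match(line)
        if sec:
            section = sec.group(1).lower()
        elif size and section and section not in sizes:
            sizes[section] = int(size.group(1))  # first Size in each section
    missing = {"physical", "logical"} - sizes.keys()
    if missing:
        raise ValueError("no size found for: " + ", ".join(sorted(missing)))
    return sizes

def check_volume(text, min_ratio=MIN_RATIO):
    """Return (ratio, verdict) for one fvdeinfo report."""
    sizes = parse_fvdeinfo(text)
    if sizes["physical"] == 0:
        raise ValueError("physical volume size is zero")
    ratio = sizes["logical"] / sizes["physical"]
    if ratio < min_ratio:
        return ratio, "logical volume suspiciously small"
    return ratio, "sizes plausible"

# Constructed samples using the sizes posted in this thread.
REPORT_1 = """Core Storage information:
Physical volume:
    Size: 250140434432 bytes
    Encryption method: AES XTS
Logical volume:
    Size: 17070227456 bytes
"""
REPORT_2 = REPORT_1.replace("250140434432", "15174950912").replace(
    "17070227456", "14803664896")

if __name__ == "__main__":
    for name, report in (("first report", REPORT_1), ("second report", REPORT_2)):
        ratio, verdict = check_volume(report)
        print(f"{name}: logical/physical = {ratio:.3f} -> {verdict}")
```

The first report is flagged (ratio about 0.068), while the second passes the size check even though its volume could not be mounted, so a plausible size alone does not confirm a usable decrypted volume.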