libyal / libfvde

Library and tools to access FileVault Drive Encryption (FVDE) encrypted volumes
GNU Lesser General Public License v3.0

Extract hash from raw disk image #37

Closed cirolaferrara closed 6 years ago

cirolaferrara commented 6 years ago

I'm doing a forensic exam on a disk. I have a raw image:

root@myserver:/# fdisk -l /media/root/HD/1A.raw.001
Disk /media/root/HD/1A.raw.001: 233.8 GiB, 251000193024 bytes, 490234752 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt

Device                                  Start       End   Sectors   Size Type
/media/root/HD/1A.raw.001p1        40    409639    409600   200M EFI System
/media/root/HD/1A.raw.001p2    409640 488965175 488555536   233G Apple Core storage
/media/root/HD/1A.raw.001p3 488965176 490234711   1269536 619.9M Apple boot

How do I extract the hashes from the disk? What is the right offset? I tried with:

root@myserver:/# fvdeinfo -v -o 488965176 /media/root/HD/1A.raw.001
fvdeinfo 20180505

Unable to open: /media/root/HD/1A.raw.001.
libcthreads_read_write_lock_grab_for_write: unable to lock read/write lock for write with error: Deadlock condition detected.
libfvde_volume_open_read: unable to grab read/write lock for writing.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.

Any help would be appreciated
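An added example, not part of this issue thread or of libfvde itself: a small Python helper that reads the fdisk -l listing above and turns the Start sector of the "Apple Core storage" partition into a byte offset for fvdeinfo's -o option. It assumes that -o takes a byte offset rather than a sector number (fdisk reports sectors, here of 512 bytes), and the sample listing is constructed by copying the one from the issue.

```python
import re

# Sample fdisk -l output, constructed by copying the listing from the issue.
FDISK_OUTPUT = """\
Disk /media/root/HD/1A.raw.001: 233.8 GiB, 251000193024 bytes, 490234752 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt

Device                                  Start       End   Sectors   Size Type
/media/root/HD/1A.raw.001p1        40    409639    409600   200M EFI System
/media/root/HD/1A.raw.001p2    409640 488965175 488555536   233G Apple Core storage
/media/root/HD/1A.raw.001p3 488965176 490234711   1269536 619.9M Apple boot
"""

UNITS_RE = re.compile(r"Units: sectors of \d+ \* (\d+) = (\d+) bytes")
# GPT partition row: device, start, end, sectors, size, type (type may contain spaces).
PART_RE = re.compile(r"(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")


def parse_fdisk(text):
    """Return (sector_size, [(device, start, end, sectors, type), ...]) from fdisk -l text."""
    sector_size = None
    parts = []
    for line in text.splitlines():
        m = UNITS_RE.match(line)
        if m:
            sector_size = int(m.group(2))
            continue
        m = PART_RE.match(line)
        if m and m.group(1) != "Device":
            parts.append((m.group(1), int(m.group(2)), int(m.group(3)),
                          int(m.group(4)), m.group(6)))
    if sector_size is None:
        raise ValueError("no 'Units:' line found in fdisk output")
    return sector_size, parts


def core_storage_offset(text):
    """Byte offset of the single 'Apple Core storage' partition (Start sector * sector size)."""
    sector_size, parts = parse_fdisk(text)
    cs = [p for p in parts if p[4] == "Apple Core storage"]
    if len(cs) != 1:
        raise ValueError(f"expected exactly one Core Storage partition, found {len(cs)}")
    return cs[0][1] * sector_size  # assumption: fvdeinfo -o wants bytes, not sectors


def fvdeinfo_command(image, text):
    """Build the fvdeinfo invocation for the Core Storage partition of a raw image."""
    return f"fvdeinfo -o {core_storage_offset(text)} {image}"
```

For the listing in the issue the helper selects partition 2 (not the 488965176 value tried above, which is the Start sector of partition 3) and yields 409640 * 512 = 209735680 bytes.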

joachimmetz commented 6 years ago

How do I extract the hashes from the disk?

Unclear to me what you mean with this.

fvdeinfo 20180505

Try using the last pre-release, 20180108, instead. The error you provided looks like there might be an issue with acquiring a thread lock in the version under development (20180505).

cirolaferrara commented 6 years ago

Ok, thanks. I will try. Anyway, I'm trying to extract the hash of the key of the encrypted disk: https://github.com/magnumripper/JohnTheRipper/blob/bleeding-jumbo/doc/README.FileVault2

cirolaferrara commented 6 years ago

root@myserver:~/libfvde-20180108# fvdeinfo -v /media/root/HD/1A.raw.001
fvdeinfo 20180108

Unable to open: /media/root/HD/1A.raw.001.
libcthreads_read_write_lock_grab_for_write: unable to lock read/write lock for write with error: Argument list too long
libfvde_volume_open_read: unable to grab read/write lock for writing.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.

joachimmetz commented 6 years ago

Could you attach your config.log and the last part of the output of configure?

cirolaferrara commented 6 years ago

Fixed with the binary on Ubuntu. Thanks.