Retrieve hash from wipekey only

libyal / libfvde

Library and tools to access FileVault Drive Encryption (FVDE) encrypted volumes

GNU Lesser General Public License v3.0

339 stars 34 forks source link

Retrieve hash from wipekey only #52

Closed Vsevosemnog closed 2 years ago

Vsevosemnog commented 2 years ago

Good day.

Is it available to retrieve FileVault hash for hashcat only with .wipekey file? I have this file but don't have any access to the encrypted volume.

joachimmetz commented 2 years ago

@EightLegs what do you mean with "FileVault hash" ?

Vsevosemnog commented 2 years ago

@EightLegs what do you mean with "FileVault hash" ? I mean a hash string like this example below $fvde$1$16$3fc886d887bef6f52b6d3f275c290e23$135098$5f852cd981bdad55bd8e60de04ab28742961b3c55e28a0f5

Is it available to retrive a hash like this with only EncryptedRoot.plist.wipekey file? Do i misunderstand anything?

joachimmetz commented 2 years ago

I mean a hash string like this example below

and what does this represent? I assume $ is some separator and fvde a type indicator but what do the other values represent? This is a format unknown to this project.