Open arcticforensics opened 2 years ago
In which key unwrap call did you put these changes?
The 'Rfc3394_KeyUnwrap' function in 'KeyMgmt.cpp' returns false (a != rfc_3394_default_iv) when calling 'KeyManager::GetVolumeKey' for an APFS volume converted from FileVault/CoreStorage. If the 'Rfc3394_KeyUnwrap' function parameter 'aes_mode' is substituted with 'AES::AES_128', it works!
This comment saved me and made it work for me.
The line where I had to change it is the one where the VEK is decoded, once a KEK has been successfully decoded:
i.e. this one:

```cpp
if (veke.hdr.info.flags & 2) {
    // AES-128. This method is used for FileVault and CoreStorage encrypted
    // volumes that have been converted to APFS.
    rc = Rfc3394_KeyUnwrap(vek, veke.wrapped_vek, 0x10, kek, kek_mode, &iv);
```

to

```cpp
if (veke.hdr.info.flags & 2) {
    // AES-128. This method is used for FileVault and CoreStorage encrypted
    // volumes that have been converted to APFS.
    rc = Rfc3394_KeyUnwrap(vek, veke.wrapped_vek, 0x10, kek, AES::AES_128, &iv);
```
Right now this is KeyMgmt.cpp:537
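As an added example (not code from this thread or from the project whose KeyMgmt.cpp is discussed), here is an RFC 3394 unwrap in Go that makes the failing check visible: the KEK length selects the AES variant, and a KEK used at the wrong key length decrypts to an A that is not the default IV, which is exactly the `a != rfc_3394_default_iv` symptom above. It uses the RFC 3394 section 4.1 test vector; modelling the `kek_mode` mistake as the same KEK bytes zero-padded to 32 bytes (AES-256) is an assumption about how the mismatch plays out, not knowledge of the project's internals.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

var rfc3394DefaultIV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6} // RFC 3394 2.2.3.1 integrity check value
var ErrIntegrity = errors.New("rfc3394: integrity check failed (A != default IV)")  // the failure reported above
// KeyUnwrap implements RFC 3394 unwrap. The KEK length (16, 24 or 32 bytes)
// selects AES-128/192/256, the job of the 'aes_mode' parameter in KeyMgmt.cpp.
func KeyUnwrap(kek, wrapped []byte) ([]byte, error) {
	blk, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("rfc3394: wrapped data must be 8*(n+1) bytes, n >= 2")
	}
	n := len(wrapped)/8 - 1
	a := append([]byte(nil), wrapped[:8]...) // A; R[1..n] follow, 8 bytes each
	r := append([]byte(nil), wrapped[8:]...)
	b := make([]byte, 16)
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			binary.BigEndian.PutUint64(b, binary.BigEndian.Uint64(a)^uint64(n*j+i))
			copy(b[8:], r[8*(i-1):8*i])
			blk.Decrypt(b, b) // B = AES^-1(K, (A ^ t) | R[i]), t = n*j + i
			copy(a, b[:8])
			copy(r[8*(i-1):8*i], b[8:])
		}
	}
	if !bytes.Equal(a, rfc3394DefaultIV) {
		return nil, ErrIntegrity
	}
	return r, nil
}

func main() { // RFC 3394 section 4.1 vector: 128-bit KEK wrapping 128-bit key data
	kek, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
	wrapped, _ := hex.DecodeString("1FA68B0A8112B447AEF34BD8FB5A7B829D3E862371D2CFE5")
	vek, err := KeyUnwrap(kek, wrapped)
	fmt.Printf("AES-128: vek=%x err=%v\n", vek, err)
	_, err = KeyUnwrap(append(kek, make([]byte, 16)...), wrapped) // 32-byte key = AES-256: wrong mode (assumed model)
	fmt.Println("AES-256:", err)
}
```

The first unwrap recovers the RFC's key data 00112233445566778899AABBCCDDEEFF; the second fails the A check, so a mismatch between the KEK length in use and the AES mode passed in is the first thing to verify when Rfc3394_KeyUnwrap returns false.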