sgan81 / apfs-fuse

FUSE driver for APFS (Apple File System)
GNU General Public License v2.0

Where are cryptousers stored in the partition? #97

Open neptunix opened 5 years ago

neptunix commented 5 years ago

I've got a faulty drive that has no cryptousers available (according to macOS). Probably it happened due to a disk power failure (maybe some data got lost and mac os can not find cryptousers).

Are there any ways to check if cryptousers data (containing disk encryption keys) is recoverable?

Linux behavior is similar to macOS: :(

neptune@ubox:~/apfs-fuse/build$ sudo ./apfs-dump-quick  /dev/sdc2 plextor.txt
Device /dev/sdc2 opened. Size is 255850761728
starting LoadKeybag
 all blocks verified
starting LoadKeybag
Volume Plextor is encrypted.
starting LoadKeybag
Enter Password: 
Dumping Keybag (keys)

Version : 0002
Keys    : 0002
Bytes   : 00000224

Key 0:
UUID    : 7C7E5DC8-9491-4D96-A16A-4B273C063848
Type    : 0003 [Keybag Ref]
Length  : 0016

Block   : 0000000001277953
Count   : 0000000000000001

Key 1:
UUID    : 7C7E5DC8-9491-4D96-A16A-4B273C063848
Type    : 0002 [VEK]
Length  : 0124

[Blob Header]
Unk 80  : 0
HMAC    : 35106977EC109EE56469108A918BE544AEA1213027EEB776B4B7D539F4BC88CA
Salt    : 6B665510262498EF

[VEK]
Unk 80  : 0
UUID    : 7C7E5DC8-9491-4D96-A16A-4B273C063848
Unk 82  : 00000000 0001 05 219
VEK Wrpd: 516B0AC5EBBCCC6F6B0C433764A18390C51C644F8A142CC03BA0D4BCD268B338D006372FBFF0671B

starting LoadKeybag
Wrong password!

Banaanhangwagen commented 4 years ago

Are you sure that Filevault2 is activated?

neptunix commented 4 years ago

There's no FileVault2. It's a standalone encrypted apfs partition on an external drive.

Banaanhangwagen commented 4 years ago

Disregard my latest remark. I didn't correctly read your first post.

I assume that you gave the output from a Linux host? Can you describe what command you used in order to attach your device? (I am trying to reproduce.)

neptunix commented 4 years ago

@Banaanhangwagen yep, it's a linux host.

to attach your device

Can you please elaborate? I don't get it. As long as it's an external drive, I just connected it to the linux host (it appears as /dev/sdc2)

Banaanhangwagen commented 4 years ago

Oh, I thought you were working with an image and looped it.

Either way, I cannot reproduce your problem. Do you have knowledge of the pwd ?

neptunix commented 4 years ago

@Banaanhangwagen yep, I do know the password. But I can't apply it (at least on a mac). I may create an image from the partition (that's 256Gb - but should probably gzip well) and send it to you but only if you have time to play with it :)

neptunix commented 4 years ago

@Banaanhangwagen I converted the partition to a dmg volume. Here's what I have:

root@d1d1c51b9d61:/recover# /app/build/apfsutil recover.dmg  
Found partitions:
C12A7328-F81F-11D2-4BBA-00A0C93EC93B 3843C38E-2853-4727-8596-CB29D09BAEE7 0000000000000028 0000000000064027 0000000000000000 EFI System Partition
7C3457EF-0000-11AA-11AA-00306543ECAC 8C00C106-12CD-4CF8-D1BA-A73B05D2DA1C 0000000000064028 000000001DCF328E 0000000000000000 
First APFS partition is 1

Volume 0 7C7E5DC8-9491-4D96-A16A-4B273C063848
---------------------------------------------
Role:               Recovery
Name:               Plextor (Case-sensitive)
Capacity Consumed:  103752237056 Bytes
FileVault:          Yes
# /app/build/apfs-dump-quick recover.dmg log.txt
Info: Found valid GPT partition table on main device. Dumping first APFS partition.
starting LoadKeybag
 all blocks verified
starting LoadKeybag
Volume Plextor is encrypted.
starting LoadKeybag
starting LoadKeybag
Wrong password!

Banaanhangwagen commented 4 years ago

Are you able to attach your dmg to a macOS? hdiutil attach -nomount /path/to/recover.dmg What does diskutil ap list say then?

Are you able to unlock the attached dmg? diskutil ap unlockVolume <Disk GUID>

Finally, are you able to extract an APFS-hash with https://github.com/Banaanhangwagen/apfs2hashcat?

neptunix commented 4 years ago

yep, I can

+-- Container disk8 0868BB17-EC01-44BA-B7B5-D2A87AF4061E
    ====================================================
    APFS Container Reference:     disk8
    Size (Capacity Ceiling):      255850758144 B (255.9 GB)
    Capacity In Use By Volumes:   103890497536 B (103.9 GB) (40.6% used)
    Capacity Not Allocated:       151960260608 B (152.0 GB) (59.4% free)
    |
    +-< Physical Store disk6s2 8C00C106-12CD-4CF8-BAD1-A73B05D2DA1C
    |   -----------------------------------------------------------
    |   APFS Physical Store Disk:   disk6s2
    |   Size:                       255850761728 B (255.9 GB)
    |
    +-> Volume disk8s1 7C7E5DC8-9491-4D96-A16A-4B273C063848
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk8s1 (Recovery)
        Name:                      Plextor (Case-sensitive)
        Mount Point:               Not Mounted
        Capacity Consumed:         103752237056 B (103.8 GB)
        FileVault:                 Yes (Locked)
nepbook:LaCie neptune$ diskutil ap unlockVolume 7C7E5DC8-9491-4D96-A16A-4B273C063848
Passphrase:
Unlocking any cryptographic user on APFS Volume disk8s1
Passphrase incorrect or user does not exist
nepbook:LaCie neptune$ diskutil apfs listCryptoUsers 7C7E5DC8-9491-4D96-A16A-4B273C063848
No cryptographic users for disk8s1

apfs2hashcat gives this:

Info: Found valid GPT partition table on main device. Dumping first APFS partition.
starting LoadKeybag
 all blocks verified
starting LoadKeybag
Volume Plextor is encrypted.
starting LoadKeybag
starting LoadKeybag
Wrong password!

Looks like the hashes table got broken somehow in the partition, or something like that.

sgan81 commented 4 years ago

There is also a debug flag that will dump keys (both encrypted and decrypted) when mounting a volume. I don't know what the problem is in your case, though. The volume keybag would be at the position referenced by key 0 in the container keybag.
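
To make the chain sgan81 describes concrete (container keybag key 0 of type 3 is a block reference to the volume keybag, and the volume keybag holds one type-3 unlock record per cryptouser), here is a small parser for a decrypted kb_locker_t. It is an added example, not apfs-fuse code; the layout and tag values are taken from Apple's APFS reference (2 and 3 match the dump above), the UUID and block number are the ones in this thread, and the VEK blob is a constructed dummy of the same 124-byte length.

```python
import struct
import uuid

# Tag values per the APFS reference (assumption; tags 2 and 3 match the dump in this thread).
KB_TAG_VOLUME_KEY = 2             # container keybag: wrapped VEK; volume keybag: wrapped KEK
KB_TAG_VOLUME_UNLOCK_RECORDS = 3  # container keybag: volume keybag location; volume keybag: per-user record
KB_TAG_PASSPHRASE_HINT = 4

def build_locker(entries):
    """Serialize a decrypted kb_locker_t: 16-byte header, then entries padded to 16 bytes."""
    body = b""
    for ent_uuid, tag, data in entries:
        ent = ent_uuid.bytes + struct.pack("<HH4x", tag, len(data)) + data
        body += ent + b"\0" * (-len(ent) % 16)
    return struct.pack("<HHI8x", 2, len(entries), 16 + len(body)) + body

def parse_locker(buf):
    """Return [(uuid, tag, keydata)] from a decrypted locker; reject an implausible header."""
    version, nkeys, nbytes = struct.unpack_from("<HHI", buf, 0)
    if version != 2 or nbytes > len(buf):
        raise ValueError("keybag header does not look like a valid locker")
    off, out = 16, []
    for _ in range(nkeys):
        ent_uuid = uuid.UUID(bytes=buf[off:off + 16])
        tag, klen = struct.unpack_from("<HH", buf, off + 16)
        out.append((ent_uuid, tag, buf[off + 24:off + 24 + klen]))
        off += 24 + klen
        off += -off % 16            # entries are 16-byte aligned
    return out

def volume_keybag_location(container_entries, vol_uuid):
    """The 'Keybag Ref' entry for this volume carries a prange_t: (start block, block count)."""
    for ent_uuid, tag, data in container_entries:
        if ent_uuid == vol_uuid and tag == KB_TAG_VOLUME_UNLOCK_RECORDS:
            return struct.unpack("<QQ", data)
    return None

def count_crypto_users(volume_entries):
    """Each unlock record in the volume keybag is one cryptouser; zero means nothing can unlock the VEK."""
    return sum(1 for _, tag, _ in volume_entries if tag == KB_TAG_VOLUME_UNLOCK_RECORDS)

# Constructed sample data modelled on the dump above (VEK blob is a placeholder, not the real one).
VOL = uuid.UUID("7C7E5DC8-9491-4D96-A16A-4B273C063848")
CONTAINER_KEYBAG = build_locker([(VOL, KB_TAG_VOLUME_UNLOCK_RECORDS, struct.pack("<QQ", 1277953, 1)),
                                 (VOL, KB_TAG_VOLUME_KEY, b"\x30" + b"\0" * 123)])
USER = uuid.UUID("00000000-0000-0000-0000-000000000001")      # constructed cryptouser UUID
HEALTHY_VOLUME_KEYBAG = build_locker([(USER, KB_TAG_VOLUME_UNLOCK_RECORDS, b"\x30" + b"\0" * 99),
                                      (USER, KB_TAG_PASSPHRASE_HINT, b"hint")])
EMPTY_VOLUME_KEYBAG = build_locker([(USER, KB_TAG_PASSPHRASE_HINT, b"hint")])   # no unlock records
```

With the real keybags dumped via the debug flag, the same two checks tell you whether the reference from key 0 still points at a readable volume keybag and whether that keybag still contains any unlock records.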

mihirgaikwad94 commented 2 years ago

Hi. Were you able to recover data from that drive? It seems that I have the exact same problem with my external SSD formatted to APFS (encrypted). Unable to mount it, and there seems to be no 'Disk User', so I cannot decrypt the drive. Were you able to find a solution to it? Thanks!

neptunix commented 2 years ago

Hi @mihirgaikwad94.

No, I was unable to recover it. I ended up storing it as a dmg image with the hope that I will be able to recover it one day.

neptunix commented 2 years ago

There is also a debug flag that will dump keys (both encrypted and decrypted) when mounting a volume.

@sgan81 thanks, sorry, I have not seen your comment. So it's -d 16 as I read the docs. I will need to find my image and try that as well. Thanks

mihirgaikwad94 commented 2 years ago

@neptunix Thank you for the reply. Just to clarify, I should use Disk Utility and create a dmg of the container, right?

neptunix commented 2 years ago

@mihirgaikwad94 I don't think you really need to do that (it's not a solution). I just converted that to a dmg in order not to keep the data on the external drive and have a copy of the disk stored in the cloud.

mihirgaikwad94 commented 2 years ago

@neptunix I understand. So, I want to keep a copy of the SSD on my computer and send the corrupt SSD to a professional data recovery company. The data on that SSD is quite important to me. Meanwhile, I want to make a clone of the SSD using the dmg to try some data recovery on my own if that works. Do you think it'd be possible for some professional data recovery companies to fix this issue?