Encrypted Time Machine Backup
#1
Hi,

I recently tried to open my old Time Machine backups, but I forgot the password. I searched all over the web for the various formats that Time Machine may use to store the hash, and I didn't get very far. Most articles seem to mention a FileVault-encrypted partition, or some newer technologies.

Is there anyone who knows how I would get the hash and/or salt from this folder of files? And is this even supported by hashcat?

Here is the folder structure of the backup:
Code:
bands/
com.apple.TimeMachine.MachineID.bckup
com.apple.TimeMachine.MachineID.plist
com.apple.TimeMachine.Results.plist
com.apple.TimeMachine.SnapshotHistory.plist
Info.bckup
Info.plist
lock
mapped/
token

The backup was initially created around 2013, and snapshots were added until 2014. I hope this gives enough indication of what type of encryption Apple used.
#2
Update!

I got the hash using john-jumbo's dmg2john. The hash seems to be PBKDF1-SHA1 which is supported by hashcat as "iTunes backup < 10.0".

The only problem now is that it's in a john-like format. I'll post a piece of the hash here to see if anybody can help transform it to be hashcat compatible:

Code:
0:$dmg$2*20*6c5e38....*32*0dc746....*48*0aff7a....*1*8192*42e463....*1*57d30d....*200000::::0

The dots represent the left-out part of the hash.
#3
Hi,

I just figured out that this is not supported by hashcat. I'll be using a CUDA-accelerated version of john for this. I hope my journey helps someone else in the future.