07-31-2018, 03:04 PM
After a lot of messing around, I got it working. It only works for FileVault on an HFS+ filesystem, and not on the newest APFS.
For educational purposes, I'll post the steps that I followed (on a Mac):
0) Install fvde2john as documented on his GitHub
1) First attach your image;
Code:
hdiutil attach -imagekey diskimage-class=CRawDiskImage -nomount /Volumes/path/to/.DD
2) macOS gives a pop-up that a FileVault-protected disk is detected and prompts you for the password;
3) Do not forget to click on "show hint", if shown ;-)
4) macOS shows us that the image is correctly attached; the CoreStorage is the one we need
Code:
/dev/disk3 GUID_partition_scheme
/dev/disk3s1 EFI
/dev/disk3s2 Apple_Corestorage
/dev/disk3s3 Apple_Boot
5) Obtain the Encrypted.plist.wipekey (different ways possible, but nicely documented on this GitHub-page)
6) Finally, execute the following:
Code:
sudo fvdetools/fvdeinfo -e Encrypted.plist.wipekey -p whatever /dev/disk3s2
7) It will give the hash (and some errors), needed to work with -m 16700
Good luck!
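Added example, not part of the original post: a small shell helper for step 4 that picks the CoreStorage slice out of the attach listing and flags an APFS-only image, which the post says this method does not cover. The function names and both sample listings are constructed for illustration (the first mirrors the listing in the post); the `Apple_APFS` type label is what macOS reports for APFS containers.

```shell
#!/bin/sh
# Locate the CoreStorage slice in a partition listing such as the one
# printed by `hdiutil attach -nomount` (device node, then partition type).

# find_fv_slice: reads the listing on stdin.
#   exit 0 and print the device node if a CoreStorage slice exists
#   exit 2 if only an APFS container is present (method does not apply)
#   exit 1 if neither is found
find_fv_slice() {
    awk '
        { type = tolower($2) }                    # case differs between tools
        type == "apple_corestorage" && dev == "" { dev = $1 }
        type == "apple_apfs" { apfs = 1 }
        END {
            if (dev != "") { print dev; exit 0 }
            exit (apfs ? 2 : 1)
        }'
}

# describe: turn the result into a one-line summary for case notes.
describe() {
    rc=0
    slice=$(printf '%s\n' "$1" | find_fv_slice) || rc=$?
    case $rc in
        0) echo "CoreStorage slice: $slice" ;;
        2) echo "APFS container only: method does not apply" ;;
        *) echo "no CoreStorage slice found" ;;
    esac
}

# Constructed sample listings (not captured from a real system).
SAMPLE_HFS='/dev/disk3 GUID_partition_scheme
/dev/disk3s1 EFI
/dev/disk3s2 Apple_Corestorage
/dev/disk3s3 Apple_Boot'

SAMPLE_APFS='/dev/disk4 GUID_partition_scheme
/dev/disk4s1 EFI
/dev/disk4s2 Apple_APFS'

describe "$SAMPLE_HFS"
describe "$SAMPLE_APFS"
```

On a real image, pipe the output of the attach command from step 1 into `find_fv_slice` and use the printed device node as the last argument in step 6.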