12-09-2020, 12:06 AM
(This post was last modified: 12-09-2020, 04:15 PM by Zen6.
Edit Reason: Add diskutil apfs list output, add apfs-dump-quick output
)
I'm sorry, this is my mistake.
1) Yes, brand new MacBook Air with Intel CPU. I mean macOS 11 and not OS X 10.11. My bad.
2) Yes, this MacBook Air has a T2 chip.
3) It is an APFS filesystem. For the first dump I used MacQuisition 2020.1 and opened the raw file inside X-Ways Forensics. I think the first dump was corrupted. I made a new one inside macOS 10.15 over TDM.
4) I need to dd dump with noerror,sync the physical drive (disk2), right? Or do I need the synthesized (disk3) one?
5) Yes, I built from source, but with fvdetools/fvdeinfo I get the "unsupported storage signature" error. Same in The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) Linux (5.9) as in macOS 10.15.
6) I'm sorry, I don't want to hijack his post. For me this was the same topic.
Here is the output of diskutil apfs list:
Code:
(snip)
+-- Container disk3 XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
====================================================
APFS Container Reference: disk3
Size (Capacity Ceiling): 250685575168 B (250.7 GB)
Capacity In Use By Volumes: 87167000576 B (87.2 GB) (34.8% used)
Capacity Not Allocated: 163518574592 B (163.5 GB) (65.2% free)
|
+-< Physical Store disk2s2 XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
| -----------------------------------------------------------
| APFS Physical Store Disk: disk2s2
| Size: 250685575168 B (250.7 GB)
|
+-> Volume disk3s1 XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
| ---------------------------------------------------
| APFS Volume Disk (Role): disk3s1 (System)
| Name: Macintosh HD (Case-insensitive)
| Mount Point: Not Mounted
| Capacity Consumed: 10965684224 B (11.0 GB)
| FileVault: Yes (Locked)
|
+-> Volume disk3s2 XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
| ---------------------------------------------------
| APFS Volume Disk (Role): disk3s2 (Data)
| Name: Macintosh HD - Data (Case-insensitive)
| Mount Point: Not Mounted
| Capacity Consumed: 72217112576 B (72.2 GB)
| FileVault: Yes (Locked)
|
+-> Volume disk3s3 XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
| ---------------------------------------------------
| APFS Volume Disk (Role): disk3s3 (Preboot)
| Name: Preboot (Case-insensitive)
| Mount Point: Not Mounted
| Capacity Consumed: 82440192 B (82.4 MB)
| FileVault: No
|
+-> Volume disk3s4 XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
| ---------------------------------------------------
| APFS Volume Disk (Role): disk3s4 (Recovery)
| Name: Recovery (Case-insensitive)
| Mount Point: Not Mounted
| Capacity Consumed: 542101504 B (542.1 MB)
| FileVault: No
|
+-> Volume disk3s5 XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
---------------------------------------------------
APFS Volume Disk (Role): disk3s5 (VM)
Name: VM (Case-insensitive)
Mount Point: Not Mounted
Capacity Consumed: 3221245952 B (3.2 GB)
FileVault: No (Encrypted at rest)
Attempts to image:
1. try
Code:
dd if=/dev/disk2 of=disk.dd conv=noerror,sync
2. try
Code:
dd if=/dev/disk3 of=/disk.dd conv=noerror,sync bs=4m
Both times I get "Initialization of KeyManager failed."
See this issue in the upstream repo of apfs-fuse:
https://github.com/sgan81/apfs-fuse/issues/133
I think apfs-fuse doesn't handle the 4k block size very well. I'm currently analyzing the source of apfs-fuse to get an idea what kind of error causes the "Initialization of KeyManager failed." error message.
On macOS 10.15.5 I built https://github.com/kholia/fvde2john and get the same error:
Code:
sudo ./bin/apfs-dump-quick /dev/disk3 hash.txt
st_mode = 24864
Sector count = 61202533
Sector size = 4096
Device /dev/disk3 opened. Size is 250685575168
starting LoadKeybag
Initialization of KeyManager failed.
Unable to init container.