12-09-2020, 11:15 PM
1) and 2) ok
3) and 4) In order to avoid further headache, you need to take your image with a mac.
Since you have access to Macquisition, boot your host with it, and connect the guest with TDM to this host. It will appear as "disk2 - Target Disk Mode - Thunderbolt".
Since this disk is encrypted with T2, you do not need to image this one, but the "virtual APFS container disk3".
5) finally, the image you just took should be encrypted with APFS Filevault; follow these steps to extract the hash (and not fvdetools)
3) and 4) In order to avoid further headache, you need to take your image with a mac.
Since you have access to Macquisition, boot your host with it, and connect the guest with TDM to this host. It will appear as "disk2 - Target Disk Mode - Thunderbolt".
Since this disk is encrypted with T2, you do not need to image this one, but the "virtual APFS container disk3".
5) finally, the image you just took should be encrypted with APFS Filevault; follow these steps to extract the hash (and not fvdetools)