Yesterday, 08:46 AM
Since you have a non-encrypted image of the device, you can try to crack the user password by extracting the login-hash from the correct user-plist file...or (and this one is much faster) by extracting the keychain-hash from the login.keychain of that user.
Since there is a high probability that the user used the same password for login and keychain, I would try the keychain-hash. Do not forget the --keep-guessing in order to tackle the false positives.
You can obtain the content of the keychain of your first user with some dedicated (commercial) tools, like Chainbreaker.
Since there is a high probability that the user used the same password for login and keychain, I would try the keychain-hash. Do not forget the --keep-guessing in order to tackle the false positives.
You can obtain the content of the keychain of your first user with some dedicated (commercial) tools, like Chainbreaker.