12-06-2020, 08:45 PM
Hi,
I'm trying to get the FileVault2-Hash of a 2020 MacBook Air with macOS 10.11. How you acquire the image?
I Use a second MacBook and the DUT in the Target disk mode:
sudo dd if=/dev/disk2 of=/path/to/filevault_image.dd conv = noerr, sync
But there is not a "Recovery HD" partition. I get only a readable "preboot" partition.
Under /preboot/<UUID>/System/Library/Caches/com.apple.corestorage/ i find the EncryptedRoot.plist.wipekey
Under /preboot/<UUID>/var/db/ i get three files:
AdminUserRecoveryInfo.plist
CryptoUserInfo.plist
secureaccesstoken.plist
It's possible with these files to get the FileVault2-Hash and Recover the FileVault2-Password?
This MacBook has a T2 chip, but I think FileVault2 is turned on manually, because when I start the MacBook, after one minute I get the hint, to restart into Password Recovery Mode
With the fvdetools compiled under macOS 10.15 and the "EncryptedRoot.plist.wipekey" I get the unsupported storage signature error.
Have you some ideas for me?
I'm trying to get the FileVault2-Hash of a 2020 MacBook Air with macOS 10.11. How you acquire the image?
I Use a second MacBook and the DUT in the Target disk mode:
sudo dd if=/dev/disk2 of=/path/to/filevault_image.dd conv = noerr, sync
But there is not a "Recovery HD" partition. I get only a readable "preboot" partition.
Under /preboot/<UUID>/System/Library/Caches/com.apple.corestorage/ i find the EncryptedRoot.plist.wipekey
Under /preboot/<UUID>/var/db/ i get three files:
AdminUserRecoveryInfo.plist
CryptoUserInfo.plist
secureaccesstoken.plist
It's possible with these files to get the FileVault2-Hash and Recover the FileVault2-Password?
This MacBook has a T2 chip, but I think FileVault2 is turned on manually, because when I start the MacBook, after one minute I get the hint, to restart into Password Recovery Mode
With the fvdetools compiled under macOS 10.15 and the "EncryptedRoot.plist.wipekey" I get the unsupported storage signature error.
Have you some ideas for me?