Encrypted TimeMachine external backup disk
#1
Hi all, 

I just finished the upgrade / new installation from El Captain to macOS Sierra, when I connected my external backup / TimeMachine disk I am asked a password. 

In my rush I totally forgot to backup my login.keychain where the password to the encrypted backup disk was saved or better, it is also on the encrypted backup. Basically all my personal life and work is stored there and my attempt to guess the password has failed so far. 

I am somewhat certain that the password is a combination of my name, year and some upper / lower case letter as well as 2 or 3 special characters I always use. 

I read through the forums and the documentation but can not quite figure out how to get started. I already installed the git version of hashcat. 


1. How do I create a hash of the backup disk?
2. What would be the recommended way of trying to recover the password? Should I make an image of the disk first?

Thank you so much
Andreas
#2
I am not really familiar with these TimeMachine backups, but I assume that whenever you have a Manifest.plist file (does that file ship with the backup?) and itunes_backup2hashcat.pl extracted some "hashes", that you should be able to crack it.

Therefore: 1. search for the Manifest.plist file, 2. use itunes_backup2hashcat.pl, 3. crack it.
#3
Thank you philsmd!

Unfortunately I don't have any access to the disk, as soon as I connect it to the computer it asks me for the Encryption password (screenshot attached).

As far as I understand and according to wikipedia FileFault 2 uses "AES-XTS mode of AES with 128 bit blocks and a 256 bit key to encrypt the disk". 

I thought about using dd to create a disk image of the encrypted volume. Any idea how to continue here?

Thank you!
#4
Nobody?
#5
I don't know how Time Machine backup are encrypted. If it's FileVault2 like you say you check https://github.com/libyal/libfvde. It provides an open source implementation for decrypting FileVault2. You will have to script something as it is not built to crack password only decrypt and mount.
#6
(04-12-2017, 06:26 PM)mrleau Wrote: I don't know how Time Machine backup are encrypted. If it's FileVault2 like you say you check https://github.com/libyal/libfvde. It provides an open source implementation for decrypting FileVault2. You will have to script something as it is not built to crack password only decrypt and mount.

Thank you so much, this looks like a promising start. 
Many greetings, Andreas