-m 18300 APFS
#11
So there are instructions for getting the hash from an HFS volume and instructions for getting the hash from an APFS volume. HOWEVER my question is.... how do you know which one the computer is using? It's a computer you can't log in to, normal computer users would never know what format their drive is, and if it's been sitting around for a while, can't reliably even tell you what macOS version they are on.

I used the HFS method and I'm cracking away on a 16700 hash but is it... real? Or am I hashing against nonsense because the drive is actually an APFS volume?
Reply
#12
If I understand it correctly, you have successfully obtained a hash thanks to fvde2john, and you're cracking it with 16700?
This means you also used the file Encrypted.plist.wipekey, which is used by HFS?
This means you have access to the physical disk?
This means that you can inspect/mount/analyze the image and lookup the filesystem?
Reply
#13
Yes until the very end, I can't mount the filesystem without the password, so I can't lookup the filesystem.
Reply
#14
Encrypted.plist.wipekey is typical for FileVault on HFS+ filesystem.
You can lookup the filesystem without knowing the pwd, simply by attaching it.

Did you ask Google about "How to tell if I'm using HFS+ or APFS?" The first (!) result is exactly what you need.
Reply
#15
OK, I just read the first result of your Google search and it says to run `diskutil info /` but the drive is encrypted, thus it's not mounted, thus there is no path to this unknown volume. If I do `diskutil info /dev/disk4s2`, which is the unmounted volume, it tells me `File System: none`.
Reply
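An added example, not part of any post in this thread: one way to answer the HFS-or-APFS question on an unmounted, locked disk is to read the GPT partition type GUIDs from a raw image and cross-check for the APFS container magic `NXSB` at byte 32 of the partition. The function names, the 512-byte sector size and the sample image builder are assumptions of this sketch; the hashcat mode numbers are the ones mentioned in the thread.

```python
import io, struct, uuid

SECTOR = 512  # assumption: 512-byte logical sectors (4Kn disks need 4096)
# Well-known Apple GPT partition type GUIDs -> (container kind, hashcat mode from this thread)
APPLE_TYPES = {
    "7c3457ef-0000-11aa-aa11-00306543ecac": ("APFS", 18300),
    "53746f72-6167-11aa-aa11-00306543ecac": ("CoreStorage (FileVault 2 on HFS+)", 16700),
    "48465300-0000-11aa-aa11-00306543ecac": ("HFS+ (plain, not CoreStorage)", None),
}

def classify_partitions(dev):
    """Return [(index, kind, mode, nxsb_seen)] for Apple partitions in a GPT image."""
    dev.seek(SECTOR)                       # GPT header lives at LBA 1
    hdr = dev.read(92)
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    entries_lba, = struct.unpack_from("<Q", hdr, 72)
    count, size = struct.unpack_from("<II", hdr, 80)
    found = []
    for i in range(count):
        dev.seek(entries_lba * SECTOR + i * size)
        entry = dev.read(size)
        if len(entry) < 48:                # truncated image
            break
        guid = str(uuid.UUID(bytes_le=entry[:16]))  # type GUID is stored mixed-endian
        if guid not in APPLE_TYPES:
            continue
        first_lba, = struct.unpack_from("<Q", entry, 32)
        dev.seek(first_lba * SECTOR + 32)  # magic follows the 32-byte APFS object header
        nxsb = dev.read(4) == b"NXSB"
        kind, mode = APPLE_TYPES[guid]
        found.append((i + 1, kind, mode, nxsb))
    return found

def build_sample(type_guid, magic):
    """Constructed test image: GPT header, one entry at LBA 2, partition at LBA 40."""
    img = bytearray(SECTOR * 41)
    hdr = bytearray(92)
    hdr[:8] = b"EFI PART"
    struct.pack_into("<Q", hdr, 72, 2)          # partition entry array starts at LBA 2
    struct.pack_into("<II", hdr, 80, 1, 128)    # one entry of 128 bytes
    img[SECTOR:SECTOR + 92] = hdr
    entry = uuid.UUID(type_guid).bytes_le + bytes(16) + struct.pack("<QQ", 40, 40)
    img[2 * SECTOR:2 * SECTOR + len(entry)] = entry
    img[40 * SECTOR + 32:40 * SECTOR + 36] = magic
    return io.BytesIO(bytes(img))
```

Pass it a raw image of the whole disk opened read-only in binary mode; a CoreStorage result matches the Encrypted.plist.wipekey route, an APFS result means the 16700 hash was not taken from the right structure.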
#16
Banaanhangwagen, just wanting to confirm, as of now, on an Intel Mac with the T2 chipset, we can't obtain hashes, correct? Just going to get the failure of Initialization of KeyManager error, and nothing else to be done with that?

Specifically, this would be for an A1932 with FileVault 2 and an APFS filesystem.
Reply
#17
Correct
Reply