Cracking FileVault
Cracking FileVault is a bit of a misnomer. As of this
writing, there is no known flaw in the 128-bit AES
encryption that is being used. When attempting to open a
FileVault-encrypted Home directory, there are two methods
which can be used:
Brute Force
Brute Force with a dictionary attack
The Brute Force method means that every combination of every
letter, number, special character, etc. is tried until the
correct password is found. If you choose this method, good
luck! This is VERY time consuming.
When a dictionary attack is used, we narrow the scope of the
tries with a crafted list of words. The attack exploits the
human flaw of weak passwords OR the potential that the user
left their very strong password “just lying around” through
careless web browsing and caching of passwords and forms.
Cracking FileVault in Tiger was an "easier" task (NOT EASY),
because of the availability of some well-crafted attack
utilities that you can download. I do not have them available
here because I have not received permission to post them.
Simply search MacUpdate.com or VersionTracker.com for
"filevault" and you will locate something to try.
To deal with each format Apple might use (DMG, sparseimage,
sparsebundle), utilities have now been developed to
dictionary attack with tremendous speed.
Spartan, our utility, is available for download. This utility
is the slowest at what it attempts to do, because of the way
it goes about it. It is a true dictionary attack on the
"sparsebundle" by a mount/fail methodology until we get
to a mount/success. Once the correct password is found,
Spartan will mount the "sparsebundle" to the desktop using a
shadowfile, display the password on the screen and quit.
Much faster utilities such as crowbarDMG and Mac Marshal are
now available which will give you speeds Spartan will never
attain in its current form. See the Mac Forensic Tools page
for all of the latest offerings.
If you are dealing with evidence, lock your "sparsebundle"
before starting!
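One way to back up the locking step with proof that the evidence stayed unchanged, as an added example that is not part of the original page or of any tool it names: hash every file in the bundle before the examination, set the locked flag, and compare afterwards. The function names and the constructed sample bundle are assumptions for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def manifest(bundle):
    """Map every file in the bundle (relative path) to its SHA-256 digest."""
    root = Path(bundle)
    result = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        # Band files are small enough to hash in one read.
        result[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result

def lock(bundle):
    """Set the user-immutable flag (Finder's "Locked") where the OS has it;
    elsewhere fall back to clearing the write bits."""
    root = Path(bundle)
    for path in [*root.rglob("*"), root]:
        if hasattr(os, "chflags"):
            os.chflags(path, path.stat().st_flags | stat.UF_IMMUTABLE)
        else:
            path.chmod(path.stat().st_mode & ~0o222)

def changed(before, after):
    """Return the sorted paths that were added, removed or altered."""
    return sorted(p for p in before.keys() | after.keys()
                  if before.get(p) != after.get(p))

def build_sample_bundle():
    """Constructed stand-in for a sparsebundle: Info.plist, token, bands/."""
    root = Path(tempfile.mkdtemp()) / "evidence.sparsebundle"
    (root / "bands").mkdir(parents=True)
    (root / "Info.plist").write_bytes(b"<plist/>")
    (root / "token").write_bytes(b"")
    for name in ("0", "1", "a"):
        (root / "bands" / name).write_bytes(os.urandom(64))
    return root

if __name__ == "__main__":
    bundle = build_sample_bundle()
    baseline = manifest(bundle)   # record before any tool touches the bundle
    lock(bundle)
    # ... the examination runs here ...
    print("altered:", changed(baseline, manifest(bundle)) or "nothing")
```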
As with any good examination, don’t let your evidence get
encrypted in the first place! Before shutting down a
powered-on Macintosh, collect as much data as possible! This
includes data from the Keychain. One such utility,
MacLockPick II from Subrosasoft, will
collect the passwords for you, making the “cracking” a
simple task.