Capture Image of FileVault2 Encrypted Media With Recovery Key
Objective
The purpose of this walkthrough is to demonstrate how to successfully decrypt and gain access to a FileVault® 2 protected volume when the recovery key or passphrase is known in order to capture a forensic image for analysis.
Tools Used
- EnCase® v6.18
- MacQuisition™
- FTK® Imager
- Mac OS® Terminal
Note: MacQuisition 2013 R2 now supports auto-detection of FV2 protected volumes, which allows the examiner to enter a known password or recovery key to unlock them.
Step 1
Remove the hard drive from the MacBook Pro and capture a forensic image using your preferred tool. In our example, we used EnCase v6.18 and captured an image in the .E01 forensic image file format. You can skip the conversion in Step 2 by capturing a raw (dd) image as your first step.
Step 2
Convert the .E01 image to raw (dd) format using FTK Imager.
Step 3
Rename the dd image so that it carries a .dmg extension.
Step 4
Using another Mac-based computer or booting into MacQuisition, boot into the OS and attach the dmg file (without mounting its volumes) using the Terminal command hdiutil attach -nomount /path/to/DMG
Step 5
List the CoreStorage logical volumes available using the Terminal command diskutil cs list
Step 6
Identify the correct logical volume GUID and copy the string. This is the lowest (innermost) Logical Volume entry in the listing, not the Logical Volume Family ID shown above it.
Step 7
Using Terminal, run the command diskutil cs unlockVolume <GUID> (paste the logical volume GUID here)
Step 8
When prompted, enter the passphrase or recovery key.
Step 9
If you entered the passphrase correctly, you will receive the confirmation message “Finished CoreStorage operation”.
Step 10
Using MacQuisition or another tool, forensically image the mounted, unencrypted disk to your preferred format. Begin your analysis!