libfvde's Introduction

libfvde is a library to access FileVault Drive Encryption (FVDE) (or FileVault2) encrypted volumes.

The FVDE format is used by Mac OS X, as of Lion (10.7), to encrypt data on a storage media volume.

Project information:

* Status: experimental
* Licence: LGPLv3+

Supported Core Storage / FileVault2 implementations:

* Mac OS X Lion (10.7)
* Mac OS X Mountain Lion (10.8)
* Mac OS X Mavericks (10.9)
* Mac OS X Yosemite (10.10)
* Mac OS X El Capitan (10.11)
* macOS Sierra (10.12)
* macOS High Sierra (10.13)
* macOS Mojave (10.14)
* macOS Catalina (10.15)

Supported encryption volume types:

* removable media volume - with encrypted context (initial support as of 20121113 version)
* system volume
* multiple logical volumes

Supported protection methods:

* password
* recovery password
* VMK key data (as of 20121114 version)

Unsupported Core Storage format features:

* multiple physical volumes

Also see:

* VileFault; for accessing FileVault encrypted disk images (or user directories): https://code.google.com/p/vilefault/
* Infiltrate the Vault: Security Analysis and Decryption of Lion Full Disk Encryption: http://eprint.iacr.org/2012/374.pdf
* Security Analysis and Decryption of FileVault 2: http://www.cl.cam.ac.uk/~osc22/docs/slides_fv2_ifip_2013.pdf

If you find this project useful please cite the following paper in your publications:
Omar Choudary, Felix Grobert and Joachim Metz. "Security Analysis and Decryption of Filevault 2",
in Advances in Digital Forensics IX, IFIP Advances in Information and Communication Technology 410,
2013, pp 349-363.

Work in progress:

* DEFLATE compressed XML plist
* removable media volume - without encrypted context
* removable media volume - decrypted
* extend CoreStorage volume support
* partial encrypted volumes

Planned:

* Dokan support

For more information see:

* Project documentation: https://github.com/libyal/libfvde/wiki/Home
* How to build from source: https://github.com/libyal/libfvde/wiki/Building

libfvde's Issues

libfplist_property_get_value_string: unsupported value type

Non-verbose output:

fvdeinfo 20161110

Unable to open: /dev/loop0p2.
libfplist_property_get_value_string: unsupported value type.
libfplist_property_value_uuid_string_copy_to_byte_stream: unable to retrieve logical volume family identifier.
libfvde_encrypted_metadata_read_type_0x001a: unable to copy LVF UUID string to byte stream.
libfvde_encrypted_metadata_read: unable to read metadata block type 0x001a.
libfvde_volume_open_read: unable to read primary encrypted metadata.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.

Turning on verbose output yields the following info (with everything before the seeming error removed, and UUIDs snipped out, as I don't know what is/isn't private):

libfvde_metadata_read_core_storage_plist: XML:
<dict><key>com.apple.corestorage.label.sequence</key><integer size="32">0x1</integer><key>com.apple.corestorage.lvg.uuid</key><string>UUID_WAS_SNIPPED</string><key>com.apple.corestorage.lvg.name</key><string>Macintosh HD</string><key>com.apple.corestorage.lvg.physicalVolumes</key><array><string>UUID_WAS_SNIPPED</string></array></dict>
Unable to open: /dev/loop0p2.
libfplist_property_get_value_string: unsupported value type.
libfvde_metadata_read_core_storage_plist: unable to retrieve logical volume group identifier.
libfvde_metadata_read_type_0x0011: unable to read metadata block type 0x0011.
libfvde_metadata_read: unable to read metadata block type 0x0011.
libfvde_volume_open_read: unable to read primary metadata.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.

Error in fvdeinfo and fvdemount

Hello, I am trying to use the fvdetools but I consistently get the same error and I wonder if there is something wrong with my build (or if I am using. I am using the 20160918 build.
I built the image of a USB drive (8 GB). The output of mmls is the following:
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

     Slot      Start        End          Length       Description
000: Meta      0000000000   0000000000   0000000001   Safety Table
001: -------   0000000000   0000000039   0000000040   Unallocated
002: Meta      0000000001   0000000001   0000000001   GPT Header
003: Meta      0000000002   0000000033   0000000032   Partition Table
004: 000       0000000040   0000409639   0000409600   EFI System Partition
005: 001       0000409640   0014876631   0014466992   HFSTest
006: 002       0014876632   0015138775   0000262144   Booter
007: -------   0015138776   0015138815   0000000040   Unallocated

Then I tried both fvdemount and fvdeinfo with the following syntax:
fvdeinfo -p XXXX /data01/scratch/testfv2.dd
and
fvdemount -X allow_root -p XXXX /data01/scratch/testfv2.dd /tmp/abcd
but, in both cases, I got the following error

Unable to open: /data01/scratch/testfv2.dd.
libfvde_io_handle_read_volume_header: unsupported core storage signature.
libfvde_volume_open_read: unable to read volume header.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
mount_handle_open_input: unable to open input volume.

I have exactly the same problem with the image of a full disk having the following structure (from mmls):
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

     Slot      Start        End          Length       Description
000: Meta      0000000000   0000000000   0000000001   Safety Table
001: -------   0000000000   0000000039   0000000040   Unallocated
002: Meta      0000000001   0000000001   0000000001   GPT Header
003: Meta      0000000002   0000000033   0000000032   Partition Table
004: 000       0000000040   0000409639   0000409600   EFI System Partition
005: 001       0000409640   0488965175   0488555536   Customer
006: 002       0488965176   0490234711   0001269536   Recovery HD
007: -------   0490234712   0490234751   0000000040   Unallocated

I built the image of the USB drive because it is "reasonably" small (slightly less than 8 GB) so, maybe, Joachim can take a look at it (I can make it available for download).
Any help from Joachim or from other expert users is very welcome!
Massimo
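
Added example, not part of the original issue or of the libfvde project: a pre-flight check that turns an mmls listing into the byte offset for `-o` (the successful `-o 209735680` invocation elsewhere on this page is 409640 * 512) and confirms that a Core Storage header sits there. The names `parse_mmls`, `has_cs_signature` and `offset_for` are hypothetical, and the "CS" signature at byte 88 of the volume header is an assumption taken from libfvde's format documentation, not from this page.

```python
"""Find the -o byte offset of a Core Storage volume from an mmls listing."""
import re
import sys
from typing import BinaryIO, List, NamedTuple, Optional

# Assumption (libfvde format documentation, not this page): the Core Storage
# volume header carries the 2-byte signature "CS" at byte 88.
CS_SIGNATURE = b"CS"
CS_SIGNATURE_OFFSET = 88

# mmls listing of the USB drive image, copied from the issue above.
MMLS_SAMPLE = """\
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

000: Meta 0000000000 0000000000 0000000001 Safety Table
001: ------- 0000000000 0000000039 0000000040 Unallocated
002: Meta 0000000001 0000000001 0000000001 GPT Header
003: Meta 0000000002 0000000033 0000000032 Partition Table
004: 000 0000000040 0000409639 0000409600 EFI System Partition
005: 001 0000409640 0014876631 0014466992 HFSTest
006: 002 0014876632 0015138775 0000262144 Booter
007: ------- 0015138776 0015138815 0000000040 Unallocated
"""

# index, slot, start, end, length, description (any amount of whitespace)
ROW = re.compile(r"^\s*\d+:\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*\S)\s*$")
UNITS = re.compile(r"Units are in (\d+)-byte sectors")


class Partition(NamedTuple):
    slot: str
    start_sector: int
    length_sectors: int
    description: str
    byte_offset: int  # start_sector * sector size, the unit -o expects


def parse_mmls(text: str) -> List[Partition]:
    """Return allocated partitions; Meta and Unallocated rows are skipped."""
    units = UNITS.search(text)
    sector_size = int(units.group(1)) if units else 512
    partitions = []
    for line in text.splitlines():
        row = ROW.match(line)
        if not row or not row.group(1).isdigit():
            continue
        start, length = int(row.group(2)), int(row.group(4))
        partitions.append(Partition(row.group(1), start, length,
                                    row.group(5), start * sector_size))
    return partitions


def has_cs_signature(image: BinaryIO, byte_offset: int) -> bool:
    """True if a Core Storage signature is found for a volume at byte_offset."""
    image.seek(byte_offset + CS_SIGNATURE_OFFSET)
    return image.read(len(CS_SIGNATURE)) == CS_SIGNATURE


def offset_for(image: BinaryIO, mmls_text: str) -> Optional[int]:
    """Return the byte offset to pass with -o, or None if nothing matches.

    0 means the input already is the Core Storage partition (for example a
    partition device), so adding a partition offset would skip its header.
    """
    if has_cs_signature(image, 0):
        return 0
    for part in parse_mmls(mmls_text):
        if has_cs_signature(image, part.byte_offset):
            return part.byte_offset
    return None


if __name__ == "__main__":
    for part in parse_mmls(MMLS_SAMPLE):
        print(f"{part.slot} {part.description}: -o {part.byte_offset}")
    if len(sys.argv) == 3:  # usage: script.py IMAGE MMLS_OUTPUT_FILE
        with open(sys.argv[1], "rb") as image, open(sys.argv[2]) as listing:
            print("offset with CS signature:", offset_for(image, listing.read()))
```

A result of `None` means no partition start carries the signature, which is the condition reported as "unsupported core storage signature" when the tool is pointed at the wrong offset.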

Password Displayed in Process List (security concern)

I noticed that fvdemount will display the partition's password in the process list (which can be seen by any user), as it is taken as a parameter when mounting. Can this security issue be corrected in a future release?
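
Added example, not part of the original issue or of libfvde: an audit that reads `/proc/<pid>/cmdline` the way any local user can and reports fvdemount or fvdeinfo invocations that carry `-p` or `-r` values, printing them redacted. The function names and the sample command line are constructed for illustration; the option letters are the ones used in the commands on this page.

```python
"""Audit running processes for FVDE secrets passed on the command line."""
import os

TOOL_NAMES = {"fvdemount", "fvdeinfo"}  # tools named on this page
SECRET_OPTIONS = ("-p", "-r")           # password / recovery password

# Constructed sample of what /proc/<pid>/cmdline holds for such a process.
SAMPLE_CMDLINE = (b"sudo\x00fvdemount\x00-e\x00EncryptedRoot.plist.wipekey"
                  b"\x00-p\x00CONSTRUCTED-PASSWORD\x00/dev/sda2\x00/mnt\x00")


def split_cmdline(raw: bytes) -> list:
    """Split the NUL-separated contents of /proc/<pid>/cmdline into arguments."""
    if not raw:
        return []                 # kernel threads have an empty cmdline
    if raw.endswith(b"\x00"):
        raw = raw[:-1]            # drop the terminator, keep empty arguments
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\x00")]


def secret_positions(argv: list) -> list:
    """Return (index, offset) pairs locating secret text inside argv.

    offset is 0 for the separate form (-p SECRET) and 2 for the attached
    form (-pSECRET); getopt-style parsers accept both.
    """
    start = next((i for i, arg in enumerate(argv)
                  if os.path.basename(arg) in TOOL_NAMES), None)
    if start is None:
        return []
    found = []
    i = start + 1
    while i < len(argv):
        arg = argv[i]
        if arg in SECRET_OPTIONS and i + 1 < len(argv):
            found.append((i + 1, 0))
            i += 2
            continue
        if arg.startswith(SECRET_OPTIONS) and len(arg) > 2:
            found.append((i, 2))
        i += 1
    return found


def redact(argv: list, positions: list) -> str:
    """Render argv as one line with every located secret replaced."""
    out = list(argv)
    for index, offset in positions:
        out[index] = out[index][:offset] + "<redacted>"
    return " ".join(out)


def scan_proc(proc_root: str = "/proc") -> list:
    """Return (pid, redacted command line) for every exposed invocation."""
    findings = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as handle:
                argv = split_cmdline(handle.read())
        except OSError:
            continue              # process exited or is not readable
        positions = secret_positions(argv)
        if positions:
            findings.append((int(entry), redact(argv, positions)))
    return findings


if __name__ == "__main__":
    sample = split_cmdline(SAMPLE_CMDLINE)
    print("sample:", redact(sample, secret_positions(sample)))
    for pid, line in scan_proc():
        print(f"pid {pid} exposes a secret: {line}")
```

The `sudo` wrapper process is reported as well, because its own argument vector carries the same secret.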

performance issues due to corrupted external disk

I decrypted an fvde partition and then mounted this partition (to the external USB 3.0 hdd where the raw file is located too).

Then I tried to copy with cp to another folder on the same external hdd (to store data decrypted).

I'm trying to copy about 90GB of files and inspecting the current progress it would take about 3-4 days to copy this.

Any hints on why this is taking so long? Or is it "normal" when using this tool?

Unable to open: /dev/sda2

Hi there,

I am using pre-release version libfvde-20160918 on Ubuntu 16.04 and I am hitting this error when trying to mount encrypted HFS. I am describing the commands I am issuing and the corresponding error.

$ sudo mount -t auto /dev/sda3 appboot/
$ sudo fvdemount -e appboot/com.apple.boot.P/System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey -r XAYL-67N3-DPXM-PUTQ-36TK-33RJ /dev/sda2 /media/osx/ -v
fvdemount 20160918

Unable to open: /dev/sda2.
libfvde_encryption_context_plist_decrypt: invalid plist - decrypted data already set.
libfvde_volume_open_read_keys_from_encrypted_metadata: unable to decrypt encrypted root plist.
libfvde_volume_open_read: unable to read keys from secondary encrypted metadata.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
mount_handle_open_input: unable to open input volume.

Thanks for taking your time on this experimental tool.

libfvde_encryption_context_plist_get_passphrase_wrapped_kek: unable to retrieve PassphraseWrappedKEKStruct sub property

Hello everyone,
I'm trying to use libfvde but I've encountered several problems:
Initially, I had a couple of errors starting with libfvalue_utf8_string_with_index_copy_to_integer: unsupported character value: 0x78 at index: 1. which was resolved by adding the code given in this post #36.

However, it still doesn't work; here are the command lines used and their results:
sudo mmls /dev/sda
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

     Slot      Start        End          Length       Description
000: Meta      0000000000   0000000000   0000000001   Safety Table
001: -------   0000000000   0000000039   0000000040   Unallocated
002: Meta      0000000001   0000000001   0000000001   GPT Header
003: Meta      0000000002   0000000033   0000000032   Partition Table
004: 000       0000000040   0000409639   0000409600   EFI System Partition
005: 001       0000409640   0488965175   0488555536   Customer
006: 002       0488965176   0490234711   0001269536   Recovery HD
007: -------   0490234712   0490234751   0000000040   Unallocated

sudo fls -r -o 488965176 /dev/sda | grep -i encryptedroot
+++++ r/r 3597: EncryptedRoot.plist.wipekey

sudo icat -o 488965176 /dev/sda 3597 > EncryptedRoot.plist.wipekey

sudo fvdemount -e EncryptedRoot.plist.wipekey -p 'PASSWD' /dev/sda2 test/fvdevolume

Unable to open: /dev/sda2.
libfvde_encryption_context_plist_get_passphrase_wrapped_kek: unable to retrieve PassphraseWrappedKEKStruct sub property.
libfvde_encrypted_metadata_get_volume_master_key: unable to retrieve passphrase wrapped KEK: 1 from encryption context plist.
libfvde_volume_open_read_keys_from_encrypted_metadata: unable to retrieve volume master key from encrypted metadata.
libfvde_volume_open_read: unable to read keys from primary encrypted metadata.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
mount_handle_open_input: unable to open input volume.

You can find attached the log of the verbose/debug mode :
log_verbose.txt

I'm currently on 4.18.7-arch1-1-ARCH, the password used for the program is certain.
The drive was encrypted using filevault2 on Sierra 10.12.6 => source of the problem?

Thank you for your help,
Tiago

libfvde_sector_data_read: unable to read sector data

I've successfully mounted an encrypted volume using the following command:
fvdemount -e EncryptedRoot.plist.wipekey -V -o 209735680 -p 'PASSWORD' imagefile.dd /mnt/tmp/

However, when I try and copy or 'dd' /mnt/tmp/fvde1 I start getting repeated Input/output errors from the imaging tool after reading about 600mb.

In verbose mode, fvdemount gives the following repeated errors when this point is met:

mount_handle_read_buffer: unable to read buffer from input volume
fvdemount_fuse_read: unable to read from mount handle.
libfvde_sector_data_read: unable to read sector data
libfvde_io_handle_read_sector: unable to read sector data.
libfdata_vector_get_element_value_by_index: unable to read element data at offset: 01c338b2000.
libfdata_vector_get_element_value_at_offset: unable to retrieve element: 1303816 value
libfvde_internal_volume_read_buffer_from_file_io_handle: unable to retrieve sector data at offset: 667553792
libfvde_volume_read_buffer: unable to read buffer.

./fvdeinfo -o 209735680 imagefile.dd
fvdeinfo 20160609
Physical volume:
Size: 120473067520 bytes
Encryption method: AES XTS
Logical volume:
Size: 120108089344 bytes

Any ideas why this is failing?
Thanks

fix failing tests

  • setup.py build failing due to missing autogenerated source
    • skip test target? setup.py designed to work with dist package
libfplist/libfplist_property_list.c:31:34: fatal error: libfplist_xml_parser.h: No such file or directory
 #include "libfplist_xml_parser.h"

Missing drive encryption context plist

I'd like to help contribute to this issue and it just so happens I have a drive that gets the dreaded "Unable to unlock source volume" error of #34 and #41 fame. I'm not sure what the issue is, but I see that it does have a section 0x0505 and it only has one physical and one logical volume. Below is the output of fvdeinfo and the debug log from fvdemount.

fvdeinfo 20220125

Logical volume: 1 is locked and a password is needed to unlock it.

Password: 

Unable to unlock volume.

Core Storage information:

Logical volume group:
        Identifier                      : ef237066-fea3-4327-8c8a-11735a2b05ad
        Name                            : South America
        Number of physical volumes      : 1
        Number of logical volumes       : 1

Physical volume: 1
        Identifier                      : 16a74bae-2148-458f-9168-0baf6c756509
        Size                            : 3.4 TiB (3800274411520 bytes)
        Encryption method               : AES-XTS 128-bit

Logical volume: 1
        Identifier                      : ec33f8f9-8e80-4e08-8296-46a7be62ad6a
        Name                            : South America
        Size                            : 3.4 TiB (3799903109120 bytes)
        Is locked

fvdetools_south_america.log

Based on the "invalid logical volume - volume is locked" message, it looks like I'm hitting this in libfvde_internal_logical_volume_read_buffer_from_file_io_pool, or this in libfvde_internal_logical_volume_seek_offset. This just looks like a symptom though, and I'm not familiar enough with the code base to figure out the root cause.

If you can point me in the right direction, I can investigate by looking at hex offsets and matching them up to the code and slides linked to in the README file. The quantity of debug information is just a bit overwhelming for me, as I'm just picking up Apple Core Storage and FileVault tonight.

Originally posted by @anon8675309 in #2 (comment)

Unable to mount an encrypted OS drive

I've got an OS drive (m.2) that I need to access. I do not know exactly which version of macOS is installed on it. However, I cannot mount it. I took out the EncryptedRoot.plist.wipekey per instructions in the wiki.

fvdemount -e EncryptedRoot.plist.wipekey -r 35AJ-AC98-TI1H-N4M3-HDUQ-UQFG /dev/sdb2 /mnt/fvdevolume/

fvdemount 20190104

Unable to open source volume
libfvde_encryption_context_plist_get_passphrase_wrapped_kek: unable to retrieve PassphraseWrappedKEKStruct sub property.
libfvde_encrypted_metadata_get_volume_master_key: unable to retrieve passphrase wrapped KEK: 1 from encryption context plist.
libfvde_volume_open_read_keys_from_encrypted_metadata: unable to retrieve volume master key from encrypted metadata.
libfvde_volume_open_read: unable to read keys from primary encrypted metadata.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
mount_handle_open: unable to open volume.

And fvdeinfo

fvdeinfo /dev/sdb2

fvdeinfo 20190104
Unable to unlock keys.

I've attached the output from a verbose run (after recompiling with it turned on).
outputfvdeinfo.txt

libcsystem_string_decimal_copy_to_64_bit: unsupported character value: a at index: 0

This is the boot disk in a MBP, originally installed in 10.10, then resized to dual-boot Linux (where I'm running these commands from), and upgraded to 10.11.

$ fvdeinfo -e EncryptedRoot.plist.wipekey -p '' /dev/sda -v >fvdeinfo.txt 2>&1
$ fvdemount -e EncryptedRoot.plist.wipekey -p '' /dev/sda2 /mnt -v
fvdemount 20160719

libfvde_volume_set_utf8_password: user password: 
libfvde_encryption_context_plist_read_file_io_handle: reading file of size: 1867168

Unable to set volume offset.
libcsystem_string_decimal_copy_to_64_bit: unsupported character value: a at index: 0.
mount_handle_set_volume_offset: unable to copy string to 64-bit decimal.

fvdeinfo.txt

Can't run (cross-)compiled binary on Windows

I cross-compiled for Windows on Linux based on the instructions at https://github.com/libyal/libfvde/wiki/Building.
Instead of MinGW32 I used MinGW-W64, with the following command:

./configure --host=i686-w64-mingw32 --enable-winapi=yes

The above produces a binary (e.g. fvdeinfo.exe), but when I run it on Windows 7, I get the following error:

The program can't start because libgcc_s_sjlj-1.dll is missing from your computer. Try reinstalling the program to fix this problem.

It seems that libfvde-1.dll is dynamically linked against libgcc_s_sjlj-1.dll, which is not present on Windows 7 by default. I tried --enable-static-executables=yes as suggested by the wiki, but that didn't compile at all.
I also tried overriding CFLAGS and LDFLAGS, but that had no effect.

Ultimately I got a working binary with:

CC=/usr/bin/i686-w64-mingw32-gcc\ -static-libgcc ./configure --host=i686-w64-mingw32 --enable-winapi=yes

fvdeinfo: Unable to unlock keys

Hello,
with fvdeinfo 20170917 it's impossible to mount / get info on FileVaulted devices:
it says Unable to unlock keys.

What diskutil shows:

~/Desktop/libfvde(master*) » sudo diskutil list
/dev/disk0 (internal):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                         500.3 GB   disk0
   1:                        EFI EFI                     314.6 MB   disk0s1
   2:          Apple_CoreStorage Macintosh HD            499.3 GB   disk0s2
   3:                 Apple_Boot Recovery HD             650.0 MB   disk0s3

/dev/disk1 (internal, virtual):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:                  Apple_HFS Macintosh HD           +499.0 GB   disk1
                                 Logical Volume on disk0s2
                                 9FEA6F1C-6745-481D-88D4-440BF17FFD4C
                                 Unlocked Encrypted

/dev/disk2 (external, physical):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                        *32.2 GB    disk2
   1:                        EFI EFI                     209.7 MB   disk2s1
   2:          Apple_CoreStorage Sans titre              31.9 GB    disk2s2
   3:                 Apple_Boot Boot OS X               134.2 MB   disk2s3

Offline
                                 Logical Volume Sans titre on disk2s2
                                 4A429E5D-2A2A-46FA-BC5B-91A106284811
                                 Locked Encrypted
------------------------------------------------------------

And I don't know what I'm doing wrong, but although I compiled libfvde with debug output it shows nothing:

Features:
   Multi-threading support:                   pthread
   Wide character type support:               no
   fvdetools are build as static executables: no
   Python (pyfvde) support:                   no
   Python version 2 (pyfvde) support:         no
   Python version 3 (pyfvde) support:         3.6
   Verbose output:                            yes
   Debug output:                              yes

-------------------------------------------------
sudo ./fvdetools/fvdeinfo -v /dev/disk2s2 -p password                                                            
fvdeinfo 20170917

Unable to unlock keys.

Do you have an idea of what I'm doing wrong?
Thanks!

unable to retrieve ConversionInfo key

I'm trying to unlock an external drive encrypted last week. It wasn't encrypted on my machine, so I'm not sure which version of OSX or filevault was used in the encryption. In any case, here is what I'm getting:

[giovanni@arch libfvde-20160918]$ sudo fvdemount -p ValidPass /dev/sda2 /mnt/fvdevolume/ 
fvdemount 20160918

Unable to open: /dev/sda2.
libfvde_encryption_context_plist_read_xml: unable to retrieve ConversionInfo key.
libfvde_encryption_context_plist_set_data: unable to retrieve XML.
libfvde_encrypted_metadata_read_type_0x0019: unable to set encryption context plist data.
libfvde_encrypted_metadata_read: unable to read metadata block type 0x0019.
libfvde_volume_open_read: unable to read primary encrypted metadata.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
mount_handle_open_input: unable to open input volume.

And here is my debug_output.txt

Unable to build libfvde on Mac OS 10.14

I am unable to build any of the source distribution packages (20190104, 20191221) as well as with git clone on macos 10.14.

It seems to be related to the libcaes library.

Here's the error I get on make:

libcaes_context.c:365:6: error: use of undeclared identifier 'libcaes_tables_initialized'; did you mean
      'libcaes_context_initialize'?
        if( libcaes_tables_initialized == 0 )

libcaes_context.c:379:3: error: use of undeclared identifier 'libcaes_tables_initialized'
                libcaes_tables_initialized = 1;

fvdemount: Unable to unlock keys

I'm trying to mount some encrypted external drives, all created under 10.9 with either DiskUtility or Finder (right-click encrypt). Based on what I've read on the wiki that should be mountable like this:

$> sudo fvdemount -p "mypass" /dev/sdb2 /mnt/fvde/
fvdemount 20140907

Unable to unlock keys.

I always get this error, I'm certain that the password is correct.
Is this not supported or am I missing something?

Logical Volume size 0 bytes

Hi
to give a little background - I'm trying to get data from a macbook air that got rather wet. The PCI-E SSD seems intact, but I doubt it was cleanly shutdown.

using fvdeinfo on the encrypted partition I get this

fvdeinfo 20150222

Core Storage information:

Physical volume:
Size: 120472952832 bytes
Encryption method: AES XTS

Logical volume:
Size: 0 bytes

and
fvdemount -X allow_root -e ./EncryptedRoot.plist.wipekey -p user_password -v /dev/sda2 /mnt/container
works, but the file /mnt/container/fvde1 is 0 bytes, can't be mounted, etc.

the debug output from fvdeinfo -v /dev/sda2 is 234MB, compressed is 87MB and is available at http://www.melts.net/debug.log.bz2

I'm going to see if I can figure it out myself, via the source - but I'll be honest I'm no programmer. I'm doing it as a favour for a friend who has uni assignments on it, so hoping I can bodge together a fix (I don't care if I overstate the size and can't even mount it, as long as I can scan the unencrypted data with photorec to receive the documents I'd be happy) but hopefully it's something trivial for you to deal with properly too.

dfvfs unit test fails with libfvde experimental-20180108

Hi,

With version experimental-20180108, 1 regression test from dfvfs fails:

======================================================================
ERROR: testScanFVDE (helpers.source_scanner.SourceScannerTest)
Test the Scan function on FVDE.
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/wrkdirs/dfvfs-20171230/tests/helpers/source_scanner.py", line 182, in testScanFVDE
    self._source_scanner.Scan(scan_context)
  File "./dfvfs/helpers/source_scanner.py", line 565, in Scan
    self._ScanNode(scan_context, scan_node, auto_recurse=auto_recurse)
  File "./dfvfs/helpers/source_scanner.py", line 440, in _ScanNode
    scan_context, sub_scan_node, auto_recurse=auto_recurse)
  File "./dfvfs/helpers/source_scanner.py", line 450, in _ScanNode
    file_object.close()
  File "./dfvfs/file_io/file_io.py", line 98, in close
    self._Close()
  File "./dfvfs/file_io/file_object_io.py", line 35, in _Close
    self._file_object.close()
IOError: pyfvde_volume_close: unable to close volume. libfvde_volume_close: invalid volume - missing file IO handle.

----------------------------------------------------------------------

Mounted file system has encrypted files?

Hi, I am recovering an old Mac hard drive and managed to mount the drive successfully. But the files themselves are still encrypted. How do I go about decrypting them?

These are the steps I did (using Ubuntu 20.04):

  1. Downloaded, installed and built fvde, using the .deb section on the wiki (https://github.com/libyal/libfvde/wiki/Building#using-debian-package-tools-deb).
  2. Found the EncryptedRoot.plist.wipekey file from recovery
  3. $ sudo fvdemount -v -p <password> -e EncryptedRoot.plist.wipekey /dev/<fvde_drive> /mnt/fuse
  4. Downloaded, compiled and installed hfsfuse (https://github.com/0x09/hfsfuse). As it is on the github page.
  5. $ hfsfuse -o ro --force /dev/<fvde_device> /mnt/file_system

Thanks in advance for any help :D

libfvde_metadata_block_read: unsupported block size

Hello. I'm trying to mount an external OS X 10.10 encrypted drive. I compiled 20150222 from git on Ubuntu 15.04 but every time I try using both fvdemount and fvdeinfo this is what I get.

$ sudo fvdeinfo -v /dev/sdb2
fvdeinfo 20150222

Unable to open: /dev/sdb2.
libfvde_metadata_block_read: unsupported block size: 2568736962.
libfvde_encrypted_metadata_read: unable to read metadata block.
libfvde_volume_open_read: unable to read primary encrypted metadata.
libfvde_volume_open_file_io_handle: unable to read from volume handle.
info_handle_open_input: unable to open input volume.

Here is the mmls output on the drive:

$ sudo mmls /dev/sdb
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Safety Table
01:  -----   0000000000   0000000039   0000000040   Unallocated
02:  Meta    0000000001   0000000001   0000000001   GPT Header
03:  Meta    0000000002   0000000033   0000000032   Partition Table
04:  00      0000000040   0000409639   0000409600   EFI System Partition
05:  01      0000409640   1953262983   1952853344   Disco esterno
06:  02      1953262984   1953525127   0000262144   Booter
07:  -----   1953525128   1953525167   0000000040   Unallocated

I don't understand what is going on, but I'd really like to be able to mount it since I just quit using OS X.

Thanks in advance.
Giovanni

Pre-compiled package for Windows?

Dear all,

A thousand sorries... but even by following and trying multiple times, I wasn't able to compile the tool. (Visual Studio 2010, MinGW, etc.)
Are there any precompiled packages available somewhere?

Thank you

Extract hash from raw disk image

I'm doing a forensic exam on a disk. I have a raw image:

root@myserver:/# fdisk -l /media/root/HD/1A.raw.001
Disk /media/root/HD/1A.raw.001: 233.8 GiB, 251000193024 bytes, 490234752 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt

Device                                  Start       End   Sectors   Size Type
/media/root/HD/1A.raw.001p1        40    409639    409600   200M EFI System
/media/root/HD/1A.raw.001p2    409640 488965175 488555536   233G Apple Core storage
/media/root/HD/1A.raw.001p3 488965176 490234711   1269536 619.9M Apple boot

How do I extract the hashes from the disk? What is the right offset?
I tried with:

root@myserver:/# fvdeinfo -v -o 488965176 /media/root/HD/1A.raw.001
fvdeinfo 20180505

Unable to open: /media/root/HD/1A.raw.001.
libcthreads_read_write_lock_grab_for_write: unable to lock read/write lock for write with error: Deadlock condition detected.
libfvde_volume_open_read: unable to grab read/write lock for writing.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.

Any help would be appreciated

wrong fs type, bad option, bad superblock

When I try to mount the fvde1 partition I get this error: "wrong fs type, bad option, bad superblock on /dev/loop11, missing codepage or helper program, or other error." Please help, I have homework on this HD.

libfvde_io_handle_read_volume_header: unsupported core storage signature

I am trying to decrypt an external USB drive (Time Machine backup generated by Mac OS X).

Am I missing something obvious?
(See below the steps to reproduce).

mmls output is as follows:

$ sudo mmls /dev/sda
[sudo] password for george: 
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Safety Table
01:  -----   0000000000   0000000039   0000000040   Unallocated
02:  Meta    0000000001   0000000001   0000000001   GPT Header
03:  Meta    0000000002   0000000033   0000000032   Partition Table
04:  00      0000000040   0000409639   0000409600   EFI System Partition
05:  01      0000409640   1953262983   1952853344   TIME_MACHINE
06:  02      1953262984   1953525127   0000262144   Booter
07:  -----   1953525128   1953525167   0000000040   Unallocated

When running fvdemount I get the following error

$ sudo ./fvdemount -o $(( 409640 * 512 )) /dev/sda2 /mnt/Samsung
fvdemount 20170827

Unable to open: /dev/sda2.
libfvde_io_handle_read_volume_header: unsupported core storage signature.
libfvde_volume_open_read: unable to read volume header.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
mount_handle_open_input: unable to open input volume.

To obtain more detailed information I have built fvdemount with debug and verbose output. More detailed output is below.

I tried with the actual password (with -p), but still get the same error.

$ sudo ./fvdemount -v -o $(( 409640 * 512 )) /dev/sda2 /mnt/Samsung
fvdemount 20170827

libcfile_file_get_size: device media size: 999860912128
Reading volume header:
libfvde_io_handle_read_volume_header: reading volume header at offset: 0 (0x00000000)
libfvde_io_handle_read_volume_header: volume header data:

libfvde_io_handle_read_volume_header: checksum				: 0xd18aa350
libfvde_io_handle_read_volume_header: initial value			: 0x09354071
libfvde_io_handle_read_volume_header: version				: 41967
libfvde_io_handle_read_volume_header: block type			: 0x84ab
libfvde_io_handle_read_volume_header: serial number			: 0xd309d3f3
libfvde_io_handle_read_volume_header: unknown2				: 0x6afc7c480b1bd7b9
libfvde_io_handle_read_volume_header: unknown3a				: 0xfcaebeaf3d951189
libfvde_io_handle_read_volume_header: unknown3b				: 0x8976ce04bf443402
libfvde_io_handle_read_volume_header: unknown3c				: 0xe192a6880daec820
libfvde_io_handle_read_volume_header: bytes per sector			: 1854481868
libfvde_io_handle_read_volume_header: unknown4a				: 0x82192798
libfvde_io_handle_read_volume_header: unknown4b				: 0x7a3d8197f660d98d
libfvde_io_handle_read_volume_header: physical volume size		: 4402425697507534088
libfvde_io_handle_read_volume_header: unknown5:
00000000: ed 8d 60 6a 31 b3 7e 07  db ba 1e d9 63 e8 f6 75   ..`j1.~. ....c..u

libfvde_io_handle_read_volume_header: core storage signature		: d
libfvde_io_handle_read_volume_header: checksum algorithm		: 1937443297
libfvde_io_handle_read_volume_header: unknown6				: 0x05b9
libfvde_io_handle_read_volume_header: block size			: 2189325137
libfvde_io_handle_read_volume_header: metadata size			: 4105915120
libfvde_io_handle_read_volume_header: first metadata block number	: 12871891460444144818
libfvde_io_handle_read_volume_header: second metadata block number	: 11423073882411430823
libfvde_io_handle_read_volume_header: third metadata block number	: 8048228748494746120
libfvde_io_handle_read_volume_header: fourth metadata block number	: 8081545414007566711
libfvde_io_handle_read_volume_header: unknown7:
00000000: 68 a2 ed 4e c6 f8 dc d8  57 f5 39 3a f9 ed ed 06   h..N.... W.9:....
00000010: a6 09 55 6d ea 7d df e9  ae 6c f5 44 a8 06 16 87   ..Um.}.. .l.D....

libfvde_io_handle_read_volume_header: encryption method			: 656311174
libfvde_io_handle_read_volume_header: key data:

libfvde_io_handle_read_volume_header: physical volume identifier	: 6fc2de25-bd15-8965-64e5-eb8b159dcbba
libfvde_io_handle_read_volume_header: logical volume group identifier	: 34571175-7598-1156-625f-82c20b2693d6
libfvde_io_handle_read_volume_header: unknown8:

Unable to open: /dev/sda2.
libfvde_io_handle_read_volume_header: unsupported core storage signature.
libfvde_volume_open_read: unable to read volume header.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
mount_handle_open_input: unable to open input volume.

I can reproduce with the latest version available for download, as well as the latest code in Git.

My system spec is as follows

Linux raspberrypi 4.9.35-v7+ #1014 SMP Fri Jun 30 14:47:43 BST 2017 armv7l GNU/Linux
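
Both reports above turn on where the tool looks for the volume header: `-o 488965176` is the start sector of the Apple boot partition in the fdisk listing, and `-o $(( 409640 * 512 ))` is given together with the partition device /dev/sda2. The following is an added example, not part of either report or of libfvde: a Python pre-check that parses the GPT of a whole-disk image, converts the Core Storage partition's start sector to a byte offset, and confirms the "CS" signature at byte 88 (0x58) of the volume header before that offset is handed to fvdeinfo or fvdemount. The sample image and its partition names are constructed, and that `-o` counts bytes from the start of the opened file is an assumption based on how the tools are used on this page.

```python
import io
import struct
import uuid

SECTOR_SIZE = 512  # matches "Units: sectors of 1 * 512" in the fdisk output
# GPT partition type GUID that fdisk labels "Apple Core storage".
CORE_STORAGE_TYPE = uuid.UUID("53746F72-6167-11AA-AA11-00306543ECAC")
CS_SIGNATURE_OFFSET = 88  # "CS" (43 53) sits at 0x58 of a valid volume header


def read_at(stream, offset, size):
    stream.seek(offset)
    return stream.read(size)


def list_gpt_partitions(stream, sector_size=SECTOR_SIZE):
    """Return (slot, type_guid, first_lba, last_lba, name) for used GPT entries."""
    header = read_at(stream, sector_size, 92)  # primary GPT header is at LBA 1
    if header[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    entries_lba, count, entry_size = struct.unpack_from("<QII", header, 72)
    if entry_size < 128 or count > 1024:
        raise ValueError("implausible GPT entry table")
    partitions = []
    for index in range(count):
        offset = entries_lba * sector_size + index * entry_size
        entry = read_at(stream, offset, entry_size)
        if len(entry) < 128:
            break  # truncated image
        type_guid = uuid.UUID(bytes_le=entry[:16])
        if type_guid.int == 0:
            continue  # unused slot
        first_lba, last_lba = struct.unpack_from("<QQ", entry, 32)
        name = entry[56:128].decode("utf-16-le", "replace").rstrip("\x00")
        partitions.append((index + 1, type_guid, first_lba, last_lba, name))
    return partitions


def has_cs_signature(stream, byte_offset):
    """True if a Core Storage volume header starts at byte_offset."""
    return read_at(stream, byte_offset + CS_SIGNATURE_OFFSET, 2) == b"CS"


def core_storage_offsets(stream, sector_size=SECTOR_SIZE):
    """Byte offsets, relative to the whole disk, of Core Storage partitions."""
    return [first * sector_size
            for _, guid, first, _, _ in list_gpt_partitions(stream, sector_size)
            if guid == CORE_STORAGE_TYPE]


def build_sample_disk():
    """Constructed 64 KiB disk: EFI, Core Storage and Apple boot partitions."""
    layout = [  # (type GUID, first LBA, last LBA, name), all constructed
        ("C12A7328-F81F-11D2-BA4B-00A0C93EC93B", 40, 47, "EFI System Partition"),
        ("53746F72-6167-11AA-AA11-00306543ECAC", 48, 111, "Sample CS"),
        ("426F6F74-0000-11AA-AA11-00306543ECAC", 112, 119, "Booter"),
    ]
    image = bytearray(128 * SECTOR_SIZE)
    header = bytearray(92)
    header[:8] = b"EFI PART"
    struct.pack_into("<QII", header, 72, 2, 128, 128)  # 128 entries at LBA 2
    image[SECTOR_SIZE:SECTOR_SIZE + 92] = header
    for slot, (guid, first, last, name) in enumerate(layout):
        entry = bytearray(128)
        entry[:16] = uuid.UUID(guid).bytes_le
        struct.pack_into("<QQ", entry, 32, first, last)
        encoded = name.encode("utf-16-le")
        entry[56:56 + len(encoded)] = encoded
        start = 2 * SECTOR_SIZE + slot * 128
        image[start:start + 128] = entry
    signature_at = 48 * SECTOR_SIZE + CS_SIGNATURE_OFFSET
    image[signature_at:signature_at + 2] = b"CS"
    return io.BytesIO(bytes(image))


if __name__ == "__main__":
    disk = build_sample_disk()
    for slot, guid, first, last, name in list_gpt_partitions(disk):
        print(f"p{slot}: sectors {first}-{last} {name!r} type {guid}")
    for offset in core_storage_offsets(disk):
        verdict = "CS signature found" if has_cs_signature(disk, offset) else "no CS signature"
        print(f"-o {offset} on the whole-disk image: {verdict}")
```

For a real image, open it with `open(path, "rb")` and pass the file object in place of the constructed disk; when the partition device itself is opened, the header check applies at offset 0.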

add deflate compression support

Recent analysis of the format indicated that the format uses deflate compression

  • add deflate support based on zlib and fallback implementation

libfvde_metadata_block_read_data: unsupported block size: 7312611905704139

debug.txt

Same problem as issue #40???

Unable to open source volume
libfvde_metadata_block_read_data: unsupported block size: 7312611905704139.
libfvde_encrypted_metadata_read: unable to read metadata block.
libfvde_volume_open_read: unable to read primary encrypted metadata.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
mount_handle_open: unable to open volume.

fvdemount version 20210907

libfvde_xml_plist_copy_from_byte_stream: unable to parse XML plist

I get "Unable to unlock keys." in the 20160801 version. The previous version 20160729 gives a list of errors. So maybe this is an area that is being worked on.

The disk image is from El Capitan. Happy to supply more information.

I took a snapshot of the hard drive (booting into Ubuntu using USB and then a dd of the drive).
My friend lost her emails off her iPhone (going back to 2009), and then when she turned on her Mac Air, it seemed to sync, and deleted all her emails as she was watching. I'm trying to get a disk image I can work with to scan for the email files on the drive. Feel free to tell me I'm being stupid or there is a better way.

family@kitchen:~/Desktop/cr$ sudo fvdemount -v -p ValidPassword -o 314597376 cr.dd /media/fvde
fvdemount 20160801

Unable to unlock keys.

family@kitchen:~/Desktop/cr$ sudo fvdemount -v -p ValidPassword -e EncryptedRoot.plist.wipekey -o 314597376 cr.dd /media/fvde
fvdemount 20160729

Unable to open: cr.dd.
libfvde_xml_plist_copy_from_byte_stream: unable to parse XML plist.
libfvde_encryption_context_plist_read_xml: unable to copy XML plist from byte stream.
libfvde_encryption_context_plist_decrypt: unable to retrieve XML.
libfvde_volume_open_read_keys_from_encrypted_metadata: unable to decrypt encrypted root plist.
libfvde_volume_open_read: unable to read keys from primary encrypted metadata.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
mount_handle_open_input: unable to open input volume.

libfdata_vector_get_element_index_at_offset: invalid element index value exceeds maximum

I'm having the same issue described in the #25 that is closed.

mount output:

[root@linux]~# mount -o loop,ro /mnt/fvdevolume/fvde1 /mnt/ntfs_file_system  
mount: /mnt/ntfs_file_system: can't read superblock on /dev/loop0.

fvdemount -v output:

libfdata_vector_get_element_index_at_offset: invalid element index value exceeds maximum.
libfdata_vector_get_element_value_at_offset: unable to retrieve element index at offset: 0x1d193290000.
libfvde_internal_volume_read_buffer_from_file_io_handle: unable to retrieve sector data at offset: 1999628730368.
libfvde_volume_read_buffer: unable to read buffer.
mount_handle_read_buffer: unable to read buffer from input volume.
fvdemount_fuse_read: unable to read from mount handle.
libfdata_vector_get_element_index_at_offset: invalid element index value exceeds maximum.
libfdata_vector_get_element_value_at_offset: unable to retrieve element index at offset: 0x1d193290000.
libfvde_internal_volume_read_buffer_from_file_io_handle: unable to retrieve sector data at offset: 1999628730368.
libfvde_volume_read_buffer: unable to read buffer.
mount_handle_read_buffer: unable to read buffer from input volume.
fvdemount_fuse_read: unable to read from mount handle.
libfdata_vector_get_element_index_at_offset: invalid element index value exceeds maximum.
libfdata_vector_get_element_value_at_offset: unable to retrieve element index at offset: 0x1d193290000.
libfvde_internal_volume_read_buffer_from_file_io_handle: unable to retrieve sector data at offset: 1999628730368.
libfvde_volume_read_buffer: unable to read buffer.
mount_handle_read_buffer: unable to read buffer from input volume.
fvdemount_fuse_read: unable to read from mount handle.
libfdata_vector_get_element_index_at_offset: invalid element index value exceeds maximum.
libfdata_vector_get_element_value_at_offset: unable to retrieve element index at offset: 0x1d193290000.
libfvde_internal_volume_read_buffer_from_file_io_handle: unable to retrieve sector data at offset: 1999628730368.
libfvde_volume_read_buffer: unable to read buffer.
mount_handle_read_buffer: unable to read buffer from input volume.
fvdemount_fuse_read: unable to read from mount handle.
libcfile_file_read_buffer_with_error_code: unable to read from file with error: Input/output error
libcfile_file_read_buffer: unable to read from file.
libbfio_file_read: unable to read from file: /dev/sda2.
libbfio_file_range_read: unable to read from file IO handle.
libbfio_handle_read_buffer: unable to read from handle.
libfvde_sector_data_read: unable to read sector data.
libfvde_io_handle_read_sector: unable to read sector data.
libfdata_vector_get_element_value_by_index: unable to read element data at offset: 0x10000000.
libfdata_vector_get_element_value_at_offset: unable to retrieve element: 0 value.
libfvde_internal_volume_read_buffer_from_file_io_handle: unable to retrieve sector data at offset: 0.
libfvde_volume_read_buffer: unable to read buffer.
mount_handle_read_buffer: unable to read buffer from input volume.
fvdemount_fuse_read: unable to read from mount handle.
libcfile_file_read_buffer_with_error_code: unable to read from file with error: Input/output error
libcfile_file_read_buffer: unable to read from file.
libbfio_file_read: unable to read from file: /dev/sda2.
libbfio_file_range_read: unable to read from file IO handle.
libbfio_handle_read_buffer: unable to read from handle.
libfvde_sector_data_read: unable to read sector data.
libfvde_io_handle_read_sector: unable to read sector data.
libfdata_vector_get_element_value_by_index: unable to read element data at offset: 0x10000000.
libfdata_vector_get_element_value_at_offset: unable to retrieve element: 0 value.
libfvde_internal_volume_read_buffer_from_file_io_handle: unable to retrieve sector data at offset: 0.
libfvde_volume_read_buffer: unable to read buffer.
mount_handle_read_buffer: unable to read buffer from input volume.
fvdemount_fuse_read: unable to read from mount handle.
libcfile_file_read_buffer_with_error_code: unable to read from file with error: Input/output error
libcfile_file_read_buffer: unable to read from file.
libbfio_file_read: unable to read from file: /dev/sda2.
libbfio_file_range_read: unable to read from file IO handle.
libbfio_handle_read_buffer: unable to read from handle.
libfvde_sector_data_read: unable to read sector data.
libfvde_io_handle_read_sector: unable to read sector data.
libfdata_vector_get_element_value_by_index: unable to read element data at offset: 0x10000000.
libfdata_vector_get_element_value_at_offset: unable to retrieve element: 0 value.
libfvde_internal_volume_read_buffer_from_file_io_handle: unable to retrieve sector data at offset: 0.
libfvde_volume_read_buffer: unable to read buffer.
mount_handle_read_buffer: unable to read buffer from input volume.
fvdemount_fuse_read: unable to read from mount handle.
libcfile_file_read_buffer_with_error_code: unable to read from file with error: Input/output error
libcfile_file_read_buffer: unable to read from file.
libbfio_file_read: unable to read from file: /dev/sda2.
libbfio_file_range_read: unable to read from file IO handle.
libbfio_handle_read_buffer: unable to read from handle.
libfvde_sector_data_read: unable to read sector data.
libfvde_io_handle_read_sector: unable to read sector data.
libfdata_vector_get_element_value_by_index: unable to read element data at offset: 0x10000000.
libfdata_vector_get_element_value_at_offset: unable to retrieve element: 0 value.
libfvde_internal_volume_read_buffer_from_file_io_handle: unable to retrieve sector data at offset: 0.
libfvde_volume_read_buffer: unable to read buffer.
mount_handle_read_buffer: unable to read buffer from input volume.
fvdemount_fuse_read: unable to read from mount handle.
libcfile_file_read_buffer_with_error_code: unable to read from file with error: Input/output error
libcfile_file_read_buffer: unable to read from file.
libbfio_file_read: unable to read from file: /dev/sda2.
libbfio_file_range_read: unable to read from file IO handle.
libbfio_handle_read_buffer: unable to read from handle.
libfvde_sector_data_read: unable to read sector data.
libfvde_io_handle_read_sector: unable to read sector data.
libfdata_vector_get_element_value_by_index: unable to read element data at offset: 0x10008000.
libfdata_vector_get_element_value_at_offset: unable to retrieve element: 64 value.
libfvde_internal_volume_read_buffer_from_file_io_handle: unable to retrieve sector data at offset: 32768.
libfvde_volume_read_buffer: unable to read buffer.
mount_handle_read_buffer: unable to read buffer from input volume.
fvdemount_fuse_read: unable to read from mount handle.
libcfile_file_read_buffer_with_error_code: unable to read from file with error: Input/output error
libcfile_file_read_buffer: unable to read from file.
libbfio_file_read: unable to read from file: /dev/sda2.
libbfio_file_range_read: unable to read from file IO handle.
libbfio_handle_read_buffer: unable to read from handle.
libfvde_sector_data_read: unable to read sector data.
libfvde_io_handle_read_sector: unable to read sector data.
libfdata_vector_get_element_value_by_index: unable to read element data at offset: 0x10008000.
libfdata_vector_get_element_value_at_offset: unable to retrieve element: 64 value.
libfvde_internal_volume_read_buffer_from_file_io_handle: unable to retrieve sector data at offset: 32768.
libfvde_volume_read_buffer: unable to read buffer.
mount_handle_read_buffer: unable to read buffer from input volume.
fvdemount_fuse_read: unable to read from mount handle.
libcfile_file_read_buffer_with_error_code: unable to read from file with error: Input/output error
libcfile_file_read_buffer: unable to read from file.
libbfio_file_read: unable to read from file: /dev/sda2.
libbfio_file_range_read: unable to read from file IO handle.
libbfio_handle_read_buffer: unable to read from handle.
libfvde_sector_data_read: unable to read sector data.
libfvde_io_handle_read_sector: unable to read sector data.
libfdata_vector_get_element_value_by_index: unable to read element data at offset: 0x10000000.
libfdata_vector_get_element_value_at_offset: unable to retrieve element: 0 value.
libfvde_internal_volume_read_buffer_from_file_io_handle: unable to retrieve sector data at offset: 0.
libfvde_volume_read_buffer: unable to read buffer.
mount_handle_read_buffer: unable to read buffer from input volume.
fvdemount_fuse_read: unable to read from mount handle.

dmesg output:

[73986.453249] print_req_error: I/O error, dev loop0, sector 3905524864
[73986.453358] print_req_error: I/O error, dev loop0, sector 3905524864
[73986.453364] Buffer I/O error on dev loop0, logical block 488190608, async page read
[73986.453466] print_req_error: I/O error, dev loop0, sector 3905524864
[73986.453471] Buffer I/O error on dev loop0, logical block 488190608, async page read
[73986.454305] blk_partition_remap: fail for partition 2
[73986.454308] Buffer I/O error on dev sda2, logical block 65536, async page read
[73986.454387] blk_partition_remap: fail for partition 2
[73986.454389] Buffer I/O error on dev sda2, logical block 65536, async page read
[73986.454433] print_req_error: I/O error, dev loop0, sector 2
[73986.454450] EXT4-fs (loop0): unable to read superblock
[73986.454550] blk_partition_remap: fail for partition 2
[73986.454552] Buffer I/O error on dev sda2, logical block 65536, async page read
[73986.454593] print_req_error: I/O error, dev loop0, sector 2
[73986.454597] EXT4-fs (loop0): unable to read superblock
[73986.454669] blk_partition_remap: fail for partition 2
[73986.454671] Buffer I/O error on dev sda2, logical block 65536, async page read
[73986.454710] print_req_error: I/O error, dev loop0, sector 2
[73986.454714] EXT4-fs (loop0): unable to read superblock
[73986.454793] blk_partition_remap: fail for partition 2
[73986.454795] Buffer I/O error on dev sda2, logical block 65544, async page read
[73986.454842] blk_partition_remap: fail for partition 2
[73986.454844] Buffer I/O error on dev sda2, logical block 65544, async page read
[73986.454878] print_req_error: I/O error, dev loop0, sector 64
[73986.454882] isofs_fill_super: bread failed, dev=loop0, iso_blknum=16, block=32
[73986.454973] blk_partition_remap: fail for partition 2
[73986.454974] Buffer I/O error on dev sda2, logical block 65536, async page read
[73986.455016] print_req_error: I/O error, dev loop0, sector 0
[73986.455030] FAT-fs (loop0): unable to read boot sector

libfdata_vector_get_element_index_at_offset: invalid element index value exceeds maximum

Well done and thanks for this awesome library and great instructions!

I'm trying to mount an external drive. It seems to do the first mount fine, but I get the following when I mount the fvde file:

sudo mount -o loop,ro /home/bob/fvdemount /home/bob/mydisk
mount: wrong fs type, bad option, bad superblock on /dev/loop2,
       missing codepage or helper program, or other error

       In some cases useful info is found in syslog - try
       dmesg | tail or so.

dmesg says

[82149.950167] blk_update_request: I/O error, dev loop2, sector 7812579200
[82149.950173] buffer_io_error: 6 callbacks suppressed
[82149.950176] Buffer I/O error on dev loop2, logical block 976572400, async page read
[82149.950277] blk_update_request: I/O error, dev loop2, sector 7812579200
[82149.950282] Buffer I/O error on dev loop2, logical block 976572400, async page read
[82149.953333] blk_update_request: I/O error, dev loop2, sector 7812579326

fvdemount -v says

sudo fvdemount -r mypassword -v /dev/sdc2 /home/bob/fvdemount
fvdemount ...
libfdata_vector_get_element_index_at_offset: invalid element index value exceeds maximum.
libfdata_vector_get_element_value_at_offset: unable to retrieve element index at offset: 0x3a354ff0000.
libfvde_internal_volume_read_buffer_from_file_io_handle: unable to retrieve sector data at offset: 4000040550400.
libfvde_volume_read_buffer: unable to read buffer.
mount_handle_read_buffer: unable to read buffer from input volume.
fvdemount_fuse_read: unable to read from mount handle.

eight times with different values of data offset.

fsck.hfsplus says

sudo fsck.hfsplus -q /home/bob/fvdemount/fvde1
** /home/bob/fvdemount (NO WRITE)
QUICKCHECK ONLY; FILESYSTEM CLEAN

Does the error mean anything to you?

Improve format support

  • Add support for removable media without encryption context
  • Make ConversionInfo of the encryption context plist optional
  • Check handling of large blobs in XML files - had been solved
  • Handle removable media without encryption context
  • Add support for compressed encryption context plist
    • so far only compression seen in metadata block type 0x0019 in partial encrypted volume
    • possible in metadata block type 0x001a as well, added a fail safe for now
  • Add support for multiple physical volumes (+/-)
    • Handle encrypted metadata stored in non-first physical volume
    • Handle data stored in non-first physical volume
  • Add support for multi extent logical volume (Sparse LVG) (+/-)
    • looks like this is used by multiple physical volumes but need a test image of a single physical volume with Sparse LVG to confirm
  • greendale dean mac image (unencrypted logical system volume) defines 0x0505 but logical volume offset is incorrect
  • Handle partially encrypted volumes
    • Determine the role of com.apple.corestorage.lvf.encryption.status
  • Handle edge / unknown format cases
    • more than 1 array entry in metadata block 0x0505 - added a fail safe for now
    • encrypted volume with only 0x0304 and 0x0404 metadata blocks
  • Check if 4k sector size is an issue with the block decryption - currently controlled by CS volume header
  • Determine what the reason for #40 is
    • possibly trying to read too much encrypted metadata?
    • is encrypted metadata set to 0-byte values?

fvdemount: Unable to unlock keys

This is what I am trying and, like others, it does not work. Sorry if I'm clueless and doing something stupid.
root@kali:~# sudo fvdemount -p "mypass" /dev/sdd2 /mnt/fvde/

fvdemount 20180108

Unable to unlock keys.

EncryptedRoot.plist.wipekey missing on encrypted external device?

Hi I'm trying to get the EncryptedRoot.plist.wipekey file from an external device and it seems it is missing.

This is what I get:

mmls /dev/disk2
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000000039   0000000040   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000000040   0000409639   0000409600   EFI System Partition
005:  001       0000409640   0976510983   0976101344   Clon Travel Drive
006:  002       0976510984   0976773127   0000262144   Booter
007:  -------   0976773128   0976773167   0000000040   Unallocated

fls -r -o 0976510984 /dev/disk2| grep -i EncryptedRoot

Executing fls without grep gives me

r/r 3:	$ExtentsFile
r/r 4:	$CatalogFile
r/r 5:	$BadBlockFile
r/r 6:	$AllocationFile
r/r 8:	$AttributesFile
d/d 19:	.HFS+ Private Directory Data^
r/r 16:	.journal
r/r 17:	.journal_info_block
d/d 18:	^^^^HFS+ Private Data

So it seems there is no EncryptedRoot.plist.wipekey on the device. I also wonder why the description is not Recovery HD but Booter.

Is this something I'm doing wrong or a bug?

Improve format support

  • add support for multi extent logical volume (need test data)
  • add support for multiple physical volumes

fvdeinfo: Unable to unlock keys

Hello,

I recently bumped into a problem using fvdeinfo. When I try to extract the hash I get a message saying unable to unlock keys. The system is Mac OS X 10.8.3.

sudo fvdeinfo -p dummy -e EncryptedRoot.plist.wipekey /dev/sdb2 /tmp/mac
fvdeinfo 20190104

Unable to unlock keys.

When I try to mount /dev/sdb2 I get this problem:

sudo fvdemount -p dummy -e EncryptedRoot.plist.wipekey /dev/sdb2 /mnt/temp
fvdemount 20190104

Unable to unlock source volume

Any ideas what I'm doing wrong?

configure: error: conditional "HAVE_WINCRYPT" was never defined

I'm trying to build libfvde inside the openSUSE build system. I suspect it is attempting to do a Windows cross compile.

https://build.opensuse.org/package/show/home:gregfreemyer:Tools-for-forensic-boot-cd/libfvde

If you look at the build log you see the ./configure process ends with:

[ 68s] checking for stdarg.h... (cached) yes
[ 68s] checking for varargs.h... (cached) no
[ 68s] checking that generated files are newer than configure... done
[ 68s] configure: error: conditional "HAVE_WINCRYPT" was never defined.
[ 68s] Usually this means the macro was only invoked conditionally.
[ 68s] error: Bad exit status from /var/tmp/rpm-tmp.4S1VF9 (%build)

I'm attempting the very basic ./configure statement "./configure " and "./configure--disable-winapi"

Let me know if there is something I'm doing wrong.

Thanks

issues reading Linux hfs mount from mounted single extent logical volume

Hi guys,

I'm having some issues trying to mount my external disk to Ubuntu and I've spent a day on this but really need some help if possible please? Initially, I had issues because I figured out my kernel wasn't built with hfsplus support so I had to recompile and now I can see hfsplus listed in /proc/filesystems.

This disk was created in Mac Mojave. I'm running fvdemount version 20190104

Here is my workflow:

sudo fvdemount -p <password> /dev/sda2 /mnt/Ext4TB_raw/

Mounts OK, no errors printed to screen or dmesg.

sudo mount -o loop,ro /mnt/Ext4TB_raw/fvde1 /mnt/Ext4TB

Returns:

mount: /mnt/Ext4TB: wrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error.

From dmesg after attempting to mount decrypted volume:

[Mon Feb 25 09:52:27 2019] print_req_error: I/O error, dev loop0, sector 7812644736
[Mon Feb 25 09:52:27 2019] print_req_error: I/O error, dev loop0, sector 7812644736
[Mon Feb 25 09:52:27 2019] Buffer I/O error on dev loop0, logical block 976580592, async page read
[Mon Feb 25 09:52:27 2019] print_req_error: I/O error, dev loop0, sector 7812644736
[Mon Feb 25 09:52:27 2019] Buffer I/O error on dev loop0, logical block 976580592, async page read
[Mon Feb 25 09:52:27 2019] print_req_error: I/O error, dev loop0, sector 7812644862
[Mon Feb 25 09:52:27 2019] F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x4002b48)
[Mon Feb 25 09:52:27 2019] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
[Mon Feb 25 09:52:27 2019] F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0)
[Mon Feb 25 09:52:27 2019] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock
[Mon Feb 25 09:52:27 2019] F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x4002b48)
[Mon Feb 25 09:52:27 2019] F2FS-fs (loop0): Can't find valid F2FS filesystem in 1th superblock
[Mon Feb 25 09:52:27 2019] F2FS-fs (loop0): Magic Mismatch, valid(0xf2f52010) - read(0x0)
[Mon Feb 25 09:52:27 2019] F2FS-fs (loop0): Can't find valid F2FS filesystem in 2th superblock

Interestingly, when I try and run fvdemount with verbose logging enabled (-v), it won't decrypt the disk as it does without logging - it seems to stop during the decryption process. I built fvdemount from sources with logging enabled.

libfvde_metadata_block_read_data: unsupported block size: 2466354417

I am decrypting a disk encrypted by FileVault2, I guess. But I got the following error:

libfvde_metadata_block_read_data: header data:
00000000: d9 79 20 d6 01 77 a1 b7  bc 32 75 91 2a 52 ba 22   .y ..w.. .2u.*R."
00000010: 48 d8 f7 87 0f 39 8d 69  51 e0 48 94 14 8a 78 5e   H....9.i Q.H...x^
00000020: 0c a1 c3 fd ee 1a a9 5f  9c c1 d4 d6 c2 91 b4 1f   ......._ ........
00000030: f1 94 01 93 09 56 08 37  1d 00 2d 4f 3d fc 68 91   .....V.7 ..-O=.h.

libfvde_metadata_block_read_data: checksum				: 0xd62079d9
libfvde_metadata_block_read_data: initial value				: 0xb7a17701
libfvde_metadata_block_read_data: version				: 12988
libfvde_metadata_block_read_data: type					: 0x9175
libfvde_metadata_block_read_data: serial number				: 0x22ba522a
libfvde_metadata_block_read_data: group					: 7605798084567095368
libfvde_metadata_block_read_data: unknown3				: 0x5e788a149448e051
libfvde_metadata_block_read_data: number				: 6893070318429249804
libfvde_metadata_block_read_data: unknown5				: 0x1fb491c2d6d4c19c
libfvde_metadata_block_read_data: size					: 2466354417
libfvde_metadata_block_read_data: unknown6				: 0x37085609
libfvde_metadata_block_read_data: unknown7				: 0x9168fc3d4f2d001d

 Unable to open: /dev/loop14p2.
 libfvde_metadata_block_read_data: unsupported block size: 2466354417.
 libfvde_encrypted_metadata_read: unable to read metadata block.
 libfvde_volume_open_read: unable to read primary encrypted metadata.
 libfvde_volume_open_file_io_handle: unable to read from file IO handle.
 info_handle_open_input: unable to open input volume.

I am using libfvde-20180108.
Any help with this would be greatly appreciated.
Thank you.

Data Recovery with libfvde?

Hi, I hope this isn't out of line posting here...I have a situation where my Macbook Filevault 2 drive had a problem while attempting to decrypt using Diskutil. The drive will no longer mount and the output of diskutil cs list is incomplete. It appears the encrypted drive's metadata is corrupt (libfvde_metadata_block_read: mismatch in checksum ( 0xe9241b07 != 0xbd0b4724 ).).

My question: can libfvde be forced to ignore the metadata checksum check and try to generate the decryption key and attempt a decrypt?

Below are program outputs.

Thank you.

Diskutil output:

Logical Volume Group C598ABC1-0B61-4F00-916F-4F8E8210F32A
    =========================================================
    Name:         Macintosh HD
    Status:       Offline
    Size:         0 B (0 B)
    Free Space:   -none-
    |
    +-< Physical Volume 6CDD893A-FECD-41E5-ABED-CC8842E6BCB5
        ----------------------------------------------------
        Index:    0
        Disk:     disk2s2
        Status:   Checking
        Size:     999345127424 B (999.3 GB)

Output of sudo fvdeinfo -v /dev/disk2s2:

fvdeinfo 20140907

libcfile_file_get_size: block size: 512 block count: 1951845952
libcfile_file_get_size: device media size: 999345127424
Reading volume header:
libfvde_io_handle_read_volume_header: reading volume header at offset: 0 (0x00000000)
libfvde_io_handle_read_volume_header: volume header data:
00000000: 93 0a b2 50 ff ff ff ff  01 00 10 00 06 14 d7 01   ...P.... ........
00000010: 01 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000020: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000030: 00 02 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000040: 00 80 9c ad e8 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000050: 00 00 00 00 00 00 00 00  43 53 01 00 00 00 04 00   ........ CS......
00000060: 00 10 00 00 00 00 40 00  c7 c9 8a 0e 00 00 00 00   ......@. ........
00000070: c7 cd 8a 0e 00 00 00 00  c7 d1 8a 0e 00 00 00 00   ........ ........
00000080: c7 d5 8a 0e 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000090: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
000000a0: 00 00 00 00 00 00 00 00  10 00 00 00 02 00 00 00   ........ ........
000000b0: 45 7e 96 64 c6 c7 9e 98  70 db 35 fe 7d 03 13 71   E~.d.... p.5.}..q
000000c0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
...
00000120: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000130: 6c dd 89 3a fe cd 41 e5  ab ed cc 88 42 e6 bc b5   l..:..A. ....B...
00000140: c5 98 ab c1 0b 61 4f 00  91 6f 4f 8e 82 10 f3 2a   .....aO. .oO....*
00000150: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
...
000001f0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........

libfvde_io_handle_read_volume_header: checksum              : 0x50b20a93
libfvde_io_handle_read_volume_header: initial value         : 0xffffffff
libfvde_io_handle_read_volume_header: version               : 1
libfvde_io_handle_read_volume_header: block type            : 0x0010
libfvde_io_handle_read_volume_header: serial number         : 0x01d71406
libfvde_io_handle_read_volume_header: unknown2              : 0x00000001
libfvde_io_handle_read_volume_header: unknown3a             : 0x00000000
libfvde_io_handle_read_volume_header: unknown3b             : 0x00000000
libfvde_io_handle_read_volume_header: unknown3c             : 0x00000000
libfvde_io_handle_read_volume_header: bytes per sector          : 512
libfvde_io_handle_read_volume_header: unknown4a             : 0x00000000
libfvde_io_handle_read_volume_header: unknown4b             : 0x00000000
libfvde_io_handle_read_volume_header: physical volume size      : 999345127424
libfvde_io_handle_read_volume_header: unknown5:
00000000: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........

libfvde_io_handle_read_volume_header: core storage signature        : CS
libfvde_io_handle_read_volume_header: checksum algorithm        : 1
libfvde_io_handle_read_volume_header: unknown6              : 0x0004
libfvde_io_handle_read_volume_header: block size            : 4096
libfvde_io_handle_read_volume_header: metadata size         : 4194304
libfvde_io_handle_read_volume_header: first metadata block number   : 243976647
libfvde_io_handle_read_volume_header: second metadata block number  : 243977671
libfvde_io_handle_read_volume_header: third metadata block number   : 243978695
libfvde_io_handle_read_volume_header: fourth metadata block number  : 243979719
libfvde_io_handle_read_volume_header: unknown7:
00000000: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000010: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........

libfvde_io_handle_read_volume_header: encryption method         : 2
libfvde_io_handle_read_volume_header: key data:
00000000: 45 7e 96 64 c6 c7 9e 98  70 db 35 fe 7d 03 13 71   E~.d.... p.5.}..q
00000010: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
...
00000070: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........

libfvde_io_handle_read_volume_header: physical volume identifier    : 6cdd893a-fecd-41e5-abed-cc8842e6bcb5
libfvde_io_handle_read_volume_header: logical volume group identifier   : c598abc1-0b61-4f00-916f-4f8e8210f32a
libfvde_io_handle_read_volume_header: unknown8:
00000000: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
...
000000a0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........

Reading primary metadata:
libfvde_metadata_read: reading metadata at offset: 999328346112 (0xe8ac9c7000)
libfvde_metadata_block_read: header data:
00000000: 07 1b 24 e9 ff ff ff ff  01 00 11 00 06 14 d7 01   ..$..... ........
00000010: 92 2a 00 00 00 00 00 00  00 00 00 00 00 00 00 00   .*...... ........
00000020: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000030: 00 20 00 00 00 00 00 00  00 00 00 00 00 00 00 00   . ...... ........

libfvde_metadata_block_read: checksum                   : 0xe9241b07
libfvde_metadata_block_read: initial value              : 0xffffffff
libfvde_metadata_block_read: version                    : 1
libfvde_metadata_block_read: type                   : 0x0011
libfvde_metadata_block_read: serial number              : 0x01d71406
libfvde_metadata_block_read: unknown2                   : 0x00002a92
libfvde_metadata_block_read: unknown3                   : 0x00000000
libfvde_metadata_block_read: number                 : 0
libfvde_metadata_block_read: unknown5                   : 0x00000000
libfvde_metadata_block_read: size                   : 8192
libfvde_metadata_block_read: unknown6                   : 0x00000000
libfvde_metadata_block_read: unknown7                   : 0x00000000

Unable to open: /dev/disk2s2.
libfvde_metadata_block_read: mismatch in checksum ( 0xe9241b07 != 0xbd0b4724 ).
libfvde_metadata_read: unable to read metadata block.
libfvde_volume_open_read: unable to read primary metadata.
libfvde_volume_open_file_io_handle: unable to read from volume handle.
info_handle_open_input: unable to open input volume.
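
An added triage example, not part of the original posts and not libfvde code: it unpacks the 64-byte metadata block header using the field order printed by libfvde_metadata_block_read_data and flags implausible values, to tell a header that is readable apart from its checksum from one that is garbage throughout. The header bytes are copied from the two hex dumps above; the plausibility rules and the default metadata size are assumptions taken from the readable output on this page, not libfvde's own checks.

```python
import struct

# 64-byte metadata block header, little-endian, in the order the fields are
# printed by libfvde_metadata_block_read_data in the first dump above.
BLOCK_HEADER = struct.Struct("<IIHHIQQQQIIQ")
FIELDS = ("checksum", "initial_value", "version", "type", "serial_number",
          "group", "unknown3", "number", "unknown5", "size", "unknown6",
          "unknown7")

# Header bytes copied from the two hex dumps above.
UNSUPPORTED_SIZE_HEADER = bytes.fromhex(
    "d9 79 20 d6 01 77 a1 b7 bc 32 75 91 2a 52 ba 22"
    "48 d8 f7 87 0f 39 8d 69 51 e0 48 94 14 8a 78 5e"
    "0c a1 c3 fd ee 1a a9 5f 9c c1 d4 d6 c2 91 b4 1f"
    "f1 94 01 93 09 56 08 37 1d 00 2d 4f 3d fc 68 91")
CHECKSUM_MISMATCH_HEADER = bytes.fromhex(
    "07 1b 24 e9 ff ff ff ff 01 00 11 00 06 14 d7 01"
    "92 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00")


def parse_block_header(data):
    """Unpack the 64-byte header into a dict keyed by field name."""
    if len(data) < BLOCK_HEADER.size:
        raise ValueError("need %d bytes, got %d" % (BLOCK_HEADER.size, len(data)))
    return dict(zip(FIELDS, BLOCK_HEADER.unpack_from(data)))


def implausible_fields(header, metadata_size=4194304, volume_serial=None):
    """Names of fields failing the triage heuristics (not libfvde's checks).

    metadata_size defaults to the value in the volume header output above and
    is an assumption for any other volume.
    """
    bad = []
    if header["initial_value"] != 0xFFFFFFFF:  # value seen in readable headers
        bad.append("initial_value")
    if header["version"] != 1:                 # version seen in readable headers
        bad.append("version")
    if not 0 < header["size"] <= metadata_size:  # assumed upper bound
        bad.append("size")
    if volume_serial is not None and header["serial_number"] != volume_serial:
        bad.append("serial_number")            # should match the volume header
    return bad


if __name__ == "__main__":
    for name, raw in (("unsupported block size", UNSUPPORTED_SIZE_HEADER),
                      ("checksum mismatch", CHECKSUM_MISMATCH_HEADER)):
        header = parse_block_header(raw)
        print(name, hex(header["type"]), header["size"],
              implausible_fields(header))
```
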

Retrieve hash from wipekey only

Good day.

Is it possible to retrieve the FileVault hash for hashcat with only the .wipekey file? I have this file but don't have any access to the encrypted volume.

Unable to mount APFS container

We connected a 128G drive externally and installed macOS 10.13.6 (High Sierra) on an HFS+ partition. After the installation it was encrypted with FileVault, after which the drive shows an EFI FAT partition, a Core Storage partition (about 127GB) and a Boot partition (shown below).
'fvdemount 20180108' generates a small fuse file (about 5GB) which fails to mount with an error to the effect that it cannot find the secondary superblock.
I even increased the logical volume size in the code, resulting in the fuse file being larger, but it still won't mount and differs considerably from the original data.
I have attached the output debugging messages (I added a few debugging messages).
Any help with this would be greatly appreciated. Thank you.

fail-to-mount.log

-------------------------------------------------------------------------------------------
Here is a dump of the drive before and after encryption:
Disk /dev/sdbd: 119.2 GiB, 128035676160 bytes, 250069680 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: CBB77971-8A10-4D5A-B3D9-F1A6B6D29EED

Device         Start       End   Sectors   Size Type
/dev/sdbd1        40    409639    409600   200M EFI System
/dev/sdbd2    409640 248800103 248390464 118.5G Apple HFS/HFS+
/dev/sdbd3 248800104 250069639   1269536 619.9M Apple boot
----------------------------------------------------------------------------------------------
Disk /dev/sdbc: 119.2 GiB, 128035676160 bytes, 250069680 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: CBB77971-8A10-4D5A-B3D9-F1A6B6D29EED

Device         Start       End   Sectors   Size Type
/dev/sdbc1        40    409639    409600   200M EFI System
/dev/sdbc2    409640 248800103 248390464 118.5G Apple Core storage
/dev/sdbc3 248800104 250069639   1269536 619.9M Apple boot

libfvde_encrypted_metadata_read_type_0x001a: unable to retrieve XML key element

# mmls /dev/sda
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Safety Table
01:  -----   0000000000   0000000039   0000000040   Unallocated
02:  Meta    0000000001   0000000001   0000000001   GPT Header
03:  Meta    0000000002   0000000033   0000000032   Partition Table
04:  00      0000000040   0000409639   0000409600   EFI system partition
05:  01      0000409640   0196646095   0196236456   Hummingbird
06:  02      0196646096   0197915631   0001269536   Recovery HD
07:  -----   0197915632   0197916671   0000001040   Unallocated
08:  03      0197916672   0236976127   0039059456   BOOTCAMP
09:  -----   0236976128   0236978175   0000002048   Unallocated
# fls -r -o 196646096 /dev/sda | grep -i EncryptedRoot
+++++ r/r 10565:    EncryptedRoot.plist.wipekey
# icat -o 196646096 /dev/sda 10565 > EncryptedRoot.plist.wipekey
# fvdemount -e EncryptedRoot.plist.wipekey -p 'Foo bar' /dev/sda2 /media/osx2/
fvdemount 20140907

Unable to open: /dev/sda2.
libfvde_encrypted_metadata_read_type_0x001a: unable to retrieve XML key element.
libfvde_encrypted_metadata_read: unable to read metadata block type 0x001a.
libfvde_volume_open_read: unable to read primary encrypted metadata.
libfvde_volume_open_file_io_handle: unable to read from volume handle.
mount_handle_open_input: unable to open input volume.

4096 bytes per sector support?

I have a dd physical image of a 250GB SSD (OS Sierra) from a FV2 encrypted Macbook Pro 2016. The block size for this device is 4096 bytes per sector.

I run mmls on the dd file and it shows the Start sector for my encrypted partition as being 0000076806 and Units are 4096-byte sectors.

I run the following command:-

fvdemount -e EncryptedRoot.plist.wipekey -o $((76806*4096)) -p secret_password my_dd_image.dd /mount/point

This seems to work with no errors and when I run file /mount/point/fvde1, it shows information as being a Macintosh HFS Extended version 4...... with block size 4096 and number of blocks as 60956672. Multiplying the block size by the number of blocks, this equates to 232GB (which is correct I believe for a 250GB HDD).

When I then seek to run mount -o loop,ro /mount/point/fvde1 /new_mount_point, it returns an error:

"mount: wrong fs type, bad option, bad superblock on /dev/loop1
.......
......."

I then ran fvdeinfo my_dd_image.dd to see what info it showed and what the problem may be, and this also returned an error:-

"Unable to open my_dd_image.dd
libfvde_io_handle_read_volume_header: unsupported core storage signature
libfvde_volume_open_read: unable to read volume header
libfvde_volume_open_file_io_handle: unable to read from file IO handle
info_handle_open_input: unable to open input volume."

libfvde has worked without any problem on other FV2 encrypted Macbooks with sector sizes of 512 bytes but I'm struggling with this one that has sector sizes of 4096 bytes.

Is this a known issue?

I have made a dd image of /mount/point/fvde1 and the outputted file is 18GB in total, which isn't consistent with the expected filesize.

Looking at the source code for libfvde_io_handle.c, although I am not a C programmer, am I correct in thinking that the sector size is hard-coded as 512 bytes?
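
An added example, not part of the original post or of libfvde: a check that a Core Storage volume header really sits at the byte offset computed from an mmls start sector, tried for both 512-byte and 4096-byte sectors before the value is passed to -o. Field offsets are read off the fvdeinfo -v volume header dump earlier on this page; the sample header bytes come from that dump (a different volume), while the image and its start sector of 6 are constructed.

```python
import io
import struct

# First 0x70 bytes of the volume header hex dump in the fvdeinfo -v output
# earlier on this page (a different volume from this post's image).
SAMPLE_HEADER = bytes.fromhex(
    "93 0a b2 50 ff ff ff ff 01 00 10 00 06 14 d7 01"
    "01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 80 9c ad e8 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 43 53 01 00 00 00 04 00"
    "00 10 00 00 00 00 40 00 c7 c9 8a 0e 00 00 00 00")


def read_volume_header(image, offset):
    """Parse the Core Storage volume header at a byte offset, or return None."""
    image.seek(offset)
    data = image.read(512)
    if len(data) < 0x70 or data[0x58:0x5A] != b"CS":
        return None
    (block_type,) = struct.unpack_from("<H", data, 0x0A)
    if block_type != 0x0010:  # block type printed for the volume header above
        return None
    (bytes_per_sector,) = struct.unpack_from("<I", data, 0x30)
    (volume_size,) = struct.unpack_from("<Q", data, 0x40)
    block_size, metadata_size, first_block = struct.unpack_from("<IIQ", data, 0x60)
    return {
        "bytes_per_sector": bytes_per_sector,
        "physical_volume_size": volume_size,
        "block_size": block_size,
        "metadata_size": metadata_size,
        # Relative to the volume start, as in "reading metadata at offset".
        "first_metadata_offset": first_block * block_size,
    }


def locate_volume_header(image, start_sector, sector_sizes=(512, 4096)):
    """Try each sector size for a partition start sector; return the matches."""
    hits = []
    for sector_size in sector_sizes:
        offset = start_sector * sector_size
        header = read_volume_header(image, offset)
        if header is not None:
            hits.append((sector_size, offset, header))
    return hits


def build_sample_image(start_sector=6, sector_size=4096):
    """Constructed image: zeros up to the partition start, then the header."""
    padded = SAMPLE_HEADER.ljust(512, b"\0")
    return io.BytesIO(bytes(start_sector * sector_size) + padded)


if __name__ == "__main__":
    for size, offset, header in locate_volume_header(build_sample_image(), 6):
        print("sector size %d -> -o %d" % (size, offset), header)
```
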

fvdemount only mounts 17GB of 232GB volume

From a 233GB "apple core storage" partition the fvdemount'ed volume size is 17GB.
This 17GB volume/device cannot be mounted.

Bug?

The only change I made after git clone libfvde was to rem out lines 21 & 22 in configure.ac so that autogen.sh would work. Created deb pkgs under Debian.

fdisk information (ewfmount'ed E01's + losetup)

fdisk -l /dev/loop0

Disk /dev/loop0: 233.8 GiB, 251000193024 bytes, 490234752 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 5C60C4BD-5B27-4F0C-AFD6-DF7061C9DFBD

Device            Start       End   Sectors   Size Type
/dev/loop0p1         40    409639    409600   200M EFI System
/dev/loop0p2     409640 488965175 488555536   233G Apple Core storage
/dev/loop0p3  488965176 490234711   1269536 619.9M Apple boot

fvdeinfo

root@syd-nb7-666:/tmp# fvdeinfo -p ?????? -e /tmp/EncryptedRoot.plist.wipekey /dev/loop0p2 /tmp/mac
fvdeinfo 20151018

Core Storage information:

Physical volume:
Size: 250140434432 bytes
Encryption method: AES XTS

Logical volume:
Size: 17070227456 bytes

volume listing

root@syd-nb7-666:/tmp# cd /tmp/mac/
root@syd-nb7-666:/tmp/mac# ls -lh
total 0
-r--r--r-- 1 root root 16G Oct 26 21:58 fvde1
root@syd-nb7-666:/tmp/mac# ls -l
total 0
-r--r--r-- 1 root root 17070227456 Oct 26 21:58 fvde1

libfvde_encryption_context_plist_get_passphrase_wrapped_kek: invalid plist - missing XML plist crypto users key

I am trying to mount my MacBook disk but I only have the password and not the recovery key,
and as I read it you can access it only with the password, right?

I tried:

➜  ~ sudo fvdemount -e EncryptedRoot.plist.wipekey -p mypassword /dev/sda2 /media/mntpoint1
fvdemount 20160918

Unable to open: /dev/sda2.
libfvde_encryption_context_plist_get_passphrase_wrapped_kek: invalid plist - missing XML plist crypto users key.
libfvde_encrypted_metadata_get_volume_master_key: unable to retrieve passphrase wrapped KEK: 0 from encryption context plist.
libfvde_volume_open_read_keys_from_encrypted_metadata: unable to retrieve volume master key from encrypted metadata.
libfvde_volume_open_read: unable to read keys from primary encrypted metadata.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
mount_handle_open_input: unable to open input volume.

Any suggestions?

libfvalue_utf8_string_with_index_copy_to_integer: unsupported character value: 0x78 at index: 1

I'm trying to mount a USB drive encrypted on Mac OSX (unfortunately I don't remember the exact procedure of encrypting it, but I probably used the default time machine setup a few years ago).

I'm using the following command:

sudo fvdemount -o $(( 409640 * 512 )) -p $DRIVE_PASSWORD /dev/sdb mounted-disk

and I get the following output:

fvdemount 20180505

Unable to open: /dev/sdb.
libfvalue_utf8_string_with_index_copy_to_integer: unsupported character value: 0x78 at index: 1.
libfvalue_utf8_string_copy_to_integer: unable to copy UTF-8 string to integer value.
libfplist_property_get_value_integer: unable to convert value to integer.
libfvde_encrypted_metadata_read_type_0x001a: unable to retrieve logical volume size.
libfvde_encrypted_metadata_read: unable to read metadata block type 0x001a.
libfvde_volume_open_read: unable to read primary encrypted metadata.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
mount_handle_open_input: unable to open input volume.
