How to: Recover a raw disk image of your OS X Filevault. and then read it’s contents…

File Vault is the encryption mechanism used to protect user accounts on an OS X file system. Disabled by default it has become more popular since originally released with 10.3 “Panther.”

When enabled, FileVault mounts and unmounts encrypted file systems duringthe user logging in and out process. In 10.5 “Leopard” this image is a Sparse Bundle, recognizable as a collection of 8Mb files. A change from before where a single and large file was used. One primary reason for the breakup to 8Mb is to allow Time Macine backups. A note to upgraders though, be sure to disable and then re enable Filevault otherwise you’ll end up with that sparse image format.

The user’s home directory is encrypted using AES with a key derived from the user’s login password. Content is automatically encrypted and decrypted on the fly. However, this data is not bound as tightly as some assume. Nor is the housekeeping as good as others would assume. Succinctly put: “Encrypted volumes preserve much of the data that is deleted from the volume. Because a file vault is treated as a separate file system, a free space wipe does virtually nothing to destroy deleted data stored inside a vault. Due to Apple’s policy of “security by obscurity”, many false assumptions have been made about the File Vault encryption mechanism, potentially exposing sensitive data to someone with the right tools. Users should be aware of File Vault’s caveats and limitations before relying on it as a means of securing data.

Here are the surprisingly easy steps to pull together a raw disk image from a users FileVault. This particular users name being “beer”. There is an assumption that you already have the key… If you’re looking to crack the encryption look elsewhere for vfcrack, cold boot attacks, and others. This image is suited for FTK or EnCase processing or carving up with Scalpel or Foremost…

Step 1
$ sudo -s
# ls -l /Volumes/Suspect_Disk/Users
total 0
-rw-r–r– 1 root wheel 0 Sep 23 2007 .localized
drwxrwxrwt 4 root wheel 136 Oct 5 18:34 Shared
dr-x—— 3 beer staff 102 Oct 10 13:11 beer

Step 2
# ls -l beer
total 0
drwx——@ 6 beer staff 204 Oct 10 12:58 beer.sparsebundle

Step 3
# hdid -readonly beer.sparsebundle

After being prompted for the File Vault password, the hdid tool will give you a mapping to a series of raw devices for the image:

/dev/disk2 Apple_partition_scheme
/dev/disk2s1 Apple_partition_map
/dev/disk2s2 Apple_HFS

Step 4
The third device down, disk2s2, is the one you’re interested in; it contains the HFS file system containing the home directory. You can copy off the enire file vault’s contents with a simple disk copy:

# dd if=/dev/rdisk2s2 of=/Volumes/Digital_Vault/rdisk2s2 bs=16384

Here’s the annoying part: because the vault is mapped onto the file system, you’re actually going to get a very large file containing a lot of padding; this could be several hundred gig in size depending on the virtual size of the file vault. You’ll need to make sure you have adequate disk space to contain this image.

Once you’ve got the image, it can be accessed much like any other HFS image. You can load it into FTK, or use a data carving tool like Scalpel to get data off of it. In addition to this, you can rename the image to have a .dmg extension and mount the decrypted file system right on your mac:

# mv /Volumes/Digital_Vault/rdisk2s2 /Volumes/Digital_Vault/rdisk2s2.dmg
# hdid -readonly /Volumes/Digital_Vault/rdisk2s2.dmg /dev/disk3/Volumes/beer

And that’s pretty much it…

A random tidbit on non random data

I recently was talking with somebody who felt that TrueCrypt hidden volumes were the bee knees. The scenario they used, and which I myself have read ‘musings’ about, involved a laptop carrying sensitive corporate data being seized by customs. Laptop drive gets “reviewed”, secret container is not seen, and laptop passes as normal and uninteresting. Big deal. Bigger deal is if you have 007 style data and that guy in the uniform is pretty certain you have it as well. My colleagues version of the story ends with an almost hollywood style style exhalation of breath and cinematic zoom out to the hero walking out the door. That’s not how it would probably pan out…

Truecrypt volumes, which are essentially files, have certain characteristics that allow programs such as TCHunt to detect them with a high *probability*. The most significant, in mathematical terms, is that their modulo division by 512 is 0. Now it is certainly true that TrueCrypt volumes do not contain known file headers and that their content is indistinguishable from random, so it is difficult to definitively prove that certain files are TrueCrypt volumes. However their very presence can demonstrate and provide reasonable suspicion they contain encrypted data.

The actual math behind this is interesting. TrueCrypt volume files have file sizes that are evenly divisible by 512 and their content passes chi-square randomness tests. A chi-square test is any statistical hypothesis test in which the sampling distribution of the test statistic is a chi-square distribution* when the null hypothesis is true, or any in which this is asymptotically true. Specifically meaning that the sampling distribution (if the null hypothesis is true) can be made to approximate a chi-square distribution as closely as desired by making the sample size large enough.

So what does this all mean? Really nothing for us normal people. For those whom I have built custom STSADM containers for securing your backups and exports, your data is still secure and will stay that way indefinitely. For those running across the border. A forensic analysis will reveal the presence of encrypted data, TrueCrypt volumes or otherwise, but not much more. Sometimes that’s enough to start asking questions or poking further. With the forensic tools, not the dentistry kit.

* A skewed distribution whose shape depends on the number of degrees of freedom. As the number of degrees of freedom increases, the distribution becomes more symmetrical.

dd: clean your drive securely

Now like anybody I’m a BIG fan of wiping old drives using dd but sometimes there’s a tool out there that will do most if not all of the work for you. Cue DBAN. OR as the site says:

Darik’s Boot and Nuke (“DBAN”) is a self-contained boot disk that securely wipes the hard disks of most computers. DBAN will automatically and completely delete the contents of any hard disk that it can detect, which makes it an appropriate utility for bulk or emergency data destruction.

Complemented with TrueCrypt you will have a mighty secure setup. Possible / definite paranoia issues too… But your data will be secure. For the more command line orientated the old reliable dd if=/dev/urandom of=/dev/disk bs=1k is good enough imho. (It puts random bits in place as opposed to a regular pattern. Not that it will stand up to NSA level scrutiny but it’s more than enough for most data recovery…)

For more go to: