How to: Recover a raw disk image of your OS X Filevault. and then read it’s contents…

File Vault is the encryption mechanism used to protect user accounts on an OS X file system. Disabled by default it has become more popular since originally released with 10.3 “Panther.”

When enabled, FileVault mounts and unmounts encrypted file systems duringthe user logging in and out process. In 10.5 “Leopard” this image is a Sparse Bundle, recognizable as a collection of 8Mb files. A change from before where a single and large file was used. One primary reason for the breakup to 8Mb is to allow Time Macine backups. A note to upgraders though, be sure to disable and then re enable Filevault otherwise you’ll end up with that sparse image format.

The user’s home directory is encrypted using AES with a key derived from the user’s login password. Content is automatically encrypted and decrypted on the fly. However, this data is not bound as tightly as some assume. Nor is the housekeeping as good as others would assume. Succinctly put: “Encrypted volumes preserve much of the data that is deleted from the volume. Because a file vault is treated as a separate file system, a free space wipe does virtually nothing to destroy deleted data stored inside a vault. Due to Apple’s policy of “security by obscurity”, many false assumptions have been made about the File Vault encryption mechanism, potentially exposing sensitive data to someone with the right tools. Users should be aware of File Vault’s caveats and limitations before relying on it as a means of securing data.

Here are the surprisingly easy steps to pull together a raw disk image from a users FileVault. This particular users name being “beer”. There is an assumption that you already have the key… If you’re looking to crack the encryption look elsewhere for vfcrack, cold boot attacks, and others. This image is suited for FTK or EnCase processing or carving up with Scalpel or Foremost…

Step 1
$ sudo -s
# ls -l /Volumes/Suspect_Disk/Users
total 0
-rw-r–r– 1 root wheel 0 Sep 23 2007 .localized
drwxrwxrwt 4 root wheel 136 Oct 5 18:34 Shared
dr-x—— 3 beer staff 102 Oct 10 13:11 beer

Step 2
# ls -l beer
total 0
drwx——@ 6 beer staff 204 Oct 10 12:58 beer.sparsebundle

Step 3
# hdid -readonly beer.sparsebundle

After being prompted for the File Vault password, the hdid tool will give you a mapping to a series of raw devices for the image:

/dev/disk2 Apple_partition_scheme
/dev/disk2s1 Apple_partition_map
/dev/disk2s2 Apple_HFS

Step 4
The third device down, disk2s2, is the one you’re interested in; it contains the HFS file system containing the home directory. You can copy off the enire file vault’s contents with a simple disk copy:

# dd if=/dev/rdisk2s2 of=/Volumes/Digital_Vault/rdisk2s2 bs=16384

Here’s the annoying part: because the vault is mapped onto the file system, you’re actually going to get a very large file containing a lot of padding; this could be several hundred gig in size depending on the virtual size of the file vault. You’ll need to make sure you have adequate disk space to contain this image.

Once you’ve got the image, it can be accessed much like any other HFS image. You can load it into FTK, or use a data carving tool like Scalpel to get data off of it. In addition to this, you can rename the image to have a .dmg extension and mount the decrypted file system right on your mac:

# mv /Volumes/Digital_Vault/rdisk2s2 /Volumes/Digital_Vault/rdisk2s2.dmg
# hdid -readonly /Volumes/Digital_Vault/rdisk2s2.dmg /dev/disk3/Volumes/beer

And that’s pretty much it…

Quick Fix: To add a link to the Global Links section in MOSS follow these steps:

Sometimes you just need that “quick” fix for a problem with SharePoint. In this case, yes, you could just hard code it into the master page or you could create your own custom control but editing the MyLinks.ascx file has its benefits too.

  1. Go to: C:Program FilesCommon FilesMicrosoft SharedWeb Server Extensions12TEMPLATECONTROLTEMPLATES
  2. Make a copy of “MyLinks.ascx” always a good idea…
  3. Open “MyLinks.ascx” and add the link(s) required e.g. “< href="">My Blog”< / a>
  4. Save and do an IISRESET
  5. The new link should appear

10.6 Snow Leopard Install

Snow Leopard will offer a number of significant improvements to the installation process.

  1. Erase and Install: Though still available via Disk Utility to the uninitiated it will appear to have been removed. So should one ever need to reinstall Snow Leopard, it will automatically archive and then install. What does that mean? Essentially a faster install with no, or fewer post install updates as the installer will leave any updated files alone…
  2. SMART: It won’t install on a hard drive that reports SMART failures.
  3. Haxies: The Snow Leopard installer will scan for known problem software and move it to a folder labeled “Incompatible Software.”
  4. Pulling the power: Should there be a power failure during the installation, it will pick right back up from where it was interrupted.
  5. Install files: The installer copies most files to the disk and runs them from there. A nice feature that should you have ever tried my instructions here in the past. Oh, it also cleans up after itself.
  6. Footprint:
  • Printer drivers are reined in. Only those needed get dropped onto the drive.
  • Quicktime is, unbelievably, optional. If you have a pro license for 7, Quicktime X will not overwrite it.
  • Rosetta is optional, though at this point PPC is nigh on being dismissed… Sigh.

“Time out” for Session Timeouts

On occasion there is a need to persist a session for the duration that a page is in the browser without concern for security. Doing this with .NET / SharePoint is actually pretty easy.

Option A
You can hack your way to a solution, which works just fine, by doing the following.

  1. Add an iFrame / iFrame webpart and link to a custom page.
  2. In the code behind for the linked custom page put:

private void Page_Load(object sender, System.EventArgs e)
Response.AddHeader(“Refresh”, Convert.ToString((Session.Timeout*60)-10));

What will this do? Basically seconds before the session is due to expire it will post back to the server. Simples if naught crude? Perhaps. Effective. Definitely.

Option B
Or you could add something like this to your master page.

< asp:Timer ID=”tmCheckStatus” Interval=”1800000″ runat=”server”>

< /asp: Timer>

With a code behind resembling:

    Protected Sub tmCheckStatus_Tick(ByVal sender As Object, ByVal e As System.EventArgs) Handles tmCheckStatus.Tick
If b2bGlobal.isUserOnline = False Then
'This is if you use forms authentication
'but I'd say it works equally fine for 'normal' sessions
'Or you can fire a popup or redirect to a page asking the users
'if they want to stay online
End If
End Sub

Option B example is from here. Needless to say tweaking is required…

Google Caffeine Beta: a not quite review

Google released a developers preview of their new search tool, Caffeine, which they claim will improve Google search’s

  • Speed
  • Accuracy
  • Size & Comprehensiveness

The developers version is pre-beta, which really means absolutely nothing when in context with Google, and is fully functional so I took it through a few hoops.

  1. Speed
  2. Accuracy
  3. Index size

1. Speed
I searched for “SharePoint” and got the following results:


  • Results 1: 110 of about 21,100,000 for SharePoint. (0.20 seconds)
  • Results 2: 110 of about 21,100,000 for SharePoint. (0.10 seconds)
  • Results 3: 110 of about 21,100,000 for SharePoint. (0.12 seconds)


  • Results 1: 1 10 of about 17,200,000 for SharePoint. (0.14 seconds)
  • Results 2: 1 10 of about 17,200,000 for SharePoint. (0.09 seconds)
  • Results 3: 110 of about 17,200,000 for SharePoint. (0.12 seconds)

Looks like keywords, and their strings, relevancy just increased. As did the index which may explain the almost consist lag in speed, though that could be a resource issue too. All told, possibly just a useless exercise as it is after all, still in “Beta”… However, I do look forward to the imminent deluge of posts that will compare Caffeine to Bing and invariably delve into fanboyism.

Charting Data: Keeping it simple.

I see a lot on charting data in SharePoint, and out.

In my opinion it boils down to three things

  1. what have you got
  2. how did you get it
  3. how are you going to show it

The first two are data related and require some questions.

  • Is it flat data that can “just be charted”?
  • If not, what needs to be done?
  • Is it interactive?
  • If it is, in what way?
  • etc

The third can get complicated as it can delve into what one can only call, the aesthetics of the situation. Some people love pie charts with garish colours. Others simply cannot understand radar charts. One product that works very nicely, has lots of options, and has a nice cost at $0 under the GPL, is Visifire.

Visifire is a set of open source data visualization controls – powered by Microsoft® Silverlight™ & WPF. It is a multi-targeting control which can be used in both WPF & Silverlight applications. Using the same API, charts in both Silverlight & WPF environments can be created within minutes. Visifire can also be embedded in any webpage as a standalone Silverlight App. Visifire is independent of server side technology. It can be used with

  • ASP.Net
  • PHP
  • JSP
  • ColdFusion
  • Ruby on Rails
  • Simple HTML
  • Etc.
This control can be easily used to chart data in a list.

Let me show you how…

  • Upload the Visifire files to your SharePoint document library. Specifically, copy the VisiFire.xap and .js files into the document library that will hold your web part page.
  • Add a Data View web part for the list containing the data you wish to graph to the web part page using SharePoint Designer.
  • In the Code View, replace the line in the section with the following


  1. Columns in this example are @Budget and @Actual, update these if your list is different
  2. I have replaced “<" with "< " so that the code will get presented correctly in the browser

< type="text/javascript" src="Visifire.js" mce_src="Visifire.js">< /script>
< escaping="yes">< ![CDATA[ < type="text/javascript">
var xmlString =
‘ < vc="clr-namespace:Visifire.Charts;assembly=Visifire.Charts" theme="Theme2">‘
+ ‘ < text="Revenue">‘
+ ‘ < title="Month">‘
+ ‘ < title="$ Thousands">‘
+ ‘ < name="Budget" renderas="Column" axisytype="Primary">‘
]]>< /xsl:text>
< select="/dsQueryResponse/Rows/Row">
< escaping="yes">< ![CDATA[ + ' < axislabel="">< /xsl:text>
< select="./@Title">
< escaping="yes">< ![CDATA[" YValue="]]>< /xsl:text>
< select="@Budget">
< escaping="yes">< ![CDATA["/>‘]]>< /xsl:text>
< /xsl:for-each>
< escaping="yes">
< ![CDATA[ + ' < /vc:DataSeries>‘
+ ‘ < name="Actual" renderas="Line" color="Red" axisytype="Primary">‘
]]>< /xsl:text>
< select="/dsQueryResponse/Rows/Row">
< escaping="yes">< ![CDATA[ + ' < axislabel="">< /xsl:text>
< select="./@Title">
< escaping="yes">< ![CDATA[" YValue="]]>< /xsl:text>
< select="@Actual">
< escaping="yes">< ![CDATA["/>‘]]>< /xsl:text>
< /xsl:for-each>
< escaping="yes">
< ![CDATA[ + ' < /vc:DataSeries>‘
+ ‘ < /vc:Chart>‘;
< /script>
]]>< /xsl:text>
< !-- Create the div to hold the chart and then run -->
< !-- the JavaScript code to actually show the chart. -->
< id="myChart" style="width:500px;height:300px;">
< language="javascript" type="text/javascript">
var vChart2 = new Visifire(“Visifire.xap”);
< /script> < /div>