[sleuthkit-users] File Vault 2 DD Images and TSK
From: Tom Y. <to...@ya...> - 2013-05-10 20:50:06
All,
Has anyone done work with DD images created by Macquisition and then
analyzed with TSK? Here's my issue. I have this split dd image of an OS X
machine that is FV 2 full disk encrypted. When I run mmls against it I see
the following partitioning:
mmls -t gpt /mnt/aff/file_vault_test_four.dd
GUID Partition Table (EFI)
Offset Sector: 0 Units are in 512-byte sectors
Slot Start End Length Description
00: Meta 0000000000 0000000000 0000000001 Safety Table
01: ----- 0000000000 0000000039 0000000040 Unallocated
02: Meta 0000000001 0000000001 0000000001 GPT Header
03: Meta 0000000002 0000000033 0000000032 Partition Table
04: 00 0000000040 0000409639 0000409600 EFI system partition
05: 01 0000409640 0488965175 0488555536 Macintosh HD
06: 02 0488965176 0490234711 0001269536 Recovery HD
So I'm looking at this tool libfvde (https://code.google.com/p/libfvde/)
and following the steps they outline here:
https://code.google.com/p/libfvde/wiki/Mounting
What I'm trying to do is:
"fls -r -o 50480752 image.raw | grep -i EncryptedRoot"
But when I run it against my image I get:
sudo fls -r -o 488965176 /mnt/aff/file_vault_test_four.dd | grep -i EncryptedRoot
Sector offset supplied is larger than disk image (maximum: 4194304)
I did some googling but nothing came up that appeared to be relevant to
this.
I'm running all of this on OSX 10.7 with TSK 4.0.2. The image was mounted
with xmount (even though the directory says /mnt/aff it's not affuse).
Thanks ahead of time,
Tom
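As an added example for this thread (it is not part of the original post, of The Sleuth Kit, or of libfvde), the script below parses the mmls output posted above, pulls the start sector of the partition that holds the recovery volume, converts it to the byte offset that fls -o expects in sectors, and mirrors the bounds check behind the "Sector offset supplied is larger than disk image" message. It also compares the image size the partition table implies with the maximum TSK reported, which is the first thing to check before going further. The mmls text is embedded verbatim from the post; the split-segment sizes in main() are constructed values, not measurements.

```python
"""Parse mmls output and sanity-check an fls -o sector offset against the image size.

Added example for the sleuthkit-users thread; not code from TSK or libfvde.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SECTOR_SIZE = 512  # mmls printed "Units are in 512-byte sectors"

# mmls output exactly as posted in the thread.
MMLS_OUTPUT = """\
GUID Partition Table (EFI)
Offset Sector: 0 Units are in 512-byte sectors
Slot Start End Length Description
00: Meta 0000000000 0000000000 0000000001 Safety Table
01: ----- 0000000000 0000000039 0000000040 Unallocated
02: Meta 0000000001 0000000001 0000000001 GPT Header
03: Meta 0000000002 0000000033 0000000032 Partition Table
04: 00 0000000040 0000409639 0000409600 EFI system partition
05: 01 0000409640 0488965175 0488555536 Macintosh HD
06: 02 0488965176 0490234711 0001269536 Recovery HD
"""

# One mmls row: "NN: <slot> <start> <end> <length> <description>"
ROW_RE = re.compile(r"^\d+:\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


@dataclass
class Partition:
    slot: str
    start: int       # first sector
    end: int         # last sector (inclusive)
    length: int      # sectors
    description: str

    def consistent(self) -> bool:
        """mmls rows should satisfy end - start + 1 == length."""
        return self.end - self.start + 1 == self.length

    def byte_offset(self) -> int:
        return self.start * SECTOR_SIZE


def parse_mmls(text: str) -> List[Partition]:
    """Extract the partition rows; header lines do not match ROW_RE and are skipped."""
    parts = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            slot, start, end, length, desc = m.groups()
            parts.append(Partition(slot, int(start), int(end), int(length), desc.strip()))
    return parts


def find_partition(parts: List[Partition], description: str) -> Optional[Partition]:
    for p in parts:
        if p.description.lower() == description.lower():
            return p
    return None


def implied_image_sectors(parts: List[Partition]) -> int:
    """Smallest image size (in sectors) that can contain every listed partition."""
    return max(p.end for p in parts) + 1


def image_sectors_from_segments(segment_sizes_bytes: List[int]) -> int:
    """Total sectors across all split-dd segments (sizes given in bytes)."""
    return sum(segment_sizes_bytes) // SECTOR_SIZE


def sectors_to_gib(sectors: int) -> float:
    return sectors * SECTOR_SIZE / 2 ** 30


def check_offset(sector_offset: int, image_sectors: int) -> Optional[str]:
    """Mirror the bounds check behind the fls message quoted in the thread."""
    if sector_offset >= image_sectors:
        return f"Sector offset supplied is larger than disk image (maximum: {image_sectors})"
    return None


def main() -> None:
    parts = parse_mmls(MMLS_OUTPUT)
    assert all(p.consistent() for p in parts), "mmls table is internally inconsistent"
    recovery = find_partition(parts, "Recovery HD")
    print(f"Recovery HD starts at sector {recovery.start} (byte offset {recovery.byte_offset()})")

    # Maximum that fls reported in the thread, versus what the GPT implies.
    reported_max = 4194304
    print(f"fls sees {reported_max} sectors = {sectors_to_gib(reported_max):.1f} GiB")
    print(f"GPT implies at least {implied_image_sectors(parts)} sectors "
          f"= {sectors_to_gib(implied_image_sectors(parts)):.1f} GiB")
    print(check_offset(recovery.start, reported_max))

    # Constructed segment sizes: a 2 GiB first segment would explain the reported maximum;
    # the full set of segments should cover the whole partition table.
    first_segment_only = image_sectors_from_segments([2 ** 31])
    print("first segment only:", check_offset(recovery.start, first_segment_only))


if __name__ == "__main__":
    main()
```

Run it as-is to reproduce the figures from the post; to apply it to another image, paste that image's mmls output into MMLS_OUTPUT and put the actual segment sizes (for example from stat) into the list passed to image_sectors_from_segments, then compare the result with the maximum fls prints.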