Re: [sleuthkit-users] File Vault 2 DD Images and TSK
From: Lehr, J. <jl...@sl...> - 2013-05-10 21:19:03
The issue is likely the split dd image. If your segments are not named sequentially, TSK can't put them back together automatically. Specify all the file names in the command in sequential order, such as
fls -r -o 488965176 img_seg1.dd img_seg2.dd img_seg3.dd | grep -i EncryptedRoot
To avoid having to type all the segments each time, first assign to a variable:
image="img_seg1.dd img_seg2.dd img_seg3.dd"
fls -r -o 488965176 $image | grep -i EncryptedRoot
Or, finally, you could rename your segments to something TSK can automatically reassemble, i.e., add filename extensions .001, .002, .003, etc.
---------------------------------
John Lehr
Evidence Technician
San Luis Obispo Police Department
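To illustrate the reassembly point above, here is an added helper script; it is not from the thread and not part of TSK, libfvde or Macquisition. The segment names it works on (img_seg1.dd, img_seg2.dd, img_seg10.dd) are constructed for the demo. It orders the segments numerically rather than alphabetically (so img_seg10.dd does not land right after img_seg1.dd), reports the combined size in 512-byte sectors so it can be compared with the "maximum" TSK prints (4194304 sectors is exactly 2 GiB, consistent with TSK having opened only one segment), and optionally renames the segments to .001, .002, ... so TSK can find the rest from the first file name.

```shell
#!/bin/sh
# Added example (not from the thread, not part of TSK or libfvde): helpers for
# feeding a split dd image to fls/mmls when the segments are not named in a
# way TSK can reassemble on its own. Segment names used below are constructed.

# Print the segments in ascending order of the first number in their names,
# on one line, space-separated, ready to paste after "fls -o <offset>".
# Plain alphabetical order would put img_seg10.dd right after img_seg1.dd.
# Assumes segment names contain no spaces.
order_segments() {
    for f in "$@"; do
        n=$(printf '%s\n' "$f" | sed -n 's/[^0-9]*\([0-9][0-9]*\).*/\1/p')
        printf '%s %s\n' "${n:-0}" "$f"
    done | sort -n -k1,1 | cut -d' ' -f2- | paste -s -d ' ' -
}

# Combined size of the segments in 512-byte sectors. TSK rejects any -o
# offset at or past this value; if the number printed here matches the
# "maximum" in the error, TSK is seeing only the segments you handed it.
total_sectors() {
    total=0
    for f in "$@"; do
        bytes=$(wc -c < "$f" | tr -d ' ')
        total=$((total + bytes / 512))
    done
    echo "$total"
}

# Succeed (exit 0) when a sector offset lies inside the combined image.
offset_fits() {
    off=$1; shift
    [ "$off" -lt "$(total_sectors "$@")" ]
}

# Rename the segments to BASE.001, BASE.002, ... in the right order so TSK
# can locate the remaining segments from the first file name alone.
rename_sequential() {
    base=$1; shift
    i=1
    for f in $(order_segments "$@"); do
        mv -- "$f" "$(printf '%s.%03d' "$base" "$i")"
        i=$((i + 1))
    done
}

# Demo on constructed 2 KiB segments (not real evidence): sh script.sh demo
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d); cd "$work" || exit 1
    for s in 1 2 10; do dd if=/dev/zero of="img_seg$s.dd" bs=512 count=4 2>/dev/null; done
    segs=$(order_segments img_seg10.dd img_seg1.dd img_seg2.dd)
    echo "ordered: $segs"
    echo "sectors: $(total_sectors $segs)"
    offset_fits 12 $segs && echo "offset 12 fits" || echo "offset 12 is past the end"
    rename_sequential fv $segs && ls
fi
```

In practice you would run `total_sectors` on the real segments first: if it is well above 4194304 but `fls -o 488965176 first_segment` still reports that maximum, the remaining segments were simply never opened, and either listing them all in order or renaming them with sequential extensions resolves it.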
________________________________________
From: Tom Yarrish [to...@ya...]
Sent: Friday, May 10, 2013 12:50
To: sle...@li...
Subject: [sleuthkit-users] File Vault 2 DD Images and TSK
All,
Has anyone done work with DD images created by Macquisition and then analyzed with TSK? Here's my issue. I have this split dd image of an OS X machine that is FV 2 full disk encrypted. When I run mmls against it I see the following partitioning:
mmls -t gpt /mnt/aff/file_vault_test_four.dd
GUID Partition Table (EFI)
Offset Sector: 0 Units are in 512-byte sectors
Slot Start End Length Description
00: Meta 0000000000 0000000000 0000000001 Safety Table
01: ----- 0000000000 0000000039 0000000040 Unallocated
02: Meta 0000000001 0000000001 0000000001 GPT Header
03: Meta 0000000002 0000000033 0000000032 Partition Table
04: 00 0000000040 0000409639 0000409600 EFI system partition
05: 01 0000409640 0488965175 0488555536 Macintosh HD
06: 02 0488965176 0490234711 0001269536 Recovery HD
So I'm looking at this tool libfvde (https://code.google.com/p/libfvde/) and following the steps they outline here:
https://code.google.com/p/libfvde/wiki/Mounting
What I'm trying to do is:
"fls -r -o 50480752 image.raw | grep -i EncryptedRoot"
But when I run it against my image I get:
sudo fls -r -o 488965176 /mnt/aff/file_vault_test_four.dd | grep -i EncryptedRoot
Sector offset supplied is larger than disk image (maximum: 4194304)
I did some googling but nothing came up that appeared to be relevant to this.
I'm running all of this on OSX 10.7 with TSK 4.0.2. The image was mounted with xmount (even though the directory says /mnt/aff it's not affuse).
Thanks ahead of time,
Tom