Re: [sleuthkit-users] File Vault 2 DD Images and TSK
From: Tom Y. <to...@ya...> - 2013-05-10 21:36:11
The image segments are named sequentially, but it looks like xmount isn't
assembling them correctly (which could be an error on my part).
If I do this:
mmls -i raw -t gpt file_vault_test_four.*
I get a slightly different output:
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
00: Meta 0000000000 0000000000 0000000001 Safety Table
01: ----- 0000000000 0000000039 0000000040 Unallocated
02: Meta 0000000001 0000000001 0000000001 GPT Header
03: Meta 0000000002 0000000033 0000000032 Partition Table
04: 00 0000000040 0000409639 0000409600 EFI system partition
05: 01 0000409640 0488965175 0488555536 Macintosh HD
06: 02 0488965176 0490234711 0001269536 Recovery HD
07: ----- 0490234712 0490234751 0000000040 Unallocated
And then when I run:
fls -r -o 488965176 file_vault_test_four.* | grep -i EncryptedRoot
I'm getting the correct output.
Thanks,
Tom
On Fri, May 10, 2013 at 4:05 PM, Lehr, John <jl...@sl...> wrote:
> The issue is likely the split dd image. If your segments are not named
> sequentially, TSK can't put them back together automatically. Specify all
> the file names in the command in sequential order, such as
>
> fls -r -o 488965176 img_seg1.dd img_seg2.dd img_seg3.dd | grep -i
> EncryptedRoot
>
> To avoid having to type all the segments each time, first assign to a
> variable:
>
> image="img_seg1.dd img_seg2.dd img_seg3.dd"
> fls -r -o 488965176 $image | grep -i EncryptedRoot
>
> Or, finally, you could rename your segments to something TSK can
> automatically reassemble, i.e., add filename extensions .001, .002, .003,
> etc.
>
> ---------------------------------
> John Lehr
> Evidence Technician
> San Luis Obispo Police Department
> ________________________________________
> From: Tom Yarrish [to...@ya...]
> Sent: Friday, May 10, 2013 12:50
> To: sle...@li...
> Subject: [sleuthkit-users] File Vault 2 DD Images and TSK
>
> All,
> Has anyone done work with DD images created by Macquisition and then
> analyzed with TSK? Here's my issue. I have this split dd image of an OS X
> machine that is FV 2 full disk encrypted. When I run mmls against it I see
> the following partitioning:
>
> mmls -t gpt /mnt/aff/file_vault_test_four.dd
> GUID Partition Table (EFI)
> Offset Sector: 0 Units are in 512-byte sectors
>
> Slot Start End Length Description
> 00: Meta 0000000000 0000000000 0000000001 Safety Table
> 01: ----- 0000000000 0000000039 0000000040 Unallocated
> 02: Meta 0000000001 0000000001 0000000001 GPT Header
> 03: Meta 0000000002 0000000033 0000000032 Partition Table
> 04: 00 0000000040 0000409639 0000409600 EFI system partition
> 05: 01 0000409640 0488965175 0488555536 Macintosh HD
> 06: 02 0488965176 0490234711 0001269536 Recovery HD
>
> So I'm looking at this tool libfvde (https://code.google.com/p/libfvde/)
> and following the steps they outline here:
>
> https://code.google.com/p/libfvde/wiki/Mounting
>
> What I'm trying to do is:
>
> "fls -r -o 50480752 image.raw | grep -i EncryptedRoot"
>
> But when I run it against my image I get:
>
> sudo fls -r -o 488965176 /mnt/aff/file_vault_test_four.dd | grep -i
> EncryptedRoot
> Sector offset supplied is larger than disk image (maximum: 4194304)
>
> I did some googling but nothing came up that appeared to be relevant to
> this.
>
> I'm running all of this on OSX 10.7 with TSK 4.0.2. The image was mounted
> with xmount (even though the directory says /mnt/aff it's not affuse).
>
> Thanks ahead of time,
> Tom
>
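The mechanics this thread turns on (split segments laid end to end in name order, the maximum sector the assembled image can address, and where a whole-image sector offset such as the value given to fls -o actually lands) as an added Python illustration. This is not TSK's code and not from anyone in the thread; the segment files, their names and their contents are constructed sample data. For scale, the "maximum: 4194304" in the error is 4194304 x 512 bytes, exactly 2 GiB, while the disk in the mmls output ends at sector 490234751 (about 251 GB), so the tool had clearly opened only one segment, which is the diagnosis John gives.

```python
import os
import re
import tempfile

SECTOR_SIZE = 512


def natural_key(name):
    """Sort key that orders img.001, img.002, ... img.010 numerically,
    the way a sequential segment naming scheme is meant to be read."""
    return [int(part) if part.isdigit() else part
            for part in re.split(r"(\d+)", name)]


def assemble_segments(paths):
    """Lay split-image segments end to end in name order.

    Returns (layout, total_bytes); layout is a list of
    (path, start_byte, length) tuples in the order the bytes appear
    in the reassembled image."""
    ordered = sorted(paths, key=lambda p: natural_key(os.path.basename(p)))
    layout = []
    cursor = 0
    for path in ordered:
        size = os.path.getsize(path)
        layout.append((path, cursor, size))
        cursor += size
    return layout, cursor


def max_sector(total_bytes):
    """Number of 512-byte sectors the assembled image can address."""
    return total_bytes // SECTOR_SIZE


def locate_sector(layout, sector):
    """Translate a whole-image sector offset (what fls -o takes) into
    (segment path, byte offset within that segment)."""
    byte = sector * SECTOR_SIZE
    for path, start, size in layout:
        if start <= byte < start + size:
            return path, byte - start
    total = sum(size for _, _, size in layout)
    # Same wording as the TSK message quoted in the thread.
    raise ValueError("Sector offset supplied is larger than disk image "
                     f"(maximum: {total // SECTOR_SIZE})")


def read_sector(layout, sector):
    """Read one sector from whichever segment file holds it."""
    path, offset = locate_sector(layout, sector)
    with open(path, "rb") as fh:
        fh.seek(offset)
        return fh.read(SECTOR_SIZE)


def build_demo_segments(directory, sectors_per_segment=4, count=3):
    """Constructed sample data: three tiny segments, each sector filled with
    its global sector number so a mis-ordered assembly is easy to spot.
    The files are created out of order on purpose."""
    paths = []
    for n in reversed(range(1, count + 1)):
        path = os.path.join(directory, f"demo_image.{n:03d}")
        with open(path, "wb") as fh:
            for s in range(sectors_per_segment):
                global_sector = (n - 1) * sectors_per_segment + s
                fh.write(bytes([global_sector]) * SECTOR_SIZE)
        paths.append(path)
    return paths


def demo():
    """Reassemble the constructed segments and report the figures a
    practitioner would check, then repeat with only the first segment."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = build_demo_segments(tmp)
        layout, total = assemble_segments(paths)
        seg, off = locate_sector(layout, 5)
        result = {
            "order": [os.path.basename(p) for p, _, _ in layout],
            "max_sector_all": max_sector(total),
            "sector5_segment": os.path.basename(seg),
            "sector5_offset": off,
            "sector5_marker": read_sector(layout, 5)[0],
        }
        # Only the first segment handed to the tool, as in the original error.
        first_only, total_first = assemble_segments(paths[-1:])
        result["max_sector_first_only"] = max_sector(total_first)
        try:
            locate_sector(first_only, 5)
            result["first_only_error"] = None
        except ValueError as exc:
            result["first_only_error"] = str(exc)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the three segments sorted into 001, 002, 003 regardless of creation order, a 12-sector image, sector 5 resolving to byte 512 of the second segment, and, with only the first segment supplied, a 4-sector image that rejects the same offset with the "maximum: 4" message. Whether the offset is beyond "maximum" is therefore the first thing to check before suspecting the partition table or the encryption layer.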