Re: [sleuthkit-users] File Vault 2 DD Images and TSK
From: Brian C. <ca...@sl...> - 2013-05-10 21:42:03
If the extensions are .001, .002, etc, then just specify the first one and TSK will find the rest.

On May 10, 2013, at 5:35 PM, Tom Yarrish <to...@ya...> wrote:

> The image segments are named sequentially, but it looks like xmount isn't assembling them correctly (which could be an error on my part).
>
> If I do this:
>
> mmls -i raw -t gpt file_vault_test_four.*
>
> I get a slightly different output:
>
> GUID Partition Table (EFI)
> Offset Sector: 0
> Units are in 512-byte sectors
>
> Slot  Start       End         Length      Description
> 00: Meta   0000000000  0000000000  0000000001  Safety Table
> 01: -----  0000000000  0000000039  0000000040  Unallocated
> 02: Meta   0000000001  0000000001  0000000001  GPT Header
> 03: Meta   0000000002  0000000033  0000000032  Partition Table
> 04: 00     0000000040  0000409639  0000409600  EFI system partition
> 05: 01     0000409640  0488965175  0488555536  Macintosh HD
> 06: 02     0488965176  0490234711  0001269536  Recovery HD
> 07: -----  0490234712  0490234751  0000000040  Unallocated
>
> And then when I run:
>
> fls -r -o 488965176 file_vault_test_four.* | grep -i EncryptedRoot
>
> I'm getting the correct output.
>
> Thanks,
> Tom
>
>
> On Fri, May 10, 2013 at 4:05 PM, Lehr, John <jl...@sl...> wrote:
> The issue is likely the split dd image. If your segments are not named sequentially, TSK can't put them back together automatically. Specify all the file names in the command in sequential order, such as
>
> fls -r -o 488965176 img_seg1.dd img_seg2.dd img_seg3.dd | grep -i EncryptedRoot
>
> To avoid having to type all the segments each time, first assign to a variable:
>
> image="img_seg1.dd img_seg2.dd img_seg3.dd"
> fls -r -o 488965176 $image | grep -i EncryptedRoot
>
> Or, finally, you could rename your segments to something TSK can automatically reassemble, i.e., add filename extensions .001, .002, .003, etc.
>
> ---------------------------------
> John Lehr
> Evidence Technician
> San Luis Obispo Police Department
> ________________________________________
> From: Tom Yarrish [to...@ya...]
> Sent: Friday, May 10, 2013 12:50
> To: sle...@li...
> Subject: [sleuthkit-users] File Vault 2 DD Images and TSK
>
> All,
> Has anyone done work with DD images created by Macquisition and then analyzed with TSK? Here's my issue. I have this split dd image of an OS X machine that is FV 2 full disk encrypted. When I run mmls against it I see the following partitioning:
>
> mmls -t gpt /mnt/aff/file_vault_test_four.dd
> GUID Partition Table (EFI)
> Offset Sector: 0
> Units are in 512-byte sectors
>
> Slot  Start       End         Length      Description
> 00: Meta   0000000000  0000000000  0000000001  Safety Table
> 01: -----  0000000000  0000000039  0000000040  Unallocated
> 02: Meta   0000000001  0000000001  0000000001  GPT Header
> 03: Meta   0000000002  0000000033  0000000032  Partition Table
> 04: 00     0000000040  0000409639  0000409600  EFI system partition
> 05: 01     0000409640  0488965175  0488555536  Macintosh HD
> 06: 02     0488965176  0490234711  0001269536  Recovery HD
>
> So I'm looking at this tool libfvde (https://code.google.com/p/libfvde/) and following the steps they outline here:
>
> https://code.google.com/p/libfvde/wiki/Mounting
>
> What I'm trying to do is:
>
> "fls -r -o 50480752 image.raw | grep -i EncryptedRoot"
>
> But when I run it against my image I get:
>
> sudo fls -r -o 488965176 /mnt/aff/file_vault_test_four.dd | grep -i EncryptedRoot
> Sector offset supplied is larger than disk image (maximum: 4194304)
>
> I did some googling but nothing came up that appeared to be relevant to this.
>
> I'm running all of this on OSX 10.7 with TSK 4.0.2. The image was mounted with xmount (even though the directory says /mnt/aff it's not affuse).
>
> Thanks ahead of time,
> Tom
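As an added example (not code from this thread or from The Sleuth Kit), a small POSIX shell helper that pulls the Recovery HD start sector out of the mmls listing Tom posted and renames split segments into the sequential .001/.002 scheme Brian and John describe; the segment names, the base name and the use of awk/sed/sort are assumptions for illustration:

```shell
#!/bin/sh
# Added example, not code from the thread: read the "fls -o" offset out of an
# mmls listing and rename split dd segments into the .001/.002 scheme that
# TSK reassembles on its own. Names and paths are constructed for illustration.

# Constructed sample: the GPT rows quoted from Tom's mmls output in the thread.
MMLS_SAMPLE='GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

Slot Start End Length Description
00: Meta 0000000000 0000000000 0000000001 Safety Table
04: 00 0000000040 0000409639 0000409600 EFI system partition
05: 01 0000409640 0488965175 0488555536 Macintosh HD
06: 02 0488965176 0490234711 0001269536 Recovery HD'

# part_offset DESCRIPTION: read an mmls listing on stdin and print the start
# sector of the partition with that description, leading zeros stripped.
part_offset() {
    awk -v want="$1" '
        /^[0-9][0-9]*:/ {
            desc = ""
            for (i = 6; i <= NF; i++) desc = desc (i > 6 ? " " : "") $i
            if (desc == want) { print $3 + 0; exit }
        }'
}

# fls_command SEGMENT...: build the fls line John posted, taking the offset
# from mmls instead of typing it by hand. Prints the command rather than running it.
fls_command() {
    off=$(printf '%s\n' "$MMLS_SAMPLE" | part_offset "Recovery HD")
    echo "fls -r -o $off $* | grep -i EncryptedRoot"
}

# renumber_segments DIR BASE: rename DIR/img_seg1.dd ... img_seg10.dd to
# BASE.001 BASE.002 ... in numeric order (a plain "ls" would put seg10 before
# seg2), so TSK can be given just the first segment. Prints the new names in order.
renumber_segments() {
    dir=$1; base=$2; n=0
    for f in "$dir"/*; do echo "${f##*/}"; done \
      | sed -n 's/^\(.*[^0-9]\)\([0-9][0-9]*\)\(\.[^.]*\)$/\2 &/p' \
      | sort -n | cut -d' ' -f2- \
      | while read -r old; do
            n=$((n + 1))
            new=$(printf '%s.%03d' "$base" "$n")
            mv "$dir/$old" "$dir/$new"
            echo "$new"
        done
}

fls_command file_vault_test_four.001   # prints: fls -r -o 488965176 file_vault_test_four.001 | grep -i EncryptedRoot
```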