https://github.com/tribalchicken/volatility-filevault2
Volatility plugin to extract FileVault 2 VMK's
- Host: GitHub
- URL: https://github.com/tribalchicken/volatility-filevault2
- Owner: tribalchicken
- Created: 2016-02-13T14:29:17.000Z (almost 9 years ago)
- Default Branch: master
- Last Pushed: 2021-09-20T21:01:42.000Z (over 3 years ago)
- Last Synced: 2024-08-02T03:07:30.329Z (6 months ago)
- Language: Python
- Size: 5.86 KB
- Stars: 49
- Watchers: 5
- Forks: 8
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-volatility - FileVault2 - Plugin which attempts to extract Apple FileVault 2 Volume Master Keys. (Volatility 2 / Plugins)
README
# volatility-filevault2
This is a Volatility plugin which attempts to extract Apple FileVault 2 Volume Master Keys. Writeup is here: https://tribalchicken.net/extracting-filevault-2-keys-with-volatility/
I have tested with OS X:
- 10.9
- 10.10
- 10.11
- 10.12 (macOS)

NOTE: Has not (yet) been tested on 32-bit OS X.
## How it works
FileVault appears to keep the volume master key in a consistently identifiable region of read-only kernel memory. The method used by the plugin is very simple, as all the information is already exposed by Volatility. In a nutshell, the plugin walks the memory map of kernel space, looking for a string that is aligned on a map boundary and repeated exactly 0x430 bytes later.
That's all there is to it (the writeup linked above has further information).
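The search described above, as an added example that is not the plugin's own code: it models the kernel memory map as a list of (base address, bytes) regions, treats the first `KEY_LEN` bytes of each region as the map-boundary candidate, and reports it only when an identical copy sits exactly 0x430 bytes later. `KEY_LEN`, the all-zero filter and the sample regions are assumptions constructed for the demo, not values from the README.

```python
# Added example (not the plugin's own code): a minimal version of the README's
# heuristic. A "memory map" is modelled as a list of (virtual_base, bytes) regions;
# a candidate VMK is a run of KEY_LEN bytes sitting at a region boundary whose
# exact copy appears REPEAT_OFFSET bytes later in the same region.
from typing import List, Tuple

KEY_LEN = 16            # assumption: illustrative key length, not taken from the README
REPEAT_OFFSET = 0x430   # from the README: the second copy is exactly 0x430 bytes later


def find_candidate_keys(regions: List[Tuple[int, bytes]],
                        key_len: int = KEY_LEN) -> List[Tuple[int, bytes]]:
    """Return (address, key_bytes) for every region whose leading key_len bytes
    recur exactly REPEAT_OFFSET bytes further on."""
    hits = []
    for base, data in regions:
        # Region too small to hold both copies: it cannot match.
        if len(data) < REPEAT_OFFSET + key_len:
            continue
        head = data[:key_len]
        # Assumption: an all-zero run repeats trivially and is noise, so skip it.
        if head == bytes(key_len):
            continue
        if data[REPEAT_OFFSET:REPEAT_OFFSET + key_len] == head:
            hits.append((base, head))
    return hits


def _region(base: int, head: bytes, filler: int, repeat: bool) -> Tuple[int, bytes]:
    """Constructed region: head, filler up to 0x430, then a copy of head (or not), then padding."""
    body = head + bytes([filler]) * (REPEAT_OFFSET - len(head))
    tail = head if repeat else bytes([filler]) * len(head)
    return base, body + tail + bytes([filler]) * 64


# Constructed sample memory map (addresses and contents are made up for the demo).
SAMPLE_KEY = bytes(range(0x10, 0x10 + KEY_LEN))
SAMPLE_REGIONS = [
    _region(0xFFFFFF8000100000, SAMPLE_KEY, 0x5A, repeat=True),          # key repeated: hit
    _region(0xFFFFFF8000200000, bytes(KEY_LEN), 0x00, repeat=True),      # zero page: filtered
    _region(0xFFFFFF8000300000, b"\xAB" * KEY_LEN, 0x33, repeat=False),  # no repeat: miss
    (0xFFFFFF8000400000, b"\x77" * 32),                                  # too small: skipped
]

if __name__ == "__main__":
    for addr, key in find_candidate_keys(SAMPLE_REGIONS):
        print(f"candidate at {addr:#x}: {key.hex()}")
```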
## Usage
filevault2.py is a plugin for the Volatility Framework. You can either place the plugin in the plugins directory at `volatility/plugins`, or place it in a separate directory and point Volatility to it with `--plugins`. For example, using a directory called "plugins":
```
voldev$ ls plugins
filevault2.py
voldev$ volatility --plugins=plugins/ --profile=MacElCapitan_10_11_6_15G1004 -f osx10_11_6.vmem mac_filevault2
```

## Common Problems
### Volatility tells you it needs something to do
Volatility doesn't know about the plugin. Check the location of the plugin, and run `volatility --info` to determine whether it is detected.
### "No suitable address space mapping found"
This isn't an issue with the plugin: either the profile selected does not match the memory image, or the image is in a format that is not understood. Ensure you have the correct profile selected (keep in mind that in some cases there can be different builds of the same OS X version).
### The plugin doesn't find anything
There could be many causes:
- The drive is not FileVault protected.
- The memory image does not contain the key (image captured after the key was evicted from memory, overwritten during acquisition, etc.).
- The key exists but the plugin doesn't find it.

If you suspect the plugin isn't working for you then I would love to know.