The purpose of this walkthrough is to demonstrate how to successfully decrypt and gain access to a FileVault® 2 protected volume when the recovery key or passphrase is known in order to capture a forensic image for analysis.
- EnCase® v6.18
- FTK® Imager
- Mac OS® Terminal
Note: MacQuisition 2013 R2 now supports auto-detection of FV2 protected volumes which allows the examiner to enter a known password or recovery key to unlock it.
1. Remove the hard drive from the MacBook Pro and capture a forensic image using your preferred tool. In our example, we used EnCase v6.18 and captured an image in the .E01 forensic image file format. You can bypass Step 1 by capturing a raw (dd) image as your first step.
2. Convert the .E01 image to raw (dd) format using FTK Imager.
3. Rename the dd image so that it carries a .dmg extension.
4. Using another Mac-based computer or booting into MacQuisition, boot into the OS and attach the dmg file without mounting its volumes using the Terminal command `hdiutil attach -nomount /path/to/DMG`.
5. List the available Core Storage partitions using the Terminal command `diskutil cs list`.
6. Identify the correct logical volume GUID and copy the string. This is the lowest-level Logical Volume entry, not the Logical Volume Family ID.
7. In Terminal, run `diskutil cs unlockVolume <GUID>`, pasting the logical volume GUID in place of `<GUID>`.
8. When prompted, enter the passphrase or recovery key.
9. If the passphrase was entered correctly, you will receive the confirmation "Finished CoreStorage operation."
10. Using MacQuisition or another tool, forensically image the now unlocked, unencrypted volume to your preferred format. Begin your analysis!
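The step that trips examiners up most often is picking the wrong identifier out of `diskutil cs list`: the Logical Volume Group, the Logical Volume Family and the Logical Volume all print a GUID, and only the last one is accepted by `diskutil cs unlockVolume`. The shell script below is an added example, not part of the original walkthrough or of any Apple tooling: it parses the text layout that `diskutil cs list` prints and returns the GUID of the single locked Logical Volume, refusing to guess when there is not exactly one. The `SAMPLE_CS_LIST` text is constructed to mirror that layout, every GUID and size in it is a placeholder, and the function names `cs_logical_volumes` and `cs_locked_volume_guid` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original walkthrough). Parses `diskutil cs list`
# output so the lowest-level Logical Volume GUID, and not the Logical Volume
# Group or Logical Volume Family GUID, is handed to `diskutil cs unlockVolume`.
# SAMPLE_CS_LIST is constructed for illustration; GUIDs and sizes are placeholders.

SAMPLE_CS_LIST='CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 11111111-1111-1111-1111-111111111111
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    Size:         499248103424 B (499.2 GB)
    Free Space:   0 B (0 B)
    |
    +-< Physical Volume 22222222-2222-2222-2222-222222222222
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk2s2
    |   Status:   Online
    |   Size:     499248103424 B (499.2 GB)
    |
    +-> Logical Volume Family 33333333-3333-3333-3333-333333333333
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        Encryption Status:       Locked
        Conversion Status:       Complete
        High Level Queries:      Fully Secure
        |                        Passphrase Required
        |                        Accepts New Users
        |                        Has Visible Users
        |                        Has Volume Key
        |
        +-> Logical Volume 44444444-4444-4444-4444-444444444444
            ---------------------------------------------------
            Disk:                  disk3
            Status:                Locked
            Size (Total):          498876809216 B (498.9 GB)
            Revertible:            Yes (unlock and decryption required)
            LV Name:               Macintosh HD
            Volume Name:           Macintosh HD
            Content Hint:          Apple_HFS'

# Print "<GUID> <status>" for every lowest-level Logical Volume in the
# `diskutil cs list` text read from stdin. "Logical Volume Group ..." and
# "Logical Volume Family ..." share the prefix but are not followed directly
# by a GUID at end of line, so the pattern skips them.
cs_logical_volumes() {
    awk '
        /Logical Volume [0-9A-Fa-f-]+[[:space:]]*$/ { lv = $NF; next }
        lv != "" && /^[[:space:]|]*Status:/ { print lv, $NF; lv = "" }
    '
}

# Print the GUID of the one locked Logical Volume; fail if there are zero or
# several so an ambiguous listing never feeds unlockVolume by accident.
cs_locked_volume_guid() {
    locked=$(cs_logical_volumes | awk '$2 == "Locked" { print $1 }')
    n=$(printf '%s\n' "$locked" | grep -c . || true)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one locked CoreStorage logical volume, found $n" >&2
        return 1
    fi
    printf '%s\n' "$locked"
}

# On a real macOS examination machine (not run here, macOS only):
#   guid=$(diskutil cs list | cs_locked_volume_guid) && diskutil cs unlockVolume "$guid"
# Demonstration against the constructed sample:
printf '%s\n' "$SAMPLE_CS_LIST" | cs_locked_volume_guid
```

Pipe the live `diskutil cs list` output into `cs_locked_volume_guid` on the examination Mac; the non-zero exit on zero or multiple locked volumes is deliberate, because a listing with several Core Storage families (a Fusion Drive plus an external volume, for instance) needs the examiner to choose rather than a script.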