One aspect of digital forensics that merits specific attention for today's investigators is Apple's FileVault 2 encryption. FileVault 2 has become increasingly prevalent on OS X systems since its release in 2011, and in fact with OS X Yosemite, it is even more likely that FileVault 2 will be enabled. With that in mind, we recently created a video demonstrating how to image a FileVault 2-encrypted volume with MacQuisition, BlackBag's versatile, 3-in-1 acquisition tool. What appears below is the narrative script used for the video, should you prefer to view it in a readable format. However, we would also urge you to check out the video itself, which appears above.
Welcome to BlackBag Technologies' how-to instructional video, 'Imaging a FileVault Volume Using MacQuisition.'
In this video, we will demonstrate using BlackBag Technologies' MacQuisition to image a Macintosh computer that contains a FileVault 2 volume. In order to accomplish this, the examiner will need to know the login password for the FileVault 2 volume, have the necessary Keychain file, or be in possession of the recovery key.
FileVault 2 Background
Apple’s first implementation of Core Storage was to enable FileVault 2. Apple often advertises FileVault 2 as “full disk encryption,” but it is actually encryption of a volume. This encryption is possible because of Core Storage, Apple’s new logical volume format. Core Storage is a volume manager that is layered between the partition scheme and the file system. Core Storage makes it easy to dynamically allocate partitions while providing full compatibility with existing file systems. It allows in-place volume modifications such as enabling the "full disk encryption" used by FileVault 2 as a background process. When encrypted, the HFS+ volume resides inside the Core Storage logical volume. To access the HFS+ volume, an imaging tool must understand and be able to identify the Core Storage, then be running in an operating system that provides it access to the encrypted data. MacQuisition is that tool.
FileVault 2 can be toggled on and off, thereby encrypting or decrypting the data, although this is a time-consuming process. Decrypting the volume reverts the logical volume, and hence the file system, to its previous unencrypted state, but the disk may continue to be managed as a Core Storage logical volume. However, it is also possible to find that the Core Storage logical volume management has been removed, leaving just the normal Macintosh HFS+ volume.
FileVault 2 can be enabled in the Security & Privacy tab of OS X's System Preferences. Apple has chosen not to expose Core Storage logical disk management through the Disk Utility application, so virtually all other Core Storage management functions must be performed from the command line.
In this scenario, we have a Mac computer that has two volumes. One volume is FileVault 2, and the other is Boot Camp.
Basic Macintosh imaging is discussed in the MacQuisition video entitled 'MacQuisition Overview.' That video includes information about how to start the subject computer, while ensuring its operating system does not boot.
In this video we have skipped the initial boot process and are beginning at the computer’s Startup Manager. It presents four bootable volumes: 'Macintosh HD,' 'Boot Camp,' 'MacQuisition 2014R1' and 'MacQuisition-Legacy.'
Take note of the 'Macintosh HD' volume. By default, Apple names the OS X boot volume 'Macintosh HD.' We also see our MacQuisition volumes available. At times, even the recovery partition can appear on the Startup Manager screen. From this screen, one cannot determine whether FileVault is present. Using the arrow keys on the keyboard, we highlight the volume entitled 'MacQuisition 2014R1' and press the Enter key.
When the examiner selects the 'MacQuisition 2014R1' volume, MacQuisition will begin loading. This is part of MacQuisition's uniqueness, in that it is actually running a licensed version of OS X. The BlackBag logo will appear as MacQuisition is loading. It will remain on the screen as a visible safety feature and will then be followed by the familiar Apple logo, visible for approximately 20 seconds.
When the user selects Agree for the MacQuisition license agreement, the application continues to load.
MacQuisition Recognizes FileVault 2
MacQuisition immediately recognizes the existence of a FileVault 2 volume and presents a notification to that effect. Here, the notification presents us with the volume name and identifier of 'disk0s2.' If this computer were a live piece of evidence with the volume mounted and running, the notification presented by MacQuisition would be invaluable, as it would provide notice of the encrypted volume that might need to be imaged prior to shutting down the computer. Make note of the information provided here, as it will assist in selecting the encrypted volume later in the process.
Selecting Continue allows us to move forward into the MacQuisition application.
The 'Case Details' page is normally shown first. We are bypassing that window and its explanation, as it is discussed in detail during the 'MacQuisition Overview' video.
In the Image Device tab, we can see that MacQuisition identifies our encrypted volume with the word “Encrypted” in red beside the actual volume name 'Macintosh HD.' Take note of the volume name and the disk identifier (disk0s2). This is the same data MacQuisition provided when it identified the encrypted volume during the application’s startup.
MacQuisition denotes the Apple Core Storage volume with the proper icon, a locked safe with the Apple logo on the side. In this view we see that the Core Storage volume name is 'Macintosh HD,' and the volume size is displayed.
Mounting and Unlocking
Now that we've identified the FileVault 2 volume that needs to be imaged, we go to the Tools ➔ Mount Device tab within MacQuisition to mount the device as read-only. Note that when booted into MacQuisition, all volumes are automatically mounted read-only. Our Core Storage volume was not mounted because it is encrypted.
Once we select the 'Macintosh HD' volume, a button located on the bottom right corner illuminates, prompting us to Unlock Selected Device (Read Only).
When we select this Unlock button, MacQuisition presents a screen asking for either the password for the FileVault 2 volume, the recovery key, or a Keychain file. Generally speaking, the password used to decrypt a FileVault 2 volume is the one belonging to the administrative user for the OS X installation. If there is more than one user on the Mac OS X installation, only passwords authorized to decrypt the volume will decrypt it. The recovery key is generated at the time the FileVault 2 volume is created. Users have the ability to store the key with Apple or print the key. If the key is stored with Apple, the user must set three security questions, maintained by Apple, which must be answered in order to retrieve the recovery key. The Keychain file is a decrypted user's Keychain file.[1]
After successfully adding one of these three items to unlock the drive, MacQuisition provides a prompt advising that the selected drive has been unlocked. We select OK in this window.
Within a few seconds, MacQuisition completes a bus scan and now identifies the encrypted volume as a read-only mounted virtual drive. It is identified in this situation as 'disk 12.' This volume can now be imaged in its decrypted state.
Returning to the Image Device tab, we can see our encrypted drive (disk 0 slice 2) is still attached, and a new disk referred to as 'disk 12' called 'Macintosh HD' is mounted read-only. At disk0s2, MacQuisition advises the examiner that “disk 12 contains decrypted data.” At 'disk 12' MacQuisition shows that it contains “decrypted data from disk0s2,” a further reminder of what has taken place during the decryption process. These two pieces point to each other, indicating the source of the data and the location of the decrypted information.
In this instance, as we are looking at a single encrypted volume, the identification of these pieces seems simple. However, when there are two or more encrypted volumes, these references to each other are invaluable.
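The pairing MacQuisition draws between disk0s2 and disk 12 is the same relationship Core Storage itself records: the encrypted physical volume and the decrypted logical volume belong to one logical volume group, and, as the background section notes, that structure is otherwise visible only from the command line. The Python script below is an added example, not part of the original video and not MacQuisition's code. It parses text laid out like the output of `diskutil cs list` (a constructed sample is embedded; the UUIDs are made up and the disk identifiers follow the video) and reports, per volume group, whether it is FileVault 2, whether it is locked, and which disk carries the decrypted data. The field names are those the listing uses; treating an "Encryption Type" of "None" as unencrypted, and "-none-" as the disk of a still-locked logical volume, are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample laid out like `diskutil cs list` (the Core Storage listing on OS X).
# UUIDs are made up; disk identifiers follow the video: disk0s2 is the encrypted physical
# volume, disk12 the decrypted logical volume that appears once the examiner unlocks it.
SAMPLE_UNLOCKED = """\
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 00000000-1111-2222-3333-444444444444
    =========================================================
    Name:         Macintosh HD
    Status:       Online
    |
    +-< Physical Volume 55555555-6666-7777-8888-999999999999
    |   ----------------------------------------------------
    |   Disk:     disk0s2
    |   Status:   Online
    |
    +-> Logical Volume Family AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        Encryption Status:       Unlocked
        High Level Queries:      Fully Secure
        |                        Passphrase Required
        |
        +-> Logical Volume FFFFFFFF-0000-1111-2222-333333333333
            ---------------------------------------------------
            Disk:                  disk12
            LV Name:               Macintosh HD
"""
# The same group before unlocking (also constructed): the family reports Locked and the
# logical volume has no disk device yet (assumed to print as "-none-").
SAMPLE_LOCKED = SAMPLE_UNLOCKED.replace("Unlocked", "Locked").replace("disk12", "-none-")

TREE_PREFIX = re.compile(r"^[\s|+<>-]*")  # tree-drawing characters in front of each field
HEADER = re.compile(r"^(Logical Volume Group|Physical Volume|Logical Volume Family|"
                    r"Logical Volume) ([0-9A-Fa-f-]{36})$")
FIELD = re.compile(r"^([A-Za-z][A-Za-z ()]*?):\s+(.*)$")

def parse_cs_list(text: str) -> List[Tuple[str, Dict[str, str]]]:
    """Flatten the tree into ordered (kind, fields) sections; the UUID is kept as a field."""
    sections: List[Tuple[str, Dict[str, str]]] = []
    fields: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = TREE_PREFIX.sub("", raw).rstrip()
        if not line or set(line) <= set("=-"):
            continue  # blank line, separator rule, or tree-only line
        header = HEADER.match(line)
        if header:
            fields = {"UUID": header.group(2)}
            sections.append((header.group(1), fields))
        else:
            kv = FIELD.match(line)
            if kv and fields is not None:
                fields[kv.group(1)] = kv.group(2).strip()
    return sections

@dataclass
class VolumeGroup:
    name: str
    physical_disks: List[str] = field(default_factory=list)
    logical_disks: List[str] = field(default_factory=list)
    encryption_type: Optional[str] = None
    encryption_status: Optional[str] = None

def summarize(sections: List[Tuple[str, Dict[str, str]]]) -> List[VolumeGroup]:
    """Attach each physical volume, family and logical volume to the group above it."""
    groups: List[VolumeGroup] = []
    for kind, f in sections:
        if kind == "Logical Volume Group":
            groups.append(VolumeGroup(f.get("Name", "?")))
        elif groups and kind == "Physical Volume":
            groups[-1].physical_disks.append(f.get("Disk", "?"))
        elif groups and kind == "Logical Volume Family":
            groups[-1].encryption_type = f.get("Encryption Type")
            groups[-1].encryption_status = f.get("Encryption Status")
        elif groups and kind == "Logical Volume":
            groups[-1].logical_disks.append(f.get("Disk", "?"))
    return groups

def triage(text: str) -> List[str]:
    """One line per group: FileVault 2 or not, locked or not, where the decrypted data is."""
    report = []
    for g in summarize(parse_cs_list(text)):
        src = ", ".join(g.physical_disks)
        # Assumption: an unencrypted Core Storage family reports Encryption Type "None".
        if g.encryption_type in (None, "None"):
            report.append(f"{g.name}: Core Storage on {src}, not encrypted")
            continue
        decrypted = [d for d in g.logical_disks if d not in ("-none-", "?")]
        if g.encryption_status == "Locked" or not decrypted:
            report.append(f"{g.name}: FileVault 2 ({g.encryption_type}) on {src} is LOCKED; "
                          "unlock before imaging")
        else:
            report.append(f"{g.name}: FileVault 2 ({g.encryption_type}) on {src} is "
                          f"{g.encryption_status}; decrypted data at {', '.join(decrypted)}")
    return report

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_UNLOCKED) + triage(SAMPLE_LOCKED)))
```

Run on real output by reading the listing from a saved text file instead of the embedded sample; the report line for a locked group is the cue that an unlock step (password, recovery key or institutional keychain, as described above) must precede imaging, while an unlocked group tells you which virtual disk to select in the imaging tool.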
At this point we can image the mounted volume, and the contents will be fully decrypted.
As we attach our evidence drive to the computer, it will be shown in the 'Image Device' window. Notice that we clearly identify our destination drive with the volume name of 'Evidence.' Your standard operating procedures may dictate the need to call the data collection drive something different.
We are going to select our destination drive and switch it to a read-write status in one process. We select the plus sign (+) that is located beneath the Destination box. This opens a 'Select Destination Volume' dialogue box that shows all the volumes attached to this computer and their write status.
We scroll down to find the 'Evidence' volume.
When we select the 'Evidence' volume, a button that reads Make Selected Device Read/Write appears in the lower right of the dialogue box.
As we select this button, MacQuisition presents us with a warning that a change is being made to the read-write status of the device. Note that by default, the Cancel button is illuminated. This is meant as a safety feature to prevent unintended writes to any evidence.
We select the Continue button.
A dialogue window opens, informing us that the volume 'Evidence' is now mounted read-write.
Selecting OK dismisses the dialogue box.
When the write status change is completed, we see our 'Evidence' volume mounted read-write.
Now that we can write to the destination drive, we have the opportunity to select which folder on the volume we want to create our disk image in. By selecting the 'Evidence' volume, an Open button is illuminated. Click Open.
A Finder window opens within the 'Evidence' volume. There is a choice to create a new folder within the volume, cancel, or choose the current folder as a destination for the image. As MacQuisition will create its own folder structure, it is up to the examiner to determine whether or not to create another folder to save the image in. In this case, we are not going to create another folder. We are saving the device image at the root of the 'Evidence' volume, so let’s select Choose.
We have added our 'Evidence' volume as our destination for the device image. To verify this, we look under Destination and see our 'Evidence' volume listed.
At this time we can choose our imaging options. We have chosen the output of the .dmg format, in 2GB segments, with MD5 and SHA1 hashing. An explanation of the imaging choices is contained in the 'MacQuisition Overview' video.
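An acquisition hash is only worth recording if it can be re-checked later, and with a segmented image that check has to treat the segments as one continuous stream, in order. The Python below is an added example (not MacQuisition's code and not from the original video) that streams a list of segment files through MD5 and SHA-1 together and compares the result with the recorded values. It assumes the recorded hash covers the complete logical image rather than each 2GB piece, and the segment file names in the demo are placeholders; consult your tool's log for how it names segments and what its hash covers.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Sequence

CHUNK = 1024 * 1024  # stream 1 MiB at a time; a 2 GB segment never has to fit in memory

def hash_chunks(chunks: Iterable[bytes]) -> Dict[str, str]:
    """MD5 and SHA-1 of one logical byte stream, however it happens to be split up."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for chunk in chunks:
        md5.update(chunk)
        sha1.update(chunk)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}

def read_segments(paths: Sequence[str]) -> Iterable[bytes]:
    """Yield the segment files back to back, in exactly the order given."""
    for path in paths:
        with open(path, "rb") as fh:
            while True:
                block = fh.read(CHUNK)
                if not block:
                    break
                yield block

def verify_image(paths: Sequence[str], recorded: Dict[str, str]) -> Dict[str, bool]:
    """Compare the streamed hashes with the values the imaging tool recorded."""
    actual = hash_chunks(read_segments(paths))
    return {alg: actual[alg] == recorded[alg].lower() for alg in recorded}

def demo() -> Dict[str, Dict[str, bool]]:
    """Constructed data: three small segments standing in for the tool's 2 GB pieces."""
    # 13,000 bytes of non-repeating content, so that segment order actually matters.
    image = b"".join(f"sector {i:05d}\n".encode() for i in range(1000))
    pieces = [image[:4096], image[4096:8192], image[8192:]]
    # What an acquisition log would record for the whole logical image.
    recorded = {"md5": hashlib.md5(image).hexdigest(), "sha1": hashlib.sha1(image).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for n, piece in enumerate(pieces, 1):
            path = os.path.join(tmp, f"image.{n:03d}")  # placeholder segment names
            with open(path, "wb") as fh:
                fh.write(piece)
            paths.append(path)
        return {
            "in_order": verify_image(paths, recorded),
            "reordered": verify_image(paths[::-1], recorded),  # same bytes, wrong order
        }

if __name__ == "__main__":
    print(demo())
```

The reordered case is the point of the demo: every byte is present, yet both hashes fail, which is why the verification script must sort segments the same way the tool wrote them rather than relying on directory listing order.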
Lastly, we select the volume to be imaged. We are selecting the decrypted 'Macintosh HD' volume that is mounted as 'disk12.' Selecting that volume illuminates the Image Device button.
Selecting the Image Device button opens a dialogue asking for the name of the image being created. By default, MacQuisition names the image by its volume number identifier.
Type a volume name that either meets the operating procedures of your unit, or is descriptive of the volume being imaged. Once satisfied with the volume name, we select Continue.
At this time, MacQuisition provides visible confirmation that the device is being imaged, along with a bar showing the progress of the imaging.
Once the image has completed, MacQuisition shows the word “Completed” in the 'Activity' window.
Imaging a Boot Camp Volume
Our decrypted volume has been imaged. In this case, we have an added Boot Camp, or Windows, volume. Since Boot Camp is not a part of the FileVault volume, we need to examine this volume also. To do so, we will image the entire disk, including our Boot Camp volume.
To accomplish this, we continue in the Image Device tab, selecting the physical disk that is identified by the disk icon and labelled as 'DISK 0.'
In this case, we are going to create an image in the .e01 format with Fast Compression turned on. Because we are not changing the destination of the image, we can select Image Device.
MacQuisition warns us that the device we are about to image contains an encrypted partition. Again, as a safety measure, the Cancel button is the default button illuminated. In our case, we have already imaged the decrypted data, so we select Continue.
MacQuisition prompts us again that we are about to image encrypted data. We select Continue once again.
We give the output image file a name and select Continue.
MacQuisition will continue through its imaging and provide positive feedback when the imaging function has completed.
Thank you for watching this video demonstration on imaging FileVault 2 and Boot Camp volumes using BlackBag Technologies' MacQuisition.
Should you have any further questions on any of BlackBag Technologies' tools, please don't hesitate to contact a member of the BlackBag team for assistance.
Remember to check back often, as the BlackBag team will be adding new videos in the future.
[1] Correction: The original video and blog entry as published states that the recovery Keychain file is a decrypted user's Keychain file. In fact, the recovery Keychain is an institutional FileVaultMaster.keychain file created in a specific manner, as outlined in Apple's HT202385 tech document (http://support.apple.com/en-us/HT202385).