Imaging a Fusion Drive with FileVault 2 Encryption Using MacQuisition
We recently created a video demonstrating how to image a FileVault 2-encrypted Fusion Drive with MacQuisition, BlackBag’s versatile acquisition tool. What appears below is the narrative script used for the video, should you prefer to view it in a readable format. However, we would also urge you to check out the video itself, which appears above.
Welcome to BlackBag Technologies’ how-to instructional video, ‘Imaging a Fusion Drive with FileVault 2 Encryption Using MacQuisition.’
In this video, we will use BlackBag Technologies’ MacQuisition to image a Macintosh computer that contains a Fusion Drive with FileVault 2 encryption enabled. In order to accomplish this, the examiner will need to know the login password for the FileVault 2 volume, have the necessary Keychain file, or be in possession of the recovery key. We will also see that a Boot Camp partition exists.
Previous MacQuisition videos have discussed booting a subject’s Macintosh computer, identifying attached media, and imaging devices to the examiner’s destination drive. Videos are also available concerning FileVault 2-encrypted volumes and Fusion Drives that are not encrypted.
Identifying Parts of the Fusion Drive
As in previous videos, we are using MacQuisition to boot a subject’s Macintosh computer. A Fusion Drive, whether or not encrypted with FileVault, cannot be identified from the Startup Manager screen. We simply see the available, bootable volumes.
When the MacQuisition program starts, it identifies FileVault 2-encrypted volumes. Since we have encrypted Fusion Drives, we see a pop-up warning that two disks have been identified as being encrypted and locked. We are shown where to unlock the volumes: MacQuisition’s ‘Tools ➔ Mount Device’ view. We note that information for later use, after we have examined the complete disk layout.
Bypassing other MacQuisition startup screens discussed in earlier videos, we have gone directly to MacQuisition’s ‘Image Device’ screen.
Because Fusion is an Apple technology, at this time only Mac OS X can recognize it and offer the examiner a method to image the logical volume. Apple’s first use of Core Storage was to enable FileVault 2. Apple then used the Core Storage logical volume manager to create the Fusion Drive, which is capable of spanning two or more devices. When Apple ships a Fusion Drive, it is not encrypted; the user may decide later to enable FileVault 2 encryption. Here we are looking at a Fusion Drive as it would appear after encryption has been enabled.
When a system is booted with MacQuisition, the examiner is the administrator, and the full structure of the drives is available for inspection and imaging. If, however, it is necessary to image a live Macintosh computer, the examiner must have an administrator password, allowing full access to the disk. Otherwise, the operating system blocks the user from imaging the live Macintosh.
MacQuisition identifies the presence of Core Storage volumes and assists us in recognizing them with the icon of a locked safe. In our case, both Fusion and FileVault 2 are present. Because of the encryption, MacQuisition identifies the physical disks holding the encrypted FileVault 2 data with the word “Encrypted” displayed in red to the right of two Core Storage icons. Here we see that both ‘disk0’ and ‘disk1’ are identified as encrypted. In gray, MacQuisition shows their volume name, the total size of each disk, the number of bytes used, the disk designator (disk0s2 and disk1s2), and the fact they are Apple Core Storage. We have seen the SSD drive renamed by the system to ‘Customer.’ For ease of recognition, our volume names both show as ‘Macintosh HD.’
We must be cognizant of two things at this point. First, since the Fusion Drives are not revealed as a mounted, decrypted volume, we again need MacQuisition’s assistance in getting to the decrypted data. Second, to capture the Boot Camp (Windows) partition, we must image disk1. It is a good practice to image the individual devices as well as the mounted, decrypted volume. We will image the Boot Camp partition at the end of this video.
Mounting and Unlocking
To mount the Fusion volumes, we go to the Tools tab, then the Mount Device tab. Earlier we saw the Boot Camp partition in disk1. This is an indicator for us to know which Fusion volume to mount. We locate and highlight disk1s2, the HFS+ partition that was identified previously. In the right column of the screen we can see the partition is listed as “Not Mounted.” With disk1s2 selected, we press the button labeled “Unlock Selected Device (Read Only).” A prompt for the password, recovery key, or Keychain file appears. We enter the password to unlock the encrypted volume, and within a few seconds the newly mounted volume of the decrypted data appears in the MacQuisition window. At this time, we note the new disk number used for the decrypted data. This number denotes the disk we want to image.
Now that the logical volume is mounted, MacQuisition identifies this by displaying information next to the Core Storage icons. In our case, they read, “disk13 contains decrypted data.” This disk number is pointing to the mounted Fusion volume.
MacQuisition also shows the disk that contains the Macintosh HD volume (disk13) and provides information about its source in gray text that reads, “merged data from disk0s2 and disk1s2.” This is the disk (the special Core Storage device) that was seen in the previous ‘Mount Device’ screen, and it is the decrypted volume that can now be acquired.
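The same identification MacQuisition makes in its Mount Device view can be read off the Core Storage layout that `diskutil coreStorage list` prints on a Mac: a logical volume group with more than one physical volume is a Fusion Drive, the logical volume family carries the FileVault 2 encryption status, and the logical volume’s disk node (disk13 here) is the decrypted device to image. The parser below is an added example, not part of the video or of MacQuisition, and its sample output is constructed in that layout rather than captured from the machine in the video.

```python
import re

# Constructed sample in the layout of `diskutil coreStorage list` (not captured from the
# video's machine; UUIDs shortened): one group over an SSD and an HDD slice, unlocked as disk13.
SAMPLE = """\
+-- Logical Volume Group LVG-0001
    Name:         Macintosh HD
    +-< Physical Volume PV-0002
    |   Disk:     disk0s2
    +-< Physical Volume PV-0003
    |   Disk:     disk1s2
    +-> Logical Volume Family LVF-0004
        Encryption Status:       Unlocked
        +-> Logical Volume LV-0005
            Disk:                  disk13
"""
HEADER = re.compile(r"\+-[-<>] (Logical Volume Group|Logical Volume Family|Physical Volume|Logical Volume) ")
FIELD = re.compile(r"([A-Za-z ]+):\s+(.*)")

def parse_core_storage(text):
    """One dict per group: name, physical slices, encryption status, logical volume disk (None while locked)."""
    groups, section = [], None
    for line in text.splitlines():
        h = HEADER.search(line)
        if h:
            section = h.group(1)
            if section == "Logical Volume Group":
                groups.append({"name": None, "pvs": [], "enc_status": None, "lv_disk": None})
            continue
        f = FIELD.match(line.strip(" |"))
        if not f or not groups:
            continue
        key, val, g = f.group(1), f.group(2).strip(), groups[-1]
        if section == "Logical Volume Group" and key == "Name":
            g["name"] = val
        elif section == "Physical Volume" and key == "Disk":
            g["pvs"].append(val)
        elif section == "Logical Volume Family" and key == "Encryption Status":
            g["enc_status"] = val
        elif section == "Logical Volume" and key == "Disk":
            g["lv_disk"] = None if val == "-none-" else val  # "-none-" means still locked
    return groups

def describe(g):
    """Summarise a group the way the examiner reads it in MacQuisition's Mount Device view."""
    kind = ("Fusion Drive, merged data from " + " and ".join(g["pvs"])
            if len(g["pvs"]) > 1 else "single-device Core Storage on " + g["pvs"][0])
    enc = "FileVault 2 " + g["enc_status"] if g["enc_status"] else "not encrypted"
    lv = "decrypted data on " + g["lv_disk"] if g["lv_disk"] else "no logical volume exposed until unlocked"
    return "%s: %s; %s; %s" % (g["name"], kind, enc, lv)
```

On a live or booted Mac, feed the real output of `diskutil coreStorage list` to `parse_core_storage` instead of `SAMPLE`; a group whose logical volume still reports no disk node has not been unlocked yet.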
Since imaging devices and selecting the destination drive have been covered in previous videos, we will not go over that information here. Another great source of information is the MacQuisition user’s guide, available at the MacQuisition [Help] menu.
Imaging the Boot Camp Volume
Returning to our view of the overall disk structure, we again see the Boot Camp partition. Boot Camp exists outside the FileVault partition, as it is not an Apple volume; it is an NTFS file system. As such, in order to obtain the Boot Camp partition, the disk on which it resides must also be imaged. We previously identified Boot Camp as being on disk1. We highlight disk1 as our device to image, then select our imaging options and destination drive. Once these selections are complete we click the Image Device button. MacQuisition provides an informational warning box that reads, “The disk you selected contains an encrypted partition. Are you sure you want to continue?” We select the Continue button. A second warning window appears. It says, “The disk you selected contains a Core Storage partition. Are you sure you want to continue?” This warning prevents the accidental selection of an encrypted volume. In our case, we know the disk we have selected is encrypted; we are now most interested in the Boot Camp partition. We click Continue, then provide the image file name we have decided upon. Once the name is provided, we click the Continue button to begin the imaging process.
In this video, we have identified the parts of the Fusion Drive, decrypted the FileVault-encrypted volume, then identified and imaged the Boot Camp volume.
Thank you for watching this video demonstration using BlackBag Technologies’ MacQuisition.
Should you have any further questions on any of BlackBag Technologies’ tools, please don’t hesitate to contact a member of the BlackBag team for assistance.
Remember to check back often, as the BlackBag team will be adding new videos in the future.