我正在处理dd使用 File Vault 2 加密的 MacBook (Mac OS X 10.11.6) 磁盘的比特流 ( ) 图像。我没有任何密码、密码或恢复密钥来解锁驱动器,但我对解锁/不感兴趣解密驱动器。
我只需要提取与登录屏幕相关的所有可能信息。此信息应包括启用登录的用户名和密码建议(如果有)。对于密码建议,我指的是单击密码框右侧的问号 (?) 时可用的建议。
这是登录屏幕的示例:
据我了解,系统启动了一个特殊的 EFI 预启动,在该屏幕上显示 FileVault 2 解锁屏幕,其中包含已获准解锁磁盘的指定 OS X 帐户的图标。登录信息(用户名等)不应加密,因为它们在您启动系统时和用户使用密码登录之前可用且可见(即磁盘尚未解锁)。
我还尝试通过附加图像然后使用来获取此信息,sudo fdesetup list -device <UUID>但显然外部设备不允许此操作。同样,我无法解锁图像,因为我没有任何密码。但是,我认为用户名应该以非加密格式在某处可用,因为当我启动系统时它们是可见的。
这是diskutil list附加磁盘映像(存储在外部 USB 驱动器中)后的输出hdiutil attach -nomount /Volumes/USB/image.dd.dmg:
/dev/disk0 (internal):
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme 500.3 GB disk0
1: EFI EFI 314.6 MB disk0s1
2: Apple_APFS Container disk1 500.0 GB disk0s2
/dev/disk1 (synthesized):
#: TYPE NAME SIZE IDENTIFIER
0: APFS Container Scheme - +500.0 GB disk1
Physical Store disk0s2
1: APFS Volume Macintosh HD 143.2 GB disk1s1
2: APFS Volume Preboot 21.0 MB disk1s2
3: APFS Volume Recovery 522.1 MB disk1s3
4: APFS Volume VM 1.1 GB disk1s4
/dev/disk2 (external, physical):
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme *3.0 TB disk2
1: Microsoft Reserved 16.8 MB disk2s1
2: Microsoft Basic Data TARGET 3.0 TB disk2s2
/dev/disk3 (disk image):
#: TYPE NAME SIZE IDENTIFIER
0: GUID_partition_scheme +121.3 GB disk3
1: EFI EFI 209.7 MB disk3s1
2: Apple_CoreStorage Macintosh HD 120.5 GB disk3s2
3: Apple_Boot Recovery HD 650.0 MB disk3s3
Offline
Logical Volume Macintosh HD on disk3s2
UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU
Locked Encrypted
这是输出diskutil cs list:
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU
=========================================================
Name: Macintosh HD
Status: Online
Size: 120473067520 B (120.5 GB)
Free Space: 12656640 B (12.7 MB)
|
+-< Physical Volume UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU
| ----------------------------------------------------
| Index: 0
| Disk: disk3s2
| Status: Online
| Size: 120473067520 B (120.5 GB)
|
+-> Logical Volume Family UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU
----------------------------------------------------------
Encryption Type: AES-XTS
Encryption Status: Locked
Conversion Status: Complete
High Level Queries: Fully Secure
| Passphrase Required
| Accepts New Users
| Has Visible Users
| Has Volume Key
|
+-> Logical Volume XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
---------------------------------------------------
Disk: -none-
Status: Locked
Size (Total): 120108089344 B (120.1 GB)
Revertible: Yes (unlock and decryption required)
LV Name: Macintosh HD
Content Hint: Apple_HFS
如果我尝试该fdesetup命令,我会收到以下错误:
$ fdesetup status -device XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
Error: The -device option is not allowed for this operation.
每次尝试使用另一个 UUID 都会导致此错误:Error: The specified volume or device 'UUUUUUUU-UUUU-UUUU-UUUU-UUUUUUUUUUUU' did not return any information.
最后,问题是“如何从使用 File Vault 2 加密的磁盘映像中提取登录信息(不是密码)?”。基于在输入密码之前这些信息的可用性,我假设用户名以及其他信息(例如,密码提示)没有加密并且可以从磁盘映像中提取。
期待您的反馈。
非常感谢。gostep